DoS protections: load balancers vs. firewalls




We currently have a route through

a router,
Checkpoint external Firewall,
F5 load balancer,
Checkpoint internal FW to
(DMZ role) Web servers.

Now it looks like the single external firewall easily works as a
"fuse", and becomes a failing bottleneck, when we test for a high
volume DoS attack (we have a gigabit line to the ISP side, with
smaller but upgradeable guaranteed bandwidth). So to strengthen the
availability and DoS resilience we are thinking, why not get rid of
the external firewall totally? We could configure the F5 with all the
security features and use it also in an external firewall role...

Note that the external Cisco router anyway limits incoming traffic,
with a simple ACL, to a few virtual IP addresses and ports 80 and 443.
Do we really need a separate external firewall? Anyway, I can't find
any references to this kind of setup with the F5 interfacing the
Internet. Maybe I'd better ask F5, but I would like to have an
independent opinion/experience...
