The perimeter firewall must be configured for service redundancy, load balancing, or other organization-defined safeguards to limit the effects of types of denial-of-service (DoS) attacks on the network.
As a critical security system, perimeter firewalls must be safeguarded with redundancy measures. If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Service redundancy techniques reduce the susceptibility of the firewall to many DoS attacks. A firewall experiencing a DoS attack will not be able to handle the traffic load. The high CPU utilization caused by a DoS attack will also have impact control keep-alives and timers used for neighbor peering, resulting in route flapping and eventually black hole traffic. Though redundant hardware is the primary means of compliance, there are a number of ways to meet this requirement. The firewall can also be configured for filter-based forwarding, per-flow load balancing, and/or per-packet load balancing.
Consult vendor configuration guides and knowledge base. Implement one or more methods of service redundancy and/or load balancing (e.g., filter-based forwarding, per-flow load balancing, per-packet load balancing, or hardware redundancy options). The implementation must be tested prior to placing into production.
Since Service redundancy and load balancing can be a highly complex configuration that can be implemented using a wide variety of configurations, ask the site representative to demonstrate the method used and the configuration. If the perimeter firewall is not configured for service redundancy, load balancing, or other organization-defined safeguards to limit the effects of types of DoS attacks on the network, this is a finding.