Our firewalls are capable to provide up to layer 7 filtering and they're connected between our core-router ( which is directly connected to our data center's core-router) and our main router (which our switches are connected to) receiving filtering rules from NIDS and/or rarely from our staff members. Our firewalls have been designed to function both independently and as a whole. By default they all function together, but if for any reason NIDS becomes unavailable, the firewalls will start functioning independently. This may result in a temporary slower performance in order to avoid the network being unfiltered until NIDS becomes available again. Additionally, if one of the firewalls becomes unavailable, it instantly gets excluded from the load balancing system to prevent the network from becoming affected. This way, the network has a complete fail-over no matter if any of the firewalls or NIDS becomes unavailable.
Additionally, our NIDS analyzes and identifies attacks per packet's protocol, packet type and several other characteristics giving the opportunity to our firewalls to filter an attack with at least 15 methods (planning to increase to 20+ methods in the near future). In rare cases, when an attack cannot get filtered differently, an IP null-route is applied. If the attack exceeds a specific number of Gbps (Gigabits per second) or Mbps (Million packets per second), additional ACLs may get applied in our router(s).
The Firewall mechanism described above has been completely designed and engineered by HostHoney staff using fundamental understanding of filtering, intensive knowledge and experience in preventing DDoS attacks. Our firewalls and NIDS use as open-source operating system with engineered Firewall and detection software.