Firewalls and IDPS solutions are not foolproof against attacks
We can't rely on a firewall and an IDPS alone and assume that everything is safe. A firewall will not work by itself, whatever its brand or design. We need to understand that it is simply one tool among the many tools of security.
Firewalls and IDPS can't handle DDoS attacks, and the reason is that they were not designed to do so.
Firewalls and IDPS focus on examining (and, in some cases, preventing) one packet at a time, but if an attacker sends millions of packets in a short time frame they won't be able to do anything.
Firewalls and IDPS are stateful devices: they track all connections and packets, inspect them, and store them in a connection table. They then match every packet against the connection table and verify that it was transmitted over a secured connection and that the packet is legitimate. They do the same for every packet.
A typical connection table holds tens of thousands of active connections. When an attacker sends thousands of packets per second, the firewall or IDPS is forced to open a new connection entry for each one, because the packets have no record in the current connection table. It will keep storing those malicious packets as new connections until the table is full, at which point it has no capacity left to open a new connection. So it will block everything in its path, even legitimate users and their packets.
Firewalls and IDPS can't differentiate between legitimate and malicious packets
Many DDoS attack vectors, such as HTTP floods, consist of millions of legitimate sessions. A firewall or IDPS won't mark those sessions as malicious, and it can't, because it is not designed to look at the packets' behavior; it is simply designed to inspect the session.
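The connection-table exhaustion described above, as an added example that is not part of the original article and does not model any particular vendor's device: a toy stateful filter with a fixed-capacity table and an idle timeout, a constructed flood of connection-opening packets from spoofed sources, and then a legitimate user trying to connect. All capacities, rates and addresses are assumed values chosen for the simulation.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool    # True when the packet opens a new connection
    ts: float    # arrival time in seconds


class StatefulFilter:
    """Toy model of a stateful firewall/IDPS connection table (constructed for illustration)."""

    def __init__(self, capacity: int, idle_timeout: float):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        # 5-tuple -> last-seen time; insertion order doubles as least-recently-seen order
        self.table: "OrderedDict[tuple, float]" = OrderedDict()
        self.stats = {"allowed": 0, "dropped_no_state": 0, "dropped_table_full": 0}

    def _expire(self, now: float) -> None:
        # Age out entries that have been idle longer than idle_timeout, oldest first.
        while self.table:
            key, last_seen = next(iter(self.table.items()))
            if now - last_seen <= self.idle_timeout:
                break
            self.table.popitem(last=False)

    def handle(self, pkt: Packet) -> str:
        self._expire(pkt.ts)
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if key in self.table:
            # Packet matches a tracked connection: refresh its entry and let it through.
            self.table.move_to_end(key)
            self.table[key] = pkt.ts
            self.stats["allowed"] += 1
            return "allow"
        if not pkt.syn:
            # Mid-stream packet with no tracked connection.
            self.stats["dropped_no_state"] += 1
            return "drop"
        if len(self.table) >= self.capacity:
            # No room to track another connection: the new flow is refused.
            self.stats["dropped_table_full"] += 1
            return "drop"
        self.table[key] = pkt.ts
        self.stats["allowed"] += 1
        return "allow"


def simulate_flood(capacity: int = 1000, idle_timeout: float = 30.0,
                   flood_pps: int = 5000, flood_seconds: float = 2.0) -> dict:
    """Fill the table with spoofed connection openers, then see how a legitimate user fares."""
    server = "10.0.0.5"  # constructed address
    fw = StatefulFilter(capacity, idle_timeout)
    # A legitimate client connects before the flood starts.
    before = fw.handle(Packet("192.0.2.10", server, 40000, 443, True, 0.0))
    # Flood: every packet is a fresh SYN from a distinct (constructed) spoofed source/port,
    # arriving far faster than idle entries can age out.
    n = int(flood_pps * flood_seconds)
    for i in range(n):
        src = f"203.0.113.{i % 256}"
        fw.handle(Packet(src, server, 1024 + i // 256, 443, True, 0.1 + i / flood_pps))
    now = 0.1 + flood_seconds
    # The pre-existing connection still matches its entry...
    existing = fw.handle(Packet("192.0.2.10", server, 40000, 443, False, now))
    # ...but a new legitimate user cannot get an entry at all.
    new_user = fw.handle(Packet("192.0.2.11", server, 40001, 443, True, now))
    return {"before": before, "existing": existing, "new_user": new_user,
            "table_size": len(fw.table), **fw.stats}


if __name__ == "__main__":
    print(simulate_flood())
```

In this model the table is full after the first 999 flood packets and stays full, because the flood rate multiplied by the idle timeout far exceeds the table capacity, so every later connection attempt, legitimate or not, is refused while established flows keep passing. The per-packet checks themselves never fail; it is the finite state that gives out, which is why the defence has to sit upstream of the stateful device rather than inside it.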
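To make the session-versus-behaviour distinction concrete, here is an added example (not from the original article, and not the logic of any real firewall or IDPS) that runs two checks over a constructed web-server access log. The per-request check is what a session-level inspection sees: method, path and protocol of each request in isolation. The second check looks at behaviour over time, counting requests per source in a sliding window. The log lines, addresses, window and threshold are all assumed values built for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common-log-format line, e.g.: 192.0.2.10 - - [01/Jan/2024:12:00:00 +0000] "GET / HTTP/1.1" 200 512
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
ALLOWED_METHODS = {"GET", "POST", "HEAD"}


def make_sample_log() -> list:
    """Constructed access log: three normal clients plus two flood sources (not real traffic)."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    fmt = '{ip} - - [{ts:%d/%b/%Y:%H:%M:%S} +0000] "GET /index.html HTTP/1.1" 200 5120'
    lines = []
    for n, ip in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        for k in range(5):  # a few page loads spread across the minute
            lines.append(fmt.format(ip=ip, ts=base.replace(second=(k * 12 + n) % 60)))
    for ip in ["203.0.113.5", "203.0.113.6"]:
        for _ in range(200):  # 200 perfectly valid requests inside one second
            lines.append(fmt.format(ip=ip, ts=base.replace(second=30)))
    return lines


def parse(line: str):
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def per_request_inspection(line: str) -> bool:
    """Session-level view: is this one request well formed and permitted? (Every flood request is.)"""
    r = parse(line)
    return (r is not None
            and r["method"] in ALLOWED_METHODS
            and r["path"].startswith("/") and len(r["path"]) < 2048
            and r["proto"] in ("HTTP/1.0", "HTTP/1.1"))


def flood_sources(lines: list, window_seconds: float = 1.0, max_requests: int = 50) -> set:
    """Behavioural view: sources that exceed max_requests within any window_seconds span."""
    recs = sorted((r for r in map(parse, lines) if r), key=lambda r: r["ts"])
    recent = defaultdict(deque)   # ip -> timestamps of requests inside the current window
    flagged = set()
    for r in recs:
        q = recent[r["ip"]]
        q.append(r["ts"])
        while (r["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            flagged.add(r["ip"])
    return flagged


if __name__ == "__main__":
    log = make_sample_log()
    print("requests passing per-request checks:", sum(map(per_request_inspection, log)), "/", len(log))
    print("sources flagged by rate behaviour:", sorted(flood_sources(log)))
```

Every one of the 415 constructed requests passes the per-request check, including the 400 from the two flood sources, so a device that only judges each session on its own merits has nothing to block. Only the check that keeps state about behaviour across requests separates the two flood sources from the three normal clients; in practice that aggregation is done by a DDoS mitigation layer or in log analytics rather than by the packet-by-packet inspection the article describes.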