The firewall may actually fail before the server, but if there were enough resources on the firewall, it could, for example, proxy the TCP connection and not send bogus packets to the server. In your case it's probably only allowing access to the services you are running, which is good. Maybe see which device will route the most packets. You may like the device to block ports and set up VPN access.
Yes it will. My Cisco PIX has already stopped massive DDoS attacks. Can someone knowledgeable please help me?
Firewalls, especially the ones you are talking about, don't stop DDoS attacks, maybe just straight attacks that can be null-routed if the attacker is stupid and just uses one IP, and that is a big maybe. But otherwise firewalls are not designed at all, in any way, shape or form, to stop a DDoS/DoS attack. Some NetScreens on the higher levels might have some ability to, but when you get into that price range it's better to get a stand-alone DDoS appliance à la RioRey or a Cisco Guard.
The firewalls you are talking about have a max packets-per-second rate which any real "massive" attack will easily clobber and bring the box down; the other thing is they both have 100 Mbps max uplinks, which any real massive attack will clobber and bring that device down. So either way it's lose-lose.
Firewalls are designed primarily for one thing: to NAT/route, close off unwanted ports, and provide logging via syslog to an off-device server that someone is attacking this port.
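As an added example (not code from anyone in this thread), here is a small Python triage over constructed PIX/ASA syslog deny lines (message 106023, the kind of off-device syslog feed mentioned above) that separates the single-source case the poster says can be null-routed from a spread across many sources; the regex, thresholds and sample addresses are assumptions.

```python
import re
from collections import Counter

# Cisco PIX/ASA syslog message 106023 (ACL deny). The regex is an assumption
# for this example; adjust it to the exact format your device emits.
DENY_RE = re.compile(
    r"%(?:PIX|ASA)-4-106023: Deny (?P<proto>\w+) "
    r"src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample lines using TEST-NET addresses, not a real capture.
SAMPLE_LOG = [
    f"%PIX-4-106023: Deny tcp src outside:203.0.113.5/{40000 + i} "
    "dst inside:10.0.0.10/80 by access-group outside_in"
    for i in range(9)
] + [
    "%PIX-4-106023: Deny tcp src outside:198.51.100.7/5111 "
    "dst inside:10.0.0.10/22 by access-group outside_in",
    "%PIX-6-302013: Built outbound TCP connection 12 for outside:198.51.100.9/443",
]

def count_denies(lines):
    """Return (denies per source IP, denies per destination port); other lines are skipped."""
    per_src, per_port = Counter(), Counter()
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            per_src[m["src"]] += 1
            per_port[m["dport"]] += 1
    return per_src, per_port

def classify(per_src, min_events=5, single_share=0.9):
    """Triage (thresholds are assumptions): one dominant source is the case
    that can be null-routed upstream; many sources is the distributed case
    an ACL-only firewall will not absorb on its own."""
    total = sum(per_src.values())
    if total < min_events:
        return "quiet"
    top_ip, top_count = per_src.most_common(1)[0]
    if top_count / total >= single_share:
        return f"single-source:{top_ip}"
    return f"distributed:{len(per_src)}-sources"

def analyze(lines):
    per_src, per_port = count_denies(lines)
    return classify(per_src), per_src, per_port

if __name__ == "__main__":
    verdict, per_src, per_port = analyze(SAMPLE_LOG)
    print(verdict, dict(per_src), dict(per_port))
```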