Firewall > Access Rules
430
SonicOS Enhanced 4.0 Administrator Guide
Coupled with IPS, this can be used to mitigate the spread of a certain class of malware as
exemplified by Sasser, Blaster, and Nimda. These worms propagate by initiating connections
to random addresses at atypically high rates. For example, each host infected with Nimda
attempted 300 to 400 connections per second, Blaster sent 850 packets per second, and
Sasser was capable of 5,120 attempts per second. Typical, non-malicious network traffic
generally does not establish anywhere near these numbers, particularly when it is Trusted -
>Untrusted traffic (i.e. LAN->WAN). Malicious activity of this sort can consume all available
connection-cache resources in a matter of seconds, particularly on smaller appliances.
The following table delineates the connection-cache size of currently available SonicWALL
devices running SonicOS Enhanced (numbers are subject to change):
In addition to mitigating the propagation of worms and viruses, Connection limiting can be used
to alleviate other types of connection-cache resource consumption issues, such as those posed
by uncompromised internal hosts running peer-to-peer software (assuming IPS is configured to
allow these services), or internal or external hosts using packet generators or scanning tools.
Finally, connection limiting can be used to protect publicly available servers (e.g. web-servers)
by limiting the number of legitimate inbound connections permitted to the server (i.e. to protect
the server against the Slashdot-effect). This is different from SYN flood protection which
attempts to detect and prevent partially-open or spoofed TCP connection. This will be most
applicable for Untrusted traffic, but it can be applied to any Zone traffic as needed.
Connection limiting is applied by defining a percentage of the total maximum allowable
connections that may be allocated to a particular type of traffic. The above figures show the
default LAN ->WAN setting, where all available resources may be allocated to LAN->WAN (any
source, any destination, any service) traffic.
More specific rules can be constructed; for example, to limit the percentage of connections that
can be consumed by a certain type of traffic (e.g. FTP traffic to any destination on the WAN),
or to prioritize important traffic (e.g. HTTPS traffic to a critical server) by allowing 100% to that
class of traffic, and limiting general traffic to a smaller percentage (minimum allowable value is
1%).
Note It is not possible to use IPS signatures as a connection limiting classifier; only Access Rules
(i.e. Address Objects and Service Objects) are permissible.
Access Rule Configuration Examples
This section provides configuration examples on adding network access rules:
“Enabling Ping” section on page 431
“Blocking LAN Access for Specific Services” section on page 431
“Enabling Bandwidth Management on an Access Rule” section on page 431
SonicWALL Security
Appliance Connection Cache
Maximum
PRO 4060 524,288
PRO 5060 750,000