Article Applies To:

SonicWALL Security Appliance Platforms:

Gen5: NSA E8500, NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 2400MX, NSA 240
Gen5 TZ Series: TZ 100, TZ 100 Wireless, TZ 200, TZ 200 W, TZ 210, TZ 210 Wireless

Firmware/Software Version:
SonicOS Enhanced versions 5.6.3.0 and above.
Services: Access Rules


Feature Overview:

The Connection Limiting feature is intended to offer an additional layer of security and control when coupled with SonicOS features such as SYN Cookies and Intrusion Prevention Services (IPS). Connection Limiting provides a means of throttling connections through the SonicWALL. Until now, Connection Limiting provided global control of the number of connections for each IP address and was configured in the Access Rules by declaring the maximum percentage of the total available connection cache that could be allocated to that class of traffic.

Connection Limiting version 2 is a major enhancement designed to make this control more granular, so that the SonicWALL administrator can configure connection limiting more flexibly. Connection Limiting v2 uses Firewall Access Rules, letting the administrator choose the IP address, the Service, and the traffic direction to which a connection limit applies.


Configuration:

Connection Limiting is configured under Firewall > Access Rules. Select the desired direction of traffic (LAN to WAN, DMZ to LAN, WAN to LAN, etc.). To enforce a connection limit, either edit an existing rule or create a new rule, and then click the Advanced tab.

For example, if the rule is from LAN to WAN, the option Enable connection limit for each Source IP Address refers to the source IP addresses of hosts on the LAN. The Threshold is the maximum number of connections permitted for each host on the LAN.

Likewise, Enable connection limit for each Destination IP Address refers to the destination IP addresses of hosts on the WAN side of the SonicWALL. The Threshold is the maximum number of connections permitted to each destination IP address.

The option Number of connections allowed (% of maximum connections) is the percentage of the maximum number of connections supported by that device (its connection-cache size).

The following table delineates the connection-cache size of currently available SonicWALL devices running SonicOS Enhanced with Unified Threat Management (UTM) security services enabled or disabled (numbers are subject to change):

SonicWALL Security Appliance    Full UTM     No UTM
NSA 240                           12,500     25,000
NSA 240 (Expanded License)        17,500     35,000
NSA 2400                          32,000     48,000
NSA 3500                          65,535    131,071
NSA 4500                         131,072    524,288
NSA 5000                         131,072    600,000
NSA E5500                        153,600    600,000
NSA E6500                        204,900    750,000
NSA E7500                        500,000  1,000,000
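The following added example (not SonicWALL code) models the two Advanced-tab options above as per-source and per-destination counters, derives an absolute threshold from the percentage setting using the Full UTM column of the table, and runs a constructed LAN to WAN scenario in which one host behaves normally and another opens connections at worm-like rates. All IP addresses and the simulated counts are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Full UTM connection-cache sizes, copied from the table above.
CACHE_FULL_UTM = {"NSA 240": 12_500, "NSA 2400": 32_000, "NSA 3500": 65_535}

def threshold_from_percent(model: str, percent: float) -> int:
    """Absolute per-IP limit implied by 'Number of connections allowed (% of maximum connections)'."""
    return int(CACHE_FULL_UTM[model] * percent / 100)

@dataclass
class ConnectionLimiter:
    """One Access Rule with the Advanced-tab limits enabled.
    src_limit: 'Enable connection limit for each Source IP Address' threshold.
    dst_limit: 'Enable connection limit for each Destination IP Address' threshold (None = off)."""
    src_limit: Optional[int] = None
    dst_limit: Optional[int] = None
    per_src: Counter = field(default_factory=Counter)
    per_dst: Counter = field(default_factory=Counter)
    dropped: Counter = field(default_factory=Counter)  # drops, keyed by source IP

    def open(self, src: str, dst: str) -> bool:
        """Admit a new connection (True) or drop it because a threshold is reached (False)."""
        if self.src_limit is not None and self.per_src[src] >= self.src_limit:
            self.dropped[src] += 1
            return False
        if self.dst_limit is not None and self.per_dst[dst] >= self.dst_limit:
            self.dropped[src] += 1
            return False
        self.per_src[src] += 1
        self.per_dst[dst] += 1
        return True

    def close(self, src: str, dst: str) -> None:
        """A closed connection frees its slot in both counters."""
        self.per_src[src] -= 1
        self.per_dst[dst] -= 1

def simulate_lan_to_wan(limit: int) -> dict:
    """Constructed LAN -> WAN scenario: a normal host and a host scanning many addresses."""
    fw = ConnectionLimiter(src_limit=limit)
    for i in range(20):                      # normal host: 20 connections, 2 later closed
        fw.open("10.0.0.5", f"198.51.100.{i % 4}")
    for i in range(2):
        fw.close("10.0.0.5", f"198.51.100.{i}")
    for i in range(400):                     # infected host: 400 attempts to 254 distinct hosts
        fw.open("10.0.0.66", f"203.0.113.{i % 254 + 1}")
    return {"normal_active": fw.per_src["10.0.0.5"],
            "infected_active": fw.per_src["10.0.0.66"],
            "infected_dropped": fw.dropped["10.0.0.66"]}
```

With a per-source threshold of 50, the normal host keeps its 18 active connections while the scanning host is capped at 50 and has its remaining 350 attempts dropped; the percentage form of the same setting on an NSA 240 (12,500 cache, Full UTM) at 1% yields a threshold of 125.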


Background:

Coupled with IPS, Connection Limiting can be used to mitigate the spread of a certain class of malware, as exemplified by Sasser, Blaster, and Nimda. These worms propagate by initiating connections to random addresses at atypically high rates. For example, each host infected with Nimda attempted 300 to 400 connections per second, Blaster sent 850 packets per second, and Sasser was capable of 5,120 attempts per second. Typical, non-malicious network traffic generally does not establish anywhere near these numbers, particularly when it is Trusted > Untrusted traffic (i.e., LAN -> WAN). Malicious activity of this sort can consume all available connection-cache resources in a matter of seconds, particularly on smaller appliances.

In addition to mitigating the propagation of worms and viruses, Connection Limiting can be used to alleviate other types of connection-cache resource consumption, such as that caused by uncompromised internal hosts running peer-to-peer software (assuming IPS is configured to allow these services), or by internal or external hosts using packet generators or scanning tools.

Finally, Connection Limiting can be used to protect publicly available servers (e.g., Web servers) by limiting the number of legitimate inbound connections permitted to the server (i.e., to protect the server against the Slashdot effect). This is different from SYN flood protection, which attempts to detect and prevent partially-open or spoofed TCP connections. This is most applicable to Untrusted traffic, but it can be applied to traffic between any zones as needed.