Threshold Rules; Overview; Connection Rate/Total Connection Limiting; Grouping - D-Link NetDefend DFL-210 User Manual

10.2. Threshold Rules

10.2. Threshold Rules

10.2.1. Overview

The objective of a Threshold Rule is to have a means of detecting abnormal connection activity as
well as reacting to it. An example of a cause for such abnormal activity might be an internal host
becoming infected with a virus that is making repeated connections to external IP addresses. It
might alternatively be some external source trying to open excessive numbers of connections. (A
"connection" in this context refers to all types of connections, such as TCP, UDP or ICMP, tracked
by the NetDefendOS state-engine).
A Threshold Rule is like a normal policy based rule. A combination of source/destination
network/interface can be specified for a rule and a type of service such as HTTP can be associated
with it. Each rule can have associated with it one or more Actions which specify how to handle
different threshold conditions.
A Threshold has the following parameters:
• Action - The response to exceeding the limit: either Audit or Protect
• Group By - Either Host or Network based
• Threshold - The numerical limit which must be exceeded to trigger a response
• Threshold Type - Limiting connections per second or limiting total number of concurrent
connections
These parameters are described below:

10.2.2. Connection Rate/Total Connection Limiting

Connection Rate Limiting allows an administrator to put a limit on the number of new connections
being opened to the D-Link Firewall per second.
Total Connection Limiting allows the administrator to put a limit on the total number of connections
opened to the D-Link Firewall. This function is extremely useful when NAT pools are required due
to the large number of connections generated by P2P users.

10.2.3. Grouping

The two groupings are as follows:
• Host Based - The threshold is applied separately to connections from different IP addresses.
• Network Based - The threshold is applied to all connections matching the rules as a group.

10.2.4. Rule Actions

When a Threshold Rule is triggered one of two responses are possible:
• Audit - Leave the connection intact but log the event
• Protect - Drop the triggering connection
Logging would be the preferred option if the appropriate triggering value cannot be determined
beforehand. Multiple Actions for a given rule might consist of Audit for a given threshold while the
action might become Protect for a higher threshold.
279
Chapter 10. Traffic Management