Threshold rules – Amer Networks E5Web GUI User Manual

Page 684

10.3. Threshold Rules

Overview

The objective of a Threshold Rule is to provide a means of detecting abnormal connection activity
and reacting to it. One example of a cause of such abnormal activity is an internal host that has
become infected with a virus and is making repeated connections to external IP addresses. Another
is an external source trying to open an excessive number of connections. (A "connection" in this
context refers to all types of connections, such as TCP, UDP or ICMP, that are tracked by the cOS
Core state engine.)

Threshold Policies

A Threshold Rule is like the other policy-based rules found in cOS Core: a combination of
source/destination network/interface can be specified for the rule, and a type of service such as
HTTP can be associated with it. Each rule can have one or more Actions associated with it, and
these specify how the different threshold conditions are handled.

A Threshold Rule has the following parameters associated with it:

Action

This is the response of the rule when the limit is exceeded. Either the option Audit or Protect
can be selected. These options are explained in more detail below.

Group By

The rule can be either Host or Network based. These options are explained below.

Threshold

This is the numerical limit which must be exceeded for the action to be triggered.

Threshold Type

The rule can be specified to either limit the number of connections per second or limit the
total number of concurrent connections.

Limiting the Connection Rate

Connection Rate Limiting allows an administrator to put a limit on the number of new
connections being opened to the Clavister Security Gateway per second.

Limiting the Total Connections

Total Connection Limiting allows the administrator to put a limit on the total number of
connections opened to the Clavister Security Gateway.

This function is extremely useful when NAT pools are required due to the large number of
connections generated by P2P users.
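The parameters described above (Action, Group By, Threshold and Threshold Type) are easiest to understand by watching them applied to a stream of connection events. The following is an added simulation written for this page, not cOS Core code and not the manual's own example. It assumes, for the purpose of the demonstration, that Audit only logs a threshold breach while Protect logs it and also refuses the new connection, and it simplifies rule matching to a source-network filter; the rule names, addresses and event timings are constructed sample data.

```python
"""Simulation of threshold-rule evaluation (constructed example, not cOS Core code).

Models the four parameters on this page: Action (Audit/Protect), Group By
(Host/Network), Threshold, and Threshold Type (connection rate per second or
total concurrent connections).  Assumed here: Audit only logs the event and lets
the connection through, Protect logs and also refuses the new connection.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Tuple


@dataclass
class ThresholdRule:
    name: str
    source_net: str         # connections are matched by source network (simplified rule filter)
    action: str             # "Audit" or "Protect"
    group_by: str           # "Host" or "Network"
    threshold: int          # limit that must be exceeded to trigger the action
    threshold_type: str     # "ConnectionRate" or "TotalConnections"


@dataclass
class ThresholdMonitor:
    rule: ThresholdRule
    open_conns: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    attempts: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    log: List[str] = field(default_factory=list)

    def _group_key(self, src_ip: str) -> str:
        # Host: every source address is counted separately.
        # Network: all hosts in the matched network share one counter.
        return src_ip if self.rule.group_by == "Host" else self.rule.source_net

    def on_event(self, ts: float, src_ip: str, event: str) -> str:
        """Feed one state-engine event ("open" or "close"); returns the verdict."""
        if ip_address(src_ip) not in ip_network(self.rule.source_net):
            return "no-match"
        key = self._group_key(src_ip)
        if event == "close":
            self.open_conns[key] = max(0, self.open_conns[key] - 1)
            return "allow"

        if self.rule.threshold_type == "ConnectionRate":
            # Sliding one-second window of new-connection attempts per group.
            window = self.attempts[key]
            while window and ts - window[0] >= 1.0:
                window.popleft()
            window.append(ts)
            count = len(window)
        else:
            # Number of concurrent connections the new one would bring the group to.
            count = self.open_conns[key] + 1

        if count > self.rule.threshold:
            self.log.append(
                f"{ts:.1f} rule={self.rule.name} group={key} "
                f"{self.rule.threshold_type}={count} threshold={self.rule.threshold} "
                f"action={self.rule.action}"
            )
            if self.rule.action == "Protect":
                return "drop"
        self.open_conns[key] += 1
        return "allow"


def run_rate_demo() -> List[str]:
    """Host-grouped rate limit of 3 new connections/second with Protect."""
    rule = ThresholdRule("p2p-rate", "192.0.2.0/24", "Protect", "Host", 3, "ConnectionRate")
    mon = ThresholdMonitor(rule)
    events = [  # constructed sample: one host bursts, another is quiet
        (0.0, "192.0.2.10", "open"), (0.1, "192.0.2.10", "open"),
        (0.2, "192.0.2.10", "open"), (0.3, "192.0.2.10", "open"),  # 4th in 1s -> dropped
        (0.4, "192.0.2.20", "open"), (1.5, "192.0.2.10", "open"),  # window has expired
        (2.0, "198.51.100.5", "open"),                             # outside the rule's network
    ]
    return [mon.on_event(*e) for e in events]


def run_total_demo() -> Tuple[List[str], List[str]]:
    """Network-grouped cap of 5 concurrent connections with Audit only."""
    rule = ThresholdRule("nat-pool-cap", "192.0.2.0/24", "Audit", "Network", 5, "TotalConnections")
    mon = ThresholdMonitor(rule)
    events = [  # constructed sample: several hosts share one NAT pool counter
        (0.0, "192.0.2.10", "open"), (0.1, "192.0.2.10", "open"), (0.2, "192.0.2.10", "open"),
        (0.3, "192.0.2.20", "open"), (0.4, "192.0.2.20", "open"),
        (0.5, "192.0.2.30", "open"),   # 6th concurrent -> exceeds 5, logged but allowed
        (0.6, "192.0.2.10", "close"),  # back to 5
        (0.7, "192.0.2.40", "open"),   # 6th again -> logged again
    ]
    verdicts = [mon.on_event(*e) for e in events]
    return verdicts, mon.log


if __name__ == "__main__":
    print(run_rate_demo())
    verdicts, log = run_total_demo()
    print(verdicts)
    print("\n".join(log))
```

The two demonstrations show the difference the Group By setting makes: in the rate example each host is judged on its own, so the quiet host at 192.0.2.20 is unaffected by its bursting neighbour, while in the total-connections example every host in 192.0.2.0/24 draws on one shared counter, which is the behaviour wanted when the limit protects a NAT pool rather than a single client.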

The Group By Setting

The two groupings allowed are as follows:

Chapter 10: Traffic Management
