Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
361
Views
6
Helpful
3
Replies

Limiting connection for inside hosts

David Lin
Level 1
Level 1

‎09-30-2009 01:11 PM - edited ‎03-11-2019 09:21 AM

Hi all,

I got a problem in the firewall network. One of the inside servers got virus and generated a huge TCP connections with other unknown hosts outside. Eventually, it depleted the connection resource and made the ASA5520 frozen. I had to disconnect that server from the network but it caused a service outage indeed.

Is there any way to prevent such issue on the firewall? Thank you.

Labels:
0 Helpful
3 Replies 3

JORGE RODRIGUEZ
Level 10
Level 10

‎09-30-2009 02:37 PM

Hi David,

In my opinion there is not whole a lot you can do in the firewall for this particular scenario, unless you know the ports and outside IP to block them, but even then it is hard to act quickly when you are trying to identify what's going on.

You can fine tune the ASA with respect to how the firewall can treat connection behaviors shown in this link but still you need that additional mechanism as preventive measure like Cisco NAC (Network Admission Control) or AIP-SSM IPS Module solution. https://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml .

In your case you have an already infected system in the inside of your network that most of the time folks don't know how it got there, the connections are initiated from infected system inside to outside and firewall thinks is legit traffic ,unless you have other mechanisms in place internally,the internal network can still be vulnerable.NAC would have quarentine that system in an isolated VLAN for example.

NAC solution

http://www.cisco.com/en/US/products/ps6128/index.html

ASA AIP-SSM IPS solution

https://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/data_sheet_c78-459036_ps4077_Products_Data_Sheet.html

Regards

Jorge Rodriguez

rbays@angelo.edu
Level 1
Level 1

‎09-30-2009 05:58 PM

Maybe I'm missing something, but have you looked into using the concurrent TCP connection limitation feature of static or dynamic NATs? I use this in our residential networks to limit tcp connections from our residents. The limitation implemented on a static would look something like this:

static (inside,outside) X.X.X.X Y.Y.Y.Y netmask 255.255.255.255 tcp 100.

Use this with caution though. Based on the services that you offer from a server it could be possible for to exceed 100 concurrent connections under normal operation. Do some investigations before arbitrarily setting a limitation. Best of luck.

David Lin
Level 1
Level 1
In response to rbays@angelo.edu

‎10-01-2009 12:05 PM

Hum, that parameter should help if it effects to outbound connection. I will check and test that though.

But I may not be able to apply it in PAT entry since it will block every inside servers.

Thanks anyway.

configure mode commands/options:

<0-65535> The maximum number of simultaneous TCP connections the local IP hosts are to allow, default is 0 which means unlimited connections. Idle connections are closed after the time specified by the timeout conn command

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card