Rate limiting Firebox VPN and Outlook Web Access Connections

We're using a Firebox to protect our internal network and want to rate limit the incoming VPN connections (20 max at any one time) and also the connections to our internal Exchange 2013 server which supports around 200 users.

This is undoubtedly a nooby question but what would be an appropriate rate limit to set for those two instances to protect us from brute force password attacks?




    FYI - a rate limit won't protect you from brute force password attacks. All it can do is to slow them down somewhat and possibly discard some of the userid/password combination attempts.

    I believe that OWA sessions are long running sessions, so for 200 OWA users you could try a fairly low value. However, make sure that you have notifications set up so that you can find out when this threshold is being reached, and adjust up as needed.

    What type of VPN connection are your users using?

    edited February 2022

    Thanks for taking the time to respond Bruce. We're using SSL via the WatchGuard client on our remote machines. We are a charity and were offered a freebie penetration test which highlighted our vulnerability to brute force attacks, so it's something that we need to address.

    What would you consider to be a low value for OWA? I'm assuming from what you have said that a rate limit will restrict the number of new connections made per second. If that's the case then I suspect we could make it very low as we rarely have more than 20 users connected to OWA at the same time.

    Thanks, Bob


    So did the pen test folks indicate the rate that they tested or did they just blast away?
    Did they indicate the rate that they were able to achieve?

    Before setting a value, you should turn on Logging on whatever policy allows the OWA access, see how many log entries you get for a period of time in Traffic Monitor, and then see how many there are per second.
    This way you will get an understanding of real world use at your site and will be able to choose a value which gives you a sense of protection without affecting your users.

    For IPSec policies for 20 users, it is more difficult without understanding what they can access over the VPN connection.
    If they can get to the Internet, some web sites, on an initial page access can cause the loading of dozens or more HTTP/HTTPS items, usually within a few seconds.
    For example, accessing www.abc.com, from my logs, there were 159 separate downloads of content on the initial page load, and hanging there for just a few seconds.


    So if I understand you correctly the rate limit is not simply about establishing any initial connection but it also applies to any subsequent traffic from the same or any other external IP address concurrently accessing the firewall? Most of our users will be remote desktopping to machines on our internal network and then browsing from there, but of course there will still be traffic from their remote machines. That traffic will also be rate limited? i.e. all incoming packets.

    Our pen tester was not specific only saying that he could attempt 10,000 connections to OWA in no time at all, not very helpful. What puzzled me was that when I checked the logs for failed logons to OWA there were less than 10 per second.

    james.carson Moderator, WatchGuard Representative

    If the pen tester attempted a connection flood, the firewall will allow connections up to your max per IP in Default Threat Protection, then discard any additional requests for that second.

    For example, if your max connections per second is 10, and the tester sends 10000 in one second, the first 10 will be allowed, and the subsequent 99,990 will be dropped. The counter resets every second, and the process repeats.

    -James Carson
    WatchGuard Customer Support


    The Rate Limit is for connections per second, not packets per second.
    The only way that I know of to identify a connection is from Traffic Monitor or the logs.
    One needs to use a proxy policy, have "Enable logging for reports" selected, and then look for the log entries with sent_bytes= rcvd_bytes= elapsed_time=.
    This is the summary log record created by "Enable logging for reports" being enabled, and it indicates the end of a connection.

    As I do not use OWA, I have no idea exactly how many of these connections are likely to be generated on an initial OWA session, which is probably the time of highest connections per OWA user.

    If you want to see all of the log records related to a connection, then do a Traffic Monitor search for the source port and dest port from a log entry.
    For example: "50939 443" (no quotes)
    50939 is the source port of the connection & 443 is the dest port.
    Usually just the source port is all that is needed for a Traffic Monitor search, but for logs over many hours/days it is safer to do the search for both.
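One way to do the sizing Bruce describes and to see the effect of the per-second counter James describes, as an added example that is not part of this thread and not a WatchGuard tool: it parses constructed, simplified summary records (the field layout, including the `elapsed_time="... sec(s)"` form, is an assumption), recovers each connection's start second from the timestamp minus elapsed_time, reports the peak new connections per second per source IP, and models a per-IP per-second limit against the same records.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed, simplified Firebox-style log lines. Only the five with sent_bytes=,
# rcvd_bytes= and elapsed_time= are end-of-connection summary records; the last
# line is a per-request proxy entry and is deliberately ignored. Format assumed.
SAMPLE_LOG = """\
2022-02-10 09:00:05 Allow 203.0.113.5 10.0.0.20 50939 443 sent_bytes="1450" rcvd_bytes="98210" elapsed_time="4.100 sec(s)"
2022-02-10 09:00:05 Allow 203.0.113.5 10.0.0.20 50940 443 sent_bytes="610" rcvd_bytes="2200" elapsed_time="3.900 sec(s)"
2022-02-10 09:00:05 Allow 198.51.100.9 10.0.0.20 41200 443 sent_bytes="900" rcvd_bytes="4100" elapsed_time="0.200 sec(s)"
2022-02-10 09:00:05 Allow 198.51.100.9 10.0.0.20 41201 443 sent_bytes="880" rcvd_bytes="3900" elapsed_time="0.100 sec(s)"
2022-02-10 09:00:05 Allow 198.51.100.9 10.0.0.20 41202 443 sent_bytes="870" rcvd_bytes="3950" elapsed_time="0.100 sec(s)"
2022-02-10 09:00:05 Allow 203.0.113.5 10.0.0.20 50943 443 msg="ProxyAllow: HTTP Request"
"""

SUMMARY_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ (?P<src>\S+) \S+ (?P<sport>\d+) (?P<dport>\d+) '
    r'.*sent_bytes="\d+".*rcvd_bytes="\d+".*elapsed_time="(?P<elapsed>[\d.]+)'
)

def parse_summary_records(log_text):
    """One record per connection-end line; the start second is end time minus elapsed_time."""
    records = []
    for line in log_text.splitlines():
        m = SUMMARY_RE.match(line)
        if not m:
            continue  # not a summary record (no sent/rcvd/elapsed fields)
        end = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        start = (end - timedelta(seconds=float(m["elapsed"]))).replace(microsecond=0)
        records.append({"start": start, "src": m["src"], "sport": int(m["sport"])})
    return records

def peak_rate(records):
    """Highest number of new connections from a single source IP within one second."""
    counts = Counter((r["start"], r["src"]) for r in records)
    return max(counts.values()) if counts else 0

def simulate_limit(records, max_per_second):
    """Per-IP counter that resets every second: the first max_per_second new
    connections in a second are allowed, the rest dropped. Returns (allowed, dropped)."""
    seen, allowed, dropped = Counter(), 0, 0
    for r in sorted(records, key=lambda r: r["start"]):
        seen[(r["start"], r["src"])] += 1
        if seen[(r["start"], r["src"])] <= max_per_second:
            allowed += 1
        else:
            dropped += 1
    return allowed, dropped

if __name__ == "__main__":
    recs = parse_summary_records(SAMPLE_LOG)
    print("summary records:", len(recs), "peak new conns/sec from one IP:", peak_rate(recs))
    print("limit 2/sec -> (allowed, dropped):", simulate_limit(recs, 2))
```

Counting by end timestamp alone would show all five connections in the same second; recovering the start second is what gives the rate the limit actually counts.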
