Re: [FW-1] tcp session timeout
There are three issues here:

First, the security itself will not necessarily be compromised. As always there is the danger of session hijacking, i.e. someone interjecting spoofed packets between the client and server. This kind of attack requires specific knowledge of the open connection, i.e. port numbers and sequence numbers. Generally speaking the attacker has to be in the packet path between the machines. In practice this is not a script kiddie attack. An 8-hour timeout would give a longer window of opportunity to notice a connection and exploit it, but this doesn't really compromise the security.

Second, as Randy mentioned, there's the possibility of DoS against the connections table. The connections table tracks all open connections, both UDP and TCP. Filling the connections table causes a tremendous slow-down on the rate the firewall will process new connections.

Finally, there's the consideration of the traffic. The times I've seen the need for a longer TCP timeout, it's been because FW-1 dropped an FTP control session while a long file was transferring. Often this occurs in the middle of a script in the middle of the night. If you only need a longer timeout for a specific service, this procedure is fairly easy - and you won't lose sleep over what's happening to your other protocols.

Regards,
-Jim MacLeod

At 09:44 AM 1/24/2002, you wrote:
> What is the security risk to setting tcp session timeout to 8 hours?
> Currently, I have it set at 1 hour.
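The two operational points in the reply (a longer global idle timeout means more entries sit in the connections table, and a per-service timeout can keep one long-lived FTP control session alive without touching everything else) can be seen with a small model of a stateful connection table. The code below is an added example and is not from the thread or from Check Point FW-1; the `ConnTable` class, the service-to-timeout mapping, the IP addresses and ports, and the packet traces are all constructed for illustration.

```python
"""Toy model of a stateful firewall connection table with idle timeouts.

Added example, not FW-1 code. Entries are keyed by flow and removed once
they have been idle for their timeout. A per-destination-port override
(an assumption here, standing in for a per-service timeout) lets one
service keep a longer timeout than the global default.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class ConnTable:
    def __init__(self, default_timeout, per_service=None):
        self.default_timeout = default_timeout          # seconds of idle time
        self.per_service = per_service or {}            # dport -> idle timeout
        self.last_seen = {}                             # Flow -> last packet time

    def timeout_for(self, flow):
        return self.per_service.get(flow.dport, self.default_timeout)

    def packet(self, now, flow):
        """Record a packet: create or refresh the table entry."""
        self.last_seen[flow] = now

    def active(self, now):
        """Expire idle entries (lazily) and return the surviving flows."""
        expired = [f for f, t in self.last_seen.items()
                   if now - t >= self.timeout_for(f)]
        for f in expired:
            del self.last_seen[f]
        return set(self.last_seen)


def flood_table_size(new_conns_per_second, idle_timeout, duration):
    """Short-lived connections (one packet each, never closed) arriving at a
    steady rate. Returns how many entries remain at the time of the last
    arrival: roughly rate * timeout, capped by how long the flood has run.
    Source address and ports are constructed."""
    table = ConnTable(idle_timeout)
    i = 0
    for now in range(duration):
        for _ in range(new_conns_per_second):
            table.packet(now, Flow("203.0.113.7", 1024 + i, "192.0.2.10", 80))
            i += 1
    return len(table.active(duration - 1))


def ftp_transfer_trace(transfer_seconds, data_interval=10):
    """Constructed trace: one FTP control connection that goes quiet while a
    separate data connection carries a long transfer. Ports are assumed."""
    ctrl = Flow("10.0.0.5", 40001, "192.0.2.10", 21)
    data = Flow("10.0.0.5", 40002, "192.0.2.10", 20)
    events = [(0, ctrl)]
    events += [(t, data) for t in range(1, transfer_seconds + 1, data_interval)]
    return ctrl, events


def control_session_survives(default_timeout, per_service=None,
                             transfer_seconds=7200):
    """True if the idle FTP control entry is still in the table when the
    two-hour transfer finishes."""
    ctrl, events = ftp_transfer_trace(transfer_seconds)
    table = ConnTable(default_timeout, per_service)
    for t, flow in events:
        table.packet(t, flow)
    return ctrl in table.active(transfer_seconds)


if __name__ == "__main__":
    hour = 3600
    print("entries after 2h flood, 1h timeout:", flood_table_size(1, hour, 2 * hour))
    print("entries after 2h flood, 8h timeout:", flood_table_size(1, 8 * hour, 2 * hour))
    print("FTP control survives, 1h global:", control_session_survives(hour))
    print("FTP control survives, 1h global + 8h for port 21:",
          control_session_survives(hour, {21: 8 * hour}))
```

With one new connection per second, the table holds about `rate * timeout` entries once the flood has run longer than the timeout, so raising the global timeout from 1 to 8 hours raises the steady-state occupancy (and the exposure to a table-filling DoS) by the same factor. The FTP case shows the alternative the reply recommends: the control session dropped under a 1-hour global timeout survives when only port 21 is given the longer timeout, while every other service keeps the shorter one.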