
Re: [FW-1] tcp session timeout



There are three issues here:

First, the security itself will not necessarily be compromised.  As always
there is the danger of session hijacking, i.e. someone interjecting spoofed
packets between the client and server.  This kind of attack requires
specific knowledge of the open connection, i.e. port numbers and sequence
numbers.  Generally speaking the attacker has to be in the packet path
between the machines.  In practice this is not a script kiddie attack.  An
8-hour timeout would give a longer window of opportunity to notice a
connection and exploit it, but this doesn't really compromise the security.

Second, as Randy mentioned, there's the possibility of DoS against the
connections table.  The connections table tracks all open connections, both
UDP and TCP.  Filling the connections table causes a tremendous slow-down
on the rate the firewall will process new connections.

Finally, there's the consideration of the traffic.  The times I've seen the
need for a longer TCP timeout, it's been because FW-1 dropped an FTP
control session while a long file was transferring.  Often this occurs in
the middle of a script in the middle of the night.  If you only need a
longer timeout for a specific service, this procedure is fairly easy - and
you won't lose sleep over what's happening to your other protocols.

Regards,
-Jim MacLeod

At 09:44 AM 1/24/2002, you wrote:
What is the security risk to setting tcp session
timeout to 8 hours?  Currently, I have it set at 1
hour.

Yim
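A small model of the trade-off Jim describes, added here as an illustration and not part of the original post or of FW-1 itself: a stateful connections table with a global TCP idle timeout plus an optional per-service override. It shows that giving only the FTP control port the 8-hour timeout keeps an idle control session alive during a long transfer, while a flood of connections that never close grows the table in proportion to the timeout they are given. Timeouts, hosts and rates are constructed sample values.

```python
"""Model of a stateful firewall connections table with per-service idle timeouts."""
from dataclasses import dataclass, field

DEFAULT_TCP_TIMEOUT = 3600        # global TCP idle timeout: 1 hour (the poster's current setting)
FTP_CONTROL_TIMEOUT = 8 * 3600    # long timeout, applied only to the FTP control port (21)


@dataclass
class ConnTable:
    timeouts: dict                                 # destination port -> idle timeout override (seconds)
    default: int = DEFAULT_TCP_TIMEOUT             # timeout for every service without an override
    entries: dict = field(default_factory=dict)    # (src, dst, conn_id, dport) -> last-seen time

    def see(self, key, now):
        """Record a packet for this connection; an existing entry is refreshed."""
        self.entries[key] = now

    def expire(self, now):
        """Drop entries idle longer than their service's timeout; return the table size."""
        self.entries = {k: last for k, last in self.entries.items()
                        if now - last <= self.timeouts.get(k[3], self.default)}
        return len(self.entries)


def ftp_control_survives(timeouts, default=DEFAULT_TCP_TIMEOUT, transfer_seconds=3 * 3600):
    """Idle FTP control session while a long data transfer keeps a separate entry busy."""
    table = ConnTable(timeouts, default)
    ctrl = ("10.0.0.5", "192.0.2.10", 40000, 21)   # constructed client/server pair
    data = ("10.0.0.5", "192.0.2.10", 40001, 20)
    table.see(ctrl, now=0)                         # last command sent before the transfer began
    for t in range(60, transfer_seconds, 60):      # data channel traffic once a minute
        table.see(data, t)
        table.expire(t)
    return ctrl in table.entries


def table_size_under_flood(timeouts, default=DEFAULT_TCP_TIMEOUT,
                           per_step=1000, step=600, duration=24 * 3600):
    """Peak table size when `per_step` connections to port 80 are opened every `step`
    seconds and none of them ever closes cleanly (each entry only ages out)."""
    table = ConnTable(timeouts, default)
    peak = 0
    for t in range(0, duration, step):
        for i in range(per_step):
            # conn_id stands in for the ephemeral source port so each entry is distinct
            table.see(("203.0.113.7", "192.0.2.10", t * per_step + i, 80), t)
        peak = max(peak, table.expire(t))
    return peak
```

With only port 21 overridden, the control session survives and the flood still ages out at the 1-hour default; raising the global timeout to 8 hours instead multiplies the steady-state table size by the same factor.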
