Re: [FW-1] TCP connection timeout
Very interesting information indeed, but sometimes you can't ask a reseller to add a keep-alive in its apps (try it with Oracle, Microsoft, or others, and good luck ...). We had some trouble here with database connections (UDP), and we were forced to increase the timeout. But of course if you can recode the apps, it's the best solution.

Regards,
Nicolas Figaro

-----Original Message-----
From: Siddhartha Jain(IT) [mailto:[email protected]]
Sent: Monday, 28 July 2003 11:38
To: [email protected]
Subject: Re: [FW-1] TCP connection timeout

Hi Navin,

Consider this before you try to increase the TCP timeout. Increasing the default TCP timeout can have two repercussions:

1. Session hijack attack - A session entry is created in Firewall-1 for TCP connections when two hosts are communicating. Increasing the TCP timeout value will allow an attacker to hijack sessions. For this attack to succeed, the attacker must know the contents of the state table and should be able to spoof the IP addresses of the session. Practically, it might be difficult because it requires a very high skill level and collusion with one of the security staff to gain knowledge of the state table.

2. Performance/Denial of Service - Increasing the TCP timeout value will cause the number of stale sessions in the firewall at any given point in time to increase. This will increase resource utilization on the firewall. A large number of stale sessions will cause firewall performance to decrease, and as the number of connections increases, the increase in TCP timeout may very well turn into a denial of service. If the performance of the firewall degrades it may stop accepting any further connections, leading to disruption of services.

It's better if you set a keep-alive routine in your app rather than do it in the firewall.
HTH,
Siddhartha Jain
Certified Information Systems Security Professional (CISSP)
IT Security Administrator
Bank Muscat (www.bankmuscat.com)
Phone: +968-768557

-----Original Message-----
From: Navin Mehra/MUM/IN/STTL [mailto:[email protected]]
Sent: Monday, July 28, 2003 1:08 PM
To: [email protected]
Subject: [FW-1] TCP connection timeout

Hi,

I want to increase my TCP connection/session timeout for specific services on my firewall. I am using Check Point NG and the maximum timeout value for a TCP service cannot be more than 24 hrs, i.e. 86400 seconds. Any idea on how I can bypass that value? I basically require this to connect to my database servers in a different segment than the application servers.

Thanks in advance.

Regards
Navin M

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================

"This email message is intended for the named recipient only. It may be privileged and/or confidential.
If you are not the intended named recipient of this email then you should not copy it or use it for any purpose, nor disclose its contents to any other person which is strictly prohibited and unlawful"
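The keep-alive that Siddhartha recommends over raising the firewall timeout, as an added example (this is not code from the thread, from Check Point, or from any of the posters): a Python client enables OS-level TCP keepalive on its connection to the database and checks that the first probe is sent before the firewall's idle timer would expire the session. The timer values and the 3600-second firewall timeout are assumed for illustration; the thread only states the 86400-second cap, and `connect_with_keepalive` / `self_check` are hypothetical helper names.

```python
"""Keep an idle TCP session alive through a stateful firewall by enabling
TCP keepalive on the client socket, and check the keepalive schedule against
the firewall's idle timeout before relying on it."""
import socket

# Constructed numbers for this example. The thread only says that Check Point
# NG caps the per-service TCP timeout at 86400 s; the 3600 s figure is an
# assumed firewall idle timeout, not a documented default.
FIREWALL_TCP_TIMEOUT = 3600
KEEPALIVE_IDLE = 600      # seconds of silence before the first probe
KEEPALIVE_INTERVAL = 60   # seconds between unanswered probes
KEEPALIVE_PROBES = 5      # unanswered probes before the socket reports an error


def keepalive_fits(idle, firewall_timeout):
    """True if a probe goes out before the firewall's idle timer expires.

    Only the idle period matters to the firewall: a keepalive probe is an
    ordinary ACK on the established connection and the peer's reply is
    traffic on the same session, so the state entry is refreshed every
    `idle` seconds for as long as the peer is alive. A probe scheduled at
    exactly firewall_timeout is already too late, hence the strict <.
    """
    return 0 < idle < firewall_timeout


def dead_peer_detection_time(idle, interval, probes):
    """Worst-case seconds between the last traffic and the error the
    application sees when the peer or the path is gone."""
    return idle + interval * probes


def configure_keepalive(sock, idle=KEEPALIVE_IDLE, interval=KEEPALIVE_INTERVAL,
                        probes=KEEPALIVE_PROBES):
    """Turn on SO_KEEPALIVE and set per-socket timers where the platform
    exposes them. Returns the options actually applied so the caller can log
    them. A timer that cannot be set per socket falls back to the host-wide
    default (net.ipv4.tcp_keepalive_* on Linux)."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": 1}
    if hasattr(socket, "TCP_KEEPIDLE"):          # Linux
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
        applied["TCP_KEEPIDLE"] = idle
    elif hasattr(socket, "TCP_KEEPALIVE"):       # macOS: idle time only
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPALIVE, idle)
        applied["TCP_KEEPALIVE"] = idle
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
        applied["TCP_KEEPINTVL"] = interval
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, probes)
        applied["TCP_KEEPCNT"] = probes
    if hasattr(socket, "SIO_KEEPALIVE_VALS"):    # Windows: idle/interval in ms
        sock.ioctl(socket.SIO_KEEPALIVE_VALS, (1, idle * 1000, interval * 1000))
        applied["SIO_KEEPALIVE_VALS"] = (idle * 1000, interval * 1000)
    return applied


def connect_with_keepalive(host, port, **timers):
    """Open the long-lived connection (e.g. application server to a database
    listener on the far side of the firewall) with keepalive set before the
    first query, so the session never sits silent past the firewall timeout."""
    sock = socket.create_connection((host, port))
    configure_keepalive(sock, **timers)
    return sock


def self_check():
    """Offline check: configure an unconnected TCP socket, read SO_KEEPALIVE
    back with getsockopt, and verify the schedule against the assumed timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        applied = configure_keepalive(sock)
        enabled = sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)
    finally:
        sock.close()
    return {
        "keepalive_enabled": enabled != 0,
        "applied": applied,
        "refreshes_before_firewall_timeout": keepalive_fits(KEEPALIVE_IDLE, FIREWALL_TCP_TIMEOUT),
        "dead_peer_detected_after": dead_peer_detection_time(
            KEEPALIVE_IDLE, KEEPALIVE_INTERVAL, KEEPALIVE_PROBES),
    }


if __name__ == "__main__":
    for key, value in self_check().items():
        print(f"{key}: {value}")
```

This addresses Nicolas's objection only partly: it works where you own the client code. For a vendor client that cannot be recoded, Linux exposes the same three timers host-wide as net.ipv4.tcp_keepalive_time, net.ipv4.tcp_keepalive_intvl and net.ipv4.tcp_keepalive_probes, but they take effect only on sockets that have SO_KEEPALIVE set, so a client that never enables it still needs the firewall-side change.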