topic Re: PIX TCP timeout in Network Security

PIX TCP timeout

rnance — Fri, 21 Feb 2020 06:49:14 GMT

We have some developers that have an application that they say needs to have the TCP timeout set to 4 hours (talking to some mainframe somewhere)and I need some ammunition/arguments that will show them how this is not a secure thing to do.

Re: PIX TCP timeout

tvanginneken — Wed, 25 Jun 2003 15:07:32 GMT

Hi,

I don't think that this is a real security problem for TCP connections because TCP headers include the sequence numbers of the packets.

It is not a good idea to do this for UDP connections since there are no sequence numbers inside the UCP header.

Regards,

Tom

Re: PIX TCP timeout

shannong — Wed, 25 Jun 2003 15:19:39 GMT

It's not really a security issue. However, if the firewall handles alot of sessions, it may significantly impact memory consumption and slightly on the CPU load.

What type of client and server? What protocol is used for connectivity?

*nix hosts can be configured to send keepalives. The client side app can be configured/written to send keepalives. This will prevent the timeouts on the firewall.