Virus.Org Mailing List Archive
Re: [VPN] Application timeouts over VPN...HELP!

  • To: [EMAIL PROTECTED]
  • Subject: Re: [VPN] Application timeouts over VPN...HELP!
  • From: "Dr T1meL0rD" <[EMAIL PROTECTED]>
  • Date: Fri, 11 Apr 2003 23:00:01 -0400
  • Sender: [EMAIL PROTECTED]

Please define "abnormally long"...

Yes, backups over a network connection, some SSH sessions (for SAs, DBAs, etc.), database instance backups, etc., usually require "longer than normal" timeouts, sometimes several hours in the case of backups. HOWEVER, these connections should be the extreme exception, rather than the rule.

Situations like this have resulted in verbal sparring with some of my clientele and their administrative staff, but I NEVER allow it to compromise the security of a system that they are paying me good money to protect. I have walked out of meetings because some requests were so over-the-top.

Typically, I will run a TCP connection up to 5 minutes, and it seems to work well, except in some of the occasions I mentioned above. Getting to know your customer's system is key. Cutting through the BS is usually a tougher nut, but is essential in trying to determine what _is_ necessary. Using UDP to circumvent the state issue will create more work for the developers in that more error-checking and error-handling code is necessary.

I definitely agree with Dana in that developers need to be a bit more judicious with the amount of time they allow connections to remain open. The less security savvy (usually the ones who roll their eyes and begin complaining when they hear a firewall is going to be implemented) typically are sloppier about maintaining state in the application, which is usually a prime reason _the_firewall_ is blamed for "breaking their application." IT managers with sufficient clue will suspect this to be the case.

BTW, however heavily I may use it in brief contact with individuals on a professional basis, I have never seen instant messaging as a requirement for a long time-out through a firewall on a production system. If you are putting a firewall only at the border with these requirements, I would certainly recommend defense-in-depth...


_______________________________________________
VPN mailing list
[EMAIL PROTECTED]
http://lists.shmoo.com/mailman/listinfo/vpn
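Added example, not part of the message above or of the list's own material: a small Python model of the behaviour the post describes, a stateful firewall that forgets a TCP flow after 5 minutes of silence, replayed against a session that goes quiet the way a long backup or idle SSH session does, plus the socket-level keepalive setting that keeps the firewall's state fresh without raising its timeout. The flow tuple, the idle gaps and the "probe at a third of the window" schedule are constructed assumptions; the TCP_KEEPIDLE/TCP_KEEPINTVL names are the Linux ones.

```python
import socket

FIREWALL_IDLE_TIMEOUT = 300  # the 5-minute TCP state timeout from the post

class StateTable:  # toy model of a stateful firewall's TCP connection table (constructed)
    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.last_seen = {}  # flow tuple -> time of the last packet seen

    def open(self, flow, now):
        self.last_seen[flow] = now  # handshake observed: state created

    def packet(self, flow, now):
        # a mid-stream packet passes only if state exists and has not idled out
        seen = self.last_seen.get(flow)
        if seen is None or now - seen >= self.idle_timeout:
            self.last_seen.pop(flow, None)  # state reaped: packet dropped
            return False
        self.last_seen[flow] = now
        return True

def simulate_session(idle_gaps, idle_timeout=FIREWALL_IDLE_TIMEOUT, keepalive_idle=None):
    """Replay a session as idle gaps (seconds of silence between application packets);
    with keepalive_idle set, a probe goes out every keepalive_idle seconds of silence."""
    assert keepalive_idle is None or keepalive_idle > 0, "keepalive_idle must be positive"
    table = StateTable(idle_timeout)
    flow = ("10.0.0.5", 40000, "10.0.1.9", 22)  # constructed sample flow (an SSH session)
    now = 0
    table.open(flow, now)
    for gap in idle_gaps:
        target = now + gap
        while keepalive_idle and now + keepalive_idle < target:
            now += keepalive_idle
            if not table.packet(flow, now):
                return False  # probe arrived after the state was reaped
        now = target
        if not table.packet(flow, now):
            return False  # application packet dropped: the app sees a hung session
    return True

def enable_keepalive(sock, firewall_idle_timeout):
    """Probe at a third of the firewall window (assumed policy); TCP_KEEP* names are Linux."""
    idle = max(firewall_idle_timeout // 3, 1)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if hasattr(socket, "TCP_KEEPIDLE"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, max(idle // 3, 1))
    return idle, sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) == 1

def demo_keepalive(firewall_idle_timeout=FIREWALL_IDLE_TIMEOUT):
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        return enable_keepalive(sock, firewall_idle_timeout)
```

A probe interval longer than the firewall window (400 s against 300 s) still loses the session, which is the check to make before blaming the firewall for a hung application.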