There are three issues here:

First, the security itself will not necessarily be compromised. As always there is the danger of session hijacking, i.e. someone interjecting spoofed packets between the client and server. This kind of attack requires specific knowledge of the open connection, i.e. port numbers and sequence numbers. Generally speaking the attacker has to be in the packet path between the machines. In practice this is not a script kiddie attack. An 8-hour timeout would give a longer window of opportunity to notice a connection and exploit it, but this doesn't really compromise the security.

Second, as Randy mentioned, there's the possibility of DoS against the connections table. The connections table tracks all open connections, both UDP and TCP. Filling the connections table causes a tremendous slow-down on the rate the firewall will process new connections.

Finally, there's the consideration of the traffic. The times I've seen the need for a longer TCP timeout, it's been because FW-1 dropped an FTP control session while a long file was transferring. Often this occurs in the middle of a script in the middle of the night. If you only need a longer timeout for a specific service, this procedure is fairly easy - and you won't lose sleep over what's happening to your other protocols.

Regards,
-Jim MacLeod

At 09:44 AM 1/24/2002, you wrote:
>What is the security risk to setting tcp session
>timeout to 8 hours? Currently, I have it set at 1
>hour.
>
>Yim
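The trade-off Jim describes (a global 8-hour timeout keeps idle entries alive and lets the connections table fill, while a per-service timeout protects only the long-lived FTP control session) can be made concrete with a small simulation. The following is an added example, not code from the original thread or from Check Point; it models a stateful connection table with idle timeouts and a hard capacity, and feeds it a constructed traffic pattern: one new client TCP connection per second that goes quiet after its first packet, plus a single FTP control session that sends a packet every 90 minutes during a long transfer. The addresses, ports, capacity of 5000 entries, and the three policies compared are all assumptions chosen for illustration.

```python
import heapq
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HOUR = 3600
FlowKey = Tuple[str, int, str, int, str]   # (src ip, src port, dst ip, dst port, proto)


@dataclass
class Policy:
    """Idle timeout policy: a default plus per-destination-port overrides (assumed model)."""
    default_timeout: int
    per_service: Dict[int, int] = field(default_factory=dict)

    def timeout_for(self, dst_port: int) -> int:
        return self.per_service.get(dst_port, self.default_timeout)


class ConnTable:
    """Stateful connection table with a fixed capacity and lazy heap-based expiry."""

    def __init__(self, capacity: int, policy: Policy):
        self.capacity = capacity
        self.policy = policy
        self.entries: Dict[FlowKey, int] = {}        # flow -> expiry time
        self.heap: List[Tuple[int, FlowKey]] = []    # (expiry time, flow)
        self.refused = 0                              # new flows rejected because table was full
        self.peak = 0                                 # highest occupancy seen

    def _expire(self, now: int) -> None:
        # Pop expired heap items; skip stale ones whose flow was refreshed later.
        while self.heap and self.heap[0][0] <= now:
            exp, key = heapq.heappop(self.heap)
            if self.entries.get(key) == exp:
                del self.entries[key]

    def packet(self, now: int, key: FlowKey) -> str:
        """Process one packet; returns 'refreshed', 'new', or 'refused'."""
        self._expire(now)
        expiry = now + self.policy.timeout_for(key[3])
        if key in self.entries:
            self.entries[key] = expiry               # any packet restarts the idle timer
            heapq.heappush(self.heap, (expiry, key))
            return "refreshed"
        if len(self.entries) >= self.capacity:
            self.refused += 1
            return "refused"
        self.entries[key] = expiry
        heapq.heappush(self.heap, (expiry, key))
        self.peak = max(self.peak, len(self.entries))
        return "new"


def simulate(policy: Policy, capacity: int = 5000, duration: int = 8 * HOUR,
             ftp_interval: int = 5400) -> Dict[str, object]:
    """Run the constructed traffic pattern for `duration` seconds under `policy`."""
    table = ConnTable(capacity, policy)
    ftp_key: FlowKey = ("198.51.100.7", 40000, "192.0.2.20", 21, "tcp")   # constructed
    ftp_dropped = False
    for t in range(duration):
        if t % ftp_interval == 0:
            # The FTP control channel is idle between these packets.
            state = table.packet(t, ftp_key)
            if t > 0 and state == "new":
                ftp_dropped = True               # state was lost; FW-1 would treat this as a new flow
        # One short-lived HTTP client connection per second, silent after its first packet.
        http_key: FlowKey = ("198.51.100.7", 10000 + t, "192.0.2.10", 80, "tcp")
        table.packet(t, http_key)
    return {"peak": table.peak, "refused": table.refused, "ftp_dropped": ftp_dropped}


POLICIES = {
    "global 1h": Policy(HOUR),
    "global 8h": Policy(8 * HOUR),
    "1h default, 8h for ftp": Policy(HOUR, {21: 8 * HOUR}),
}

if __name__ == "__main__":
    for name, policy in POLICIES.items():
        print(f"{name:24s} {simulate(policy)}")
```

Run as written, the global 1-hour policy keeps the table at about 3600 entries (one connection per second times a 3600-second timeout) but drops the FTP session, the global 8-hour policy keeps the FTP session but fills the 5000-entry table and refuses every new connection after that, and the per-service policy keeps the FTP session with the same small footprint as the 1-hour default. Steady-state occupancy is simply new-connection rate multiplied by idle timeout, which is why the table-exhaustion risk scales with a global timeout change but not with a per-service one.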
