Monthly Archives: November 2014

Databases and Out Of Sync Packets

Common problem…

Joe Bob at Warehouse X starts his shipping and receiving application in the morning before going out to smoke his first cig. A couple of hours later he may wander back into the building and fill out some information before heading back out to the dock.

In the meantime, the database application just sits there doing nothing. No heartbeats, no random traffic. The firewall drops state information after 1 hour. So when Joe Bob comes back after 4 hours to type information into the client GUI, which is talking to the front end app, the front end app tries to connect to the database server. The firewall says “I’ve never seen this connection” and drops the out-of-sync packets.

Result: Random hangs, random behavior, random

How to fix?

1) Lengthen the session timeout:

You can hunt down those connections from the front end app to the back end database and lengthen the session timeouts.

[screenshot: longsession]

Problem is this may not scale if you have tons of database servers and applications.

2) For internal firewalls going to/from internal database servers, you might consider this: ignore out-of-state drops.

You can do this on a per firewall basis or for the whole domain.

[screenshot: outofstate]

I wouldn’t do this on a perimeter firewall, obviously, but internally the cost/benefit/risk may make sense for you depending on how many of these database servers you have around. Remember you still have SRC/DST/PORT rules; it’s just that there won’t be any TCP state kept for them. So theoretically hackers could send incomplete TCP sessions through your internal firewalls. You probably have bigger fish to fry than worrying about an attack like this on an internal firewall.
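To make the trade-off between the two fixes concrete, here is a small added simulation (not the blog’s code and not Check Point’s implementation) of a stateful firewall whose state entry expires after an idle period. The addresses, port and `session_timeout`/`drop_out_of_state` knobs are constructed for the example; it replays Joe Bob’s morning connection and the packet four hours later under each setting, and also shows what the “no TCP state” setting lets through.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool  # True = new TCP handshake, False = mid-stream packet on an existing socket


@dataclass
class StatefulFirewall:
    """Toy model (constructed for illustration): a flow is tracked from its SYN
    until it has been idle longer than session_timeout seconds."""
    session_timeout: int = 3600           # fix 1: lengthen this
    drop_out_of_state: bool = True        # fix 2: turn this off (internal firewalls only)
    rules: set = field(default_factory=set)    # allowed (src, dst, dport) tuples
    state: dict = field(default_factory=dict)  # (src, dst, dport) -> last time seen

    def handle(self, pkt: Packet, now: int) -> str:
        key = (pkt.src, pkt.dst, pkt.dport)
        if key not in self.rules:
            return "DROP: no rule"            # SRC/DST/PORT rules always apply
        if pkt.syn:
            self.state[key] = now             # handshake creates a state entry
            return "ACCEPT: new session"
        last = self.state.get(key)
        if last is not None and now - last <= self.session_timeout:
            self.state[key] = now             # still within the idle window
            return "ACCEPT: in state"
        self.state.pop(key, None)             # idle too long (or never seen): entry is gone
        if self.drop_out_of_state:
            return "DROP: out of state"       # Joe Bob's random hang
        return "ACCEPT: rule match, no state" # rule alone decides; no handshake required


def joe_bob_scenario(session_timeout: int = 3600, drop_out_of_state: bool = True) -> str:
    """Front end app (10.1.1.10) opens a DB connection to 10.2.2.20:1433 in the
    morning and sends its next query on the same socket 4 hours later."""
    rule = ("10.1.1.10", "10.2.2.20", 1433)   # constructed sample addresses
    fw = StatefulFirewall(session_timeout, drop_out_of_state, rules={rule})
    fw.handle(Packet(*rule, syn=True), now=0)
    return fw.handle(Packet(*rule, syn=False), now=4 * 3600)


if __name__ == "__main__":
    print("default 1h timeout:      ", joe_bob_scenario())
    print("8h timeout (fix 1):      ", joe_bob_scenario(session_timeout=8 * 3600))
    print("no out-of-state drop (2):", joe_bob_scenario(drop_out_of_state=False))
```

The last case is the cost of fix 2: any packet matching the SRC/DST/PORT rule is accepted with no handshake ever seen, which is exactly the incomplete-session traffic the post says an internal firewall will now pass.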

More Pros-Cons of NanoVision

So we hired one of those whiz-bang Cisco geek smart guys who was a Palo Alto admin in his past two gigs, about 8,000 users each. These are his pros and cons:

Pros:

– easy to manage and understand, quick learning curve
– stable
– good support
– licensing is simpler than Cisco and CP
– good for small shops
– integration with AD was good
– Cisco weenie says if you have ASA, it’s a no-brainer to move to PA. If you have CP it is a sideways move, some pluses and some minuses.

Cons:

– groups have a 500 limit and then you must create more sub-groups for objects
– Objects can be either global objects or firewall-specific objects. No way for one object to be shared by several specific firewalls. Zones are used to assign rules to a group of firewalls but CANNOT hold objects.
– Small firewalls have limits on the number of objects they support, so be careful with a large number of shared objects, especially if you have lots of global shared objects
– logging is poor when it scales
– they are hemorrhaging cash, $200M+ in the last year; when do they hit the wall?

SUMMARY: good for small shops. Larger shops will hit the wall when buying bigger appliances because the underlying software does not scale that well for a large number of objects/users/rules, etc.
Once again MDS, the heart and soul of CP, has not been replaced. Everyone and their mother can implement security technologies (ACLs, AV, anti-bot, IPS, anti-spam, etc.), but so far only CP can converge them into a SCALABLE single pane of glass for security management (as long as they test them this time before they ship!!!)
blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.