Databases and Out Of Sync Packets

Common problem…

Joe Bob at Warehouse X starts his shipping and receiving application in the morning before going out to smoke his first cig. A couple hours later he may wander back into the building and fill out some information before heading back out to the dock.

In the meantime, the database application just sits there doing nothing. No heartbeats, no random traffic. The firewall drops its state information after 1 hour. So when Joe Bob comes back after 4 hours to type information into the client GUI, which is talking to the front end app, the front end app tries to connect to the database server. The firewall says "I've never seen this connection" and drops the out-of-sync packets.

Result: Random hangs, random behavior, random

How to fix?

1) Lengthen the session timeout:

You can hunt down the connections from the front end app to the back end database and lengthen their session timeouts.

(Screenshot: longsession)

The problem is that this may not scale if you have tons of database servers and applications.

2) For internal firewalls going to/from internal database servers, you might consider this: ignore out-of-state drops.

You can do this on a per firewall basis or for the whole domain.

(Screenshot: outofstate)

I wouldn't do this on a perimeter firewall, obviously, but internally the cost/benefit/risk may make sense for you depending on how many of these database servers you have around. Remember you still have SRC/DST/PORT rules; it's just that there won't be any TCP state kept for them. So theoretically hackers could send incomplete TCP sessions through your internal firewalls. You probably have bigger fish to fry than worrying about an attack like this on an internal firewall.


Comments

  • Kai Kataja  On January 19, 2015 at 1:46 am

    Because a lot of TCP socket connections send keepalive segments in two-hour intervals, usually raising the idle timeout to a little over 7200 seconds is enough. Of course stateless TCP is another option.

    • Dreezman  On January 19, 2015 at 4:07 pm

      Which we did, but we have hundreds of database apps, so finding and setting up all the src/dst/ports is problematic.
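To make the timeline concrete, here is an added Python model (not from the post, and not Check Point code) of a stateful firewall that ages out idle connection entries. It replays the four-hour gap against a one-hour timeout, then tries the fixes from the post and the comment above: a longer session timeout, kernel TCP keepalives sent inside the timeout window, and turning off out-of-state drops. The flow addresses, port, timeouts and keepalive intervals are constructed values, and `enable_keepalive` uses the Linux socket option names.

```python
"""Toy model of a stateful firewall's connection table with an idle timeout.

Added example, not from the original post: reproduces the Joe Bob scenario
(1 hour state timeout, 4 hours of silence) and then tries the fixes discussed
in the post and comments. Flow tuple, timeouts and intervals are constructed.
"""
import socket
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class StatefulFirewall:
    idle_timeout: int                 # seconds of silence before a state entry is aged out
    enforce_state: bool = True        # False models "ignore out-of-state drops"
    table: dict = field(default_factory=dict)  # flow tuple -> time of last packet seen

    def packet(self, t: int, flow: tuple, syn: bool = False) -> str:
        """Return 'accept' or 'drop' for a packet on `flow` seen at time `t` (seconds)."""
        last = self.table.get(flow)
        if last is not None and t - last > self.idle_timeout:
            del self.table[flow]      # entry expired while the application sat idle
            last = None
        if last is None and not syn and self.enforce_state:
            return "drop"             # mid-stream packet with no state: out-of-state drop
        self.table[flow] = t          # new SYN, or refresh of an existing entry
        return "accept"


# Constructed flow: app server ephemeral port -> database listener.
# The SRC/DST/PORT rule still applies to it even when no TCP state is kept.
FLOW = ("10.1.1.20", 51234, "10.1.2.5", 1521)


def simulate(idle_timeout: int, enforce_state: bool = True,
             keepalive_every: Optional[int] = None, idle_period: int = 4 * 3600) -> str:
    """Open the connection at t=0, stay silent for idle_period seconds (optionally
    with keepalive probes every keepalive_every seconds), then send the next
    query. Returns the firewall's verdict on that query."""
    fw = StatefulFirewall(idle_timeout, enforce_state)
    fw.packet(0, FLOW, syn=True)      # handshake creates the state entry
    if keepalive_every:
        t = keepalive_every
        while t < idle_period:
            fw.packet(t, FLOW)        # keepalive probe; a dropped probe refreshes nothing
            t += keepalive_every
    return fw.packet(idle_period, FLOW)


def enable_keepalive(sock: socket.socket, idle: int = 600,
                     interval: int = 60, count: int = 5) -> None:
    """Ask the kernel to send keepalive probes on `sock` after `idle` seconds of
    silence, so the firewall sees traffic well inside its timeout. Option names
    are the Linux ones; the per-socket timing options are skipped elsewhere."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if hasattr(socket, "TCP_KEEPIDLE"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)


if __name__ == "__main__":
    print("1h timeout, 4h idle, no keepalive:  ", simulate(3600))                        # drop
    print("1h timeout, stock 2h keepalive:     ", simulate(3600, keepalive_every=7200))  # drop
    print("timeout just over 2h, 2h keepalive: ", simulate(7300, keepalive_every=7200))  # accept
    print("1h timeout, 10 min keepalive:       ", simulate(3600, keepalive_every=600))   # accept
    print("1h timeout, out-of-state drops off: ", simulate(3600, enforce_state=False))   # accept
```

The second and third scenarios are the point of Kai Kataja's comment: the stock two-hour keepalive only helps once the firewall's idle timeout is longer than 7200 seconds. With a one-hour timeout the probe itself arrives after the entry has aged out and is dropped as out-of-state, so either the application must probe more often (the `enable_keepalive` settings) or the firewall must hold state longer or stop enforcing it, which are the two options in the post.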


blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.
