[VPN] Application timeouts over VPN...HELP!

Dr T1meL0rD dr_t1mel0rd at hotmail.com
Fri Apr 11 23:00:01 EDT 2003


Please define "abnormally long"...

Yes, backups over a network connection, some SSH sessions (for SAs, DBAs, 
etc.), database instance backups, etc, usually require "longer than normal" 
timeouts, sometimes several hours in the case of backups.  HOWEVER, these 
connections should be the extreme exception, rather than the rule.

Situations like this have resulted in verbal sparring with some of my 
clientele and their administrative staff, but I NEVER allow it to compromise 
the security of a system that they are paying me good money to protect.  I 
have walked out of meetings because some requests were so over-the-top.

Typically, I will run a TCP connection up to 5 minutes, and it seems to work 
well, except in some of the occasions I mentioned above.  Getting to know 
your customer's system is key.  Cutting through the BS is usually a tougher 
nut, but is essential in trying to determine what _is_ necessary.  Using UDP 
to circumvent the state issue will create more work for the developers in 
that more error-checking and -handling code is necessary.

I definitely agree with Dana in that developers need to be a bit more 
judicious with the amount of time they allow connections to remain open.  
The less security savvy (usually the ones who roll their eyes and begin 
complaining when they hear a firewall is going to be implemented) typically 
are sloppier about maintaining state in the application, which is usually a 
prime reason _the_firewall_ is blamed for "breaking their application."  IT 
managers with sufficient clue will suspect this to be the case.

BTW, however heavily I may use it in brief contact with individuals on a 
professional basis, I have never seen instant messaging as a requirement for 
a long time-out through a firewall on a production system.  If you are 
putting a firewall only at the border with these requirements, I would 
certainly recommend defense-in-depth...
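As an added illustration (not part of the original post), the Python below models the stateful connection table the post describes: a 5-minute default idle timeout, a short override list for the exceptional backup/SSH flows that genuinely need hours, and the application-side keepalive that decides whether a long-running session survives or "the firewall broke the application". The port numbers, override values and flow tuples are constructed assumptions.

```python
# Added example, not code from the original post: a minimal model of a
# stateful firewall's connection table with a 5-minute default idle timeout
# and per-service overrides for the few flows that legitimately need more.
from dataclasses import dataclass, field

DEFAULT_IDLE = 300              # 5 minutes, the default quoted in the post
# Per-destination-port overrides: constructed values, not from the page.
LONG_LIVED = {22: 4 * 3600,     # SSH sessions for SAs/DBAs
              10000: 8 * 3600}  # hypothetical backup-agent port


@dataclass
class StateTable:
    idle_limit: int = DEFAULT_IDLE
    overrides: dict = field(default_factory=lambda: dict(LONG_LIVED))
    entries: dict = field(default_factory=dict)  # flow -> last-seen time

    def limit_for(self, flow):
        _src, _sport, _dst, dport = flow
        return self.overrides.get(dport, self.idle_limit)

    def packet(self, flow, now):
        """Create or refresh state whenever a packet of the flow passes."""
        self.entries[flow] = now

    def expire(self, now):
        """Drop every flow idle longer than its limit; return the dropped flows."""
        dead = [f for f, seen in self.entries.items()
                if now - seen > self.limit_for(f)]
        for f in dead:
            del self.entries[f]
        return dead

    def is_alive(self, flow):
        return flow in self.entries


def run_session(table, flow, idle_seconds, keepalive=None):
    """Open a flow at t=0, then let it sit idle for idle_seconds, sending an
    application keepalive every `keepalive` seconds if one is configured.
    A keepalive on an already-expired flow is out-of-state traffic and does
    not resurrect the entry. Returns True if the flow is still in state."""
    table.packet(flow, 0)
    for t in range(1, idle_seconds + 1):
        if keepalive and t % keepalive == 0 and table.is_alive(flow):
            table.packet(flow, t)
        table.expire(t)
    return table.is_alive(flow)
```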


