Firewall timeout and TCP RST

03/10/2007, 11h10

Hi there.
The program I wrote is used to access a remote database via a TCP
connection.
No prolems 'til the time someone decided to build a firewall around
the DB and to apply a timeout policy for low traffic connections. So,
if my application doesn't query the DB for an hour, the firewall emits
a RST packet and drops down the connection.
What's better ?
- to edit all the source code (I have many programs like the one
above) to periodically 'ping' the DB
- to write a new layer that behaves like a proxy and periodically
'pings' the DB; by this way the original code is safe...
- to develop something able to manage the RST packets

Any other solution is clearly welcome!
Thanx everyone for answering me.
n.dzl

03/10/2007, 13h01

In comp.security.firewalls parnej@inwind.it wrote:
> - to edit all the source code (I have many programs like the one
> above) to periodically 'ping' the DB
> - to write a new layer that behaves like a proxy and periodically
> 'pings' the DB; by this way the original code is safe...
> - to develop something able to manage the RST packets

- to kick someones ass for being so idiotic

Yours,
VB.
--
"Es muss darauf geachtet werden, dass das Grundgesetz nicht mit Methoden
geschützt wird, die seinem Ziel und seinem Geist zuwider sind."

Gustav Heinemann, "Freimütige Kritik und demokratischer Rechtsstaat"

03/10/2007, 13h42

In article <1191406226.210843.314900@22g2000hsm.googlegroups. com>,
parnej@inwind.it says...
> Hi there.
> The program I wrote is used to access a remote database via a TCP
> connection.

Does it do it through a VPN connection?

If not, then it's a risk and should be rethought.

Remote databases should be access through some form of tunnel and not
directly exposed to the world. That would solve your problem.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

03/10/2007, 14h30

> > Hi there.
> > The program I wrote is used to access a remote database via a TCP
> > connection.
>
> Does it do it through a VPN connection?
>
> If not, then it's a risk and should be rethought.

Thank you for your interest in the security aspect of the question,
but this was not the topic of my post (I'm not the security designer!)

I'm looking for the best method to work-around the problem from the
source-code point of view.
I cannot nor want change anything in the topology of the network.
However: clients and DBs are inside a 10.x.x.x network that is
unaccessible (!) from the outside world.
The FW is intended as part of a 'segmentation-policy' of the
enterprise network.

I add that the FW doesnt require authentication.

bye
n.dzl

03/10/2007, 14h43

In article <1191418247.328034.141380@57g2000hsv.googlegroups. com>,
parnej@inwind.it says...
>
> > > Hi there.
> > > The program I wrote is used to access a remote database via a TCP
> > > connection.
> >
> > Does it do it through a VPN connection?
> >
> > If not, then it's a risk and should be rethought.
>
>
> Thank you for your interest in the security aspect of the question,
> but this was not the topic of my post (I'm not the security designer!)
>
> I'm looking for the best method to work-around the problem from the
> source-code point of view.

Then you're looking at it from the wrong side.

Once you've been given access through a tunnel then you don't have to
worry about time-outs.

> I cannot nor want change anything in the topology of the network.
> However: clients and DBs are inside a 10.x.x.x network that is
> unaccessible (!) from the outside world.
> The FW is intended as part of a 'segmentation-policy' of the
> enterprise network.
>
> I add that the FW doesnt require authentication.

You clearly said that the DB's were protected by a firewall and that you
access them remotely.

If the firewall is setup properly and you have a secure tunnel, there is
no timeout and you don't need to change your solution.

So, either you didn't write your program to close and open the
connection as needed, which is a bad move, or you don't have a secure
tunnel and proper firewall setup.

So, with that being the case, have you asked the firewall controller
about the timeout?

Have you considered properly coding your app to open/close connections
as needed instead of leaving the connection open all the time?

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

03/10/2007, 15h40

> So, with that being the case, have you asked the firewall controller
> about the timeout?
....
> Have you considered properly coding your app to open/close connections
> as needed instead of leaving the connection open all the time?

ok, I'll try to explain myself better.

TODAY (03/oct/2007) the status is:
- a 10. network
- many clients
- many DBs (in a wide-sense)

WITHIN FEW WEEKS (>01/nov/2007) situation will be:
- a 10. network
- many clients
- a FW between clients and DBs, with Timeout on low traffic
connections and no authentication
- many DBs (in a wide-sense)

Today everything works fine.
I'm evaluating which is the impact for those clients which firstly
open a connection and use it until it is available (and generally try
to reconnect).
The case may be that of CORBA clients or ORACLE clients.
Here the connection cannot be done every time I query the DB: it would
be extremly slow, while the system must answer 'in real time'.

Please don't say me "CORBA is not suitable for ral time system" or sth
like this for ORACLE...!
I'm a programmer from the client side. Server side is not under my
control!
The same for the FW: I must work with it from november; Nothing if its
configuration etc.. is under my control. I simply must comply with the
enterprise rules!

bye
n.dzl

03/10/2007, 16h00

In article <1191422422.689861.269120@n39g2000hsh.googlegroups .com>,
parnej@inwind.it says...
>
> > So, with that being the case, have you asked the firewall controller
> > about the timeout?
> ...
> > Have you considered properly coding your app to open/close connections
> > as needed instead of leaving the connection open all the time?
>
>
>
> ok, I'll try to explain myself better.
>
> TODAY (03/oct/2007) the status is:
> - a 10. network
> - many clients
> - many DBs (in a wide-sense)
>
> WITHIN FEW WEEKS (>01/nov/2007) situation will be:
> - a 10. network
> - many clients
> - a FW between clients and DBs, with Timeout on low traffic
> connections and no authentication
> - many DBs (in a wide-sense)
>
> Today everything works fine.
> I'm evaluating which is the impact for those clients which firstly
> open a connection and use it until it is available (and generally try
> to reconnect).
> The case may be that of CORBA clients or ORACLE clients.
> Here the connection cannot be done every time I query the DB: it would
> be extremly slow, while the system must answer 'in real time'.
>
> Please don't say me "CORBA is not suitable for ral time system" or sth
> like this for ORACLE...!
> I'm a programmer from the client side. Server side is not under my
> control!
> The same for the FW: I must work with it from november; Nothing if its
> configuration etc.. is under my control. I simply must comply with the
> enterprise rules!

Again, this would seem to be simple, you query for the connection and if
it fails you reconnect.

While I can't understand why the problem, you need to be able to
talk/address the issue and you need to understand that maintaining a
remote connection is problematic and you should have accounted for it in
your application.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

03/10/2007, 16h38

parnej@inwind.it wrote:
> Hi there.
> The program I wrote is used to access a remote database via a TCP
> connection.
> No prolems 'til the time someone decided to build a firewall around
> the DB and to apply a timeout policy for low traffic connections. So,
> if my application doesn't query the DB for an hour, the firewall emits
> a RST packet and drops down the connection.
> What's better ?
> - to edit all the source code (I have many programs like the one
> above) to periodically 'ping' the DB
> - to write a new layer that behaves like a proxy and periodically
> 'pings' the DB; by this way the original code is safe...
> - to develop something able to manage the RST packets

The far easiest solution, is to get the firewall administrator to adjust
the timeout on the database port. This is trivial with just about every
firewall.
The cleanest solution imo, would be that your application are able to
reconnect when needed, if the connection has been reset. What happens
with all your clients now, if the db for some reason suddenly restart?

I have seen several applications doing a query like "select * from dual"
(on oracle) every x minute, to keep a connection open. Wouldn't say it's
elegant, but it works.

Erik

03/10/2007, 11h10	#1
parnej@inwind.it Messages: n/a Hébergeur:	Firewall timeout and TCP RST Hi there. The program I wrote is used to access a remote database via a TCP connection. No prolems 'til the time someone decided to build a firewall around the DB and to apply a timeout policy for low traffic connections. So, if my application doesn't query the DB for an hour, the firewall emits a RST packet and drops down the connection. What's better ? - to edit all the source code (I have many programs like the one above) to periodically 'ping' the DB - to write a new layer that behaves like a proxy and periodically 'pings' the DB; by this way the original code is safe... - to develop something able to manage the RST packets Any other solution is clearly welcome! Thanx everyone for answering me. n.dzl

03/10/2007, 13h01	#2
Volker Birk Messages: n/a Hébergeur:	Re: Firewall timeout and TCP RST In comp.security.firewalls parnej@inwind.it wrote: > - to edit all the source code (I have many programs like the one > above) to periodically 'ping' the DB > - to write a new layer that behaves like a proxy and periodically > 'pings' the DB; by this way the original code is safe... > - to develop something able to manage the RST packets - to kick someones ass for being so idiotic Yours, VB. -- "Es muss darauf geachtet werden, dass das Grundgesetz nicht mit Methoden geschützt wird, die seinem Ziel und seinem Geist zuwider sind." Gustav Heinemann, "Freimütige Kritik und demokratischer Rechtsstaat"

03/10/2007, 13h42	#3
Leythos Messages: n/a Hébergeur:	Re: Firewall timeout and TCP RST In article <1191406226.210843.314900@22g2000hsm.googlegroups. com>, parnej@inwind.it says... > Hi there. > The program I wrote is used to access a remote database via a TCP > connection. Does it do it through a VPN connection? If not, then it's a risk and should be rethought. Remote databases should be access through some form of tunnel and not directly exposed to the world. That would solve your problem. -- Leythos - Igitur qui desiderat pacem, praeparet bellum. - Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist" spam999free@rrohio.com (remove 999 for proper email address)

03/10/2007, 14h30	#4
parnej@inwind.it Messages: n/a Hébergeur:	Re: Firewall timeout and TCP RST > > Hi there. > > The program I wrote is used to access a remote database via a TCP > > connection. > > Does it do it through a VPN connection? > > If not, then it's a risk and should be rethought. Thank you for your interest in the security aspect of the question, but this was not the topic of my post (I'm not the security designer!) I'm looking for the best method to work-around the problem from the source-code point of view. I cannot nor want change anything in the topology of the network. However: clients and DBs are inside a 10.x.x.x network that is unaccessible (!) from the outside world. The FW is intended as part of a 'segmentation-policy' of the enterprise network. I add that the FW doesnt require authentication. bye n.dzl

03/10/2007, 14h43	#5
Leythos Messages: n/a Hébergeur:	Re: Firewall timeout and TCP RST In article <1191418247.328034.141380@57g2000hsv.googlegroups. com>, parnej@inwind.it says... > > > > Hi there. > > > The program I wrote is used to access a remote database via a TCP > > > connection. > > > > Does it do it through a VPN connection? > > > > If not, then it's a risk and should be rethought. > > > Thank you for your interest in the security aspect of the question, > but this was not the topic of my post (I'm not the security designer!) > > I'm looking for the best method to work-around the problem from the > source-code point of view. Then you're looking at it from the wrong side. Once you've been given access through a tunnel then you don't have to worry about time-outs. > I cannot nor want change anything in the topology of the network. > However: clients and DBs are inside a 10.x.x.x network that is > unaccessible (!) from the outside world. > The FW is intended as part of a 'segmentation-policy' of the > enterprise network. > > I add that the FW doesnt require authentication. You clearly said that the DB's were protected by a firewall and that you access them remotely. If the firewall is setup properly and you have a secure tunnel, there is no timeout and you don't need to change your solution. So, either you didn't write your program to close and open the connection as needed, which is a bad move, or you don't have a secure tunnel and proper firewall setup. So, with that being the case, have you asked the firewall controller about the timeout? Have you considered properly coding your app to open/close connections as needed instead of leaving the connection open all the time? -- Leythos - Igitur qui desiderat pacem, praeparet bellum. - Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist" spam999free@rrohio.com (remove 999 for proper email address)

03/10/2007, 15h40	#6
parnej@inwind.it Messages: n/a Hébergeur:	Re: Firewall timeout and TCP RST > So, with that being the case, have you asked the firewall controller > about the timeout? .... > Have you considered properly coding your app to open/close connections > as needed instead of leaving the connection open all the time? ok, I'll try to explain myself better. TODAY (03/oct/2007) the status is: - a 10. network - many clients - many DBs (in a wide-sense) WITHIN FEW WEEKS (>01/nov/2007) situation will be: - a 10. network - many clients - a FW between clients and DBs, with Timeout on low traffic connections and no authentication - many DBs (in a wide-sense) Today everything works fine. I'm evaluating which is the impact for those clients which firstly open a connection and use it until it is available (and generally try to reconnect). The case may be that of CORBA clients or ORACLE clients. Here the connection cannot be done every time I query the DB: it would be extremly slow, while the system must answer 'in real time'. Please don't say me "CORBA is not suitable for ral time system" or sth like this for ORACLE...! I'm a programmer from the client side. Server side is not under my control! The same for the FW: I must work with it from november; Nothing if its configuration etc.. is under my control. I simply must comply with the enterprise rules! bye n.dzl

03/10/2007, 16h00	#7
Leythos Messages: n/a Hébergeur:	Re: Firewall timeout and TCP RST In article <1191422422.689861.269120@n39g2000hsh.googlegroups .com>, parnej@inwind.it says... > > > So, with that being the case, have you asked the firewall controller > > about the timeout? > ... > > Have you considered properly coding your app to open/close connections > > as needed instead of leaving the connection open all the time? > > > > ok, I'll try to explain myself better. > > TODAY (03/oct/2007) the status is: > - a 10. network > - many clients > - many DBs (in a wide-sense) > > WITHIN FEW WEEKS (>01/nov/2007) situation will be: > - a 10. network > - many clients > - a FW between clients and DBs, with Timeout on low traffic > connections and no authentication > - many DBs (in a wide-sense) > > Today everything works fine. > I'm evaluating which is the impact for those clients which firstly > open a connection and use it until it is available (and generally try > to reconnect). > The case may be that of CORBA clients or ORACLE clients. > Here the connection cannot be done every time I query the DB: it would > be extremly slow, while the system must answer 'in real time'. > > Please don't say me "CORBA is not suitable for ral time system" or sth > like this for ORACLE...! > I'm a programmer from the client side. Server side is not under my > control! > The same for the FW: I must work with it from november; Nothing if its > configuration etc.. is under my control. I simply must comply with the > enterprise rules! Again, this would seem to be simple, you query for the connection and if it fails you reconnect. While I can't understand why the problem, you need to be able to talk/address the issue and you need to understand that maintaining a remote connection is problematic and you should have accounted for it in your application. -- Leythos - Igitur qui desiderat pacem, praeparet bellum. - Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist" spam999free@rrohio.com (remove 999 for proper email address)

03/10/2007, 16h38	#8
Erik Dahle Messages: n/a Hébergeur:	Re: Firewall timeout and TCP RST parnej@inwind.it wrote: > Hi there. > The program I wrote is used to access a remote database via a TCP > connection. > No prolems 'til the time someone decided to build a firewall around > the DB and to apply a timeout policy for low traffic connections. So, > if my application doesn't query the DB for an hour, the firewall emits > a RST packet and drops down the connection. > What's better ? > - to edit all the source code (I have many programs like the one > above) to periodically 'ping' the DB > - to write a new layer that behaves like a proxy and periodically > 'pings' the DB; by this way the original code is safe... > - to develop something able to manage the RST packets The far easiest solution, is to get the firewall administrator to adjust the timeout on the database port. This is trivial with just about every firewall. The cleanest solution imo, would be that your application are able to reconnect when needed, if the connection has been reset. What happens with all your clients now, if the db for some reason suddenly restart? I have seen several applications doing a query like "select * from dual" (on oracle) every x minute, to keep a connection open. Wouldn't say it's elegant, but it works. Erik

Outils de la discussion
Afficher une version imprimable Envoyer un lien vers cette page par email