Well, the device is Radware Defense Pro, an intrusion detection system.
Since the server and application are critical and the management station opens a huge number of TCP sockets, it was decided that all traffic should traverse a single TCP socket so there will be no DoS to the server.
Any idea on how to accomplish that?
Regards.
Thank you for your answer. I am no security specialist, but the "single TCP socket" seems a rather crude solution to me, esp. since Radware Defense prides itself on protecting against high frequency flooding attacks. I cannot imagine that it does so by funneling all connections through a single socket and thus reducing network speed to a crawl. Also, what are the chances that the management station gets subverted? Isn't that within a safe zone?
CountZero "A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little nor too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James
Encouraging only a single TCP connection can make downloading a lot faster when there are lots of small files.
That's why browsers are doing that too: websites often refer to lots of small images.
Update: this is of course even more true for https than for http.
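As an added illustration of the point above (not code from the thread or from Radware), this Python script starts a local HTTP/1.1 server on 127.0.0.1, fetches many constructed "small files" from it, and counts how many TCP connections the server had to accept: one persistent keep-alive connection versus one handshake per request. The server, handler and counter are hypothetical test scaffolding; the server-side socket count is what matters for the DoS concern in the original question.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Number of TCP connections the server has accepted since the counter was last reset.
connections_accepted = 0


class SmallFileHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # HTTP/1.1 keeps the connection open unless told otherwise

    def do_GET(self):
        body = b"x" * 64  # constructed stand-in for a small file
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))  # needed so keep-alive can frame the body
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class CountingServer(HTTPServer):
    def get_request(self):  # called once per accepted client socket
        global connections_accepted
        connections_accepted += 1
        return super().get_request()


def start_server():
    server = CountingServer(("127.0.0.1", 0), SmallFileHandler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_many(port, n, reuse):
    """Fetch n small files and return how many TCP connections the server had to accept."""
    global connections_accepted
    connections_accepted = 0
    shared = http.client.HTTPConnection("127.0.0.1", port) if reuse else None
    for i in range(n):
        conn = shared or http.client.HTTPConnection("127.0.0.1", port)
        conn.request("GET", f"/file{i}")
        conn.getresponse().read()  # accept() has already happened once a response arrives
        if not reuse:
            conn.close()  # tear down, so the next request needs a fresh TCP handshake
    if shared:
        shared.close()
    return connections_accepted
```

With 20 fetches, `fetch_many(port, 20, reuse=True)` returns 1 and `fetch_many(port, 20, reuse=False)` returns 20; the difference is the handshake and socket cost the poster refers to.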
That must be because the time used for setting up and tearing down the TCP socket connection is significant relative to the time spent in transmitting the data, but I fail to see what security implications it has.