Disable Tcp_timestamp: applicable to Web servers only, or App & DB as well?

When a VA scanner scans & recommends disabling TCP_timestamp,
is this something we disable at Web only, or does it need to be done at
App & DB too?    We can't do it at LB level due to an impact.

Refer to:
http://www.tmltechnologies.com/html-2012/index.php/linux-rescue-kits/82-secret/91-disable-tcp-timestamps-on-linux
   Issue using root:
    # echo 0 > /proc/sys/net/ipv4/tcp_timestamps
   & to make it stay across reboots, add the following line to /etc/sysctl.conf:
    net.ipv4.tcp_timestamps = 0
 
Create Solaris iptables firewall rules as additional enhancement:
   iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
   iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
For Windows 2008 R2:
https://social.technet.microsoft.com/Forums/en-US/d4015aa9-0613-473e-8950-a3b3d3e72b04/i-have-security-vulnerability-tcp-timestamp-response-on-w2k3-w2k8-servers-how-to-fix-it?forum=winserversecurity
    Add & set Tcp1323Opts value to 0 in registry HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Also add the equivalent firewall rules in Windows & reboot Windows server
sunhux Asked:
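A small audit of the Linux procedure in the post (the live /proc value versus the persistent /etc/sysctl.conf entry), written as an added example and not taken from the original thread; the function names, status labels and the sample config are assumptions of my own:

```python
"""Audit net.ipv4.tcp_timestamps: off at runtime (/proc), off persistently
(sysctl.conf), both, or neither. Added example; helper names are hypothetical."""
import os

KEY = "net.ipv4.tcp_timestamps"
PROC_PATH = "/proc/sys/net/ipv4/tcp_timestamps"


def parse_sysctl_conf(text):
    """Parse sysctl.conf-style text into {key: value}; a later line wins.
    Blank lines and lines starting with '#' or ';' are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # sysctl accepts net/ipv4/... as well as net.ipv4...; normalise.
        settings[key.strip().replace("/", ".")] = value.strip()
    return settings


def audit_tcp_timestamps(runtime_value, conf_texts):
    """Compare the live value with the persistent one (files in load order).
    Returns 'disabled-persistent', 'disabled-runtime-only',
    'persistent-not-applied' or 'enabled'."""
    persistent = None
    for text in conf_texts:
        persistent = parse_sysctl_conf(text).get(KEY, persistent)
    runtime_off = runtime_value.strip() == "0"
    persistent_off = persistent == "0"
    if runtime_off and persistent_off:
        return "disabled-persistent"
    if runtime_off:
        return "disabled-runtime-only"    # echo 0 > /proc done; lost on reboot
    if persistent_off:
        return "persistent-not-applied"   # sysctl.conf edited; sysctl -p not run
    return "enabled"


# Constructed sample sysctl.conf (not from any real host): the old '1'
# line is still present, but the later '0' line wins.
SAMPLE_CONF = """# hardening per VA scan
net.ipv4.ip_forward = 0
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_timestamps = 0
"""

if __name__ == "__main__":
    live = open(PROC_PATH).read() if os.path.exists(PROC_PATH) else "1"
    print(KEY, "->", audit_tcp_timestamps(live, [SAMPLE_CONF]))
```

Run it on each Web, App and DB host after the change to catch the two half-done states (runtime only, or config only) that a rescan would flag again.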

sunhux (Author) Commented:
From googling around, I noticed Tcp_timestamp disabling
is done on web servers only; is this correct, or ought it to
be done on app & DB servers as well?
Neil Russell (Technical Development Lead) Commented:
Most admins consider that the Risk/Benefit of Tcp_timestamp disabling is just not worth it.  The "RISK" is very light, it does not provide an exploit in its own right, as I am sure you have read already.

It is ANY server that communicates with TCP that is "affected" not just web servers.

There can be unintended consequences that lead to a dramatic loss in performance and as the "RISK" is that somebody will know how long your server has been on or them knowing the OS you use, I would put a red line through it.

Risk assessment is not just about following all recommendations. It is about acknowledging that you have understood a "RISK" and made a business decision on the potential for loss versus the potential for loss in performance.
As I said, most consider the Risk and mark it as "Noted".
gheist Commented:
Best tuning advice would be to leave everything at defaults and don't fix what is not broken.

Some points:
1) Are timestamps derived from system time or random? In the second case there is no security advantage in disabling them.
2) Either way - is reading a timer or generating a few pseudo-random bits expensive on your system? Not on Linux on good hardware, but there are some bad seeds around, e.g. virtualisation.
3) Do you have more than two million in-flight packets to make use of the sequence number roll-over protection that timestamps offer (like a terabyte of TCP buffer)? OK - it might be useful then, but then again - which operating systems implement this feature?
4) When you flip just 10 sysctl switches how do you identify source of problem? By repeating test 1024 times with all possible flip switch positions?