Firewall Wizards mailing list archives
RE: firewall and multicast
From: "Safier, Adam (GEIS)" <Adam.Safier () geis ge com>
Date: Fri, 6 Mar 1998 22:14:34 -0500
Adam & Co,

TIS was working on a multicast proxy Client/Server model about a year+ ago. The way I understood it, the Server piece on the firewall accepted multicast on one interface and did a directed TCP session from the internal interface. The Client piece let users actually join and have internal applications that thought they were talking to a standard Multicast service. Sort of a NAT with UDP/TCP protocol conversion thrown in and a client piece to help out apps that insisted on talking to a multicast stack. I could have it all wrong so I suggest you contact TIS and ask. Hope they got it done.

A while back (when I was at CSC) we got Multicast through Firewall-1 on SUN by adding public domain MOSPF (Multicast OSPF routing protocol). HP could also do it for small packet sizes (<1400 bytes) with the supplied multicast support but didn't have quad ethernet cards available :(Hint, HP). The Firewall-1 software allowed us to filter to specific multicast addresses and port numbers so internal users were restricted to which groups they could join.

A multicast allows an attacker to hit a whole bunch of stations while only transmitting one packet so we were still not real thrilled with the solution. We got a multicast guru programmer to whip up a proxy that did NAT for multicast on one interface and unicast UDP on the other interface. The Firewall admin entered a static map of allowed associations - which was not elegant but just fine for the application.

I also heard that Raptor is supporting Multicast in their product.

You might want to check out gated. I think it supports multicast routing.

Finally, if you are desperate and want consultants, check out CSC (my former employer) in Maryland. Some of their people have significant multicast experience (government group). No wonder CA wants to buy them!

Hope I remembered all of that correctly!

Adam (the other and lurking Adam)
-----Original Message-----
From: Adam Shostack
Sent: Friday, March 06, 1998 9:57 AM
To: wangw () singnet com sg
Cc: firewall-wizards () nfr net
Subject: Re: firewall and multicast

There's a paper by some folks at TIS in the 1997 IEEE symposium on Security & Privacy about adding a Multicast gateway to the FWTK. Don't have it handy, but recall there being some useful points made about the security implications of multicast.

Adam

George Wang wrote:
| Hi,
|
| What are the firewalls that support multicast? Are there any security
| implications of that?
|
| Regards,
| GW
|

--
"It is seldom that liberty of any kind is lost all at once." -Hume
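
The "static map of allowed associations" described in the message above, sketched as an added example that is not part of the original thread and is not the proxy's actual code. The `group:port -> host:port` file syntax, the sample addresses and all function names are assumptions made for illustration; the point is the default-deny lookup, where a datagram is relayed to an inside unicast host only if its destination group and port were entered by the firewall admin.

```python
import ipaddress
from typing import Dict, NamedTuple, Optional, Tuple

MULTICAST_V4 = ipaddress.ip_network("224.0.0.0/4")

class Target(NamedTuple):
    host: ipaddress.IPv4Address
    port: int

Key = Tuple[ipaddress.IPv4Address, int]

# Constructed sample map; the "group:port -> host:port" syntax is hypothetical.
SAMPLE_MAP = """
# outside multicast group:port -> inside unicast host:port
239.1.2.3:5004 -> 10.0.0.15:5004
239.1.2.4:6000 -> 10.0.0.16:6000
"""

def parse_endpoint(text: str) -> Key:
    host, _, port = text.strip().rpartition(":")
    port_n = int(port)
    if not 0 < port_n < 65536:
        raise ValueError(f"port out of range: {port}")
    return ipaddress.IPv4Address(host), port_n

def load_map(text: str) -> Dict[Key, Target]:
    """Parse the admin's static map, rejecting malformed or ambiguous entries."""
    table: Dict[Key, Target] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        left, sep, right = line.partition("->")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'group:port -> host:port'")
        key, (host, hport) = parse_endpoint(left), parse_endpoint(right)
        if key[0] not in MULTICAST_V4:
            raise ValueError(f"line {lineno}: {key[0]} is not a multicast group")
        if host.is_multicast:
            raise ValueError(f"line {lineno}: inside target must be unicast")
        if key in table:
            raise ValueError(f"line {lineno}: duplicate mapping for {key[0]}:{key[1]}")
        table[key] = Target(host, hport)
    return table

def route(table: Dict[Key, Target], dst_ip: str, dst_port: int) -> Optional[Target]:
    """Default deny: relay only datagrams sent to an explicitly mapped group and port."""
    return table.get((ipaddress.IPv4Address(dst_ip), dst_port))
```

A relay built on this would join only the groups that appear as keys in the table and drop any datagram for which `route` returns `None`.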