Firewall Wizards mailing list archives

Re: Multicasting

From: "Paul D. Robertson" <proberts () patriot net>
Date: Thu, 20 Feb 2003 19:43:05 -0500 (EST)

On Thu, 20 Feb 2003, Fiamingo, Frank wrote:

We've been told to install a vender solution for video/audio streaming.
The vendor, RAW Communications, feeds their on-site server (MS Win2K) via 
a satellite download (receiving only, no transmission back to the
satellite), 
and then uses multicast to supply the video stream to the local desktops.  
The vendor requirement is that all ports be open from the server to the 
desktop for a single multicast address.

Is there any way to do this securely?  With minimum exposure?


Probably the most you can hope for is to only allow that exact multicast 
group traffic out.


My initial suggestion was to isolate a couple of machines and just allow
the service to those desktops. But unless we can come up with some real
world examples to show how unsafe this can be, we will likely have to open
this up to our entire LAN.


I don't know how well Win2k isolates multicast traffic from unicast 
addresses.  If it dosen't do that well, then SQL/Slammer is a perfect 
example of why this wouldn't be something you'd want to let run rampant.  
Given the potential use of multicast addressing in the routing 
infrastructure, the whole idea may be of significantly more concern if you 
can't lock it all down to a particular group, or if the address is already 
in use.  

Is it truly a multicast-only solution, or is there unicast traffic from 
the clients back to the server?  If it's two-way, then I think the issues 
open up much more significantly, and Slammer becomes much more of a 
realistic scenerio.

Also, it's worth noting that some routers/switches appear to be much 
more sensitive to multicast flooding, so there's an infrastructure issue 
that's likely to loom absent actual pointed attacks.

If there's bidirectional traffic, maybe there's some stateful thing you 
can do to ensure that responses only come as a result of requests.  If 
it's a proprietary protocol, perhaps the right way to approach this is to 
ask the vendor to underwrite insurance for an attack from that vector?

HTH,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Multicasting Fiamingo, Frank (Feb 20)
- Re: Multicasting Paul D. Robertson (Feb 20)
- <Possible follow-ups>
- RE: Multicasting Fiamingo, Frank (Feb 21)