Firewall Wizards mailing list archives
RE: Multicasting
From: "Fiamingo, Frank" <FiamingF () strsoh org>
Date: Fri, 21 Feb 2003 08:46:22 -0500
From: Paul D. Robertson [mailto:proberts () patriot net]
Sent: Thursday, February 20, 2003 7:43 PM

> On Thu, 20 Feb 2003, Fiamingo, Frank wrote:
>
> > We've been told to install a vendor solution for video/audio streaming.
> > The vendor, RAW Communications, feeds their on-site server (MS Win2K) via
> > a satellite download (receiving only, no transmission back to the
> > satellite), and then uses multicast to supply the video stream to the
> > local desktops.
> >
> > The vendor requirement is that all ports be open from the server to the
> > desktop for a single multicast address. Is there any way to do this
> > securely? With minimum exposure?
>
> Probably the most you can hope for is to only allow that exact multicast
> group traffic out.
>
> > My initial suggestion was to isolate a couple of machines and just allow
> > the service to those desktops. But unless we can come up with some real
> > world examples to show how unsafe this can be, we will likely have to
> > open this up to our entire LAN.
>
> I don't know how well Win2k isolates multicast traffic from unicast
> addresses. If it doesn't do that well, then SQL/Slammer is a perfect
> example of why this wouldn't be something you'd want to let run rampant.
> Given the potential use of multicast addressing in the routing
> infrastructure, the whole idea may be of significantly more concern if you
> can't lock it all down to a particular group, or if the address is already
> in use. Is it truly a multicast-only solution, or is there unicast traffic
> from the clients back to the server? If it's two-way, then I think the
> issues open up much more significantly, and Slammer becomes much more of a
> realistic scenario.
My understanding of how the product works is as follows. There is a client on
the desktops that connects to the server via a web page to request content.
The server, since it has no direct contact back to its home base, redirects
the client to a URL, via the Internet, from which a particular audio/video
presentation can be requested. That presentation is then downloaded via
satellite to the on-site server. The server will then broadcast the event, to
a multicast group, that the client can listen for. If the client doesn't
receive the multicast traffic it will request a unicast feed from the server.

Thanks,
Frank
> Also, it's worth noting that some routers/switches appear to be much more
> sensitive to multicast flooding, so there's an infrastructure issue that's
> likely to loom absent actual pointed attacks. If there's bidirectional
> traffic, maybe there's some stateful thing you can do to ensure that
> responses only come as a result of requests. If it's a proprietary
> protocol, perhaps the right way to approach this is to ask the vendor to
> underwrite insurance for an attack from that vector?
>
> HTH,
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson          "My statements in this message are personal opinions
> proberts () patriot net      which may have no basis whatsoever in fact."
> probertson () trusecure com  Director of Risk Assessment
>                            TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
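The thread above raises two concrete filtering ideas: allow only the one exact multicast group, sourced only by the vendor's server, and for the unicast fallback let replies from the server reach a desktop only after that desktop has sent a request. It also warns that the group address itself matters if it collides with something the routing infrastructure already uses. The following Python is an added illustration written for this archive page, not code from the thread or from the vendor; the server address 10.1.1.10, the group 239.192.1.1, the client subnet 10.1.2.0/24 and the sample packets are all constructed assumptions. It models the policy as a small stateful decision function and checks a proposed group against the well-known link-local control groups.

```python
import ipaddress
from dataclasses import dataclass, field

# Well-known groups in the 224.0.0.0/24 link-local control block that routing
# and redundancy protocols depend on. A stream landing on one of these would
# collide with infrastructure traffic on the same LAN.
RESERVED_GROUPS = {
    "224.0.0.1": "all-hosts",
    "224.0.0.2": "all-routers",
    "224.0.0.5": "OSPF all routers",
    "224.0.0.6": "OSPF designated routers",
    "224.0.0.9": "RIPv2",
    "224.0.0.10": "EIGRP",
    "224.0.0.13": "PIM",
    "224.0.0.18": "VRRP",
    "224.0.0.22": "IGMPv3",
    "224.0.0.102": "HSRPv2/GLBP",
    "224.0.0.251": "mDNS",
    "224.0.0.252": "LLMNR",
}


def classify_group(addr: str) -> str:
    """Short verdict on whether addr is a sane group for a site-local stream."""
    ip = ipaddress.ip_address(addr)
    if not ip.is_multicast:
        return "not-multicast"
    if str(ip) in RESERVED_GROUPS:
        return "reserved: " + RESERVED_GROUPS[str(ip)]
    if ip in ipaddress.ip_network("224.0.0.0/24"):
        return "link-local control block: avoid"
    if ip in ipaddress.ip_network("239.0.0.0/8"):
        return "administratively scoped: ok for site-local streams"
    if ip in ipaddress.ip_network("232.0.0.0/8"):
        return "source-specific multicast block"
    return "globally scoped: check it is not already in use"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "udp", "tcp" or "igmp"
    sport: int = 0
    dport: int = 0


@dataclass
class StreamPolicy:
    """Allow the exact group from the server; unicast replies only to requesters."""
    server: str
    group: str
    client_net: str
    # (client address, client port, proto) for unicast requests seen so far
    _state: set = field(default_factory=set)

    def decide(self, pkt: Packet) -> str:
        clients = ipaddress.ip_network(self.client_net)
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)

        if dst.is_multicast:
            # Only the server may source the stream, only to the agreed group,
            # and only as UDP. Nothing else toward any group is forwarded.
            if pkt.src == self.server and pkt.dst == self.group and pkt.proto == "udp":
                return "allow"
            # Desktops still need IGMP to join the group (assumption: any IGMP
            # from the client subnet toward a multicast destination is fine).
            if pkt.proto == "igmp" and src in clients:
                return "allow"
            return "deny"

        # Unicast request from a desktop to the server: remember who asked.
        if src in clients and pkt.dst == self.server and pkt.proto in ("tcp", "udp"):
            self._state.add((pkt.src, pkt.sport, pkt.proto))
            return "allow"

        # Unicast from the server is only a reply if it matches a recorded request.
        if pkt.src == self.server and (pkt.dst, pkt.dport, pkt.proto) in self._state:
            return "allow"

        return "deny"


if __name__ == "__main__":
    pol = StreamPolicy(server="10.1.1.10", group="239.192.1.1", client_net="10.1.2.0/24")
    print(classify_group(pol.group))
    samples = [  # constructed sample traffic
        Packet("10.1.1.10", "239.192.1.1", "udp", 5004, 5004),   # the stream
        Packet("10.1.2.7", "239.192.1.1", "udp", 5004, 5004),    # client sourcing into group
        Packet("10.1.1.10", "10.1.2.7", "udp", 5004, 40000),     # unsolicited unicast
        Packet("10.1.2.7", "10.1.1.10", "tcp", 40000, 80),       # client request
        Packet("10.1.1.10", "10.1.2.7", "tcp", 80, 40000),       # matching reply
    ]
    for p in samples:
        print(p.src, "->", p.dst, p.proto, pol.decide(p))
```

The point of the stateful branch is the one Paul raises: without it, "all ports open from the server to the desktop" means any process on the Win2K box can reach any port on every desktop, which is exactly the exposure a Slammer-style worm would exploit. The group check is a quick way to push back on a vendor-chosen address before it goes into the rules.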
Current thread:
- Multicasting Fiamingo, Frank (Feb 20)
- Re: Multicasting Paul D. Robertson (Feb 20)
- <Possible follow-ups>
- RE: Multicasting Fiamingo, Frank (Feb 21)