Re: [fw-wiz] Multicasting

From: Paul D. Robertson (proberts@patriot.net)
Date: 02/21/03

    From: "Paul D. Robertson" <proberts@patriot.net>
    To: "Fiamingo, Frank" <FiamingF@strsoh.org>
    Date: Thu, 20 Feb 2003 19:43:05 -0500 (EST)
    

    On Thu, 20 Feb 2003, Fiamingo, Frank wrote:

    > We've been told to install a vendor solution for video/audio streaming.
    > The vendor, RAW Communications, feeds their on-site server (MS Win2K) via
    > a satellite download (receiving only, no transmission back to the
    > satellite), and then uses multicast to supply the video stream to the
    > local desktops. The vendor requirement is that all ports be open from the
    > server to the desktop for a single multicast address.
    >
    > Is there any way to do this securely? With minimum exposure?

    Probably the most you can hope for is to only allow that exact multicast
    group traffic out.

    >
    > My initial suggestion was to isolate a couple of machines and just allow
    > the service to those desktops. But unless we can come up with some real
    > world examples to show how unsafe this can be, we will likely have to open
    > this up to our entire LAN.

    I don't know how well Win2k isolates multicast traffic from unicast
    addresses. If it doesn't do that well, then SQL/Slammer is a perfect
    example of why this wouldn't be something you'd want to let run rampant.
    Given the potential use of multicast addressing in the routing
    infrastructure, the whole idea may be of significantly more concern if you
    can't lock it all down to a particular group, or if the address is already
    in use.

    Is it truly a multicast-only solution, or is there unicast traffic from
    the clients back to the server? If it's two-way, then I think the issues
    open up much more significantly, and Slammer becomes much more of a
    realistic scenario.

    Also, it's worth noting that some routers/switches appear to be much
    more sensitive to multicast flooding, so there's an infrastructure issue
    that's likely to loom absent actual pointed attacks.

    If there's bidirectional traffic, maybe there's some stateful thing you
    can do to ensure that responses only come as a result of requests. If
    it's a proprietary protocol, perhaps the right way to approach this is to
    ask the vendor to underwrite insurance for an attack from that vector?

    HTH,

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    proberts@patriot.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
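As an added illustration of Paul's two points (allow only the one group from the server, and find out whether the clients ever talk back), the following is example code written for this archive page, not anything from the thread or from the vendor; the server address 10.1.1.10, the group 239.1.1.1 and the flow records are constructed placeholders. `check_group` vets the group the vendor asks for against the reserved local control block that routing protocols use, and `audit_flows` reads simple flow records and reports every flow that falls outside "server to that one group".

```python
import ipaddress
from typing import List, Tuple

MULTICAST = ipaddress.ip_network("224.0.0.0/4")
# 224.0.0.0/24 is the Local Network Control Block (OSPF, VRRP, IGMP, ...):
# a vendor group here collides with routing infrastructure, Paul's concern.
LOCAL_CONTROL = ipaddress.ip_network("224.0.0.0/24")
# Assumed addresses for this example; the thread names none.
STREAM_SERVER = ipaddress.ip_address("10.1.1.10")
STREAM_GROUP = ipaddress.ip_address("239.1.1.1")

def check_group(group: str) -> List[str]:
    """Vet the group the vendor asks for before any rule is written."""
    g = ipaddress.ip_address(group)
    if g not in MULTICAST:
        return ["not a multicast address"]
    if g in LOCAL_CONTROL:
        return ["inside the local network control block used by routing protocols"]
    return []

def audit_flows(records: List[str], server=STREAM_SERVER,
                group=STREAM_GROUP) -> List[Tuple[str, str]]:
    """Return (record, reason) for each flow outside 'server -> one group'.
    Record format, constructed for this example: "src dst proto dport"."""
    findings = []
    for rec in records:
        src, dst, _proto, _dport = rec.split()
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if d in MULTICAST:
            if s == server and d == group:
                continue  # the single flow the policy permits
            findings.append((rec, "multicast outside the permitted server/group pair"))
        elif d == server:
            # Clients talking back means it is not multicast-only (Paul's
            # two-way case), where a stateful rule is the minimum.
            findings.append((rec, "unicast from a client back to the stream server"))
        elif s == server:
            findings.append((rec, "unicast from the stream server to a desktop"))
    return findings

# Constructed sample flow records, not captured from any real network.
SAMPLE_FLOWS = [
    "10.1.1.10 239.1.1.1 udp 5000",  # permitted stream
    "10.1.1.10 239.1.1.2 udp 5000",  # server sending to a second group
    "10.1.5.20 239.1.1.1 udp 5000",  # a desktop sourcing the group itself
    "10.1.5.20 10.1.1.10 tcp 80",    # client -> server unicast
    "10.1.1.10 10.1.5.20 udp 5001",  # server -> client unicast
    "10.1.5.20 10.1.5.21 tcp 445",   # unrelated desktop traffic, ignored
]
```

Running `audit_flows(SAMPLE_FLOWS)` flags the four records that are not the permitted server-to-group stream; any hit on the "client back to server" reason is the evidence that the deployment is two-way rather than multicast-only.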
