RE: [fw-wiz] Multicasting
From: Fiamingo, Frank (FiamingF@strsoh.org)
Date: 02/21/03
From: "Fiamingo, Frank" <FiamingF@strsoh.org>
To: firewall-wizards@honor.icsalabs.com
Date: Fri, 21 Feb 2003 08:46:22 -0500
> From: Paul D. Robertson [mailto:proberts@patriot.net]
> Sent: Thursday, February 20, 2003 7:43 PM
>
> On Thu, 20 Feb 2003, Fiamingo, Frank wrote:
>
> > We've been told to install a vendor solution for video/audio streaming.
> > The vendor, RAW Communications, feeds their on-site server (MS Win2K) via
> > a satellite download (receiving only, no transmission back to the
> > satellite), and then uses multicast to supply the video stream to the
> > local desktops. The vendor requirement is that all ports be open from the
> > server to the desktop for a single multicast address.
> >
> > Is there any way to do this securely? With minimum exposure?
>
> Probably the most you can hope for is to only allow that exact multicast
> group traffic out.
>
> > My initial suggestion was to isolate a couple of machines and just allow
> > the service to those desktops. But unless we can come up with some real
> > world examples to show how unsafe this can be, we will likely have to open
> > this up to our entire LAN.
>
> I don't know how well Win2k isolates multicast traffic from unicast
> addresses. If it doesn't do that well, then SQL/Slammer is a perfect
> example of why this wouldn't be something you'd want to let run rampant.
> Given the potential use of multicast addressing in the routing
> infrastructure, the whole idea may be of significantly more concern if you
> can't lock it all down to a particular group, or if the address is already
> in use.
>
> Is it truly a multicast-only solution, or is there unicast traffic from
> the clients back to the server? If it's two-way, then I think the issues
> open up much more significantly, and Slammer becomes much more of a
> realistic scenario.
My understanding of how the product works is as follows.
There is a client on the desktops that connects to the server via a web
page to request content. The server, since it has no direct contact back
to its home base, redirects the client to a URL, via the Internet, from
which a particular audio/video presentation can be requested. That
presentation is then downloaded via satellite to the on-site server.
The server will then broadcast the event, to a multicast group, that the
client can listen for. If the client doesn't receive the multicast
traffic it will request a unicast feed from the server.
Thanks,
Frank
>
> Also, it's worth noting that some routers/switches appear to be much
> more sensitive to multicast flooding, so there's an infrastructure issue
> that's likely to loom absent actual pointed attacks.
>
> If there's bidirectional traffic, maybe there's some stateful thing you
> can do to ensure that responses only come as a result of requests. If
> it's a proprietary protocol, perhaps the right way to approach this is to
> ask the vendor to underwrite insurance for an attack from that vector?
>
> HTH,
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson          "My statements in this message are personal opinions
> proberts@patriot.net        which may have no basis whatsoever in fact."
> probertson@trusecure.com    Director of Risk Assessment
>                             TruSecure Corporation
>
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
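The policy Paul sketches above (only the one multicast group out of the streaming server, and unicast from the server only as a reply to a desktop's own request) can be audited against flow records. This is an added example, not code from the thread or the vendor; the server address 10.0.5.10, group 239.1.1.1, port 5000 and the flow records are all constructed placeholders.

```python
import ipaddress

# Assumed placeholders (not from the thread): server, single permitted group/port.
STREAM_SERVER = ipaddress.ip_address("10.0.5.10")
ALLOWED_GROUP = ipaddress.ip_address("239.1.1.1")
ALLOWED_PORT = 5000
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
# 224.0.0.0/24 is reserved for local network control (routing protocols live here).
NETWORK_CONTROL = ipaddress.ip_network("224.0.0.0/24")

# Constructed flow records: "proto src sport dst dport", in time order.
SAMPLE_FLOWS = """\
udp 10.0.5.10 5000 239.1.1.1 5000
udp 10.0.5.10 5000 239.1.1.2 5000
udp 10.0.7.44 4000 239.1.1.1 5000
udp 10.0.5.10 5000 224.0.0.5 5000
tcp 10.0.7.44 51000 10.0.5.10 80
tcp 10.0.5.10 80 10.0.7.44 51000
tcp 10.0.5.10 445 10.0.7.45 51001
""".splitlines()

def audit(lines):
    """Return (line, reason) for each flow the policy would not permit."""
    requests = set()   # client-initiated flows seen so far (the "state table")
    findings = []
    for line in lines:
        proto, src, sport, dst, dport = line.split()
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        sport, dport = int(sport), int(dport)
        reason = None
        if dst in MULTICAST:
            if dst in NETWORK_CONTROL:
                reason = "multicast into the 224.0.0.0/24 network-control range"
            elif src != STREAM_SERVER:
                reason = "multicast sourced by a host other than the streaming server"
            elif (dst, proto, dport) != (ALLOWED_GROUP, "udp", ALLOWED_PORT):
                reason = "multicast outside the single permitted group/port"
        elif dst == STREAM_SERVER:
            requests.add((proto, src, sport, dport))   # a desktop asking the server
        elif src == STREAM_SERVER and (proto, dst, dport, sport) not in requests:
            # Unicast from the server is only a reply if a desktop asked first.
            reason = "server-initiated unicast with no matching client request"
        if reason:
            findings.append((line, reason))
    return findings

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS):
        print(f"{line:40} {reason}")
```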