RE: [fw-wiz] Multicasting

From: Fiamingo, Frank (FiamingF@strsoh.org)
Date: 02/21/03

    From: "Fiamingo, Frank" <FiamingF@strsoh.org>
    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 21 Feb 2003 08:46:22 -0500
    

    > From: Paul D. Robertson [mailto:proberts@patriot.net]
    > Sent: Thursday, February 20, 2003 7:43 PM
    >
    > On Thu, 20 Feb 2003, Fiamingo, Frank wrote:
    >
    > > We've been told to install a vendor solution for video/audio streaming.
    > > The vendor, RAW Communications, feeds their on-site server (MS Win2K) via
    > > a satellite download (receiving only, no transmission back to the
    > > satellite), and then uses multicast to supply the video stream to the
    > > local desktops. The vendor requirement is that all ports be open from the
    > > server to the desktop for a single multicast address.
    > >
    > > Is there any way to do this securely? With minimum exposure?
    >
    > Probably the most you can hope for is to only allow that exact multicast
    > group traffic out.
    >
    > > My initial suggestion was to isolate a couple of machines and just allow
    > > the service to those desktops. But unless we can come up with some real
    > > world examples to show how unsafe this can be, we will likely have to open
    > > this up to our entire LAN.
    >
    > I don't know how well Win2k isolates multicast traffic from unicast
    > addresses. If it doesn't do that well, then SQL/Slammer is a perfect
    > example of why this wouldn't be something you'd want to let run rampant.
    > Given the potential use of multicast addressing in the routing
    > infrastructure, the whole idea may be of significantly more concern if you
    > can't lock it all down to a particular group, or if the address is already
    > in use.
    >
    > Is it truly a multicast-only solution, or is there unicast traffic from
    > the clients back to the server? If it's two-way, then I think the issues
    > open up much more significantly, and Slammer becomes much more of a
    > realistic scenario.

    My understanding of how the product works is as follows.
    There is a client on the desktops that connects to the server via a web
    page to request content. The server, since it has no direct contact back
    to its home base, redirects the client to a URL, via the Internet, from
    which a particular audio/video presentation can be requested. That
    presentation is then downloaded via satellite to the on-site server.
    The server will then broadcast the event to a multicast group that the
    client can listen for. If the client doesn't receive the multicast
    traffic, it will request a unicast feed from the server.

            Thanks,
            Frank

    >
    > Also, it's worth noting that some routers/switches appear to be much
    > more sensitive to multicast flooding, so there's an infrastructure issue
    > that's likely to loom absent actual pointed attacks.
    >
    > If there's bidirectional traffic, maybe there's some stateful thing you
    > can do to ensure that responses only come as a result of requests. If
    > it's a proprietary protocol, perhaps the right way to approach this is to
    > ask the vendor to underwrite insurance for an attack from that vector?
    >
    > HTH,
    >
    > Paul
    > -----------------------------------------------------------------------------
    > Paul D. Robertson         "My statements in this message are personal opinions
    > proberts@patriot.net       which may have no basis whatsoever in fact."
    > probertson@trusecure.com   Director of Risk Assessment
    > TruSecure Corporation
    >
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
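The policy Paul sketches and the flow Frank describes (one multicast group out of the server, desktops joining that group, and a unicast fallback that should only appear as a reply to a desktop's own request) can be written down as a small stateful filter. The block below is an added illustration and is not part of the thread, the vendor's product or any firewall; the server address, desktop subnet and group address are constructed placeholders, and the packet records are constructed sample traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All addresses are constructed placeholders (assumed), not values from the thread.
SERVER_IP = ip_address("198.51.100.10")       # vendor's on-site streaming server
STREAM_GROUP = ip_address("239.192.0.1")      # the single multicast group the vendor asks for
DESKTOPS = ip_network("192.0.2.0/24")         # desktops permitted to receive the feed
IGMP_V3_REPORTS = ip_address("224.0.0.22")    # IGMPv3 membership reports are sent here
ALL_MULTICAST = ip_network("224.0.0.0/4")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "udp", "tcp" or "igmp"
    sport: int = 0
    dport: int = 0


class StreamFirewall:
    """Stateful policy: exactly one multicast group out of the server, IGMP
    joins for that group only, and server-to-desktop unicast allowed solely as
    a reply to a request the desktop itself sent."""

    def __init__(self):
        # (client_ip, client_port, proto) of desktop requests seen so far
        self.sessions = set()

    def decide(self, pkt):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)

        if pkt.proto == "igmp":
            # Desktops may join only the vendor's group (IGMPv2 reports go to the
            # group itself, IGMPv3 reports to 224.0.0.22).
            if src in DESKTOPS and dst in (STREAM_GROUP, IGMP_V3_REPORTS):
                return "allow"
            return "deny"

        if dst in ALL_MULTICAST:
            # "Only allow that exact multicast group traffic out": UDP, from the
            # server, to the one group. Any other group, including the 224.0.0.x
            # range used by routing protocols, and any other source is dropped.
            if src == SERVER_IP and dst == STREAM_GROUP and pkt.proto == "udp":
                return "allow"
            return "deny"

        if src in DESKTOPS and dst == SERVER_IP:
            # Desktop-initiated request (web page, or unicast fallback); record it.
            self.sessions.add((pkt.src, pkt.sport, pkt.proto))
            return "allow"

        if src == SERVER_IP and dst in DESKTOPS:
            # Server may send unicast to a desktop only in reply to a recorded request.
            if (pkt.dst, pkt.dport, pkt.proto) in self.sessions:
                return "allow"
            return "deny"

        return "deny"


def evaluate(packets):
    """Run a packet list through a fresh filter and return the verdicts in order."""
    fw = StreamFirewall()
    return [fw.decide(p) for p in packets]


# Constructed sample traffic, in the order the thread describes the flow.
SAMPLE = [
    Packet("192.0.2.55", "198.51.100.10", "tcp", 40000, 80),   # desktop requests the server's web page
    Packet("198.51.100.10", "192.0.2.55", "tcp", 80, 40000),   # redirect reply to that request
    Packet("192.0.2.55", "239.192.0.1", "igmp"),               # desktop joins the stream group
    Packet("198.51.100.10", "239.192.0.1", "udp", 5000, 5000), # the multicast feed itself
    Packet("198.51.100.10", "239.192.0.2", "udp", 5000, 5000), # a different group: blocked
    Packet("198.51.100.10", "224.0.0.5", "udp", 5000, 5000),   # a 224.0.0.x group: blocked
    Packet("192.0.2.77", "239.192.0.1", "udp", 5000, 5000),    # desktop sourcing the group: blocked
    Packet("198.51.100.10", "192.0.2.55", "udp", 5000, 6000),  # unsolicited unicast from server: blocked
    Packet("192.0.2.55", "198.51.100.10", "udp", 6000, 5000),  # desktop asks for the unicast fallback
    Packet("198.51.100.10", "192.0.2.55", "udp", 5000, 6000),  # fallback reply: allowed
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, evaluate(SAMPLE)):
        print(f"{verdict:5} {pkt.proto:4} {pkt.src} -> {pkt.dst}")
```

The point of the session set is the one Paul raises for the two-way case: the server never gets to open a unicast conversation on its own, so a host that has been compromised over the satellite feed cannot use the "all ports open" exception to reach the desktops unprompted. A real deployment would also expire the entries and restrict the permitted UDP port on the group, which the placeholder keeps open because the thread does not state the vendor's port.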

