Re: [fw-wiz] Multicast Firewall

From: Srinivasa Rao Addepalli (srao_at_intotoinc.com)
Date: 10/23/03

  • Next message: DeMoss, Scott: "[fw-wiz] (no subject)"
    To: <firewall-wizards@honor.icsalabs.com>, "Ravi Kumar" <ravivsn@roc.co.in>
    Date: Wed, 22 Oct 2003 16:09:57 -0700
    
    

    To get some understanding of issues related to firewalls and multicast,
    you can go through RFC 2588. This is an informational RFC and gives good
    background.

    Organizations require multicast packet inspection for integrity, similar to
    the type of integrity checks that are done for unicast packets. It is required
    that access control is provided on multicast packets. Unlike a unicast packet,
    a multicast packet can be forwarded to multiple interfaces, i.e. multiple
    destinations. In unicast packets, the intended destination's IP address is present
    in the packet. In multicast packets, only the multicast group address is
    present in the packet. Intended recipients are programmed/configured in the
    multicast routing database. The multicast routing database is created either manually
    or by IGMP proxy, MROUTE, etc. Due to this, access control will have to
    be different from that for unicast packets.

    In the firewall world, networks are divided into the Corporate network, DMZ network
    and external network. Multicast access control can be based on these networks.
    You could have 'OUTBOUND' and 'INBOUND' multicast access control databases
    on the Corporate and DMZ networks. You may also want to have this access control database for
    local applications.

    A multicast access control policy can have similar filter attributes, i.e. source IP/subnet/range,
    multicast IP address/range, IP protocol, and source port/range and destination port/range in the case
    of the UDP protocol. You could have actions such as 'Accept' or 'Deny'. In the case of outbound,
    you may want to have source NAT if there are multicast sources in internal networks.
    With these databases, multicast traffic from external to internal networks and from internal networks
    to external networks can be controlled.

    In summary:
        - You need access control on multicast packets.
        - You need to do packet integrity checks on multicast packets.

    I hope it helps.
    Srini

    Intoto Inc.
    Enabling Security Infrastructure
    3160, De La Cruz Blvd #100
    Santa Clara, CA 95054
    www.intotoinc.com
    ----- Original Message -----
    From: "Ravi Kumar" <ravivsn@roc.co.in>
    To: <firewall-wizards@honor.icsalabs.com>
    Sent: Tuesday, October 21, 2003 10:15 PM
    Subject: [fw-wiz] Multicast Firewall

    > Hi,
    > I work for a company which makes firewall+VPN appliances.
    > Today, we have a
    > unicast firewall. I was asked to prepare specifications for a
    > multicast firewall.
    > I tried to find any standards or documents on the Internet
    > related to this. But I did
    > not find any relevant information. Any advice on this is
    > appreciated. What type of
    > capabilities are to be provided and what type of security is expected?
    > Thanks
    > Ravi
    >
    >
    >
    >
    > ----------
    > <http://www.roc.co.in/>ROCs Ambassador product: iSecure
    > iSecure is a comprehensive security appliance with stateful inspection
    > Firewall and IPSEC/IKE based VPN. The Firewall supports several ALGs, a
    > cyber-defense engine and a powerful session lookup engine. The VPN is based on the
    > latest IPSEC and IKE RFCs and supports preshared key and RSA/DSA
    > certificate authentication.
    > The views presented in this mail are completely mine. The company is not
    > responsible whatsoever.
    >
    > ----------
    > Ravi Kumar CH
    > Rendezvous On Chip (I) Pvt Ltd
    > Hyderabad, INDIA
    >
    > <http://www.roc.co.in/>ROC HOME PAGE:
    > http://www.roc.co.in
    >
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
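As an added example that is not part of this thread or of either poster's products, the following Python models the policy Srini sketches: a per-zone, per-direction ('INBOUND'/'OUTBOUND') rule database keyed on source subnet, multicast group range, IP protocol and UDP port ranges, with 'accept'/'deny' actions and optional source NAT on outbound accepts, preceded by policy-independent integrity checks on the packet (destination really is a group address, source is a valid unicast address, link-local groups are never forwarded, TTL permits forwarding). The zone names, rule syntax, sample rules and sample packets are assumptions made for illustration.

```python
# Added example (not the thread's or any vendor's code): a minimal multicast
# access-control evaluator. Zone names, rule layout, sample rules and the
# sample packets are assumptions chosen for illustration only.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

MULTICAST_RANGE = ip_network("224.0.0.0/4")     # every IPv4 multicast group
LINK_LOCAL_GROUPS = ip_network("224.0.0.0/24")  # local-subnet groups, never routed

PortRange = Tuple[int, int]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str          # multicast group address
    proto: str        # "udp", "igmp", ...
    sport: int = 0
    dport: int = 0
    ttl: int = 64


@dataclass(frozen=True)
class Rule:
    src: IPv4Network                   # source IP/subnet expressed as a prefix
    group_lo: IPv4Address              # inclusive multicast group range
    group_hi: IPv4Address
    action: str                        # "accept" or "deny"
    proto: Optional[str] = None        # None = any IP protocol
    sport: Optional[PortRange] = None  # only checked for UDP
    dport: Optional[PortRange] = None
    snat: Optional[str] = None         # rewrite source on accept (outbound use)


def rule(src: str, group_lo: str, group_hi: str, action: str, **kw) -> Rule:
    """Convenience constructor taking the attributes as strings."""
    return Rule(ip_network(src), ip_address(group_lo), ip_address(group_hi), action, **kw)


def integrity_check(pkt: Packet) -> Optional[str]:
    """Policy-independent sanity checks; returns a drop reason or None."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if dst not in MULTICAST_RANGE:
        return "destination is not a multicast group"
    if src in MULTICAST_RANGE or src.is_loopback or src.is_unspecified:
        return "source is not a valid unicast address"
    if dst in LINK_LOCAL_GROUPS:
        return "link-local group (224.0.0.0/24) must not be forwarded"
    if pkt.proto == "tcp":
        return "TCP cannot be carried to a multicast destination"
    if pkt.ttl <= 1:
        return "TTL too low to forward"
    return None


def _in_range(value: int, rng: Optional[PortRange]) -> bool:
    return rng is None or rng[0] <= value <= rng[1]


def matches(r: Rule, pkt: Packet) -> bool:
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src not in r.src or not (r.group_lo <= dst <= r.group_hi):
        return False
    if r.proto is not None and r.proto != pkt.proto:
        return False
    if pkt.proto == "udp" and not (_in_range(pkt.sport, r.sport) and _in_range(pkt.dport, r.dport)):
        return False
    return True


def evaluate(policy: List[Rule], pkt: Packet) -> Tuple[str, str, Packet]:
    """First-match evaluation with default deny. Returns (verdict, reason, packet as forwarded)."""
    reason = integrity_check(pkt)
    if reason is not None:
        return "drop", reason, pkt
    for i, r in enumerate(policy):
        if matches(r, pkt):
            out = pkt
            if r.action == "accept" and r.snat is not None:
                out = Packet(r.snat, pkt.dst, pkt.proto, pkt.sport, pkt.dport, pkt.ttl)
            return r.action, f"rule {i}", out
    return "deny", "no rule matched (default deny)", pkt


# Per-zone, per-direction databases (assumed zone names and sample rules).
POLICIES: Dict[Tuple[str, str], List[Rule]] = {
    ("corporate", "inbound"): [
        rule("198.51.100.0/24", "239.1.0.0", "239.1.255.255", "accept",
             proto="udp", dport=(5000, 5010)),
    ],
    ("corporate", "outbound"): [
        rule("10.0.0.0/8", "239.2.0.0", "239.2.0.255", "accept",
             proto="udp", snat="203.0.113.1"),
    ],
    ("dmz", "inbound"): [],
}


def filter_packet(zone: str, direction: str, pkt: Packet) -> Tuple[str, str, Packet]:
    """Look up the (zone, direction) database and evaluate one packet against it."""
    return evaluate(POLICIES.get((zone, direction), []), pkt)
```

The integrity checks run before any rule is consulted, so a malformed packet is dropped even if a permissive rule would otherwise match; the per-zone databases are separate lists, so an 'accept' in the Corporate outbound database cannot leak a group into the DMZ.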


