Firewall Wizards mailing list archives

RE: firewall and multicast


From: "Safier, Adam (GEIS)" <Adam.Safier () geis ge com>
Date: Fri, 6 Mar 1998 22:14:34 -0500

Adam & Co,

TIS was working on a multicast proxy Client/Server model about a year+ ago.
The way I understood it, the Server piece on the firewall accepted multicast
on one interface and did a directed TCP session from the internal interface.
The Client piece let users actually join and have internal applications that
thought they were talking to a standard Multicast service. Sort of a NAT
with UDP/TCP protocol conversion thrown in and a client piece to help out
apps that insisted on talking to a multicast stack.  I could have it all
wrong so I suggest you contact TIS and ask.  Hope they got it done.

A while back (when I was at CSC) we got Multicast through Firewall-1 on SUN
by adding public domain MOSPF (Multicast OSPF routing protocol).  HP could
also do it for small packet sizes (<1400 bytes) with the supplied multicast
support but didn't have quad ethernet cards available :(Hint, HP).  The
Firewall-1 software allowed us to filter to specific multicast addresses and
port numbers so internal users were restricted to which groups they could
join.  

A multicast allows an attacker to hit a whole bunch of stations while only
transmitting one packet so we were still not real thrilled with the
solution. We got a multicast guru programmer to whip up a proxy that did NAT
for multicast on one interface and unicast UDP on the other interface.  The
Firewall admin entered a static map of allowed associations - which was not
elegant but just fine for the application.

I also heard that Raptor is supporting Multicast in their product.

You might want to check out gated.  I think it supports multicast routing.

Finally, if you are desperate and want consultants, check out CSC (my former
employer) in Maryland. Some of their people have significant multicast
experience (government group).  No wonder CA wants to buy them!

Hope I remembered all of that correctly!
Adam  (the other and lurking Adam)


-----Original Message-----
From: Adam Shostack 
Sent: Friday, March 06, 1998 9:57 AM
To:   wangw () singnet com sg
Cc:   firewall-wizards () nfr net
Subject:      Re: firewall and multicast


There's a paper by some folks at TIS in the 1997 IEEE symposium on
Security & Privacy about adding a Multicast gateway to the FWTK.
Don't have it handy, but recall there being some useful points made
about the security implications of multicast.

Adam


George Wang wrote:
| Hi,
| 
| What are the firewalls that support multicast? Is there any security
| implications of that?
| 
| Regards,
| GW
| 
| 


-- 
"It is seldom that liberty of any kind is lost all at once."
                                                     -Hume
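
The static-map proxy described in the message above (multicast on the outside interface, unicast UDP on the inside), as an added example; it is not the code from the post or from any product named in it. The addresses, ports and function names are constructed for illustration, and binding to the group address assumes Linux-style socket behaviour.

```python
import ipaddress
import select
import socket
import struct

# Constructed static map, as an admin might enter it:
# (outside multicast group, UDP port) -> (inside unicast host, UDP port)
STATIC_MAP = {
    ("239.1.2.3", 5004): ("10.0.0.15", 5004),
    ("239.1.2.4", 6000): ("10.0.0.16", 6000),
}

def validate_map(assoc):
    """Fail closed on any entry that is not multicast -> single unicast host."""
    checked = {}
    for (group, port), (host, dport) in assoc.items():
        g, h = ipaddress.IPv4Address(group), ipaddress.IPv4Address(host)
        if not g.is_multicast:
            raise ValueError(f"{group} is not a multicast group")
        if h.is_multicast or h.is_unspecified or int(h) == 0xFFFFFFFF:
            raise ValueError(f"{host} is not a unicast destination")
        if not (0 < port < 65536 and 0 < dport < 65536):
            raise ValueError("port out of range")
        checked[(g, port)] = (str(h), dport)
    return checked

def lookup(checked, group, port):
    """Return the inside destination for a group/port, or None (drop)."""
    return checked.get((ipaddress.IPv4Address(group), port))

def open_listeners(checked, outside_ip):
    """Join only the mapped groups, and only on the outside interface."""
    socks = {}
    for (g, port), dest in checked.items():
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((str(g), port))  # group address: other groups on this port are not delivered
        mreq = struct.pack("4s4s", g.packed, socket.inet_aton(outside_ip))
        s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
        socks[s] = dest
    return socks

def relay(socks, inside_ip):
    """Forward each datagram as unicast UDP to its mapped inside host."""
    out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    out.bind((inside_ip, 0))  # source the unicast copy from the inside interface
    while True:
        ready, _, _ = select.select(list(socks), [], [])
        for s in ready:
            data, _src = s.recvfrom(65535)
            out.sendto(data, socks[s])
```

Internal hosts never join a group themselves: the only memberships that exist are the ones in the map, and anything not listed is never received by the proxy.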