RE: Real Audio Security

["LeGrow, Matt" <Matt_LeGrow () NAI com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

While researching a problem with the Gauntlet 5.0 web proxy a while
back I had a chance to observe RealAudio traffic tunnelling itself
through our web proxy.    RealAudio actually allows you to configure
or gives the option to determine for itself the best method out of
several types of transport, including TCP and UDP-based transports. 
As if thats not confusing enough, there are also two different
versions of the TCP transport protocol to choose from, either RTSP
(TCP port 554) or PNA (TCP port 1090).  The UDP-based transport uses
both multiple single ports and a range of UDP ports.

So the least complicated thing is to just tell it to run through your
Web Proxy.  Through a web proxy, at least,I can tell you that
RealAudio sends some strange traffic through, including mysterious
encoded/encrypted (?) 5k POSTs on a fairly consistent basis (with
Spinner we were able to match them to the ends of songs that we
played through the client) that I assume are encoded requests or
updates of state information to the realaudio server.  With the two
clients I was testing with (Spinner and RealPlayer 6.0.6.45) the POST
requests were adorned with incorrect content-lengths and
non-Y2K-compliant expiration dates for content.  Just not knowing
what the thing is posting through your firewall should make any
reasonably paranoid admin nervous enough.

I would say just on external observation and not knowing the guts of
the protocol, that its definitely a big black hole, but if you must
proxy it set up a TCP/SOCKS proxy instead of burdening your web proxy
with the additional barely-compliant HTTP traffic.

Matt LeGrow
Network Associates, Inc.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Note: Opinions expressed herein are most certainly NOT that of my
employer:-)


> -----Original Message-----
> From: Cracknell, Phil [mailto:phil.cracknell () nomura co uk]
> Sent: Tuesday, January 18, 2000 5:47 AM
> To: firewall-wizards () nfr net
> Subject: Real Audio Security
>
>
>
> Two in one day!
>
> Could someone point me to any research data on the security 
> pitfalls of Real
> Audio through a firewall?
>
> Particularly interested in bandwidth issues, use of PN prxy or
> other.  
>
> Thanks
>
> Phil
> -- 
> --------------------------------------------------------------
> --------------
> The information contained in this message is intended for the 
> named recipients 
> only. If you are not an intended recipient of this message, 
> you must not copy,
> distribute or take any action in reliance on it and you 
> should notify the 
> sender immediately.  E-mail transmission cannot be guaranteed 
> to be secure or 
> error-free as information could be intercepted, corrupted, 
> lost, destroyed, 
> arrive late or incomplete, or contain viruses, and Nomura 
> International plc 
> excludes liability for (1) any errors or omissions in the 
> contents of this 
> message which arise as a result of e-mail transmission and (2) the 
> transmission of any viruses. If verification is required 
> please request a 
> hard-copy version. 
>
> Nomura International plc is regulated by the Securities and 
> Futures Authority Limited and is a member of the London Stock 
> Exchange.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Crypto Provided by Network Associates <http://www.nai.com>

iQA/AwUBOIdrlvbW52zw8/NBEQIcNwCfSpLmVAKvthT9ZklENoCG6/5d5zMAoNY/
oJDgsvH6ZJmym26QB8+1qzAB
=KuVp
-----END PGP SIGNATURE-----