Firewall Wizards mailing list archives

RE: Real Audio Security


From: ark () eltex ru
Date: Fri, 21 Jan 2000 13:06:59 +0300

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

Hmmm ;) AFAIR Gauntlet has its own RA proxy, probably based on PN's 
reference implementation available from their site - what's wrong 
with it, why should you use web proxy ;)? 

Ah! Bashing socks I forgot another problem with it: if you use firewall
to control what your users do on the net, socks (if you don't spend
some amount of time to configure it for selected applications and hosts
only) is a way for them to avoid your control. All you see from
socks log is just host addresses and port numbers and no knowledge what
they actually do, not more than packet filtering can provide to you.

And the biggest problem with socks is that most firewall administrators
are NOT aware of the problems I mentioned.

- ----

"LeGrow, Matt" <Matt_LeGrow () NAI com> said :

While researching a problem with the Gauntlet 5.0 web proxy a while
back I had a chance to observe RealAudio traffic tunnelling itself
through our web proxy.    RealAudio actually allows you to configure
or gives the option to determine for itself the best method out of
several types of transport, including TCP and UDP-based transports. 
As if that's not confusing enough, there are also two different
versions of the TCP transport protocol to choose from, either RTSP
(TCP port 554) or PNA (TCP port 1090).  The UDP-based transport uses
both multiple single ports and a range of UDP ports.

So the least complicated thing is to just tell it to run through your
Web Proxy.  Through a web proxy, at least, I can tell you that
RealAudio sends some strange traffic through, including mysterious
encoded/encrypted (?) 5k POSTs on a fairly consistent basis (with
Spinner we were able to match them to the ends of songs that we
played through the client) that I assume are encoded requests or
updates of state information to the realaudio server.  With the two
clients I was testing with (Spinner and RealPlayer 6.0.6.45) the POST
requests were adorned with incorrect content-lengths and
non-Y2K-compliant expiration dates for content.  Just not knowing
what the thing is posting through your firewall should make any
reasonably paranoid admin nervous enough.

I would say just on external observation and not knowing the guts of
the protocol, that it's definitely a big black hole, but if you must
proxy it set up a TCP/SOCKS proxy instead of burdening your web proxy
with the additional barely-compliant HTTP traffic.
- ---

                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBOIgvwaH/mIJW9LeBAQEdrQQAl/fnaKQeKywIHm71pW4EPFMFVpmxsLfR
XVYXL3J3T/WJCUT36QR86bY2mnWVVZirpdmdvpq2cQyYyiXM4t6dGe6vZiaqqSwU
/5llI2Mrvz9m+GvgZ+/MqFM5cuzRKFueShqN29BKaG9LOjGLpLci898o/IGgRBYC
RcUUBwKsQXs=
=z7n3
-----END PGP SIGNATURE-----
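Matt's observation above (POSTs whose Content-Length does not match the body, and two-digit-year dates in the headers) is the kind of thing a proxy administrator would want to flag automatically rather than notice by hand. The following checker is an added example written for this archive page; it is not code from the thread, from Gauntlet or from NAI. It assumes nothing beyond standard Python: the request format is plain HTTP/1.0, the function names and the two sample requests are constructed for the example (they are not captured RealAudio traffic), and the two-digit-year test deliberately flags the RFC 850 date form that Matt describes as non-Y2K-compliant.

```python
"""Flag barely-compliant HTTP POSTs of the kind seen at a web proxy (added example)."""
import re
from typing import Dict, List, Tuple

# RFC 850 style date with a two-digit year, e.g. "Friday, 21-Jan-00 00:00:00 GMT".
# A four-digit year ("21 Jan 2000") does not match because \b cannot fall
# between the two halves of "2000".
TWO_DIGIT_YEAR = re.compile(r"\b\d{1,2}[- ][A-Za-z]{3}[- ]\d{2}\b")


def split_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP request into request line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def check_request(raw: bytes) -> List[str]:
    """Return a list of findings for one request; an empty list means nothing looked off."""
    findings: List[str] = []
    request_line, headers, body = split_request(raw)
    method = request_line.split(" ", 1)[0]
    if method == "POST":
        # Compare the declared length with the bytes that actually arrived.
        declared = headers.get("content-length")
        if declared is None:
            findings.append("POST without Content-Length")
        elif not declared.isdigit():
            findings.append(f"Content-Length is not an integer: {declared!r}")
        elif int(declared) != len(body):
            findings.append(f"Content-Length {declared} but body is {len(body)} bytes")
    # Date-bearing headers that still use a two-digit year.
    for name in ("expires", "date", "last-modified"):
        value = headers.get(name)
        if value and TWO_DIGIT_YEAR.search(value):
            findings.append(f"{name} uses a two-digit year: {value}")
    return findings


# Constructed sample requests for the example (not captured traffic).
SAMPLE_OK = (b"POST /state HTTP/1.0\r\nHost: media.example\r\n"
             b"Content-Length: 11\r\n\r\nhello world")
SAMPLE_BAD = (b"POST /state HTTP/1.0\r\nHost: media.example\r\n"
              b"Content-Length: 5000\r\n"
              b"Expires: Friday, 21-Jan-00 00:00:00 GMT\r\n\r\n"
              + b"\x00" * 11)

if __name__ == "__main__":
    for label, req in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_request(req) or "no findings")
```

Run against the two constructed samples, the first request produces no findings and the second reports both the length mismatch and the two-digit-year Expires header. Note that this is exactly the visibility a SOCKS or packet-filter log cannot give: at that layer only the peer address and port are seen, whereas an application proxy can look at the request itself.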


