RE: Multicasting

["Fiamingo, Frank" <FiamingF () strsoh org>]

> From: Paul D. Robertson [mailto:proberts () patriot net]
> Sent: Thursday, February 20, 2003 7:43 PM
>
> On Thu, 20 Feb 2003, Fiamingo, Frank wrote:
>
> > We've been told to install a vender solution for 
> video/audio streaming.
> > The vendor, RAW Communications, feeds their on-site server 
> (MS Win2K) via 
> > a satellite download (receiving only, no transmission back to the
> > satellite), 
> > and then uses multicast to supply the video stream to the 
> local desktops.  
> > The vendor requirement is that all ports be open from the 
> server to the 
> > desktop for a single multicast address.
> >
> > Is there any way to do this securely?  With minimum exposure?
>
> Probably the most you can hope for is to only allow that 
> exact multicast 
> group traffic out.  
>
> > My initial suggestion was to isolate a couple of machines 
> and just allow
> > the service to those desktops. But unless we can come up 
> with some real
> > world examples to show how unsafe this can be, we will 
> likely have to open
> > this up to our entire LAN.
>
> I don't know how well Win2k isolates multicast traffic from unicast 
> addresses.  If it dosen't do that well, then SQL/Slammer is a perfect 
> example of why this wouldn't be something you'd want to let 
> run rampant.  
> Given the potential use of multicast addressing in the routing 
> infrastructure, the whole idea may be of significantly more 
> concern if you 
> can't lock it all down to a particular group, or if the 
> address is already 
> in use.  
>
> Is it truly a multicast-only solution, or is there unicast 
> traffic from 
> the clients back to the server?  If it's two-way, then I 
> think the issues 
> open up much more significantly, and Slammer becomes much more of a 
> realistic scenerio.

My understanding of how the product works is as follows.
There is a client on the desktops that connects to the server via a web
page to request content.  The server, since it has no direct contact back
to its home base, redirects the client to a URL, via the Internet, from
which a particular audio/video presentation can be requested.  That 
presentation is then downloaded via satellite to the on-site server.
The server will then broadcast the event, to a multicast group, that the
client can listen for.  If the client doesn't receive the multicast 
traffic it will request a unicast feed from the server.  

        Thanks,
        Frank

> Also, it's worth noting that some routers/switches appear to be much 
> more sensitive to multicast flooding, so there's an 
> infrastructure issue 
> that's likely to loom absent actual pointed attacks.
>
> If there's bidirectional traffic, maybe there's some stateful 
> thing you 
> can do to ensure that responses only come as a result of 
> requests.  If 
> it's a proprietary protocol, perhaps the right way to 
> approach this is to 
> ask the vendor to underwrite insurance for an attack from that vector?
>
> HTH,
>
> Paul
> --------------------------------------------------------------
> ---------------
> Paul D. Robertson      "My statements in this message are 
> personal opinions
> proberts () patriot net      which may have no basis whatsoever in fact."
> probertson () trusecure com Director of Risk Assessment 
> TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards