Hi,
> From: jgt10@amdahl.com (John G. Thompson)
> Date: Mon, 26 Feb 1996 10:45:36 -0800 (PST)
> Subject: Re: RealAudio and firewalls
>
> > Can anyone tell me or point me in the direction of any documentation
> > explaining why real-audio etc. causes problems with firewalls.
>
> The basic problem is that the RealAudio protocol runs the data
> through UDP ports. To be used inside a firewall either the
> UDP ports must be generically allowed (thus opening the entire
> internal network to UDP attacks) or a proxy must be written
> to pass the traffic.
>
Yes, it is UDP based. The following is snipped from their page.
----------------------snip---------------------------------
You must enable traffic on the following range of ports:
TCP port 7070
UDP ports 6970 - 7170 (inclusive) for incoming traffic only.
The TCP port is used by the client to initiate a conversation with an
external RealAudio server, to authenticate the player to the server,
and to pass control messages during playback (e.g., pausing or stopping
the audio stream).
The range of UDP ports, on the other hand, carries the incoming audio
stream. These ports begin to carry traffic only after the player and
server have performed the authentication routine, and should be enabled
only for incoming traffic.
A slightly safer configuration can be achieved by careful configuration
of the TCP port connection. Since you do not want incoming connection
attempts on this port, you should configure the router's access control
list to allow TCP connections on port 7070 to be initiated from the
inside network exclusively. Incoming traffic, on the other hand, should
only be allowed if it is part of an ongoing connection. This is assured
by requiring incoming TCP packets to have the ACK bit set in the TCP
header carried by every packet.
------------------------------end snip--------------------------
To handle this in a reasonably secure way you must have a proxy
that is able to maintain state and check that the incoming
UDP packets are a result of the outgoing TCP connection. Checking
the ACK bit is nice, but as has been discussed here many times,
not enough to block someone determined, and the UDP stuff is fully open
anyway.
The configuration they describe above is an invitation to open up your
network. They claim that Border and Checkpoint have a proxy now, but I do
not know how they work (I did not find any info about it on Border's
page).
An interesting question relating to this is: Has anybody dug deep
enough into RFC1889 and RFC1890 to see if the new realtime protocol is
designed in a way that makes it possible to firewall in a secure way?
> Since Progressive Networks is very concerned about protecting
> its protocol it is unclear how much security they have implemented
> to help alleviate security concerns.
>
> JGT
>
> - --
> John G. Thompson jgt10@amdahl.com 1-408-992-2088
> Amdahl Corporation, P.O. Box 3470 MS 383, Sunnyvale, CA 94088-3470
>
> [The opinions expressed are MINE. They do not necessarily reflect the
> policies, procedures, press releases or opinions of the Amdahl
> Corporation.]
Regards,
Kare
--
----------------------------------------------------------
Kåre Presttun                          Alcanet International
Tel: +33 1 4058 5614                   33, rue Emeriau
Fax: +33 1 4058 5945                   F-75015 Paris
mailto:Kare.Presttun@ansf.alcatel.fr   FRANCE
mailto:Kare.Presttun@alcatel.no        http://www.alcatel.com
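As an added example (not from either message, nor from the RealAudio documentation): a small Python model of the two policies the thread contrasts, the vendor's static ACL against a filter that admits inbound UDP only toward an inside host that has its own outbound TCP 7070 session to that same server. Hosts, ports and the packet sequence are constructed, and the session state is deliberately simplified to (inside host, server) pairs with no port tracking or timeouts.

```python
from dataclasses import dataclass

RA_TCP_CONTROL = 7070
RA_UDP_RANGE = range(6970, 7171)   # 6970-7170 inclusive, as in the RealAudio note

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool   # True when the packet arrives from the outside
    ack: bool = False

def acl_only(pkt, _state=None):
    """Static ACL from the vendor note: TCP 7070 (inbound only with ACK set),
    plus any inbound UDP to 6970-7170, from any source, to any inside host."""
    if pkt.proto == "tcp" and RA_TCP_CONTROL in (pkt.sport, pkt.dport):
        return pkt.ack if pkt.inbound else True
    if pkt.proto == "udp" and pkt.inbound and pkt.dport in RA_UDP_RANGE:
        return True
    return False

def stateful(pkt, state):
    """Admit inbound packets only as replies to an inside host's own outbound
    control connection; `state` holds (inside_host, server) pairs seen so far."""
    if pkt.proto == "tcp" and not pkt.inbound and pkt.dport == RA_TCP_CONTROL:
        state.add((pkt.src, pkt.dst))        # inside host opened a control session
        return True
    if pkt.proto == "tcp" and pkt.inbound and pkt.sport == RA_TCP_CONTROL:
        return pkt.ack and (pkt.dst, pkt.src) in state
    if pkt.proto == "udp" and pkt.inbound and pkt.dport in RA_UDP_RANGE:
        return (pkt.dst, pkt.src) in state   # audio only from the server we talked to
    return False

def run(policy, packets):
    """Return the allow (True) / deny (False) verdict for each packet in order."""
    state = set()
    return [policy(p, state) for p in packets]

# Constructed traffic: inside host 10.0.0.5 talks to server 192.0.2.10, then two
# unrelated outside hosts send unsolicited UDP and an inbound TCP connection attempt.
TRAFFIC = [
    Packet("tcp", "10.0.0.5", 40001, "192.0.2.10", 7070, inbound=False),
    Packet("tcp", "192.0.2.10", 7070, "10.0.0.5", 40001, inbound=True, ack=True),
    Packet("udp", "192.0.2.10", 30000, "10.0.0.5", 6980, inbound=True),
    Packet("udp", "198.51.100.7", 30000, "10.0.0.9", 7000, inbound=True),
    Packet("tcp", "203.0.113.4", 50000, "10.0.0.9", 7070, inbound=True),
]
```

Running `run(acl_only, TRAFFIC)` admits the fourth packet, the unsolicited UDP to an inside host that never opened a control session, while `run(stateful, TRAFFIC)` drops it; both reject the fifth, the inbound SYN-only attempt on 7070 that the ACK-bit rule is meant to stop.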