>>>>> "Chris" == Chris Carlson <carlson @
Chris> So, there is a
Chris> security risk in that you must open UDP ports for RealAudio to
Chris> transmit. And UDP ports are a common avenue of exploitation by
Chris> hackers, crackers, etc.
Chris> There's a few ways you can overcome this:
Chris> 1) Use RealAudio's TCP only service (but I heard it's not as
Certainly it isn't. (How could it be? TCP has serious overhead
compared to UDP. Further, the single feature of guaranteed packet
delivery can cause problems if you lose a couple of packets in a row,
or have to send one several times, since the rest of the data stream
will wait for that retrasmitted one to come in, then reassemble all of
the packets in the proper order. The end result is a pause in the
sound while all of this goes on.)
Chris> 2) Use RealAudio's proxy for firewalls
How does proxying UDP overcome the problem of opening yourself up to
UDP? You're still allowing UDP to come in. It doesn't matter whether
it's coming over proxy or not... The point is that it's coming in,
without being able to tell whether they're part of some sort of
"ongoing conversation" or whether some bonehead from Timbuktu is
trying something funny.
Chris> 3) Get a firewall that supports UDP-based RealAudio
...so that you can open yourself up to any incoming-UDP problems in a
more automated fashion?
Chris> Note that RealAudio is only one of many emerging multimedia
Chris> applications that use UDP and dynamically assigned channels to
Chris> transmit data. Other cool apps (but a pain for firewalls) are:
Chris> Vosaic, VDOLive, VXTreme, and even Microsoft's NetShow and
Chris> NetMeeting, and Netscape's CoolTalk.
This is going to continue to be the case, because of TCP's
inappropriate amount of overhead for streaming applications...
Chris> ** plug - plug **
The only really safe (how you define "safe" will depend on whom you
ask) way to deal with UDP is to do so in a stateful packet filtering
mechanism, whereby the packet filtering rules will be dynamically
changed to allow incoming UDP from outside hosts only if UDP packets
from an inside host has gone that way, and could be expecting a reply
Sounds like the firewall you're plugging has some kind of
functionality, but I'll remain skeptical (as I do with anyone's stuff)
until I have significant reason to prove otherwise. Of course, a
number of firewall products already offer this functionality...
Matt Curtin cmcurtin @
com Megasoft, Inc Chief Scientist
http://www.research.megasoft.com/people/cmcurtin/ I speak only for myself.
Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet