>>>>> "Chris" == Chris Carlson <carlson@cycon.com> writes:
Chris> So, there is a
Chris> security risk in that you must open UDP ports for RealAudio to
Chris> transmit. And UDP ports are a common avenue of exploitation by
Chris> hackers, crackers, etc.
Chris> There's a few ways you can overcome this:
Chris> 1) Use RealAudio's TCP only service (but I heard it's not as
Chris> good)
Certainly it isn't. (How could it be? TCP has serious overhead
compared to UDP. Further, the single feature of guaranteed packet
delivery can cause problems if you lose a couple of packets in a row,
or have to send one several times, since the rest of the data stream
will wait for that retransmitted one to come in, then reassemble all of
the packets in the proper order. The end result is a pause in the
sound while all of this goes on.)
Chris> 2) Use RealAudio's proxy for firewalls
How does proxying UDP overcome the problem of opening yourself up to
UDP? You're still allowing UDP to come in. It doesn't matter whether
it's coming over proxy or not... The point is that it's coming in,
without being able to tell whether they're part of some sort of
"ongoing conversation" or whether some bonehead from Timbuktu is
trying something funny.
Chris> 3) Get a firewall that supports UDP-based RealAudio
...so that you can open yourself up to any incoming-UDP problems in a
more automated fashion?
Chris> Note that RealAudio is only one of many emerging multimedia
Chris> applications that use UDP and dynamically assigned channels to
Chris> transmit data. Other cool apps (but a pain for firewalls) are:
Chris> Vosaic, VDOLive, VXTreme, and even Microsoft's NetShow and
Chris> NetMeeting, and Netscape's CoolTalk.
This is going to continue to be the case, because of TCP's
inappropriate amount of overhead for streaming applications...
Chris> ** plug - plug **
The only really safe (how you define "safe" will depend on whom you
ask) way to deal with UDP is to do so in a stateful packet filtering
mechanism, whereby the packet filtering rules will be dynamically
changed to allow incoming UDP from outside hosts only if UDP packets
from an inside host have gone that way, and could be expecting a reply
via UDP.
Sounds like the firewall you're plugging has some kind of
functionality, but I'll remain skeptical (as I do with anyone's stuff)
until I have significant reason to prove otherwise. Of course, a
number of firewall products already offer this functionality...
--
Matt Curtin  cmcurtin@research.megasoft.com  Megasoft, Inc  Chief Scientist
http://www.research.megasoft.com/people/cmcurtin/ I speak only for myself.
Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet
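The stateful UDP handling Matt describes above, as an added illustration that is not part of the original post or of any product mentioned in the thread: a toy packet filter that records each outbound UDP 4-tuple from an inside host and admits an inbound UDP datagram only when it is the exact reverse of a recently seen outbound one. Because UDP has no connection teardown, the table must also age entries out, which is the part most often forgotten. The inside prefix, the 30-second reply window, the class and function names, and all of the traffic are constructed for this example.

```python
"""Added example (not from the original post): a minimal stateful UDP packet
filter of the kind described in the reply. Inbound UDP from an outside host
is accepted only if an inside host recently sent UDP to that host/port pair,
i.e. a reply is plausibly expected. All packets below are constructed sample
data; StatefulUdpFilter, Packet and run are this example's own names."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

INSIDE_NET = "10.0.0."   # constructed: addresses with this prefix are "inside"
REPLY_WINDOW = 30.0      # assumption: seconds a UDP pseudo-connection stays open

FlowKey = Tuple[str, int, str, int]   # (inside_ip, inside_port, outside_ip, outside_port)


@dataclass(frozen=True)
class Packet:
    t: float      # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_NET)


class StatefulUdpFilter:
    """Tracks outbound UDP flows and admits only matching inbound replies."""

    def __init__(self, window: float = REPLY_WINDOW) -> None:
        self.window = window
        self.table: Dict[FlowKey, float] = {}   # flow -> time last seen

    def _expire(self, now: float) -> None:
        # UDP has no FIN/RST, so idle entries must age out or the table
        # grows without bound and stale holes stay open.
        dead = [k for k, seen in self.table.items() if now - seen > self.window]
        for k in dead:
            del self.table[k]

    def decide(self, p: Packet) -> str:
        self._expire(p.t)
        if is_inside(p.src) and not is_inside(p.dst):
            # Outbound: remember the flow so that its reply can get back in.
            self.table[(p.src, p.sport, p.dst, p.dport)] = p.t
            return "ALLOW"
        if not is_inside(p.src) and is_inside(p.dst):
            key = (p.dst, p.dport, p.src, p.sport)   # reverse of the outbound tuple
            if key in self.table:
                self.table[key] = p.t                 # stream still active: refresh
                return "ALLOW"
            return "DROP"                             # unsolicited UDP from outside
        return "DROP"   # anything else should not be crossing the firewall at all


def run(packets: List[Packet], window: float = REPLY_WINDOW) -> List[str]:
    """Feed packets through one filter instance and return the decisions."""
    f = StatefulUdpFilter(window)
    return [f.decide(p) for p in packets]


# Constructed traffic: an inside client talks to a streaming server on UDP.
SAMPLE_PACKETS = [
    Packet(0.0, "10.0.0.5", 7070, "203.0.113.9", 7070),      # inside -> server: opens flow
    Packet(0.2, "203.0.113.9", 7070, "10.0.0.5", 7070),      # server reply matches flow
    Packet(0.3, "198.51.100.77", 40000, "10.0.0.5", 7070),   # unrelated host, no flow
    Packet(0.4, "203.0.113.9", 7071, "10.0.0.5", 7070),      # same server, other src port
    Packet(45.0, "203.0.113.9", 7070, "10.0.0.5", 7070),     # reply after window expired
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, run(SAMPLE_PACKETS)):
        print(f"{p.t:5.1f}s {p.src}:{p.sport} -> {p.dst}:{p.dport}  {verdict}")
```

The fourth packet shows how strict a plain 4-tuple match is: a reply from the right server but a different source port is dropped, which is exactly why applications that pick ports dynamically, as the RealAudio-style ones listed in the thread do, need either a predictable reply tuple or an application-aware helper on the firewall. The last packet shows the window doing its job: once the inside host has been silent longer than the window, the hole closes again.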