Firewall Wizards mailing list archives

Re: Multicast Firewall


From: "Srinivasa Rao Addepalli" <srao () intotoinc com>
Date: Wed, 22 Oct 2003 16:09:57 -0700

To get some understanding of issues related to firewalls and multicast,
you can go through RFC 2588. This is an informational RFC and gives good
background.

Organizations require multicast packet inspection for integrity, similar to
the type of integrity checks that are done for unicast packets. It is required
that access control is provided on multicast packets. Unlike a unicast packet,
a multicast packet can be forwarded to multiple interfaces, i.e. multiple
destinations. In unicast packets, the intended destination's IP address is present
in the packet. In multicast packets, only the multicast group address is
present in the packet. Intended recipients are programmed/configured in the
multicast routing database. The multicast routing database is either created manually
or by IGMP Proxy, MROUTE, etc. Due to this, access control will have to
be different from that for unicast packets.

In the firewall world, the networks are divided into corporate network, DMZ network
and external network. Multicast access control can be based on this network.
You could have 'OUTBOUND' and 'INBOUND' multicast access control databases
on Corporate and DMZ. You may also want to have this access control database for
local applications.

Multicast access control policy can have similar filter attributes, i.e. source IP/subnet/range,
multicast IP address/range, IP protocol, source port/range, destination port/range in the case
of the UDP protocol. You could have actions such as 'Accept' or 'Deny'. In the case of outbound,
you may also want to have source NAT, if there are multicast sources in internal networks.
With these databases, multicast traffic from external to internal networks and from internal networks
to external networks can be controlled.

In summary:
    - You need access control on multicast packets.
    - You need to do packet integrity checks on multicast packets.

I hope it helps.
Srini

Intoto Inc. 
Enabling Security Infrastructure
3160, De La Cruz Blvd #100
Santa Clara, CA 95054
www.intotoinc.com
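As an added illustration of the policy structure Srini describes (not code from the message or from Intoto), the following Python sketch keeps an 'OUTBOUND' and 'INBOUND' rule database per zone, applies the unicast-style sanity checks before any lookup, and, because a multicast packet can leave on several interfaces, returns the subset of candidate egress zones the packet may be forwarded to. The zone names, the meaning of INBOUND/OUTBOUND (OUTBOUND on a zone governs packets sourced there, INBOUND governs packets delivered into it), first-match semantics and the sample policy are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

MCAST = ipaddress.ip_network("224.0.0.0/4")   # all IPv4 multicast group addresses
ANY_PORT = (0, 65535)

@dataclass
class Rule:
    """One filter entry with the attributes named in the message, plus an action."""
    src: str                    # source IP/subnet/range, e.g. "10.1.0.0/16"
    group: str                  # multicast group address/range, e.g. "239.1.1.0/24"
    proto: str = "any"          # "udp", "igmp", "pim" or "any"
    sport: tuple = ANY_PORT     # UDP source port range (inclusive)
    dport: tuple = ANY_PORT     # UDP destination port range (inclusive)
    action: str = "deny"        # "accept" or "deny"

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["group"]) in ipaddress.ip_network(self.group)
                and self.proto in ("any", pkt["proto"])
                and self.sport[0] <= pkt.get("sport", 0) <= self.sport[1]
                and self.dport[0] <= pkt.get("dport", 0) <= self.dport[1])

def integrity_ok(pkt):
    """Sanity checks that run before any policy lookup (assumed set of checks)."""
    src, group = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["group"])
    return (group in MCAST                 # destination really is a group address
            and not src.is_multicast       # a group address is never a valid source
            and not src.is_unspecified
            and pkt.get("ttl", 0) > 0)

def first_match(rules, pkt):
    """First matching rule decides; no match means deny (assumed default)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action == "accept"
    return False

def evaluate(policy, pkt, ingress, egress_zones):
    """policy maps (zone, 'OUTBOUND'|'INBOUND') -> [Rule]. The OUTBOUND database of
    the ingress zone is consulted once; the INBOUND database of every candidate
    egress zone (taken from the multicast routing database) is consulted per zone."""
    if not integrity_ok(pkt) or not first_match(policy.get((ingress, "OUTBOUND"), []), pkt):
        return set()
    return {z for z in egress_zones if first_match(policy.get((z, "INBOUND"), []), pkt)}

# Constructed sample policy: corporate may source a video group on UDP 5004 only;
# the DMZ accepts that group over UDP, external accepts any group from corporate.
POLICY = {
    ("corporate", "OUTBOUND"): [Rule("10.1.0.0/16", "239.1.1.0/24", "udp", dport=(5004, 5004), action="accept")],
    ("dmz", "INBOUND"): [Rule("10.1.0.0/16", "239.1.1.0/24", "udp", action="accept")],
    ("external", "INBOUND"): [Rule("10.1.0.0/16", "224.0.0.0/4", action="accept")],
}
```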
----- Original Message ----- 
From: "Ravi Kumar" <ravivsn () roc co in>
To: <firewall-wizards () honor icsalabs com>
Sent: Tuesday, October 21, 2003 10:15 PM
Subject: [fw-wiz] Multicast Firewall


Hi,
I work for a company which makes firewall+VPN appliances. Today, we have
a unicast firewall. I was asked to prepare specifications for a
multicast firewall. I tried to find out any standards or documents on the Internet
related to this, but I did not find any relevant information. Any advice on this is
appreciated. What type of capabilities are to be provided and what type of security is expected?
Thanks
Ravi




----------
<http://www.roc.co.in/>ROCs Ambassador product: iSecure
  iSecure is a comprehensive security appliance with stateful inspection
Firewall and IPSEC/IKE based VPN. The Firewall supports several ALGs, a
cyber-defense engine and a powerful session lookup engine. The VPN is based on
the latest IPSEC and IKE RFCs and supports preshared key and RSA/DSA
certificate authentication.
The views presented in this mail are completely mine. The company is not
responsible whatsoever.

----------
Ravi Kumar CH
Rendezvous On Chip (I) Pvt Ltd
Hyderabad, INDIA

<http://www.roc.co.in/>ROC HOME PAGE:
http://www.roc.co.in


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
