Streaming Media and Firewalls (General info)

03/26/2020 17 17193

DESCRIPTION:

Product: Intrusion Prevention Service (IPS)

What is streaming media?

Streaming media typically refers to Non-text files, such as sounds, animation and video that is played on your computer but not downloaded to it. The file is simultaneously "streamed" to the user watching or listening to it. The user needs a player to view or listen to the files - a media player that is compatible with the format of the file must decompress files.

RealMedia, QuickTime and Windows Media are the most common streaming formats. Streaming is more a property of the delivery system than the media itself. These protocols were specifically designed to stream media over the network. They are all built on top of UDP.

• The Real-time Transport Protocol (RTP)
• The Real Time Streaming Protocol (RTSP) on Port 554 (RTSP, allowing RealMedia G2 and QuickTime streaming). RTSP requests are based on HTTP requests. While HTTP is stateless, RTSP is a stateful protocol.
• The Real Time Control Protocol (RTCP)
• Microsoft Media Server (MMS) protocol on port 1755 (MMS, permitting Windows Media streaming). 

Media players normally stream via UDP/IP on a wide range of ports (see below for those port numbers) or stream with TCP/IP through a single port. For those sites where opening a non-"well-known port" is a problem, media players can also stream via HTTP on port 80. It is necessary to block all of the UDP and TCP ports corresponding to those port numbers. The number ranges in the documentation below indicate an entire range of available ports; typically, the actual number of ports allocated will be far less.

By default, Windows Media Player uses the following ports to connect:

• TCP 80, 554, 4040, 7070, 8080, 443 (SSL for sign-in), 1755 (MMS Windows Media requests)
• UDP 6970-32,000, 1755 (MMS Windows Media resend requests)
• HTTP 80 (AU, Messaging Service, and HTTP Cloaking)

Player configurations will override these defaults, if these ports are restricted by your firewall. 

Still, with all of the streaming-specific ports commonly restricted, streaming media software vendors have had to be creative to allow their content to pass through corporate firewalls. RealNetworks was the first to embed streaming traffic in HTTP requests, making it very difficult for firewalls to differentiate between streaming media and plain Web browsing. HTTP streaming delivery and generic Web browsing both use port 80, and both are compliant with the same HTTP specification, so filtering only one becomes a challenge. Because many media streams fail over to Port 80 when other ports and protocols are blocked, it could be difficult to manage this through technical means.

Without strict workstation and network configuration management, clever users can work around any technical solution. Publish an acceptable use policy, declare your intent to enforce it, and then follow through. (Excerpt from Blocking some streaming media but not others - Network World).

Recommended Solutions:

1. Block the streaming media ports or known IP addresses using firewall access rules. (Example: LAN to WAN on the Firewall > Access Rules page in SonicOS Enhanced firmware).
2. Use Intrusion Prevention Service (IPS) to block Streaming media. You may view a list of IPS Multimedia signatures.
   Note: SonicWall IPS has categorized Multimedia under Low priority attacks; ensure that you have enabled the Prevent All and Detect All feature under IPS global settings.

Reference:

• Streaming media - Wikipedia, the free encyclopedia
• Firewall Information for Windows Media Services 9 Series – From Microsoft.com