
Firewall Primer: Let The Streams Flow

The digital equivalent of the night watchman – the firewall – protects networks from unwanted traffic, prying eyes and malicious hackers. But firewalls can pose some special problems when streaming media is brought into the equation. Here's a primer on firewall technology, its interaction with streaming media, and how you can set your corporate or personal firewall to allow access to streaming media.


The Great Wall

A firewall -- usually a dedicated hardware appliance or software application running on a computer -- is planted between the Internet and the devices it will protect. The firewall has one foot on either side and can listen to all traffic entering or exiting the network. How the firewall treats the traffic depends on the specific firewall technology and its configuration. The firewall market can be split into two camps, based on features: solutions aimed at enterprises and those designed for individuals.

In the former category, corporations and service providers like Intel, Digital Island, Compaq, and Ford deploy specialized, single-purpose firewall devices like those from Cisco Systems (www.cisco.com) and SonicWall (www.sonicwall.com). The primary goal of these solutions is to protect computers and their contents from crackers trying to obtain unauthorized access. Corporations also try to mitigate the effects of large-scale denial-of-service attacks, in which a torrent of traffic is directed at a single point in the network with the aim of saturating it until it can no longer function.

For each packet, the firewall examines the header fields: the transport protocol and port numbers, from which it infers the traffic type (Web, FTP, RTSP streaming, MMS streaming, and so on), the source and destination IP addresses, and, on a stateful firewall, whether the packet belongs to a connection it has already seen or is starting a new one. Newer firewalls also inspect the packet payload, which lets them block specific streaming clips by URL, for instance.

To tell a firewall what traffic it should allow and what it should reject, the administrator writes an ordered list of rules. For example, one rule could allow only Web traffic to pass, a second could allow connections from an employee's home DSL line, and a third could reject everything else. The firewall checks the rules in sequence and applies the first one that matches, so order matters: a broad deny placed above a narrower allow silently shadows it. More specific rules can be written, such as allowing FTP traffic only from the source address 192.168.1.4 to the destination address 10.3.1.2.


What Does It Mean for Streaming?

Peeking behind the scenes of a typical streaming service provider, one would find a firewall device in each server farm configured to examine the traffic entering from the Internet. It would accept connections for a select number of services, like HTTP (Web traffic), RTSP (RealMedia and QuickTime streaming protocol), MMS (Windows Media), and PNM (RealMedia legacy protocol). One final catchall rule would deny connections for everything else.

In corporate office environments, it's standard for all incoming connections to be rejected so that employees can't run server software on their desktop machines. It's also quite normal to have restrictions on outgoing traffic, limiting what services users are allowed to use. Often, that includes streaming content.

However, companies that wish to give employees access to streaming can open outbound TCP ports 554 (RTSP, allowing RealMedia G2 and QuickTime streaming), 1755 (MMS, permitting Windows Media streaming), and 7070 (PNM, permitting Real's legacy pre-version 5.0 streams). Note that these are the control or connection ports; by default the media itself is sent back to the player over UDP on ports negotiated during session setup, so the firewall must also admit that return traffic, typically by tracking the session statefully. Other companies choose to block all UDP (User Datagram Protocol) traffic, relegating streaming to its less flexible cousin, TCP (Transmission Control Protocol), whose retransmissions and in-order delivery cause the player to stall when packets are lost, where UDP would simply drop a frame and move on.
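The first-match rule evaluation described under The Great Wall and the streaming egress policy just above can both be traced with a small filter model. The following is an added example written for this primer, not code from the article or from any firewall vendor; the rule set, the 192.168.1.0/24 office network, the 203.0.113.10 streaming server and the traffic are all constructed. It shows the RTSP control channel passing on TCP 554, the server's UDP media being dropped by the "block all UDP" rule, the one-host FTP rule, and what happens when the catch-all deny is placed first.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Added example: a minimal first-match packet filter of the kind the article
# describes. Rules, addresses and packets below are constructed for
# illustration and are not taken from any vendor's product.


@dataclass
class Packet:
    proto: str                  # "tcp" or "udp"
    src: str                    # source IP address
    dst: str                    # destination IP address
    dport: int                  # destination port
    established: bool = False   # True if a stateful firewall already knows this connection


@dataclass
class Rule:
    action: str                         # "allow" or "deny"
    proto: str = "any"                  # "tcp", "udp" or "any"
    src: str = "0.0.0.0/0"              # source network, CIDR
    dst: str = "0.0.0.0/0"              # destination network, CIDR
    dport: Optional[int] = None         # None matches any port
    established: Optional[bool] = None  # None: connection state is not checked
    name: str = ""

    def matches(self, p: Packet) -> bool:
        return (
            self.proto in ("any", p.proto)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (self.dport is None or self.dport == p.dport)
            and (self.established is None or self.established == p.established)
        )


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Walk the rules in order; the first match decides. Real firewalls carry an
    implicit default policy after the last rule; here it is made explicit."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.name
    return "deny", "implicit-default"


INTERNAL = "192.168.1.0/24"   # constructed corporate LAN
SERVER = "203.0.113.10"       # constructed streaming server (documentation range)

# Egress policy from the article: Web and the three streaming control ports out
# over TCP, replies to connections the office opened back in, one FTP host pair,
# all UDP blocked, everything else denied.
CORPORATE = [
    Rule("allow", "tcp", src=INTERNAL, dport=80, name="web out"),
    Rule("allow", "tcp", src=INTERNAL, dport=554, name="rtsp out"),
    Rule("allow", "tcp", src=INTERNAL, dport=1755, name="mms out"),
    Rule("allow", "tcp", src=INTERNAL, dport=7070, name="pnm out"),
    Rule("allow", "tcp", dst=INTERNAL, established=True, name="tcp replies in"),
    Rule("allow", "tcp", src="192.168.1.4/32", dst="10.3.1.2/32", dport=21, name="ftp one pair"),
    Rule("deny", "udp", name="no udp"),
    Rule("deny", name="catch-all"),
]


def run_scenario() -> dict:
    """Trace one RTSP session and two FTP attempts through the policy."""
    rtsp_setup = Packet("tcp", "192.168.1.4", SERVER, 554)          # player opens control channel
    rtsp_reply = Packet("tcp", SERVER, "192.168.1.4", 40000, True)  # server answers on that connection
    udp_media = Packet("udp", SERVER, "192.168.1.4", 6970)          # server pushes media over UDP
    ftp_ok = Packet("tcp", "192.168.1.4", "10.3.1.2", 21)
    ftp_other = Packet("tcp", "192.168.1.5", "10.3.1.2", 21)
    results = {
        "rtsp_setup": evaluate(CORPORATE, rtsp_setup),
        "rtsp_reply": evaluate(CORPORATE, rtsp_reply),
        "udp_media": evaluate(CORPORATE, udp_media),
        "ftp_ok": evaluate(CORPORATE, ftp_ok),
        "ftp_other": evaluate(CORPORATE, ftp_other),
    }
    # Order matters: move the catch-all to the top and it shadows every allow.
    shadowed = [CORPORATE[-1]] + CORPORATE[:-1]
    results["rtsp_setup_shadowed"] = evaluate(shadowed, rtsp_setup)
    return results


if __name__ == "__main__":
    for name, (action, rule) in run_scenario().items():
        print(f"{name:22s} -> {action:5s} ({rule})")
```

The UDP media packet is dropped even though the player opened the session: the "no udp" rule has no notion of the RTSP session, which is exactly why players on such networks fall back to TCP delivery. A stateful firewall that parsed the RTSP SETUP exchange could admit just the negotiated return ports instead.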

Still, with the streaming-specific ports so commonly restricted, streaming media software vendors have had to be creative to get their content through corporate firewalls. RealNetworks was the first to embed streaming traffic in HTTP requests, making it very difficult for firewalls to tell streaming media from plain Web browsing. HTTP streaming delivery and ordinary Web browsing both use port 80 and both follow the same HTTP specification, so a filter that looks only at ports and addresses cannot block one without blocking the other; only a proxy or content-inspecting firewall that examines URLs, MIME types or payloads can separate them, and even that can be sidestepped by serving clips under innocuous names and generic content types. Microsoft implemented HTTP streaming in Windows Media soon after, and Apple released QuickTime 4.1 this year with embedded HTTP support.
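To make the port-versus-content distinction concrete, here is an added example (not code from the article, RealNetworks, Microsoft or Apple) that runs three constructed HTTP exchanges past a port-only check, a URL-extension check, a Content-Type check and a payload-signature check. The host names, requests and responses are made up; the extension and MIME lists are a small hand-picked set of types commonly used for these formats, not an exhaustive table.

```python
import re
from typing import Dict, Tuple

# Added example: why port filtering cannot separate HTTP-tunnelled streaming
# from browsing, and what deeper inspection can key on. All traffic below is
# constructed; the extension/MIME tables are illustrative, not exhaustive.

STREAM_EXTENSIONS = {".rm", ".ra", ".ram", ".asf", ".asx", ".wmv", ".wma", ".mov"}
STREAM_MIME = {
    "audio/x-pn-realaudio", "application/vnd.rn-realmedia",   # RealMedia
    "video/x-ms-asf", "video/x-ms-wmv", "audio/x-ms-wma",      # Windows Media
    "video/quicktime",                                         # QuickTime
}


def port_filter(dport: int) -> str:
    """The port-only view: anything to port 80 is 'web' and is allowed."""
    return "allow" if dport == 80 else "deny"


def parse_http(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP message into start line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify_request(raw: bytes) -> str:
    """URL inspection: flag requests whose path ends in a streaming extension."""
    start, _, _ = parse_http(raw)
    _, target, _ = start.split(" ", 2)
    path = target.split("?", 1)[0].lower()
    m = re.search(r"\.[a-z0-9]+$", path)
    return "streaming" if m and m.group(0) in STREAM_EXTENSIONS else "web"


def classify_response(raw: bytes) -> str:
    """Header inspection: flag responses carrying a streaming Content-Type."""
    _, headers, _ = parse_http(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return "streaming" if ctype in STREAM_MIME else "web"


def classify_body(raw: bytes) -> str:
    """Payload inspection: RealMedia containers begin with the signature '.RMF';
    other formats would each need their own signature."""
    _, _, body = parse_http(raw)
    return "streaming" if body.startswith(b".RMF") else "web"


# Constructed exchanges: an ordinary page, a clearly labelled clip, and the
# same clip served under an innocuous URL with a generic content type.
PAGE_REQ = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
PAGE_RESP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\n<p>hi"
CLIP_REQ = b"GET /news/clip.rm HTTP/1.1\r\nHost: stream.example.com\r\n\r\n"
CLIP_RESP = b"HTTP/1.1 200 OK\r\nContent-Type: application/vnd.rn-realmedia\r\n\r\n.RMF\x00\x00"
DISGUISED_REQ = b"GET /cgi-bin/play?id=42 HTTP/1.1\r\nHost: stream.example.com\r\n\r\n"
DISGUISED_RESP = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n.RMF\x00\x00"


def compare() -> Dict[str, Dict[str, str]]:
    """Run each exchange past every filter view."""
    exchanges = {
        "page": (PAGE_REQ, PAGE_RESP),
        "clip": (CLIP_REQ, CLIP_RESP),
        "disguised": (DISGUISED_REQ, DISGUISED_RESP),
    }
    return {
        name: {
            "port": port_filter(80),
            "url": classify_request(req),
            "mime": classify_response(resp),
            "body": classify_body(resp),
        }
        for name, (req, resp) in exchanges.items()
    }


if __name__ == "__main__":
    for name, views in compare().items():
        print(name, views)
```

The port view allows all three. URL and MIME inspection catch the labelled clip but miss the disguised one; only looking into the payload itself catches it, and a live stream that is chunked or encoded differently would need yet more work, which is the practical reason the article calls this filtering "almost impossible".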


Individualism

Following in the footsteps of enterprise firewalls, personal firewall software solutions have sprung up recently. Norton Internet Security (www.symantec.com), BlackICE (www.networkice.com), and Zone Alarm (www.zonelabs.com) are designed for individual users on DSL, cable modem, and dial-up connections. They offer out-of-the-box presets to filter denial-of-service attacks that could otherwise crash the computer.

While useful for system protection and casual security monitoring, these programs' monitors can occasionally be tripped by the UDP traffic used for streaming delivery. The player opens its control connection outbound over TCP, and the server then sends the media back as a burst of inbound UDP packets to ports negotiated in that session. A personal firewall that does not tie those packets to the session sees unsolicited inbound UDP and logs it as an attempted UDP fragmentation attack, a port scan, or some other potential security issue, when in fact a harmless streaming clip is being played. When using such software, treat reports of UDP traffic that arrive while a clip is playing with some scepticism, but do check that the logged source address is the streaming server you connected to and that the ports are the ones your player uses; inbound UDP from anywhere else deserves a closer look.
