Multimedia applications (such as RealAudio, VoIP telephony, video streaming, etc.) have always been an issue when passing through a network firewall. These kinds of applications behave in unique ways:
- They use dynamic ports.
- They transmit requests using TCP and get responses over UDP or TCP.
- They use the same port for source and destination.
- For each multimedia request, the multimedia server might send numerous streams of data in reply.
All of the above amount to “unacceptable” traffic behavior for a network firewall, so multimedia traffic needs special treatment in order to be permitted through the firewall.
The diagram above shows the behavior of multimedia traffic through a network firewall. The multimedia client sends a TCP or UDP request to the multimedia server, which replies using a range of ports in the reply packets. For the reply packets to pass through the firewall, a range of ports needs to be opened, which creates a security risk.
For example, the RealAudio protocol sends the originating request to TCP port 7070, and the RealAudio server replies with multiple UDP streams anywhere from UDP port 6970 up to 7170 on the client.
Another example is the Cisco IP Phone. It sends the SCCP message to the call manager on TCP port 2000. SCCP uses Real-Time Transport Protocol (RTP) and RTP Control Protocol (RTCP) for media transmissions. The UDP media ports are randomly selected by the IP Phone.
To accommodate multimedia traffic without permanently opening several ports on the firewall, the big firewall vendors (Cisco, Checkpoint, Netscreen, etc.) have implemented dynamic inspection of known multimedia traffic, so that the security appliance can dynamically open and close UDP ports for secure multimedia communication. For example, the firewall is able to sense that the traffic passing through is multimedia traffic, so it dynamically opens the required inbound ports (from the server to the client) for the communication to pass. After the multimedia communication is finished, the firewall dynamically closes all the ports that were opened at the beginning.
For example, the Cisco Firewall can inspect and work dynamically on several multimedia applications such as Cisco IP/TV, Cisco IP Phones, Apple QuickTime 4, RealNetworks (RealAudio, RealPlayer, RealServer), SIP, H.323, etc.
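The difference between a static port-range rule and dynamic inspection can be shown with a small model, added here as an illustration and not taken from any vendor's implementation. The control-message strings (`SETUP client_port=...`, `TEARDOWN`), the IP addresses and all class and function names are constructed assumptions; only TCP port 7070 and the UDP range 6970-7170 come from the RealAudio example above.

```python
# Added illustration: toy model; message strings are constructed, not the real wire format.
CONTROL_PORT = 7070                     # RealAudio control channel (TCP), from the text
MEDIA_RANGE = range(6970, 7171)         # UDP 6970-7170 on the client, from the text


def static_rule_allows(src_ip, dst_ip, dst_port):
    """Static ACL: any source may reach any client port in the media range."""
    return dst_port in MEDIA_RANGE


class InspectingFirewall:
    """Tracks control sessions and opens one UDP pinhole per negotiated stream."""

    def __init__(self):
        self.pinholes = {}              # (client, server) -> set of open UDP ports

    def on_control(self, client, server, dport, msg):
        if dport != CONTROL_PORT:
            return
        if msg.startswith("SETUP client_port="):
            port = int(msg.split("=", 1)[1])
            if port in MEDIA_RANGE:     # ignore ports outside the expected range
                self.pinholes.setdefault((client, server), set()).add(port)
        elif msg == "TEARDOWN":
            self.pinholes.pop((client, server), None)  # session over: close all

    def allows_udp(self, src_ip, dst_ip, dst_port):
        """Inbound UDP passes only from the session's server to an open port."""
        return dst_port in self.pinholes.get((dst_ip, src_ip), set())


def demo():
    fw = InspectingFirewall()
    client, server, other = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    fw.on_control(client, server, 7070, "SETUP client_port=6972")
    results = {
        "static_other_host": static_rule_allows(other, client, 7100),
        "dyn_server_stream": fw.allows_udp(server, client, 6972),
        "dyn_server_other_port": fw.allows_udp(server, client, 7100),
        "dyn_other_host": fw.allows_udp(other, client, 6972),
    }
    fw.on_control(client, server, 7070, "TEARDOWN")
    results["dyn_after_teardown"] = fw.allows_udp(server, client, 6972)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The static rule admits an unrelated host on any of the 201 ports, while the inspected session admits only the negotiated port from the session's server and nothing once the control channel is torn down.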