
Firewall Primer: Keeping Streams Flowing

The digital equivalent of the night watchman, the firewall protects networks from unwanted traffic, prying eyes and malicious hackers. But firewalls can pose some special problems when streaming media is brought into the equation. Below is a primer on firewall technology, how it interacts with streaming media, and how you can configure your corporate or personal firewall to allow access to streaming media.


The Great Wall

A firewall -- usually a dedicated hardware appliance or software application running on a computer -- is planted between the Internet and the devices it will protect. The firewall has one foot on either side and can listen to all traffic entering or exiting the network. How the firewall treats the traffic depends on the specific firewall technology and its configuration. The firewall market can be split into two camps, based on features: solutions aimed at enterprises and those designed for individuals.

In the former category, corporations and service providers such as Intel, Digital Island, Compaq and Ford have implemented dedicated, single-purpose firewall devices like those from Cisco Systems (www.cisco.com) and SonicWall (www.sonicwall.com). The primary goal of these solutions is to protect computers and their contents from crackers trying to obtain unauthorized access. Corporations also try to mitigate the effects of large-scale denial-of-service attacks, in which a torrent of traffic is directed at a single point in the network in order to saturate it beyond function.

For each data packet, the firewall evaluates everything in the header: the traffic type (Web, FTP, RTSP streaming, MMS streaming, and so on), the source IP address, the destination IP address, and the type of connection (existing or new). Newer firewalls also inspect the content of the packet, in order to block specific streaming clips based on their URL, for example.

To tell a firewall what kind of traffic it should allow and what it should reject, administrators create rules. For example, one rule could allow only Web traffic to pass, another could allow connections from an employee's home DSL line, and a third could deny everything else. The firewall checks each rule in sequence and accepts or rejects the traffic based on the first match. More complex rule sets can be created, such as allowing FTP traffic to pass only from address 192.168.1.4 to 10.3.1.2.


What Does This Mean for Streaming?

Peeking behind the scenes of a typical streaming service provider, one would find a firewall device in each server farm configured to examine the traffic entering from the Internet. It would accept connections for a select number of services, such as HTTP (Web traffic), RTSP (the RealMedia and QuickTime streaming protocol), MMS (Windows Media), and PNM (the legacy RealMedia protocol). One final catchall rule would deny connections for everything else.

In a corporate office environment, it's standard for all incoming connections to be rejected so that employees can't run server software on their desktop machines. It's also quite normal to have restrictions on outgoing traffic, limiting what services users are allowed to use. This often includes streaming media content.

However, companies that wish to allow employees access to streaming can leave open ports 554 (RTSP, allowing RealMedia G2 and QuickTime streaming), 1755 (MMS, allowing Windows Media streaming), and 7070 (PNM, allowing legacy RealMedia 5.0 streaming). Other companies choose to firewall all UDP (User Datagram Protocol) traffic, relegating streaming to its less flexible cousin, TCP (Transmission Control Protocol).
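The first-match rule evaluation described earlier, applied to the two rule sets the article sketches (the streaming server farm's accept list with a catch-all deny, and a corporate filter with the 192.168.1.4 to 10.3.1.2 FTP rule), as an added example that is not from the article or any firewall vendor; the rule and packet dictionaries, the "state" field and the TCP-only port rules are constructed assumptions.

```python
import ipaddress

# Added example (not from the article): a minimal first-match packet filter.
# A rule is a dict of field -> required value; fields left out are wildcards.
# "src" and "dst" are CIDR networks; every other field must compare equal.
NET_FIELDS = ("src", "dst")

def matches(rule, pkt):
    """True if every field set on the rule (other than 'action') matches pkt."""
    for field, wanted in rule.items():
        if field == "action":
            continue
        if field in NET_FIELDS:
            if ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(wanted):
                return False
        elif pkt.get(field) != wanted:
            return False
    return True

def evaluate(rules, pkt):
    """Walk the rules in order; the first match decides. Deny if none match."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "deny"

def packet(proto, src, dst, dport, state="new"):
    """Constructed header summary holding only the fields the filter inspects."""
    return {"proto": proto, "src": src, "dst": dst, "dport": dport, "state": state}

# Constructed rule set for the streaming server farm the article describes:
# accept HTTP, RTSP, MMS and PNM over TCP, then a final catch-all deny.
# Order matters: put the deny first and it would match every packet.
STREAMING_FARM = [
    {"action": "allow", "proto": "tcp", "dport": 80},    # HTTP (incl. HTTP streaming)
    {"action": "allow", "proto": "tcp", "dport": 554},   # RTSP (RealMedia G2, QuickTime)
    {"action": "allow", "proto": "tcp", "dport": 1755},  # MMS (Windows Media)
    {"action": "allow", "proto": "tcp", "dport": 7070},  # PNM (legacy RealMedia 5.0)
    {"action": "deny"},                                  # catch-all
]

# Constructed corporate rule set: existing connections pass, FTP is permitted
# only from 192.168.1.4 to 10.3.1.2 (the article's example), and everything
# else, streaming included, is rejected.
CORPORATE = [
    {"action": "allow", "state": "existing"},
    {"action": "allow", "proto": "tcp", "dport": 21,
     "src": "192.168.1.4/32", "dst": "10.3.1.2/32"},
    {"action": "deny"},
]
```

Evaluating the same RTSP packet against `STREAMING_FARM` returns "allow" while `CORPORATE` returns "deny"; moving the catch-all to the front of `STREAMING_FARM` makes it deny everything, which is the ordering pitfall the first-match rule implies.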

Still, with all of the streaming-specific ports commonly restricted, streaming media software vendors have had to be creative to allow their content to pass through corporate firewalls. RealNetworks was the first to embed streaming traffic in HTTP requests, making it very difficult for firewalls to differentiate between streaming media and plain Web browsing. HTTP streaming delivery and generic Web browsing both use port 80, and both comply with the same HTTP specification, so filtering only one of them is nearly impossible. Microsoft implemented HTTP streaming in Windows Media soon after, and Apple released QuickTime 4 with built-in HTTP support.


Personal Firewalls

Following in the footsteps of enterprise firewalls, personal firewall software solutions have sprung up recently. Norton Internet Security (www.symantec.com), BlackICE (www.networkice.com) and ZoneAlarm (www.zonelabs.com) are designed for individual users on DSL, cable modem, and dial-up connections. They offer out-of-the-box presets to filter denial-of-service attacks that could otherwise crash the computer.

While useful for system protection and casual security monitoring, these programs' monitors can occasionally be tripped by the UDP traffic used for streaming delivery. The firewall software logs packets as attempted UDP fragmentation attacks, port scans, or other potential security problems, when in fact a harmless streaming clip is being played. When using such software, simply be cautious about taking firewall reports of UDP traffic too seriously while playing streaming media.
