Participating Frequently
September 12, 2011
Question

Firewall rules to secure live stream

  • 1 reply
  • 4869 views

Hello, I have recently been dealing with a problem where outsiders have been able to hijack our Windows 2003 server based Flash Media Server 4 default livestream access point and bounce pirated television content over it. Currently I am running this on a campus network and thought I had it locked down so that all incoming port 1935 requests must originate from campus and outgoing streams are served everywhere. This is sort of working, but it is also stopping legitimate traffic from streaming video to off-campus visitors. If anyone can shed light on how to set up my firewall rules that would be great, as I am stumped. Here is the list of how I've set up the rules (not using our real IPs for protection):

Campus is a class B network, everything is based off of 123.123.X.X

Server sits on 123.123.1.2

Port/rulename    Rule                 Local Port   Local IP   Remote IP      Remote Port
Port 80          Allow TCP/UDP        80           ANY        ANY            ANY
Streaming out    Allow TCP/UDP OUT    1935         ANY        ANY            ANY           <--this rule is supposed to allow all 1935 traffic out
Streaming in     Allow TCP/UDP IN     1935         ANY        123.123.*.*    ANY           <--this rule is supposed to restrict who sends signal inward to campus range only

If there is a better way I would love to know. I've tried swf verify but that's easy to circumvent, nor can I get the allowhttpdomains options to work properly, as it wants real names and not IP numbers.

    This topic has been closed for replies.

    1 reply

    calmchessplayer
    Inspiring
    September 12, 2011

    Well, create an authentication system on both the server side and the client side. If they decompile the client and find out your secrets, then you have the server-side code secrets to fall back on; just make it so that if they don't have your client-side and server-side script then they are out of luck. If they are using a man-in-the-middle attack and consuming your network traffic and then somehow replaying it, you could use Influxis to host your FMS application; they are fairly secure, dare I say are secure? Maybe doing that will help you protect your content. Another thing you might want to do is see if your content can be consumed by programs such as streamtransport. I always encrypt my .swf and make it difficult for somebody to either decompile or rebuild my .swf by making it complex with the necessary "security features".

    okoriothAuthor
    Participating Frequently
    September 12, 2011

    We're using JW player for our stuff... it's a simple setup, frankly. Using an outside vendor/host is not possible at this point. All I want is to restrict traffic via the network level, as there is no means via FMS at this point unless I am missing something.

    calmchessplayer
    Inspiring
    September 12, 2011

    There is no way to block it or protect it if you actually want people to be able to connect. If I even want the IP to your server I can easily get it. Your problem is to figure out exactly how they are consuming/replaying/using your stream; only then will you be able to take steps to protect against it. You may even have to write a program in C++ or some other language that can access the server/router/network hardware. I doubt you can buy anything since you are very vague on exactly how the malicious users are "stealing" your stream. Does your FMS server have a virus? What antivirus are you running? How did you detect the theft of your stream?
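
The rule table from the question, modelled as an added example (not part of any post in this thread) to show which connections it admits. It assumes unmatched traffic is dropped and that rules are checked against the packet that opens a connection; the client addresses are constructed samples.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
CAMPUS = ipaddress.ip_network("123.123.0.0/16")  # the post's 123.123.*.* placeholder


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str  # "in", "out" or "any"
    local_port: int
    remote_net: ipaddress.IPv4Network


# The three allow rules as listed in the question.
RULES = [
    Rule("Port 80", "any", 80, ANY),
    Rule("Streaming out", "out", 1935, ANY),
    Rule("Streaming in", "in", 1935, CAMPUS),
]


def evaluate(direction, local_port, remote_ip):
    """Return the first matching allow rule's name, or None (assumed default deny)."""
    addr = ipaddress.ip_address(remote_ip)
    for rule in RULES:
        if (rule.direction in ("any", direction)
                and rule.local_port == local_port
                and addr in rule.remote_net):
            return rule.name
    return None


# Constructed connections. Every RTMP client, whether it plays or publishes,
# opens a TCP connection to the server's port 1935, so all of these are "in".
SAMPLES = [
    ("campus encoder publishing", "in", 1935, "123.123.40.7"),
    ("campus viewer playing", "in", 1935, "123.123.88.12"),
    ("off-campus viewer playing", "in", 1935, "198.51.100.20"),
    ("off-campus publisher", "in", 1935, "203.0.113.9"),
    ("off-campus web page fetch", "in", 80, "198.51.100.20"),
]


def report():
    return {label: evaluate(d, port, ip) for label, d, port, ip in SAMPLES}


if __name__ == "__main__":
    for label, verdict in report().items():
        print(f"{label:28} -> {verdict or 'DROPPED'}")
```

The off-campus viewer and the off-campus publisher get the same verdict because both are inbound TCP connections to port 1935, which is all these rules can see. That is why the campus-only "Streaming in" rule also drops off-campus playback.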