Firewall rules to secure live stream

New Here, Sep 12, 2011

Hello, I have recently been dealing with a problem where outsiders have been able to hijack our Windows 2003 server-based Flash Media Server 4 default livestream access point and bounce pirated television content over it. I am currently running this on a campus network and thought I had it locked down so that all incoming port 1935 requests must originate from campus, while outgoing streams are served everywhere. This is sort of working, but it is also stopping legitimate traffic from streaming video to off-campus visitors. If anyone can shed light on how to set up my firewall rules, that would be great, as I am stumped. Here is how I've set up the rules (not using our real IPs, for protection):

Campus is a class B network; everything is based off 123.123.X.X

Server sits on 123.123.1.2

Rule name       Rule                Local port   Local IP   Remote IP      Remote port
Port 80         Allow TCP/UDP       80           ANY        ANY            ANY
Streaming out   Allow TCP/UDP OUT   1935         ANY        ANY            ANY           <-- this rule is supposed to allow all 1935 traffic out
Streaming in    Allow TCP/UDP IN    1935         ANY        123.123.*.*    ANY           <-- this rule is supposed to restrict who sends signal inward to the campus range only

If there is a better way, I would love to know. I've tried SWF verification, but that's easy to circumvent, nor can I get the allowhttpdomains option to work properly, as it wants real names and not IP numbers.
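Why the three rules above block off-campus viewers along with the hijackers, as an added example (this is not code from the post or from Adobe): the model below evaluates the poster's rule set against the flows an RTMP server really sees. Every RTMP client, whether it publishes (FMLE/Wirecast) or plays (JW Player), opens the TCP connection to the server on 1935, so all of them are inbound from the host firewall's point of view; the stream bytes then travel back over that same connection. The addresses are constructed: the thread's fictitious 123.123.0.0/16 campus block plus RFC 5737 documentation ranges.

```javascript
// Added example, not from the original thread. Models the poster's firewall rules
// and checks each kind of inbound RTMP connection against them.

function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, octet) {
    return acc * 256 + Number(octet);
  }, 0);
}

// "ANY" matches everything; otherwise an IPv4 CIDR prefix match.
function inCidr(ip, cidr) {
  if (cidr === "ANY") return true;
  var parts = cidr.split("/");
  var bits = parts.length > 1 ? Number(parts[1]) : 32;
  var mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(parts[0]) & mask) >>> 0);
}

// The rules exactly as listed in the post (123.123.*.* written as a /16).
var posterRules = [
  { name: "Port 80",       direction: "in",  port: 80,   remote: "ANY" },
  { name: "Streaming out", direction: "out", port: 1935, remote: "ANY" },
  { name: "Streaming in",  direction: "in",  port: 1935, remote: "123.123.0.0/16" }
];

// The only rule set that lets off-campus viewers play: 1935 inbound from anywhere.
var openRules = [
  { name: "Port 80", direction: "in", port: 80,   remote: "ANY" },
  { name: "RTMP in", direction: "in", port: 1935, remote: "ANY" }
];

// First matching allow rule wins; anything unmatched is dropped (default deny).
function evaluate(rules, flow) {
  for (var i = 0; i < rules.length; i++) {
    var r = rules[i];
    if (r.direction === flow.direction && r.port === flow.localPort &&
        inCidr(flow.remoteIp, r.remote)) {
      return { action: "allow", rule: r.name };
    }
  }
  return { action: "deny", rule: null };
}

// What the server actually sees: three *inbound* connection attempts on 1935.
// Note that the "Streaming out" rule never fires: the server does not originate
// connections to viewers, and a stateful firewall already lets reply traffic
// ride back over the viewer's own inbound connection. (Constructed addresses.)
var flows = [
  { who: "campus encoder publishing", direction: "in", localPort: 1935, remoteIp: "123.123.5.7" },
  { who: "off-campus viewer playing", direction: "in", localPort: 1935, remoteIp: "198.51.100.20" },
  { who: "foreign encoder hijacking", direction: "in", localPort: 1935, remoteIp: "203.0.113.9" }
];

// Returns { who: "allow" | "deny" } for every flow under the given rule set.
function evaluateAll(rules) {
  var out = {};
  flows.forEach(function (f) { out[f.who] = evaluate(rules, f).action; });
  return out;
}

function report(label, rules) {
  console.log(label);
  var d = evaluateAll(rules);
  Object.keys(d).forEach(function (who) { console.log("  " + who + ": " + d[who]); });
}

report("poster's rules (1935 inbound restricted to campus):", posterRules);
report("open rules (1935 inbound from anywhere):", openRules);
```

Under the poster's rules the viewer and the hijacker get the same verdict (denied); under the open rules they again get the same verdict (allowed). Whether a connection will send `play` or `publish` is only known after the RTMP handshake, so a packet filter keyed on address, port and direction cannot separate the two roles; only the application (or something that understands RTMP) can.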

Enthusiast, Sep 12, 2011

Well, create an authentication system on both the server side and the client side. If they decompile the client and find out your secrets, then you have the server-side code secrets to fall back on; just make it so that if they don't have your client-side and server-side script, they are out of luck. If they are using a man-in-the-middle attack, consuming your network traffic and then somehow replaying it, you could use Influxis to host your FMS application; they are fairly secure, dare I say secure? Maybe doing that will help you protect your content. Another thing you might want to do is see if your content can be consumed by programs such as StreamTransport. I always encrypt my .swf and make it difficult for somebody to either decompile or rebuild my .swf by making it complex with the necessary "security features".

New Here, Sep 12, 2011

We're using JW Player for our stuff; it's a simple setup, frankly. Using an outside vendor/host is not possible at this point. All I want is to restrict traffic at the network level, as there is no means via FMS at this point, unless I am missing something.

Enthusiast, Sep 12, 2011

There is no way to block it or protect it if you actually want people to be able to connect. If I even want the IP of your server, I can easily get it. Your problem is to figure out exactly how they are consuming/replaying/using your stream; only then will you be able to take steps to protect against it. You may even have to write a program in C++ or some other language that can access the server/router/network hardware. I doubt you can buy anything, since you are very vague on exactly how the malicious users are "stealing" your stream. Does your FMS server have a virus? What antivirus are you running? How did you detect the theft of your stream?

New Here, Sep 13, 2011

What is happening is that they are just pointing their encoders at the default rtmp://serveraddress:1935/livestream from somewhere out of the country, so I am getting hundreds of connections via a pirate web site where people can watch live television signals (obviously pirated). Naturally, we also use this endpoint name for our own live streaming purposes. All I am trying to do is set up a firewall block on port 1935 for incoming connections that allows just our local addresses and blocks everyone else, and at the same time allow the outbound live stream to be open to the internet. Currently it does not go beyond our network. I'm asking whether this is possible, or whether there is another way to do something similar.

Enthusiast, Sep 13, 2011

To be honest, this is just a dirty way to attempt to use FMS. If you don't want somebody attaching your stream someplace else, you are going to have to build a player that you actually have control of. Sure, we could block ports and come up with some sort of scheme that will probably never work without blocking legitimate customers. The only thing I can suggest is for you to block suspect connections by IP address, which will take a considerable amount of manpower; if you want to hire me to sit around all day and analyze network traffic, then tell me so and pay me $63 per hour, 40 hours per week, for a minimum of 4 weeks. You can escrow the money to me on elance.com; CellGeek is the username. Adobe, please message me if you don't appreciate me attempting to do business here; I don't need to shamelessly self-promote my services here if you have a problem with it.

New Here, Sep 13, 2011

I'll pass...

Anyone else want to chime in here?

Community Expert, Sep 13, 2011

You would have to build something into the C++ authentication plugin of some sort. Given that you are using the streaming version of FMS, you're very limited in what you can do. If it were the interactive version, then it would just be a matter of setting up a password in some server-side code to stop people from connecting anymore.

I don't know why we don't see more of these complaints here, actually; it's a completely unsecured application that lives on almost every FMS machine out there.
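What the "password in some server-side code" option looks like on the Interactive edition, as an added example (not code from the thread and not Adobe's): a main.asc-style server-side ActionScript that accepts every viewer but hands out write (publish) rights only to clients that come from the campus range and present a valid publisher credential, using the `Client.readAccess` / `Client.writeAccess` properties instead of blocking the port. Assumptions: the campus block is 123.123.0.0/16 as in the thread; the encoder passes a user name and password as extra `NetConnection.connect()` arguments (a custom client; FMLE's authentication add-in uses its own exchange and is not modelled here); the credential table is constructed for the example. The wiring to `application` is guarded so the same file also runs under Node.js for the checks below.

```javascript
// Added example, not from the original thread or from Adobe. Requires the
// Interactive edition of FMS: the Streaming edition does not run custom
// server-side ActionScript. Written in ES3 style so it loads as main.asc.

var CAMPUS_PREFIX = "123.123.";                                    // thread's fictitious class B
var PUBLISHERS = { "campus-tv": "correct horse battery staple" };  // constructed credential table

// "123.123.x.x" style partial-address match, the same form FMS's Allow/Deny lists use.
function inCampus(ip) {
  return typeof ip === "string" && ip.indexOf(CAMPUS_PREFIX) === 0;
}

// Compare secrets without short-circuiting on the first mismatching character,
// so response timing does not leak how much of the password was right.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  var n = Math.max(a.length, b.length);
  var diff = a.length ^ b.length;
  for (var i = 0; i < n; i++) {
    var ca = i < a.length ? a.charCodeAt(i) : 0;
    var cb = i < b.length ? b.charCodeAt(i) : 0;
    diff |= ca ^ cb;
  }
  return diff === 0;
}

// Value to assign to client.writeAccess: "/" allows publishing to every stream
// in the application, "" allows none. Both the address check and the credential
// check must pass; viewers (no credential) and off-campus encoders get "".
function writeAccessFor(ip, user, pass) {
  if (!inCampus(ip)) return "";
  if (typeof user !== "string" ||
      !Object.prototype.hasOwnProperty.call(PUBLISHERS, user)) return "";
  return safeEqual(PUBLISHERS[user], pass) ? "/" : "";
}

// Wire into FMS when this file runs as main.asc; skipped under plain Node.js.
if (typeof application !== "undefined") {
  application.onConnect = function (client, user, pass) {
    client.readAccess = "/";                                      // everyone may play
    client.writeAccess = writeAccessFor(client.ip, user, pass);   // only campus + credential may publish
    if (client.writeAccess === "" && typeof user === "string") {
      trace("publish rights refused for " + client.ip + " user=" + user);
    }
    application.acceptConnection(client);
  };
}
```

A client whose `writeAccess` is `""` can still connect and play, but the server refuses its `publish`, which is exactly the split the firewall could not make. The trace line gives you the failed-credential attempts in the application log, so the offending source addresses can be collected without packet captures.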

Community Expert, Sep 13, 2011

As I thought on it briefly there, you can also set up some rules in the Adaptor.xml or Server.xml file for partial IP addresses. Again, though, as has already been mentioned, you'll have to check the logs etc. to see what's coming in and determine what is not legit:

http://help.adobe.com/en_US/flashmediaserver/configadmin/WS5b3ccc516d4fbf351e63e3d119f2926583-7ffb.html#WS5b3ccc516d4fbf351e63e3d119f2926bcf-7f5a
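The partial-address rules mentioned above, as an added example fragment (not the thread's configuration and not Adobe's shipped Adaptor.xml): the `Allow`, `Deny` and `Order` elements of Adaptor.xml take comma-separated host names, full or partial IP addresses, or the keyword `all`; a partial address matches by prefix. The offending ranges here are constructed RFC 5737 documentation addresses standing in for whatever the access log shows; verify the element names against the configuration reference linked above for your FMS version.

```xml
<Adaptor>
    <!-- Added example; not the original thread's or Adobe's default file. -->
    <!-- Accept everyone, then refuse the ranges identified in the access log -->
    <!-- (look at the rows whose x-event is "publish" and collect their c-ip). -->
    <!-- "203.0.113" is a partial address and covers 203.0.113.0 - 203.0.113.255. -->
    <Allow>all</Allow>
    <Deny>203.0.113, 198.51.100.7</Deny>
    <Order>Allow,Deny</Order>
    <!-- remaining Adaptor.xml elements unchanged -->
</Adaptor>
```

The caveat a practitioner needs: this list is evaluated for every connection to the adaptor, viewers included, so it can only deny specific ranges already seen misbehaving; it cannot express "anyone may play, only campus may publish". Conversely, flipping it to `<Allow>123.123</Allow>` with `<Deny>all</Deny>` reproduces the original firewall problem and shuts out off-campus viewers. The FMS access log records the client address (`c-ip`) against each `connect`, `play` and `publish` event, which is the data you need to decide what to deny.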

New Here, Sep 13, 2011

So what you're saying is, I cannot limit port 1935, as by design it must have full in/out capabilities in order to function. I think the other poster is missing the point: they are not using any of my web sites or Flash viewing windows; they are taking advantage of an open system (like a spam relay) to pump their crap through, and there's nothing I can do about it except turn it off completely.

Community Expert, Sep 13, 2011

The only way to "limit" a port is to block IP addresses, I think. Essentially you do that either at the OS level or the FMS level. Or the C++ authenticator level, I guess.

The streaming version of FMS is extremely limited, not many easy options here.

Enthusiast, Sep 13, 2011

Fine, I don't get it; I tell you how you can fix it: get an intrusion detection system such as Snort and block at the packet level. I believe you can block whole IP ranges by region using this method, or you may identify a different packet dynamic; I've never had to do this with FMS, so I can't tell you what to look for without analyzing the data. Please don't ask me how to configure Snort, because I'm going to charge you, and you have already expressed that you don't have interest.

Adobe Employee, Sep 19, 2011

I have never used JW Player, so I am not sure whether it's used for publishing too. May I know what you use for publishing, FMLE or an SWF client?

New Here, Sep 19, 2011

We use FMLE or Wirecast depending on the situation. JW Player is only for playback.

Adobe Employee, Sep 19, 2011

So if you are using FMLE, you can use the FMLE Authentication Add-in. You can download it from Download Authentication Add-In

You can read the documentation related to the Add-in here: http://help.adobe.com/en_US/FlashMediaLiveEncoder/3.2/Using/WS5b3ccc516d4fbf351e63e3d11c104ba878-7fe...

New Here, Sep 19, 2011

So using this method will prevent spammers from bouncing off the open port for live streaming? I will look into this, thanks SE_0208

Adobe Employee, Sep 19, 2011

If you use the FMLE Authentication Add-in, each publisher needs to have a user ID and password, so only valid users would be able to publish to your "live" applications.

Advocate, Sep 19, 2011

The FMLE auth add-in is a username/password-based authentication mechanism and not a port-traffic kind of auth. So this is one step toward stopping some unauthorized access to the FMLE by restricting publishing.

New Here, Sep 19, 2011

Nikhil, if I may make a suggestion to Adobe: please add some better security options; for example, the option of limiting the incoming live stream port to a range of IP addresses would help secure things even more. I will look into this method of authentication in the meantime.

Advocate, Sep 19, 2011

Thank you for your suggestions. It is always nice to inherently have more security mechanisms built in, but the way FMS is modeled to be extended, by making custom C++ plugins, such a rule is not integrated as a hard rule into FMS, so that any business scenario can be supported.

Point noted; let's hope it is a part of a future FMS.
