A Transport-Level Proxy for Secure Multimedia Streams

service, firewalls need more than static packet filtering and application-level proxies. SOCKS is an application-independent transport-level proxy that offers user-level authentication and data encryption. An extended SOCKS UDP binding model with appropriate socket calls is proposed to provide complete support for UDP-based, multimedia streaming applications. T he increasing popularity of multimedia streaming applications, such as RealNetworks' RealPlayer and Microsoft's NetMeeting and Windows Media Player, pose challenges to the Internet infrastructure , particularly in providing secure firewall traversal for video and audio streams. Static packet filtering, the approach used by firewalls today, cannot adequately support the security needs of these applications for several reasons. First, common packet-filtering policies block almost all incoming user datagram protocol (UDP) traffic except for a few services such as the domain name service (DNS), network time protocol (NTP), and Archie. 1 Many multimedia streaming applications, however, employ UDP for data transport because for multimedia streaming, minimal delay and delay jitter is more important than total reliability. Second, the problem with UDP unicast also applies to IP multicast, which supports UDP only. IP multicast, nevertheless, is essential to a scalable solution for Internet-wide multimedia streaming. Finally, in multimedia streaming the UDP ports on the client and server sides are usually dynamically assigned through the application protocol, which is further complicated by the network address translation (NAT) performed by firewalls. As a result, special configurations, such as fixing a particular UDP port for receiving multi-media streams, are often required. 2 This article investigates the suitability of SOCKS, a transport-level proxy solution adopted by the Internet Engineering Task Force's Authenticated Firewall Traversal Working Group, for supporting multimedia streaming applications. 3 The name SOCKS came from Secure Sockets, originally developed by David Koblas and Michelle Koblas. 4 Specifically, we identify two problems encountered by SOCKS: a mismatch of call sequences between the SOCKS' transport model and multimedia streaming protocols' transport models, and inadequate socket call support for UDP binding. Failure to resolve these problems results in the firewall's blocking of the multimedia streams. We use the real-time streaming protocol (RTSP), an IETF-proposed standard, to illustrate the problems, and we propose an enhanced SOCKS to provide complete support for UDP-based applications, particularly multimedia streaming applications.