Multimedia applications may transmit requests on TCP, get responses
on UDP or TCP, use dynamic ports, use the same port for source and destination,
and so on. Every application behaves in a different way. Implementing support
for all multimedia applications using a single secure method is very difficult.
Two examples of multimedia applications follow:
- RealAudio – Sends the originating request to TCP port 7070. The RealAudio
server replies with multiple UDP streams anywhere from UDP port 6970 through
7170 on the client machine.
- CUseeMe client – Sends the originating request from TCP port 7649 to TCP
port 7648. The CUseeMe datagram is unique in that it includes the legitimate IP
address in the header as well as in the payload, and sends responses from UDP
port 7648 to UDP port 7648.

The PIX Security Appliance dynamically opens and closes UDP ports for
secure multimedia connections. Administrators therefore do not need to open a
large range of ports, which would create a security risk, and do not need to
reconfigure any application clients.
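
The following added example (a simplified model, not PIX code) contrasts dynamic UDP pinholes for the RealAudio case above with a statically opened port range. It assumes the pinhole is tied to the lifetime of the TCP 7070 control session and to the client/server pair; the class, function names and IP addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

REALAUDIO_CTRL_PORT = 7070               # TCP control port (from the text)
REALAUDIO_UDP_PORTS = range(6970, 7171)  # UDP 6970 through 7170 inclusive


@dataclass
class PinholeFirewall:
    # (client_ip, server_ip) pairs with a live RealAudio control session
    sessions: set = field(default_factory=set)

    def outbound_tcp_open(self, client_ip, server_ip, dst_port):
        """Inside client opens a TCP connection; track RealAudio control sessions."""
        if dst_port == REALAUDIO_CTRL_PORT:
            self.sessions.add((client_ip, server_ip))

    def outbound_tcp_close(self, client_ip, server_ip, dst_port):
        """Control connection ended: the UDP pinholes close with it."""
        if dst_port == REALAUDIO_CTRL_PORT:
            self.sessions.discard((client_ip, server_ip))

    def inbound_udp_allowed(self, src_ip, dst_ip, dst_port):
        """Permit inbound UDP only from the server this client contacted."""
        return (dst_ip, src_ip) in self.sessions and dst_port in REALAUDIO_UDP_PORTS


def static_acl_allowed(src_ip, dst_ip, dst_port):
    """The alternative the text warns about: range open to any source, always."""
    return dst_port in REALAUDIO_UDP_PORTS


def demo():
    fw = PinholeFirewall()
    # Constructed sample addresses (documentation ranges), not from the page
    client, server, other = "10.0.0.5", "192.0.2.10", "198.51.100.7"
    results = {"before_request": fw.inbound_udp_allowed(server, client, 6970)}
    fw.outbound_tcp_open(client, server, 7070)
    results["server_stream"] = fw.inbound_udp_allowed(server, client, 7170)
    results["unrelated_host"] = fw.inbound_udp_allowed(other, client, 6970)
    results["outside_range"] = fw.inbound_udp_allowed(server, client, 7171)
    fw.outbound_tcp_close(client, server, 7070)
    results["after_close"] = fw.inbound_udp_allowed(server, client, 6970)
    results["static_unrelated_host"] = static_acl_allowed(other, client, 6970)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```
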

The PIX Security Appliance also supports multimedia with or without NAT.
Many firewalls that cannot support multimedia with NAT limit multimedia usage
to only registered users, or require exposure of inside IP addresses to the
Internet. Lack of support for multimedia with NAT often forces multimedia
vendors to join proprietary alliances with firewall vendors to achieve
compatibility for their applications.

More information about configuring multimedia application support can be
found in the Command Reference.