> -----Original Message-----
> From: Bart van Moorsel [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 15 October 1999 7:00 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: secure access to video stream
>
>
> I have several webcams running and I want to publish the stream on the
> web. How can I control the access to this? The simplest thing that I can
> imagine is a username and password to the website but that would be also
> simple to sniff.
Yes. It would. Then again, SSH would defeat all but the most dedicated of
password sniffers. If you use "strong" username / password combinations
there's probably a fairly reasonable solution here... The trick is that SSH
encrypts the connection before the username and password are exchanged with
the server.
>
> And if I can control the access I am afraid that it is possible that
> people can listen on the stream if they know the IP address and port. Am
> I right on this one?
No. Well, probably not. Basically, if people aren't on the same shared
ethernet segment as the server they can't sniff your traffic - this would
mean that they would need to be on the same hub as either the video server
or the video client. [1]
> I think that I can not encrypt the stream.
Why not? Network layer encryption (as in VPN stuff) would do fine, and I
don't see any reason why it wouldn't work through an application layer
solution like SSH. In terms of native application layer encryption for
video, I don't know of one but I'd bet my salary for next month that there's
one out there somewhere (there's gotta be a nifty codec or something...).
>
> I am open to any suggestions.
I suggest you use SSH unless this is extremely sensitive data. It's easy, in
keeping with your existing setup and doesn't require any architecture
changes.
Oh, one more thing - the weak link would then become the WWW server. Use a
good one. If someone can compromise the WWW server then all your tricksy
password stuff is for naught.
>
> Regards,
>
> Bart
>
Cheers,
[1] This is a lie. People can sometimes do tricks to misdirect IP traffic
from your host to theirs, but you'd probably notice (your session would
die). It's also possible to trick or configure switches into sending MAC
layer stuff to them instead of you, or even to mirror the data to their
port, which you wouldn't be able to detect. However, in practice, this stuff
is nowhere near as useful or feasible as paranoid security freaks like us
make out. Unless it's ultra-sensitive, I'd not worry about it (but use
strong crypto anyway - never hurts to be sure ;).
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520