The Wowza server itself does not host any SWF file and will not use SSL. So the Flash Player is hosted on our web server. For example,
vod1.example.com is one of the Wowza server and
web.example.com is the web server hosting the web page and the SWF files to play the media.
Crossdomain.xml is used by flash clients when an swf needs to load a resource from a different domain than the one the swf was launched from. It is basically saying, can the resource (the http stream in our case) be sent to the swf that is requesting it? Even though Wowza server doesn't host any swf files, the crossdomain.xml file will be requested for any http requests that come from an swf launched from a different domain. It is normally only for HTTP type requests so RTMP requests from an swf won't normally trigger a request for crossdomain.xml
You can edit the conf/crossdomain.xml file to make it more restrictive. In this case, you can specify the domains that are allowed to access the streams. You do need to be careful if using something like the JW Player cloud hosted version because the crossdomain.xml request will come from the cloud domain and not your website domain.
For simple streaming requests, it probably isn't even worth restricting playback using the crossdomain.xml You are better off to restrict access using Secure Token or DRM. The crossdomain.xml was really designed as a mechanism for one swf to be able to trust and interact with another swf from a different domain. Because there is not any interaction between the stream and the player, the security provided by the crossdomain.xml isn't really needed which is why the default setting is open access. The file is needed because the swf will request it and if there is no response then the actual resource won't be requested.