Solved

YouTube videos often not available behind our firewall

Posted on 2008-09-30
Last Modified: 2011-10-19
Most of the time, but now all, users on my corporate LAN cannot view YouTube videos while in the office (behind the firewall). I swear it when I say, I can't find a single reason why that's happening.

Does YouTube stream over a specific protocol I could open specifically for that purpose?

Any ideas here?


juckyt
Question by:juckyt
23 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22608691
Looks like a content filtering rule - not necessarily an ACL. YouTube uses flash video and that is streamed over regular TCP port 80. That means that if it were blocked the internet wouldn't work at all.
What kind of firewall?
0
 

Author Comment

by:juckyt
ID: 22608892
Juniper Netscreen
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22608906

juckyt,

There are lots of possibilities, MQC, NBAR, ASA/PIX (firewalls), content filter servers, anything that can perform deep packet inspection on http traffic and potentially match url strings destined for youtube*.
This is quite easy actually on a Cisco ASA/PIX or router.

What probably happened is that someone was monitoring your network traffic and determined many employees were surfing to sites that burn up bandwidth and they are trying to restrict access but freeing up bandwidth for business, not to mention the potential security implications of some sites on the web.

harbor235 ;}
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22609119
harbor is probably right. But if you want to re-allow it then you need to determine where the rule is - another possibility (not very likely) is that someone called the ISP and asked them to block this (but I have seen it done).
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22609470


Netscreens can perform deep packet inspection:

http://www.juniper.net/solutions/literature/solutionbriefs/351089.pdf

harbor235 ;}
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22610194
I think what he's trying to do is STOP the filtering so people CAN view the videos.
Juckyt - what you need to do is check out the configs of all the security equipment to find where the filtering is going on and disable it.
0
 

Author Comment

by:juckyt
ID: 22610216
This sucks...

I'll check in with you guys tomorrow...
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22610436
Okay no prob! I'm sorry there's no way to do this with the PIX. Depending on who your ISP is, you might call them and ask them to do it. Most of the time they won't but you might get lucky.
Best of luck!
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22610447
Ooops sorry... accidentally combined two posts.
What I mean to say is call your ISP and make sure they're not filtering it. Again, not likely but possible.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22613426


You could remote desktop to your home machine (or other machine) and access YouTube from there. I typically get around firewalls in this manner. I have even run remote desktop on my home system on some port I know the firewall allows like ftp port 21, http port 80, etc., connect home, launch my browser and surf as needed, best part is the flow is encrypted.

there are ways around it

harbor235 ;}
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22617715
:-) Ever try running streaming video over RDP and a home internet connection? Not pretty. And often companies block outgoing RDP or ports other than ones necessary for business. This might be the case since YouTube is clearly blocked.
It's best not to expose your PC to the internet with RDP.

RDP before Vista and Windows Server 2008 uses weak encryption - often just a 56-bit DES key to encrypt RDP sessions. Since the RDP session's default TCP timeout is 10 hours, an attacker has plenty of time to crack the weak crypto and start a man-in-the-middle attack to take complete control of your server. Windows Vista and Server 2008 are considerably safer because they use 128-bit RC4 encryption, however care should still be taken to not expose RDP to the internet as they can just guess your password.

http://www.securiteam.com/windowsntfocus/5EP010KG0G.html

VPN is much more secure than even the 128-bit RDP. When RDP is tunneled through VPN using AES-128, it is (with today's technology) unbreakable - and I'm not quick to use words like that - I'm very skeptical of such claims.
0

 
LVL 32

Expert Comment

by:harbor235
ID: 22618826


That's why you run RDP on a port other than 3389, like port 21 like I said in my post.

harbor235
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22618917
Harbor, I'll bet you $100 port 21 (FTP) gets scanned more often than 3389. That's even worse. RDP before Vista is not secure and should NOT be used across the internet.
Not to mention the slowness of RDP coming from a regular home internet connection (upload is not very good on them).
No disrespect, but that is not a viable solution for being able to view videos - the framerate would be terrible and the sound is choppy at best.
0
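The disagreement above about running RDP on port 21 comes down to whether the firewall trusts port numbers. As an added example (not written by anyone in this thread), the Python below shows how a defender can recognise an RDP session by its opening bytes, the TPKT header and X.224 Connection Request, whatever port it uses. The flow-record layout, the function names and the sample flows are constructed for illustration.

```python
import struct

RDP_PORT = 3389

def is_rdp_connection_request(payload: bytes) -> bool:
    """True if the first client payload is a TPKT-framed X.224 Connection Request."""
    if len(payload) < 11:                      # 4-byte TPKT + 7-byte X.224 CR minimum
        return False
    version, reserved, tpkt_len = struct.unpack(">BBH", payload[:4])
    if version != 3 or reserved != 0 or not 11 <= tpkt_len <= len(payload):
        return False
    length_indicator, code = payload[4], payload[5]
    # LI counts the bytes after itself; CR TPDU code is 0xE in the high nibble.
    if length_indicator != tpkt_len - 5 or code & 0xF0 != 0xE0:
        return False
    (dst_ref,) = struct.unpack(">H", payload[6:8])
    return dst_ref == 0 and payload[10] == 0   # DST-REF 0, class 0 in a CR

def find_offport_rdp(flows):
    """Return (src, dst, dport) for flows that open with RDP on a non-RDP port."""
    return [(f["src"], f["dst"], f["dport"]) for f in flows
            if f["dport"] != RDP_PORT and is_rdp_connection_request(f["first_payload"])]

def build_cr(cookie: bytes = b"") -> bytes:
    """Construct a sample Connection Request (test data only)."""
    neg_req = bytes.fromhex("0100080003000000")        # RDP negotiation request
    body = b"\xe0\x00\x00\x00\x00\x00" + cookie + neg_req
    return struct.pack(">BBH", 3, 0, len(body) + 5) + bytes([len(body)]) + body

# Constructed sample flows: first client payload of each outbound TCP session.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 21,
     "first_payload": build_cr(b"Cookie: mstshash=user\r\n")},
    {"src": "10.0.0.6", "dst": "198.51.100.7", "dport": 21,
     "first_payload": b"USER anonymous\r\n"},
    {"src": "10.0.0.7", "dst": "203.0.113.20", "dport": 80,
     "first_payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"src": "10.0.0.8", "dst": "192.0.2.4", "dport": 3389,
     "first_payload": build_cr()},
]

if __name__ == "__main__":
    for src, dst, dport in find_offport_rdp(SAMPLE_FLOWS):
        print(f"RDP handshake on port {dport}: {src} -> {dst}")
```

Only the first host is reported: genuine FTP and HTTP payloads fail the TPKT check, and RDP on 3389 is left to the normal port-based policy.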
 
LVL 32

Expert Comment

by:harbor235
ID: 22630875

Who cares if it gets scanned more, the point is that it is a port left open by most Enterprise firewalls. It does not matter if is secure either, all I am worried about is that it's open and I have a way around the firewall to view YouTube videos. RDP is a protocol that is typically filtered by enterprise firewalls, I was just offering a way to keep watching YouTube.

The video is buffered so frame rate and chop are not issues, also we are talking about a corporate internet connection on the initiating side. My internet connection supports it with no problems, I guess if you have dial this will not work well.

harbor235 ;}
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22630970
Harbor, you are incorrect! Stop saying stuff that just isn't true. The default firewall policy on EVERY enterprise security product is to deny everything unless it's specified to let it in.
Quoting you: "It does not matter if is secure either" Do you hear yourself? What kind of advice are we supposed to be offering? Good advice, I thought. What kind of recklessness is this that you're proposing?
You say we're talking about a corporate connection on the initiating side - yes it is. HOWEVER, on the other side (aka the side that is UPLOADING the video to the user), it is NOT a corporate connection - probably a home internet connection with a 512k upload or lower.
Also, yes, the video is buffered - on the remote PC. It is NOT buffered over the RDP link and the user will probably get something where half the video refreshes and the other half doesn't for a second or two and then some really choppy audio with parts dropped out. I've tried it. It isn't pretty on even a fast home internet connection because RDP has to refresh the whole area and blocks around it. This just isn't suitable for streaming video over RDP. I'm sorry to burst your bubble.
Cheers! Just trying to give some good advice.
 
 
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22634263

>The default firewall policy on EVERY enterprise security product is to deny everything unless it's specified to let it in.

Correct, however when initiated from the inside the return traffic is allowed back in via the default firewall policy without explicitly allowing the traffic.

>Quoting you: "It does not matter if is secure either" Do you hear yourself? What kind of advice are we supposed to be offering? Good advice, I thought. What kind of recklessness is this that you're proposing?

A deep understanding how things really work is important, whether or not RDP prior to Vista is secure or not is not big concern in my opinion, it's encrypted, and yes it does offer weak encryption for older clients like 56 bit DES, however, I guess you do not know RDP can also use 128-bit high encryption.

As far as the internet connection I guess it depends, my home connection has 8M upload, my connection is nothing special and is a typical product offered by verizon or comcast.

So for me and most people in urban areas of the US this is less of a problem.

juckyt, I apologize for getting sidetracked, I was trying to offer options not necessarily the best solution, that is for you to decide.  I hope this has helped, sorry if it added confusion.


harbor235 ;}





0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22635699
>A deep understanding how things really work is important, whether or not RDP prior to Vista is secure or not is not big concern in my opinion, it's encrypted, and yes it does offer weak encryption for older clients like 56 bit DES, however, I guess you do not know RDP can also use 128-bit high encryption.

Didn't I already state that 128-bit is enabled in Vista and WS 2008? :-/

> As far as the internet connection I guess it depends, my home connection has 8M upload, my connection is nothing special and is a typical product offered by verizon or comcast.

Where do you live? That's the fastest home connection I've ever heard of. Are you sure the 8Mbps is upload and not download? How much do you pay?
And yes, sorry about trailing off.
Cheers!
0
 

Author Comment

by:juckyt
ID: 22635879
Guys!

This is about YouTube and Firewall issues. I do like the offers for a work-around but arguing over its effectiveness does us no good here.

With that said...the situation persists. My Netscreen is not really doing any deep packet inspection.

Could this be a DNS or DNSBL issue?
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22635961
If the internet is working then it's not a DNS issue. Yes, it could be blacklisted.
Are there security devices other than the NetScreen? Specifically any content filtering appliance? No Microsoft ISA?
Also, I know this sounds crazy... did you call your ISP and have them check like I asked? Probably not, but possible that that's the problem.
Cheers!
0
 

Author Comment

by:juckyt
ID: 22696076
You know, we actually were blacklisted multiple times over the past few months. The DNS records have been scrubbed but maybe there's still something there. I have three ISPs and have confirmed with one of them that they are not filtering YouTube vids. So the mystery continues...

juckyt
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22697714
Interesting... keep me posted!
Cheers and good luck!
0
 
LVL 3

Expert Comment

by:leonjs
ID: 22751223
I know with the ASA unless you're using expression or a web filter then there is no filtering. Cisco Firewalls either permit or deny traffic, there's no in between. In this case if there was filtering, which I have implemented on my firewall for YouTube, the page wouldn't display at all, it would just say connection was interrupted.

I've seen this before on my home laptop and usually a refresh of the page helps but in some cases you need to have Shockwave and Flash installed to see the videos. If not try clearing the temporary internet files, cache, cookies etc. and try then, sometimes the issue is on YouTube's end.
0
 

Accepted Solution

by:
juckyt earned 0 total points
ID: 22758712
Alright Hamilton!

here's the work-around (I knew it wasn't just me):

9 times out of 10 YouTube requests time-out with a blanket statement error message, "we're sorry, this video is no longer available". Bullshit. Something's afoot with the server farm and until the man owns up to the fact, here's a simple work-around to use every time you get stonewalled:

For example, http://www.youtube.com/watch?v=Szb2wF-N7hA will let you down...
To fix this problem append the code...
&fmt=6 or
&fmt=18 or
&fmt=16
...to the end of the YouTube URL.
Hit enter and watch!

Using this method, the aforementioned URL becomes,
http://www.youtube.com/watch?v=Szb2wF-N7hA&fmt=6 or
http://www.youtube.com/watch?v=Szb2wF-N7hA&fmt=18 or
http://www.youtube.com/watch?v=Szb2wF-N7hA&fmt=16

There's something about the additional code that makes it work. I couldn't care less so long as it works.


At least it's not a perimeter issue.


> juckyt <

0
