juckyt asked:
YouTube videos often not available behind our firewall

Experts:
Have you had this problem yourself?
Most of the time, but not all, users on my corporate LAN cannot view YouTube videos while in the office (behind the firewall). I swear it when I say, I can't find a single reason why that's happening.

Does YouTube stream over a specific protocol I could open specifically for that purpose?

Any ideas here?


juckyt

Pugglewuggle:
Looks like a content filtering rule - not necessarily an ACL. YouTube uses flash video and that is streamed over regular TCP port 80. That means that if it were blocked the internet wouldn't work at all.
What kind of firewall?
juckyt (asker):
Juniper Netscreen

juckyt,

There are lots of possibilities: MQC, NBAR, ASA/PIX (firewalls), content filter servers, anything that can perform deep packet inspection on HTTP traffic and potentially match URL strings destined for youtube*.
This is quite easy actually on a Cisco ASA/PIX or router.

What probably happened is that someone was monitoring your network traffic and determined many employees were surfing to sites that burn up bandwidth, and they are trying to restrict access, freeing up bandwidth for business, not to mention the potential security implications of some sites on the web.

harbor235 ;}
Harbor is probably right. But if you want to re-allow it then you need to determine where the rule is. Another possibility (not very likely) is that someone called the ISP and asked them to block this (but I have seen it done).


Netscreens can perform deep packet inspection:

http://www.juniper.net/solutions/literature/solutionbriefs/351089.pdf

harbor235 ;}
I think what he's trying to do is STOP the filtering so people CAN view the videos.
Juckyt - what you need to do is check out the configs of all the security equipment to find where the filtering is going on and disable it.
juckyt (asker):
This sucks...

I'll check in with you guys tomorrow...
Okay no prob! I'm sorry there's no way to do this with the PIX. Depending on who your ISP is, you might call them and ask them to do it. Most of the time they won't but you might get lucky.
Best of luck!
Oops, sorry... accidentally combined two posts.
What I meant to say is call your ISP and make sure they're not filtering it. Again, not likely but possible.


You could remote desktop to your home machine (or other machine) and access YouTube from there. I typically get around firewalls in this manner. I have even run remote desktop on my home system on some port I know the firewall allows, like FTP port 21, HTTP port 80, etc., connect home, launch my browser and surf as needed; the best part is the flow is encrypted.

There are ways around it.

harbor235 ;}
:-) Ever try running streaming video over RDP and a home internet connection? Not pretty. And often companies block outgoing RDP or ports other than the ones necessary for business. This might be the case since YouTube is clearly blocked.
It's best not to expose your PC to the internet with RDP.

RDP before Vista and Windows Server 2008 uses weak encryption, often just a 56-bit DES key to encrypt RDP sessions. Since the RDP session's default TCP timeout is 10 hours, an attacker has plenty of time to crack the weak crypto and start a man-in-the-middle attack to take complete control of your server. Windows Vista and Server 2008 are considerably safer because they use 128-bit RC4 encryption; however, care should still be taken to not expose RDP to the internet as they can just guess your password.

http://www.securiteam.com/windowsntfocus/5EP010KG0G.html

VPN is much more secure than even the 128-bit RDP. When RDP is tunneled through VPN using AES-128, it is (with today's technology) unbreakable, and I'm not quick to use words like that; I'm very skeptical of such claims.


That's why you run RDP on a port other than 3389, like port 21, as I said in my post.

harbor235
Harbor, I'll bet you $100 port 21 (FTP) gets scanned more often than 3389. That's even worse. RDP before Vista is not secure and should NOT be used across the internet.
Not to mention the slowness of RDP coming from a regular home internet connection (upload is not very good on them).
No disrespect, but that is not a viable solution for being able to view videos - the framerate would be terrible and the sound is choppy at best.

Who cares if it gets scanned more? The point is that it is a port left open by most enterprise firewalls. It does not matter if it is secure either; all I am worried about is that it's open and I have a way around the firewall to view YouTube videos. RDP is a protocol that is typically filtered by enterprise firewalls; I was just offering a way to keep watching YouTube.

The video is buffered so frame rate and chop are not issues; also we are talking about a corporate internet connection on the initiating side. My internet connection supports it with no problems. I guess if you have dial-up this will not work well.

harbor235 ;}
Harbor, you are incorrect! Stop saying stuff that just isn't true. The default firewall policy on EVERY enterprise security product is to deny everything unless it's specified to let it in.
Quoting you: "It does not matter if it is secure either" Do you hear yourself? What kind of advice are we supposed to be offering? Good advice, I thought. What kind of recklessness is this that you're proposing?
You say we're talking about a corporate connection on the initiating side - yes it is. HOWEVER, on the other side (aka the side that is UPLOADING the video to the user), it is NOT a corporate connection - probably a home internet connection with a 512k upload or lower.
Also, yes, the video is buffered - on the remote PC. It is NOT buffered over the RDP link and the user will probably get something where half the video refreshes and the other half doesn't for a second or two and then some really choppy audio with parts dropped out. I've tried it. It isn't pretty on even a fast home internet connection because RDP has to refresh the whole area and blocks around it. This just isn't suitable for streaming video over RDP. I'm sorry to burst your bubble.
Cheers! Just trying to give some good advice.

>The default firewall policy on EVERY enterprise security product is to deny everything unless it's specified to let it in.

Correct; however, when initiated from the inside, the return traffic is allowed back in via the default firewall policy without explicitly allowing the traffic.

>Quoting you: "It does not matter if it is secure either" Do you hear yourself? What kind of advice are we supposed to be offering? Good advice, I thought. What kind of recklessness is this that you're proposing?

A deep understanding of how things really work is important. Whether or not RDP prior to Vista is secure is not a big concern in my opinion; it's encrypted, and yes, it does offer weak encryption for older clients like 56-bit DES. However, I guess you do not know RDP can also use 128-bit high encryption.

As far as the internet connection, I guess it depends. My home connection has 8M upload; my connection is nothing special and is a typical product offered by Verizon or Comcast.

So for me and most people in urban areas of the US this is less of a problem.

juckyt, I apologize for getting sidetracked. I was trying to offer options, not necessarily the best solution; that is for you to decide. I hope this has helped; sorry if it added confusion.


harbor235 ;}

>A deep understanding of how things really work is important. Whether or not RDP prior to Vista is secure is not a big concern in my opinion; it's encrypted, and yes, it does offer weak encryption for older clients like 56-bit DES. However, I guess you do not know RDP can also use 128-bit high encryption.
Didn't I already state that 128-bit is enabled in Vista and WS 2008? :-/
> As far as the internet connection, I guess it depends. My home connection has 8M upload; my connection is nothing special and is a typical product offered by Verizon or Comcast.

Where do you live? That's the fastest home connection I've ever heard of. Are you sure the 8Mbps is upload and not download? How much do you pay?
And yes, sorry about trailing off.
Cheers!
juckyt (asker):
Guys!

This is about YouTube and firewall issues. I do like the offers for a work-around, but arguing over its effectiveness does us no good here.

With that said...the situation persists. My Netscreen is not really doing any deep packet inspection.

Could this be a DNS or DNSBL issue?
If the internet is working then it's not a DNS issue. Yes, it could be blacklisted.
Are there security devices other than the NetScreen? Specifically, any content filtering appliance? No Microsoft ISA?
Also, I know this sounds crazy... did you call your ISP and have them check like I asked? Probably not, but possible that that's the problem.
Cheers!
juckyt (asker):
You know, we actually were blacklisted multiple times over the past few months. The DNS records have been scrubbed, but maybe there's still something there. I have three ISPs and have confirmed with one of them that they are not filtering YouTube vids. So the mystery continues...

juckyt
Interesting... keep me posted!
Cheers and good luck!
I know with the ASA, unless you're using expressions or a web filter, there is no filtering. Cisco firewalls either permit or deny traffic; there's no in between. In this case, if there was filtering (which I have implemented on my firewall for YouTube), the page wouldn't display at all; it would just say the connection was interrupted.

I've seen this before on my home laptop and usually a refresh of the page helps, but in some cases you need to have Shockwave and Flash installed to see the videos. If not, try clearing the temporary internet files, cache, cookies etc. and try then; sometimes the issue is on YouTube's end.
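The replies above raise two different symptoms: a DNS or blacklist problem versus a real content filter, which on the ASA shows up as the connection being interrupted. The script below is an added example, not from the thread or any poster, that probes a host one layer at a time and classifies the symptom; the block-page markers and the `probe`/`classify` names are my own assumptions.

```python
import socket
from http.client import HTTPConnection, HTTPException

# Constructed example: narrow down where a site such as youtube.com is being
# stopped from inside the LAN, one layer at a time (DNS, TCP on port 80, then
# the HTTP reply). probe() gathers live results; classify() is pure so it can
# be exercised offline on constructed outcomes.

BLOCK_MARKERS = ("blocked", "access denied", "web filter", "content filter")

def probe(host, port=80):
    """Run the three live probes; returns a dict consumed by classify()."""
    result = {"dns": False, "tcp": False, "http": None, "error": None}
    try:
        socket.gethostbyname(host)
        result["dns"] = True
        socket.create_connection((host, port), timeout=5).close()
        result["tcp"] = True
    except OSError as exc:
        result["error"] = str(exc)
        return result
    try:
        conn = HTTPConnection(host, port, timeout=5)
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        result["http"] = (resp.status, resp.getheader("Location", "") or "",
                          resp.read(2048).decode("latin-1"))
    except (OSError, HTTPException) as exc:   # cut off mid-request
        result["error"] = str(exc)
    return result

def classify(result, host):
    """Map probe results to the most likely cause of the failure."""
    if not result["dns"]:
        return "dns"          # resolver or DNSBL problem, not a firewall rule
    if not result["tcp"]:
        return "tcp-blocked"  # ACL or routing: nothing reaches port 80
    if result["http"] is None:
        return "interrupted"  # TCP opened but the HTTP exchange was reset
    status, location, body = result["http"]
    if status in (403, 451) or any(m in body.lower() for m in BLOCK_MARKERS):
        return "filtered"     # block page from a content filter or proxy
    if 300 <= status < 400 and host not in location:
        return "filtered"     # bounced to a filter portal, not the site itself
    return "ok"

if __name__ == "__main__":
    target = "www.youtube.com"
    print(target, "->", classify(probe(target), target))
```

Run it from an affected workstation and from one that works; a differing result at the "dns" stage points at the resolver, while "interrupted" or "filtered" points at inline inspection.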
ASKER CERTIFIED SOLUTION
juckyt