Block YouTube without SSL-decryption

Let’s say you want to block YouTube, and you started making a rule, it would probably look something like this:

yb1

Block Youtube and Youtube-base and set it to deny, but this will not work if you are not running SSL-decryption:

yb2

The application signatures is not able to identify the traffic correctly, since it’s inside an ssl-tunnel, and in the logs we can see this instead:

yb7

This gives us little to no information, so we need another way to do it..

First some recon on the traffic:

yb8

This gives us some context we can work with, that are not encrypted.

So what do we do with it?

First we need to create a new custom application:

Objects -> Applications -> Add

yb5

Put in some information on what the application is doing and what the characteristics are, don’t just throw this together because it can end up matching an Application filter you don’t want it to match. Mine is a good example to start out with.

yb6

Next step is to add a new signature to actually identify Youtube traffic, and then add the conditions, so it matches the picture.

The signature is based on identifying the word youtube and googlevideo in both the SSL Client Hello and in the Certificate, this makes it possible for us to find and stop traffic to and from servers affiliated with Youtube.

yb4

We then changes the application in our “Block Youtube” rule, and see what happens..

Chrome:

yb9

We still get into Youtube, due to how Chrome works, but we are able to block the videos.

Firefox:

yb10

Totally blocked.

Internet Explorer:

yb11

So, we are able to block it, and we can see the result in the logs:

yb3

Link to my custom App-ID: appid_youtube_ssl

Disclaimer:
I don’t take any responsibility if this custom application breaks anything else except youtube. The signature is based on names in the certificate and client hello, so if you have other services using googlevideo or youtube, then they will also be blocked.

 

 

 

 

About Glenn

Pre-Sales Engineer for Palo Alto Networks in Norway. Always looking for new ways to secure your organization!
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *