Last Updated on 24 August, 2019 by Grim Reaper
Scenario
As we know, YouTube uses Google’s certificate over HTTPS and then its not possible to block YouTube website over HTTPS through a common web filter based common name scanning.
So the other options available are:
- HTTPS Scanning (Deep Packet Inspection)
- Application Filter
Now the problem with option 1 is that the browsers will give you a browser warning when you try to access HTTPS based websites, because of SSL bridging. So we need to install the firewall’s certificate in all the end user browsers. This task is tedious in the absence of a domain based network. And the second option is application signature based, where the firewall identifies the traffic based on its application signature database.
In the Application Filter based approach, we can create a policy denying the relevant YouTube applications as shown below.
Challenge
In Identity based firewalls like Cyberoam, we may have to create a rule for DNS traffic on top of the firewall rule set to allow the DNS queries to reach the DNS servers in order to make the authentication functionality work properly. Hence this traffic is not scanned by the application filter. And users will be able to access YouTube website.
Solution
The Application Signature ‘YouTube Website’, identifies the DNS queries for YouTube domain. So we can block this traffic by applying a application filter policy in the DNS rule created. Steps shown below.
1. Create an application filter policy with application signature ‘YouTube Website’ denied
2. Apply the policy in the DNS Rule
3. When user tries to access youtube.com and DNS query is blocked by firewall
Note: Cyberoam should not be the DNS server for the users. If configured so, DNS traffic will not go through LAN – WAN rule and traffic will not be scanned by application filter.To avoid this we can disable the DNS service in the LAN Zones as shown below.
For more references : kb.cyberoam.com