• Status: Solved

How does Websense work?

Ok, I have to admit up front that this question is merely for my own information.  It is driving me crazy.  I have inherited a network with a Websense content filter.  It seems to work really well.  What I don't fully understand is how it is working.  As the network administrator I really think I should.  So if anyone out there knows, I am all ears.  

Here is the situation.  We have a PIX 506 firewall connected to our ISP.  There is no reference to the Websense server at all in the PIX config.  The Websense server is not hard wired between the PIX and the rest of the network.  When the server is down all traffic flows unrestricted to and from the Internet without having to change a thing.

How can a server block broadcast traffic that I know the PIX is hearing and forwarding, as both the Websense and the PIX are connected to the same physical network?  None of the clients have a proxy server configured.  The Websense seems to be able to yank packets off the network whenever it wants.  How?
Asked: jasonzook
 
jasonbird Commented:
Hi Jason
It sounds to me as though the Websense is just configured as an Outbound proxy. So all of your workstations are configured to go through the Websense as their Proxy server, and then Websense itself is configured with your PIX as its gateway and simply routes the traffic from the internet back through, whilst analysing the content coming through. Websense is capable of doing hand-off with some firewalls where the firewall actually specifically sends certain content (usually HTTP/FTP etc.) to the Websense unit to be scanned, or you can use it as a hard wired appliance so that all traffic is directly sent through Websense and it will scan the content it is capable of reading, or finally the Outbound proxy method as described above. Check out the resources at: http://www.websense.com/content/WebFilter.aspx

Hope this helps
J
 
giltjr Commented:
Do any of the clients have auto proxy configured?

Do you have any other Cisco devices in your network?  Cisco has a function called WCCP, Web Cache Communications Protocol.  You can enable this in some Cisco devices and the Cisco device will watch for HTTP traffic and forward it to a proxy automatically.
 
jasonzook (Author) Commented:
I would normally agree, but none of the clients has a proxy server set up at all.  So if their browsers are not sending to Websense as a proxy, how is it able to block the content?  Could it be that Websense is responding to the request from the browser before the actual web site responds?  If so, what happens to the actual response?  Does it just get ignored since the browser has already received a response?

If the clients were pointing to Websense as their proxy, I would understand how it is all working.  That is the issue, none of them are pointing to a proxy server.
 
jasonzook (Author) Commented:
giltjr: I checked on that.  There is no reference in any of the PIX configs to the IP of the Websense server.  Don't you think that if the PIX were doing that, that there would be a reference to the proxy IP?
 
giltjr Commented:
Do you have any Cisco routers or L3 switches within your network? WCCP is typically done in router/L3 switches.

On one of the clients issue the command proxycfg and see if there is a proxy configured outside of IE.

Are all of the clients pointing to the PIX as their default route?
 
jasonzook (Author) Commented:
We only have the PIX and all clients point to it as the default gateway.  The result of proxycfg is "direct access (no proxy server)".  We have no Cisco switches.  Would a 3com be able to run WCCP?
 
giltjr Commented:
If it is managed, yes.  You may also want to see if the 3Com has a port set up for port mirroring.  

I don't know if WebSense can do this, but I have heard of IPS/IDS's that will sit on a mirror port and when they see "suspect activity" send TCP RESET's to both hosts in the conversation.
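The mirror-port theory in the comment above can be checked from a client-side packet capture: a reset or block page forged by a device on the local LAN usually arrives with a different IP TTL than the packets the real server sent during the handshake. The following is an added example, not part of the original thread; the packet records are constructed, and the field names, the tolerance and the use of the SYN-ACK as the TTL baseline are assumptions.

```python
# Constructed sample of inbound packets as seen on a client, reduced to the
# fields this check needs. 203.0.113.10 stands in for a remote web server.
PACKETS = [
    {"flow": 1, "src": "203.0.113.10", "ttl": 52,  "flags": "SA"},  # real SYN-ACK
    {"flow": 1, "src": "203.0.113.10", "ttl": 127, "flags": "PA"},  # data, odd TTL
    {"flow": 1, "src": "203.0.113.10", "ttl": 127, "flags": "R"},   # reset, odd TTL
    {"flow": 1, "src": "203.0.113.10", "ttl": 52,  "flags": "PA"},  # late real reply
    {"flow": 2, "src": "203.0.113.10", "ttl": 52,  "flags": "SA"},
    {"flow": 2, "src": "203.0.113.10", "ttl": 51,  "flags": "PA"},  # normal jitter
    {"flow": 2, "src": "203.0.113.10", "ttl": 52,  "flags": "R"},   # genuine reset
]


def find_injected(packets, tolerance=2):
    """Return (index, packet) pairs whose TTL departs from the flow's SYN-ACK.

    Assumption: the SYN-ACK comes from the real server, because a filter that
    decides on the requested URL cannot act before the handshake has finished.
    """
    baseline = {}
    suspects = []
    for i, pkt in enumerate(packets):
        key = (pkt["flow"], pkt["src"])
        if pkt["flags"] == "SA":
            baseline.setdefault(key, pkt["ttl"])
            continue
        if key in baseline and abs(pkt["ttl"] - baseline[key]) > tolerance:
            suspects.append((i, pkt))
    return suspects


def flows_with_forged_reset(packets, tolerance=2):
    """Flows in which a TTL-anomalous packet carries the RST flag."""
    return sorted({pkt["flow"] for _, pkt in find_injected(packets, tolerance)
                   if "R" in pkt["flags"]})


if __name__ == "__main__":
    for idx, pkt in find_injected(PACKETS):
        print(f"packet {idx}: flow {pkt['flow']} flags={pkt['flags']} ttl={pkt['ttl']}")
    print("flows with a likely forged reset:", flows_with_forged_reset(PACKETS))
```

A TTL mismatch is a heuristic, not proof: load balancers and asymmetric routes can also shift TTLs, so confirm against the switch's mirror-port configuration.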
 
jlockie Commented:
Do a "show ip wccp" on your PIX... most likely the PIX is dumping the HTTP GET traffic to the Websense, not your 3COM.  

Where are you looking for a reference to the Websense, and how, on the PIX?  Are you doing "show run"?

WCCP is an IP layer 3 protocol so it's always run on routers (and switches configured as routers) :-).  Like giltjr says, possibly there is a SPAN port configured on your 3COM.  This is easy to check.  But it is not typical for anything other than an IPS/IDS.  

The proper method is in-path first, and if you cannot configure in path then WCCP or equivalent.  This is true for both caching and content filtering, etc.

I do believe 3COM can run WCCP, but WCCP is a Cisco protocol so you will be paying for it.
 
giltjr Commented:
What did you find out?