Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Getting useful information from a Websense Report

Posted on 2013-01-07
Medium Priority
Last Modified: 2013-02-25
I currently have Websense WebSecurity deployed in my environment, and I'm several versions behind, currently on Websense Manager 7.1.

Frequently, we'll have issues with bandwidth being chewed up, or suspicions about inappropriate usage of our bandwidth, but are unable to obtain useful information from reports.  Our largest bandwidth hogs will frequently be reporting as visiting https IP ranges, and we really have no idea what these are, or what's coming across the wire.  Sometimes, we'll be able to run a WHOIS and get something like Limelight, but that still doesn't really tell me what's happening.  More frequently, you'll be unable to determine the destination, what kind of traffic is coming across, or anything else that would give you political reason to investigate the user more thoroughly, or get their manager to actually back you.

So, how can I actually find useful data?  How can I generate a report that allows me to have any kind of real visibility into where the user is going, or what kind of traffic they're using?

Attached is a screenshot to show the typical return I get on investigative reports.

If it has any relevance, the Websense server sits on a 2008 server (R1) VM, on an ESX host.  The initial config took multiple days back when Websense was still willing to assist with deployment.  I'm understaffed, and the upgrade project appears sufficiently complex enough to be very intimidating.

Thanks for your time and help.
Question by:jasondimaio
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 51

Expert Comment

ID: 38753797
> .. and we really have no idea what these are
use nslookup or whatever your os has to reverse lookup the IP

> .. unable to determine the destination ..
the destination is the IP as written in the report, what else do you expect?

> .. what kind of traffic is coming across, ..
it's https as wriiten in the report

> How can I generate a report that allows me to have any kind of real visibility into where the user is going, or what kind of traffic they're using?
the report already contains "where" the user is going

if you're talking about "what" the user is there looking for, you first need to inform your users that you're monitoring the traffic and ask for permission to do so (depends on the regulations in your country), then you need to use a proxy for https which then obviusly breaks the trust of SSL
LVL 65

Assisted Solution

btan earned 500 total points
ID: 38753907
Are we already looking at all the various type of report not able to meet this needed...below are some categories...



But also suggest that you understand not all site visited are user intended...maybe can check below

LVL 51

Expert Comment

ID: 38754161
> .. not all site visited are user intended ..
assuming "user" means a human, I'd qualify most HTTP(S) requests are not user intended (i.g. all advertising and tracking ;-)
Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

LVL 65

Expert Comment

ID: 38754185
Yap as shared in the link ;) which generate such traffic from other embedded links hosted at the fronting website...

Assisted Solution

amatson78 earned 250 total points
ID: 38754307
I would also look into the Websense Content Gateway Integration for your environment as this proxy will decrypt the certificates and header info showing you the destination URL vs the IP as you get now.

Cheers, Alan
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 38754634
fyi, limelight is a cdn (content delivery network) so it could be ANYTHING so unless you break the ssl

Author Comment

ID: 38754803
To the above snarky comments, I'm sorry I was not clear.  Yes, I can see the IP address to which they go.  That's not useful to me, as it doesn't really give me any context for what they're doing.  Whatever the traffic is going across SSL is secured traffic, I get that, but again, not useful to me, as I can't tell if it's streaming media, downloaded data, or something else, so again, not useful to me.  Websense also doesn't tell me (from what I know) what front-end generated the back-end SSL connection/traffic in the first place.  THAT could be useful.

I've had issues with Akamai destinations as well, but I was hoping that someone more versed in Websense could give me some better tips or tools to actually determine what kind of content was being delivered, as actually visiting the IPs, doing a WhoIS, or anything else doesn't really tell me a thing.  Considering how pervasive Akamai is, I can't really block it.

For those of you that tried to help, I do appreciate it.  From what I can tell in this thread, there's not really anything I can do to glean more information or use Websense in a more productive manner without spending more money.  Alan, I'll look at that tool.  Thank you.
LVL 65

Assisted Solution

btan earned 500 total points
ID: 38754917
Reporting tool from content filter will not be simply be accurate by just seeing the url in forward proxy deployment with user surfing the internet. That is why they also preached to Bb supplemented by reputation engine and other network forensic tool before it get encrypted or simply be a MITM or MITB. Akamai purely embedded the url they fronted with tier dynamic DNS host. Even firewall need to configured dynamic address object to detect and block if needed. Not straightforward having this obscurity running through. But I will say application analytics and filter is still something to fish out any anomalies of leakage intentionally. .. Some analytics you may be nterested is solera and lastline or recent rsa security analytic using netwitness. ..just my few cents
LVL 51

Accepted Solution

ahoffmann earned 250 total points
ID: 38755142
hmm, so you simple requirement is to see the URL in your websense?
to do that, your websense need to be the proxy (MiTM) and hence breaking SSL as I already explained in my first comment

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes Administrators rights are not enough. These cases call for the SYSTEM account. The process in this article outlines the steps required to execute commands using the SYSTEM account.
A new hacking trick has emerged leveraging your own helpdesk or support ticketing tools as an easy way to distribute malware.
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question