Solved

Getting useful information from a Websense Report

Posted on 2013-01-07
9
429 Views
Last Modified: 2013-02-25
I currently have Websense WebSecurity deployed in my environment, and I'm several versions behind, currently on Websense Manager 7.1.

Frequently, we'll have issues with bandwidth being chewed up, or suspicions about inappropriate usage of our bandwidth, but are unable to obtain useful information from reports.  Our largest bandwidth hogs will frequently be reporting as visiting https IP ranges, and we really have no idea what these are, or what's coming across the wire.  Sometimes, we'll be able to run a WHOIS and get something like Limelight, but that still doesn't really tell me what's happening.  More frequently, you'll be unable to determine the destination, what kind of traffic is coming across, or anything else that would give you political reason to investigate the user more thoroughly, or get their manager to actually back you.

So, how can I actually find useful data?  How can I generate a report that allows me to have any kind of real visibility into where the user is going, or what kind of traffic they're using?

Attached is a screenshot to show the typical return I get on investigative reports.

If it has any relevance, the Websense server sits on a 2008 server (R1) VM, on an ESX host.  The initial config took multiple days back when Websense was still willing to assist with deployment.  I'm understaffed, and the upgrade project appears sufficiently complex to be very intimidating.

Thanks for your time and help.
WSScreen.jpg
0
9 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 38753797
> .. and we really have no idea what these are
use nslookup or whatever your os has to reverse lookup the IP

> .. unable to determine the destination ..
the destination is the IP as written in the report, what else do you expect?

> .. what kind of traffic is coming across, ..
it's https as written in the report

> How can I generate a report that allows me to have any kind of real visibility into where the user is going, or what kind of traffic they're using?
the report already contains "where" the user is going

if you're talking about "what" the user is there looking for, you first need to inform your users that you're monitoring the traffic and ask for permission to do so (depends on the regulations in your country), then you need to use a proxy for https which then obviously breaks the trust of SSL
0
 
LVL 64

Assisted Solution

by:btan
btan earned 250 total points
ID: 38753907
Are we already looking at all the various types of report, which are not able to meet this need... below are some categories...

http://www.websense.com/content/support/library/web/v77/presentation_rpt_qs/pr_customize.aspx

http://www.websense.com/content/support/library/data/v753/help/view%20incidents.aspx

But I also suggest that you understand not all sites visited are user intended... maybe you can check below


http://community.websense.com/forums/t/3638.aspx
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 38754161
> .. not all site visited are user intended ..
assuming "user" means a human, I'd qualify most HTTP(S) requests as not user intended (e.g. all advertising and tracking ;-)
0
 
LVL 64

Expert Comment

by:btan
ID: 38754185
Yap, as shared in the link ;) which generates such traffic from other embedded links hosted at the fronting website...
0
 
LVL 8

Assisted Solution

by:amatson78
amatson78 earned 125 total points
ID: 38754307
I would also look into the Websense Content Gateway Integration for your environment as this proxy will decrypt the certificates and header info showing you the destination URL vs the IP as you get now.

Cheers, Alan
0
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 38754634
fyi, limelight is a cdn (content delivery network) so it could be ANYTHING unless you break the ssl
0
 

Author Comment

by:jasondimaio
ID: 38754803
To the above snarky comments, I'm sorry I was not clear.  Yes, I can see the IP address to which they go.  That's not useful to me, as it doesn't really give me any context for what they're doing.  Whatever the traffic is going across SSL is secured traffic, I get that, but again, not useful to me, as I can't tell if it's streaming media, downloaded data, or something else, so again, not useful to me.  Websense also doesn't tell me (from what I know) what front-end generated the back-end SSL connection/traffic in the first place.  THAT could be useful.

I've had issues with Akamai destinations as well, but I was hoping that someone more versed in Websense could give me some better tips or tools to actually determine what kind of content was being delivered, as actually visiting the IPs, doing a WhoIS, or anything else doesn't really tell me a thing.  Considering how pervasive Akamai is, I can't really block it.

For those of you that tried to help, I do appreciate it.  From what I can tell in this thread, there's not really anything I can do to glean more information or use Websense in a more productive manner without spending more money.  Alan, I'll look at that tool.  Thank you.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 250 total points
ID: 38754917
A reporting tool from a content filter will not simply be accurate by just seeing the url in a forward proxy deployment with users surfing the internet. That is why they also preached to be supplemented by a reputation engine and other network forensic tools before it gets encrypted or simply becomes a MITM or MITB. Akamai purely embedded the url they fronted with tier dynamic DNS host. Even firewalls need to be configured with dynamic address objects to detect and block if needed. Not straightforward having this obscurity running through. But I will say application analytics and filtering is still something to fish out any anomalies of intentional leakage... Some analytics you may be interested in are solera and lastline or the recent rsa security analytics using netwitness... just my few cents
0
 
LVL 51

Accepted Solution

by:ahoffmann
ahoffmann earned 125 total points
ID: 38755142
hmm, so your simple requirement is to see the URL in your websense?
to do that, your websense needs to be the proxy (MiTM) and hence breaks SSL, as I already explained in my first comment
0
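The thread's two practical points, reverse-looking-up the destination IPs in the report (ahoffmann) and recognising that a CDN address such as Limelight or Akamai identifies only the CDN and not the site behind it (David Johnson), can be combined into a small enrichment step over exported report rows. The script below is an added example, not part of the thread or of any Websense tool; the report rows, the PTR answers in FAKE_PTR and the CDN suffix table are constructed assumptions, and the resolver argument lets it run offline (omit it to do live lookups).

```python
import socket
from collections import defaultdict

# Constructed sample rows in the shape of the report in the question:
# user, destination IP, port, bytes (TEST-NET addresses, not real hosts).
SAMPLE_REPORT = """\
jdoe,203.0.113.10,443,523001234
jdoe,198.51.100.7,443,12000
asmith,203.0.113.10,443,88000000
asmith,192.0.2.25,443,4100
"""

# Constructed PTR answers standing in for live reverse lookups; the
# hostname patterns and the CDN suffix table below are assumptions.
FAKE_PTR = {"203.0.113.10": "a203-0-113-10.deploy.static.akamaitechnologies.com",
            "198.51.100.7": "cds123.iad.llnw.net"}
CDN_SUFFIXES = {"akamaitechnologies.com": "Akamai", "llnw.net": "Limelight"}

def reverse_lookup(ip, resolver=None):
    """PTR name for ip, or None; resolver is an optional dict for offline use."""
    if resolver is not None:
        return resolver.get(ip)
    try:
        return socket.gethostbyaddr(ip)[0]  # live lookup, as the thread suggests
    except (socket.herror, socket.gaierror):
        return None

def classify(hostname):
    """Tag a PTR name with its CDN, 'unknown' if no suffix matches."""
    if not hostname:
        return "unresolved"
    for suffix, label in CDN_SUFFIXES.items():
        if hostname == suffix or hostname.endswith("." + suffix):
            return label
    return "unknown"

def enrich(report_text, resolver=None):
    """Sum bytes per (user, ip), attach PTR name and CDN tag, largest first."""
    totals = defaultdict(int)
    for line in report_text.strip().splitlines():
        user, ip, _port, nbytes = line.split(",")
        totals[(user, ip)] += int(nbytes)
    rows = []
    for (user, ip), nbytes in sorted(totals.items(), key=lambda kv: -kv[1]):
        host = reverse_lookup(ip, resolver)
        # A CDN tag means the IP names only the CDN, not the site behind it,
        # which is why the thread ends at proxy-side URL visibility.
        rows.append({"user": user, "ip": ip, "bytes": nbytes,
                     "ptr": host, "cdn": classify(host)})
    return rows
```

The rows tagged Akamai or Limelight are exactly the ones the thread says cannot be attributed to a site from the IP alone; the unresolved and unknown ones are worth a WHOIS next.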
