Solved

Getting useful information from a Websense Report

Posted on 2013-01-07
9
424 Views
Last Modified: 2013-02-25
I currently have Websense WebSecurity deployed in my environment, and I'm several versions behind, currently on Websense Manager 7.1.

Frequently, we'll have issues with bandwidth being chewed up, or suspicions about inappropriate usage of our bandwidth, but are unable to obtain useful information from reports.  Our largest bandwidth hogs will frequently be reporting as visiting https IP ranges, and we really have no idea what these are, or what's coming across the wire.  Sometimes, we'll be able to run a WHOIS and get something like Limelight, but that still doesn't really tell me what's happening.  More frequently, you'll be unable to determine the destination, what kind of traffic is coming across, or anything else that would give you political reason to investigate the user more thoroughly, or get their manager to actually back you.

So, how can I actually find useful data?  How can I generate a report that allows me to have any kind of real visibility into where the user is going, or what kind of traffic they're using?

Attached is a screenshot to show the typical return I get on investigative reports.

If it has any relevance, the Websense server sits on a 2008 server (R1) VM, on an ESX host.  The initial config took multiple days back when Websense was still willing to assist with deployment.  I'm understaffed, and the upgrade project appears sufficiently complex enough to be very intimidating.

Thanks for your time and help.
WSScreen.jpg
0
Comment
Question by:jasondimaio
9 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 38753797
> .. and we really have no idea what these are
use nslookup or whatever your os has to reverse lookup the IP

> .. unable to determine the destination ..
the destination is the IP as written in the report, what else do you expect?

> .. what kind of traffic is coming across, ..
it's https as wriiten in the report

> How can I generate a report that allows me to have any kind of real visibility into where the user is going, or what kind of traffic they're using?
the report already contains "where" the user is going

if you're talking about "what" the user is there looking for, you first need to inform your users that you're monitoring the traffic and ask for permission to do so (depends on the regulations in your country), then you need to use a proxy for https which then obviusly breaks the trust of SSL
0
 
LVL 62

Assisted Solution

by:btan
btan earned 250 total points
ID: 38753907
Are we already looking at all the various type of report not able to meet this needed...below are some categories...

http://www.websense.com/content/support/library/web/v77/presentation_rpt_qs/pr_customize.aspx

http://www.websense.com/content/support/library/data/v753/help/view%20incidents.aspx

But also suggest that you understand not all site visited are user intended...maybe can check below


http://community.websense.com/forums/t/3638.aspx
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 38754161
> .. not all site visited are user intended ..
assuming "user" means a human, I'd qualify most HTTP(S) requests are not user intended (i.g. all advertising and tracking ;-)
0
 
LVL 62

Expert Comment

by:btan
ID: 38754185
Yap as shared in the link ;) which generate such traffic from other embedded links hosted at the fronting website...
0
Free camera licenses with purchase of My Cloud NAS

Milestone Arcus software is compatible with thousands of industry-leading cameras for added flexibility. Upon installation on your My Cloud NAS, you will receive two (2) camera licenses already enabled in the software. And for a limited time, get additional camera licenses FREE.

 
LVL 8

Assisted Solution

by:amatson78
amatson78 earned 125 total points
ID: 38754307
I would also look into the Websense Content Gateway Integration for your environment as this proxy will decrypt the certificates and header info showing you the destination URL vs the IP as you get now.

Cheers, Alan
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 38754634
fyi, limelight is a cdn (content delivery network) so it could be ANYTHING so unless you break the ssl
0
 

Author Comment

by:jasondimaio
ID: 38754803
To the above snarky comments, I'm sorry I was not clear.  Yes, I can see the IP address to which they go.  That's not useful to me, as it doesn't really give me any context for what they're doing.  Whatever the traffic is going across SSL is secured traffic, I get that, but again, not useful to me, as I can't tell if it's streaming media, downloaded data, or something else, so again, not useful to me.  Websense also doesn't tell me (from what I know) what front-end generated the back-end SSL connection/traffic in the first place.  THAT could be useful.

I've had issues with Akamai destinations as well, but I was hoping that someone more versed in Websense could give me some better tips or tools to actually determine what kind of content was being delivered, as actually visiting the IPs, doing a WhoIS, or anything else doesn't really tell me a thing.  Considering how pervasive Akamai is, I can't really block it.

For those of you that tried to help, I do appreciate it.  From what I can tell in this thread, there's not really anything I can do to glean more information or use Websense in a more productive manner without spending more money.  Alan, I'll look at that tool.  Thank you.
0
 
LVL 62

Assisted Solution

by:btan
btan earned 250 total points
ID: 38754917
Reporting tool from content filter will not be simply be accurate by just seeing the url in forward proxy deployment with user surfing the internet. That is why they also preached to Bb supplemented by reputation engine and other network forensic tool before it get encrypted or simply be a MITM or MITB. Akamai purely embedded the url they fronted with tier dynamic DNS host. Even firewall need to configured dynamic address object to detect and block if needed. Not straightforward having this obscurity running through. But I will say application analytics and filter is still something to fish out any anomalies of leakage intentionally. .. Some analytics you may be nterested is solera and lastline or recent rsa security analytic using netwitness. ..just my few cents
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 125 total points
ID: 38755142
hmm, so you simple requirement is to see the URL in your websense?
to do that, your websense need to be the proxy (MiTM) and hence breaking SSL as I already explained in my first comment
0

Featured Post

Give your grad a cloud of their own!

With up to 8TB of storage, give your favorite graduate their own personal cloud to centralize all their photos, videos and music in one safe place. They can save, sync and share all their stuff, and automatic photo backup helps free up space on their smartphone and tablet.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How important is it to take extra precautions to protect your online business? These are some steps you can take to make sure you're free of any cyber crime.
An overview of HIPAA and guidance on this topic that Experts Exchange members can offer.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

25 Experts available now in Live!

Get 1:1 Help Now