Getting useful information from a Websense Report

Posted on 2013-01-07
Medium Priority
Last Modified: 2013-02-25
I currently have Websense WebSecurity deployed in my environment, and I'm several versions behind, currently on Websense Manager 7.1.

Frequently, we'll have issues with bandwidth being chewed up, or suspicions about inappropriate usage of our bandwidth, but are unable to obtain useful information from reports.  Our largest bandwidth hogs will frequently be reporting as visiting https IP ranges, and we really have no idea what these are, or what's coming across the wire.  Sometimes, we'll be able to run a WHOIS and get something like Limelight, but that still doesn't really tell me what's happening.  More frequently, you'll be unable to determine the destination, what kind of traffic is coming across, or anything else that would give you political reason to investigate the user more thoroughly, or get their manager to actually back you.

So, how can I actually find useful data?  How can I generate a report that allows me to have any kind of real visibility into where the user is going, or what kind of traffic they're using?

Attached is a screenshot to show the typical return I get on investigative reports.

If it has any relevance, the Websense server sits on a 2008 server (R1) VM, on an ESX host.  The initial config took multiple days back when Websense was still willing to assist with deployment.  I'm understaffed, and the upgrade project appears sufficiently complex enough to be very intimidating.

Thanks for your time and help.
Question by:jasondimaio
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 51

Expert Comment

ID: 38753797
> .. and we really have no idea what these are
use nslookup or whatever your os has to reverse lookup the IP

> .. unable to determine the destination ..
the destination is the IP as written in the report, what else do you expect?

> .. what kind of traffic is coming across, ..
it's https as wriiten in the report

> How can I generate a report that allows me to have any kind of real visibility into where the user is going, or what kind of traffic they're using?
the report already contains "where" the user is going

if you're talking about "what" the user is there looking for, you first need to inform your users that you're monitoring the traffic and ask for permission to do so (depends on the regulations in your country), then you need to use a proxy for https which then obviusly breaks the trust of SSL
LVL 64

Assisted Solution

btan earned 500 total points
ID: 38753907
Are we already looking at all the various type of report not able to meet this needed...below are some categories...



But also suggest that you understand not all site visited are user intended...maybe can check below

LVL 51

Expert Comment

ID: 38754161
> .. not all site visited are user intended ..
assuming "user" means a human, I'd qualify most HTTP(S) requests are not user intended (i.g. all advertising and tracking ;-)
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 64

Expert Comment

ID: 38754185
Yap as shared in the link ;) which generate such traffic from other embedded links hosted at the fronting website...

Assisted Solution

amatson78 earned 250 total points
ID: 38754307
I would also look into the Websense Content Gateway Integration for your environment as this proxy will decrypt the certificates and header info showing you the destination URL vs the IP as you get now.

Cheers, Alan
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 38754634
fyi, limelight is a cdn (content delivery network) so it could be ANYTHING so unless you break the ssl

Author Comment

ID: 38754803
To the above snarky comments, I'm sorry I was not clear.  Yes, I can see the IP address to which they go.  That's not useful to me, as it doesn't really give me any context for what they're doing.  Whatever the traffic is going across SSL is secured traffic, I get that, but again, not useful to me, as I can't tell if it's streaming media, downloaded data, or something else, so again, not useful to me.  Websense also doesn't tell me (from what I know) what front-end generated the back-end SSL connection/traffic in the first place.  THAT could be useful.

I've had issues with Akamai destinations as well, but I was hoping that someone more versed in Websense could give me some better tips or tools to actually determine what kind of content was being delivered, as actually visiting the IPs, doing a WhoIS, or anything else doesn't really tell me a thing.  Considering how pervasive Akamai is, I can't really block it.

For those of you that tried to help, I do appreciate it.  From what I can tell in this thread, there's not really anything I can do to glean more information or use Websense in a more productive manner without spending more money.  Alan, I'll look at that tool.  Thank you.
LVL 64

Assisted Solution

btan earned 500 total points
ID: 38754917
Reporting tool from content filter will not be simply be accurate by just seeing the url in forward proxy deployment with user surfing the internet. That is why they also preached to Bb supplemented by reputation engine and other network forensic tool before it get encrypted or simply be a MITM or MITB. Akamai purely embedded the url they fronted with tier dynamic DNS host. Even firewall need to configured dynamic address object to detect and block if needed. Not straightforward having this obscurity running through. But I will say application analytics and filter is still something to fish out any anomalies of leakage intentionally. .. Some analytics you may be nterested is solera and lastline or recent rsa security analytic using netwitness. ..just my few cents
LVL 51

Accepted Solution

ahoffmann earned 250 total points
ID: 38755142
hmm, so you simple requirement is to see the URL in your websense?
to do that, your websense need to be the proxy (MiTM) and hence breaking SSL as I already explained in my first comment

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There is a lot to be said for protecting yourself and your accounts with 2 factor authentication.  I found to my own chagrin, that there is a big downside as well.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question