Greetings
I have deployed Websense in our organization, but we have a specific level of management that does not want to be included in the Websense program. These users are on another floor of the building; however, some of our included users will go up to that floor and log in to a PC for work-related purposes. I need to be able to monitor/log those users when they're at other PCs on different floors.
As it stands, my users are added via the Clients section of Websense via Active Directory, and I have no IPs listed under the Network section of Clients. It seems that if I forward all packets from the switch to Websense, even users NOT LISTED in Websense will be blocked/treated with our Websense policy, thus our management department is impacted by Websense (not allowed). Is there a workaround to this? Am I doing something wrong?
Very confused by your 2nd paragraph... if you're doing AD identification you can give Management users a different policy from everyone else. Heck you can put all those users into 1 AD group and give the policy to the group. As long as your other users are also AD users it shouldn't matter where they log in and they'll get the right policy for them.
That's for filtering... now as for not logging users, that's very dangerous. You're liable not only to have legal / HR issues (unless they blessed this exemption) but if one of those managers gets infected (and starts spreading it internally) you'll have no logs of it happening.
I always recommend that there is NEVER a "Never Block" policy applied to anyone in any environment. The least restrictive policy ever given out should be one that still blocks the Security type categories (Malicious, Spyware, Bot Network, etc). Even the most well meaning users will end up getting themselves infected at some point if you don't, and this is mostly what you pay Websense to protect you from.
Long Story Short: Put managers in 1 AD group, give it a very lenient policy but still have it block Security risk categories. Never exclude anyone from logging because if something goes down you'll be the first one to take the blame. Be very restrictive of who can read the logs and you're fine, heck if management is that afraid implement a policy that requires the Head of HR to approve the retrieval of any manager's logs.
We're blessed with said exemption...
I cannot include these users into Websense though, for it would log their traffic. Any solution?
I am not clear on your actual architecture (e.g., if you are using WCG); however, below is a solution I have seen implemented by various customers who elected not to log (within the SQL Server database) the web traffic activity of designated users (e.g., HR personnel, Legal, Executive Management).
For the users whose traffic you don't want logged, you can create a SQL statement incorporated with the Websense_ETL_Job_(partition_name) to run as a job against the Websense Log Database and have those user names deleted. The SQL statements/Jobs are created within the Microsoft SQL Server Management Studio environment.
This approach allows you to create a Websense Policy (e.g., Default, Permit All, or Deny All) for all users and apply the desired level of Internet Content security protection to regulate accessing websites. Afterwards, you can have the Websense_ETL_Job_(partition_name) remove designated user activity stored within the Log Server Database periodically (e.g., whenever the ETL job is executed). The frequency of user name removal can be adjusted.
Thanks
Terrence
The preferred approach is to delete the entire user record (not just the user name) contained within the log database.
There must be a better solution. I can't imagine I'm the first one with such a dilemma?
I will call Websense tomorrow
There is, I just forget exactly how to do it. I believe one way is you could just avoid their username from ever being used to identify someone so their traffic would only show up as an IP address (which is useless in the long run thanks to DHCP) but this could mess up how you filter them. Just remember you're doing all of this so management can cover their tracks meaning if anything happens you're the only one left to take the fall.
We did this by adding the users that have unlimited access to the 'Unrestricted' policy that was available by default then adding their AD Login Id to the 'Ignore.txt' file in the BIN folder. This way their activity is not filtered or recorded, but anyone else using the workstation would be filtered by the appropriate policy.