My Security Team approached me today with a request. They have gleaned a list of 12,640 "sites" that they would like recategorized to a user defined category. Then have an SNMP trap sent to RSA enVision SIEM when any user hits items on the list.
My first thoughts are that this large of a list would bury the CPU but I have no proof of that.
Any thoughts??
Here is a sample of the list:
Instead of letting your security team determine and maintain a list of malicious URLs, rather let Websense do it, that is what you are paying for. I bet that all those URLs are already categorised in security categories. Not only that but there are probably millions more that Websense are aware of that are not on the list given to you.
You can also send SNMP alerts to enVision every time a security category is triggered.
What countries do you do business in? We're US-only so we take a bludgeon to non-ARIN inbound IP addresses. We also use a geo-protection on the firewalls to drop outbound traffic to lots of countries.
One glaring lack in Websense is there is no way to block country-specific URLs as we could do with ISA server. The ability to drop *.in, *.cn, *.pk, *.ru and similar would save us a lot of alerts.
I don't think adding 12,000 URLs would be noticeable unless Websense somehow runs User Defined categories a lot slower. But that list is going to have a short life. Change the folder and some of those paths are history. Switch to a random domain and it's the same result. It might make them feel better but the reduction in risk is going to be small.
We use our <other vendor's firewall> Geo Protection feature for the countries we do not do business with, so that is taken care of.
I brought up the relatively short life of such a list but they wish to recreate it every 2-4 weeks. It just seems a bad way of getting the alerting they want.
Put the URLs through the Web Lookup Tool on this site. Let Websense recategorize them as malicious and do all that, no need for you to maintain a custom category.
That's fine if you pay the additional subscription for the security categories... maybe the OP does not and is looking to set up a custom category to do similar.
Personally, I think the security categories should be bundled in the base subscription; after all, you are paying for an internet filtering solution... these security categories were introduced as a way of Websense making money, and were previously part of existing included categories.
So set it up for them and if it brings the box to its knees, which I doubt, you'll be able to remove it. Just make sure they give it to you in a format you can import, including the needed additions to cover HTTPS links.
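One way to prepare such a list before import, as an added example that is not part of the thread and not Websense tooling: it normalizes hand-gathered entries, removes duplicates, and emits both an HTTP and an HTTPS form of each. The one-URL-per-line output is an assumption, not a documented Websense import format, and the sample entries are constructed using reserved example domains.

```python
from urllib.parse import urlsplit

# Constructed sample entries (reserved example domains), in the mixed,
# mostly scheme-less form a hand-gathered list usually arrives in.
RAW = """
bad.example.com/z2/bot.exe
BAD.example.com/z2/bot.exe
http://files.example.net/hm/bot.exe
files.example.net/other/tmp.exe
https://cdn.example.org/ex/1.exe

# comment line
"""


def normalize(entry):
    """Return (host, path) for one raw entry, or None for blanks/comments."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    if "://" not in entry:
        entry = "http://" + entry  # give urlsplit a scheme to parse against
    parts = urlsplit(entry)
    host = (parts.hostname or "").lower()  # host names are case-insensitive
    if not host:
        return None
    return host, parts.path or "/"


def build_import(raw):
    """Deduplicate entries; return (urls with http+https forms, distinct hosts)."""
    seen = sorted({n for n in map(normalize, raw.splitlines()) if n})
    urls = [f"{scheme}://{host}{path}"
            for host, path in seen
            for scheme in ("http", "https")]
    hosts = sorted({host for host, _ in seen})
    return urls, hosts


if __name__ == "__main__":
    urls, hosts = build_import(RAW)
    print(f"{len(urls)} import lines covering {len(hosts)} distinct hosts")
    print("\n".join(urls))
```

The host count next to the URL count shows how much of the list is path-specific, which is the part that goes stale first when a folder or file name changes.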