Hello,
We do not (can't and will not) use an inline solution so we can't do https mitm. Websense web filtering is very easy to "bypass" by using https; fully blocking https protocol is not an option due to obvious reasons.
As an example, we block facebook but users now use https to access facebook and other blocked websites; so they just say that our/your filtering solution is ridiculously easy to bypass. In reports we see that some https IPs are already classified (7.0.1) and, as websense is able to block non http protocols, why can't it reset https connections on IPs belonging to blocked/quota'ed categories?
We are aware that it is not possible to redirect the user to a blockpage without an inline solution; blocking/quota will result in an error in the user browser but, in our case, it's still a better solution than having users accessing sites in blocked categories.
So my request is that Websense should be able to use categories and take action on websites using ssl.
thanks
This already exists. Please use Websense Content Gateway with Cisco's WCCP statements in your Cisco firewall/router.
JACOB SLOAN, CCNA, WCSE
hello,
we're using network agents and have no integration with other products. network agent should be able to do such a thing, this is the feature request.
thanks,
In order to get the url that users are going to, the SSL Session has to be decrypted. To get that, you have to have either the source or destination end of that secure tunnel connection. Since Network Agent intercepts in the middle, it has neither session key to decrypt the communication. Hence why Network Agent only will report IP addresses for HTTPS sites.
The only time the site is mentioned is when the certificate is sent across during the first few milliseconds of the establishment of the SSL session. This is detailed in http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html.
The problem with this is that a certificate's common name doesn't necessarily mean that you went to THAT site. A single certificate can be used in many different sites if all the same sites are listed in the certificate's Subject Alternative Name. In which case, if Network Agent does get this feature, it may not report on the correct url for that IP address.
But, I did put this feature request in June of 2009.... And I expect to see it in version 8.0
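The Subject Alternative Name ambiguity described in the post above, as an added example that is not part of the original thread and not Websense code: it collects every name a server certificate carries and reports whether they all map to one filtering category. The category table, host names and certificates are constructed, and the certificate layout assumed is the dict returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Constructed host-to-category table (hypothetical, not a vendor database).
CATEGORIES = {
    "social.example": "Social Networking",
    "cdn.example": "Content Delivery",
    "bank.example": "Financial",
}

# Constructed certificates in the dict layout of ssl.SSLSocket.getpeercert().
SINGLE_SITE = {
    "subject": ((("commonName", "www.social.example"),),),
    "subjectAltName": (("DNS", "www.social.example"), ("DNS", "*.social.example")),
}
SHARED = {
    "subject": ((("commonName", "edge.cdn.example"),),),
    "subjectAltName": (("DNS", "edge.cdn.example"), ("DNS", "www.social.example"),
                       ("DNS", "login.bank.example")),
}

def cert_names(cert):
    """Return every DNS name the certificate covers: subject CN, then SAN entries."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value.lower() not in names:
            names.append(value.lower())
    return names

def category_for(name):
    """Look a name up by walking to parent domains; '*.x' is matched as 'x'."""
    host = name[2:] if name.startswith("*.") else name
    while host:
        if host in CATEGORIES:
            return CATEGORIES[host]
        host = host.partition(".")[2]  # drop the leftmost label
    return "Uncategorized"

def classify(cert):
    """Return (verdict, categories); 'unambiguous' only if all names share one category."""
    cats = sorted({category_for(n) for n in cert_names(cert)})
    return ("unambiguous" if len(cats) == 1 else "ambiguous", cats)

if __name__ == "__main__":
    for label, cert in (("single-site", SINGLE_SITE), ("shared", SHARED)):
        print(label, cert_names(cert), classify(cert))
```

For the shared certificate a passive sensor can only say the connection went to one of three categories, which is why a block or report keyed on the common name alone can name the wrong site.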
gdut, it sounds to me like you're not filtering HTTPS at all... as Sloan points out this is definitely possible, even without the Content Gateway. I know in my environment if I block Social Networking category users cannot simply use the https version of Facebook to get around it or any other website/category for that matter.
I'd definitely recommend confirming whether or not you are filtering HTTPS at all and open a ticket with Websense to address. The Protocol Set "HTTPS" is only used to block HTTPS entirely for your users of that policy... if you allow it the URL they request still has to be in a category they're allowed access to.
I have integrated websense v checkpoint, I am having the same problem, do we have any other solution other than WCS?
This forum post is 2 years old Manik, I'd suggest opening a new thread and going into much more detail about your problem and what you have.