From: Mirto on
Dear @ll,
I would like to discuss a problem with Websense.
Websense permits you to filter the internet page using a DB.
We have in our company two user profiles; Basic user and
Administrative user.

Using the Administrator profile, it is simple enough to bybass
Websense by setting a proxy address in the internet browser option.
How can we prevent the Administrator profile from being able to do
this?

Thanks a lot and best regards
From: Joachim Schipper on
Leythos <void(a)nowhere.lan> wrote:
> On Tue, 01 Feb 2005 01:26:14 -0800, Mirto wrote:
>
>> Dear @ll,
>> I would like to discuss a problem with Websense.
>> Websense permits you to filter the internet page using a DB.
>> We have in our company two user profiles; Basic user and
>> Administrative user.
>>
>> Using the Administrator profile, it is simple enough to bybass
>> Websense by setting a proxy address in the internet browser option.
>> How can we prevent the Administrator profile from being able to do
>> this?
>>
>> Thanks a lot and best regards
>
> Why would you want your Administrators blocked from anything?
>

Or, in this case, from something as simple as websurfing? (There are a
couple configuration options that I've wired in in two different places,
so that even if I screw up in one place SAMBA still isn't reachable from
any WAN interface, and so on).

That aside, however, the real problem isn't keeping administrators from
changing proxy settings - it's the fact that you allow port 80 access to
any host beside your proxy. Fix that first, then do the same for port
8080, and possibly 81 (there are some pretty broken installations out
there).

Of course, you still can't filter https traffic... and a moderately
knowledgeable user will be able to find a way around this (use some
public proxy server, connect on a non-standard port, Putty into your
home box and use w3m/links/lynx, test all links on https-capabilities,
etc etc; I've even heard of a web-to-mail gateway, not sure if it's
still operational.)

Another option is to install Snort and set it to monitor for policy
violations. It won't actually stop anyone, but it does tell you who is
surfing for pr0n. [1]

However, I basically believe what you want is a) not a terribly good
idea and b) not technically feasible (you may be able to keep your
average office worker in, but I seriously doubt you'll be able to
contain anyone with a good dose of technical knowledge and a little
patience).

Joachim

[1] Employees resent being spied upon. This will cause all sorts of
problems and may or may not even be legal.
From: T. Sean Weintz on
Mirto wrote:
> Dear @ll,
> I would like to discuss a problem with Websense.
> Websense permits you to filter the internet page using a DB.
> We have in our company two user profiles; Basic user and
> Administrative user.
>
> Using the Administrator profile, it is simple enough to bybass
> Websense by setting a proxy address in the internet browser option.
> How can we prevent the Administrator profile from being able to do
> this?
>
> Thanks a lot and best regards

Use websense in conjunction with a hardware firewall that uses statefull
packet inspection to enforce using the websense server for all HTPP
connections. Many firewalls will specifically support integration with
the websense server to do this.