From: Mirto on 1 Feb 2005 04:26 Dear @ll, I would like to discuss a problem with Websense. Websense permits you to filter the internet page using a DB. We have in our company two user profiles; Basic user and Administrative user. Using the Administrator profile, it is simple enough to bybass Websense by setting a proxy address in the internet browser option. How can we prevent the Administrator profile from being able to do this? Thanks a lot and best regards
From: Joachim Schipper on 2 Feb 2005 13:24 Leythos <void(a)nowhere.lan> wrote: > On Tue, 01 Feb 2005 01:26:14 -0800, Mirto wrote: > >> Dear @ll, >> I would like to discuss a problem with Websense. >> Websense permits you to filter the internet page using a DB. >> We have in our company two user profiles; Basic user and >> Administrative user. >> >> Using the Administrator profile, it is simple enough to bybass >> Websense by setting a proxy address in the internet browser option. >> How can we prevent the Administrator profile from being able to do >> this? >> >> Thanks a lot and best regards > > Why would you want your Administrators blocked from anything? > Or, in this case, from something as simple as websurfing? (There are a couple configuration options that I've wired in in two different places, so that even if I screw up in one place SAMBA still isn't reachable from any WAN interface, and so on). That aside, however, the real problem isn't keeping administrators from changing proxy settings - it's the fact that you allow port 80 access to any host beside your proxy. Fix that first, then do the same for port 8080, and possibly 81 (there are some pretty broken installations out there). Of course, you still can't filter https traffic... and a moderately knowledgeable user will be able to find a way around this (use some public proxy server, connect on a non-standard port, Putty into your home box and use w3m/links/lynx, test all links on https-capabilities, etc etc; I've even heard of a web-to-mail gateway, not sure if it's still operational.) Another option is to install Snort and set it to monitor for policy violations. It won't actually stop anyone, but it does tell you who is surfing for pr0n. [1] However, I basically believe what you want is a) not a terribly good idea and b) not technically feasible (you may be able to keep your average office worker in, but I seriously doubt you'll be able to contain anyone with a good dose of technical knowledge and a little patience). Joachim [1] Employees resent being spied upon. This will cause all sorts of problems and may or may not even be legal.
From: T. Sean Weintz on 2 Feb 2005 14:38 Mirto wrote: > Dear @ll, > I would like to discuss a problem with Websense. > Websense permits you to filter the internet page using a DB. > We have in our company two user profiles; Basic user and > Administrative user. > > Using the Administrator profile, it is simple enough to bybass > Websense by setting a proxy address in the internet browser option. > How can we prevent the Administrator profile from being able to do > this? > > Thanks a lot and best regards Use websense in conjunction with a hardware firewall that uses statefull packet inspection to enforce using the websense server for all HTPP connections. Many firewalls will specifically support integration with the websense server to do this.
|
Pages: 1 Next: WatchGuard SOHO WG2500 plz help..... |