Thursday, May 05, 2005

Evaluating websense "censorware" software

Websense is one of the most well-known and widely deployed "corporate" URL filtering products, but it doesn't receive much scrutiny. For example, Peacefire's most recent WebSENSE examination dates back to 2001!

"Websense Enterprise" is normally deployed in a "sniffer" type setup, where the "Network Agent" tries to inspect web requests as they flow by (either directly to the Internet, or as requests towards a proxy or pool of proxies). If it sees something it doesn't like, it spoofs packets to hijack the session and send back a "blocked" page.

There are two positives to this type of deployment:

  1. If the Websense Network Agent fails, all Internet traffic just flows as normal: it "fails open".

  2. If you don't already have proxies deployed, you don't need to deploy a proxy for Websense to work -- you can just set it up as a sniffer without slowing down your Internet throughput.

There is a problem with this "sniffer" design, a problem that leads to a high rate of false positives.

In my experience, Websense Enterprise can, under load, miss "seeing" certain requests, so if you really want to watch the forbidden paris-hilton.mpg, just keep hitting reload and eventually you will get lucky (and your admin will get a ton of log events to review, from all of the times it did successfully block the request).

The above "false negative" problem is made worse by a weird, unpublicized bug in Websense.

For each request from a client, Websense will do DNS lookups on the URL hostname and IP destination of the TCP session. This is necessary if not deployed in front of a proxy, where Websense needs to do a reverse lookup to figure out the real web site being accessed.

The problem is that Websense can miss out on blocking HTTP requests if it gets slow DNS answers, even for requests towards a proxy where the cleartext URL has a "banned" domain name, requests for which you would not expect DNS lookups to be a factor in the allow/deny decision.
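To make the failure mode concrete, here is a small Python model of the race a sniffer-type filter has to win; it is an added illustration, not Websense code or anything from the original post, and the hostnames, latencies and the `dns_gated` switch are constructed assumptions. It shows how a lookup in the decision path turns into misses, and that deciding on the cleartext proxy URL first (no lookup) removes the race.

```python
"""Model of the race an out-of-band ("sniffer") URL filter must win.

Constructed model, not vendor code: the filter sees the client's request,
reaches an allow/deny verdict, then must spoof a block page before the real
server's response reaches the client. Any latency in the decision path (here,
a DNS lookup) shifts the odds toward a miss, i.e. the filter fails open.
"""
from dataclasses import dataclass

BANNED_HOSTS = {"banned.example"}  # constructed blocklist


@dataclass
class Request:
    host: str               # hostname in the cleartext URL
    via_proxy: bool         # addressed to a proxy, so the URL names the host
    dns_latency_ms: float   # time the filter spends resolving before deciding
    server_rtt_ms: float    # time until the real response reaches the client


def decision_latency(req: Request, dns_gated: bool) -> float:
    """Time for the filter to reach a verdict. With dns_gated=True the verdict
    waits on the lookup even when the cleartext URL already names the host."""
    if dns_gated or not req.via_proxy:
        return req.dns_latency_ms
    return 0.0  # proxy request: host is in the URL, no lookup needed


def filter_outcome(req: Request, dns_gated: bool, inject_ms: float = 1.0) -> str:
    """Return 'blocked', 'missed' or 'allowed' for one request."""
    if req.host not in BANNED_HOSTS:
        return "allowed"
    verdict_at = decision_latency(req, dns_gated) + inject_ms
    return "blocked" if verdict_at < req.server_rtt_ms else "missed"


def miss_rate(requests: list, dns_gated: bool) -> float:
    """Fraction of banned requests that got through (the 'false negative' rate)."""
    banned = [r for r in requests if r.host in BANNED_HOSTS]
    if not banned:
        return 0.0
    missed = sum(1 for r in banned if filter_outcome(r, dns_gated) == "missed")
    return missed / len(banned)


# Constructed sample traffic: a burst of reloads through the proxy while DNS
# answers slow down (the midday load the post describes).
SAMPLE = [Request("banned.example", True, dns, 40.0) for dns in (5, 20, 35, 60, 120)]
SAMPLE.append(Request("ok.example", True, 200.0, 40.0))

if __name__ == "__main__":
    print("DNS-gated miss rate:", miss_rate(SAMPLE, dns_gated=True))   # 0.4
    print("URL-first miss rate:", miss_rate(SAMPLE, dns_gated=False))  # 0.0
```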

I've found it difficult to reliably exploit this, and so I don't currently have a working "exploit" to publish. If you want to try it for yourself, find a blocked MPG link on Yahoo Video Search, wait until about 11:30 in the morning, then just keep hitting reload and wait for the movie to appear (or HR to come calling).

Lastly, Websense is generally the most expensive for per-seat pricing, and they have a funny notion of "seats" -- the Websense software counts all unique client IP addresses seen as "seats", so if you have short DHCP lease times you can get hit up for a lot more seats than you have employees.
