Re: [fw-wiz] Websense protocol Version 4?
From: Kevin (kkadow_at_gmail.com)
To: firstname.lastname@example.org Date: Wed, 9 Mar 2005 21:57:29 -0600
On Mon, 7 Mar 2005 10:42:14 -0500, Paul Melson <email@example.com> wrote:
> > Kevin Kadow wrote:
> > I see from PIX and Websense documentation that the recommended
> > configuration for URL filtering is to use the following PIX command:
> > url-server host <IP-NUMBER> protocol UDP version 4
> > Websense and PIX can also be configured to use a TCP protocol.
> > Are either of these protocols documented anywhere?
> > I searched both Cisco and Websense, but did not see specifications for the
> > communication protocol between the PIX and the filter engine.
> > Information on the Websense site shows that V4.x uses port 15868 for the
> "Filtering service", and 15871 for blocking messages, but does not document
> the protocol itself.
> The WebSense protocols are proprietary, and not publicly available (at least
> that I've seen). There also appear to be differences between the WebSense
> protocol used for PIX firewalls and the one used for Check Point firewalls
> Port 15868 listens for the actual url-filter requests from the firewall and
> issues a response code based on matching. Port 15871 is something like an
> HTTP server and issues an alert that is inserted in-stream to the browser,
> letting the user know that WebSense has blocked the URL they've requested.
We're making some progress on unpacking the Websense protocol
on TCP/15686 from examination of sniffer traces. Much of the contents
of a TCP request is obvious, (the URL, the client IP as four binary bytes, etc),
but there are also several binary bytes which are static across requests and
some fixed-length blocks of binary which change (checksum?) all of which the
purpose is not immediately obvious. No signs of encryption.
Once I get my new test PIX I'll try the UDP protocol and see if it is perhaps
easier to interpret; right now I'm limited to sniffing real traffic.
If nothing else, it'd be interesting to have an Ethereal plugin for Websense :)
firewall-wizards mailing list