Re: [fw-wiz] Websense protocol Version 4?
From: Kevin (kkadow_at_gmail.com)
Date: 03/10/05
- Previous message: Marcus J. Ranum: "Re: [fw-wiz] MJR on Linux/OSS"
- In reply to: Paul Melson: "RE: [fw-wiz] Websense protocol Version 4?"
- Next in thread: Kevin Sheldrake: "Re: [fw-wiz] Websense protocol Version 4?"
- Reply: Kevin Sheldrake: "Re: [fw-wiz] Websense protocol Version 4?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com
Date: Wed, 9 Mar 2005 21:57:29 -0600
On Mon, 7 Mar 2005 10:42:14 -0500, Paul Melson <psmelson@comcast.net> wrote:
> > Kevin Kadow wrote:
> > I see from PIX and Websense documentation that the recommended
> > configuration for URL filtering is to use the following PIX command:
> > url-server host <IP-NUMBER> protocol UDP version 4
> >
> > Websense and PIX can also be configured to use a TCP protocol.
> >
> > Are either of these protocols documented anywhere?
> > I searched both Cisco and Websense, but did not see specifications for the
> > communication protocol between the PIX and the filter engine.
> >
> > Information on the Websense site shows that V4.x uses port 15868 for the
> > "Filtering service", and 15871 for blocking messages, but does not document
> > the protocol itself.
>
> The WebSense protocols are proprietary, and not publicly available (at least
> that I've seen). There also appear to be differences between the WebSense
> protocol used for PIX firewalls and the one used for Check Point firewalls
> (UFP).
>
> Port 15868 listens for the actual url-filter requests from the firewall and
> issues a response code based on matching. Port 15871 is something like an
> HTTP server and issues an alert that is inserted in-stream to the browser,
> letting the user know that WebSense has blocked the URL they've requested.
>
> PaulM
Thanks.
We're making some progress on unpacking the Websense protocol
on TCP/15686 from examination of sniffer traces. Much of the contents
of a TCP request is obvious (the URL, the client IP as four binary bytes, etc.),
but there are also several binary bytes which are static across requests and
some fixed-length blocks of binary which change (checksum?), the purpose of all
of which is not immediately obvious. No signs of encryption.
Once I get my new test PIX I'll try the UDP protocol and see if it is perhaps
easier to interpret; right now I'm limited to sniffing real traffic.
If nothing else, it'd be interesting to have an Ethereal plugin for Websense :)
Kevin Kadow
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
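The analysis described in the message above (comparing several sniffed requests to separate bytes that are static across requests from fixed-length blocks that change, then pinning down known values such as the client IP encoded as four raw bytes) is the usual first step toward a protocol dissector. The following is an added example of that workflow, not code from the original post and not the real Websense format: the payload layout, the `build_sample` helper, the sample URLs and the client IPs are all constructed for illustration.

```python
"""Differential analysis of captured request payloads for an undocumented
binary protocol (added example, not code from the original post).

Several captures of the same request type are compared byte by byte:
offsets whose value never changes are candidate magic/version bytes, runs
of changing bytes are candidate length, counter, address or checksum
fields.  Values already known from the sniffer trace (here, the client IPs)
are then searched for to pin a field to an offset.  The payload layout
below is CONSTRUCTED for illustration and is not the real Websense format.
"""
import struct
from typing import List, Optional, Tuple


def ipv4_bytes(ip: str) -> bytes:
    """Dotted quad -> its four raw bytes (the encoding the post reports seeing)."""
    return bytes(int(octet) for octet in ip.split("."))


def build_sample(url: bytes, client_ip: str, counter: int) -> bytes:
    """Constructed layout: 2 fixed bytes, 2-byte big-endian body length,
    4-byte client IP, 4-byte request counter, then the URL."""
    body = ipv4_bytes(client_ip) + struct.pack(">I", counter) + url
    return b"\x00\x04" + struct.pack(">H", len(body)) + body


# Stand-ins for payloads pulled from a sniffer trace (constructed, see above).
KNOWN_CLIENT_IPS = ["192.0.2.10", "192.0.2.11", "192.0.2.10"]
SAMPLES = [
    build_sample(b"http://www.example.com/", KNOWN_CLIENT_IPS[0], 17),
    build_sample(b"http://www.example.net/a", KNOWN_CLIENT_IPS[1], 18),
    build_sample(b"http://www.example.org/b/c", KNOWN_CLIENT_IPS[2], 19),
]


def classify_offsets(samples: List[bytes]) -> List[bool]:
    """True at each offset (over the common prefix) whose byte is identical
    in every sample, False where it varies."""
    n = min(len(s) for s in samples)
    return [len({s[i] for s in samples}) == 1 for i in range(n)]


def byte_runs(samples: List[bytes]) -> List[Tuple[int, int, bool]]:
    """Collapse the per-offset flags into (start, end, constant) runs."""
    flags = classify_offsets(samples)
    runs: List[Tuple[int, int, bool]] = []
    start = 0
    for i in range(1, len(flags) + 1):
        if i == len(flags) or flags[i] != flags[start]:
            runs.append((start, i, flags[start]))
            start = i
    return runs


def locate_field(samples: List[bytes], encodings: List[bytes]) -> Optional[int]:
    """Offset at which each sample carries its own known encoded value,
    or None if the values do not sit at one consistent offset."""
    offsets = {s.find(enc) for s, enc in zip(samples, encodings)}
    if len(offsets) == 1 and -1 not in offsets:
        return offsets.pop()
    return None


def is_length_field(samples: List[bytes], offset: int, width: int) -> bool:
    """Test the hypothesis that a big-endian integer at `offset` counts the
    bytes that follow it (one explanation for a changing fixed-size block)."""
    for s in samples:
        value = int.from_bytes(s[offset:offset + width], "big")
        if value != len(s) - offset - width:
            return False
    return True


def printable_runs(payload: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """(offset, text) for each run of printable ASCII of at least min_len,
    which is how the URL shows up in a hex dump."""
    runs: List[Tuple[int, str]] = []
    start = None
    for i, b in enumerate(payload + b"\x00"):  # sentinel closes a trailing run
        if 0x20 <= b < 0x7F:
            start = i if start is None else start
        else:
            if start is not None and i - start >= min_len:
                runs.append((start, payload[start:i].decode("ascii")))
            start = None
    return runs


if __name__ == "__main__":
    for start, end, const in byte_runs(SAMPLES):
        print(f"{start:3d}-{end - 1:3d} {'constant' if const else 'variable'}")
    print("client IP at offset", locate_field(SAMPLES, [ipv4_bytes(ip) for ip in KNOWN_CLIENT_IPS]))
    print("offset 2 is a 2-byte length field:", is_length_field(SAMPLES, 2, 2))
    print("strings in sample 0:", printable_runs(SAMPLES[0]))
```

Run against real captures, the constant runs are the bytes worth testing as a protocol signature, the variable fixed-width runs are the candidates for length, counter or checksum fields, and anything `is_length_field` rejects is left for a checksum hypothesis; the offsets this produces are what a dissector (the Ethereal plugin mentioned above) would be written from.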