Re: [fw-wiz] Websense protocol Version 4?

From: Kevin (kkadow_at_gmail.com)
Date: 03/10/05

    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 9 Mar 2005 21:57:29 -0600
    
    

    On Mon, 7 Mar 2005 10:42:14 -0500, Paul Melson <psmelson@comcast.net> wrote:
    > > Kevin Kadow wrote:
    > > I see from PIX and Websense documentation that the recommended
    > > configuration for URL filtering is to use the following PIX command:
    > > url-server host <IP-NUMBER> protocol UDP version 4
    > >
    > > Websense and PIX can also be configured to use a TCP protocol.
    > >
    > > Are either of these protocols documented anywhere?
    > > I searched both Cisco and Websense, but did not see specifications for the
    > > communication protocol between the PIX and the filter engine.
    > >
    > > Information on the Websense site shows that V4.x uses port 15868 for the
    > > "Filtering service", and 15871 for blocking messages, but does not document
    > > the protocol itself.
    >
    > The WebSense protocols are proprietary, and not publicly available (at least
    > that I've seen). There also appear to be differences between the WebSense
    > protocol used for PIX firewalls and the one used for Check Point firewalls
    > (UFP).
    >
    > Port 15868 listens for the actual url-filter requests from the firewall and
    > issues a response code based on matching. Port 15871 is something like an
    > HTTP server and issues an alert that is inserted in-stream to the browser,
    > letting the user know that WebSense has blocked the URL they've requested.
    >
    > PaulM

    Thanks.

    We're making some progress on unpacking the Websense protocol
    on TCP/15686 from examination of sniffer traces. Much of the contents
    of a TCP request is obvious (the URL, the client IP as four binary bytes, etc.),
    but there are also several binary bytes which are static across requests and
    some fixed-length blocks of binary which change (checksum?), the purpose of
    all of which is not immediately obvious. No signs of encryption.

    Once I get my new test PIX I'll try the UDP protocol and see if it is perhaps
    easier to interpret; right now I'm limited to sniffing real traffic.

    If nothing else, it'd be interesting to have an Ethereal plugin for Websense :)

    Kevin Kadow
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
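
The comparison of sniffed requests described in the message above, as an added example (not part of the original post and not the poster's code): it lines up several captured payloads whose client IP and URL are already known, then separates located fields, bytes that are static across requests, and changing bytes that remain unexplained. The layout produced by `build()` and all sample values are constructed for the demo and are not the Websense wire format.

```python
import ipaddress
import struct

def build(ip, url, blob):
    # Constructed, hypothetical layout for this demo; NOT the real Websense format:
    # 2 fixed bytes, 16-bit URL length, client IP (4 bytes), 4 opaque bytes, URL.
    return (b"\x00\x01" + struct.pack("!H", len(url))
            + ipaddress.IPv4Address(ip).packed + blob + url.encode())

# Constructed samples: what the analyst already knows about each sniffed request.
_SAMPLES = [("10.1.2.3", "http://example.com/", b"\x9a\x10\x22\x7f"),
            ("10.1.2.77", "http://example.org/index.html", b"\x03\xc4\x51\xe8"),
            ("192.168.5.9", "http://test.example/a", b"\x6d\x0b\xf2\x35")]
CAPTURES = [(ip, url, build(ip, url, blob)) for ip, url, blob in _SAMPLES]

def common_offset(captures, needle_of):
    """Offset at which a known value appears in every capture, else None."""
    offsets = {p.find(needle_of(ip, url)) for ip, url, p in captures}
    return offsets.pop() if len(offsets) == 1 and -1 not in offsets else None

def analyze(captures):
    payloads = [p for _, _, p in captures]
    shortest = min(map(len, payloads))
    ip_off = common_offset(captures, lambda ip, url: ipaddress.IPv4Address(ip).packed)
    url_off = common_offset(captures, lambda ip, url: url.encode())
    # 16-bit big-endian fields whose value equals the URL length in every capture.
    len_offs = [o for o in range(shortest - 1)
                if all(struct.unpack_from("!H", p, o)[0] == len(url)
                       for _, url, p in captures)]
    # Only the bytes in front of the URL are treated as header.
    header = range(url_off if url_off is not None else shortest)
    explained = {o + i for o in len_offs for i in range(2)}
    if ip_off is not None:
        explained |= set(range(ip_off, ip_off + 4))
    rest = [o for o in header if o not in explained]
    static = [o for o in rest if len({p[o] for p in payloads}) == 1]
    return {"client_ip": ip_off, "url": url_off, "url_length": len_offs,
            "static": static,
            "unknown": [o for o in rest if o not in static]}

if __name__ == "__main__":
    for field, where in analyze(CAPTURES).items():
        print(f"{field:>10}: {where}")
```

The offsets left under `unknown` are the candidates for a checksum or sequence field; adding captures with repeated IP/URL pairs shows whether those bytes depend on the request content at all.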

