Re: [fw-wiz] Websense protocol Version 4?

From: Kevin (kkadow_at_gmail.com)
Date: 03/10/05

  • Next message: Kevin: "Re: [fw-wiz] MJR on Linux/OSS"
    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 9 Mar 2005 21:57:29 -0600
    
    

    On Mon, 7 Mar 2005 10:42:14 -0500, Paul Melson <psmelson@comcast.net> wrote:
    > > Kevin Kadow wrote:
    > > I see from PIX and Websense documentation that the recommended
    > > configuration for URL filtering is to use the following PIX command:
    > > url-server host <IP-NUMBER> protocol UDP version 4
    > >
    > > Websense and PIX can also be configured to use a TCP protocol.
    > >
    > > Are either of these protocols documented anywhere?
    > > I searched both Cisco and Websense, but did not see specifications for the
    > > communication protocol between the PIX and the filter engine.
    > >
    > > Information on the Websense site shows that V4.x uses port 15868 for the
    > "Filtering service", and 15871 for blocking messages, but does not document
    > the protocol itself.
    >
    > The WebSense protocols are proprietary, and not publicly available (at least
    > that I've seen). There also appear to be differences between the WebSense
    > protocol used for PIX firewalls and the one used for Check Point firewalls
    > (UFP).
    >
    > Port 15868 listens for the actual url-filter requests from the firewall and
    > issues a response code based on matching. Port 15871 is something like an
    > HTTP server and issues an alert that is inserted in-stream to the browser,
    > letting the user know that WebSense has blocked the URL they've requested.
    >
    > PaulM

    Thanks.

    We're making some progress on unpacking the Websense protocol
    on TCP/15686 from examination of sniffer traces. Much of the contents
    of a TCP request is obvious, (the URL, the client IP as four binary bytes, etc),
    but there are also several binary bytes which are static across requests and
    some fixed-length blocks of binary which change (checksum?) all of which the
    purpose is not immediately obvious. No signs of encryption.

    Once I get my new test PIX I'll try the UDP protocol and see if it is perhaps
    easier to interpret; right now I'm limited to sniffing real traffic.

    If nothing else, it'd be interesting to have an Ethereal plugin for Websense :)

    Kevin Kadow
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Kevin: "Re: [fw-wiz] MJR on Linux/OSS"