URL Filtering--Websense, etc.

Mar 9th, 2007

I have a PIX 515, and my company is interested in implementing a product to log web URL activity for groups of employees. I thought websense would be the best product to do the job, but what type of server and storage space reqs do you need? This is probably a bad forum for this, but I thought maybe someone here could offer some suggestions.

Thanks in advance, Rob

abinjola Fri, 03/09/2007 - 11:11

Are you looking for a syslog server, which is actually a logging server logging the traffic traversing through the firewall,

or are you looking for a URL Filtering server to work with the firewall?

I am asking this because ya mentioned websense, which is actually a url filtering server. If ya looking for a logging server then no need to spend an extra penny: go to Google and download a free utility, "KIWI SYSLOG SERVER".

Hope this answers a couple of ya questions.

thebrom Fri, 03/09/2007 - 11:14

what do you mean they don't recommend the use of these products? Can the firewall do its own URL filtering?

vitripat Fri, 03/09/2007 - 11:41

Hey Rob,

What you are looking for can be achieved using a URL server. Using this, you can log what all URLs are being accessed and define policies accordingly what to allow and what not to allow. For minimum system requirements, you can check the following link:

http://www.guardsense.com/system-requirements.asp

The issue with syslog servers is that they won't log the URL, but the IP address of the website being accessed. However, when used in conjunction with url-server, PIX logs the URL being accessed to the syslog server.

Hope this helps.

Regards,

Vibhor.

thebrom Fri, 03/09/2007 - 11:48

Thanks a lot. Now I see that it only reqs 2GB of free disk space. I know that is just for the install, but what kind of space am I looking at for logging all of the visited URLs of a 200 user network, and I mean they are online all day long searching for things legitimately and illegitimately.

Rob

vitripat Fri, 03/09/2007 - 11:57

You'll have two different servers. One is URL server and other is Logging server. On this URL-server, you'll need to look at following syslogs:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/pixemsgs.htm#wp1054385

304001-304007

Given the activity you are suggesting, you'll at least need 4 GB space. That'll be good enough. On top of that, if you are using KIWI syslog server, you can configure it to keep a watch on the disk space left. Using KIWI you can also generate reports on the syslogs.

Regards,

Vibhor.
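Added example, not part of any post in this thread: a Python sketch that pulls URL events out of the PIX syslog messages 304001 and 304002 mentioned above and projects raw log growth for sizing the logging server. The sample lines are constructed, their layout is assumed from Cisco's syslog message reference (check it against the linked document for your PIX version), and the figure of 2000 URL events per user per day is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines (documentation-range addresses). Layout assumed from the
# PIX syslog reference: 304001 = URL accessed, 304002 = URL denied by the filter server.
SAMPLE = """\
Mar 09 2007 11:41:02 pix515 %PIX-5-304001: 192.168.10.21 Accessed URL 198.51.100.7:/index.html
Mar 09 2007 11:41:05 pix515 %PIX-5-304001: 192.168.10.21 Accessed URL 198.51.100.7:/img/logo.gif
Mar 09 2007 11:41:09 pix515 %PIX-5-304002: Access denied URL http://203.0.113.9/games/ SRC 192.168.10.34 DEST 203.0.113.9 on interface inside
Mar 09 2007 11:42:17 pix515 %PIX-5-304001: 192.168.10.34 Accessed URL 198.51.100.20:/search?q=pix
Mar 09 2007 11:42:30 pix515 %PIX-6-302013: Built outbound TCP connection 1 for outside:198.51.100.20/80
"""

ACCESSED = re.compile(r"%PIX-5-304001: (?:(?P<user>\S+)@)?(?P<src>[\d.]+) "
                      r"Accessed (?:JAVA )?URL (?P<dst>[\d.]+):\s*(?P<url>\S*)")
DENIED = re.compile(r"%PIX-5-304002: Access denied URL (?P<url>\S+) "
                    r"SRC (?P<src>[\d.]+) DEST (?P<dst>[\d.]+)")

def parse_line(line):
    """Return a dict for a 304001/304002 line, or None for any other message."""
    for action, rx in (("allowed", ACCESSED), ("denied", DENIED)):
        m = rx.search(line)
        if m:
            return {"action": action, **m.groupdict()}
    return None

def summarize(text):
    """Count URL events per (source, action) and return the mean bytes per line."""
    per_src, sizes = Counter(), []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            per_src[(ev["src"], ev["action"])] += 1
            sizes.append(len(line.encode()) + 1)  # +1 for the newline on disk
    return per_src, (sum(sizes) / len(sizes) if sizes else 0.0)

def daily_bytes(mean_line_bytes, users, urls_per_user_per_day):
    """Project raw syslog growth per day from an estimated per-user request rate."""
    return int(mean_line_bytes * users * urls_per_user_per_day)

if __name__ == "__main__":
    counts, mean = summarize(SAMPLE)
    for (src, action), n in sorted(counts.items()):
        print(f"{src:15} {action:8} {n}")
    # 200 users is the thread's figure; 2000 URL events per user per day is assumed.
    print(f"~{daily_bytes(mean, 200, 2000) / 1e6:.0f} MB/day of URL log lines")
```

Measuring the mean line size on a day of your own syslog output and replacing the assumed request rate gives a projection you can compare against the disk figures quoted in the thread.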

abinjola Fri, 03/09/2007 - 12:06

Since you need heavy monitoring, you need to integrate a web sense server. In that case, though, there are online logging servers available which do log the traffic along with the "URL"; however, they are not as scalable as paid websense..a paid pastry always tastes well than a robbed one..:-)

You may use Websense or N2H2 url-filtering software. Also, there is a cache length on web sense that stores and logs the traffic. This length can be customised as per the traffic that you need to log in there.

To accomplish URL filtering, pix can be configured with Websense (www.websense.com) or N2H2 (www.n2h2.com) in this way:

a) A client establishes a TCP connection to a web server.

b) The client sends an HTTP request for a page on this server.

c) The pix intercepts this request and hands it over to the filtering server.

d) The filtering server decides if the client should be allowed access to the requested page.

e) If the decision is positive, the pix forwards the request to the server and the client receives the requested content.

f) If the decision is negative, the client's request is dropped.

NOTE: Websense works with pix version 5.3 onwards and N2H2 works with pix version 6.2 onwards. These can only perform HTTP filtering not FTP or HTTPS. Although for blocking ftp sites, a URL like ftp://ftp.somedomain.com can be entered.

For configuring N2H2 or Websense with pix, the following command syntax are required:

N2H2:

[no] url-server [(if_name)] vendor n2h2 host local_ip [port number] [timeout seconds] [protocol {TCP | UDP}]

WEBSENSE:

[no] url-server [(if_name)] vendor websense host local_ip [timeout seconds] [protocol {TCP | UDP} version]

show url-server

show url-server stats

This would also be available at:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ae.html#1026449

Hey Rob,

We are using Websense in our company. Some URL Filtering apps need space. How much space depends on the number of users and how much they surf.

In some applications each entry recorded by the URL filtering software is 300k per user per day. Multiply this by the number of users and by how much logging/reporting you will do. Some of these Apps will store data for 1 month or more. I think our user DB has grown to 1.8 GB. So do the math. The URL database in these apps also grows. Ours in the beginning was 140 MB.

Some of these APPS can run on a server running other functions, but we keep it on its own.

Good luck,

Julio

thebrom Mon, 03/12/2007 - 17:06

thank you all for the info. I think I have what I need to make an informed decision!
