
RE: [FW1] Websense/Web Filtering




Chris;

I am sorry to hear you are having problems with WS and CKP. Below I am going to explain technically the difference between WS 3.X with CKP and WS 4.X with CKP. I also understand your frustrations as to having to deal with two separate companies pointing the fingers at each other.

Although I am not familiar with the *exact* problem you are having (I am getting a status report from our technical support dept.), the information below should clear things up for you as far as the differences between 3.x and 4.x and between different UFP versions.

Websense V3.X was our original version that talked to FW-1 with the UFP (note not CVP). This version talked directly to the UFP code in FW-1 over a socket. We wrote all the code for the "communication" from the UFP server side.

Due to some additional features that we have added to our product (including defer/continue, redirect of sites, user-authentication w/LDAP, NT, and an expanded category base) we used the "new UFP" (V2) in our 4.X version of Websense. Checkpoint mandates that with this version of the UFP they handle all socket based communications from the UFP server to the Firewall, unlike previously, where we handled them. We use libraries from Checkpoint on the UFP server side in order for the socket communication to work.

Thus, all TCP traffic between the Firewall and the UFP server is handled by Checkpoint, not us. We simply get messages from the libraries that we compiled with. The standard UFP port is 18182. By "snooping" the traffic between the UFP server (i.e., Websense) and the Firewall you are looking at packets that are all handled by Checkpoint code. As I mentioned above, in the original UFP we had control of this communication. However, in the new UFP we have no control of this communication.

The "new UFP" socket communication does appear to have some bugs in it. If you hear of any other problem with the joint solution, let me know offline what the trouble ticket is and I will look into it.

Thanks



-----Original Message-----
From: Chris F [mailto:[email protected]]
Sent: Friday, February 16, 2001 8:40 AM
To: Brian Mulford; Check Point FW List (E-mail)
Subject: Re: [FW1] Websense/Web Filtering



Hi Brian,

I've used Websense for a few years in the Unix/NT
environment.

Back in the days of Solaris 2.5.1, Websense v3.11, and
CP FW1 v3.0b Build 3064 -- EVERYTHING WORKED!

When working -- Websense is easy to implement and
configure. Once you set your filters, there is little
(or no) administration. Websense will update its
database automatically for you -- I have it auto
update every night.
There is no noticeable network lag from using Websense
and only a few sites will give you problems (easily
fixed in your security policy). I have used Websense
on the firewall, and as a stand alone CVP/URI server.

Since the introduction of FW v4.x and Websense v4.x.x
- I've had some problems with the communication
between CP http security server and Websense.

I'm now on Solaris 2.6 5/98 HW version (patched with
patches as of Jan 26, 2001), FW1 v4.1 SP3 -- built
from scratch, and I'm having the same issues
(unfortunately).

What's most frustrating is getting the vendor pointing
when things don't go as planned: Websense will blame
CP's http security server for any problems you have,
and CP will blame Websense. Yet, you pay for support
from both -- and no one wants to help you. Nice
partnership, eh?

Because of this, I'm getting better at using "snoop"
and calling their bluff when they try and tell me
otherwise :)

Telemate.Net makes a similar product -- a hardware
solution for filtering. I'm still investigating this
product.

www.telemate.net if you're interested.

Please feel free to contact me if you have any
details/questions. Sorry for this book reply.

HTH -- Chris



--- Brian Mulford <[email protected]> wrote:
>
> I am evaluating websense as a content management filter that integrates
> with FW1. Anyone have any comments good or bad, or possible other
> software that may be better? Thanks
>
> Brian
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>              http://www.checkpoint.com/services/mailing.html
> ================================================================================

