
[FW-1] Using WebSense instead of proxy servers



Sorry if this has been mentioned already...
 
Maybe we are a little old school, but our shop has never been a fan of using the firewall for anything but a firewall. They are already a point of failure, why push the issue? There are a number of different apps that the firewall can support: IDS, URL filtering, Websense...just to name a few.
 
Our setup:
Dual Nokia 440s (latest IPSO, sp5)
MS proxy 2.0
Websense (newest ver 4.3?) it's been a long day!
Websense Reporter 6.3 (using SQL)
 
 
All of the boxes are separate with the exception of the Websense products. In the past we have run the proxy and Websense on the same box, but performance was an issue. To alleviate failure points and in an effort to increase performance, they were separated. All web traffic is funneled to Websense via an ISAPI filter on the proxy. So far so good; my policy needs some tweaking, but I am happy with the reports so far.
 
We use the proxy in the same manner, no unauthenticated users....proxy access is done through global group grants.
 
Regards
 
 
----- Original Message -----
Sent: Monday, October 14, 2002 3:31 PM
Subject: [FW-1] Using WebSense instead of proxy servers

Hello,
 
I want to set up Websense with my FW-1 installation and phase out the MS proxy servers. Currently we use proxies because they authenticate our users. (Some users aren't allowed WWW access and others are.)
 
We use DHCP and have 300-700 users, so DENY rules wouldn't be efficient. Is anyone using Websense/FW-1 to authenticate users for WWW? And what problems have you run into...? I hear there is an agent you install on your domain controllers to query the users DB.
 
 
 
Thanks

Josh Perrymon
Network Security Consultant
BE&K , INC