Many businesses and government institutions use a content filtering program such as Websense to keep employees from visiting certain websites while at work. These programs can either prohibit the use of certain websites or monitor all of the sites that employees visit while in the office. Websense blocks several website categories: adult material, entertainment, drugs, games, sports, Internet communication, peer-to-peer file sharing, gambling, instant messaging, health, illegal, shopping, job search, Internet telephony, religion, special events, travel, violence, weapons, advertisements, freeware and software download, pay-to-surf, malicious websites, and many more.
The concept behind Websense is simple: whenever an employee attempts to visit a webpage, a request is generated and passes through a firewall. Websense looks at this request and answers yes or no depending on whether the requested URL is in the Websense database. In transparent mode, Websense counts on the firewall forwarding the whole request at one time. If the whole request is not transferred at one time, Websense allows the packet to pass, as the packet does not look like an HTTP request. Several techniques allow users to bypass Websense’s filtering and authentication process.
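Why an inline filter has to reassemble a request before deciding, as an added example (not from the original article and not Websense code): a per-packet check that passes anything that is not a complete HTTP request, beside a filter that buffers segments per flow and fails closed. The blocklist, flow tuple, function names and traffic are constructed for illustration.

```python
BLOCKED_HOSTS = {"blocked.example"}   # constructed blocklist
MAX_HEAD = 8192                       # cap on buffered request-head bytes

def host_of(head: bytes):
    """Return the lower-cased Host header value (port removed), or None."""
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return host.rsplit(":", 1)[0] if host.rsplit(":", 1)[-1].isdigit() else host
    return None

def per_packet_verdict(segment: bytes) -> str:
    """Weak form: judge each segment alone; a partial request is waved through."""
    looks_http = b"\r\n\r\n" in segment and segment.split(b" ", 1)[0].isalpha()
    if not looks_http:
        return "allow"
    return "block" if host_of(segment) in BLOCKED_HOSTS else "allow"

class ReassemblingFilter:
    """Hardened form: hold segments per flow until the request head is complete."""
    def __init__(self):
        self.buffers = {}

    def feed(self, flow, segment: bytes) -> str:
        buf = self.buffers.pop(flow, b"") + segment
        end = buf.find(b"\r\n\r\n")
        if end == -1:
            if len(buf) > MAX_HEAD:
                return "block"      # fail closed on an oversized or endless head
            self.buffers[flow] = buf
            return "hold"           # forward nothing until a verdict exists
        host = host_of(buf[:end])
        # Fail closed as well when no Host header can be found.
        return "block" if host is None or host in BLOCKED_HOSTS else "allow"

# Constructed traffic: one request sent whole, the same request in two segments.
FLOW = ("10.0.0.5", 49152, "203.0.113.10", 80)
WHOLE = b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n"
SPLIT = [b"GET / HTTP/1.1\r\nHo", b"st: blocked.example\r\n\r\n"]

def demo():
    reassembler = ReassemblingFilter()
    return {
        "per_packet_whole": per_packet_verdict(WHOLE),
        "per_packet_split": [per_packet_verdict(s) for s in SPLIT],
        "reassembled_split": [reassembler.feed(FLOW, s) for s in SPLIT],
    }

if __name__ == "__main__":
    print(demo())
```

The design point is the `hold` verdict: the filter forwards nothing for a flow until it has enough bytes to decide, and it blocks when it cannot decide.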
Bypassing Websense via a Web Proxy
One way to bypass Websense is to use a web-based proxy site. With a proxy, Websense sees the user browse to the web proxy, not to the website the user actually wants to reach: the user browses to the web proxy, and the web proxy browses to the destination website. These web proxies can bypass Websense because the ‘S’ in the HTTP address (https://) stands for secure connection and Websense does not block such secured connections. This is probably the simplest way to get around the Websense program as it takes little time and no one will wonder what the user is up to.
Bypassing Websense via HTTP Tunneling
Users can also bypass Websense via HTTP Tunneling. Most programs also come with options that help to destroy Internet history and Windows activity. This means that the user’s online activities are secure and he/she can spoof his/her web browser information, which helps to thwart hacking missions. One can download HTTP Tunneling software programs from the Internet quite easily and inexpensively.
This article’s description of HTTPS may not be entirely accurate. I’m sitting behind a Websense proxy right now. It performs the negotiation between HTTPS sites and serves me a custom, unsigned SSL cert, essentially performing a man-in-the-middle attack and monitoring all HTTPS traffic just as easily as HTTP.
From my experience, while annoying, Websense is easily bypassed via RDP to a personal computer off site. Please note, while what you do on your personal machine is protected, the IP address and duration of RDP sessions may be able to be reported on.
Jacob Pagano
This does not always work. If your organization has purchased ISA Server or TMG or Websense Content Gateway, then Websense can work with a proxy server to filter out secure connections. I know because I have set up a Websense server in the past. And as for the HTTP tunneling, that can be blocked as well by protocol blocking. One way to bypass Websense is to set up your own proxy server at home, configure your router for port forwarding, then go to work and reconfigure your browser’s proxy settings. Then you can get around it, but that is only if your work has not restricted the ability to set your browser’s proxy settings.
As an IT guy, we search this stuff to see how you’re trying to get around it. In an installation of Websense that I manage, using the IP address of the site won’t get you there; we block everything not categorized, and review upon request. The TOR’s and other applications, well, our firewalls are smart enough to see that traffic so it’s blocked too. However, I can say we aren’t as overboard with it as some companies; we just block personal email, social, and questionable content like pron, violence, etc.
Not saying that all of you spend all day, but when we see Facebook sessions lasting all day long, kind of crazy. Also, think about asking your management team to allow Websense Quotas; they can give you like an hour a day of screw-off time for stuff like email and the like. Of course, secure companies may not be able to do that for the concern that you might email someone’s social security or credit card details to Russia….. one bad apple….
Jacob Pagano
You can use Websense Data Security to prevent the e-mailing of Social Security or Credit Cards.
My tool… Remote Desktop Connection to home computer. Surf what I want with no one knowing what I browse. The connection is not as fast through RDP, but that has to do with our pitiful 3MB service.
Jacob Pagano
That is the same thing that I do.
I’m RDP’d past Websense as we speak. It should be noted, however, that while your behavior via RDP is secure, Websense can report on the IP address and duration of your RDP sessions.
The company I work for just started to allow employees’ internet usage for business purposes only. We are an outside sales company and my employees visit stores, and nightly synchronize store data. Each employee has a laptop computer. As such, to help monitor internet activity I am now receiving monthly recaps on each employee and their internet activity. The company uses Websense to track activity. Out of the 18 employees I supervise, 13 visited sites I would consider not business related. The remaining 5 showed no activity at all. The one common denominator that all 13 had in common was that they visited our company intranet site. When questioned about the sites,,, etc… all of them said they never visited any site other than our intranet site. Some even said that several of the sites listed were sites they have only visited on their home computer. Is it possible that Websense can pick up internet sites from home computers?
Another Security Guy
Simply put, no. Websense can only log and report on systems which connect through the filter. It would also require the user to have the same domain/user credentials on their home box. If they say they’ve never visited these sites from a company system, they are not telling you the truth.
If you are getting reports that someone has visited, for instance, Facebook and they deny ever having done so there are, imho, three possibilities
1. They are not telling the truth
2. Someone else used their machine (in which case they should learn to lock it)
3. (most probable) The reports of Facebook use are actually caused by visits to pages that have links to Facebook (like buttons, content from Facebook)
I have seen a lot of reports where there is an indication of misuse (as defined by the corporate policy) but further investigation shows that the reported use was “indirect”. Go to almost any newspaper site and you will see connections to Facebook / Twitter etc. It is possible that these connections are being served directly by Facebook / Twitter etc and show as visits in Websense.
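The third possibility in the comment above can be checked from proxy logs, assuming each logged request carries its Referer (an assumption; the thread does not say what Websense records). This added example, which is not part of the original comment, separates direct visits to a site from requests triggered by content embedded in another site; the log format, hosts and users are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed log lines: time, user, requested URL, Referer ("-" = none sent).
LOG = """\
09:01:02 alice http://intranet.example/home -
09:01:03 alice http://news.example/story -
09:01:04 alice http://social.example/plugins/like.js http://news.example/story
09:01:04 alice http://social.example/img/btn.png http://news.example/story
09:07:30 bob http://social.example/ -
09:07:31 bob http://social.example/feed http://social.example/
"""

def classify(url: str, referer: str) -> str:
    """'embedded' when another site's page triggered the request, else 'direct'.

    A missing Referer is counted as direct, so this is a triage heuristic:
    it can clear a user of an apparent visit, it cannot prove one.
    Hosts are compared exactly; subdomains are treated as different sites.
    """
    host = urlsplit(url).hostname
    ref_host = urlsplit(referer).hostname if referer != "-" else None
    if ref_host is None or ref_host == host:
        return "direct"
    return "embedded"

def summarize(log_text: str, site: str) -> dict:
    """Per-user counts of direct and embedded requests to `site`."""
    counts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, user, url, referer = line.split()
        if urlsplit(url).hostname != site:
            continue
        counts.setdefault(user, Counter())[classify(url, referer)] += 1
    return {user: dict(c) for user, c in counts.items()}

if __name__ == "__main__":
    # alice only loaded social.example widgets from a news page; bob browsed it.
    print(summarize(LOG, "social.example"))
```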
I used to work for Websense, the filtering products do also have an option to filter remote machines (eg. company laptops/PC’s) …. even when you are using your home internet connection.
That only works if they are using Logon Agent through a tunnel from home to work – if they aren’t attached to the network being filtered then NO, WS cannot log the traffic, and you, exwebsense, should know that.
Poor Bored Bastard
Here’s the thing, though, security guy. Not everyone has the same job on the same shift. So while those guys on day shift might be a million times more productive not being able to check their email or read the news, us poor slobs on nights are going to suffer a huge lapse in productivity when we fall asleep waiting for the next chunk of work to be brought to us. Here in the lab I work at we have regular chunks of 10-20 minutes where we’re either waiting for assay samples to fuse or waiting for someone to bring in more samples. Before websense I might have used this time to check my email, maybe peruse a few headlines. Now? I chug a coke and try not to fall asleep. Don’t try to tell me that’s somehow better for business.
Another Security Guy
So speak to your management, don’t just make ridiculous comments about a product. Websense is only the tool – much like your assay sampling machine. If one of those broke down, would you be online blaming the product? No. You would speak to someone with authority about it. You might have 10 – 20 minutes to spare at a time. It takes much longer to fix computers that end up virus laden, or full of malware as a result of people who have no clue what they are doing downloading rubbish to machines.
A sensible policy needs to accompany the product. Websense provide the categories. Management provide the policies.
If a work computer ends up virus laden, or full of malware, you as an admin should be fired.
Firefox + adblock (+ NoScript if you wanna be super picky) + Spybot S&D immunization & TeaTimer + halfway decent AV (Avast for example, if you are using norton, mcafee or anything similar, you should be fired, then taken out back and shot. Repeatedly. For being a bleeding idiot) = Fairly impenetrable computer. Bout the worst thing you’ll have to do is clean tracker cookies once in a while.
Securing work machines is simple. Teaching the IT Staff how not to be blathering idiots is the difficult part.
There is still another way! Although most people don’t get it that much. Websense got themselves a proxy avoidance filter, as well as a download one. HTTP tunneling can be quite resource needing. This is quite simple. In Firefox (that you can download, since the download site is listed as EDUCATION in Websense) install FoxyProxy BASIC (not original) then look around in Google for this “proxy IP host port” type some into FoxyProxy Basic (number and port, preferably transparent) and then browse! It’s the same as a proxy, but built-in. So it cannot be blocked. Posted by Shingetsu.
