Websense and Proxies

Dear all, I would like to discuss a problem with Websense. Websense permits you to filter internet pages using a DB. We have in our company two user profiles: Basic user and Administrative user.

Using the Administrator profile, it is simple enough to bypass Websense by setting a proxy address in the internet browser options. How can we prevent the Administrator profile from being able to do this?

Thanks a lot and best regards

Mirto

Why would you want your Administrators blocked from anything?

Leythos

Use Websense in conjunction with a hardware firewall that uses stateful packet inspection to enforce using the Websense server for all HTTP connections. Many firewalls will specifically support integration with the Websense server to do this.

T. Sean Weintz

Or, in this case, from something as simple as websurfing? (There are a couple configuration options that I've wired in in two different places, so that even if I screw up in one place SAMBA still isn't reachable from any WAN interface, and so on).

That aside, however, the real problem isn't keeping administrators from changing proxy settings - it's the fact that you allow port 80 access to any host besides your proxy. Fix that first, then do the same for port 8080, and possibly 81 (there are some pretty broken installations out there).

Of course, you still can't filter HTTPS traffic... and a moderately knowledgeable user will be able to find a way around this (use some public proxy server, connect on a non-standard port, PuTTY into your home box and use w3m/links/lynx, test all links on HTTPS capabilities, etc. etc.; I've even heard of a web-to-mail gateway, not sure if it's still operational.)

Another option is to install Snort and set it to monitor for policy violations. It won't actually stop anyone, but it does tell you who is surfing for pr0n. [1]

However, I basically believe what you want is a) not a terribly good idea and b) not technically feasible (you may be able to keep your average office worker in, but I seriously doubt you'll be able to contain anyone with a good dose of technical knowledge and a little patience).

Joachim

[1] Employees resent being spied upon. This will cause all sorts of problems and may or may not even be legal.
Joachim Schipper
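
As an added example (not part of any post in this thread): one way to check that the egress restriction described above is holding is to scan firewall logs for internal clients that reach external hosts on ports 80, 8080 or 81 without going through the proxy. The network range, the proxy address and the netfilter-style log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed policy values (hypothetical, not from the thread except the ports).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")
PROXY_IP = ipaddress.ip_address("10.0.0.5")   # hypothetical filtering proxy host
WEB_PORTS = {80, 8080, 81}                    # ports named in the post above

# Constructed sample lines in netfilter LOG style (key=value fields).
SAMPLE_LOG = """\
Jan 10 09:00:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.10 PROTO=TCP SPT=40000 DPT=80
Jan 10 09:00:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.7 PROTO=TCP SPT=51514 DPT=8080
Jan 10 09:00:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.7 PROTO=TCP SPT=51515 DPT=8080
Jan 10 09:00:04 fw kernel: IN=eth1 OUT=eth1 SRC=10.0.0.42 DST=10.0.0.5 PROTO=TCP SPT=43000 DPT=8080
Jan 10 09:00:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=198.51.100.10 PROTO=TCP SPT=43001 DPT=81
Jan 10 09:00:06 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=198.51.100.10 PROTO=UDP SPT=43002 DPT=53
Jan 10 09:00:07 fw kernel: truncated line SRC=10.0.0.9
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def parse(line):
    """Return (src, dst, proto, dport), or None for incomplete or malformed lines."""
    fields = dict(FIELD.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
        return None
    try:
        return (ipaddress.ip_address(fields["SRC"]),
                ipaddress.ip_address(fields["DST"]), fields["PROTO"], int(fields["DPT"]))
    except ValueError:
        return None

def proxy_bypasses(log_text):
    """Count direct web connections per (client, port) that did not use the proxy."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if (proto == "TCP" and dport in WEB_PORTS and src in INTERNAL_NET
                and src != PROXY_IP and dst not in INTERNAL_NET):
            hits[(str(src), dport)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (client, port), count in sorted(proxy_bypasses(SAMPLE_LOG).items()):
        print(f"{client} reached external port {port} directly {count} time(s)")
```

Once the firewall only lets the proxy out on these ports, the same scan over the firewall's accepted-connection log should come back empty; any hit points at a rule that is missing or ordered wrongly.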
