这websense也太厉害了吧 - 未名空间MITBBS历史存档

国际科技财经博客移民网络热点娱乐民生时事公众号

Redian新闻

>未名空间

>EmergingNetworking - 热门网络技术

这websense也太厉害了吧

这websense也太厉害了吧# EmergingNetworking - 热门网络技术

j*e2008-12-17 08:12

1 楼

公司服务器上装了websense，搞得我所有的BBS，下载站点，stream media站点等等全
都上不去，MSN不能用，web的MSN也全都失效。然后想用proxy绕过也绕不过。一直以来
用logmein登录自己家的电脑上这些，现在居然也登录不了，真是赶尽杀绝啊。
大侠有没有什么办法支支招啊？
谢谢了！

z*r2008-12-17 08:12

2 楼

get a ssl based vpn server on your home machine

【在 j*e 的大作中提到】

: 公司服务器上装了websense，搞得我所有的BBS，下载站点，stream media站点等等全
: 都上不去，MSN不能用，web的MSN也全都失效。然后想用proxy绕过也绕不过。一直以来
: 用logmein登录自己家的电脑上这些，现在居然也登录不了，真是赶尽杀绝啊。
: 大侠有没有什么办法支支招啊？
: 谢谢了！

Z*e2008-12-17 08:12

3 楼

加密proxy啊：自己在家架个linux的proxy，比如用squid，然后再公司弄个SSH tunnel
到家里，这样你公司的browser就连接本机的端口，但实际被加密映射到了家里的proxy
端口，除非公司block你家IP/域名

【在 j*e 的大作中提到】

s*42008-12-17 08:12

4 楼

没用,Admin可以设置POLICY,只要是从楼主的公司IP里出来的,去往任何不可知IP的
REQUEST一律BLOCK.

tunnel
proxy

【在 Z****e 的大作中提到】

: 加密proxy啊：自己在家架个linux的proxy，比如用squid，然后再公司弄个SSH tunnel
: 到家里，这样你公司的browser就连接本机的端口，但实际被加密映射到了家里的proxy
: 端口，除非公司block你家IP/域名

c*t2008-12-17 08:12

5 楼

说说有没有后门？

【在 s*********4 的大作中提到】

: 没用,Admin可以设置POLICY,只要是从楼主的公司IP里出来的,去往任何不可知IP的
: REQUEST一律BLOCK.
:
: tunnel
: proxy

z*r2008-12-17 08:12

6 楼

of coz you can do this, but this doesn't make sense. the point is to block
some non-work related access based on the *content*, so, ssl based vpn can
easily bypass websense

【在 s*********4 的大作中提到】

: 没用,Admin可以设置POLICY,只要是从楼主的公司IP里出来的,去往任何不可知IP的
: REQUEST一律BLOCK.
:
: tunnel
: proxy

s*42008-12-17 08:12

7 楼

It is not simply based on "content". The content has been pre-categoried
into a database. At runtime you are blocked by user or source IP combined
with detination IP (of course there are other more complicated policies you
can do). An unknown detination IP such as your proxy will be identified as "
uncategorized" and could be set to block regarless HTTP or HTTPS or any
other protocols (any port).

【在 z**r 的大作中提到】

: of coz you can do this, but this doesn't make sense. the point is to block
: some non-work related access based on the *content*, so, ssl based vpn can
: easily bypass websense

z*r2008-12-17 08:12

8 楼

you didn't get my point, I said "of coz you can do this, but this doesn't
make sense".
what are known addresses or unknown addresses? the address space changes
everyday... so the only way that works is, block all addresses and enable
some "known" addresses. This is a piece of a cake for a firewall, so tell me
why I need to buy websense?
dealing with layer 3/4 is not wise as far as filtering Internet access...

you
"

【在 s*********4 的大作中提到】

: It is not simply based on "content". The content has been pre-categoried
: into a database. At runtime you are blocked by user or source IP combined
: with detination IP (of course there are other more complicated policies you
: can do). An unknown detination IP such as your proxy will be identified as "
: uncategorized" and could be set to block regarless HTTP or HTTPS or any
: other protocols (any port).

s*92008-12-17 08:12

9 楼

me
对啊，没错，我明白你意思，普通防火墙都可以干BLOCK 未知IP这个事了。
可能这个websense就是一个简化版的软件防火墙！

【在 z**r 的大作中提到】

: you didn't get my point, I said "of coz you can do this, but this doesn't
: make sense".
: what are known addresses or unknown addresses? the address space changes
: everyday... so the only way that works is, block all addresses and enable
: some "known" addresses. This is a piece of a cake for a firewall, so tell me
: why I need to buy websense?
: dealing with layer 3/4 is not wise as far as filtering Internet access...
:
: you
: "

n*w2008-12-17 08:12

10 楼

ssh port 被禁用，不能ssh出去有什么办法？

tunnel
proxy

【在 Z****e 的大作中提到】

s*42008-12-17 08:12

11 楼

The known IP addresses have been identified in Websense database. Any IP
addresses (mapped to various domains) that are not included in Websense
database are identified as "unknown" thus can be set to block, regardless
ports.
You have a logic (not technical) concept misunderstanding. Websene can do
layer 3 filtering doesn't mean it can ONLY do layer 3 filtering. Also in
enterprise environment the customers may install similar systems from
multiple vendors. For example, proxy chainning, multiple

【在 z**r 的大作中提到】

p*n2008-12-17 08:12

12 楼

zher 可是活跃在未名的每个版块。

【在 z**r 的大作中提到】

: get a ssl based vpn server on your home machine

Z*e2008-12-17 08:12

13 楼

我不是说了么block ip就没用了么，呵呵

【在 s*********4 的大作中提到】

: 没用,Admin可以设置POLICY,只要是从楼主的公司IP里出来的,去往任何不可知IP的
: REQUEST一律BLOCK.
:
: tunnel
: proxy

Z*e2008-12-17 08:12

14 楼

用什么port可以自己选啊，非要22不可么

【在 n*w 的大作中提到】

: ssh port 被禁用，不能ssh出去有什么办法？
:
: tunnel
: proxy

c*r2008-12-17 08:12

15 楼

没错。就用80，如果websense有protocol discovery，找fake webserver实际上是ssh
server，拿到key以后就应该通过了。

【在 Z****e 的大作中提到】

: 用什么port可以自己选啊，非要22不可么

s*42008-12-17 08:12

16 楼

没用,是IP + Port block.

ssh

【在 c*****r 的大作中提到】

: 没错。就用80，如果websense有protocol discovery，找fake webserver实际上是ssh
: server，拿到key以后就应该通过了。

n*w2008-12-17 08:12

17 楼

好像只有80和https可以出去。以前试过"connect.c"+ssh但是还是出不去。

【在 Z****e 的大作中提到】

: 用什么port可以自己选啊，非要22不可么

z*r2008-12-17 08:12

18 楼

俺知道websense可以block IP，俺的意思是，没这个必要，每个产品都有特色，干自己
专长的比较好，另外，俺质疑这种block all unknown IP的policy是不是真的有公司会用

【在 s*********4 的大作中提到】

: The known IP addresses have been identified in Websense database. Any IP
: addresses (mapped to various domains) that are not included in Websense
: database are identified as "unknown" thus can be set to block, regardless
: ports.
: You have a logic (not technical) concept misunderstanding. Websene can do
: layer 3 filtering doesn't mean it can ONLY do layer 3 filtering. Also in
: enterprise environment the customers may install similar systems from
: multiple vendors. For example, proxy chainning, multiple

z*r2008-12-17 08:12

19 楼

其实就那么2、3个，碰巧你也去这几个版，呵呵

【在 p*****n 的大作中提到】

: zher 可是活跃在未名的每个版块。

z*r2008-12-17 08:12

20 楼

told you get a ssl based vpn server on your home machine, say openvpn.

【在 n*w 的大作中提到】

: 好像只有80和https可以出去。以前试过"connect.c"+ssh但是还是出不去。