[c-nsp] Cisco and Websense

[Brian Feeny]

We have deployed Websense at an ISP and I am trying to come up with 
ideas to handle some of its shortcomings.

We use Cisco IOS on routers to handle the websense.  One of the 
shortcomings of the Cisco websense IMHO is that it directs
100% of the traffic on an interface for inspection by websense.  You 
can't just say "match this ACL and websense filter only these 
customers".  As an ISP, naturally you only want to send the customers 
that want to be filtered, that are paying you to be filtered, to this 
box.  Furthermore, websense counts any inspection as a license, so its 
not like you can use a really fast router and really fast websense box 
and just handle the policies on the websense box.

The solution I have used for years to get around these types of 
limitations is to use layer 4 switching and static routing.

If a customer wants websense, their IP block(s) get added to an ACL on 
a layer 4 switch which all traffic moves thru.  Those that match this 
ACL get there next hop switched to the Websense router, which does 
Websense IOS inspection on all traffic entering it.  It then proceeds 
out our border router.  Then I have to do static routes, ugh, on the 
border router to make sure the traffic makes it back thru the Websense 
router on the return path, simply because Websense in IOS requires the 
path to be symmetrical.

So maybe IOS is not the best solution for this.  I have heard that the 
PIX version of Websense does allow you to apply an ACL, but routing  
100% of ISP customers thru a PIX firewall sounds whack.  What I am 
doing right now is pretty gross too, but not as bad as all customers 
thru a firewall.

Does anyone know of a device that will work with websense, that you can 
put an aggregate traffic stream thru, and will only websense filter 
based on some sort of policy, such as an ACL?

Brian

---------------------------------------------
Brian Feeny, CCIE #8036, CISSP
Network Engineer
ShreveNet Inc.