guys,
how do you test explicit sites for like X rated stuff. Is there a webpage known for this and we can test without showing T!Ts to my boss on accident.
lol.
I just use redtube. Is that wrong? lol
If gambling sites are blocked in the same filter, then we use gambling.com as a test of it.
But, yeah, I'd say turn off images in your browser, then test the sites for blocking.
I had to find white supremacist sites that didn't have words in their URL that would be blocked by the text filter. Not a fun job...
I always did godhatesfags.com it's normally covered by hate speech, I imagine the KKK's website would also work.
With alot of web filtering stuff you can specify a page to be blocked, you can just manually block a test page that no one would ever want to go to like yourcompanyurl.com/thispageisblocked
on this same sidenote, does anyone know any reputable cloud based web filtering companies that can support thousands of users across hundreds of branch networks? We are looking into barracuda, but other companies would be great too.
I think I am going to go with an opendns solution.
On the SRX you can test an URL on the command line and see the result. Palo Alto has examples (https://urlfiltering.paloaltonetworks.com/CategoryList.aspx) for each category, and you can also test an URL here (https://urlfiltering.paloaltonetworks.com/?AspxAutoDetectCookieSupport=1)
The thing is, URL filtering doesn't work too well with HTTPS sessions as the GET request is encrypted. So the underlying IP block needs to be categorized as well. Most of the x-rated sites are still on plain old HTTP though.
Something I tried recently on a guest network is the OpenDNS FamilyShield servers, redirects queries for adult and proxies/anonymizers. FW is configured to only allow DNS to those two servers for the guest VLANs, all else is dropped. I haven't tested it extensively yet though :mrgreen:
Quote from: LynK on December 09, 2015, 01:35:06 PM
I think I am going to go with an opendns solution.
I heard this works well. My old company used them for a bit and loved it. Then switched to Websense and things sucked again. :barf: Websense was full of issues, especially overseas.
I used to use the neighboring companies network, who didn't have such controls. we were co-located in the same building.
I used to be the p0rn police..
Quote from: LynK on December 09, 2015, 01:35:06 PM
on this same sidenote, does anyone know any reputable cloud based web filtering companies that can support thousands of users across hundreds of branch networks? We are looking into barracuda, but other companies would be great too.
I think I am going to go with an opendns solution.
I also recommend OpenDNS. I recently migrated a large enterprise with around 100 sites to OpenDNS and it has been performing quite well.
If you use Websense, Websense has a support page where you can click on linkies that don't actually have the content as described - they are just test pages that have been classified as porn, gambling, etc. to make the Web Security product throw up a block page.
I remember when I worked for them in tech support, a number of customers going to playboy.com or hustler to test and it was always humorous on a remote session when the blocking didn't work. Had that conversation more than once to use the provided test page on the Websense web site. ;)
Quote from: routerdork on December 09, 2015, 02:26:03 PM
Quote from: LynK on December 09, 2015, 01:35:06 PM
I think I am going to go with an opendns solution.
I heard this works well. My old company used them for a bit and loved it. Then switched to Websense and things sucked again. :barf: Websense was full of issues, especially overseas.
Websense works very well when you understand what's involved. Were you using the proxy product and trying to backhaul traffic overseas? Latency is a huge factor there.
On an unrelated note - upgrades were awful. We pretty much recommended completely destroying the deployment and re-installing from scratch, then importing the settings from your previous deployment.
Quote from: AspiringNetworker on December 09, 2015, 03:43:14 PM
Quote from: routerdork on December 09, 2015, 02:26:03 PM
Quote from: LynK on December 09, 2015, 01:35:06 PM
I think I am going to go with an opendns solution.
I heard this works well. My old company used them for a bit and loved it. Then switched to Websense and things sucked again. :barf: Websense was full of issues, especially overseas.
Websense works very well when you understand what's involved. Were you using the proxy product and trying to backhaul traffic overseas? Latency is a huge factor there.
On an unrelated note - upgrades were awful. We pretty much recommended completely destroying the deployment and re-installing from scratch, then importing the settings from your previous deployment.
We had the agent installed on all PC's and then it would tunnel traffic to whichever DC was closest. It was a PITA for NetFlow because then everything showed up as Webense. Ran into a lot of issues where it would just crap out and you couldn't get anywhere. A few times I had it happen to me. I could get on our firewalls and get out with no issues but the agent wouldn't let you browse. Overseas there we had a ton of port blocking issues. Granted these may or may not have been Websense issues since they would randomly start working and then blow up again. But what I disliked most about this piece was dealing with tech support; horrible to get someone knowledgeable, cases dragged on and on, late to conf calls if they showed up.
Not URL, but for vulnerability there are test sites that host malicious scripts (that don't actually do anything) to see if your inspection is kosher.
Quote from: routerdork on December 09, 2015, 04:21:04 PM
We had the agent installed on all PC's and then it would tunnel traffic to whichever DC was closest. It was a PITA for NetFlow because then everything showed up as Webense. Ran into a lot of issues where it would just crap out and you couldn't get anywhere. A few times I had it happen to me. I could get on our firewalls and get out with no issues but the agent wouldn't let you browse. Overseas there we had a ton of port blocking issues. Granted these may or may not have been Websense issues since they would randomly start working and then blow up again. But what I disliked most about this piece was dealing with tech support; horrible to get someone knowledgeable, cases dragged on and on, late to conf calls if they showed up.
Ahhhhhh man so it sounds like things haven't changed much after I left... so you were doing Cloud web security or whatever it was called (Hybrid?)... it was new when I was leaving and I never supported it. I was wondering about that immediately after my post...
So funny to see your comments about Tech Support though... yep.... typical modus operandi I'm afraid. I wasn't even a CCNP and I was "the Cisco guy" - I got the pleasure of having any cases suspected of being remotely related to networking issues dumped in my lap.... got burnt out REAL quick.
EDIT - I would say ask for Daniela Herrera as she's great from what I remember... but looks like she's a TAM now...
EDIT2 - I'll never forget the time we had a huge issue with a very big financial customer... pulled in two developers into the support session.. and they sat there.. silent. The account manager screamed at them on IM to say something... it was so embarrassing. I was better off just supporting them myself. I think I ended up finding the issue on that one too - without the help of Dev afterall... sad - thought that's probably why they offered me a job when they found out I was leaving TS, or it was all just a show to try to get me to stay - they do some screwy stuff over there since retention issues abound... but that was before the HQ move to TX.
My security team goes to playboy.com... mainly just articles and longer has porn but should still be filtered as a porn site
Quote from: SofaKing on December 10, 2015, 11:13:34 AM
My security team goes to playboy.com... mainly just articles and longer has porn but should still be filtered as a porn site
A colleague and I just found out testing our proxy the other day that Playboy.com is no longer considered Porn by our Bluecoat Proxy but rather Entertainment since they have now switched to more like a Maxim magazine style magazine/website. We thought our changes broke something but turned out it just wasn't blocked anymore.
Try looking up some of the more... "out-there" sites... I once had to filter for one employee's fetish for women with casts on. No nudity at the sites, but a guy had to pay $25 a month to see women in arm and leg casts in various provocative poses.
There was more than one site, as I recall... but I knew the rule about there being pr0n about just about anything long before anyone made it into a rule about the Internet.
But the out-there sites tend to have names that don't flag in URL text filters. "Womenwithcasts.com" almost sounds like an online support forum...
Quote from: deanwebb on December 10, 2015, 03:06:22 PM
But the out-there sites tend to have names that don't flag in URL text filters. "Womenwithcasts.com" almost sounds like an online support forum...
It's an online support forum for someone ;)...
Another challenge is undesirable content put on sites not classified as porn. If you for example allow blogs, and someone puts naked photos from their Cancun trip, it won't be blocked. Had to explain to a customer that Websense wasn't performing optical scans of pictures. ;P. Also Google Searches... Websense could integrate with Google's little kiddie protector thing.. but if Google didn't classify the content at a certain level, it wouldn't be blocked. Kids searching for "breasts" brought up pictures from sites not classfied by Websense or Google as high risk.. so... there ya go.
I read an article a while back on the massive human operations that manually classify content for services such as websense. Apparently its a mind numbing yet stressful job that burns people out really quickly - nobody can be exposed to that much filth full time without eventually coming out damaged.
http://www.wired.com/2014/10/content-moderation/ (http://www.wired.com/2014/10/content-moderation/)
Reminded me of the apocryphal story of how the CIA spent billions developing sophisticated expert-learning AI assisted programs for web based astroturfing/propaganda, allowing one human operator to masquerade as 20 or 30 fake individuals simultaneously, whilst China just paid an army of actual astroturfers a dollar a comment :)
Facebook and other guys have to hire content moderators. Third world people that live next to an Internet cafe who think they can make some easy money... two weeks later, they are husks with their cores shredded by what an unfiltered Internet is capable of.
It is never easy money, saying "no" to the raw Internet.
I ran into a number of commercial websites, that were hacked, had sub-sub-directories created to host pOrn, no links on any pages, you just had to know where to go via the specific URL.
Quote from: deanwebb on December 10, 2015, 03:06:22 PM
Try looking up some of the more... "out-there" sites... I once had to filter for one employee's fetish for women with casts on. No nudity at the sites, but a guy had to pay $25 a month to see women in arm and leg casts in various provocative poses.
There was more than one site, as I recall... but I knew the rule about there being pr0n about just about anything long before anyone made it into a rule about the Internet.
But the out-there sites tend to have names that don't flag in URL text filters. "Womenwithcasts.com" almost sounds like an online support forum...
Casts? Really? I have seen some odd fetishes but that is just weird lol.
Quote from: Nerm on December 11, 2015, 07:50:17 AM
Quote from: deanwebb on December 10, 2015, 03:06:22 PM
Try looking up some of the more... "out-there" sites... I once had to filter for one employee's fetish for women with casts on. No nudity at the sites, but a guy had to pay $25 a month to see women in arm and leg casts in various provocative poses.
There was more than one site, as I recall... but I knew the rule about there being pr0n about just about anything long before anyone made it into a rule about the Internet.
But the out-there sites tend to have names that don't flag in URL text filters. "Womenwithcasts.com" almost sounds like an online support forum...
Casts? Really? I have seen some odd fetishes but that is just weird lol.
It's a big crazy world that takes all types to make it go 'round... someone, somewhere, is buying a toaster for all the wrong reasons. What those reasons are, I can't say... but I just know, deep down, that the reasons are
wrong.
Websense to my knowledge uses crawlers. The only manual operation that they do that I'm aware of is when customers specifically request a specific classification of a website - then it of course has to be reviewed.
EDIT - After looking at that article though... I wonder if the crawlers are people :P