test web filtering

Started by LynK, December 09, 2015, 12:49:56 PM


LynK

guys,

How do you test explicit sites for like X-rated stuff? Is there a webpage known for this and we can test without showing T!Ts to my boss on accident?

lol.
Sys Admin: "You have a stuck route"
            Me: "You have an incorrect Default Gateway"

Nerm

I just use redtube. Is that wrong? lol

deanwebb

If gambling sites are blocked in the same filter, then we use gambling.com as a test of it.

But, yeah, I'd say turn off images in your browser, then test the sites for blocking.

I had to find white supremacist sites that didn't have words in their URL that would be blocked by the text filter. Not a fun job...
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

dlots

I always did godhatesfags.com; it's normally covered by hate speech. I imagine the KKK's website would also work.

With a lot of web filtering stuff you can specify a page to be blocked; you can just manually block a test page that no one would ever want to go to, like yourcompanyurl.com/thispageisblocked



LynK

On this same side note, does anyone know any reputable cloud-based web filtering companies that can support thousands of users across hundreds of branch networks? We are looking into Barracuda, but other companies would be great too.

I think I am going to go with an OpenDNS solution.
Sys Admin: "You have a stuck route"
            Me: "You have an incorrect Default Gateway"

SimonV

On the SRX you can test a URL on the command line and see the result. Palo Alto has examples for each category, and you can also test a URL here

The thing is, URL filtering doesn't work too well with HTTPS sessions as the GET request is encrypted. So the underlying IP block needs to be categorized as well. Most of the x-rated sites are still on plain old HTTP though.

Something I tried recently on a guest network is the OpenDNS FamilyShield servers, which redirect queries for adult and proxies/anonymizers. FW is configured to only allow DNS to those two servers for the guest VLANs, all else is dropped. I haven't tested it extensively yet though :mrgreen:
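
An added example, not part of SimonV's post or any vendor's code: a sketch of the decision described above, where a filter reading the first client payload can match the full URL on plain HTTP but, on a TLS session, is left with the destination IP block to categorize. The category tables, hostnames, addresses and sample payloads are constructed for illustration.

```python
import ipaddress

# Constructed category data (assumptions for illustration, not a vendor feed).
URL_PREFIXES = {("adult.example", "/"): "adult",
                ("portal.example", "/casino/"): "gambling"}
IP_BLOCKS = {ipaddress.ip_network("198.51.100.0/24"): "adult"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")

# Constructed first client payloads: a plaintext request and the start of a
# TLS handshake record (content type 0x16), which carries no request line.
HTTP_REQ = b"GET /casino/poker HTTP/1.1\r\nHost: portal.example\r\n\r\n"
TLS_REC = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"


def url_category(host, path):
    """Longest matching path prefix for this host wins."""
    hits = [(len(p), cat) for (h, p), cat in URL_PREFIXES.items()
            if h == host and path.startswith(p)]
    return max(hits)[1] if hits else None


def ip_category(dst_ip):
    """Category of the address block the destination falls in, if any."""
    addr = ipaddress.ip_address(dst_ip)
    for net, cat in IP_BLOCKS.items():
        if addr in net:
            return cat
    return None


def classify_flow(dst_ip, first_bytes):
    """Return (basis, category) for the first client payload of a flow."""
    if first_bytes.startswith(HTTP_METHODS):
        head = first_bytes.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        lines = head.split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) < 2:
            return ("unknown", None)
        host = ""
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "host":
                host = value.strip().lower().split(":")[0]  # drop any port
        return ("url", url_category(host, parts[1]))
    if first_bytes[:1] == b"\x16":
        # Request line is inside the encrypted session: only the IP is left.
        return ("ip-block", ip_category(dst_ip))
    return ("unknown", None)
```

With these tables, the same TLS payload is categorized when sent to 198.51.100.7 and comes back uncategorized when sent to 203.0.113.10, which is the gap a filter test over HTTPS should look for.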


routerdork

Quote from: LynK on December 09, 2015, 01:35:06 PM
I think I am going to go with an OpenDNS solution.
I heard this works well. My old company used them for a bit and loved it. Then switched to Websense and things sucked again.  :barf: Websense was full of issues, especially overseas.
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

icecream-guy

I used to use the neighboring company's network, who didn't have such controls. We were co-located in the same building.
I used to be the p0rn police..
:professorcat:

My Moral Fibers have been cut.

mlan

Quote from: LynK on December 09, 2015, 01:35:06 PM
On this same side note, does anyone know any reputable cloud-based web filtering companies that can support thousands of users across hundreds of branch networks? We are looking into Barracuda, but other companies would be great too.

I think I am going to go with an OpenDNS solution.

I also recommend OpenDNS.  I recently migrated a large enterprise with around 100 sites to OpenDNS and it has been performing quite well.

NetworkGroover

If you use Websense, Websense has a support page where you can click on linkies that don't actually have the content as described - they are just test pages that have been classified as porn, gambling, etc. to make the Web Security product throw up a block page.

I remember when I worked for them in tech support, a number of customers going to playboy.com or hustler to test and it was always humorous on a remote session when the blocking didn't work.  Had that conversation more than once to use the provided test page on the Websense web site. ;)
Engineer by day, DJ by night, family first always

NetworkGroover

Quote from: routerdork on December 09, 2015, 02:26:03 PM
Quote from: LynK on December 09, 2015, 01:35:06 PM
I think I am going to go with an OpenDNS solution.
I heard this works well. My old company used them for a bit and loved it. Then switched to Websense and things sucked again.  :barf: Websense was full of issues, especially overseas.

Websense works very well when you understand what's involved.  Were you using the proxy product and trying to backhaul traffic overseas?  Latency is a huge factor there. 

On an unrelated note - upgrades were awful.  We pretty much recommended completely destroying the deployment and re-installing from scratch, then importing the settings from your previous deployment.
Engineer by day, DJ by night, family first always

routerdork

Quote from: AspiringNetworker on December 09, 2015, 03:43:14 PM
Quote from: routerdork on December 09, 2015, 02:26:03 PM
Quote from: LynK on December 09, 2015, 01:35:06 PM
I think I am going to go with an OpenDNS solution.
I heard this works well. My old company used them for a bit and loved it. Then switched to Websense and things sucked again.  :barf: Websense was full of issues, especially overseas.

Websense works very well when you understand what's involved.  Were you using the proxy product and trying to backhaul traffic overseas?  Latency is a huge factor there. 

On an unrelated note - upgrades were awful.  We pretty much recommended completely destroying the deployment and re-installing from scratch, then importing the settings from your previous deployment.
We had the agent installed on all PCs and then it would tunnel traffic to whichever DC was closest. It was a PITA for NetFlow because then everything showed up as Websense. Ran into a lot of issues where it would just crap out and you couldn't get anywhere. A few times I had it happen to me. I could get on our firewalls and get out with no issues but the agent wouldn't let you browse. Overseas there we had a ton of port blocking issues. Granted these may or may not have been Websense issues since they would randomly start working and then blow up again. But what I disliked most about this piece was dealing with tech support; horrible to get someone knowledgeable, cases dragged on and on, late to conf calls if they showed up.
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

wintermute000

Not URL, but for vulnerability there are test sites that host malicious scripts (that don't actually do anything) to see if your inspection is kosher.

NetworkGroover

Quote from: routerdork on December 09, 2015, 04:21:04 PM
We had the agent installed on all PCs and then it would tunnel traffic to whichever DC was closest. It was a PITA for NetFlow because then everything showed up as Websense. Ran into a lot of issues where it would just crap out and you couldn't get anywhere. A few times I had it happen to me. I could get on our firewalls and get out with no issues but the agent wouldn't let you browse. Overseas there we had a ton of port blocking issues. Granted these may or may not have been Websense issues since they would randomly start working and then blow up again. But what I disliked most about this piece was dealing with tech support; horrible to get someone knowledgeable, cases dragged on and on, late to conf calls if they showed up.

Ahhhhhh man so it sounds like things haven't changed much after I left... so you were doing Cloud web security or whatever it was called (Hybrid?)... it was new when I was leaving and I never supported it.  I was wondering about that immediately after my post...

So funny to see your comments about Tech Support though... yep.... typical modus operandi I'm afraid.  I wasn't even a CCNP and I was "the Cisco guy" - I got the pleasure of having any cases suspected of being remotely related to networking issues dumped in my lap.... got burnt out REAL quick.

EDIT - I would say ask for Daniela Herrera as she's great from what I remember... but looks like she's a TAM now...

EDIT2 - I'll never forget the time we had a huge issue with a very big financial customer... pulled in two developers into the support session.. and they sat there.. silent.  The account manager screamed at them on IM to say something... it was so embarrassing.  I was better off just supporting them myself.  I think I ended up finding the issue on that one too - without the help of Dev after all... sad - though that's probably why they offered me a job when they found out I was leaving TS, or it was all just a show to try to get me to stay - they do some screwy stuff over there since retention issues abound... but that was before the HQ move to TX.
Engineer by day, DJ by night, family first always

SofaKing

My security team goes to playboy.com... mainly just articles and no longer has porn but should still be filtered as a porn site
Networking -  You can talk about us but you can't talk without us!