Q: What keywords and patterns are used for the policies in Websense and Vericept ( No Answer,   2 Comments )
Question  
Subject: What keywords and patterns are used for the policies in Websense and Vericept
Category: Computers > Algorithms
Asked by: dougcc-ga
List Price: $200.00
Posted: 03 Mar 2004 07:09 PST
Expires: 02 Apr 2004 07:09 PST
Question ID: 312933
These products have built-in templates for policies.  What is the list
of keywords, patterns, and/or regular expressions that are used for
each policy?
Answer  
There is no answer at this time.

Comments  
Subject: Re: What keywords and patterns are used for the policies in Websense and Vericept
From: techsupport_ca-ga on 06 Apr 2004 23:34 PDT
 
Hello dougcc-ga,

I'm not sure if I fully understand the question, or how to answer, but
this may help:


First, a little explanation about what a Websense policy is (in
Websense v.5.1, the most current release):

A Policy defines what TIME and DAY of the WEEK a CATEGORY or PROTOCOL
is blocked, soft-blocked (quota-time, continue, after-work) or
permitted.

Where:
- TIME is a 24-hour clock
- DAY of the WEEK are Sun, Mon, Tues, Wed, Thurs, Friday, Sat and Sat
& Sun. (Yes, Sat & Sun, to indicate the weekend in one selection)
- CATEGORY is a list of over 80+ categories that Websense updates
daily by adding newly categorized Websites and removing old, outdated
sites and IP addresses
- PROTOCOL is a list of protocols that the Websense Network Agent can
monitor and filter.


---


Websense v.5.1 includes 3 out-of-the-box Policies:
* Global
* Power Users - Sample Policy
* Managers - Sample Policy

=============
Global Policy
=============
Defined as:

00:00 - 24:00; Sun, Mon, Tues, Wed, Thurs, Fri, Sat; *Default Settings
(Category Set); *Default Settings (Protocol Set)

* Default Settings (Category Set) - very limited access category that
allows the basic internet, but blocks and soft-blocks (quota-time,
continue, after-work) MANY categories

From the Websense v.5.1 Admin Guide, page 174:
http://www.websense.com/support/documentation/adminguide/v5/EIMAdminGuide.pdf
----
The Global policy is initially assigned by default to all users who are filtered
by Websense. This provides an immediate way to manage Internet access
throughout your organization. You can use the Global policy as it is, or edit it
to meet the needs of your organization. Since the Global policy is the default
policy, it cannot be deleted.

Initially, the Global policy directs Websense to filter requests according to
the Default Settings category set and the Default Settings protocol set 24
hours a day, seven days a week. See page 153 for more information on
category sets and filtering options.
After installing Websense, you should review the Default Settings category
set to determine whether it meets the needs of your organization. Make any
appropriate changes and the Global policy filters according to the revised
settings.

By default, the Global policy filters protocols and Internet applications
according to the Default Settings protocol set. For the Default Settings
protocol set, the Permit option is active for all protocols. See page 205 for
information on customizing filtering options for protocol sets.
Additionally, you can edit the Global policy to enforce different category sets
or protocol sets according to a schedule you establish. Websense then filters
users according to the new schedule.
---

=============
Power Users 
=============

Defined as:

00:00 - 24:00; Sun, Mon, Tues, Wed, Thurs, Fri, Sat; Never
Block(Category Set); Never Block(Protocol Set)

* Never Block (Category Set) - Access to any site within any category is not blocked

=============
Managers
=============

Defined as:

00:00 - 24:00; Sun, Mon, Tues, Wed, Thurs, Fri, Sat; Basic Filtering
(Category Set); Basic Filtering(Protocol Set)

* Basic Filtering (Category Set) - Websense's "Sinful Six" categories
are blocked, while every other category is allowed.  The six
categories include pornography, gambling, illegal activities, hate
sites, tasteless material and violent content
(http://www.wired.com/news/business/0,1367,51009,00.html)



------

I found the following Websense Knowledge Base Article that gives a
detailed explanation of how Websense determines whether a site is
blocked or allowed:


For each Internet site request it receives, Websense first assures
license compliance, and then determines which policy applies. Once the
active policy is determined, Websense filters the site according to
the policy's restrictions. These steps are described in the following
sections.

Ensuring License Compliance

When Websense receives a site request, it starts by evaluating your
license. If the license is current and the number of licensed users
has not been exceeded, Websense searches for the active policy, as
described in the next section.

If the license has expired or this user's request exceeds the license
limit, Websense either blocks all sites or permits all sites,
according to your Server Configuration setting. Be sure to renew or
increase your license to avoid similar problems in the future.

Determining the Policy

After license compliance has been assured, Websense must determine
which policy applies to the current request. Since a policy can be
assigned in various ways, Websense uses the following hierarchy to
locate the policy that applies.

1. Policy assigned to the User (if applicable).

2. Policy assigned to the IP address (Workstation or Network) of the
computer being used.

3. Policies assigned to Groups the user belongs to (if applicable).

4. The Global policy.

Websense applies only one policy to each request. For example, if
there is a policy assigned to the user making a request, Websense
enforces that policy. It does not check to see if there is a policy
assigned to the user's computer or to any groups the user belongs to.

In cases where a user belongs to more than one group and no user,
workstation, or network policy applies, Websense checks the policies
assigned to each of the user's groups. If all of the groups have the
same policy, then Websense filters the request according to that
policy.

If one of the groups has a different policy than the others, Websense
filters the request according to a setting in the Server Configuration
dialog box. If the "Use more restrictive blocking" option is checked,
Websense blocks the site if it would be blocked by any of the policies
assigned to those groups. If this option is unchecked, Websense
permits the site if it would be permitted by any of the policies
assigned to those groups.

After determining the appropriate policy for the request, Websense
filters the requested site in light of the policy's restrictions.

Filtering the Site

Websense compares the requested site to the policy's restrictions, in
the following order, to determine whether it should be permitted or
blocked.

1. Determine the policy's active category set for the current day and time.

A. If the active category set is Always Block, block the site.

B. If the active category set is Never Block, permit the site.

C. If the active category set is Yes List Only, check the permitted
custom URLs list. If the site is found on the permitted custom URL
list, permit the site. If the site is not found on the permitted
custom URL list, block the site.

D. If any other category set applies, continue to step 2.

2. Try to match the site to a URL in the permitted custom URLs list.

A. If a match is made, permit the site.

B. If a match is NOT made, continue to step 3.

3. Try to match the site to a URL in the filtered custom URLs list.

A. If a match is made, identify the category for the site and skip to step 5.

B. If a match is NOT made, continue to step 4.

4. Try to match the site to an entry in the Master Database. 

A. If a match is made, identify the category for the site and continue to step 5.

B. If a match is NOT made, skip to step 6.

5. Check the active category set and identify the filtering option for
the category of the requested site.

A. If the filtering option is Block, block the site.

B. If any other filtering option is in effect, continue to step 6.

6. Check for blocked keywords in the URL and/or CGI path, according to
the Server Configuration setting (see page ).

A. If a blocked keyword is found, block the site.

B. If a blocked keyword is NOT found, continue to step 7.

NOTE: If a site belongs to a permitted or deferred category, it may
still be blocked if it contains a blocked keyword.

7. Handle the site according to the filtering option set for the active category.

A. Permit - permit the site.

B. Defer to AfterWork (if available) - display the block message with
an option that lets users save the site as a bookmark on their
personal AfterWork.com page.

C. Defer to AfterWork/Continue (if available) - display the block
message with the options to save the site as a bookmark on their
personal AfterWork.com page, or view the site for work-related
purposes.

D. Quotas - Allows you to grant access to certain sites of your choice
in configurable increments of time.
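
The policy lookup hierarchy and the seven-step filtering order quoted in the comment above, modelled as an added example (not part of the original comment and not Websense code). It assumes exact host-name matching, one already-selected active category set per policy, and that an uncategorized site is permitted at step 7; all names and sample entries are constructed.

```python
# Added illustration: a model of the documented decision order, not Websense code.
# All names, data layouts and sample entries below are constructed assumptions.
def filter_site(host, url, category_set, cfg):
    """Steps 1-7: return (decision, label of the step that decided)."""
    name, options = category_set              # options: category -> filtering option
    if name == "Always Block":
        return "block", "1A"
    if name == "Never Block":
        return "permit", "1B"
    permitted = host in cfg["permitted_urls"]
    if name == "Yes List Only":
        return ("permit" if permitted else "block"), "1C"
    if permitted:                             # step 2 runs before any keyword check
        return "permit", "2A"
    # Steps 3 and 4: filtered custom URLs take precedence over the Master Database.
    category = cfg["filtered_urls"].get(host) or cfg["master_db"].get(host)
    # Assumption: an uncategorized site has no option set, so step 7 permits it.
    option = options.get(category, "permit") if category else "permit"
    if option == "block":
        return "block", "5A"
    if any(k in url.lower() for k in cfg["blocked_keywords"]):
        return "block", "6A"                  # keyword can block a permitted category
    return option, "7"

def applicable_policies(user, ip, groups, assign):
    """Hierarchy: user, then IP address, then groups, then Global; one level only."""
    if user in assign["users"]:
        return [assign["users"][user]]
    if ip in assign["ips"]:
        return [assign["ips"][ip]]
    return sorted({assign["groups"][g] for g in groups if g in assign["groups"]}) or ["Global"]

def decide(user, ip, groups, host, url, assign, policies, cfg, more_restrictive=True):
    names = applicable_policies(user, ip, groups, assign)
    results = [filter_site(host, url, policies[n], cfg)[0] for n in names]
    if more_restrictive:                      # "Use more restrictive blocking" checked
        return "block" if "block" in results else results[0]
    return "permit" if "permit" in results else results[0]

# Constructed sample configuration.
CFG = {"permitted_urls": {"intranet.example"}, "filtered_urls": {"blog.example": "Gambling"},
       "master_db": {"blog.example": "News", "casino.example": "Gambling", "news.example": "News"},
       "blocked_keywords": ["poker"]}
DEFAULT = ("Default Settings", {"Gambling": "block", "News": "permit"})
POLICIES = {"Global": DEFAULT, "Open": ("Never Block", {}), "Strict": ("Always Block", {})}
ASSIGN = {"users": {"alice": "Open"}, "ips": {"10.0.0.5": "Strict"},
          "groups": {"staff": "Global", "admins": "Open"}}
```

Two consequences of the ordering are worth checking when auditing a deployment: an entry on the permitted custom URLs list is never subjected to the keyword check, and the outcome for a user in several groups with differing policies depends entirely on the "Use more restrictive blocking" setting.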

Subject: Re: What keywords and patterns are used for the policies in Websense and Vericept
From: dougcc-ga on 09 Apr 2004 08:00 PDT
 
Thanks for the comment.  What I'm really looking for is the details
behind the policies, and I'm more interested in Vericept's list than
Websense's.  Ideally, I'd like to see the list of policies, and the
keywords or regular expressions behind each one.  For example, if
there's a "Hacker" policy, what keywords are they looking for in
email?  If there's a confidential information policy, what keywords or
patterns (e.g. Social Security Number pattern) are they looking for? 
It's really hard to evaluate how good the software is in terms of
catching stuff leaving our network unless we know what's behind the
policies.
