The WebFilter and the Wikileak

When Wikileaks was first posted, I wondered to myself whether people with clearances could get themselves in trouble by viewing the website.   I was on vacation at the time, but 3 days later an email came out from the facility security officer.   Like many Federal government employees, we received a memo saying we cannot access those websites using company resources.   As the BlueCoat admin, I was asked to block access to Wikileaks.

Wikileaks has a number of different mirrors listed at wikileaks.info. They have also asked individuals to mirror the site and announce the address via Twitter. Not wanting to play a game of whack-a-mole while on vacation, I suggested to my colleague that he 1) look at blocking everything with wikileaks in the domain name and 2) ask BlueCoat to categorize wikileaks as illegal/questionable.

BlueCoat just posted a blog entry about Wikileaks. The post acknowledges that some organizations have expressed the desire to block wikileaks. We’re not looking for a discussion of rightness or wrongness in blocking this. It’s our decision, just like blocking porn and not blocking shopping. The BlueCoat WebFilter should be a tool allowing us to do this. The writer of the BlueCoat blog believes BlueCoat WebFilter does provide the flexibility for those who want to block wikileaks. I don’t agree.

UPDATE: BlueCoat now has a KB article on blocking wikileaks. Option 2 is simple. It’s a static solution, but better than the block we put in. Option 1 is blocking websites that are in both Political/Activist AND in News/Media. I’d have to do some testing to make sure that doesn’t have any collateral damage. The remainder of my original post is below. Also see the comments.

 The issue here is BlueCoat incorrectly categorizes wikileaks as Political/Activist Groups and News/Media.   I’ve also seen it categorized as Reference.   

Political/Activist contains sites like texasgop.org, aclu.org, rnc.org, dnc.org.  News/Media contains sites like cnn.com, foxnews.com, msnbc.msn.com.   WikiLeaks doesn’t fit in with these sites.   I can’t block those categories without a lot of collateral damage.   

If BCWF put wikileaks into a category I could safely block, I could also rely on BlueCoat Webpulse to dynamically categorize all new wikileak mirrors.    Instead I’m left in the cold.   Not even a knowledgebase article on how to block it manually.
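
The trade-off between the three block rules discussed in this post (either category, both categories, or "wikileaks" in the host name) can be checked against a ratings table before any policy goes live. The following is an added example, not code from this post or from BlueCoat, and it does not use BlueCoat policy syntax; the `*.example` hosts and their ratings are constructed, and the other ratings follow the categories named above.

```python
# Added example: audit three candidate block rules for misses and collateral.
# Ratings for the *.example hosts are constructed sample data (assumptions).
POL, NEWS, REF = "Political/Activist Groups", "News/Media", "Reference"

RATINGS = {  # host -> set of category ratings
    "wikileaks.info": {POL, NEWS},
    "wikileaks.de": {POL, NEWS},
    "mirror-one.example": {POL},            # mirror rated in only one category
    "aclu.org": {POL},
    "texasgop.org": {POL},
    "cnn.com": {NEWS},
    "foxnews.com": {NEWS},
    "opinion-daily.example": {POL, NEWS},   # unrelated site rated in both
    "encyclopedia.example": {REF},
}
# Hosts the policy is meant to block.
TARGETS = {"wikileaks.info", "wikileaks.de", "mirror-one.example"}

def rule_or(host, cats):
    """Block if the host is in either category."""
    return bool(cats & {POL, NEWS})

def rule_and(host, cats):
    """Block only if the host is rated in both categories."""
    return {POL, NEWS} <= cats

def rule_name(host, cats):
    """Block if any DNS label of the host contains 'wikileaks'."""
    return any("wikileaks" in label for label in host.lower().split("."))

def audit(rule, ratings=RATINGS, targets=TARGETS):
    """Return (targets the rule misses, non-targets the rule blocks)."""
    blocked = {h for h, c in ratings.items() if rule(h, c)}
    return sorted(targets - blocked), sorted(blocked - targets)

if __name__ == "__main__":
    for rule in (rule_or, rule_and, rule_name):
        missed, collateral = audit(rule)
        print(f"{rule.__name__:10} missed={missed} collateral={collateral}")
```

Replacing `RATINGS` with an export of real category lookups for the hosts users actually visit turns this into a pre-deployment check.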

4 Comments

  1. Hi,

    I understand you are on vacation and may not have access to all resources, but I did want to let you know that there is a Knowledgebase (KB) posting with exact instructions on how to block Wikileaks sites, including mirror sites with WebFilter. From WebFilter customers that desire this policy, we have had very positive feedback on our ability to block Wikileaks web sites and rate new Wikileak mirror sites on the fly with our cloud based real-time rating technologies.

    We believe Wikileaks is categorized correctly in both Political/Activist Groups and News/Media. The intersection of two categories (Political/Activist Groups and News/Media) provides a small set of web sites where Wikileaks content can be blocked per a customer-defined policy. The post assumes an OR (Political/Activist Groups or News/Media), which is not advised as this blocks all sites in either category. The multiple category ratings for web content that WebFilter can deliver provide a more granular and precise solution without inflating categories or generalizing web content into a flat schema of single categories.

    This solution allows customers to use their current deployments with no changes to production environments, only updating filtering policies. We even provide policy in the KB posting to copy/paste into your ProxySG devices. Adding a new category to a global web rating architecture takes time and we have regular cycles for this activity. Note that customers also have the option of creating custom categories, plus custom allow/block lists on the fly.

    Note that many major news sites hosted the Wikileaks content and these specific web site areas can be blocked using the policy advice in our KB article without blocking the entire site nor rating them as Illegal/Questionable which is more focused on scam sites.

    Our public Security Blog, like many other vendors, is an area for open comment and discussion, plus education on web threat techniques. Information on product features, capabilities, policy and best practices can be found in our Support web site. If you have any other questions, please let me know. We appreciate your use of Blue Coat solutions.

    Best,
    Tom Clare

    • Tom, thanks for the thought out reply. I appreciate your time.

      I see the wikileaks KB was posted two days ago on the 14th. I had checked both the KB and the forum several times but not since the 14th. I have an RSS feed subscription for both Field Alerts and the KB. Looks like my RSS feed for the KB was filtered to Solutions only so it didn’t see this added as a FAQ.

      I’m not familiar with using two categories together to generate a block. I’m a bit leery of that. So many sites are in multiple categories. I’m worried about unintended consequences, i.e. Political/Activist AND News/Media sounds a lot like huffingtonpost and the Drudge Report to me. I’ll have to play with it a bit, and see if the policy or the filter category works best for us.

      From what I’ve heard, we aren’t banned from reading the newspaper. So I have no designs on blocking the media websites.

      • Looking over the static list provided in the KB article, there are some obvious misses. wikileaks.info and many of the URLs on that page, like wikileaks.de, should be on the list.

        Then I took a couple of the URLs from the list and ran them through sitereview. Not all of the URLs on your known wikileaks list are actually in both the political and news categories.

        For a while I thought I didn’t know how to create a combined destination object correctly, then it turned out I was testing with a URL that wasn’t categorized with both. At any rate, I am 99% better off than I was when I wrote this originally. Again I appreciate your pointing out the KB/FAQ article.
