How to block stock market trading programs in network?

Employees can spend hours on reading market data and online stock trading. To keep productivity, it is necessary to block online trading traffic during working hours.

This tutorial will guide you to block “Nest trader” and “(IIFL) Trader Terminal” traffic in your network.

Since WFilter does not have these two protocols supported in default, you need to add customize protocols in “System Settings”->”Customize Protocols”.

1. Block IIFL trade terminal

1). Add a new protocol named “IIFL Trader”, choose a protocol type.

2). Add a new pattern, choose pattern “Type” as “TLS”. Set pattern content as “swaraj\.indiainfoline\.com”.

3). Check “Block IIFL Trader” in your blocking policy.

4). Now IIFL trader can be blocked.

2. Block “Nest trader”

1). Add a new protocol named “Nest Trader”, choose a protocol type.

2). Add a new pattern, choose pattern “Type” as “TCP SEND”. Set pattern content as “^\x00\x00\x00\x13\x52\x55\x00\x0f\x6c\x69\x63\x65\x6e\x73\x65\x5f\x63\x68\x65\x63\x6b\x65\x72″.

3). Check “Block Nest Trader” in your blocking policy.

4). Done. Now Nest trader will also be blocked.

How to block youtube website access of network computers?

Since youtube video streaming can consume a lot bandwidth, you might want to block youtube access during working hours. This tutorial will guide you to setup an internet policy to block youtube access at work with WFilter 4.0 version.

You can block youtube at different levels:

  1. Block youtube access completely.
  2. Block youtube access during working hours.
  3. Block youtube videos, but allow youtube website.

1. Block youtube website completely

You can block youtube with WFilter’s “Website black list”, as shown in below figure:


You also can block youtube by blocking the “Streaming Media” website category. All streaming websites in WFilter url database will be blocked.

Access blocked.

Because youtube also provides HTTPS access, you need to enable a HTTPS black list to block HTTPS access of youtube.


HTTPS access blocked.

2. Block videos, but allow website access

If you want to allow youtube website, but block all videos. You can enable the “Block Online HTTP Video and Downloading of Video Files” option to do it.


How to customize WFilter reports by directly querying the database?

Though WFilter already has many reports by default, there has the chance that you need other report formats or data. In this case, you can directly query the database tables to get what you need.

It’s complicated to customize reports for WFilter file-based version. So you need to install WFilter database version first. For steps to install WFilter database version, please check: WFilter Database Version Installation Guide

There has a “web surfing time report” in “Detailed Reports”->”Web Report”, you can generate this report “by name” or “by website” in WFilter user interface. Now if you need to get a report of web surfing time both “by name” and “by website”, you need to customize a sql query. The data is stored in table “webreport” with below structure:


create table webreport
(

mac char(12) NOT NULL /* MAC address */
ip varchar(20) /* ip address */
acct varchar(200) /* domain username */
happendate varchar(10) /* date */
method char(1) /* 0 – get, 1 – post */
categoryid varchar(10) /* website category id */
host varchar(100) /* website domain name*/
visitcnt varchar(20) /* visits number */
duration varchar(20) /* surfing time in seconds*/

)


1. Web surfing time report by ip address

To get a report by ip address and websites for a certain date, you can execute a sql like:

select ip, host, sum(convert(int, duration)) cnt from webreport where happendate>=’20120803′ and happendate<’20120804′ and ip is not null group by ip, host order by ip, cnt desc

You will get such kind of data:

192.168.1.131 www.google.com 226
192.168.1.131 forum.imfirewall.us 192
192.168.1.131 ct1.addthis.com 180
192.168.1.131 l.yimg.com 180
192.168.1.131 sports.yahoo.com 153
192.168.1.20 m614.mail.qq.com 266
192.168.1.20 share.baidu.com 254
192.168.1.20 forum.imfirewall.us 200
192.168.1.20 hm.l.qq.com 180
192.168.1.20 info.iet.unipi.it 180

2. Web surfing time report by user

If you have “Account Monioring” enabled, you also can generate reports based on AD usernames. The sql will be:

select acct, host, sum(convert(int, duration)) cnt from webreport where happendate>=’20120803′ and happendate<’20120804′ and acct is not null group by acct, host order by acct, cnt desc

You will get such kind of data:

CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng www.google.com 226
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng forum.imfirewall.us 192
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng l.yimg.com 180
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng ct1.addthis.com 180
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng sports.yahoo.com 153
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng test.org.uk 96
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng www.yahoo.com 72
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng *.bc.yahoo.com 67
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng *.websense.com 59
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng *.g.doubleclick.net 34
CN=Users%2cDC=demo%2cDC=com%2fBruce_Geng www.google.com.hk 31


Please notice, the “acct” column is urlencoded. You need to urldecode it to get a readable username.

Online urldecode.

How to deploy WFilter in a VMware ESXi server?

VMware ESX and ESXi server are widely used in business networks. This document will guide you to deploy WFilter in a ESXi server to filter internet traffic of virtual systems.

In a VMware ESXi server, WFilter can work both in “Pass-by” and “Pass-through” modes. For more details about these two modes, please check: WFilter deployment modes

It is simple for WFilter to work in “Pass-by” mode in a VMware ESXi server. You simply need to install WFilter in a VMWare virtual computer and allow “Promiscuous mode” of the virtual switch. However, because WFilter can not filter UDP traffic in pass-by mode, you also need to configure udp blocking in an up-layer router/firewall. Please check: How to block certain UDP ports in router/firewall?

In this tutorial, we will introduce you to deploy WFilter in pass-through mode in a VMware ESXi server.

Deploy WFilter in pass-through mode in a VMware ESXi server.

To deploy WFilter in pass-through mode on a VMware ESXi server, following conditions are required:

  1. A virtual computer with two adapters to install WFilter.
  2. At least two virtual switches.
  3. The two adapters shall be connected to different virtual switches.

As in below figure, the wfilter server “94-wfilter-server” is connected between “vSwitch0″ and “vSwitch1″. In this topology, all virtual computers in vSwitch1 will be monitored and filtered by the WFilter server “94-wfilter-server”.

Step 1, create a new virtual switch

As in below figure, a new virtual switch with no physical adapter is created.

Step 2, connect the two adapters to different virtual switches

To bridge the virtual switches, two adapters of the WFilter server shall be connected to different virtual switches.

Step 3, allow “Promiscuous mode” of virtual switches

The virtual switches connected to the wfilter server shall be configured to accept “Promiscuous Mode”.

Now, you also need to bridge the two adapters inside the WFilter server. And the WFilter program shall be configured to work in “Pass-through mode”. Please check this document for more details: Deploy WFilter in a windows network bridge.

How to whitelist yahoo mail and hotmail websites in WFilter?

How to whitelist yahoo email and hotmail websites?


Sometimes you might want to block all websites with exception. In that case, you can enable WFilter’s “website whitelist” to do this.


However, websites can be complicated with differenet images/ad/files hosts. It will require you to whitelist several domains for a webpage to be properly loaded. For example, mail.yimg.com is also requiried for images in yahoo email.


In this topic, I will demonstrate you to identify the required domains for a website.


First, add the domain into the exception list


Second, make a visit and check real-time blocking of WFilter.


Make a visit to this website and check “real-time blocking” or “Current Activity” in WFilter, you will see several blocking events. These domains are also required for this webpage.


Add more domains into the exception list


Add more blocked domains into the exception list until the website can be properly loaded.


In this example, for hotmail and yahoo mail to work, you need to add below list:


*mail.yahoo*


*mail.yimg.com


*.live.com


*.hotmail.com


*.wlxrs.com

How to set a redirect denial page in WFilter?

Sometimes you might want to redirect blocked websites to a new URL. To do this, you need to edit WFilter denial page in source mode.

This tutorial will guide you to configure a redirect denial page in WFilter.

First, edit a blocking level

Edit a blocking level and new a denial page. Please don’t forget to list your new URL in the exception list.

Second, edit the denial page in source mode.

A javascript code is required:

<script>window.location=”http://www.yourwebsite.com/…”;</script>

Third, uncheck “view source” and click “Save” to save the settings.

Please notice, click “save” after unchecking “view source”.

Done, now all blocked web request will be redirected to the new url.

More information, please check “WFilter Enterprise”.

Other related links:

How to block UDP ports in RRAS windows server 2003?
How to block internet downloading?
How to monitor internet usage on company network?
Internet monitoring software for business
How to filter web surfing?
How to block websites and restrict internet access?
How to block HTTPS websites on my network?

When shall you use two network cards for monitoring and blocking?

In “pass-by” filtering mode(WFilter works on a mirroring port), WFilter sends RST packets to block TCP connections. However, if outgoing traffic is limited on the blocking adapter, blocking feature of WFilter might not be working.

The default settings of WFilter use a same adapter for monitoring and blocking. However, it will not work if a following condition is met.

  1. The monitoring switch does not allow outgoing traffic on the mirroring port. You can check this by “ping” other computers in the monitoring computer. This problem can be solved by changing switch settings(if supported) or adding a separated blocking adapter. Cisco switches have a parameter “ingress” to enable outgoing traffic on the mirroring port.
  2. The monitoring adapter is too busy of receiving mirrored packets. We recommend you to use another NIC for blocking when you have 50+ computers. To check this issue, you can run “System Settings”->”Check Settings” to perform a checking on the blocking adapter.

Steps to add a blocking adapter

1. Add a physical network card and connect this NIC to a normal port in your switch. If you have multiple VLANs, the blocking adapter shall be in a VLAN which can reach other VLANs.

2. Assign an available ip address and gateway settings to the new NIC.

3. If WFilter does not detect the new card in “System Settings”->”Monitoring Settings”, please click “Start”->”IMFirewall WFilter”->”Tools”->”Restart WFilter Service” to reload the adapters list.

4. Choose the new network card as the “blocking adapter” in “System Settings”->”Monitoring Settings”->”Monitoring Device Settings”.

5. Run “System Settings”->”Check Settings” to check.

6. Sometimes windows can not choose the correct network card for communicate, in that case, please check this topic to set “Metric”: Blocking adapter doesn’t work when using two network cards

Further readings:

How WFilter works to block internet connections in network?

How to block VNC traffic of network computers with WFilter?

VNC® provides secure remote access computers from any location for your home and organization. RFB is the protocol used in VNC and its derivatives.


This tutorial will guide you to block VNC with “WFilter Enterprise 4.0″. Because blocking of VNC is not supported by default in WFilter, in this example, we uses “Customize Protocols” feature of WFilter to define the VNC protocol.


First, Add “VNC” Protocol in “Customize Protocols”.


In “Customize Protocols”, new a protocol named “vnc”.



VNC has a pattern:
“vnc_tcp”:
Type–”TCP ALL”
Format–”0″
Pattern Content–”^\x52\x46\x42\x20\x30\x30″


Second, Enable blocking of VNC in certain blocking levels.


And apply this blocking policy to certain computers.


Now, VNC will be blocked.


WFilter blocking events:


Failure connection of VNC.

WFilter deployment with RouterOS’s port streaming feature.

Installed on a personal computer or server computer, RouterOS turns the computer into a network router, implementing features such as firewall rules, virtual private network (VPN) server and client, bandwidth shaping and quality of service, wireless access point functions and other commonly used features for routing and interconnecting networks.

To implement internet monitoring and more powerful internet filtering features with your RouterOS, you can enable RouterOS’s “port streaming” feature to mirror all internet packets to WFilter for monitoring and filtering.

This tutorial will guide you to configure RouterOS to work together with WFilter.

Enable Packet Streaming

Enable Packet Streaming in “Tools”->”Packet Sniffer”, choose the lan interface as the sniffer interface.

Set the WFilter server ip as the streaming server

Set the WFilter server ip address as the streaming server

Done, now you’re able to monitor all network computers in WFilter.

More information, please check “WFilter Enterprise”.

Other related links:

How to block UDP ports in RRAS windows server 2003?
How to block internet downloading?
How to monitor internet usage on company network?
Internet monitoring software for business
How to filter web surfing?
How to block websites and restrict internet access?
How to block HTTPS websites on my network?

Modify ESET personal firewall settings to make WFilter work.

All internet packets are required for WFilter to parse network activities. However, the ESET personal firewall blocks non-local computer network packets by default. Therefore, when the ESET personal firewall is enabled, WFilter can not monitor itself computer because other computer’s network packets are all blocked by ESET.

To make WFilter work with ESET personal firewall, you need to adjust the firewall settings.

The following example demonstrates how to configure ESET Smart Security 5.0:

1. Click “Setup” -> “Network” in ESET.

2. The filtering mode shall be “interactive filtering mode”.

3. Click “Configure rules and zones…” to set the rules.

In “Toggle detailed view of all rules” view, click “new” to creat a new rule.

The new rule is set to allow all TCP&UDP traffic. All other rules shall be disabled.

  1. Direction: Both
  2. Action: Allow
  3. Protocol: TCP & UDP
  4. Profile: For every

4. In “Advanced Personal firewall setup…”

Uncheck “Check TCP connection status” in “Packet inspection” section of “IDS and advanced options”.

Now your WFilter shall be able to work.

More information of disable ESET firewall, please check: http://kb.eset.com/esetkb/index?page=content&id=SOLN2113