Author Archives: WFilter

How to monitor a wireless network?

Wireless communication brings fundamental changes to data networking and telecommunications. More and more organizations and home users are building wireless networks, and in many situations wired and wireless networks exist side by side. This topic demonstrates two ways to monitor the internet activity of a wireless network.

1.  Monitoring with a manageable switch.

A typical network contains both wired and wireless networks:

Because port mirroring cannot mirror wireless traffic, we need to set up port mirroring in the wired part of the network. In this example, we add a manageable switch (TL-SL2210WEB) between the router and the wireless AP to mirror the AP’s traffic.

“Port 1” of the manageable switch is connected to the router, “port 2” is connected to the WFilter computer, and “port 3” is connected to the wireless access point.

By setting “Port 1” as the mirrored port and “Port 2” as the mirroring port, we will be able to monitor all internet traffic.

Now you can monitor all the wired and wireless computers.

2. Deployment with a proxy server.

If you don’t have a manageable switch available, you can also do the monitoring on a local proxy server.

As shown in the figure below, if you set up a proxy server and install WFilter on it, all computers that use this proxy server to access the internet will be monitored.

Please refer to “Deploy WFilter with a Proxy Server” for more information.

How to block Skype?

1. What is Skype?


Skype is software that enables you to make free video and conference calls, send instant messages and share files with other Skype users. Skype uses both TCP and UDP and communicates over dynamic ports, which makes it difficult to block. For more details about the Skype protocol, please check: Skype protocol.


2. How to block Skype with WFilter?


WFilter makes it simple to block Skype traffic in your network from a central server. However, because WFilter is a pass-by filtering product, it can only detect and block Skype TCP traffic. So you also need to block UDP ports 1024-65534 in your router or firewall. For more information about “pass-by filtering”, please check: What is the difference between passby filtering and passthrough filtering?


(1) Add a blocking level and enable “Block Skype”.

(2) Apply the blocking level to the computers you want to block.

(3) Now Skype will not be able to connect anymore.

For more information, please check “WFilter Enterprise”.


Other related links:

How to block internet downloading?
How to monitor internet usage on company network?
Internet monitoring software for business
How to filter web surfing?
How to block websites and restrict internet access?
How to block HTTPS websites on my network?

What’s the difference between Pass-by filtering and Pass-through filtering?

Filtering technologies are divided into two types: Pass-through (server plug-in based) and Pass-by (standalone-based).

A Pass-by filter usually monitors and filters network traffic with the help of port mirroring, while a Pass-through filter monitors and filters network traffic on a gateway or bridge.

The differences between Pass-by filtering and Pass-through filtering:

Advantages of Pass-by filtering:

1. Pass-by filtering is easier to deploy. You only need to set up a mirroring port on your switch, without changing your network topology. A pass-through filtering product, however, has to be installed on the gateway or bridge, so you usually need to change your network topology to deploy it.

2. A pass-by filtering product, such as WFilter Enterprise, only deals with copies of network packets, so it does not delay the original packets. Even if a pass-by filtering product stops working, your internet connection stays alive.

However, because a pass-through product “stops and checks” network packets, it unavoidably adds a slight delay to your internet access. And when a pass-through filtering product stops working, you will lose your internet connection.

Disadvantages of Pass-by filtering:

1. Port mirroring is required for pass-by filtering; you cannot monitor or filter your network without a manageable switch.

2. A pass-by filtering product sends RST packets to terminate TCP connections, but UDP traffic cannot be blocked by pass-by filtering. Usually, you also need to block certain UDP ports in your router for complete blocking.

3. Traffic shaping and QoS are unavailable in pass-by filtering, since it only deals with copies of network packets.

For more information about WFilter technical details, please check: WFilter Inside Technologies.

Why is a port mirroring switch required to monitor my network? How to monitor internet usage without a manageable switch?

What is port mirroring?


Usually, a computer connected to a switch or a router can only receive its own network packets. A switch with a port mirroring function allows you to monitor network packets from a mirroring port.

With port mirroring enabled, the switch sends a copy of all network packets seen on one port (or an entire VLAN) to another port, where the packets can be analyzed.


How to monitor network without a port mirroring switch?


There are three methods to monitor your network without a manageable switch.

1. Using a broadcast hub

A broadcast hub is a data packet repeater commonly used in broadcast networks.

Most broadcast hubs provide an uplink port for connecting to an upper-layer device. Connect the upper-layer device to the uplink port of the hub (Note: Do not use the port next to the uplink port).

However, most broadcast hubs only work at 10Mb speed, and all the computers connected to the hub share the bandwidth, so a hub is not as fast as a switch. We therefore recommend that you use a manageable switch instead.


2. Windows Gateway, Proxy Server or Bridge


Windows Gateway


If a port mirroring switch is unavailable, you can set up a Windows gateway at your network edge. With an internet monitoring/filtering product installed on this Windows gateway, you will be able to monitor all internet traffic of the network computers.


How to configure Windows 2008 Server IP Routing?


Proxy Server

A proxy server is a computer that offers a network service allowing clients to make indirect network connections to the internet.

Like the gateway solution, you can also do monitoring/filtering on the proxy server. To make things simple, some proxy servers have monitoring/filtering modules integrated, while some monitoring/filtering programs also have a proxy module integrated.

For example, you can easily enable the proxy server service in WFilter Enterprise. For more details about WFilter proxy settings, please check:


http://www.wfiltericf.com/help/doc/deploy_proxy.htm


 


Bridge


Bridges (sometimes called “Transparent bridges”) work at OSI model Layer 2. Bridges simply forward data according to the destination address in the data packet.

By deploying a bridge at your internet entrance, you can set up a monitoring product on this bridge to monitor the internet activities of your whole network.


3. ARP Spoofing


ARP spoofing, also called ARP cache poisoning, is a hacking method that spoofs the contents of the ARP table on a remote computer on the LAN. With ARP spoofing, you act as a relay server between the client computers and the real gateway, so you will be able to monitor their traffic. However, as a hacking technology, ARP spoofing will make your network unstable.

So I recommend that you do not use it unless necessary.
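
A defensive check for the situation described above, as an added example that is not part of the original post: it parses ARP payloads and reports any packet in which a pinned IP address (here the gateway) is claimed by a different MAC address. The function names, addresses and sample packets are constructed for illustration.

```python
import struct


def make_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 28-byte Ethernet/IPv4 ARP payload (used only for the samples)."""
    fields = b""
    for mac, ip in ((sender_mac, sender_ip), (target_mac, target_ip)):
        fields += bytes.fromhex(mac.replace(":", "")) + bytes(map(int, ip.split(".")))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + fields


def parse_arp(payload):
    """Return (oper, sender_mac, sender_ip) or None if not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac, sender_ip = struct.unpack("!6s4s", payload[8:18])
    return oper, sender_mac.hex(":"), ".".join(str(b) for b in sender_ip)


def find_conflicts(payloads, pinned):
    """List (index, ip, claimed_mac) for ARP senders that contradict `pinned`."""
    conflicts = []
    for index, payload in enumerate(payloads):
        parsed = parse_arp(payload)
        if parsed is None:
            continue  # truncated or non-IPv4 ARP: skip instead of crashing
        _oper, mac, ip = parsed
        if ip in pinned and pinned[ip].lower() != mac:
            conflicts.append((index, ip, mac))
    return conflicts


# Constructed sample: documentation IP range, locally administered MACs.
GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "02:00:00:00:00:01"
CLIENT_MAC, OTHER_MAC = "02:00:00:00:00:10", "02:00:00:00:00:66"
SAMPLE = [
    make_arp(1, CLIENT_MAC, "192.0.2.10", "00:00:00:00:00:00", GATEWAY_IP),  # request
    make_arp(2, GATEWAY_MAC, GATEWAY_IP, CLIENT_MAC, "192.0.2.10"),  # genuine reply
    make_arp(2, OTHER_MAC, GATEWAY_IP, CLIENT_MAC, "192.0.2.10"),  # gateway IP, other MAC
    b"\x00\x01\x08\x00",  # truncated payload
]
PINNED = {GATEWAY_IP: GATEWAY_MAC}

if __name__ == "__main__":
    for index, ip, mac in find_conflicts(SAMPLE, PINNED):
        print(f"packet {index}: {ip} claimed by {mac}, expected {PINNED[ip]}")
```

A legitimate hardware change on the gateway raises the same conflict, so the pinned table has to be updated when the gateway is replaced.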

WFilter in comparison to other similar products.

There are a lot of products for managing your network: firewalls, content filtering, web filtering proxies… Some users might find it confusing to choose between them.
Since more and more customers have requested a comparison of WFilter with other similar products, I wrote this guide to list some important differences.

WFilter is a passby internet monitoring and filtering software program. It monitors network traffic from a mirroring port in your switch. When a TCP connection needs to be blocked, WFilter will send 1-2 RST packets to reset this connection. This is called “Passby Filtering”. More technical details of WFilter can be found at: WFilter Technologies

WFilter VS firewall program/appliance

Advantages:

1. WFilter monitors and archives most internet activities, while firewalls don’t keep internet usage details.

2. WFilter parses protocols at the application layer; it can recognize 100+ common protocols according to their signatures and behaviors. Most firewall programs/appliances filter packets based on ports or IP addresses.

3. WFilter analyses copies of internet packets from a mirroring port of your switch. It is easy to deploy and adds no delay to your network. A firewall program/appliance, however, needs to be deployed at the edge of your network, and since each packet goes through it, there will be a slight delay.

4. If the WFilter server goes down, the internet connection stays alive. If the firewall program/appliance hangs, you will not be able to access the internet.

5. WFilter is a content filtering product. It is designed to monitor and filter the internet usage of employees to raise your productivity. A firewall program/appliance, however, is designed to filter network packets and protect your network.

Disadvantages:

1. WFilter cannot block UDP packets. So you also need to block UDP ports in your router/firewall.

2. WFilter consumes more memory and disk space on your computer. If you archive all internet activity, it might consume 2-3M of disk space for each monitored computer every day.

WFilter VS open source web filtering projects

Some open source projects, like “SQUID” and “dansguardian”, also provide web filtering solutions. Below I list some major differences:

1. Most open source projects work as a proxy server, which requires you to change your internet access to proxy mode.

2. Most open source projects do web filtering only. Blocking of p2p traffic and internet monitoring/archiving are not supported.

3. Open source projects lack statistics and reports.

4. Open source projects lack support. Since protocols keep changing, live update/support is required to keep your pattern database up to date, and most open source projects don’t have such support. In the IMFirewall protocol lab, to keep our pattern database up to date, we have a system that monitors the most common internet products/protocols, so when a new version of a product is released, our team works on it immediately.

Try “WFilter Enterprise” by yourself: http://www.wfiltericf.com/WFilter.htm

How to block TeamViewer on my network using WFilter?

TeamViewer is a computer software package for remote control, desktop sharing, and file transfer between computers. The software operates with Microsoft Windows, Mac OS X, iOS, and Linux. It is possible to access a machine running TeamViewer with a web browser.

With TeamViewer, it is very convenient for employees to access computers at home and transfer files to remote computers. So for security purposes, you may sometimes want to block TeamViewer on your network.

This tutorial will guide you through blocking TeamViewer with “WFilter Enterprise 3.3”.

Because blocking of TeamViewer is not supported by default in WFilter, in this example we use the “Customize Protocols” feature of WFilter to define the TeamViewer protocol.

First, add the “TeamViewer” protocol.


TeamViewer has two patterns:
1. “teamviewer01”:
  Type: “HTTP SEND”
  Format: “X-IM-URL”
  Content: “s=.*\&(p|id)=.*\&client=.*”

2. “teamviewer02”:
  Type: “TCP ALL”
  Format: “0”
  Content: “^\x17\x24[\x00-\xff]{2}[\x00-\x02]”


Second, enable blocking of TeamViewer in certain blocking levels.



And apply this blocking policy to certain computers.



Now, TeamViewer will be blocked.

WFilter blocking events:



Failed TeamViewer connection:




How to block HTTPS websites on my network?

Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encryption and secure identification of the server. It uses port 443. HTTPS connections are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems.
More and more websites provide both HTTP and HTTPS access. For example, facebook.com can be accessed from both “http://www.facebook.com” and “https://www.facebook.com”, so you cannot block Facebook completely until both HTTP and HTTPS are blocked. However, HTTPS is widely used for payment transactions, web email authentication and so on, so blocking all HTTPS traffic is not a good choice.

“WFilter Enterprise” provides an “HTTPS black/white List” that lets you filter HTTPS websites by domain name.

First, enable “HTTPS Black/white List”.


Second, add HTTPS domains in the black list.


How to monitor jabber(XMPP) chat messages on network?

XMPP-based software is deployed on thousands of servers across the Internet and by 2003 was used by over ten million people worldwide, according to the XMPP Standards Foundation.
Because some organizations want to archive employees’ chat messages on their network, WFilter added support for recording Jabber messages from version “en.3.3.174”.
However, the default traffic of XMPP clients is encrypted and compressed, so to enable WFilter to monitor the chat messages of Jabber clients, you need to disable encryption and compression in the Jabber server settings.

Let’s take Openfire as an example.

First, disable SSL/TLS in “security settings”.


Second, disable compression in “compression settings”.


Now, Jabber (XMPP) messages will be recorded in WFilter.


How to block BBC online video with WFilter?

One customer reported that BBC online video could not be blocked by WFilter, even when “Block Online HTTP Video and Downloading of Video Files” is checked in certain blocking levels.
So we did some research and found that, in addition to HTTP, the BBC websites also use RTMP (Real Time Messaging Protocol) to play online video.
Because blocking of RTMP is not supported by default in WFilter (it will be added soon), this tutorial will guide you through blocking BBC online video with the “Customize Protocols” feature of WFilter.

First, add a new protocol named “RTMP”.


1. Protocol Settings:
Protocol Name: RTMP
Protocol Desc: Real Time Messaging
Protocol Type: Streaming

2. Pattern1
Name: RTMP_HTTP
Desc: RTMP_HTTP
Type: HTTP SEND
Offset: 0
Format: User-Agent
Content: Shockwave\sFlash

3. Pattern2
Name: RTMP
Desc: RTMP
Type: TCP_SEND
Offset: 0
Begin Byte: 03
Format: 0
Content: \x03[\x00-\xff]{4}\x80\x00

Second, enable blocking of RTMP in certain blocking levels.

Now, BBC videos will be successfully blocked.
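
The custom patterns in the TeamViewer post and the RTMP patterns above are ordinary regular expressions, so they can be checked against sample traffic before a blocking level relies on them. The following is an added example, not WFilter code: it assumes TCP patterns are tried at the start of the payload and HTTP patterns are searched in the named field, and every sample input is constructed.

```python
import re

# Patterns copied verbatim from the TeamViewer and RTMP posts. How WFilter
# applies them is an assumption: TCP patterns are tried at payload offset 0,
# HTTP patterns are searched in the named field ("X-IM-URL" = request URL).
SIGNATURES = [
    ("TeamViewer/teamviewer01", "url", re.compile(r"s=.*\&(p|id)=.*\&client=.*")),
    ("TeamViewer/teamviewer02", "tcp", re.compile(rb"^\x17\x24[\x00-\xff]{2}[\x00-\x02]")),
    ("RTMP/RTMP_HTTP", "user-agent", re.compile(r"Shockwave\sFlash")),
    ("RTMP/RTMP", "tcp", re.compile(rb"\x03[\x00-\xff]{4}\x80\x00")),
]


def classify(tcp_payload=b"", url="", user_agent=""):
    """Return the names of every pattern that fires for one observation."""
    fields = {"tcp": tcp_payload, "url": url, "user-agent": user_agent}
    hits = []
    for name, field, pattern in SIGNATURES:
        data = fields[field]
        found = pattern.match(data) if field == "tcp" else pattern.search(data)
        if found:
            hits.append(name)
    return hits


# Constructed observations (not captured traffic), one per case worth checking
# before a pattern is switched from monitoring to blocking.
SAMPLES = {
    # 0x03 version byte, 4-byte timestamp, then 0x80 0x00 as the pattern expects
    "rtmp_handshake": dict(tcp_payload=b"\x03\x00\x00\x12\x34\x80\x00\x07\x02" + bytes(16)),
    # starts with 0x17 0x24 and has a fifth byte in the range 0x00-0x02
    "teamviewer_like": dict(tcp_payload=b"\x17\x24\x0a\x20\x01\x00\x00\x00"),
    # TLS handshake record: must not trip either TCP pattern
    "tls_hello": dict(tcp_payload=b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
    # URL with the three parameters in the order teamviewer01 requires
    "tv_style_url": dict(url="/example?s=00000000&id=0&client=sample"),
    # unrelated shop search that happens to carry s=, id= and client=
    "shop_search": dict(url="/search?s=shoes&id=4&client=web"),
    # any HTTP request sent with the Flash user agent, RTMP-related or not
    "flash_http": dict(user_agent="Shockwave Flash"),
    "browser_http": dict(url="/index.html", user_agent="Mozilla/5.0"),
}


def run_samples():
    """Map each sample name to the list of patterns it triggers."""
    return {name: classify(**obs) for name, obs in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:16} -> {hits or 'no match'}")
```

The shop-search URL triggers teamviewer01 and any request with the Flash user agent triggers RTMP_HTTP, so both HTTP patterns can also block traffic that has nothing to do with TeamViewer or RTMP.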

Related Topic: How to block bbc iplayer?

How to restrict employees internet access on your network?

The internet can be a benefit to business when used properly, but it is often abused by employees and poses significant liability and security risks. Used improperly, the internet can subject every organization to harassment claims, countless hours of lost productivity and innumerable security leaks and vulnerabilities.

Several important risks caused by improper internet usage:
1. Virus infection
2. Lost productivity
3. Legal liability
4. Bandwidth consumption

So it is necessary for you to restrict employees’ internet access on your network.

To achieve this goal, you first need an internet access policy, which should be able to:

1. Clarify what constitutes acceptable use of Internet services.
2. Ensure employees understand who to contact with questions regarding acceptable use.
3. Ensure employees understand the penalties that arise from Internet misuse.
4. Help lessen an organization’s spyware and virus infestation rates.
5. Provide human resources with signed documentation from each employee stating a pledge not to improperly use Internet services.
6. Help mitigate productivity losses.
7. Decrease dependence upon technology solutions used to enforce employee behavior.
8. Reduce the organization’s liability resulting from harassment claims, copyright violations originating onsite and other illegal acts.

You also need an internet filtering product to enforce your internet policy. Take “WFilter Enterprise” as an example: it enables you to monitor and filter internet access for all computers from a mirroring port of your switch. You only need to install WFilter on one computer to monitor the whole network.

Key Features:

  • Keep a detailed record of all web surfing and web posting.
  • Record all incoming and outgoing email content and attachments.
  • Monitor and archive instant messenger chat contents and activities.
  • Monitor and archive files transferred by web, ftp and IM tools.
  • Implement a policy to filter internet access during working hours.
  • Websites, messengers and p2p file downloading can be blocked to save bandwidth and raise productivity.
  • You only need to install WFilter in ONE computer to manage your whole network.

http://www.wfiltericf.com