Category Archives: Content Filter

How to identify computers in WFilter?

WFilter can monitor and filter the internet activity of computers in your network. Two monitoring modes are available: “by ip address” and “by MAC address”. In “by ip address” monitoring mode, WFilter identifies a computer by its IP address; in “by mac address” monitoring mode, it identifies a computer by its MAC address.

However, if the IP addresses of computers in your network are not fixed, you might have trouble identifying a computer in order to set its monitoring/blocking policy.

This tutorial introduces several ways to identify computers in your network in WFilter.

1. Monitor and block by AD users

Since WFilter can be integrated with Microsoft Active Directory, you don’t need to identify computers at all if you have an AD available.

With “account monitoring” enabled, you can set blocking policies based on AD users, regardless of which computers they are using.

Please check this document for more details about “account monitoring”: How to do monitoring based on user accounts?

2. Identify computers by MAC addresses

With “by mac address” monitoring mode, WFilter identifies a computer by its MAC address. A MAC address is assigned by the manufacturer of a network interface card (NIC) and is stored in its hardware. It won’t change unless the NIC hardware is replaced.

When you set a recording policy or blocking policy for a computer in the “user-computer table”, the settings are bound to its MAC address. Even if its IP address changes, the settings are not lost.

However, “By MAC address” monitoring mode is only available for single-segment networks, because a computer’s MAC address cannot be retrieved when it is located behind a router.

Therefore, in a single-segment network, “by mac addresses” is a good choice if your IP addresses are dynamic.

3. Identify computers by IP addresses

If your network has multiple segments, you can only use “by ip address” monitoring mode. Therefore, we recommend making IP addresses static in a multi-segment network. If you want to leave the IP addresses dynamic, the only solution left is “Monitor and block by AD users”, as discussed above.

For more information, please check “WFilter Enterprise”.

Other related links:

How to block internet downloading?
How to monitor internet usage on company networks?
Internet monitoring software for business
How to filter web surfing?
How to block websites and restrict internet access?
How to block HTTPS websites on my network?
How to setup ip-mac binding in WFilter?
How to block facebook at work of network computers?

How to block facebook at work of network computers?

Facebook is a social utility that connects people with friends and others who work, study and live around them. However, employees might spend too much time on this website during working hours.


This tutorial will guide you to set up an internet policy to block facebook access at work with WFilter version 3.3.


You can block facebook access at different levels:



  1. Block facebook website completely.
  2. Allow facebook website, but block facebook chatting.
  3. Allow facebook website, but block facebook applications and games.

1. Block facebook website completely


1). Block facebook website by “Website Black/White List”.


Add “*.facebook.com” into a website black list.


Now HTTP access of facebook will be blocked.


2). Block https facebook by “HTTPS Black/White List”


Since facebook also provides HTTPS access, for complete blocking you also need to block HTTPS facebook with the “HTTPS Black/White List”.


Add “*.facebook.com” into a HTTPS black list.



Please note that you need to reopen your browser for the HTTPS black list to take effect.


2. Block facebook IM chatting


You may use WFilter to block “facebook IM” directly in “Blocking Level Settings” -> “Messengers”.



You will not be able to send a message when facebook IM is blocked.



3. Block facebook applications and games


Facebook applications and games will be blocked simply by adding “apps.facebook.com” into a website black list.






How to check whether a switch supports port mirroring?

To monitor the internet activity of all computers in your network, the WFilter computer must be connected to a mirroring port of your switch, or WFilter must be installed on a gateway computer.

Some inexperienced users might not know whether a switch supports port mirroring, so here is how to check.

First, check the features list of your switch.

“Port mirroring” is also called “port SPAN” or “port monitoring”. A switch that supports port mirroring is usually called a “manageable switch” or “managed switch”.
If you can find these keywords in your switch’s features list or manual, “port mirroring” is supported.

Example 1: description of cisco 2950.


Example 2: feature list of NETGEAR GS108T.

Second, check switch Web UI to find mirroring options.

Most manageable switches provide a web UI or console interface for changing their settings. If you can find “port mirroring” or “port monitoring” options in the Web UI, port mirroring is supported.

Example 1: Web UI of dlink 3226.

Example 2: Web UI of netgear GS748AT.

For more information, please check: Why WFilter can only monitor itself? How to monitor other computers in network?

How to block Mail.Ru Agent in network?

1. What is the Mail.Ru Agent?


Mail.Ru is the leading Internet portal in Russia in communication and entertainment. Its key product is the biggest communication portal for the Russian-speaking audience, which includes the largest free webmail service, the instant messenger Mail.Ru Agent, the national social network Moi Mir@Mail.Ru and the search engine Poisk@Mail.Ru. Mail.Ru’s headquarters is in Moscow.


Also Mail.Ru is the leader in online game publishing with over 50 percent market share in Russia. The company is a publisher of more than 100 game titles in Russia, Europe, Asia, including such popular original titles as Troetsarstvie, Legend: Legacy of the Dragons, Allods Online as well as successful international licenses such as Perfect World II, Lord of the Rings Online. Also Mail.Ru owns 50 percent in NIKITA.ONLINE.


This tutorial will guide you to block Mail.Ru Agent in your network.


2. How to block Mail.Ru Agent and Web-Mail.Ru?


2.1. First, add a new Custom Protocol


Because “Mail.Ru Agent” is not in the WFilter default pattern database, you need to add a custom protocol.



            The first pattern:

            Name: Mail.Ru_TCP
            Desc: Mail.Ru_TCP
            Type: TCP SEND
            Offset: 0
            Format: 0
            Content: ^\xef\xbe\xad\xde

            The second pattern:

            Name: Mail.Ru_HTTP
            Desc: Mail.Ru_HTTP
            Type: HTTP SEND
            Offset: 0
            Format: Host
            Content: ^(mra|webagent)\.mail\.ru

            The third pattern:

            Name: Mail.Ru_TCP_2
            Desc: Mail.Ru_TCP_2
            Type: TCP RECV
            Offset: 0
            Format: 0
            Content: ^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:2041\x0a$


 


2.2. Enable blocking of “Mail.ru Agent” in certain blocking policy.




Apply this blocking policy to certain computers.


 


3. Now Mail.Ru Agent will be completely blocked.




4. Web-Mail.Ru is also blocked.




How to add a logo image into WFilter blocking page?

The WFilter blocking denial page presents a blocking message to users when a web page is blocked. Sometimes you may want to add your logo image to this page.

This tutorial will guide you to add a logo image with “WFilter Enterprise 3.3”.

1. It is simple to add your logo when you have a website that hosts the image. Just click “Add image” and enter your logo URL when editing a denial page, as shown in the figures below.

2. However, if you don’t have a website available, you need to upload your image file to the WFilter “image” directory so that WFilter can find it. Please follow the steps below:
1). Copy your image file to the “www/image” directory of WFilter.
2). Click “Add image” in the denial page. Note that you need to enter the full URL of your logo here. For example, if the IP address of the WFilter computer is “192.168.1.20”, enter “http://192.168.1.20:9090/image/yourlogo”. Do not use “http://localhost:9090/image/yourlogo”.

Webpage being blocked:

3. If you’re familiar with HTML code, you can also edit the denial page source manually in the “config/Denypage” directory of WFilter.


What’s the difference between Pass-by filtering and Pass-through filtering?

Filtering technologies are divided into two types: Pass-through (server plug-in based) and Pass-by (standalone-based).

 

A Pass-by filter usually monitors and filters network traffic with the help of port mirroring while a Pass-through filter monitors and filters network traffic on a gateway or bridge.

 

The differences between Pass-by filtering and Pass-through filtering:

Advantages of Pass-by filtering:

 

1. Pass-by filtering is easier to deploy. You only need to set up a mirroring port in your switch, without changing your network topology. In contrast, since pass-through filtering needs to be installed in the gateway or bridge, you usually need to change your network topology to deploy a pass-through filtering product.

2. A pass-by filtering product, such as WFilter Enterprise, only deals with copies of network packets and does not delay the original packets. Even if a pass-by filtering product stops working, your internet connection stays alive.

However, because a pass-through product “stops and checks” network packets, it unavoidably adds a slight delay to your internet access. And when a pass-through filtering product stops working, you will lose your internet connection.

 

Disadvantages of Pass-by filtering:

 

1. Port mirroring is required for pass-by filtering; you cannot monitor or filter your network without a manageable switch.

2. A pass-by filtering product sends RST packets to terminate TCP connections; however, UDP traffic cannot be blocked by pass-by filtering. Usually, you also need to block certain UDP ports in your router for complete blocking.

3. Traffic shaping and QoS are unavailable in pass-by filtering, since it only deals with copies of network packets.

For more information about WFilter technical details, please check: WFilter Inside Technologies.

WFilter in comparison to other similar products.

There are a lot of products for managing your network: firewalls, content filtering, web filtering proxies… Some users might find it confusing to choose among them.
Since more and more customers have requested a comparison of WFilter with other similar products, I wrote this guide to list some important differences.

WFilter is a pass-by internet monitoring and filtering software program. It monitors network traffic from a mirroring port in your switch. When a TCP connection needs to be blocked, WFilter sends 1-2 RST packets to reset the connection. This is called “Passby Filtering”. More technical details of WFilter can be found at: WFilter Technologies

WFilter VS firewall program/appliance

Advantages:

1. WFilter monitors and archives most internet activities, while firewalls don’t keep internet usage details.

2. WFilter parses protocols at the application layer; it can recognize 100+ common protocols according to their signatures and behaviors. Most firewall programs/appliances filter packets based on ports or IP addresses.

3. WFilter analyses copies of internet packets from a mirroring port of your switch. It is easy to deploy and adds no delay to your network. A firewall program/appliance, however, needs to be deployed at the edge of your network, and since each packet goes through it, there will be a slight delay.

4. If the WFilter server goes down, the internet connection stays alive. If the firewall program/appliance hangs, you will not be able to access the internet.

5. WFilter is a content filtering product. It is designed to monitor and filter employees’ internet usage to raise productivity. A firewall program/appliance, however, is designed to filter network packets and protect your network.

Disadvantages:

1. WFilter cannot block UDP packets, so you also need to block UDP ports in your router/firewall.

2. WFilter consumes more memory and disk space on your computer. If you archive all internet activity, it might consume 2-3M of disk space for each monitored computer every day.

WFilter VS open source web filtering projects

Some open source projects, like “SQUID” and “dansguardian”, also provide web filtering solutions. Below I list some major differences:

1. Most open source projects work as a proxy server, which requires you to change your internet access to proxy mode.

2. Most open source projects do web filtering only. Blocking of p2p traffic and internet monitoring/archiving are not supported.

3. Open source projects lack statistics and reports.

4. Open source projects lack support. Since protocols keep changing, live update/support is required to keep your pattern database up to date, while most open source projects don’t have such support. In the IMFirewall protocol lab, to keep our pattern database up to date, we have a system that monitors most common internet products/protocols, so when a new version of a product is released, our team works on it immediately.

Try “WFilter Enterprise” by yourself: http://www.wfiltericf.com/WFilter.htm

How to block TeamViewer on my network using WFilter?

TeamViewer is a computer software package for remote control, desktop sharing, and file transfer between computers. The software operates with Microsoft Windows, Mac OS X, iOS, and Linux. It is possible to access a machine running TeamViewer with a web browser.

With TeamViewer, it is very convenient for employees to access computers in their homes and transfer files to remote computers. So, for security purposes, you may sometimes want to block TeamViewer on your network.

This tutorial will guide you to block TeamViewer with “WFilter Enterprise 3.3”.

Because blocking of TeamViewer is not supported by default in WFilter, in this example we use the “Customize Protocols” feature of WFilter to define the TeamViewer protocol.

First, Add “TeamViewer” Protocol.


TeamViewer has two patterns:
1. “teamviewer01”:
  Type — “HTTP SEND”
  Format — “X-IM-URL”
  Content — “s=.*\&(p|id)=.*\&client=.*”

2. “teamviewer02”:
  Type — “TCP ALL”
  Format — “0”
  Content — “^\x17\x24[\x00-\xff]{2}[\x00-\x02]”


Second, enable blocking of TeamViewer in certain blocking levels.



And apply this blocking policy to certain computers.



Now, TeamViewer will be blocked.

WFilter blocking events:



Failed TeamViewer connection:
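The Mail.Ru and TeamViewer patterns on this page can be exercised offline before they are deployed; the following added example (not WFilter code and not part of the original tutorials) applies them to constructed payloads. It assumes that Format “0” means the raw payload, “Host” the HTTP Host header and “X-IM-URL” the request URL, and that SEND/RECV/ALL is the traffic direction; `select_field`, `classify` and the sample data are hypothetical.

```python
import re

# Patterns copied from the Mail.Ru and TeamViewer tables on this page:
# (name, type, format, content)
SIGNATURES = [
    ("Mail.Ru_TCP",   "TCP SEND",  "0",        rb"^\xef\xbe\xad\xde"),
    ("Mail.Ru_HTTP",  "HTTP SEND", "Host",     rb"^(mra|webagent)\.mail\.ru"),
    ("Mail.Ru_TCP_2", "TCP RECV",  "0",
     rb"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:2041\x0a$"),
    ("teamviewer01",  "HTTP SEND", "X-IM-URL", rb"s=.*\&(p|id)=.*\&client=.*"),
    ("teamviewer02",  "TCP ALL",   "0",        rb"^\x17\x24[\x00-\xff]{2}[\x00-\x02]"),
]
HTTP_REQUEST = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")

def select_field(payload, fmt):
    """Return the bytes a pattern is applied to (assumed meaning of 'Format')."""
    if fmt == "0":                      # assumption: raw payload from offset 0
        return payload
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    if fmt == "X-IM-URL":               # assumption: the request target (URL)
        return lines[0].split(b" ")[1]
    for line in lines[1:]:              # otherwise a header name such as Host
        name, _, value = line.partition(b":")
        if name.strip().lower() == fmt.lower().encode():
            return value.strip()
    return b""

def classify(payload, direction):
    """Names of all signatures matching one payload seen as 'SEND' or 'RECV'."""
    is_http = HTTP_REQUEST.match(payload) is not None
    hits = []
    for name, typ, fmt, content in SIGNATURES:
        proto, sig_dir = typ.split()
        if sig_dir not in ("ALL", direction) or (proto == "HTTP" and not is_http):
            continue
        if re.search(content, select_field(payload, fmt)):
            hits.append(name)
    return hits

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "magic":    (b"\xef\xbe\xad\xde" + bytes(12), "SEND"),
    "host":     (b"GET / HTTP/1.1\r\nHost: mra.mail.ru\r\n\r\n", "SEND"),
    "redirect": (b"203.0.113.7:2041\n", "RECV"),
    "tv_bin":   (b"\x17\x24\x0a\x20\x01\x00", "RECV"),
    "tv_url":   (b"GET /a?s=1&id=2&client=3 HTTP/1.1\r\nHost: h.example\r\n\r\n", "SEND"),
    # An unrelated request that still matches the unanchored teamviewer01 regex.
    "shop":     (b"GET /q?s=shoes&p=2&client=web HTTP/1.1\r\nHost: shop.example\r\n\r\n", "SEND"),
}

if __name__ == "__main__":
    for label, (payload, direction) in SAMPLES.items():
        print(label, classify(payload, direction))
```

The last sample shows that the unanchored teamviewer01 expression also matches an unrelated request carrying `s`, `p` and `client` query parameters, so custom patterns are worth checking against ordinary traffic for false positives before blocking is enabled.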




How to block HTTPS websites on my network?

Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encryption and secure identification of the server. It uses port 443. HTTPS connections are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems.
More and more websites provide both HTTP and HTTPS access. For example, facebook.com can be accessed both from “http://www.facebook.com” and “https://www.facebook.com”, so you cannot block facebook completely until both HTTP and HTTPS are blocked. However, HTTPS is widely used in payment transactions, web email authentication and so on, so blocking all HTTPS traffic is not a good choice.

“WFilter Enterprise” provides an “HTTPS black/white List” that lets you filter HTTPS websites by their domain names.

First, enable “HTTPS Black/white List”.


Second, add HTTPS domains in the black list.
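The page does not say how the HTTPS black list learns a connection’s domain name. One place a passive filter can read it is the Server Name Indication (SNI) field of the TLS ClientHello; this added example (not WFilter code) extracts it from a constructed ClientHello and matches it against “*.facebook.com”. The function names, the wildcard semantics and the sample records are assumptions.

```python
import struct

def sni_from_client_hello(rec):
    """Return the SNI host name in a TLS ClientHello record, or None."""
    try:
        if rec[0] != 0x16 or rec[5] != 0x01:      # handshake record, ClientHello
            return None
        pos = 5 + 4 + 2 + 32                      # headers, client_version, random
        pos += 1 + rec[pos]                       # session_id
        pos += 2 + struct.unpack_from("!H", rec, pos)[0]   # cipher_suites
        pos += 1 + rec[pos]                       # compression_methods
        end = pos + 2 + struct.unpack_from("!H", rec, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", rec, pos)
            if ext_type == 0 and rec[pos + 6] == 0:        # server_name, host_name
                n = struct.unpack_from("!H", rec, pos + 7)[0]
                return rec[pos + 9:pos + 9 + n].decode("ascii").lower()
            pos += 4 + ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                      # truncated or not TLS
    return None

def is_blocked(host, blacklist):
    """Assumed semantics: '*.d' covers d and its subdomains; other entries are exact."""
    host = host.lower().rstrip(".")
    for entry in (e.lower() for e in blacklist):
        base = entry[2:] if entry.startswith("*.") else None
        if host == entry or (base and (host == base or host.endswith("." + base))):
            return True
    return False

def build_client_hello(host=None):
    """Constructed sample input: a minimal ClientHello, SNI extension optional."""
    exts = b""
    if host is not None:
        name = host.encode("ascii")
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        exts = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"     # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"   # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hello = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hello)) + hello

BLACKLIST = ["*.facebook.com"]   # the entry this page adds to the HTTPS black list

def decide(rec, blacklist=BLACKLIST):
    host = sni_from_client_hello(rec)
    if host is None:
        return "no-sni"          # no name to match; needs a separate policy
    return "block" if is_blocked(host, blacklist) else "allow"
```

A ClientHello without SNI yields `no-sni`, a case a name-based list cannot decide on its own.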


How to block sending emails with attachment on company network?

WFilter can be used to block sending/receiving emails, block sending attachments and filter email accounts. You only need to install WFilter on one computer to monitor all computers in your network.

This tutorial will guide you to block outgoing emails with attachments.

1. Block outgoing emails with attachment(s)

This feature can block sending of emails with attachments via SMTP protocol.

1.1 Add a new blocking level, as in the figure below:

1.2 Set a proper “Level Name” and “Level Desc”, and check “Block sending emails with attachment(s)”, as in Figure 2:

1.3 Apply this new blocking level to certain users in the “User-computer Table”, as in the figure below:

1.4 Emails with attachment(s) will be blocked, as in Figure 4: