Category Archives: Internet Monitoring

How to block online file storage websites and file transfer applications?

Online storage solutions provide client applications and webpages for uploading and downloading files to and from their service. To stop business-sensitive data from being uploaded, you may want to block file storage websites and certain kinds of applications.

In this post, I will try to explain the detailed steps with WFilter Enterprise.

First you need to install WFilter and deploy it correctly. Then you can add blocking policies.

1. Block online storage websites.

To block websites by categories, you need to enable “Block webpages by categories” and click “New…” in the dropdown list to create a category filtering rule. Then set “online storage” to “Deny”.

This option enables you to block most online storage websites, including both HTTP and HTTPS sites (e.g. wetransfer.com).

2. Block file transfer applications.

To block file transfer applications, click “edit” in “Applications” of your blocking policy. Then set certain protocols in “File transfers” to “Deny”. This option blocks PC and mobile application clients. A list of supported protocols can be found at WFilter supported protocols list.

Please note that the protocols and websites supported by WFilter cannot cover all file transfer types. If you want to block an application that is not in the supported list, please feel free to contact us. We will add it for you for free.

Also, for complete blocking of file transfers, we recommend enabling the “website whitelist” of WFilter, so that only work-related websites can be accessed. You also need to forbid USB and Bluetooth devices.

WFilter MultiPing: how to ping multiple hosts and get report diagram?

A new extension of WFilter, multiping, has recently been released.

This extension can ping multiple hosts at a time and graph the statistics. With this extension, you can monitor the network performance of your servers, even for a whole day.

Settings and screenshots of WFilter multiping extension

Define hosts to be monitored.

Diagram of history ping performance.

This extension can be installed in “WFilter Enterprise”, “WFilter Free” and “WFilterROS”.

Homepage: WFilter multiping extension

Document: Graph ping performance of multiple hosts

How to monitor and filter internet activities of PPPOE users?

PPPOE is widely used for user authentication and traffic accounting. However, it’s a little difficult to monitor and filter PPPOE clients’ internet usage and behavior.

In this example, we will demonstrate how to monitor and filter PPPOE clients with WFilter Free. Please note that only non-encrypted and uncompressed PPPOE traffic is supported. So the first step is to configure your PPPOE server for non-encryption and non-compression.
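To see why the server has to be reconfigured, the following added example (not part of the original post and not WFilter code) classifies captured PPPoE session frames by their PPP protocol field, which tells a passive monitor whether the payload is a readable IP packet or a compressed/encrypted datagram. The sample frames, MAC addresses and function names are constructed for illustration.

```python
import struct

ETH_PPPOE_SESSION = 0x8864  # PPPoE session stage (RFC 2516)
# PPP protocol number -> (label, payload readable by a passive monitor)
PPP_PROTOCOLS = {
    0x0021: ("IPv4", True),
    0x0057: ("IPv6", True),
    0x00FD: ("compressed or MPPE-encrypted datagram", False),
    0x0053: ("ECP-encrypted datagram", False),
    0xC021: ("LCP control", False),
    0x80FD: ("CCP negotiation", False),
}

def classify_pppoe_frame(frame: bytes):
    """Return (label, inspectable) for one raw Ethernet frame."""
    if len(frame) < 14:
        return ("truncated Ethernet header", False)
    ethertype, offset = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == 0x8100 and len(frame) >= 18:  # skip one 802.1Q tag
        ethertype, offset = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != ETH_PPPOE_SESSION:
        return ("not a PPPoE session frame", False)
    if len(frame) < offset + 7:
        return ("truncated PPPoE header", False)
    if frame[offset] != 0x11 or frame[offset + 1] != 0x00:
        return ("unexpected PPPoE version or code", False)
    first = frame[offset + 6]
    if first & 1:  # protocol field compression: one-byte protocol number
        proto = first
    elif len(frame) >= offset + 8:
        proto = (first << 8) | frame[offset + 7]
    else:
        return ("truncated PPP protocol field", False)
    return PPP_PROTOCOLS.get(proto, ("PPP protocol 0x%04x" % proto, False))

def build_sample(ppp_proto: bytes, payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Constructed test frame: dummy MAC addresses, session id 1."""
    ppp = ppp_proto + payload
    pppoe = struct.pack("!BBHH", 0x11, 0x00, 1, len(ppp))
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_PPPOE_SESSION) + pppoe + ppp

def unreadable_share(frames):
    """Fraction of PPPoE session frames that carry no readable IP payload."""
    results = [classify_pppoe_frame(f) for f in frames]
    data = [r for r in results if r[0] != "not a PPPoE session frame"]
    return sum(1 for r in data if not r[1]) / len(data) if data else 0.0

# Constructed samples: IPv4, IPv4 with a one-byte protocol field, 0x00FD data, LCP
SAMPLES = [build_sample(b"\x00\x21"), build_sample(b"\x21"),
           build_sample(b"\x00\xfd"), build_sample(b"\xc0\x21")]
```

If most data frames on the monitored adapter come back as 0x00FD or 0x0053, compression or encryption is still being negotiated and the server settings below have not taken effect.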

1. PPPOE server settings

Let’s take Windows 2003 and RouterOS as examples.

1). 2003 Server Configuration

If you are using Windows 2003 Server as the PPPOE server, please follow the steps below:

In “Properties” of the “Routing and Remote Access”, disable “software compression” and “LCP” in the “PPP” tab.

Edit “remote access policy” for “no encryption” in “Edit Profile”. Note: both of the default policies must be modified.



2). ROS Configuration

If you are using RouterOS as the PPPOE server, please follow these steps to disable compression and encryption:

In “PPP” tab of “Profiles”, click “Protocols” and disable compression and encryption.

2. Monitor PPPOE clients in WFilter

2.1) Choose the internal adapter

Now WFilter is able to parse PPPOE traffic. In this example, we simply install WFilter Free on the Windows 2003 PPPOE server.

You need to choose the internal adapter as the “monitoring adapter” in “System Settings” -> “Monitoring Settings” of WFilter.


2.2). Setup client policy

Add a block policy to block web surfing.


Apply this policy to the PPPOE clients’ IP ranges.


2.3). Check Blocking

PPPOE clients get blocked.

Blocking events in WFilter.

WFilter deployment with gargoyle router.

1. Gargoyle Router Introduction

Gargoyle is an OpenWrt distribution which aims to be easy to use through a simplified web interface. Gargoyle can turn your wireless router into a powerful Linux system. Even if your router hardware does not support the “port mirroring” function, you can still enable traffic mirroring in software.

This blog will guide you through installing the “port-mirroring” program on your Gargoyle router and deploying WFilter for internet monitoring and filtering. We assume you already have a Gargoyle router; if not, please check the Gargoyle homepage to get the latest firmware.

2. Port-mirroring program

Port-mirroring is an open source project sponsored by IMFirewall Software. It is designed to mirror network traffic on Linux systems.

2.1. Installation

For a detailed installation guide, please check Port-mirroring open source packet mirroring. In this guide, let’s take the Linksys WRT54G router as an example.

Steps:

a). opkg update

b). opkg install http://port-mirroring.googlecode.com/files/port-mirroring_1.3-1_12.09_brcm47xx.ipk

Because Gargoyle is based on the OpenWrt Attitude Adjustment 12.09 branch, we need to install the build for OpenWrt 12.09.

2.2. Configuration

You need to edit /etc/config/port-mirroring to set the mirroring target and mirrored source interfaces.

In this example, we choose the “eth0” wireless adapter as the mirrored source interface.

2.3. Start Port-mirroring

/etc/init.d/port-mirroring start

3. Check monitoring in WFilter

WFilter should now be able to monitor client computers.

WFilter deployment with a network tap.

1. What is network tap?

A network tap is also a good way to monitor network traffic. Compared to a “port mirroring” switch, it has several advantages:

  1. Handy and flexible, requires no power supply.
  2. Once a network tap is in place, the network can be monitored without interfering with the network itself.
  3. Low cost, you can even DIY it yourself.

Guides for making a network tap can be found at the links below:

  1. Throwing Star LAN Tap
  2. Building an Ethernet Tap
  3. Throwing Star LAN Tap
  4. Create a passive network tap for your home network

The disadvantages of a network tap:

  1. Cannot monitor gigabit networks. Requires a “filterable tap”.
  2. The monitoring port does not allow outgoing traffic. Therefore you need three network cards in the monitoring computer: two for monitoring and another for communication.

This blog will guide you to deploy WFilter with “Throwing Star LAN Tap”.

2. Deploy the LAN Tap.

First, you need to install three network cards in the monitoring computer.

In this example, the LAN tap is connected between the router and the first switch (J1 and J2). Monitoring ports J3 and J4 are connected to two adapters of the monitoring computer.

The monitoring adapters do not actually require IP addresses. In this example, we assign “192.168.1.181” and “192.168.1.182” to the two monitoring adapters (assigning an IP address makes it easier to identify the adapter in WFilter). The third adapter is assigned “192.168.2.189”.

3. Setup WFilter

Check the two monitoring adapters in “System Settings” -> “Monitoring Settings”. The third adapter should be chosen as the blocking adapter for sending blocking packets.

Now we’re able to monitor client computers. You will notice that one monitoring adapter only gets incoming packets, while the other only gets outgoing packets. This is how a network tap is designed.

Client computers can also be blocked.

WFilter deployment with openwrt router.

1. Openwrt Introduction

OpenWrt is a highly extensible GNU/Linux distribution for embedded devices. As a third-party firmware, OpenWrt can turn your wireless router into a powerful Linux system. With OpenWrt, even if your router hardware does not support the “port mirroring” function, you can still enable traffic mirroring in software.

This blog will guide you through installing the “port-mirroring” program on your OpenWrt router and deploying WFilter for internet monitoring and filtering. We assume you already have an OpenWrt router; if not, please check the OpenWrt homepage to get the latest firmware.

2. Port-mirroring program

Port-mirroring is an open source project sponsored by IMFirewall Software. It is designed to mirror network traffic on Linux systems.

2.1. Installation

For a detailed installation guide, please check Port-mirroring open source packet mirroring. In this guide, let’s take the Linksys WRT54G router as an example (with OpenWrt Backfire firmware). Steps:

a). Update the OpenWrt package list.

b). Install the port-mirroring program:

opkg install http://port-mirroring.googlecode.com/files/port-mirroring_1.2-1_backfire_brcm47xx.ipk

2.2. Configuration

You need to edit /etc/config/port-mirroring to set the mirroring target and mirrored source interfaces.

In this example, we choose the “wlan0” wireless adapter as the mirrored source interface.

2.3. Start Port-mirroring

/etc/init.d/port-mirroring start

3. Check monitoring in WFilter

WFilter should now be able to monitor client computers.

How to block pps streaming movies in iphone and android?

WFilter can block online streaming traffic in your network, even for mobile devices. In this tutorial we will guide you through blocking PPS streaming on iPhone and Android with WFilter 4.0.

Create a “block PPS” policy

Apply this policy to certain devices

Check blocking

PPS in android is now unavailable.

PPS in iphone becomes infinite loading.

Blocking events in WFilter.

How to deploy WFilter in a VMware ESXi server?

VMware ESX and ESXi servers are widely used in business networks. This document will guide you through deploying WFilter on an ESXi server to filter the internet traffic of virtual systems.

On a VMware ESXi server, WFilter can work in both “Pass-by” and “Pass-through” modes. For more details about these two modes, please check: WFilter deployment modes

It is simple for WFilter to work in “Pass-by” mode on a VMware ESXi server. You simply need to install WFilter in a VMware virtual computer and allow “Promiscuous mode” on the virtual switch. However, because WFilter cannot filter UDP traffic in pass-by mode, you also need to configure UDP blocking in an upstream router/firewall. Please check: How to block certain UDP ports in router/firewall?

In this tutorial, we will show you how to deploy WFilter in pass-through mode on a VMware ESXi server.

Deploy WFilter in pass-through mode in a VMware ESXi server.

To deploy WFilter in pass-through mode on a VMware ESXi server, the following conditions are required:

  1. A virtual computer with two adapters to install WFilter.
  2. At least two virtual switches.
  3. The two adapters shall be connected to different virtual switches.

As shown in the figure below, the WFilter server “94-wfilter-server” is connected between “vSwitch0” and “vSwitch1”. In this topology, all virtual computers on vSwitch1 will be monitored and filtered by the WFilter server “94-wfilter-server”.

Step 1, create a new virtual switch

As shown in the figure below, a new virtual switch with no physical adapter is created.

Step 2, connect the two adapters to different virtual switches

To bridge the virtual switches, the two adapters of the WFilter server must be connected to different virtual switches.

Step 3, allow “Promiscuous mode” of virtual switches

The virtual switches connected to the WFilter server must be configured to accept “Promiscuous Mode”.

You also need to bridge the two adapters inside the WFilter server, and the WFilter program must be configured to work in “Pass-through mode”. Please check this document for more details: Deploy WFilter in a windows network bridge.

Does port mirroring influence my network speed?

For pass-by monitoring and filtering, you need to set up a mirroring port on your switch. When the port mirroring feature is enabled, the switch replicates data from other ports onto a single port for monitoring purposes. Since the original packets are not held or delayed, port mirroring theoretically does not affect your network speed.

However, improper port mirroring settings will cause heavy load on your switch and can even cause packet loss.

So please consider the following points when configuring a mirroring port:

  1. Do not mirror multiple ports to one port unless necessary.
  2. If it is required to mirror multiple ports, please make sure the total throughput of the mirrored ports will not exceed the throughput limit of the mirroring port.
  3. For WFilter, mirroring the internet port is enough. Usually, only the router/firewall port needs to be mirrored.
  4. If your switch does not allow outgoing traffic on the mirroring port, or you’re using WFilter to filter internet access for more than 50 computers, it is recommended to use two network adapters: one for monitoring only and another for filtering.
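As an added example (not from the original post), the check in points 2 and 3 can be done from two reads of the switch's per-port byte counters: sum the received and transmitted rates of every mirrored port and compare the result with the mirroring port's speed. The port names, counter values and the 80% headroom threshold are constructed assumptions, and the calculation assumes both directions of each source port are mirrored.

```python
COUNTER_WRAP = 2 ** 32  # assumption: 32-bit octet counters, which wrap around

def rate_bps(first, second, interval_s):
    """Bits per second between two counter reads, tolerating one wrap."""
    return ((second - first) % COUNTER_WRAP) * 8 / interval_s

def mirror_utilization(before, after, interval_s, sources, mirror_bps):
    """Mirrored load as a fraction of the mirroring port's egress capacity.

    A mirrored port contributes its received AND transmitted traffic, so a
    single busy full-duplex port can already exceed a same-speed mirror port.
    """
    total = 0.0
    for port in sources:
        (rx0, tx0), (rx1, tx1) = before[port], after[port]
        total += rate_bps(rx0, rx1, interval_s) + rate_bps(tx0, tx1, interval_s)
    return total / mirror_bps

def verdict(utilization, headroom=0.8):
    """Classify the mirrored load; headroom is an illustrative threshold."""
    if utilization > 1.0:
        return "oversubscribed: mirrored packets will be dropped"
    if utilization > headroom:
        return "tight: bursts may be dropped"
    return "ok"

# Constructed counters (rx_bytes, tx_bytes), read 10 s apart; names are made up.
BEFORE = {"uplink": (1_000_000, 2_000_000),
          "access1": (500_000, 700_000),
          "access2": (4_294_000_000, 9_000_000)}  # rx counter about to wrap
AFTER = {"uplink": (51_000_000, 27_000_000),
         "access1": (25_500_000, 38_200_000),
         "access2": (11_532_704, 21_500_000)}
MIRROR_BPS = 100_000_000  # 100 Mbit/s mirroring port

if __name__ == "__main__":
    for sources in (["uplink"], ["uplink", "access1", "access2"]):
        u = mirror_utilization(BEFORE, AFTER, 10, sources, MIRROR_BPS)
        print(sources, f"{u:.0%}", verdict(u))
```

With these sample counters, mirroring only the uplink loads the mirroring port to 60%, while mirroring all three ports asks it to carry 130% of its capacity.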

How to check whether port mirroring settings are correct?
How to check whether a switch supports port mirroring?
Why a port mirroring switch is required to monitor my network?