Category Archives: Deployment

Deployment of WFilter NG Firewall

WFilter ICF vs. internet filtering appliances

With rich enterprise-level features, internet filtering appliances (UTM) are very popular in business networks. In this article, I discuss how the WFilter ICF internet content filtering solution differs from internet filtering appliances. Internet filtering appliances have the following advantages and disadvantages.

Advantages:

  1. More features. UTM appliances integrate more features, including web filter, VPN, firewall, anti-virus…
  2. Easier to deploy.

Disadvantages:

  1. Most appliances can only work for 2-3 years.
  2. Poor expandability. If you add more network clients, you need to buy new appliances.
  3. Very expensive. Even upgrades are not free.

Comparison

Despite the above disadvantages, internet filtering appliances are ideal for business network security. Though it is more difficult to deploy and has fewer features, WFilter ICF software has the following advantages:

  1. Software solution with no additional device; it can be deployed with minimal change to the network topology.
  2. The license is upgradable and movable.
  3. Free upgrades for lifetime.
  4. Most cost-effective.
  5. If you prefer UTM solutions, please also check our WFilter NG firewall.

WFilter ICF vs. DNS internet filtering solutions

A DNS internet filtering solution provides you with a configurable DNS server. A DNS query for a blocked domain is redirected to a denial page. This solution has the following advantages and disadvantages.

Advantages:

  1. Easier to deploy. You only need to change your DNS server to get filtered.
  2. Can filter domains via a blacklist or URL category.
  3. Can provide usage history and reports.

Disadvantages:

  1. The filtering DNS server may not be as fast as public DNS servers.
  2. Clients can bypass filtering by changing their DNS servers.
  3. All clients must share the same blocking policy.
  4. Cannot block applications.
  5. Can only record DNS queries. No bandwidth reports or visited URL reports.
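
Disadvantage 2 is something a network owner can check for. The added example below (not part of the original article and not WFilter code) scans constructed flow records and lists clients whose DNS traffic goes to a resolver other than the filtering one; the record format, the addresses and the function name are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the filtering DNS server that clients are supposed to use.
FILTERING_RESOLVERS = {ipaddress.ip_address("192.0.2.53")}
# Ports that identify DNS by themselves. DNS over HTTPS uses port 443 and
# cannot be told apart from web traffic by port, so it is not covered here.
DNS_PORTS = {53: "dns", 853: "dns-over-tls"}

# Constructed flow records: "client_ip server_ip protocol dst_port"
SAMPLE_FLOWS = """\
10.0.0.11 192.0.2.53 udp 53
10.0.0.12 198.51.100.8 udp 53
10.0.0.12 192.0.2.53 udp 53
10.0.0.13 203.0.113.1 tcp 853
10.0.0.14 203.0.113.80 tcp 443
10.0.0.12 198.51.100.8 tcp 53
malformed line
"""

def find_dns_bypass(flow_text, allowed=FILTERING_RESOLVERS):
    """Return {client: [(resolver, service), ...]} for DNS flows that skip the filter."""
    hits = defaultdict(set)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip records that do not match the assumed format
        client, server, _proto, port = parts
        try:
            ipaddress.ip_address(client)
            server_ip = ipaddress.ip_address(server)
            port = int(port)
        except ValueError:
            continue
        service = DNS_PORTS.get(port)
        if service is None or server_ip in allowed:
            continue  # not DNS, or DNS sent to the approved resolver
        hits[client].add((str(server_ip), service))
    return {client: sorted(found) for client, found in hits.items()}

if __name__ == "__main__":
    for client, found in sorted(find_dns_bypass(SAMPLE_FLOWS).items()):
        print(client, found)
```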

Comparison

Compared to these internet filtering solutions, WFilter ICF is more difficult to deploy. However, WFilter is much more powerful:

  1. When deployed in pass-by mode, WFilter has no impact on your network performance.
  2. Clients cannot bypass filtering because WFilter inspects all network packets.
  3. You can set an individual blocking policy for each client.
  4. More filtering features, including web filtering, web downloading blacklist, URL keyword filtering, application control, IP-MAC binding…
  5. More monitoring features and reports. WFilter can record visited domains, URLs, bandwidth… You can get various reports and statistics.

So if you only need to filter some domains or categories for the whole network, DNS filtering would be a good choice. If you need more detailed reports or a more dedicated blocking policy, WFilter ICF can be more helpful.

WFilter ICF vs. client & browser plugin internet filtering solutions

Client or browser plugin internet filtering solutions require you to install a client agent or browser plugin on each client PC to filter websites. This solution has the following advantages and disadvantages.

Advantages:

  1. Easier to deploy. You can install the client agent or plugin instantly.
  2. Can block domains or filter websites via a cloud-based URL category database.

Disadvantages:

  1. Cannot filter internet access from smartphones.
  2. Must be installed on every client PC.
  3. Clients can bypass filtering by changing browsers or killing the agent process.

Comparison

Compared to these internet filtering solutions, WFilter ICF is more difficult to deploy. However, WFilter is more powerful and easier to maintain:

  1. WFilter can filter the whole network with one installation.
  2. All types of clients can be filtered, including smartphones, Android, Mac, Windows and Linux.
  3. No client installation is required.
  4. More features: internet usage monitoring and reporting, application control, web filter…

So, for personal/family usage, a client & browser plugin web filtering solution might be a good choice. But when you need to manage a business network, WFilter ICF provides a better solution.

WFilter pass-by deployment for a multiple-VLAN network.

WFilter Enterprise (WFilter internet content filter) supports monitoring and filtering clients in multiple VLANs from a central WFilter PC.

Below is the deployment diagram: [image: wfilter-vlan]

Please note:

  1. The WFilter PC shall have two network cards.
  2. NIC1 shall be connected to the mirroring port.
  3. NIC2 shall be connected to the management VLAN, which can communicate with the other VLANs.
  4. The mirroring port shall be configured to monitor the uplink port (the port connected to the upper-layer router or firewall).

In WFilter, you also need to set up the “mirroring adapter” and “blocking adapter” in “System Settings”->“Monitoring Settings”. The mirroring adapter shall be the adapter connected to the mirroring port, while the blocking adapter shall be the adapter connected to the management VLAN.

WFilter added “Email Notification” in the ISP module.

The ISP module of “WFilter NG firewall” is designed for ISPs to manage users and bandwidth plans.

Besides the “user web portal”, a recent update of “WFilter NG Firewall” added an “Email Notification” feature, so users can get email notifications of their bandwidth usage.

[image: isp_emai_notification]

As shown in the above diagram, you can set different email alert frequencies for “valid users” and “cap exceeded users”, with different email contents.

This feature will be helpful for ISPs who prefer email alerts to the web portal.

WFilter email monitoring solutions for business networks.

Many users have asked about the email monitoring and recording features of WFilter. Both “WFilter Enterprise” and “WFilter NG firewall” are able to record SMTP, POP3, IMAP and web-based emails on the network. However, this feature has some limitations.

This post will discuss WFilter’s email monitoring features and solutions.

1. Monitoring of email clients

An email client receives emails via the POP/IMAP protocols and sends emails via the SMTP protocol. Today, SSL encryption is widely used by email clients. There are two kinds of SSL encryption: “SSL Connection” and “STARTTLS”. With WFilter, you can:

  • Monitor emails sent via plain SMTP/POP/IMAP.
  • Record email attachments as well.

For SMTP/POP/IMAP over SSL, you have two solutions:

Solution 1: Block SSL email connections to force email clients to use plain email protocols.

[image: block_ssl_mail_en]

When blocking is applied, email clients need to be reconfigured to disable SSL encryption.

[image: block_ssl_mail_en2]

Solution 2: Enable “SSL Email Inspection” with “WFilter NG Firewall”.

This feature can intercept SSL connections and record SSL emails. However, “STARTTLS” still cannot be recorded, even when “SSL Email Inspection” is enabled. Please check: SSL Email Inspection
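
The two kinds of encryption look different on the wire, which is why they are handled differently. The following added example (not from the original post and not WFilter's code) classifies constructed mail sessions as plaintext, STARTTLS or implicit TLS (the “SSL Connection” case) and returns the lines a passive monitor could record before encryption starts; the session contents and function names are assumptions.

```python
# Each session is a constructed list of (direction, payload): "C" = client, "S" = server.

def is_tls_record(data):
    # A TLS handshake record starts with content type 0x16 and major version 0x03.
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03

def classify_mail_session(packets):
    """Return (mode, recordable): transport mode and plaintext lines seen before encryption."""
    recordable = []
    upgrade_requested = False
    for direction, data in packets:
        if is_tls_record(data):
            # From here on a passive monitor only sees ciphertext.
            return ("starttls" if upgrade_requested else "implicit-tls"), recordable
        line = data.decode("ascii", "replace").strip()
        recordable.append((direction, line))
        words = line.upper().split()
        if direction == "C" and words:
            # SMTP sends "STARTTLS", POP3 sends "STLS", IMAP sends "<tag> STARTTLS".
            if words[0] in ("STARTTLS", "STLS") or words[1:2] == ["STARTTLS"]:
                upgrade_requested = True
    return "plaintext", recordable

TLS_HELLO = b"\x16\x03\x01\x00\x05" + b"\x00" * 5  # constructed stand-in for a ClientHello

SMTP_STARTTLS = [
    ("S", b"220 mail.example.test ESMTP\r\n"),
    ("C", b"EHLO client.example.test\r\n"),
    ("S", b"250 STARTTLS\r\n"),
    ("C", b"STARTTLS\r\n"),
    ("S", b"220 Ready to start TLS\r\n"),
    ("C", TLS_HELLO),  # the envelope and message follow inside the TLS session
]
IMAP_STARTTLS = [
    ("S", b"* OK IMAP4rev1 ready\r\n"),
    ("C", b"a1 STARTTLS\r\n"),
    ("S", b"a1 OK Begin TLS\r\n"),
    ("C", TLS_HELLO),
]
SMTPS_IMPLICIT = [("C", TLS_HELLO)]  # TLS from the first byte, nothing recordable
SMTP_PLAIN = [
    ("S", b"220 mail.example.test ESMTP\r\n"),
    ("C", b"EHLO client.example.test\r\n"),
    ("S", b"250 OK\r\n"),
    ("C", b"MAIL FROM:<alice@example.test>\r\n"),
]

if __name__ == "__main__":
    for name in ("SMTP_STARTTLS", "IMAP_STARTTLS", "SMTPS_IMPLICIT", "SMTP_PLAIN"):
        print(name, classify_mail_session(globals()[name]))
```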

2. Monitoring of Web Emails

Web email means receiving and sending emails in a web browser. Received web emails cannot be recorded, while outgoing HTTP emails can be recorded by WFilter. Please note:

  1. Outgoing HTTP web emails can be recorded.
  2. HTTPS web emails cannot be recorded.
  3. Not all HTTP attachments can be recorded. It depends on the uploading protocol.
  4. For HTTP web emails that are not recorded, you may contact us for a web email format upgrade.

Optimize bandwidth of your network with WFilter NG Firewall.

When your internet bandwidth is insufficient, you may arrive at the following solutions:

  1. Use more than one broadband connection.
  2. Block applications which consume a lot of bandwidth. For example, you might use “WFilter Enterprise passby internet content filter windows software” to block downloading and online streaming.
  3. Limit the real-time bandwidth rate for clients. This can be done in your router or firewall.

However, these solutions have disadvantages:

  1. Without access control, using multiple broadband connections does not bring a better experience, because downloading and streaming can easily consume most of your bandwidth.
  2. “Application blocking” can save bandwidth. However, the user experience is impacted: users will complain that they cannot stream or download.
  3. Rate limiting does not optimize your bandwidth. Users will still complain about slow internet speed.

WFilter NG Firewall provides a complete solution for bandwidth optimization.

1. Powerful access control policy

With the “Access Policy” module, you can block P2P downloading, online streaming and streaming websites. Please check: Access Policy

2. Multi-WAN load balancing and routing

If you have multiple broadband connections, WFilter NG Firewall’s “Multi-WAN” module can help you to:

  • Balance load across multiple broadband connections.
  • Set up routing policies. For example, a) business servers are routed to a dedicated connection, b) video sites are routed to another connection.

For more details, please check: Multi-WAN

3. Bandwidth priority

With the “Priority” module, traffic with higher priority goes first. For example, you can set business server traffic to the highest priority, so even when the network is extremely busy, server bandwidth won’t be affected.

When installed, there are default rules: email > web > P2P and streaming. You can also customize your own rules.

For more details, please check: bandwidth priority

4. Bandwidth shaper

This module lets you set the bandwidth rate for clients. You can apply the rate to IP ranges, user groups or departments.

Each group has a “maximum bandwidth rate” and a “minimum bandwidth rate”. The minimum rate ensures that clients get this bandwidth rate even when the line is busy.

For more details, please check: bandwidth shaper
Try WFilter NG Firewall now: WFilter NG Firewall

WFilter 4.1 version is coming.

Finally, WFilter 4.1 is entering beta testing after two years of development. Let me show you the exciting new features in this version.

1. More deployment solutions

More deployment solutions are added, especially for Wi-Fi networks. We also added solutions to monitor by MAC address in multi-segment networks. WFilter 4.0 supports only the “by IP address” mode; the new version retrieves MAC address information from your core switch via SNMP.

2. More monitored content

Added support for IP protocols and IP fragments. For web monitoring, the new WFilter version also records the browser type (User-Agent).

3. Faster UI speed

We adopted FastCGI technology in the new 4.1 version, which greatly improves UI loading speed. Monitoring performance is also improved.

4. New UI design

Added a “common” menu where you can define commonly used menus, so you can open a page with one click.

We also re-designed the “online computers” page.


5. New “Protocols” system

With this “protocols” system, you can download and share protocols within a few clicks. You will no longer have the pain of configuring new protocols.

6. New “Plugins” system

We integrated a set of tools for network monitoring and management, which is still growing. You can get plugins for network discovery, WFilter management and other related features.

7. New “web content push” feature

This feature enables you to push web content without actually blocking. You can define the time interval and web push triggers so that this content appears regularly on client computers.

8. More flexible policy settings

With the latest version, it’s easier to assign policies to newly detected devices and to set a default OU policy for newly detected AD users.

New version downloading URL: WFilter 4.1

Please note: WFilter 4.1 is still in beta testing, and some features are not fully tested. This version is for preview and testing purposes only. So if you already have a stable WFilter 4.0 running, it’s not wise to replace it with this beta version.

Wifi network monitoring solutions

Since most wireless network cards do not support “promiscuous mode”, it becomes complicated to deploy internet monitoring and filtering in a wifi network.

In this blog post, I will list three common solutions for Wi-Fi network monitoring.

1. Port mirroring

Some wireless routers support a “port mirroring” feature. If your router supports it, you can enable the mirroring port and connect the WFilter computer to it. The WFilter computer must have a wired network card that can be connected to the mirroring port by a cable.

This Cisco article provides a good guide: Configuration of Port Mirroring on WRVS4400N Wireless-N Gigabit Security Router

2. Deploy WFilter in an upper layer device

If you have an upper-layer device with a “port mirroring” feature, you can deploy WFilter at the upper layer. Check this solution: WFilter deployment in a wireless network

3. Configure the WFilter PC as internet gateway.

This solution is helpful when you have only ONE wireless router in your network; it makes WFilter deployment rather simple. It also helps when you don’t have a port mirroring switch or router.

Check this solution here: A simple deployment of WFilter with wireless router

4. Turn your PC into a Wi-Fi HotSpot to deploy WFilter

You can turn your Windows PC into a Wi-Fi hotspot, so clients connected to this hotspot can be monitored by WFilter.

Check this solution here: Turn your PC into a Wi-Fi HotSpot to deploy WFilter

5. Reflash your router with an embedded Linux system.

If none of the above solutions works for you, you can reflash your router with OpenWrt/DD-WRT/Tomato/Gargoyle firmware. These firmwares allow you to install software port-mirroring solutions.

Here is a guide: WFilter deployment with openwrt router.