For pass-by monitoring and filtering, you need to set up a mirroring port on your switch. When the port mirroring feature is enabled, the switch replicates data from other ports onto a single port for monitoring purposes. Since the original packets are not held or delayed, port mirroring in theory does not affect your network speed.
However, improper port mirroring settings will put a heavy load on your switch and can even cause packet loss.
So please consider the following points when configuring a mirroring port:
- Do not mirror multiple ports to one port unless necessary.
- If you must mirror multiple ports, make sure the total throughput of the mirrored ports does not exceed the throughput limit of the mirroring port.
- For WFilter, mirroring the internet port is enough. Usually, only the router/firewall port needs to be mirrored.
- If your switch does not allow outgoing traffic on the mirroring port, or you're using WFilter to filter internet access for more than 50 computers, it is recommended to use two network adapters: one for monitoring only and the other for filtering.
How to check whether port mirroring settings are correct?
How to check whether a switch supports port mirroring?
Why a port mirroring switch is required to monitor my network?
The internet has become an invaluable tool in business. However, the availability of the internet has also become an important risk factor for employer liability, and at the same time it consumes 90% of employers' hours in productivity.
Therefore internet access shall be filtered and restricted to maintain the productivity of your employees.
There are several ways to filter internet access:
1. Set up a network internet filtering program.
With a filtering program, you can filter the internet access of all computers in your network from ONE computer.
There are many such products on the market. For example, WFilter Enterprise and Websense Enterprise can help you filter the internet access of network computers. Pass-by internet filtering products usually require you to set up a mirroring port on a manageable switch. Setting up a mirroring port does not change your network topology and will not affect your network performance.
2. Set up an ACL policy in your router/firewall/UTM. Firewall devices enable you to block websites, ports and ip addresses, so you can also set up ACL rules in your firewall to block certain traffic. For more information about UTM solutions, please visit http://www.astaro.com
3. Filter websites at the DNS server. You may try the "opendns" solution. It is simple and easy to set up. However, with this solution there can be only one policy for your entire network.
WFilter version 4.0 will be released soon, after nearly two years of development.
The new version brings many improvements and optimizations to current features. A series of new features has also been added, such as "WFilter Dashboard", "Central Management of WFilter servers", "WFilter Local Account", "Multi-adapter Monitoring", and several new alert types. Below is a brief introduction to these new features:
1. WFilter Dashboard
WFilter Dashboard allows you to check the monitoring status, log storage status and system warnings from a central dashboard.
2. WFilter Servers Management
This feature enables you to manage several WFilter servers from a central location.
3. Default IP Policy
The "Default IP Policy" feature enables you to set different policies for different ip ranges. When a new computer is found, its default ip policy will be applied.
4. Search of Network Computers
You can use the "Search Computers" feature to search computers in your network. It's more convenient than the passive computer finding in the old version.
5. More Alert Types
More alert types are added: disk space alert, new computer alert, ip address changing alert...
6. More Powerful Account Monitoring
WFilter's "account monitoring" feature can integrate WFilter with your active directory, so you can deploy monitoring based on user accounts. The new version adds the "WFilter local accounts" feature. When you don't have an available active directory, you can use the "WFilter local account" feature to monitor/filter by user accounts.
6.1 Integrate Active Directory
6.2 WFilter local account
7. Multi-adapters Monitoring
WFilter 4.0 supports monitoring on multiple adapters to handle complicated network layouts.
The internet can be a benefit to business when used properly, but it is often abused by employees and poses significant liability and security risks:
- Internet downloading and malicious websites are harmful to your network.
- Online messengers and social network websites are killing your productivity.
- P2P programs and IPTV applications can easily consume most of your bandwidth.
- Sharing of copyrighted popular music and movies is illegal in most jurisdictions.
Therefore, it is necessary for business administrators to track employees' internet usage and restrict internet usage in company networks.
Below I list several aspects of tracking and filtering internet activity on company networks.
1. Keep a record of internet activities.
To track internet usage, you can set up a mirroring port on your switch, and connect an internet monitoring product to this mirroring port to archive all internet activities.
Please check this blog article: How to monitor internet usage on company network?
2. Restrict websites access
- Only work-related websites are allowed during work time.
- Destructive websites, such as violence and adult sites, shall always be blocked.
- Downloading websites shall be blocked to save bandwidth if you are suffering from slow internet speed.
For companies that are very strict about website browsing, you can implement a website whitelist, so that only websites in the whitelist can be visited.
How to whitelist websites?
3. Block bandwidth consuming protocols
To keep your internet working smoothly, bandwidth-consuming protocols like p2p downloading and online streaming shall be blocked during working hours.
Please check:
1. How to monitor internet bandwidth?
2. How to block p2p traffic in your network?
Routing and Remote Access is a network service in Microsoft Windows Server 2008, Windows Server 2003, and Windows 2000 Server that can provide a network address translator (NAT) for connecting a private network to the Internet. An example network topology is shown below:
Since all internet traffic goes through the RRAS server, it is very simple to monitor and filter internet activities: "just install WFilter in this server."
The RRAS server has two adapters, the internal NIC and the external NIC. You will see both adapters in the "monitoring adapter settings" of "System Settings"->"Monitoring Settings".
We recommend that you choose the internal NIC as the monitoring and blocking adapter, because you will then be able to monitor, block and report on individual network computers.
However, if you choose the external NIC as the monitoring and blocking adapter, WFilter will treat the whole network as one computer, because the RRAS server translates all subnet ip addresses to its public ip address.
We have noticed that some users prefer to monitor on the internal NIC to save on licenses, because you only need ONE 1-user license to monitor the public ip address. However, we recommend that you not do this, because this is not how WFilter is designed to work, and there might be an over-blocking issue for some p2p protocols.
More information, please check "WFilter Enterprise".
Other related links:
- How to block UDP ports in RRAS windows server 2003?
- How to block internet downloading?
- How to monitor internet usage on company network?
- Internet monitoring software for business
- How to filter web surfing?
- How to block websites and restrict internet access?
- How to block HTTPS websites on my network?
As a pass-by filtering product, WFilter can only block TCP traffic. For complete blocking of p2p traffic, you are required to block UDP ports 1024-65534 in your router or firewall. For more information about pass-by filtering, please check: difference between Pass-by filtering and Pass-through filtering.
Since some networks use a Windows server with "Routing and Remote Access Service" (RRAS) as the gateway, you can also configure the "IP Filter" in RRAS to block UDP ports. In this tutorial, we will guide you to block all UDP ports except DNS (53) in Windows Server 2003.
1. Open "Routing and Remote Access" in "Control Panel"->"Administrative Tools".

2. Click "General"->"properties".

3. Click "Inbound Filters".


4. Add DNS port UDP 53 to the allow list
Click "New"->"Add IP Filter", choose "Protocol" as "UDP", "Source port" as "53", "Destination port" as "0" (means all).

5. Add all TCP to the allow list
Click "New"->"Add IP Filter", choose "Protocol" as "TCP", "Source port" as "0", "Destination port" as "0".

6. Block others
Check "Drop all packets except those that meet the criteria below" to block other traffic.
By now, all UDP ports are blocked except UDP 53 (DNS), and WFilter is fully functional to block p2p/IM/iptv traffic.
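The filter list built in steps 4 to 6 can be modelled to check which inbound packets it admits before you rely on it. The Python sketch below is an added example, not WFilter or RRAS code; it assumes the inbound filters are attached to the Internet-facing interface, and the sample packets are constructed.

```python
from dataclasses import dataclass

ANY_PORT = 0  # in the steps above, port "0" means all ports


@dataclass(frozen=True)
class Packet:
    proto: str     # "TCP", "UDP" or "ICMP"
    src_port: int  # 0 for protocols without ports
    dst_port: int


@dataclass(frozen=True)
class IpFilter:
    proto: str
    src_port: int = ANY_PORT
    dst_port: int = ANY_PORT

    def matches(self, pkt: Packet) -> bool:
        # A filter field set to 0 accepts any port; otherwise it must be equal.
        return (
            pkt.proto == self.proto
            and self.src_port in (ANY_PORT, pkt.src_port)
            and self.dst_port in (ANY_PORT, pkt.dst_port)
        )


# Step 4 (UDP from source port 53) and step 5 (all TCP).
FILTERS = [IpFilter("UDP", src_port=53), IpFilter("TCP")]


def inbound_verdict(pkt, filters=FILTERS, drop_all_except=True):
    """Stateless evaluation: listed filters are exceptions to the default action."""
    listed = any(f.matches(pkt) for f in filters)
    if drop_all_except:  # step 6: "Drop all packets except those that meet the criteria below"
        return "forward" if listed else "drop"
    return "drop" if listed else "forward"


# Constructed inbound packets as seen on the Internet-facing interface (assumption).
SAMPLES = {
    "DNS reply": Packet("UDP", 53, 49152),
    "HTTP reply": Packet("TCP", 80, 49200),
    "UDP p2p datagram": Packet("UDP", 6881, 51413),
    "NTP reply": Packet("UDP", 123, 123),
    "ICMP echo reply": Packet("ICMP", 0, 0),
}


def audit(samples=SAMPLES):
    """Return the verdict for every sample packet, keyed by its label."""
    return {label: inbound_verdict(pkt) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, verdict in audit().items():
        print(f"{label:18} {verdict}")
```

The NTP and ICMP rows show the side effect of step 6: any UDP or ICMP service the network relies on needs its own allow entry. The DNS entry matches on source port alone, so restricting its source network to your resolvers' addresses tightens it.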
WFilter can monitor and filter computers' internet activities in your network. In WFilter, two monitoring modes are available: "by ip address" and "by MAC address". In "by ip address" monitoring mode, WFilter identifies a computer based on its ip address, while in "by mac address" monitoring mode it identifies a computer based on its MAC address.
However, if computers' ip addresses are not fixed in your network, you might have trouble identifying a computer in order to set its monitoring/blocking policy.
This tutorial introduces several solutions for identifying computers in your network in WFilter.
1. Monitor and block by AD users
Since WFilter can be integrated with Microsoft active directory, you don't need to face the trouble of identifying computers if you have an available AD.
With "account monitoring" enabled, you can set a blocking policy based on AD users, regardless of which computers they are using.
Please check this document for more details about "account monitoring": How to do monitoring based on user accounts?
2. Identify computers by MAC addresses
With "by mac address" monitoring mode, WFilter identifies a computer by its MAC address. A MAC address is assigned by the manufacturer of a network interface card (NIC) and is stored in its hardware. It won't change unless the NIC hardware is replaced.
When you set a recording policy or blocking policy for a computer in the "user-computer table", those settings are bound to its mac address. Even if its ip address changes, the settings will not be lost.
However, "By MAC address" monitoring mode is only available for single-segment networks, because a computer's mac address can not be retrieved when it is located behind a router.
Therefore, in a single-segment network, "by mac addresses" is a good choice if your ip addresses are dynamic.
3. Identify computers by IP addresses
If your network has multiple segments, you can only use "by ip address" monitoring mode. Therefore, we recommend that you make ip addresses static in a multi-segment network. If you want to leave the ip addresses dynamic, the only solution left is "Monitor and block by AD users" as discussed above.
Other related links: How to setup ip-mac binding in WFilter?

How to block facebook at work of network computers?
Facebook is a social utility that connects people with friends and others who work, study and live around them. However, employees might spend too much time on this website during working hours.
This tutorial will guide you to set up an internet policy to block facebook access at work with WFilter 3.3 version.
You can block facebook access at different levels:
- Block facebook website completely.
- Allow facebook website, but block facebook chatting.
- Allow facebook website, but block facebook applications and games.
1. Block facebook website completely
1). Block the facebook website by "Website Black/White List".
Add "*.facebook.com" to a website black list.
Now HTTP access to facebook will be blocked.
2). Block https facebook by "HTTPS Black/White List"
Since facebook also provides https access, for complete blocking you also need to block https facebook by "HTTPS Black/White List".
Add "*.facebook.com" to an HTTPS black list.
Please notice that you need to reopen your browser for the HTTPS black list to work.
2. Block facebook IM chatting
You may use WFilter to block "facebook IM" directly in "Blocking Level Settings"->"Messengers".
You will not be able to send a message when facebook IM is blocked. 
3. Block facebook applications and games
Facebook applications and games will be blocked simply by adding "apps.facebook.com" into a website black list. 
Guest computers come and go on a network. However, unmanaged internet access by guest computers can be a nightmare for your network. Guest computers can consume most of your bandwidth with p2p downloading, and can download copyrighted materials or viruses which might be harmful.
This tutorial will guide you to set up a default internet blocking policy for guest computers with WFilter 3.3 version.
1. Set a different ip address range for guest computers.
If guest computers share the same ip address range with your existing computers, you won't be able to recognize them. For management purposes, the guest computers shall be in a different ip address range. For example:
1. Allocate all your existing computers static ip addresses from "192.168.1.0" to "192.168.1.200".
2. In your wireless AP, set the DHCP range from "192.168.1.200" to "192.168.1.250".
Now every guest computer (mostly laptops) will get an ip address in the range "192.168.1.200 - 192.168.1.250". Then you can set a blocking policy for them in WFilter.
2. Set up default blocking policies for certain ip ranges.
Now you can set up a default blocking policy for ip addresses in the range "192.168.1.200 - 192.168.1.250". This default policy will be applied to every new computer in this ip range.

Please notice: If you can not set up a different DHCP range for guest computers, you can also enable this "default monitoring policy" for newly found computers. This feature lets WFilter automatically configure the monitoring and blocking policy when it detects a new computer.
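How a per-range default policy resolves for a newly seen computer can be checked ahead of time. The Python sketch below is an added example, not WFilter code; the policy names and helper functions are hypothetical, and the first range set is the one from step 1 exactly as written, which shares the address 192.168.1.200 between the static and DHCP ranges.

```python
import ipaddress


def ip_range(first, last, policy):
    """Inclusive address range bound to a policy name (policy names are hypothetical)."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError(f"range start {lo} is after range end {hi}")
    return (lo, hi, policy)


# The ranges exactly as written in step 1.
AS_WRITTEN = [
    ip_range("192.168.1.0", "192.168.1.200", "staff"),
    ip_range("192.168.1.200", "192.168.1.250", "guest"),
]

# Assumption: the DHCP pool starts one address higher so the ranges are disjoint.
DISJOINT = [
    ip_range("192.168.1.0", "192.168.1.200", "staff"),
    ip_range("192.168.1.201", "192.168.1.250", "guest"),
]


def overlaps(ranges):
    """Return (policy_a, policy_b, first_shared, last_shared) for each overlapping pair."""
    ordered = sorted(ranges, key=lambda r: r[0])
    found = []
    for i, (lo_a, hi_a, pol_a) in enumerate(ordered):
        for lo_b, hi_b, pol_b in ordered[i + 1:]:
            # Sorted by start, so the pair overlaps when b starts before a ends.
            if lo_b <= hi_a:
                found.append((pol_a, pol_b, str(lo_b), str(min(hi_a, hi_b))))
    return found


def default_policy_for(ip, ranges, fallback="new-computer-default"):
    """Pick the default policy for a newly detected address.

    Addresses outside every range get the fallback, which stands in for the
    "default monitoring policy" for newly found computers.
    """
    addr = ipaddress.IPv4Address(ip)
    hits = [policy for lo, hi, policy in ranges if lo <= addr <= hi]
    if len(hits) > 1:
        raise ValueError(f"{addr} falls in more than one range: {hits}")
    return hits[0] if hits else fallback


if __name__ == "__main__":
    print("overlap as written:", overlaps(AS_WRITTEN))
    print("overlap after fix: ", overlaps(DISJOINT))
    for ip in ("192.168.1.50", "192.168.1.230", "10.0.0.5"):
        print(ip, "->", default_policy_for(ip, DISJOINT))
```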
How WFilter works to monitor and archive internet activities?
WFilter is an enterprise Internet filtering software program. A business or organization can implement its Internet communication policy in WFilter and let it perform the work.
WFilter intercepts, records and monitors the Internet behavior of users on a network, for the purpose of ensuring policy compliance or measuring job performance in an organization.
A mirroring port replicates the data from other ports or VLANs. To monitor all internet activity, WFilter needs to be connected to a mirroring port of your switch, and the mirroring port shall be configured to mirror your internet traffic. When connected to a mirroring port, WFilter gets copies of all internet packets, then decodes them and saves them into log files. This is how WFilter monitors internet usage.
For more information about how to set up port mirroring, please check: WFilter Deployment Examples.
To check whether your port mirroring is properly configured, please check: How to check whether port mirroring is properly configured?
If you don't have a manageable switch, you need to set up a Windows gateway or proxy server to do monitoring; please check: How to monitor internet usage without a manageable switch?
How WFilter works to block internet connections?
Many users had asked: "Since WFilter only handles packet copies and the original packets don't pass through WFilter machine, how WFilter works to block internet connections?"
Actually, there are two filtering technologies: pass-through filtering and pass-by filtering. With a pass-through filtering solution, packets pass through the filtering product; if a packet needs to be blocked, the filtering product just drops it. A pass-by filtering product, however, only handles copies of network packets and can not hold the original packets. Therefore, it sends RST packets to terminate TCP connections. This is how WFilter blocks connections.
Please notice:
1. Since WFilter needs to send RST packets to block a connection, the "blocking adapter" of WFilter shall be able to access your network. The blocking adapter is configured in "System Settings"->"Monitoring Settings" of WFilter.
2. Some switches do not allow outgoing traffic on the mirroring port. If so, you need to set up a separate NIC as the blocking adapter. Even if outgoing traffic is allowed on the mirroring port, we recommend that you use a secondary NIC for blocking when you're managing over 100 computers. Otherwise, the monitoring adapter will be overloaded.
3. If you have multiple VLANs, the blocking adapter shall belong to a VLAN which can communicate with the other VLANs.
4. Sometimes you might need to set "Automatic Metric" of the blocking adapter for Windows to recognize this adapter as the primary adapter. Please check this blog topic: Blocking adapter doesn't work when using two network cards with WFilter.
For more information about the difference between the two filtering solutions, please check: What's the difference between Pass-by filtering and Pass-through filtering?
For more details about WFilter filtering technology, please check: WFilter Technologies and Security
1. What is the Mail.Ru Agent?
Mail.Ru is the leading Internet portal in Russia in communication and entertainment. Its key product is the biggest communication portal for Russian speaking audience that includes the largest free webmail service, instant messenger Mail.Ru Agent, national social network Moi Mir@Mail.Ru and search engine Poisk@Mail.Ru. Mail.Ru headquarters is in Moscow.
Also Mail.Ru is the leader in online game publishing with over 50 percent market share in Russia. The company is a publisher of more than 100 game titles in Russia, Europe, Asia, including such popular original titles as Troetsarstvie, Legend: Legacy of the Dragons, Allods Online as well as successful international licenses such as Perfect World II, Lord of the Rings Online. Also Mail.Ru owns 50 percent in NIKITA.ONLINE.
This tutorial will guide you to block Mail.Ru Agent in your network.
2. How to block Mail.Ru Agent and Web-Mail.Ru?
2.1. First, add a new Custom Protocol
Because "Mail.Ru Agent" is not in the WFilter default pattern database, you need to add a custom protocol.

The first pattern:
Name: Mail.Ru_TCP Desc: Mail.Ru_TCP Type: TCP SEND Offset: 0 Format: 0 Content: ^\xef\xbe\xad\xde
The second pattern:
Name: Mail.Ru_HTTP Desc: Mail.Ru_HTTP Type: HTTP SEND Offset: 0 Format: Host Content: ^(mra|webagent)\.mail\.ru
The third pattern:
Name: Mail.Ru_TCP_2 Desc: Mail.Ru_TCP_2 Type: TCP RECV Offset: 0 Format: 0 Content: ^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:2041\x0a$
2.2. Enable blocking of "Mail.ru Agent" in certain blocking policy.


Apply this blocking policy to certain computers.

3. Now Mail.Ru Agent will be completely blocked.


4. Web-Mail.Ru is also blocked.

Even if a content filtering product is deployed in your network, some experienced users can still bypass the content filter via proxies.
There are three kinds of proxies:
1). Proxy server
A proxy server provides proxy service for applications to access the internet via a proxy protocol, including HTTP, FTP, SSL and SOCKS proxy.
2). Proxy Website
A proxy site is a web page which allows you to browse your favorite web sites – even though your access to those web sites might be blocked by a content filter.
3). VPN tunnel service
Online VPN services, for example: tor. Please check this blog for how to block tor.
In this tutorial, I will guide you to block proxy servers and proxy websites.
1. How to block proxy servers?
We can block proxy servers simply by blocking proxy protocols, such as HTTP and SOCKS.

2. Block proxy websites
2.1 Using website black list to block proxy sites
You can add proxy websites to a website black list to be blocked.

However, since a website black list can not contain all proxy websites, we recommend that you enable “URL keywords filtering” and “Web access rules” to block proxy websites based on our URL database and URL keywords.
2.2 Using URL keywords to block proxy sites
Add “proxy” and “unblock” to “Proxies”, so that URLs containing these keywords will be blocked.


2.3 Using “Web access rules” to block proxy sites
Websites in “Proxies” category will be blocked. WFilter already has a default URL database which contains most common websites.
1. What is tor?
Tor is a system intended to enable online anonymity, composed of client software and a network of servers which can mask information about users' locations and other factors which might identify them. Use of this system makes it more difficult to trace internet traffic to the user, including visits to Web sites, online posts, instant messages, and other communication forms. It is intended to protect users' personal freedom, privacy, and ability to conduct confidential business, by keeping their internet activities from being monitored. The software is open-source and the network is free of charge to use.
Since client workstations can use tor to bypass internet filtering, you may want to block tor traffic in your network.
In this tutorial, we will guide you to block tor traffic with "WFilter Enterprise 3.3".
2. How to block tor with WFilter?
Because tor uses HTTP/TLS to encrypt its traffic, we need to use the "HTTPS black/white list" feature of WFilter to filter HTTPS websites in order to block tor.
First, create a new "HTTPS White List" and add the allowed HTTPS domains to it. As in below figure:
Enable "HTTPS black/white list" in certain blocking level settings.
Finally, apply this blocking policy to certain computers.
3. Now tor will be completely blocked.
Blocking events in WFilter:
Sometimes you might want to block automatic Windows update on your network without having to configure every workstation manually.
To block Windows update, the websites in the list below shall be blocked.
- *.windowsupdate.com
- *.update.microsoft.com
You can block these websites in your firewall to achieve that. In this tutorial, I will guide you to block Windows update with "WFilter Enterprise 3.3".
First, add a website black list and enable it in a certain blocking policy.
In the website black list, you need to add "*.windowsupdate.com" and "*.update.microsoft.com".

Second, apply this blocking policy to certain computers.

Now, windows update will be completely blocked.
The WFilter blocking denial page presents a blocking message to blocked users when a web page is blocked. Sometimes, you may want to add your logo image to the WFilter blocking denial page. This tutorial will guide you to add a logo image with "WFilter Enterprise 3.3".
1. It is simple to add your logo when you have a website hosting this image. As you can see in the figures below, just click "Add image" and input your logo url when editing a denial page.
2. However, if you don't have an available website, you need to upload your image file to the WFilter "image" directory for WFilter to find it. Please follow the steps below:
1). Copy your image file to the "www/image" directory of WFilter.
2). Click "Add image" in the denial page. Please notice that you need to input the full url address of your logo here. For example, if the IP address of the WFilter computer is "192.168.1.20", you need to input "http://192.168.1.20:9090/image/yourlogo" here. Do not use "http://localhost:9090/image/yourlogo".
Webpage being blocked:
3. If you're familiar with HTML code, you can also edit the denial page source manually in the "config/Denypage" directory of WFilter.
Wireless communication brings fundamental changes to data networking and telecommunications. Nowadays, more and more organizations and home users build wireless networks, and in many situations wired and wireless networks exist together. This topic demonstrates two solutions for monitoring internet activities on wireless networks.
1. Monitoring with a manageable switch.
A typical network contains both wired and wireless networks:
Because port mirroring can not mirror wireless traffic, we need to setup port mirroring in the wired part. In this example, we add a manageable switch TL-SL2210WEB between the router and wireless AP to mirror the AP's traffic.
"Port 1" of the manageable switch is connected to the router, "port 2" is connected to WFilter computer, and "port 3" connected to the wireless Access Point.
By setting "Port 1" as the mirrored port and "Port 2" as the mirroring port, we will be able to monitor all internet traffic.
By now, you can monitor all the wired and wireless computers.
2. Deployment with a proxy server.
If you don't have an available manageable switch, you can also do monitoring in a local proxy server.
As in the figure below, by setting up a proxy server and installing WFilter on it, all computers using this proxy server to access the internet will be monitored.
Please refer to "Deploy WFilter with a Proxy Server" for more information.
What is port mirroring?
Usually, a computer connected to a switch or a router can only receive its own network packets. A switch with a port mirroring function allows you to monitor network packets from a mirroring port.
With port mirroring enabled, the switch sends a copy of all network packets seen on one port (or an entire VLAN) to another port, where the packets can be analyzed.
How to monitor network without a port mirroring switch?
There are three methods to monitor your network without a manageable switch.
1. Using a broadcasted Hub
A broadcasted hub is a data packet repeater commonly used in broadcast networks.
Most broadcasted hubs provide an uplink port to connect to an upper-layer device. You shall connect the upper-layer device to the uplink port of the hub (Note: Do not use the port next to the uplink port).
However, most broadcasted hubs only work at 10Mb speed, and all the computers connected to the hub share the bandwidth, so a hub is not as fast as a switch. We recommend that you use a manageable switch instead.
2. Windows Gateway, Proxy Server or Bridge
Windows Gateway
If a port mirroring switch is unavailable, you can set up a Windows gateway at your network edge. With an internet monitoring/filtering product on this Windows gateway, you will be able to monitor all internet traffic of network computers.
How to configure Windows 2008 Server IP Routing?
Proxy Server
A proxy server is a computer that offers a network service allowing clients to make indirect network connections to the internet.
As with the gateway solution, you can also do monitoring/filtering on the proxy server. To make things simple, some proxy servers have monitoring/filtering modules integrated, while some monitoring/filtering programs have a proxy module integrated.
For example, you can easily enable the proxy server service in WFilter enterprise. For more details about WFilter proxy settings, please check:
http://www.imfirewall.us/help/doc/deploy_proxy.htm

Bridge
Bridges (sometimes called “Transparent bridges”) work at OSI model Layer 2. Bridges just forward data depending on the destination address in the data packet.
By deploying a bridge at your internet entrance, you can set up a monitoring product on this bridge to monitor the internet activities of your whole network.
3. ARP Spoofing
ARP spoofing, also called ARP cache poisoning, is a hacking method that spoofs the contents of the ARP table on a remote computer on the LAN. With ARP spoofing, you act as a relay server between client computers and the real gateway, so you will be able to monitor their traffic. However, as a hacking technology, ARP spoofing will make your network unstable.
So I recommend that you not use it unless necessary.
There are a lot of products for managing your network: firewalls, content filtering, web filtering proxies... Some users might find it confusing to choose among them. Since more and more customers have requested a comparison of WFilter to other similar products, I wrote this guide to list some important differences.
WFilter is a pass-by internet monitoring and filtering software program. It monitors network traffic from a mirroring port on your switch. When a TCP connection needs to be blocked, WFilter sends 1-2 RST packets to reset this connection. This is called "Passby Filtering". More technical details of WFilter can be found at: WFilter Technologies
WFilter VS firewall program/appliance
Advantages:
1. WFilter monitors and archives most internet activities, while firewalls don't keep internet usage details.
2. WFilter parses protocols at the application layer; it can recognize 100+ common protocols according to their signatures and behaviors. Most firewall programs/appliances filter packets based on ports or ip addresses.
3. WFilter analyses copies of internet packets from a mirroring port of your switch. It is easy to deploy and adds no delay to your network. However, a firewall program/appliance needs to be deployed at the edge of your network, and since each packet goes through the firewall program/appliance, there will be a slight delay.
4. If the WFilter server goes down, the Internet connection stays alive. If the firewall program/appliance hangs, you will not be able to access the internet.
5. WFilter is a content filtering product. It is designed to monitor and filter the internet usage of employees to raise your productivity. However, a firewall program/appliance is designed to filter network packets and protect your network.
Disadvantages:
1. WFilter can not block UDP packets, so you also need to block UDP ports in your router/firewall.
2. WFilter consumes more memory and disk space on your computer. If you archive all internet activity, it might consume 2-3M disk space for each monitored computer every day.
WFilter VS open source web filtering projects
Some open source projects, like "SQUID" and "dansguardian", also provide web filtering solutions. Below I list some major differences:
1. Most open source projects work as a proxy server. This requires you to change your internet access to proxy mode.
2. Most open source projects are web filtering only. Blocking of p2p traffic and internet monitoring/archiving are not supported.
3. Open source projects lack statistics and reports.
4. Open source projects lack support. Since protocols are changing, live update/support is required to keep your pattern database up to date, while most open source projects don't have such support. In IMFirewall protocol lab, to keep our pattern database up to date, we have a system to monitor most common internet products/protocols, so when a new version of a certain product is released, our team will work on it immediately.
Try "WFilter Enterprise" by yourself: http://www.imfirewall.us/WFilter.htm
TeamViewer is a computer software package for remote control, desktop sharing, and file transfer between computers. The software operates with Microsoft Windows, Mac OS X, iOS, and Linux. It is possible to access a machine running TeamViewer with a web browser.
With TeamViewer, it is very convenient for employees to access computers in their homes and transfer files to remote computers. So for security purposes, sometimes you may want to block TeamViewer on your network. This tutorial will guide you to block TeamViewer with "WFilter Enterprise 3.3". Because blocking of TeamViewer is not supported by default in WFilter, in this example we use the "Customize Protocols" feature of WFilter to define the TeamViewer protocol.
First, add the "TeamViewer" protocol. TeamViewer has two patterns:
1. "teamviewer01": Type -- "HTTP SEND", Format -- "X-IM-URL", Content -- "s=.*\&(p|id)=.*\&client=.*"
2. "teamviewer02": Type -- "TCP ALL", Format -- "0", Content -- "^\x17\x24[\x00-\xff]{2}\x00"
Second, enable blocking of TeamViewer in certain blocking levels, and apply this blocking policy to certain computers.
Now, TeamViewer will be blocked.
WFilter blocking events:
Failed TeamViewer connection:
More information, please check "WFilter Enterprise".
One customer reported that BBC online video can not be blocked by WFilter, even when "Block Online HTTP Video and Downloading of Video Files" is checked in certain blocking levels. So we did some research and found that, in addition to HTTP, the BBC websites also use RTMP (Real Time Messaging Protocol) to play online video. Because blocking of RTMP is not supported by default in WFilter (it will be added soon), this tutorial will guide you to block BBC online video with the "Customize Protocols" feature of WFilter.
First, add a new protocol named "RTMP".
1. Protocol Settings:
   Protocol Name: RTMP
   Protocol Desc: Real Time Messaging Protocol
   Type: Streaming
2. Pattern1
   Name: RTMP_HTTP
   Desc: RTMP_HTTP
   Type: HTTP SEND
   Offset: 0
   Format: User-Agent
   Content: Shockwave\sFlash
3. Pattern2
   Name: RTMP
   Desc: RTMP
   Type: TCP_SEND
   Offset: 0
   Begin Byte: 03
   Format: 0
   Content: \x03[\x00-\xff]{4}\x80\x00
Second, enable blocking of RTMP in certain blocking levels.
Now, BBC videos will be successfully blocked.
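The two TeamViewer patterns and the two RTMP patterns from these tutorials, applied to constructed payloads, as an added Python example (not WFilter code). It assumes that "X-IM-URL" means the request URL, that an "HTTP SEND" pattern is searched within one request field, and that a TCP pattern must match starting at its Offset (0 is assumed for the TeamViewer patterns); `classify`, `parse_http_request` and all sample bytes are hypothetical.

```python
import re
from collections import namedtuple

# name, Type, Format (field to inspect), Offset, Content: values copied from the page.
Pattern = namedtuple("Pattern", "name type field offset content")
PATTERNS = [
    Pattern("teamviewer01", "HTTP SEND", "X-IM-URL", 0, rb"s=.*\&(p|id)=.*\&client=.*"),
    Pattern("teamviewer02", "TCP ALL", "0", 0, rb"^\x17\x24[\x00-\xff]{2}\x00"),
    Pattern("RTMP_HTTP", "HTTP SEND", "User-Agent", 0, rb"Shockwave\sFlash"),
    Pattern("RTMP", "TCP_SEND", "0", 0, rb"\x03[\x00-\xff]{4}\x80\x00"),
]

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT")


def parse_http_request(payload):
    """Return {field: value} for an HTTP/1.x request payload, else None."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] not in HTTP_METHODS or not parts[2].startswith(b"HTTP/"):
        return None
    fields = {b"x-im-url": parts[1]}  # assumption: X-IM-URL is the request target
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields


def classify(payload):
    """Names of all patterns matching one client-to-server TCP payload."""
    http = parse_http_request(payload)
    hits = []
    for p in PATTERNS:
        if p.type.startswith("HTTP"):
            # HTTP patterns only look at one field of a parsed request.
            value = http.get(p.field.lower().encode()) if http else None
            if value is not None and re.search(p.content, value):
                hits.append(p.name)
        elif re.match(p.content, payload[p.offset:]):
            # TCP patterns are anchored at the configured offset.
            hits.append(p.name)
    return hits


# Constructed samples, shaped only to exercise the four patterns.
SAMPLES = {
    "tv_http": b"GET /poll?s=1001&id=2002&client=demo HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "tv_tcp": b"\x17\x24\x11\x30\x00" + b"\x00" * 8,
    "rtmp_http": b"POST /open/1 HTTP/1.1\r\nHost: example.invalid\r\n"
                 b"User-Agent: Shockwave Flash\r\n\r\n",
    "rtmp_tcp": b"\x03" + b"\x00\x0b\x68\x3a" + b"\x80\x00\x07\x02" + b"\xaa" * 16,
    "tls_like": b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b",
    "plain_web": b"GET /index.html?id=7 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    # Unrelated request that still matches teamviewer01: "s=" is the tail of "terms=".
    "lookalike": b"GET /search?terms=a&id=1&client=web HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:10s} -> {classify(data)}")
```

The "lookalike" sample shows why an unanchored URL pattern should be tested against ordinary traffic before it is put into a blocking level.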
The internet can be a benefit to business when used properly, but it is often abused by employees and poses significant liability and security risks. Used improperly, the Internet can subject every organization to harassment claims, countless hours of lost productivity and innumerable security leaks and vulnerabilities.
Several important risks caused by improper internet usage:
1. Virus infection
2. Lost productivity
3. Legal liability
4. Bandwidth consumption
So it is necessary for you to restrict employees' internet access on your network. To achieve this goal, first you need an internet access policy, which should be able to:
1. Clarify what constitutes acceptable use of Internet services.
2. Ensure employees understand who to contact with questions regarding acceptable use.
3. Ensure employees understand the penalties that arise from Internet misuse.
4. Help lessen an organization's spyware and virus infestation rates.
5. Provide human resources with signed documentation from each employee stating a pledge not to improperly use Internet services.
6. Help mitigate productivity losses.
7. Decrease dependence upon technology solutions used to enforce employee behavior.
8. Reduce the organization's liability resulting from harassment claims, copyright violations originating onsite and other illegal acts.
You also need an internet filtering product to enforce your internet policy. Let's take "WFilter Enterprise" as an example: it enables you to monitor and filter internet access for all computers from a mirroring port of your switch. You only need to install WFilter on one computer to monitor the whole network.
Key Features:
- Keep a detailed record of each web surfing and web posting.
- Record all incoming and outgoing email content and attachment.
- Monitor and archive instant messenger chat contents and activities.
- Monitor and archive files transferred by web, ftp and IM tools.
- Implement a policy to filter internet access during working hours.
- Websites, messengers and p2p file downloading can be blocked to save bandwidth and raise productivity.
- You only need to install WFilter in ONE computer to manage your whole network.
http://www.imfirewall.us
Though the official Google Talk protocol is XMPP, it is more complicated and flexible than XMPP. Google Talk (GTalk) provides several ways for you to access your gtalk account, including:
- 1). Official "Google Talk" client.
- 2). Gmail chat in google mail account.
- 3). Google Talk Gadget -- a web version of Gtalk.
This makes it complicated for you to block usage of google talk on company network. This tutorial will guide you to block google talk, gmail chat and google talk gadget using WFilter.
WFilter identifies Google talk connections by signature matching. Blocking google talk is simple in WFilter.
The examples below demonstrate blocking of google talk and gmail chat.
1. Blocking of jabber, gmail chat and gadget. Set a blocking policy in WFilter to block jabber and google talk:
2. Blocked Google talk:
3. Blocked gadget:
4. Blocked gmail chat:
For security purposes, you might want to block employees from uploading files to the internet on your network. However, since so many tools can be used for uploading, it is extremely difficult to block them all. Files can be uploaded in various ways:
1. Upload to certain websites, eg: webmail, file sharing websites...
2. Using msn/yahoo/icq messengers to send files.
3. Email attachments.
4. FTP
5. Other third party tools.
WFilter provides a simple solution to block file uploading on company networks. Using WFilter, you can block file uploading and file transfers of all computers from ONE computer. This tutorial will guide you to block file uploading using WFilter.
First, block file uploading to websites. Please notice that "block uploading files via web pages" only works on HTTP websites. To control HTTPS websites, you can use the "HTTPS black/white list" in "Others" of WFilter.
Second, block email attachments.
Third, block FTP and file transfer via messengers.
Last, block unknown protocols. Blocking unknown protocols blocks file uploading by other unknown third party programs.
More information, please check "WFilter Enterprise".
Sometimes you may want to block facebook games during working hours. This tutorial will guide you to block facebook games using "WFilter Enterprise".
First, add a website black list.
Second, choose this website black list in a certain blocking policy.
Third, apply this blocking policy to certain computers.
Now, facebook games are blocked.
BBC iPlayer (formerly known as Integrated Media Player (iMP), Interactive Media Player, and MyBBCPlayer) is an internet television service, P2P, cable television, and several mobile devices developed by the BBC to extend its existing RealPlayer-based "Radio Player" and other streamed video clip content. As online iPlayer may consume much internet bandwidth, this tutorial will guide you to block BBC iPlayer using WFilter.
We suppose WFilter is already properly installed and is capable of monitoring/blocking other computers; if not, please read How to monitor internet usage on company network first.
WFilter's "website black list" is based on website domains, so we can not use it to block iPlayer, since iPlayer is a subfolder of www.bbc.co.uk without an individual domain. However, we can still use the "URL Keywords Filtering" feature to block URLs containing certain keywords. The example below demonstrates blocking of URLs with the keyword "iplayer".
1. Create a blocking policy, and enable "URL Keywords Filtering".
2. Choose the "Streaming Media" category and click the edit icon to edit its keywords list. Please notice: WFilter already has some default keywords (the default keywords are hidden). For example, "video" is already included in the "Streaming Media" category. If you only want to block "iplayer", you can add a new category in "Category Settings"->"Customize Categories" of WFilter. In this example, we need to add "iplayer" to the keywords list:
3. Apply this blocking policy to certain computers.
4. By now, URLs with the keyword "iplayer" will be blocked.
More information, please check "WFilter Enterprise".
WFilter can be used to block sending/receiving emails, block sending attachments and filter email accounts. And you only need to install WFilter in one computer to monitor all computers in your network. This tutorial will guide you to block outgoing emails with attachments.
This feature can block sending of emails with attachments via SMTP protocol.
1.1 Add a new blocking level, as in the below figure:
1.2 Set a proper "Level Name" and "Level Desc", check "Block sending emails with attachment(s)", as in Figure 2:
1.3 Apply this new blocking level to certain users in "User-computer Table", as in the below figure:
1.4 Emails with attachment(s) will be blocked, as in Figure 4:
Some switches do not allow outgoing traffic on a mirroring port. In this case, WFilter needs a separate blocking adapter to send blocking packets. And if you're monitoring and filtering more than 100 computers, we recommend that you use a blocking adapter that is separate from the monitoring adapter.
When the two network cards are installed, we want the Windows system to use the blocking adapter to access your network. However, sometimes the Windows system might pick the monitoring adapter and fail to connect to your network. This problem can be resolved with the "Automatic Metric" setting in Windows.
A metric is a value that is assigned to an IP route for a particular network interface and identifies the cost that is associated with using that route. The Automatic Metric feature is configured independently for each network interface in the network. This feature is useful in situations where you have more than one network interface of the same speed, for example, when each network interface has been assigned a default gateway. In this situation, you may want to manually configure the metric on one network interface, and enable the Automatic Metric feature to configure the metric of the other network interface. This setup enables you to control which network interface is used first in the routing of IP traffic.
In our case, the metric of the blocking adapter must be smaller than that of the monitoring adapter. So by setting the metric of the blocking adapter to "1" and that of the monitoring adapter to "2" in the "Automatic Metric" setting, the Windows system will use the blocking adapter to access your network.
Sometimes, for a problem with WFilter that is hard to pin down, we might need a packet dump file for diagnosis. WFilter has a packet dump tool named "dumpPacket.exe", which dumps packets on the monitoring adapter.
This tutorial will guide you to generate a packet dump file using "dumpPacket.exe".
First, launch "dumpPacket.exe" from "Start"->"IMFirewall WFilter"->"Tools". If you didn't install WFilter shortcuts, you can find this tool in the WFilter directory.
It will ask you to enter a testing ip address. For example, if you need to check a monitoring problem for ip "192.168.1.20", you can input "192.168.1.20" here. If you just want to capture some packet samples, you may just press "enter" here. Pressing "enter" means dumping packets for all computers.
Close the dumping window. If you're doing a certain test, for example sending an email message, you need to wait until the test is done. If you're dumping packets for all computers, you only need to wait for 3-5 seconds, because the dump file can be very large. If the dump file is too large, you can do the test again in a shorter time.
The dump.cap file can be found in the "temp" directory of WFilter. The dump.cap file is in pcap format, which can be opened by wireshark and other pcap applications.
To make WFilter work, you need to set up port mirroring in your switch. However, sometimes you still can not monitor other computers even though port mirroring is configured. There are several possible causes:
1. The WFilter computer is not connected directly to the mirroring port.
2. The configured ports do not match the real ports.
3. Both outbound and inbound traffic is required by WFilter. If you only mirror packets in one direction, WFilter can not work properly.
4. Incorrect WFilter settings (wrong ip segment or monitoring adapter...).
5. Firewall/anti-virus programs block non-local packets. For example, nod32 will block non-local packets, so even when the port mirroring settings are correct, the mirrored traffic still can not reach WFilter. We recommend that you shut down your firewall and anti-virus programs while checking.
To locate the problem, first we need to confirm whether packets are mirrored to the WFilter computer. It can be checked in a simple way by following the steps below:
Upon successful mirroring, the number of "Received" packets shall be much larger than the number of "Sent" packets. If not, you need to check the mirroring settings or cable connections.
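A way to confirm cause 3 above (only one direction mirrored) from a dump.cap taken with dumpPacket.exe for a single test ip, as an added Python example rather than a WFilter tool. It assumes the file is a classic pcap with Ethernet link type; the function names are hypothetical and the sample captures are built inline.

```python
import socket
import struct

# First four bytes of a classic pcap file -> byte order of its headers.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",   # nanosecond timestamps
}
LINKTYPE_ETHERNET = 1


def iter_frames(data):
    """Yield the captured bytes of each record in a classic pcap file."""
    if len(data) < 24 or data[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file")
    endian = PCAP_MAGICS[data[:4]]
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        frame = data[pos + 16:pos + 16 + incl_len]
        if len(frame) < incl_len:
            break  # last record cut off, e.g. dump window closed mid-write
        yield frame
        pos += 16 + incl_len


def ipv4_endpoints(frame):
    """Return (src, dst) as dotted quads for an IPv4 frame, else None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3 = 14
    while ethertype == 0x8100 and len(frame) >= l3 + 4:  # skip 802.1Q tag(s)
        ethertype = struct.unpack("!H", frame[l3 + 2:l3 + 4])[0]
        l3 += 4
    if ethertype != 0x0800 or len(frame) < l3 + 20:
        return None
    return (socket.inet_ntoa(frame[l3 + 12:l3 + 16]),
            socket.inet_ntoa(frame[l3 + 16:l3 + 20]))


def direction_counts(data, test_ip):
    """Count frames sent by, sent to, and unrelated to the test ip."""
    counts = {"from_host": 0, "to_host": 0, "other": 0}
    for frame in iter_frames(data):
        ends = ipv4_endpoints(frame)
        if ends and ends[0] == test_ip:
            counts["from_host"] += 1
        elif ends and ends[1] == test_ip:
            counts["to_host"] += 1
        else:
            counts["other"] += 1
    return counts


def mirror_verdict(counts):
    if counts["from_host"] and counts["to_host"]:
        return "both directions mirrored"
    if counts["from_host"]:
        return "outbound only"
    if counts["to_host"]:
        return "inbound only"
    return "no traffic for host"


def build_frame(src, dst, vlan=None):
    """Constructed Ethernet + IPv4 header (no payload), optionally VLAN-tagged."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + tag + struct.pack("!H", 0x0800) + ip


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


HOST = "192.168.1.20"  # the test address used in the tutorial
GOOD = build_pcap([build_frame(HOST, "203.0.113.5"),
                   build_frame("203.0.113.5", HOST, vlan=10)])
ONE_WAY = build_pcap([build_frame(HOST, "203.0.113.5"),
                      build_frame(HOST, "203.0.113.9")])

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: script.py dump.cap 192.168.1.20
        with open(sys.argv[1], "rb") as fh:
            result = direction_counts(fh.read(), sys.argv[2])
    else:
        result = direction_counts(GOOD, HOST)
    print(result, "->", mirror_verdict(result))
```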
LimeWire is a free peer-to-peer file sharing (P2P) client for Windows, Mac OS X, Linux, and other operating systems supported by the Java software platform. It uses the Gnutella network and also the BitTorrent protocol. Using LimeWire, users can easily download copies of copyrighted materials and illegal or objectionable content. In LimeWire versions prior to 5.0, users could accidentally configure the software to allow access to any file on their computer, including documents with personal information. Though recent versions of LimeWire do not allow unintentional sharing of documents or applications, it still opens a share directory to share downloaded files by default.
Therefore, to save your bandwidth and keep your network safe, you might want to block the LimeWire program on your network. However, though the default TCP port of Gnutella2 is 6346, you can not block LimeWire only by blocking this port in your router or firewall, because LimeWire allows users to change its default port.
This tutorial will guide you to block LimeWire downloading using WFilter. WFilter blocks LimeWire traffic based on signature matching, regardless of which port it is using. LimeWire can be blocked with a single click.
Blocked limewire:
Blocking logs of limewire in WFilter:
WFilter homepage: http://www.imfirewall.us/WFilter.htm
Traffic shaping and prioritization are becoming more and more common in the corporate market. Most companies with remote offices are now connected via a WAN (Wide Area Network). Applications tend to become centrally hosted at the head office, and remote offices are expected to pull data from central databases and server farms. As applications become more hungry in terms of bandwidth, and prices of dedicated circuits are relatively high in most areas of the world, companies feel the need to properly manage their WAN circuits instead of increasing their size, to make sure business-oriented traffic gets priority over best-effort traffic. Traffic shaping is thus a good means for companies to avoid purchasing additional bandwidth while properly managing these resources.
With a linux gateway, you have a very rich set of tools for managing and manipulating the transmission of packets. More details can be found at: http://linux-ip.net/articles/Traffic-Control-HOWTO/index.html. However, sometimes it might be difficult for you to deploy a linux gateway server. This tutorial will guide you to implement a passby bandwidth management solution, which enables you to manage internet bandwidth through a mirroring port on your switch.
Port mirroring allows you to set up a port in the switch to receive packets of other ports. Setting up a mirror port does not change your network topology, and it will not affect your network speed.
Let's take WFilter as an example:
First, set up a mirroring port. When port mirroring is properly set up, WFilter will be able to monitor the internet activities of all computers.
Bandwidth Management Settings
Using WFilter's bandwidth management feature, you can set a maximum accumulated bandwidth for each computer over a period of time. In this example, each user can have 200M internet bandwidth every day. Only messengers and emails are allowed when the bandwidth limit is reached.
You can also set up a policy to block certain users when the available internet bandwidth of the entire network is not enough. For example, when the entire network traffic exceeds 80% of the available internet bandwidth, p2p traffic will be blocked.
Bandwidth Alert Settings
The bandwidth alert feature will send you an alert email when the accumulated bandwidth of a computer is too large.
More information, please check "WFilter Enterprise".
You may assign static ip addresses to computers manually or in your DHCP server. However, it is difficult to prevent users from changing their ip addresses or mac addresses. Though it is more reasonable to setup ip-mac binding in routers or switches, software solution is also a good option, as it is easier to setup and manage.
This tutorial will guide you to bind ip addresses to mac addresses in WFilter, an internet filtering and monitoring software product.
First, you need to setup a mirror port in your switch to do monitoring. For how to deploy internet monitoring and filtering, check this guide: How to monitor internet usage?
Second, in "Control Settings"->"IP Management" of WFilter, you can setup ip-mac binding just by a few clicks.
When ip-mac binding is set up, internet access will be blocked when the user tries to change the ip address or mac address.
Please notice: "ip-mac binding" feature of WFilter only works for single segment networks. It is because the real MAC addresses of computers can not be retrieved in a multiple-segments network.
WFilter supports online activation and Email activation.
If you choose to activate your product over the Internet, upon your submission the activation wizard will detect your Internet connection and connect to a secure server to transfer your register key to us. The registration is passed back to you, automatically activating WFilter, if the register key is valid.
If you choose to activate your product by email activation, you should input the register key in the text box and click "confirm". You will get an activation code. Please send it to the support email box. The validation code will be sent back to you within 24 hours. Please copy it into the validation code textbox to activate your product.
1. Steps of Online Activation
Online activation requires an available internet connection to connect to the WFilter activation server.
1). In "Help"->"About" of WFilter, click "Product Activation".
2). Input your key number and use "online activation" to do online activation.
3). Successful activation.
2. Steps of Email Activation
Online activation requires an available internet connection. If you can not connect to the WFilter activation server, you can also use "Email Activation".
1). Input your key number and choose "email activation".
2). In "Email Activation", copy the activation code and send it to the support email address.
3). It might take several hours to receive the reply email, since the response email is sent manually.
4). In "Help"->"About" of WFilter, you need to enter the received validation code into WFilter.
3. De-activation
Sometimes, you might want to move the key to another computer. You need to de-activate this key first. Click "deactivate" in "Help"->"About" to de-activate the key.
Unmanaged website surfing is killing your productivity. And your computer and network are open to attack when visiting harmful sites. So it is important to block unwanted websites in your network. Blocking of websites can be done in many ways. These include using free software and windows settings. There are even many add-ons for browsers like Firefox which let you check and restrict websites. This tutorial will guide you to filter and block website access in 4 ways.
1. Manually editing the "hosts" file
In "Local Disk (C:) > WINDOWS > system32 > drivers > etc", you will find a file named "hosts". The Hosts file contains the mappings of IP addresses to host names. This file is loaded into memory (cache) at startup, then Windows checks the Hosts file before it queries any DNS servers, which enables it to override addresses in the DNS. This prevents access to the listed sites by redirecting any connection attempts back to the local (your) machine. You may use "notepad.exe" to edit this Hosts file. Example - the following entry
127.0.0.1 ad.doubleclick.net
blocks all files supplied by that DoubleClick server to the web page you are viewing.
2. OpenDNS
OpenDNS offers DNS resolution for consumers and businesses as an alternative to using their Internet service provider's DNS servers. By collecting a list of malicious sites, OpenDNS blocks access to these sites when a user tries to access them through their service. OpenDNS enables you to block websites by 50+ categories. OpenDNS also provides whitelist and blacklist features to enable you to create exception cases ("always allow" and "always block") to complement category-based filtering. To use the OpenDNS service, you need to change your DNS server settings manually. More information, please visit http://www.opendns.com
3. Router, Firewall or UTM
If you have a powerful router or UTM device, you can also set up web filtering on it. For more information about UTM solutions, please visit http://www.astaro.com
4. Internet filtering products
You can also use internet filtering products to do web filtering. An internet filtering product can be deployed in your network, and it enables you to monitor, filter and block internet activities of all computers from a mirroring port. Beyond web filtering, an internet filtering product can also block file downloading, block p2p traffic and block messengers. For internet filtering software, you can try "WFilter Enterprise", http://www.imfirewall.us
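For method 1, a hosts entry only covers the exact host name written on the line, so it is worth checking which names of a block policy the file really covers. The following is an added Python example, not part of the original tutorial; the function names, the policy list and every sample entry except the tutorial's `ad.doubleclick.net` line are constructed.

```python
import ipaddress


def sinkholed_names(hosts_text):
    """Host names that the file maps to a loopback or unspecified address."""
    names = set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *aliases = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # skip lines that do not start with an IP address
        if ip.is_loopback or ip.is_unspecified:
            # Host names are case-insensitive; a trailing dot is the same name.
            names.update(a.lower().rstrip(".") for a in aliases)
    return names


def audit(hosts_text, must_block):
    """Split a block policy into names the hosts file covers and names it misses."""
    covered = sinkholed_names(hosts_text)
    report = {"covered": [], "missed": []}
    for name in must_block:
        key = name.lower().rstrip(".")
        report["covered" if key in covered else "missed"].append(name)
    return report


# Constructed sample file; only the ad.doubleclick.net entry comes from the tutorial.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net      # entry from the tutorial
0.0.0.0         tracker.example  ADS.Example   # two names on one line
192.0.2.10      intranet.example        # ordinary mapping, not a block
#127.0.0.1      disabled.example
"""

# Constructed policy: names an administrator expects to be blocked.
POLICY = [
    "ad.doubleclick.net",
    "sub.ad.doubleclick.net",   # subdomain: not covered, hosts has no wildcards
    "ads.example",
    "intranet.example",         # present, but mapped to a real address
    "disabled.example",         # present, but commented out
]

if __name__ == "__main__":
    result = audit(SAMPLE_HOSTS, POLICY)
    print("covered:", result["covered"])
    print("missed: ", result["missed"])
```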
Instant Messaging can be a benefit to business when used properly, but IM is often abused by employees and poses significant liability and security risks.
The free consumer IM client programs in widest use, such as AIM, ICQ, Yahoo and MSN Messenger, pose many security concerns. Beyond text-based chat, IM programs also include peer to peer file transfer capabilities, which can pose security risks in two ways. Internal users can send documents that may be confidential out of your network, circumventing your network's perimeter defenses against file sharing programs or e-mail attachments. On the other hand, external users can send files that might contain viruses or malicious code to users on the internal network. In addition, a liability risk arises if employees use the file transfer feature to share copyrighted music, movie or software files in violation of the law.
To make your business efficient, it is necessary for you to monitor, filter and block instant messaging in your network. You may want to apply an internet messenger usage policy like this:
1. Only authorized users can use certain IM tools.
2. File transfer via messengers shall be blocked.
3. Only work-related IM accounts can be used.
As most firewall programs do not support that kind of feature, you need an internet monitoring and filtering program like "WFilter Enterprise". "WFilter Enterprise" enables you to monitor, manage and block internet access of all computers on a mirroring port. For internet messaging blocking, WFilter supports:
1. Blocking certain messenger protocols.
2. Blocking file transfer via messengers.
3. Blocking certain messenger accounts using a black/white list.
Figures:
Block file transfer in messengers:
MSN black/white list:
More information, please check "WFilter Enterprise".
Unmanaged website surfing is killing your productivity. Employees may spend hours reading news, watching online video and playing online web games. So, to save productivity, it is necessary for organizations to block certain websites and restrict internet access. You need to implement an internet policy such as:
1. Only work-related websites are allowed during work time.
2. Destructive websites, like violence and adult sites, shall always be blocked.
3. Downloading websites shall be blocked to save bandwidth if you are suffering from slow internet speed.
However, in today's internet, a website can not be blocked only by blocking its ip address or domain. It is still accessible by:
1. Open proxy servers.
2. Third party tunneling proxy service.
3. Tunnel VPN service.
To make your blocking efficient, you also need to block certain proxy/tunneling protocols. WFilter makes it simple to block websites and proxy services.
1. Filter certain websites
You can filter certain websites by "website black/white list" and "website category":
2. Block Proxy Service and VPN protocols
WFilter supports the proxy protocol transparently. No additional setting is required to block open proxy servers. You may set up an "HTTPS black/white list" to block unwanted VPNs.
More information, please check "WFilter Enterprise".
Online audio/video streaming can consume most of your bandwidth. To save your bandwidth, you might want to block online streaming traffic on your network. Generally speaking, online streaming can run on different protocols:
1. Video websites, like youtube. You can watch video directly on the webpages.
2. Standard Real Time Streaming Protocol (RTSP).
3. P2P based streaming products, like pplive, ppstream.
4. Video downloading websites.
Therefore, for complete blocking of video streaming, you need to block all of the above video traffic.
First, block "streaming" category websites:
Second, block downloading of video files:
Third, block RTSP and other online streaming protocols:
More information, please check "protocols supported by WFilter".
Unmanaged internet downloading can consume most of your bandwidth. In practice, many, often most, of the files shared on peer-to-peer networks are copies of copyrighted popular music and movies. So, it is important for corporations to manage, control and block p2p traffic and block unwanted file downloading.
Files can be downloaded in various ways, as described below:
1. Downloading from HTTP/FTP websites.
2. Downloading from p2p networks.
3. Downloading from instant messenger buddies.
For security purposes, downloading from p2p networks shall be completely forbidden in company networks, and only HTTP/FTP downloading from trusted websites can be allowed.
Instant messenger file transfer makes it convenient to share files with our friends. It is fast and secure. However, because IM is so popular, virus writers can use it to spread malicious programs. These viruses are spread, in most cases, when a person clicks a link or opens an infected file that was sent in an instant message that appeared to come from a friend. Therefore, messenger file transfer also puts your network in danger.
"WFilter Enterprise" makes it simple to manage file transfers between the local network and the internet. Using WFilter, you may:
1. Limit file downloading size.
2. Block web downloading by file type.
3. Block web downloading by content type (MIME type).
4. Block p2p traffic.
5. Block file transfer via messengers.
Figures:
Introduction
WFilter supports various ways to filter web surfing activity:
- Block Web Surfing Completely
- Enable Website Black/White List
- Enable URL Keywords Filtering
- Enable Website Category Access Policy
- Websites Exception List
- Enable HTTPS Black/White List
When enabled, all HTTP web surfing will be blocked, except for domains in the "Websites Exception List".
1.1 Add a new blocking level, as in the below figure:
 Figure 1
1.2 Set a proper "Level Name" and "Level Desc", check the "Block Web Surfing". If you want to display a blocking page when blocked, you need to enable "Display a Deny Page When Blocking", as in Figure 2:  Figure 2
1.3 Apply this new blocking level to certain users in "User-computer Table", as in the below figure:
 Figure 3
1.4 Websites will be blocked, as in Figure 4:  Figure 4
 Figure 5
Website black/white list can set black list or white list for websites based on domain name.
When black list is enabled, websites in the black list will be blocked. When white list is enabled, only websites in the white list can be visited.
2.1 Add a new blocking level, as in the below figure:
 Figure 6
2.2 Set a proper "Level Name" and "Level Desc", check the "Enable Website black/white list", as in Figure 7:  Figure 7
2.3 Add certain websites into a black list, as in Figure 8:  Figure 8
2.4 Apply this new blocking level to certain users in "User-computer Table", as in the below figure:
 Figure 9
2.5 Websites in the black list will be blocked, as in Figure 10:  Figure 10
 Figure 11
3. Enable URL Keywords Filtering
URL keywords filtering can filter webpages by URL address. Using this feature, you can block searches for certain keywords in search engines.
3.1 Add a new blocking level, as in the below figure:
Figure 12
3.2 Set a proper "Level Name" and "Level Desc", check the "Enable URL Keywords Filtering", as in Figure 13:  Figure 13
3.3 Check the keywords category to be blocked, as in Figure 14:  Figure 14
3.4 Apply this new blocking level to certain users in "User-computer Table", as in the below figure:
 Figure 15
3.5 In this example, searching for "game" will be blocked, as in Figure 16 and Figure 17:  Figure 16
 Figure 17
4. Enable Website Category Access Policy
Website category access rules can filter websites based on website categories. Four filtering modes are supported: "Allow", "Deny", "Warn" and "Time Quota".
4.1 Add a new blocking level, as in the below figure:
 Figure 18
4.2 Set a proper "Level Name" and "Level Desc", check the "Enable web category rule", as in Figure 19:  Figure 19
4.3 Set certain filtering mode for certain categories, as in Figure 20:  Figure 20
4.4 Apply this new blocking level to certain users in "User-computer Table", as in the below figure:
 Figure 21
4.6 In this example, time quota is enabled for "Game" websites, as in Figure 22:
 Figure 22
5. Websites Exception List
Websites in the exception list will not be blocked by other rules.
 Figure 23
6. Enable HTTPS Black/White List
The above functions can only filter HTTP websites. To block HTTPS websites, you need to enable the "HTTPS Black/White List".
6.1 Add a new blocking level, as in the below figure:
 Figure 24
6.2 Set a proper "Level Name" and "Level Desc", check the "Enable HTTPS Black/White List", as in Figure 25:  Figure 25
6.3 Add certain websites into a HTTPS Black list, as in Figure 26:  Figure 26
6.4 Apply this new blocking level to certain users in "User-computer Table", as in the below figure:
 Figure 27
6.5 As in Figure 28 and 29, certain HTTPS websites will be blocked.  Figure 28
 Figure 29
Some websites, like Facebook and YouTube, are rather time-consuming.
If you do nothing to filter certain websites, your employees may spend several hours a day on web surfing.
So how can you block certain websites to save your productivity?
1. Some routers/gateways might have the ability to block certain websites.
2. Firewall appliances, like Cisco PIX, will also be a good choice.
3. Third, you can choose internet filtering software to do web filtering and blocking.
Block MSN file transfer: impossible mission?
It is convenient to transfer files via messengers like msn/live, yahoo, icq... But it is also necessary for organizations to block unauthorized file transfers to keep their networks safe.
However, messenger software uses several ways to avoid being blocked. It uses dynamic ports, encrypted connections and a variety of connection types to bypass network firewalls.
Let me take msn as an example. In our tests, there are four types of msn file transfer, as described below:
1. For two buddies, if one of them is connected to the internet directly, a direct connection will be established to transfer files. This is the quickest way. There are three types of direct connection, with dynamic ports which are negotiated by the two sides.
1.1) Direct TCP connection.
1.2) Direct TCP connection using TLS encryption.
1.3) Direct UDP transmission.
2. If a direct connection cannot be established, msn servers can act as a relay server to transfer files. The file transfer packets will be mixed in with normal msn messages.
As you can see from above, there is no way to block msn file transfer simply by blocking some ports in the firewall. The firewall should be smart enough to recognize msn file transfer direct connections, and it shall be able to pick up file transfer packets from normal msn messages.
IMFirewall P2P Classify Engine Introduction
1 Introduction
IMFirewall Software is a professional Internet filtering software provider. Since we were founded in 2004, we have focused on Internet information security and on providing customers with a comprehensive approach to managing the Internet usage of enterprise networks. By 2007-10, the number of protocols supported in our pattern database had reached over 90. And our pattern analysis team is monitoring and analyzing protocols every day.
2 Supported Pattern Type
Three pattern types are supported:
1. Signature Pattern
You may call it a "digit signature". As most p2p programs have neither a fixed port range nor central servers, the only way to match them is by signature match. The IMFirewall pattern matching engine scans every connection for signatures of existing protocols.
2. Port Pattern
IMFirewall pattern matching engine can also recognize protocols by port or port range.
3. HTTP Pattern
Because more and more protocols are using the HTTP protocol or an HTTP tunnel to communicate, our pattern-matching engine also checks the HTTP MIME headers for signatures. The HTTP pattern is powerful for recognizing HTTP-based protocols.
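The three pattern types above, combined in one small classifier. This is an added example, not IMFirewall's engine: the rules, function names and sample payloads are constructed for illustration, and checking signatures first and ports last is an assumed order. Port 5190 is the AIM default port mentioned elsewhere on this page.

```python
import re

# Constructed rules in the three pattern types; not entries from the vendor database.
SIGNATURE_RULES = [
    # BitTorrent peer handshake: length byte 19, then the protocol name.
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    # OSCAR (AIM/ICQ) FLAP sign-on frame: 0x2A, channel 1, sequence, length 4, version 1.
    ("aim", re.compile(rb"^\x2a\x01..\x00\x04\x00\x00\x00\x01", re.DOTALL)),
]
PORT_RULES = [("aim", range(5190, 5191))]   # port or port range; 5190 is AIM's default
HTTP_RULES = [("bittorrent", "content-type", "application/x-bittorrent")]
HTTP_START = re.compile(rb"^(?:[A-Z]+ \S+ HTTP/1\.[01]|HTTP/1\.[01] \d{3})")


def http_headers(payload):
    """Return lower-cased HTTP headers, or None if the payload is not HTTP."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not sep or not HTTP_START.match(lines[0]):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip().lower()
    return headers


def classify(server_port, payload):
    """Classify the first payload of a connection; returns (protocol, pattern type)."""
    for proto, pattern in SIGNATURE_RULES:
        if pattern.match(payload):
            return proto, "signature"
    headers = http_headers(payload)
    if headers is not None:
        for proto, name, value in HTTP_RULES:
            if headers.get(name, "").startswith(value):
                return proto, "http"
    for proto, ports in PORT_RULES:
        if server_port in ports:
            return proto, "port"
    return "unknown", None


# Constructed first payloads: (server port, bytes seen on the wire).
SAMPLES = [
    (51413, b"\x13BitTorrent protocol" + bytes(48)),
    (80, b"\x2a\x01\x12\x34\x00\x04\x00\x00\x00\x01"),      # FLAP sign-on moved to port 80
    (5190, b"\x00\x00"),
    (80, b"HTTP/1.1 200 OK\r\nContent-Type: application/x-bittorrent\r\n\r\n"),
    (80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, classify(port, data))
```

The second sample is the case a port rule alone misses: the sign-on frame is on port 80, yet the signature rule still labels it.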
3 Pattern Matching Speed
We test the speed of each pattern when a new pattern is found; the standard speed is 20,000 matches in 1 second.
4 Quick Response for New (Updated) Protocols
As protocols may vary from time to time, it is necessary to keep the pattern database up to date in time.
We have a protocol/programs monitoring system, which will monitor the website and files on official websites of each protocol. Once there is a change, the system will notify our protocol analysis team to test it.
This gives us a quick response to new (updated) protocols. Usually, an updated protocol can be added to our pattern database in 2-3 business days.
Links: Supported protocols list of WFilter
Someone told me WFilter can not block bittorrent downloading. So I did some research yesterday.
I downloaded both bittorrent and bitcomet from their official websites. I also downloaded an available torrent file from bittorrent.com.
I turned "Block P2P" on in the WFilter console, then used bitcomet to download; the download never began. However, when I used bittorrent to download, it started downloading after trying for a few seconds.
This is really interesting. Since WFilter can detect and block bittorrent traffic using pattern match, this should not happen. So what's the reason? After detailed analysis of the network traffic, I found bittorrent also downloads data directly from bittorrent.com using the http protocol. That means bittorrent not only uses p2p downloading, but can also download files directly from the website.
Knowing that, I added "bittorrent.com" to the black list of wfilter's website black&white list, then did the download again. Aha, bittorrent was never able to download any files.
MSN, also called Live Messenger, is widely used. Windows Live Messenger gives you brilliant ways to connect and share your photos (and other stuff). Contact lists, emoticons, instant access to your friends.
However, sending and receiving files using MSN carries some security risk. External users can send files that might contain viruses or malicious code to users on the internal network. In addition, a liability risk arises if employees use the file transfer feature to share copyrighted music, movie or software files in violation of the law.
How to block msn file transfer?
MSN transfers files using dynamic ports which are negotiated. So it is impossible to block msn file transfer ports.
WFilter provides an efficient way to block msn file transfer. By using WFilter, it is very easy for you to detect and block MSN file transfers.
A more detailed example can be found here:
Example of blocking msn
A pure peer-to-peer network does not have the notion of clients or servers, but only equal peer nodes that simultaneously function as both "clients" and "servers" to the other nodes on the network. This model of network arrangement differs from the client-server model where communication is usually to and from a central server.
Some networks and channels such as Napster, OpenNAP and IRC server channels use a client-server structure for some tasks (e.g. searching) and a peer-to-peer structure for others. Networks such as Gnutella use a peer-to-peer structure for all purposes, and are sometimes referred to as true peer-to-peer networks, although Gnutella is greatly facilitated by directory servers that inform peers of the network addresses of other peers.
As you can see from above, a peer-to-peer network is complex and it is almost impossible for you to block p2p in the router or the gateway.
WFilter provides an efficient way to block p2p traffic by signature match. By using WFilter, it is very easy for you to detect and block p2p traffic and file downloading.
WFilter related features:
- Detect p2p traffic in your network.
- Implement a policy to block certain p2p traffic.
- Support over 30 p2p protocols, covering most common p2p software.
- Define a list of file extensions forbidden from being downloaded.
AOL Instant Messenger (often referred to as "AIM") is an instant messaging application that allows registered users to communicate in real time via text, voice, and video transmission over the Internet. It is maintained by AOL LLC. The official website is www.aim.com.
AIM is widely used all over the world. However, employees are using AIM to chat about private topics and to send and receive files, which will decrease working productivity, waste time and raise security risk.
So it is important to block AIM in enterprise network.
How to block AIM in your network?
AIM messenger can connect in several ways. The default is TCP port 5190. However, if you block AIM port 5190 in your firewall, it will switch to port 80 or 443 instead. Also, AIM messenger can use an HTTP/SOCKS4/SOCKS5 proxy server to reach the server. Even worse, AIM traffic can go through port 80 using the HTTP protocol, and if you allow your employees to browse websites, port 80 must be available. And besides the official AIM clients, many unofficial clients like gaim and trillian are also popular. So, is blocking AIM mission impossible?
Of course not, but professional internet filter tools are needed. To block AIM traffic, the blocking tool needs the ability to pick out AIM traffic from a large number of connections.
I recommend you use WFilter to block aim, block msn and block messenger.
WFilter related features:
- Monitor AIM and ICQ messenger usage.
- Record chat contents of AIM and ICQ.
- Record files transferred by AIM/ICQ.
- Implement a policy to block AIM/ICQ or certain AIM/ICQ accounts.
- Block AIM file transfers, block icq file transfers.
- Support the official messenger client and other third party clients like gaim, trillian.
WFilter other monitor features:
Chat Monitor, MSN Messenger Chat Monitor, Yahoo Chat Monitor and other instant messenger monitor, block MSN, block Yahoo, block AIM, and other instant messenger block, block p2p, block p2p traffic, filter internet, block internet, internet monitor, monitor employee internet activity...
Wireless communication brings fundamental changes to data networking and telecommunications. Nowadays, more and more organizations and home users build wireless networks. And in many situations, wired networks and wireless networks exist together. This topic demonstrates a solution to monitor the internet activity of wireless networks.
A typical network contains both wired and wireless networks:

To monitor both the wired network and the wireless network, we add a TP-Link port mirror switch, TL-SL2210WEB, here.
Port 1 of the switch is connected to the router, port 2 is connected to WFilter and port 3 is connected to the wireless Access Point.
The port mirror configuration is as below:

By now, you can monitor all the wireless computers.
WFilter Deployment
----Using Dlink2366
A company uses a router connected to the internet, with a Dlink2366 as the central switch.
The network topology diagram:

In this case, we only need to do port mirroring in the Dlink2366 to do monitoring.
Dlink 2366 port mirror configuration:

As in the diagram above, port 16 is connected to the router and port 1 is connected to the computer with WFilter installed.
WFilter related features:
Chat Monitor, Monitor employees, internet monitor, msn chat monitor, aim monitor, yahoo monitor, block p2p, block msn, block aim, block yahoo, block messenger, filter internet.
WFilter Deployment
---- CISCO2950 + ISA2004
Company A uses ISA server 2004 as the proxy server and a Cisco 2950 switch as the central switch.
The topology diagram:

For this kind of topology, we have two solutions:
Solution 1: Install WFilter on the ISA server computer, where it can directly monitor all computers.
Solution 2: Install WFilter on another computer and configure port mirroring on the Cisco 2950.
Notice: By default, WFilter only analyzes traffic between the local network and the internet. So if you are using a local proxy server, WFilter will not analyze the traffic between the proxy server and the client computers by default. You need to add the proxy server IP address to "Local Servers" in "Monitor Settings" of WFilter to make WFilter work.
How to configure port mirror of CISCO 2950?
As indicated in the above diagram, the ISA server is connected to port 23 of the switch and WFilter is connected to port 22. To make WFilter work, you only need to mirror port 23's traffic to port 22.
Syntax:
monitor session session_number {destination {interface interface-id [, | -] [encapsulation {dot1q}] [ingress vlan vlan id] | remote vlan vlan-id reflector-port interface-id} | {source {interface interface-id [, | -] [both | rx | tx] | remote vlan vlan-id}}
In this example:
1. Set port 23 as the source mirror port
monitor session 1 source interface Fa0/23
2. Set port 22 as the destination port
monitor session 1 destination interface Fa0/22 ingress vlan 1
Notice: By default, the mirror port of the Cisco 2950 is recv-only. However, WFilter must be able to send packets to implement its blocking features. So in this example, we add "ingress vlan 1" to enable sending on port 22.
Some Cisco switches do not support the ingress syntax. If your switch does not support ingress, you can set a different "blocking adaptor". Please follow the steps below:
1. Set port 23 as the source mirror port.
monitor session 1 source interface Fa0/23
2. Set port 22 as the target mirror port (recv-only).
monitor session 1 destination interface Fa0/22
3. Add a network card to the computer with WFilter installed, connected to a normal port of the switch.
4. Change the "blocking adaptor" to the newly added adaptor in "Monitor Settings" of WFilter.
Copyright © 2012 IMFirewall Software. All rights reserved.