Category Archives: Content Filter

Software solutions to monitor internet usage in business networks.

To save internet bandwidth and raise productivity, administrators need to know the bandwidth usage and internet activities in their business networks. Network firewall appliances offer this ability; in this post, I will introduce several software-based monitoring solutions.


1. Passby monitoring on a mirroring port.

“Port mirroring” is a feature of managed switches and routers. With port mirroring, one port receives a copy of the packets passing through other ports, so a software program on the PC attached to that target port can monitor all network traffic. This is called “passby monitoring”. The network diagram:

With WFilter internet content filter installed, you can monitor bandwidth and internet activities and deploy internet access policies. Screenshots:

2. SNMP-based monitoring

Compared to “port mirroring”, SNMP-based monitoring is easier to set up but has fewer features. It is still a very convenient way to monitor bandwidth. Below are screenshots from PRTG.


3. Linux network bridge

A network bridge is more powerful, with the ability to monitor traffic, allocate bandwidth and filter internet activities. The bridge is deployed between your router/firewall and your switch.


To set up a network bridge, you need a PC with two network cards (wired adapters only). I recommend WFilter NG firewall as the operating system: it is a dedicated Linux distribution for internet content filtering and firewalling. Below are screenshots from WFilter NGF:


How to deploy a passby internet content filter with your Cisco switch?

You don’t need to buy an expensive firewall or UTM appliance for internet content filtering and usage monitoring.
In this post, I will show how to deploy a passby internet content filter using only a Cisco switch.

First, suppose you have a Cisco switch in the network diagram below.
Most Cisco switches support the “port mirroring (SPAN)” feature. Use the commands below to enable it:

1. Set source port

Switch(config)#monitor session 1 source interface Fa0/23

2. Set target port

Switch(config)#monitor session 1 destination interface Fa0/22 ingress vlan 1

Then install a passby filtering program (e.g. WFilter internet content filter) on a Windows PC and connect this PC to the “target port”. You can then monitor and filter the internet access of network clients. Please note: “ingress” must be enabled for filtering to work, because a SPAN destination port without “ingress” only receives mirrored copies and the filter could not send anything back into the network.
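As an added check (my own code, not part of the original post or of WFilter), the script below reads the `monitor session` lines from a switch configuration and reports any SPAN session on which a passby filter could monitor but never block, in particular a destination port configured without “ingress”. The two sample configurations are constructed; the first repeats the commands above.

```python
import re

# Matches "monitor session" lines as typed at the Switch(config)# prompt or as shown
# in a running-config; trailing options such as "ingress vlan 1" are kept in "rest".
SPAN_LINE = re.compile(r"^monitor session (?P<sid>\d+) (?P<role>source|destination) interface (?P<iface>\S+)(?P<rest>.*)$")


def parse_span_sessions(config_text: str) -> dict:
    """Group SPAN lines by session id into sources, destination and the ingress flag."""
    sessions = {}
    for raw in config_text.splitlines():
        m = SPAN_LINE.match(raw.strip())
        if not m:
            continue  # not a SPAN line; the rest of the config is ignored
        sid = int(m["sid"])
        s = sessions.setdefault(sid, {"sources": [], "destination": None, "ingress": False})
        if m["role"] == "source":
            s["sources"].append(m["iface"])
        else:
            s["destination"] = m["iface"]
            # "ingress" lets frames *from* the filter PC enter the switch; without it the
            # SPAN destination port only delivers mirrored copies to the PC.
            s["ingress"] = "ingress" in m["rest"].split()
    return sessions


def passby_filter_issues(sessions: dict) -> list:
    """Explain why a passby filter on the SPAN destination could watch traffic but not block it."""
    issues = []
    for sid, s in sorted(sessions.items()):
        if not s["sources"]:
            issues.append(f"session {sid}: no source port, nothing is mirrored")
        if s["destination"] is None:
            issues.append(f"session {sid}: no destination port for the filter PC")
        elif s["destination"] in s["sources"]:
            issues.append(f"session {sid}: {s['destination']} is both source and destination")
        elif not s["ingress"]:
            issues.append(f"session {sid}: destination {s['destination']} lacks 'ingress'; "
                          "the filter can monitor but cannot send blocking packets")
    return issues


# Constructed sample configs: the working session from this post, and one missing "ingress".
GOOD_CONFIG = """
monitor session 1 source interface Fa0/23
monitor session 1 destination interface Fa0/22 ingress vlan 1
"""
BAD_CONFIG = """
monitor session 2 source interface Fa0/23
monitor session 2 destination interface Fa0/22
"""
```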

The new diagram:


Pass-by filtering can also be as powerful as a pass-through UTM device, except for bandwidth rate limiting. For more information, please check: WFilter deployment.

How to block website category in WFilter ICF?

This post demonstrates the steps to block website categories for network clients with WFilter internet content filter (WFilter ICF 4.1).

WFilter contains an integrated URL database, which includes about 60 website categories. With the website category filtering feature, you can block selected categories with a few clicks. This feature is also available in WFilter NG firewall.

1. Add a new blocking policy

Create a new blocking policy in “Policy Settings” -> “Blocking Levels”. In “Category”, check “Block webpages by categories”, then click “New…” in the dropdown list.


2. Block certain categories.

To block a website category, you simply set its “Access Policy” to “Deny”. In this example, we set “Sexual” sites to “Deny”.


3. Apply this blocking policy.

In the “user-device list”, set the default “blocking policy” to the newly added “block websites category” policy, so that it applies to all network clients.


4. Check the blocking.


WFilter NGF vs. internet filtering appliances.

Internet filtering appliances (UTM) are very popular in business networks. In this article, I will discuss how WFilter NGF differs from internet filtering appliances.

Compared to WFilter NGF, appliances are easier to deploy: you don’t need to install the system yourself.

Advantages of appliances

  1. Easier to deploy.
  2. No hardware compatibility issues.

Disadvantages of appliances

  1. Most appliances only last 2-3 years.
  2. Poor scalability: if you add more network clients, you need to buy new appliances.
  3. Very expensive, and even upgrades are not free.

Comparison

Despite the above disadvantages, internet filtering appliances are ideal for business network security. With WFilter NGF, you need to test the hardware and install the system yourself. However, it also has the following advantages:

  1. You can build your own appliance.
  2. The license is upgradable and transferable.
  3. Free upgrades for life.
  4. Most cost-effective.

So if you like the features of WFilter NGF, or prefer a more cost-effective solution, choose “WFilter NG firewall”.

How to block non-domain devices from accessing the internet in a network?

Some users have asked how to prevent non-domain devices from having internet access in a business network. This guide shows how, using WFilter Enterprise.

WFilter can be integrated with Microsoft Active Directory, so you can monitor and filter internet usage by domain username. For details, please check: Active directory Integration of WFilter

To stop non-domain devices, follow the steps below:

1. Set a restricted policy for devices in the “Default IP Policy” of the “user-device list”.

Devices will then have only restricted internet access.


2. Set the real policy for domain users in “Users” of the “user-device list”.

3. Modify the “Policy Apply” option.

In “Advanced Settings” of “Account Monitoring Settings”, set “Policy Apply” to “User Policy First”, so that the user policy overrides the device policy.


After the above steps, non-domain devices have only restricted internet access. When a device is logged in with a domain user, the user policy is applied.

WFilter integrates with Active Directory: a content filtering solution for domain users.

Filtering by IP address and MAC address is enough for most networks. However, in networks with dynamic IP addresses or BYOD, you may not be able to identify clients by IP or MAC. In this case, AD integration is a widely adopted solution for internet content filtering.

Both “WFilter Enterprise” and “WFilter NG Firewall” provide an “AD integration” solution, which enables reporting, monitoring and filtering by domain user.

1. AD Integration in “WFilter Enterprise”.

More details can be found at: Active directory Integration of WFilter Enterprise

2. WFilter NG Firewall

With WFilter NG Firewall, besides “AD integration”, you can also add “Local accounts” for monitoring, filtering and VPN access.


Please check: WFilter NG Firewall Active directory Integration Solutions

Introduction to WFilter NGF’s bandwidth optimization features.

When your internet bandwidth is insufficient, you will usually turn to one of the following solutions: adding more broadband connections, blocking bandwidth-heavy applications, or limiting rates per client.

Actually, all three solutions have disadvantages:

  1. Without access control, using multiple broadband connections does not bring a better experience, because downloading and streaming can easily consume most of your bandwidth.
  2. “Application blocking” saves bandwidth, but the user experience suffers: users will complain that they cannot stream or download.
  3. Rate limiting does not optimize your bandwidth; users will still complain about slow internet speed.

WFilter NG firewall provides a complete solution for bandwidth optimization.

1. Powerful access control policy

With the “Access Policy” module, you can block P2P downloading, online streaming and streaming websites. Please check: Access Policy

2. Multi-WAN load balancing and routing

If you have multiple broadband connections, WFilter NGF’s “Multi-WAN” module can help you:

  1. Load balance across multiple broadband connections.
  2. Set up routing policies. For example: a) business servers are routed over a dedicated connection; b) video sites are routed over another connection.

For more details, please check: Multi-WAN

3. Bandwidth priority

With the “Priority” module, traffic with higher priority goes first. For example, you can give business server traffic the highest priority, so that even when the network is extremely busy, the servers’ bandwidth is not affected.

After installation, the default rules are: email > web > p2p and streaming. You can also customize your own rules.

For more details, please check: bandwidth priority

4. Bandwidth shaper

This module lets you set bandwidth rates for clients. Rates can be assigned to IP ranges, user groups or departments.

Each group has a “maximum bandwidth rate” and a “minimum bandwidth rate”. The minimum rate guarantees the clients this bandwidth even when the line is busy.

For more details, please check: bandwidth shaper
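To make the minimum/maximum semantics of a shaper concrete, here is an added illustration (my own code, not WFilter’s scheduler): it first checks that the configured minimums can all be honored on the link at the same time, then shares a busy line in the way such guarantees imply. The group names, rates and demands are constructed.

```python
def check_minimums(capacity_kbps: int, groups: dict) -> tuple:
    """Sum the guaranteed minimums; the guarantee only holds if the link can carry them all at once."""
    total_min = sum(lo for lo, _hi in groups.values())
    return total_min, total_min <= capacity_kbps


def allocate(capacity_kbps: int, groups: dict, demand: dict) -> dict:
    """Share a busy link among groups, each configured as (min_kbps, max_kbps).

    1. Every group first receives its minimum rate (or less, if it demands less).
    2. Leftover capacity is handed out in equal rounds to groups still wanting more,
       never beyond a group's maximum or its current demand (water-filling).
    """
    total_min, ok = check_minimums(capacity_kbps, groups)
    if not ok:
        raise ValueError(f"minimum rates sum to {total_min} kbps, above the {capacity_kbps} kbps link")
    ceiling = {g: min(hi, demand.get(g, 0)) for g, (_lo, hi) in groups.items()}
    alloc = {g: min(lo, ceiling[g]) for g, (lo, _hi) in groups.items()}
    left = capacity_kbps - sum(alloc.values())
    while left > 0:
        hungry = [g for g in groups if alloc[g] < ceiling[g]]
        if not hungry:
            break  # everyone is satisfied or capped; spare capacity stays idle
        share = max(1, left // len(hungry))
        for g in hungry:
            grant = min(share, ceiling[g] - alloc[g], left)
            alloc[g] += grant
            left -= grant
            if left == 0:
                break
    return alloc


# Constructed example: a 10 Mbps line shared by three groups, (min, max) in kbps.
GROUPS = {"servers": (4000, 10000), "staff": (2000, 6000), "guests": (500, 2000)}
# Demand at a busy moment: servers are quiet, staff and guests want more than they may have.
DEMAND = {"servers": 3000, "staff": 9000, "guests": 5000}
```

Note that the minimums add up to 6.5 Mbps here; on a 6 Mbps line the same configuration is rejected, because no shaper can guarantee more than the line carries.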

Try WFilter NGF now: WFilter NG firewall

WFilter NG Firewall, a Linux-based next generation firewall and routerOS, is released.

After two years of development, we’re now pleased to announce a new product: “WFilter NG Firewall”, a Linux-based next generation firewall and routerOS.

WFilter NG Firewall is a routerOS system which, for now, can only be installed on an x86 PC. It integrates most features of “WFilter Enterprise”, together with several new features: “bandwidth optimizer”, “Multi-WAN”, “user authentication”, “VPN” and others.

WFilter ROS brings you powerful live connection monitoring and access control. Feature highlights:

  1. Live connection monitoring and control: you can kill live connections, or add a user to the punish group.
  2. The URL database supports 60+ web categories.
  3. Set internet access policy by network, IP address, MAC address or username.
  4. Monitor the MAC addresses of clients in each subnet. Please check: MAC Detector
  5. IP-MAC binding in multi-segment networks. Please check: IP-MAC Binding
  6. Smart bandwidth optimizer and shaper. Please check: Bandwidth Optimizer

Both an “enterprise license” and a “free license” are available. The free license is lifetime and has no user limit.

You may download WFilter ROS at: http://www.wfilterros.com

WFilter 4.1 adds a monitoring-by-MAC-address solution for multi-segment networks.

1. What is “by mac address monitoring mode”?

WFilter supports both “by ip address monitoring mode” and “by mac address monitoring mode”.

In “by mac address mode”, WFilter identifies a client device based on its physical MAC address. Even if the device’s IP address changes (either by DHCP or by hand), WFilter can still identify it correctly. This monitoring mode is therefore useful in DHCP networks.

I recommend choosing the monitoring mode as follows:

  1. If IP addresses are static (or can be made static), “by ip address” monitoring mode is recommended.
  2. If IP addresses are dynamic, “by mac address” monitoring mode is recommended for single-segment networks.

2. By MAC address solution for multi-segment networks

In a multi-segment network, the core switch (gateway) hides the real MAC addresses of client devices (frames routed across segments carry the gateway’s MAC address rather than the client’s), so the MAC address monitoring mode does not work.

WFilter Enterprise 4.1 includes a program named “MAC Address Collector”, which detects and gathers the MAC addresses of client devices via SNMP or ARP.

With the “MAC Address Collector”, you can monitor by MAC address even in a multi-segment network.

More details and guide documents can be found at: Monitoring by mac addresses solutions

How to monitor and filter internet activities of PPPoE users?

PPPoE is widely used for user authentication and traffic accounting. However, it is a little difficult to monitor and filter the internet usage and behavior of PPPoE clients.

In this example, we demonstrate how to monitor and filter PPPoE clients with WFilter Free. Note that only unencrypted and uncompressed PPPoE traffic is supported, so the first step is to configure your PPPoE server to disable encryption and compression.
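As an added illustration of why the server must be configured this way (my own code, not from WFilter or the original post), the classifier below walks a PPPoE session frame down to the IPv4 header. Once the PPP protocol field announces compressed or MPPE-encrypted data (protocol 0x00FD) or ECP-encrypted data (0x0053), a monitor sees only opaque bytes and cannot tell which site a client is visiting. The sample frames are constructed.

```python
import struct
import ipaddress

ETHERTYPE_PPPOE_SESSION = 0x8864
PPP_IPV4 = 0x0021      # plain IPv4 datagram: header fields are readable
PPP_CCP_DATA = 0x00FD  # CCP-compressed (MPPC) or MPPE-encrypted data: opaque
PPP_ECP_DATA = 0x0053  # ECP-encrypted data: opaque

def classify_pppoe_frame(frame: bytes) -> dict:
    """Walk Ethernet -> PPPoE session header -> PPP protocol -> IPv4 header."""
    if len(frame) < 22:
        return {"status": "truncated"}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_PPPOE_SESSION:
        return {"status": "not-pppoe", "ethertype": ethertype}
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code != 0x00:  # version 1, type 1, code 0 = session data
        return {"status": "not-session-data", "code": code}
    ppp = frame[20:20 + length]
    if len(ppp) < 2:
        return {"status": "truncated"}
    proto = struct.unpack("!H", ppp[:2])[0]
    payload = ppp[2:]
    if proto in (PPP_CCP_DATA, PPP_ECP_DATA):
        return {"status": "opaque", "session": session_id, "ppp_protocol": proto}
    if proto != PPP_IPV4:
        return {"status": "control", "session": session_id, "ppp_protocol": proto}
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return {"status": "bad-ipv4", "session": session_id}
    return {"status": "ipv4", "session": session_id,
            "src": str(ipaddress.IPv4Address(payload[12:16])),
            "dst": str(ipaddress.IPv4Address(payload[16:20])),
            "ip_protocol": payload[9]}

def build_frame(ppp_proto: int, ppp_payload: bytes, session_id: int = 1) -> bytes:
    """Constructed test frame: Ethernet + PPPoE session header + PPP protocol + payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst MAC + src MAC
    ppp = struct.pack("!H", ppp_proto) + ppp_payload
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp))
    return eth + struct.pack("!H", ETHERTYPE_PPPOE_SESSION) + pppoe + ppp

def sample_ipv4(src: str, dst: str, ip_proto: int = 6) -> bytes:
    """Constructed minimal IPv4 header (20 bytes, no options, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, ip_proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

PLAIN = build_frame(PPP_IPV4, sample_ipv4("10.0.0.5", "192.0.2.10"))
ENCRYPTED = build_frame(PPP_CCP_DATA, b"\x90\x00" + b"\xaa" * 20)  # MPPE header (flushed+encrypted) + ciphertext
```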

1. PPPOE server settings

Let’s take Windows Server 2003 and RouterOS as examples.

1). Windows Server 2003 Configuration

If you are using Windows Server 2003 as the PPPoE server, follow these steps:

In “Properties” of “Routing and Remote Access”, disable “software compression” and “LCP” in the “PPP” tab.

Edit the “remote access policy” for “no encryption” in “Edit Profile”. Note: both default policies must be modified.



2). RouterOS Configuration

If you are using RouterOS as the PPPoE server, follow these steps to disable compression and encryption:

In the “PPP” tab of “Profiles”, click “Protocols” and disable compression and encryption.

2. Monitor PPPOE clients in WFilter

2.1) Choose the internal adapter

Now WFilter is able to parse the PPPoE traffic. In this example, we simply install WFilter Free on the Windows 2003 PPPoE server itself.

Choose the internal adapter as the “monitoring adapter” in “System Settings” -> “Monitoring Settings” of WFilter.


2.2) Set up the client policy

Add a block policy to block web surfing.


Apply this policy to the PPPoE clients’ IP ranges.


2.3) Check blocking

PPPoE clients get blocked.

Blocking events in WFilter.