Category Archives: Internet monitor

How to block google images with WFilter ?

Google is redirecting all http requests to https. Since https traffic is secure,this makes it impossible for web filter to monitor and filter google access via https.

Fortunately, google provides a way to disable ssl search for IT administrators to deploy contents filtering products. For more details, please check: https://support.google.com/websearch/answer/186669?hl=en

In this example, I will guide you to block google images with WFilter. This solution requires a local dns server to redirect google traffic. Only clients using this dns server will be redirected. Or you can manually edit the “hosts” file in client computers.

1. Disable Google SSL (HTTPS) Search

1.1 To disable ssl search, you need to redirect all google traffic to nosslsearch.google.com. Let’s use nslookup to find the ip address of nosslsearch.google.com first.

Run command: “nslookup nosslsearch.google.com 8.8.8.8”. You can find the IP : “216.239.32.20”.

1.2 Configuration of the DNS server

In DNS server,add two zones:”google.com” and “google.com.hk”(google in your country) . In each zone, add an “A” record to “www” with IP address “216.239.32.20”.



1.3 Client computers shall use this DNS server as the “Preferred DNS Server”.

1.4 Open Google to check.

Before redirecting, it’s https.

Now, it’s http.

2.block google images with WFilter

In below steps, I will demonstrate you to block google images with WFilter’s website black list.

2.1 Add a “block google images” policy. Check “Website Black/White List” and click “New”.

Add a new “Black List” named “google images”, in “List”, input “www.google.com.hk/imghp*” and “cn.bing.com/images*” .

2.2 Apply the “block google images” policy.

2.3 google images will be blocked.

Bing images will be blocked.

How to monitor wireless users in network with WFilter?

Since most wireless devices obtain IP addresses dynamically, management of wireless devices has become a challenge to network administrators. It’s not easy to identify wireless devices by IP addresses or MAC addresses. However, with WFilter, you can identify wireless devices by users.

When enabled, mobile users need to authenticate themselves to access internet. Both active directly authentication and WFilter local authentication are supported. Then you can check devices and users in WFilter console in a few clicks.

In this example, I will guide you to enable AD account monitoring for wireless devices.

1.Enable Domain account monitoring

In “Account Monitoring “, choose “Windows Active Directory”, click “Enabled”, add a Domain Controller.

2.Advanced Settings

Click “Advanced Settings”, choose “Require web authentication for devices which do not log into the domain”, Save Settings. You also can choose “Block all internet access when web authentication is required”and “Require re-authentication when an user has no internet activity for 30 minute(s)”.

3.Web authentication

Users will not be able to access internet until they’re authenticated. When user authentication web page will show up when browser is open as shown in below figure.

4.Online Users

In WFilter’s “Online Users”, you can get a list of online devices and users.

How to push web pages to network clients with Wfilter ?

In WFilter 4.1 version,a new feature named “web content pushing” is added. This feature enables you to push a web page to client devices at a time interval. You can define time interval, triggers for pushing and pushing pages.

In this example, I will guide you to use the “web content pushing”in WFilter 4.1.

1.Wfilter Settings

1.1New a blocking level

Add a “company broadcast” policy in “Policy Settings”->”Blocking Level Settings”. Check “Enable Web Content Pushing” and click “New”.

Add a new “web content pushing” named “broadcast”, in “Triggers”, input “www.baidu.com” which means this web pushing shall be triggered when baidu.com is visited.

In “Content”, you can put anything you want to broadcast. It will be displayed when triggered.

Apply this blocking policy to target ip ranges.

1.2 When an user visits baidu.com, the broadcast message will show up every ten minutes.

WFilter deployment with openwrt router.

1. Openwrt Introduction

OpenWrt is a highly extensible GNU/Linux distribution for embedded devices. As a third party firmware, openwrt can extend your wireless router into a powerful Linux system. With openwrt, even if your router hardware does not support “port mirroring” function, you can also enable traffic mirroring by software mirroring.

This blog will guide you to install “port-mirroring” program in your openwrt router and deploy WFilter for internet monitoring and filtering. We assume you already has an openwrt router, if not, please check openwrt homepage to get the latest firmware.

2. Port-mirroring program

Port-mirroring is an open source project sponsored by IMFirewall Software, it is designed to mirror network traffic on linux systems.

2.1. Installation

For detailed installation guide, please check Port-mirroring open source packet mirroring. In this guide, let’s take linksys wrt54g router as an example (with openwrt backfire firmware). Steps:

a). Update openwrt package list.

b). Install the port-mirroring program

opkg install http://port-mirroring.googlecode.com/files/port-mirroring_1.2-1_backfire_brcm47xx.ipk.

2.2. Configuration

You need to edit /etc/config/port-mirroring to set the mirroring target and mirrored source interfaces.

In this example, we choose “wlan0″ wireless adapter as the mirrored source interface.

2.3. Start Port-mirroring

/etc/init.d/port-mirroring start

3. Check monitoring in WFilter

Now WFilter shall be able to monitor client computers.

Use dumpPacket.exe of WFilter to generate a packet dump file.

Sometimes, on an indeterminate problem of using WFilter, we might need a packet dump file for diagnosis. WFilter has a packet dump tool named “dumpPacket.exe”, which will dump packets on the monitoring adapter.

This tutorial will guide you to generate a packet dump file using “dumpPacket.exe”.

First, lauch “dumpPacket.exe” from “Start”->”IMFirewall WFilter”->”Tools”. If you didn’t install WFilter shortcuts, you can find this tool in WFilter directory.


It will ask you to enter a testing ip address. For example, if
you need to check a monitoring problem for ip “192.168.1.20″, you can
input “192.168.1.20″ here. If you just want to capture some packet
samples, you may just press “enter” here! Press “enter” means dumping
packets for all computers.

Close the dumping window. If you’re doing a certain test, you need to wait until the test is done. For example, sending an email message.  If you’re dumping packets for all computers, you only need to wait for 3-5 seconds because the dump file can be very large. If the dumping file is too large, you can do the test again in a shorter time.

The dump.cap file can be found in “temp” directory of WFilter. The dump.cap file is pcap format, which can be opened by wireshark and other pcap applications.

How to check whether port mirroring settings are correct?

To make WFilter work, you need to setup port mirroring in your switch. However, sometimes you might still cannot monitor other computers even port mirroring is configured. It has several possibilities:

1. WFilter computer shall be connected directly to the mirroring port.
2. Configured ports does not match real ports.
3. Both outbound and inbound traffic is required by WFilter. If you only mirror one direction packets, WFilter can not work properly.
4. Incorrect WFilter settings. (wrong ip segment or monitoring adapter…)
5. Firewall/anti-virus programs blocks non-local packets. For example, nod32 will block non-local packets, so even port mirroring settings are correct, the mirrored traffic still can not reach WFilter. We recommend you to shutdown your firewall and anti-virus programs for checking.

To locate the problem, first we need to confirm whether packets are mirrored to WFilter computer. It can be checked in a simple way following below steps:


Upon successful mirroring, the “Received” packets number shall be much larger than the “Sent” packets. If not, you need to check certain mirroring settings or cable connections.

How to activate WFilter?

WFilter supports online activation and Email activation.

If
you choose to activate your product over the Internet, upon your
submisson the activation wizard will detect your Internet connection
and connect to a secure server to transfer your register key to us. The
registration is passed back to you, automatically activating WFilter,
if the register key is valid.

If you choose to activate your
product by email activation, you should input the register key in text
box and click the “confirm”. You will get an activation code. Please
send them to the support email box. The validation code will be sent
back to you within 24 hours. Please copy them in the valiation code
textbox to activate your product.

1. Steps of Online Activation

Online activation requires an available internet connection to connect to WFilter activation server.
1). In “Help”->”About” of WFilter, click “Product Activation”.


2). Input your key number and use “online activation” to do online activation.


3). Successful activation.


2. Steps of Email Activation

Online activation requires an available internet connection. If you can not connect to WFilter activation server, you also can use “Email Activation”.
1). Input your key number and use “email activation” to do online activation.

2). In “Email Activation”, copy the activation code and send to support email address.


3) It might take several hours to receive the reply email since the response email is sent manually.


4). In “Help”->”About” of WFilter, you need to enter the received validation code into WFilter.



3. De-activation

Sometimes, you might want to move the key to another computer. You need to de-activate this key first.
Click “deactivate” in “Help”->”About” to de-activate the key.

How to block instant messaging on company network?

Instant Messaging can be a benefit to business when used properly,
but IM is often abused by employees and poses significant liability and
security risks.

The free consumer IM client
programs in widest use, such as AIM, ICQ, Yahoo and MSN Messenger, pose many
security concerns. More than text-based chat, IM programs also include peer to peer file
transfer capabilities, which can pose security risks in two ways.
Internal users can send documents that may be confidential out of your
network, circumventing your network’s perimeter defenses against file
sharing programs or e-mail attachments. On the other hand, external
users can send files that might contain viruses or malicious code to
users on the internal network. In addition, a liability risk arises if
employees use the file transfer feature to share copyrighted music,
movie or software files in violation of the law.

To make your business efficient, it is necessary for you to monitor, filter and block instant messaging in your network.

You may want to apply an internet messenger usage policy like this:

1. Only authrozied users can use certain IM tools.

2. File transfer via messengers shall be blocked.

3. Only work-related IM accounts can be used.

As most firewall programs do not support that kind of feature, you need an internet monitoring and filtering program like “WFilter Enterprise”. “WFilter Enteprise” enables you to monitor, manage and block internet access of all computers on a mirroring port. For internet messaging blocking, WFilter supports:

1. Blocking certain messenger protocols.

2. Blocking file transfer via messengers.

3. Blocking certain messenger account using black/white list.

Figures:


Block file transfer in messengers:


MSN black/white list:

More information, please check “WFilter Enterprise”.
Other related links:
How to block websites at work during working hours?
How to block video streaming on company network?
How to block internet downloading?
How to monitor internet bandwidth?
How to monitor internet usage on company network?
Internet monitoring software for business
How to filter web surfing?

How to block internet downloading?

  Unmanaged internet downloading can consume most of your bandwidth, In practice, many, often most, of the files shared on peer-to-peer
networks are copies of copyrighted popular music and movies. 

  So, it is important for corporations to manage, control and block p2p traffic and block unwanted file downloading.

  Files can be downloaded via various ways as described below:

  1. Downloading from HTTP/FTP websites.

  2. Downloading from p2p networks.

  3. Downloading from instant messenger buddies.

  For security purpose, downloading from p2p networks shall be completely forbidden in company networks. And only HTTP/FTP downloading from trusted websites can be allowed.

  Instant messenger file transfer makes it convenient to share files with our friends. It is fast and secure. However, because IM is so popular, virus writers can use it to spread malicious programs. These viruses are spread, in most cases, when a person clicks a link or opens an infected file that was sent in an instant message that appeared to come from a friend. Therefore, messenger file transfer also put your network in danger.

  “WFilter Enterprise”  makes it simple to manage file transfers between local network and the internet. Using WFilter, you may:

  1. Limit file downloading size.

  2. Block web downloading by file type.

  3. Block web downloading by content type. (Mime type)

  4. Block p2p traffic.

  5. Block file transfer via messengers.

  Figures:

 

Other related links:
How to monitor internet bandwidth?
Internet blocking
How to filter web surfing?
How to monitor internet usage on company network?
Internet monitoring software for business
Internet monitoring software