Category Archives: Deployment

Deployment of WFilter NG Firewall

How to deploy a passby internet content filter with your cisco switch?

You don’t need to buy a expensive firewall or UTM appliance to do internet content filtering and usage monitoring.
In this post, I will guide you to deploy a passby internet content filter simply with a cisco switch.

First, suppose you have a cisco switch with below network diagram.
cisco1

 

Most cisco switch supports “port mirroring(SPAN)” feature. You may use below commands to enable it:

1. Set source port

Switch(config)#monitor session 1 source interface Fa0/23

2. Set target port

Switch(config)#monitor session 1 destination interface Fa0/22 ingress vlan 1

Then, you need to install a passby filtering program(ie: WFilter internet content filter) in a windows PC, and connect this PC to the “target port”. So you can monitor and filter internet access of network clients. Please note: “ingress” must be enabled for filtering to work.

The new diagram:

cisco2

Pass-by filtering can also be as powerful as a pass-through UTM device, except for bandwidth rate limiting. For more information, please check: WFilter deployment.

How to bind ip address with mac address in network?

IP and MAC address binding is usually configured in network switch or router(gateway). An effective IP-MAC binding solution needs to:
1. Be able to integrate with the DHCP server to assign static IPs to clients.
2. Have option to block or allow internet for un-bound devices.
3. Be able to do IP-MAC binding in multi-subnet networks.

In this post, I will demonstrate the “IP-MAC binding” feature in WFilter NG firewall. For IP-MAC binding in “WFilter internet content filter”, please check: “WFilter IP-MAC binding solution“.

1. IP-MAC Binding List

You can define the IP-MAC binding list in “Modules”->”Access Policy”->”IP-MAC Binding”. When listed, these devices will always be assigned with static IP addresses when using dynamic IP address.

ipbound01

2. Settings

Below options are available in the “IP-MAC binding” module:
1. For unlisted IP addresses, you can choose “Allow all”, “Block all” or “Block below IP ranges”.
2. For unlisted MAC addresses(devices), you can configure whether to assign IP address or not.

ipbound02

3. Multi-subnet IP-MAC binding solution

Your network is multi-subnet? No worry. With “MAC address detector”, WFilter NGF is able to retrieve MAC addresses from your core switch. So you can bind IP address with MAC address, even in a multi-subnet network.

Maccd00.jpg

A guide of “IP-MAC binding” in WFilter NGF can be found at: IP-MAC binding.

Difference between WSG appliance models

WSG(WFilter Security Gateway) appliance has two series of models: professional and enterprise. For example, WSG-100P means WSG professional for 100 users; while WSG-100E means WSG enterprise for 100 users.
WSG enterprise has full the features of WFilter NG firewall. Compare to WFilter enterprise, WSG professional is lack of some enterprise-level features: “Internet Usage”, “AD Integration”, “ISP”, and “Hot Standby”.

Hardware difference

Since WSG professional does not record internet usage which requires a lot disk space, WSG professional appliance only have a small harddisk(8GB) for reports only. And the RAM is also less.

WSG professional and WSG enterprise have the same box appearance.

Software difference

WSG professional has no “Internet Usage”, “AD Integration”, “ISP Management”, and “Hot Standby”. Other features are all the same. Please check the screenshots.

usage

ad_integration

Isp user01.png

 

So in case you don’t need usage recording and other enterprise-level features, you can choose WSG professional, which is much more cost-effective.

WFilter NGF vs. open source firewall systems.

There are dozens of open source firewall systems to download. Some are complete free, some provides limited free features. Does “free” sound attractive? but they have dis-advantages. In this post, I would like to discuss the comparsion of WFilter NGF with open source firewall systems.

Disadvantages of open source firewalls

  1. Limited features. Most open source firewalls does not have other enterprise-level features, such as “ usage recording/reports” , “domain integration”…
  2. Lack of support. Most systems only have forum support, unless paid.
  3. Slow response. Bugs may need months to be fixed.

Comparison

WFilter NGF is designed for business networks, with a lot enterprise-level features. In case you want a free solution, open source firewalls can help. However, if you need more features and better support, you’d better choose some commerical products. Below is a list of WFilter NGF advantages comparing to open source firewalls:

  1. Designed for business networks.
  2. Enterprise-level features: usage recording, powerful report system, AD integration…
  3. 7 * 24 dedicated support via email/phone/skype/teamviewer.
  4. Faster response. Improvements and bugs will be fixed ASAP.

WFilter NGF vs. internet filtering appliances.

Internet filtering appliances(UTM) are very popular in business networks. In this article, I would discuss the difference of WFilter NGF with internet filtering appliances.

Comparing to WFilter NGF, appliances are easier to be deployed. You don’t need to install the system by yourself.

Advantages of appliances

  1. Easier to be deployed.
  2. No hardware compatiablity issue.

Disadvantages of appliances

  1. Most appliances can only work for 2-3 years.
  2. Bad expansion. In case you have more network clients, you need to buy new appliances.
  3. Very expensive. Even upgrade is not free.

Comparison

Despite of the above disadvantages, Internet filtering appliances are ideal for business network security.  With WFilter NGF,  you need to test hardware and install the system by yourself. However, it also has below advantages:

  1. You can DIY your own appliance.
  2. License is upgradable and movable.
  3. Free upgrade for lifetime.
  4. Most cost-effective.

So if you like WFilter NGF features, or prefer a more cost-effective solution, please choose “WFilter NG firewall”.

WFilter ICF vs. proxy-based internet filtering solutions

Proxy-based internet filtering solution requires you to setup a proxy server, either transparent or non-transparent, then you can setup policies to filter web access. There are a lot open source or free products. This solution has below advantages and disadvantages.

Advantages:

  1. Free or open source.
  2. Can filter websites.

Disadvantages:

  1. Most are linux-based. You need a linux pc to setup the proxy.
  2. No support.
  3. Less features. Only for domain filtering.
  4. Add network latency.

Comparison

Proxy-based internet filtering solution is similar to the “website black list” in your router/firewall. If you only need to block some sites, it’s an option.

With WFilter ICF, you will get:

  1. Enterprise-level internet monitoring and filtering features.
  2. Dedicated support.
  3. No influence to network performance.
  4. Easier to be deployed.

WFilter ICF vs. internet filtering appliances

With rich enterprise-level features, internet filtering appliances(UTM) are very popular in business networks. In this article, I would discuss the difference of WFilter ICF internet content filtering solution with internet filtering appliances solutions. Internet filtering appliances have below advantages and disadvantages.

Advantages:

  1. More features. UTM appliances integerate more features, including web filter, VPN, firewall, anti-virus…
  2. Easier to be deployed.

Disadvantages:

  1. Most appliances can only work for 2-3 years.
  2. Bad expansion. In case you have more network clients, you need to buy new appliances.
  3. Very expensive. Even upgrade is not free.

Comparison

Despite of the above disadvantages, Internet filtering appliances are ideal for business network security.  Though it is more difficult to be deployed with less features, WFilter ICF software also has below advantages:

  1. Software solution without additional device, can be deployed with minimal change to network topology.
  2. License is upgradable and movable.
  3. Free upgrade for lifetime.
  4. Most cost-effective.
  5. If you prefer UTM solutions, please also check our: WFilter NG firewall.

WFilter ICF vs. dns internet filtering solutions

DNS internet filtering solution provides you a configurable dns server. Dns query to a blocked domain will be redirected to a denial page. This solution has below advantages and disadvantages.

Advantages:

  1. Easier to be deployed. You only need to change your dns server to get filtered.
  2. Can filter domains via a black list or url category.
  3. Can provide usage history and reports.

Disadvantages:

  1. The filtering dns server may not be as fast as public domain servers.
  2. Clients can break filtering by modifying dns servers.
  3. All clients can only share a same blocking policy.
  4. Can not block applications.
  5. Can only record dns query quest. No bandwidth reports or visited url reports.

Comparison

Compared to this internet filtering solutions, WFilter ICF is more difficult to be deployed. However, WFilter is much more powerful:

  1. When pass-by deployed, WFilter has no influence to your network performance.
  2. Client can not bypass filtering because WFilter inspects all network packets.
  3. You can set individual blocking policy for each client.
  4. More filtering features, including web filtering, web downloading blacklist, url keywords filtering, application control, ip-mac binding…
  5. More monitoring features and reports. WFilter can record visited domains, url, bandwidth… You can get various reports and statistics.

So if you only need to filter some domains or categories for the whole network, dns filtering would be a good choice. If you need more detailed reports or more dedicated blocking policy, WFilter ICF can be more helpful.

 

 

WFilter ICF vs. client & browser plugin internet filtering solutions

Client or browser plugin internet filtering solutions require you to install a client agent or browser plugin in client pc to filter websites. This solution has below advantages and disadvantages.

Advantages:

  1. Easier to be deployed. You can install client agent or plugin instantly.
  2. Can block domains or filter websites via cloud-based url category database.

Disadvantages:

  1. Can not filter smart phones internet access.
  2. Need to be installed in every client pc.
  3. Clients can break filtering by changing browser, or killing the agent process.

Comparison

Compared to this internet filtering solutions, WFilter ICF is more difficult to be deployed. However, WFilter is more powerful and easier for maintaince:

  1. WFilter can filter the whole network by one installation.
  2. All type of clients can be filtered, including smartphone, andriod, mac, windows, linux.
  3. No client installation is required.
  4. More features: internet usage monitoring and reporting, application control, web filter…

So, for personal/family usage, client & browser plugin web filtering solution might be a good choice. But when you need to manage a business network, WFilter ICF provides a better solution.

WFilter Pass-by deployment for multiple VLANs network.

WFilter Enterprise( WFilter internet content filter) supports monitoring and filtering of multiple VLANs clients from a central WFilter pc.

Below is the deployment diagram:wfilter-vlan

Please note:

  1. The WFilter pc shall have two network cards.
  2. NIC1 shall be connected to the mirroring port.
  3. NIC2 shall be connected to the management VLAN, which can communicate with other VLANs.
  4. The mirroring port shall be configure to monitor the uplink port. (Connected to the up-layer router or firewall)

In WFilter, you also need to setup the “mirroring adapter” and “blocking adapter” in “System Settings”->”Monitoring Settings”. The mirroring adapter shall be the adapter connected to the mirroring port, while the blocking adapter shall be connected to the management VLAN.