WFilter Deployment Guide

3.2

Author:: IMFirewall Software
HomePage:: http://www.imfirewall.us

System Requirements
WFilter Components
Installation Notice
General Deployment Recommendations
Network Configuration

Single Segment Networks
Multiple Segments Networks
- Central Placement
- Distributed Placement
Networks Using Proxy Servers

Appendix

How to Monitor All Internet Traffic?
Broadcasted Hub's Usage and Speed Analysis
Switch's Usage and Port Mirroring

Switch's Usage
How to Enable Port Mirroring?

1 System Requirements

1) Minimum Requirements

CPU: 1.0GHz Intel Celeron or equivalent
RAM: 256M
OS: Windows2000/XP/2003/Vista
Microsoft IE6.0 or later

2) Recommended Requirements

CPU: 1.8GHz Intel Pentium4
RAM: 512M
OS: Windows2000/XP/2003/Vista
Microsoft IE6.0 or later

3) How to calculate the hard disk and memory space WFilter needed?

RAM needed = computer number(N) * 1M

Hard disk space needed = computer number(N) * 2M * days

2 WFilter Components

Componment Name	Describe	Default Install Directory
WFilter	Main installation package. Installed list: 1. Service: WFilterd. 2. Process: startsys.exe,webservd.exe.	C:\Program Files\IMFirewall\WFilter

3 Installation Notice

1. Before you install WFilter, please make sure you remove all earlier version of WFilter from your computer.
2. WFilter needs to open TCP port 9090 and 9091 for communication. Many firewall program prevents unauthorized program from opening a local port. We recommend you to adjust your firewall settings to allow these programs to access the network: webservd.exe,startsys.exe, cgiproj.exe(which is in www/cgi-bin directory), liveupdate.exe, livecategory.exe.
3. WFilter requires a web browser to use its web interface. A browser version like IE 5.5 or higher is recommended. Using older browser may cause WFilter's web interface display incorrectly.

4 General Deployment Recommendations

WFilter provides an independent Internet content filtering solution. WFilter can support most common Internet communication protocols and using WFilter will not affect your network performance.

Consider the capability of a computer, we recommend you to monitor no more than 1000 computers from a single windows machine. To monitor more computer, WFilter should be distributed on two or more dedicated machines, depending on your operating environment. These dedicated machines can use a central database for data storage.

WFilter is fully compatible with routers, switches and gateways. Typically, you can deploy WFilter in below network environment:

Single Segment Networks
Multiple Segments Networks
Networks Using Proxy Servers

Network Considerations

1. WFilter must be deployed in the network at a single location where it can monitor all Internet traffic on the internal network. How to monitor all Internet traffic?
2. The machine with WFilter installed on shall be able to communicate with other computers.
3. If you are using a network database to store data, the machine with WFilter installed on shall be able to communicate with the database server.

Some deployment examples in practice are listed in our deployment examples. For better understanding, please refer to WFilter Deployment Examples.

5 Network Configuration

5.1 Single Segment Networks

A single segment network is a logically connected nodes operating in the same portion of the network. These nodes can be PCs, printers, other networked devices. In a such a network, WFilters must be installed where they can monitor Internet traffic across the entire network. You may set the monitor mode to "by MAC address" in "Monitoring Settings".

As in Figure5.1.1, local computers use a wired router to connect to the Internet. Under this type network, it requires a port mirroring switch or a broadcasted hub to installed between the router and the switch. And the machine with WFilter installed on shall be connected to the monitor port of the port mirroring switch or the hub.

As most broadcasted hub only works in 10Mb speed, we recommend you use a port mirroring switch if your internet bandwidth is larger than 4Mb.

Figure 5.1

5.2 Multiple Segments Networks

Depending on the device connecting multiple network segments, some traffic may not be sent to all segments. A router, bridge or smart hub may serve as traffic control, preventing unneeded traffic from being sent to a segment. In such a situation, we can not use "by MAC address" mode because the MAC address of a computer will be masked by the router.

Two solutions are available for multiply segments network:

5.2.1 Central Placement

You can put WFilter at a single location and use "by IP address" mode. But this will cause some trouble if your users change their IP address rapidly. We suggest you use "IP-MAC binding" to avoid unauthorized change of IP address.

As in Figure 5.2.1, it requires a port mirroring switch or a broadcasted hub be installed between the router and the switch. And the machine with WFilter installed on shall be connected to the monitor port of the port mirroring switch or the hub. You also need to set monitor mode to "by IP address" in "Monitor Settings" of WFilter.

Figure 5.2.1

5.2.2 Distributed Placement

The second solution is deploying WFilter in each network segment. And all the dedicated machines of WFilter use a central network database.

Figure 5.2.2

5.3 Network Using Proxy Servers

If your proxy server runs on a windows system, you may install WFilter on the proxy server to monitor the whole network.

If you prefer not to install WFilter on the proxy server. You can install a port mirroring switch or a broadcasted hub between the switch and the proxy server.

Network Topology:

Figure 5.3.1

You also need to add the proxy server ip address into the "Local Servers" in "Monitor Settings" of WFilter.

6 Appendix

6.1 How to Monitor All Internet Traffic?

Basically, a computer connected to a switch or a route can only receive its own traffic. To monitor other computers, your machine shall be able to monitor other computer's Internet traffic.

A broadcasted hub is a data packet repeater commonly used in broadcast networks. In a broadcast network, a node will send a packet that traverses through every other node until the recipient accepts the packet. Every node in the network will conceivably receive this packet of data until the recipient processes the packet. In a broadcast network, all packets are sent in this manner. So each computer connected to a broadcasted hub can monitor other computers.

In a switched network, packets are not broadcasted, but are processed in the switched hub which, in turn, will create a direct connection between the sending and recipient nodes using the unicast transmission principles. This eliminates the need to broadcast packets to each node, thus lowering traffic overhead.

The advent of switched networks resulted in Network IDS having great difficulty in promiscuously monitoring their networks. This can be overcome by configuring a switch to replicate the data from all ports or VLAN's onto a single port. This function has a multitude of names including: Port Mirroring, Monitoring Port, Spanning Port, SPAN port and Link Mode port.

Generally Port Mirroring and port span usually indicates the ability to copy the traffic from a single port to a mirror port.

Some switches do not allow SPAN ports to transmit packets, this is an issue if you wish to use WFilter blocking features. If the mirror port of your switch is recv-only, you need to add a network adapter to the computer WFilter in installed on to enable blocking features.

As described above,to monitor all Internet traffic,should consider two conditions:

The machine with WFilter installed shall be connected to a broadcasted hub or the mirror port of a switch.
All Internet traffic passes through this broadcasted hub or switch.

6.2 Broadcasted Hub's Usage and Speed Analysis

Usage

A broadcasted hub is a data packet repeater commonly used in broadcast networks.

Most broadcasted hubs provide a uplink port to connect with a up layer device. You shall connect the up layer device to the uplink port of the hub ( Note: Do not use the port next to the uplink port).

As in Figure 6.2:

Figure 6.2

HUB's Speed Analysis

Most broadcasted hubs only work in 10Mb speed, and all the computers connected to the hub will share the bandwidth. For example, if two computer connected, each will have 5Mb bandwidth. So we recommend you use a port mirroring switch if your internet bandwidth larger than 4Mb.

6.3 Switch's Usage and Port Mirroring

6.3.1 Switch's usage

The machine with WFilter installed shall be connected to the mirror port of a switch. As in Figure6.3.

Figure6.3

You only need to mirror the traffic of the router to WFilter.

6.3.2 How to enable port mirroring?

Introduction

Different switch provide different configuration.Below we provide some common switchs' port mirroring configuration.

1. Huawei Switch

How to use "Huawei Lanswitch View" management system to add a mirror port:

Click "Device Setup" or "Stack Setup".
Click "Port Mirroring".
Click "Add" button, for stack , click "switch" and choose a switch from the list.
Click "Reflect from" and choose the ports been mirrored.
Click "Reflect to" and choose the mirror port.

2. 3COM Switch

In 3COM switch,port mirroring is named as "Roving Analysis".The port been mirrored is called as "Monitor Port", The mirror port is called as "Analyzer Port".Configuration commands:

Define an analyzer port

"feature rovingAnalysis add", or "f r a"
For example:
Select menu option: feature rovingAn alysis add
Select analysis slot: 1
Select analysis port: 2

Define monitor ports

"feature rovingAnalysis start" or "f r sta"
For example:
Select menu option: feature rovingAn alysis start
Select slot to monitor (1-12): 1
Select port to monitor&nb sp; (1-8): 3

Stop port mirroring

"feature rovingAnalysis stop" or "f r sto"

3. Cisco CATALYST Switch

CISCO CATALYST has two series. The mirror port is named as "analysis port".

1. Catalyst 2900XL/3500XL/2950(CLI based)

port monitor
For example:F0/1,F0/2,F0/5 belong to VLAN1
interface FastEthernet0/1
port monitor FastEthernet0/2
port monitor FastEthernet0/5
port monitor VLAN1

2. Catalyst 4000/5000/6000(IOS based)

set span
For example:6/1,6/2 belong to VLAN1.6/3,6/4,6/5 belong to VLAN2.
set span 6/1,6/3-5 6/2

4.DELL Switch

Use the user interface and modify these parameters :
Destination Port: mirror port
Source Port: ports being mirrored.
Add: Add port mirroring.
Type:Port mirroring type, Possibly choices:
"RX"-Only monitor incoming traffic.
"TX"-Only monitor outgoing traffic.
"Both"-Monitor all traffic.

Steps:
1. Choose the "Destination Port" in the "Port Mirroring" dialog and click "Add". 2. Define the "Source Port" and "Type".Then click "Apply Changes". 3. Define the morror port.

CLI command example:
Console(config)# interface ethernet 1/e1
Console(config-if)# port monitor 1/e8
Console# show ports monitor
Source port Destination Port Type Status
----------- ---------------- ----- -------
1/e1 1/e8 RX, TX Active

5.NetCore Switch

The netcore switch provides four monitor state:

Off-Close port mirroring
Rx-Monitor incoming traffic.
Tx-Monitor outgoing traffic.
Both-Monitor all traffic.

Open NetCore's super-terminal,press "5" to enter the port mirror configure dialog, then press "1" to set the port mirror state.
For example:

1. Set status(1,off, 2.Rx, 3.Tx, 4.Both):4
2. Set mirror port:1
3. Set port being mirrored:8
Press "Esc" to return.

6.Avaya Switch

Commands:

{set|clear } Port Mirror

set port mirror:

set port mirror source-port
mirror-portsampling { always } [ max-packets -sec] [ piggyback-port ]
disable port mirror:

7.Intel Switch

The port being mirrored is called as "Source Port".
The monitor port is called as "Mirror Port".
Steps:

Click "Mirror Ports" in "navigation" menu.
Select source port in the "Configure Source" column.
Set the mirror port.
Click "Apply" to apply the changes.

Monitor mode:

1. Always: Monitor all traffic.
2. Periodic: Monitor all traffic in defined interval.The interval can be set in "Sampling Interval configuration".
3. Disabled: Close port mirroring.

Please refer to the switch's documents for more information.