3com 3CR990 Administration Manual

3Com

®

Embedded Firewall

Software for the 3CR990

Network Interface Card (NIC) Family

Administration Guide

http://www.3com.com/

http://support.3com.com/registration/frontpg.pl

Published December 2001

Administration guide version 1.0.0

3Com Corporation

■

5400 Bayfront Plaza

■

Santa Clara, California

■

95052-8145

■

U.S.A.

make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.

3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part

of 3Com Corporation to provide notification of such revision or change.

3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not

limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make

improvements or changes in the product(s) and/or the program(s) described in this documentation at any time.

If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as

a separate document, in the hard copy documentation, or on the removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are

unable to locate a copy, please contact 3Com and a copy will be provided to you.

UNITED STATES GOVERNMENT LEGEND

If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following:

All technical data and computer software are commercial in nature. Software is delivered as “Commercial Computer Software” as defined in DFARS

252.227-7014 (June 1995) or as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in

3Com’s standard commercial license for the software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015

(Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any

licensed program or documentation contained in, or delivered to you in conjunction with, this user guide.

Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries.

3Com, EtherCD, and EtherLink are registered trademarks and the 3Com logo is a trademark of 3Com Corporation.

Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Novell is a registered trademark and ZENworks is a

trademark of Novell, Inc.

All other company and product names may be trademarks of the respective companies with which they are associated.

EXPORT RESTRICTIONS

This 3Com product and/or software contains encryption and may require U.S. and/or local government authorization prior to export or import to

another country.

Contents

Preface: Using This Guide

1

Who Should Read this Guide 1

How this Guide is Organized 1

Viewing and Printing this Document Online 2

Finding Information 2

1

Planning and Overview

3

What is the 3Com Embedded Firewall (EFW)? 3

EFW Architectural Components and Concepts 5

EFW Management Console 5

MMC Management Console 6

EFW Policy Servers 7

EFW Devices 7

EFW Domain 8

Overview of EFW Operations 9

EFW and Your Network 10

Addressing Constraints 10

Routing Constraints 10

Turning off Policy Enforcement 10

Proxying EFW Trafﬁc Through a Perimeter Firewall 11

Using IPSEC Under Windows 2000 11

EFW System Security 11

Data Security 11

Operational Security 13

Planning Your Conﬁguration 14

Determine Your Security Goals 14

Determine Where You Want to Deploy Individual EFW Devices 15

Determine What Device Sets You Will Need 15

EFW Flexible Implementation 16

Determine How You Want to Distribute EFW Firmware 16

Contents

2

Installing and Initially Conﬁguring EFW

19

System Requirements 20

Overview of EFW Software 21

Installing and Uninstalling EFW Software 21

Installing the Policy Server Software 21

Installing the Management Console Using Java Web Start 22

Uninstalling EFW 23

Uninstalling an EFW NIC 23

Uninstalling the Policy Server and Management Console 24

Starting and Stopping System Components 24

Joining a New Policy Server to a Domain 25

Starting and Logging in to the Management Console 26

Licensing Overview 27

Managing Licenses in the Management Console 28

Adding an Activation Key 29

Creating a Recovery Diskette 29

Registering EFW NICs Manually 30

Distributing and Installing the EFW NIC Firmware 30

Installing and Registering EFW Devices Using the Diskette-keyed Process 31

Creating a DOS-bootable Diskette 31

Creating a Keying Diskette 32

Installing the EFW NIC from the Installation CD 32

Applying a Keying Diskette 33

Adding and Registering EFW NICs Over the Network 33

Special Considerations for Multi-NIC Systems 34

3

Managing EFW Devices Using the Policy Servers

35

What is a Policy Server? 35

Primary and Backup Policy Servers 35

Conﬁguring Policy Servers for Redundancy 36

Organizing Policy Servers and EFW Devices 37

Setting up Device Sets 38

Creating a Device Set 38

Moving EFW Devices to a Different Device Set 40

Monitoring EFW Status 40

Monitoring Policy Server Status 40

Synchronizing Policy Servers Manually 40

Monitoring EFW Device Status and Missed Heartbeats 41

Monitoring NIC Connectivity and Policy Status 42

Maintaining EFW NICs 42

Using the Recovery Diskette 44

Restoring Inoperable EFW NICs 44

Determining Whether EFW is Installed on a NIC 44

Contents

4

Managing Policies

45

Policy Overview 45

Changing a Policy Without Distributing the Change 45

Pre-deﬁned Policies 46

Importing Pre-deﬁned Policies and Rule Sets 46

Policy Settings 47

Rules 47

Organizing Rules for Optimum Performance Within a Policy 48

Determining the Size of a Policy 48

Creating Policies and Rules 49

Creating a New Policy 49

Creating Rules 50

Setting up TCP SYN Filtering 50

Creating a Rule Set from a Policy 52

Editing a Rule Set Using the Rule Set Manager 53

Verifying a Policy Using Test Mode 53

Distributing a Policy to the Network 55

Secured EFW Device—Allow Trafﬁc versus Block All Trafﬁc 56

Exporting or Importing Policies or Rule Sets 56

Exporting Policies or Rule Sets 56

Importing Policies and Rule Sets 56

5

Performing Other Administration Tasks

59

Finding Information Using the Management Console 59

Administrator Manager Login 59

To Create a New Administrator 59

To Edit an Existing Administrator’s User Name or Password 60

To Delete an Administrator 60

Audit Information 60

Creating or Editing Audit Queries 61

Displaying Audit Query Results 62

Understanding Audit Query Results 63

Backing up the Database 65

Restoring the Database 66

A

Pre-Deﬁned Rule Sets

67

B

Troubleshooting

69

Common problem solutions 69

System Connectivity 76

Policy Server-to-NIC Communication Check 76

Policy Server-to-Policy Server Communication Check 77

Management Console-to-Policy Server Communication Check 77

Contents

C

Using ZENworks to Install EFW

79

D

Technical Support

81

Online Technical Services 81

World Wide Web Site 81

3Com Knowledgebase Web Services 81

3Com FTP Site 81

Support from Your Network Supplier 82

Support from 3Com 82

Returning Products for Repair 82

1

Preface: Using This Guide

This guide provides detailed information about installing and managing the 3Com

®

Embedded Firewall (EFW) software.

Who Should Read this Guide

This guide is intended for the person responsible for installing, conﬁguring, and managing

the 3Com EFW environment. Typically, this person’s job title is “network administrator.” It

is assumed that the administrator is familiar with networks and network terminology, and

with the Internet and its associated terms and applications.

How this Guide is Organized

This guide is divided into the following chapters and appendices:

Chapter or Appendix Title This Chapter or Appendix

Chapter 1: “Planning and Overview” Provides an overview of the embedded firewall system and its

basic components and concepts, along with general steps to

assist you in planning the best configuration for your site.

Chapter 2: “Installing and

Initially Configuring EFW”

Provides the information needed to install and deploy EFW in

your network.

Chapter 3: “Managing EFW Devices

Using the Policy Servers”

Provides detailed information about managing EFW devices

using the Policy Servers.

Chapter 4: “Managing Policies” Provides detailed information on creating and assigning

policies.

Chapter 5: “Performing Other

Administration Tasks”

Provides information on performing general administrative

tasks, such as searching for specific information within the

Management Console, and viewing audit data.

Appendix A: “Pre-Defined Rule Sets” Provides information on EFW pre-defined rule sets.

Appendix B: “Troubleshooting” Lists common problems you may encounter with EFW and

offers suggestions for solving these problems.

Appendix C: “Using ZENworks to

Install EFW”

Provides information on installing a 3Com NIC using

Novell’s ZENworks.

™

Appendix D: “Technical Support” Describes access to 3Com technical support information

through a variety of services.

Preface: Using This Guide

2

Viewing and Printing this Document Online

You may ﬁnd when you view this document online in PDF format that the screen images

are blurry. If you need to see the image more clearly, you can either enlarge it (which may

not eliminate the blurriness) or you can print it. (The images are very clear when printed.)

For the best results, print this PDF document on a PostScript printer using a PostScript driver.

■

If your printer understands PostScript but does not have a PostScript driver installed,

you need to install a PostScript driver. You can download one from www.adobe.com.

■

If your printer is not a PostScript printer and your document does not print as

expected, attempt one of the following corrective actions:

■

If your printer has the

Print as Image

option, select it and then try printing.

■

Print only speciﬁc page(s) rather than sending the entire document to the printer.

Finding Information

This guide is in Acrobat (soft copy) format only and does not contain an index. However,

you can use Acrobat’s Find feature to search for every instance of any word or phrase that

you want. In many ways this feature is superior to an index, which relies on the indexer as

to what is included. Doing a search allows you, the user, to decide what is relevant and

what is not.

3

1

Planning and Overview

This chapter provides an overview of the 3Com Embedded Firewall (EFW) and its basic

components, concepts, and operations. It also provides general information to assist you

in planning the best conﬁguration for your site. This chapter contains the following topics:

■

“What is the 3Com Embedded Firewall (EFW)?” below

■

“EFW Architectural Components and Concepts” on page 5

■

“Overview of EFW Operations” on page 9

■

“EFW and Your Network” on page 10

■

“EFW System Security” on page 11

■

“Planning Your Conﬁguration” on page 14

What is the 3Com Embedded Firewall (EFW)?

EFW is software that applies security policy enforcement (packet ﬁltering) capabilities to

all trafﬁc transmitted from and received by individual server and desktop (workstation)

machines. NICs running EFW software (called

EFW devices)

enforce policies in the EFW

system. The following devices currently support EFW:

■

3Com Server 10/100 PCI NIC with 3XP (models 3CR990SVR95 and 3CR990SVR97)

■

3Com 10/100 PCI NIC with 3XP (models 3CR990-TX-95 and 3CR990-TX-97)

EFW software provides transparent packet ﬁltering in accordance with rules that are set

up by an administrator. The rules are deﬁned through a centralized Management Console,

and are communicated to EFW devices via the Policy Server. The ﬁgure on the next page

demonstrates security organization using EFW.

NOTE:

The model numbers listed above are NICs that support DES and 3-DES

encryption, respectively. The EFW Policy Server automatically adjusts its level of

encryption to match that of the devices it is managing.

1

Planning and Overview

4

EFW allows an administrator to specify policies for EFW devices using the Management

Console. A

policy

is a set of security criteria enforced by an EFW device. A policy comprises

various settings and an ordered list of rules, called an access control list (ACL), that

determine what actions take place and what events are audited for any EFW device

associated with that policy.

A

rule

consists of various parameters that determine the characteristics for which

incoming and outgoing packets are screened, and speciﬁes what action is taken if a

match occurs. For more detailed information on policies and rules, see Chapter 4,

"Managing Policies."

A

device set

is a group of EFW devices (3CR990 NICs) that enforce a speciﬁc policy. Each

device set in the EFW system must have a policy assigned to it. A single policy may be

assigned to more than one device set. For more detailed information on device sets, see

Chapter 3, "Managing EFW Devices Using the Policy Servers."

Server

Workstation

EFW

device

EFW

device

Server

Workstation

EFW

device

EFW

device

Server

Workstation

EFW

device

EFW

device

Corporate

firewall

Policy

server

EFW

device

Internet

EFW

device

Remote

client

Management

console

EFW

device

EFW Architectural Components and Concepts

5

EFW Architectural Components and Concepts

EFW consists of the following major architectural components and concepts:

■

EFW Management Console

■

EFW Policy Servers

■

EFW devices

■

EFW domain(s)

Each of the components and concepts listed above is shown in the ﬁgure below and

discussed in the following subsections.

EFW Management Console

The EFW Management Console is the administrative interface to the Policy Server.

Administrators conﬁgure the system and view data using the Management Console.

You can protect the Management Console machine or server machine or both with an

EFW device. The Management Console can be installed and run on the same machine as

a Policy Server, or remotely on a different machine.

NOTE:

While you are not required to protect the Management Console machine

with an EFW NIC, it is recommended to protect against attacks.

Workstation

EFW

device

Workstation

EFW

device

Management

console

EFW

device

Policy server

EFW

device

Server

EFW

device

Server

EFW

device

Policy server

EFW

device

EFW

device

Policy server

EFW

device

EFW domain 1

EFW domain 2

1

Planning and Overview

6

The Management Console window is divided into two separate areas:

■

Tree-view frame

—The left-hand portion of the window that displays the tree

structure of the available Policy Servers, policies, or device sets. (See the sample

window shown on the next page.) The drag-and-drop capability is available in the

tree-view frame.

■

Working frame

—The right-hand portion of the window that displays speciﬁc

information and conﬁguration ﬁelds for the Policy Servers, policies, device sets, etc.

(See the sample window.) Any item you click on in the tree-view frame displays the

corresponding information in the working frame.

MMC Management Console

The Microsoft Management Console (MMC) provides direct access to the most often used

functions in the EFW Management Console offered within a Microsoft Management

framework. (See the sample window below.) Once you have invoked any of the MMC

functions, you have access to all EFW Management Console functions via the menu

options on the EFW Management Console windows. You do not need to return to the

MMC to access other functions. The window supporting the function you request from

the MMC is displayed ﬁrst after EFW login.

NOTE:

More than one administrator may be connected to a Management Console

in a single EFW domain at the same time with read-only access. However, only one

administrator in that domain is allowed to have Normal (full access to the

administrative functions) at any one time.

A multi-arrow icon in front of

a field indicates that modification

of the field may cause a distribution

to EFW devices.

Tree-view

frame

Working

frame

EFW Architectural Components and Concepts

7

EFW Policy Servers

EFW Policy Servers control EFW devices by implementing administrative actions received

from the Management Console in the following ways:

■

Accept the high-level commands issued from the Management Console and convert

them into low-level packet ﬁltering rules for the EFW devices.

■

Receive and process heartbeat messages from EFW devices that contain updates on

the IP addresses and resident policy version for the devices.

■

Receive and process audit messages from the EFW devices.

■

Store system data in an embedded database management system (DBMS).

Each EFW device must be assigned to a primary Policy Server. A Policy Server can also

specify a second Policy Server to act as a backup Policy Server if the primary server fails.

If desired, a third Policy Server can also be speciﬁed in case neither the primary nor

secondary servers are available or reachable.

The primary Policy Server has initial responsibility for distributing policy updates to EFW

devices. Furthermore, each embedded ﬁrewall caches its primary Policy Server locally and

contacts that Policy Server at EFW device initialization (for example, when the host

containing an EFW device is booted).

EFW Devices

EFW devices ﬁlter incoming and outgoing packets based on the rules and policy settings

for the speciﬁc policy they are enforcing. A policy is distributed to the EFW devices by the

Policy Servers.

Each EFW device must be associated with a device set. A device set is a group of EFW

devices (3CR990 NICs) that are associated with a speciﬁc policy. You can deﬁne any

number of device sets and assign EFW devices to any one of those device sets. However,

an EFW device cannot be placed in more than one device set.

A machine that is secured by an EFW device (the

secured computer

) can be either a server

or a workstation. A secured computer can have any number of EFW devices, each using

different policies (if desired), as long as each EFW device has a different IP address.

The ﬁgure on the next page shows EFW devices on both a workstation and server.

NOTE:

A software agent, called the EFW agent, also runs on a secured computer

to support some of the embedded ﬁrewall operations.

NOTE:

A Policy Server may be protected by its own EFW device. While you are not

required to protect the Policy Server machine, it is recommended to protect

against attacks.

1

Planning and Overview

8

EFW Domain

An EFW domain is a collection of Policy Server and EFW device components that can share

EFW-related data, such as the following policy and EFW device information:

■

A policy deﬁned within an EFW domain can be assigned to any EFW device in that

domain.

■

Any Policy Server in a domain can serve as a backup Policy Server for any EFW device

in this domain since it has access to all information about this EFW device.

■

Audit queries can search all audit data generated within a domain.

An EFW domain can consist of as many as three Policy Servers. Although the EFW system

software does not place any limits on the number of devices for which a Policy Server is

the primary Policy Server, to ensure better performance a maximum of 1,000 EFW devices

per Policy Server is recommended. A Management Console connected to any Policy Server

in a domain has access to all EFW data for that domain. When you are connected to any

Policy Server within a domain, you can view or make changes to any EFW device in that

domain, regardless of whether it is a primary or backup server for that EFW device.

When installing a new Policy Server, you must indicate whether the Policy Server is the

ﬁrst Policy Server in a new domain or if it is joining an existing domain. If it is joining an

existing domain, you must identify a Policy Server that already belongs to that domain.

The new Policy Server automatically obtains all domain information from the existing

Policy Server when it joins the domain.

NOTE:

Organizations that require more than three Policy Servers or 3,000 EFW

devices need to partition their enterprise into multiple EFW domains. However, the

same Management Console may be used to access any domain.

Server

Workstation

EFW

device

Management

Console

EFW

device

Policy Server

EFW

device

Secured

computer

Secured

computer

(with multiple NICs)

EFW

device

EFW

device

Overview of EFW Operations

9

Overview of EFW Operations

After initial installation of an EFW Policy Server and a Management Console, you may

add additional Policy Servers and NICs to an EFW domain at any time. When an EFW

NIC is installed, it makes ﬁrst contact with a Policy Server upon ﬁrst boot-up of its host

computer. The Policy Server automatically downloads the policy for that NIC. This policy is

the one assigned to the default device set, unless the NIC has been registered manually in

advance in another device set. (For information on registering NICs manually, see

“Registering EFW NICs Manually” on page 30.)

All registered NICs remain visible in the EFW console, regardless of their operational

status, until they are deleted from the EFW domain using the Management Console as

described on page 23.

An administrator may distribute a new or changed policy to a NIC device set at any time

using the Management Console. If any EFW-secured computer is ofﬂine at the time of a

policy distribution, it receives the new or updated policy the next time it boots up. (For

information on creating policies, see “Creating Policies and Rules” on page 49.)

EFW devices periodically send heartbeats to the Policy Server. A

heartbeat

is a short message

informing the Policy Server that the EFW device is operational. It also contains information

on the policy that the EFW device is implementing and the EFW device’s IP address.

A

wake-up

is a short message that alerts the Policy Server when a signiﬁcant event

happens on the EFW device’s host machine (the most common event that causes a wake-

up is when the host machine is booted). The heartbeat interval for an EFW device resets

itself each time a wake-up is sent.

If policy distribution fails when the secured computer is online, the next heartbeat sent

from the embedded ﬁrewall to the Policy Server allows the Policy Server to determine that

the secured computer needs a policy update, and the EFW NIC receives the correct policy

at that time. A common reason this failure could happen is that a NAT (network address

translation) machine between the NIC and its Policy Server has recently changed the IP

address mapping for the secured computer. In this case, the Policy Server’s attempt to

distribute to the computer’s old address fails. (For information on monitoring heartbeats,

see “Monitoring EFW Device Status and Missed Heartbeats” on page 41.)

An EFW NIC does not retain its policy across boot-ups. It receives new policy information

from the Policy Server each time it boots. If an EFW NIC cannot reach any Policy Server in

the domain at this time, it enforces the fallback mode speciﬁed in the last policy it

received. (For information on setting the fallback mode, see “Creating a New Policy” on

page 49.)

EFW NICs send audit messages to the Policy Server. All audit messages are stored in the

database as audit records. The events audited for a NIC are determined by a NIC's policy.

The user can query audit records directly or export them for analysis. In addition, the Policy

Server audits administrative actions. (For information on viewing audit information, see

“Audit Information” on page 60.)

The EFW system is designed so that the EFW capability of the NIC cannot be disabled by

any action from the secured computer hosting the NIC. Attempts to do so may render the

NIC inoperable. To disable the EFW capability of a NIC, you must ﬁrst delete the NIC in the

EFW Management Console. (For information on disabling the EFW capability of a NIC, see

“Maintaining EFW NICs” on page 42.)

1 Planning and Overview

10

EFW and Your Network

Addressing Constraints

EFW supports the deployment of embedded ﬁrewalls on computers that either are

conﬁgured for DHCP or have an address that is mapped by network address translation

(NAT) from the viewpoint of the Policy Server.

All Policy Servers in a domain must be able to use the same IP address to contact a

particular NIC. Therefore, the embedded ﬁrewall cannot support a scenario in which

a NAT machine separates a primary or backup Policy Server from a NIC but does not

separate some other primary or backup Policy Server from the same NIC.

If you are manually registering NICs, use the DNS name to register a NIC whose IP address

may change due to DHCP or NAT machine reconﬁguration. Also, use the MAC address

or IP address to register two NICs on the same machine that have the same associated

DNS name.

The No Spooﬁng policy setting does not support a DHCP address change without a

reboot. This event causes the secured computer to be unable to send trafﬁc to the

network until it reboots. The request to get a new IP address is blocked by the NIC, and

the computer will have relinquished its old address.

Your Policy Server address may also be mapped using NAT. All NICs in a domain must

be able to use the same IP address to contact any given Policy Server in their domain.

Therefore, the embedded ﬁrewall cannot support a scenario where all of the following

are true:

■ A NAT machine separates some of the NICs from a primary or backup Policy Server.

■ This NAT machine maps the Policy Server address to a different IP address.

■ Other NICs using this server as a primary or backup have no NAT machine separating

them from this Policy Server.

Routing Constraints

EFW NICs initially screen incoming trafﬁc for commands from the Policy Server by examining

the source IP address. Therefore, trafﬁc from a Policy Server to NICs in the domain must be

routed through the Ethernet card on the Policy Server, which has the address that its NICs

are expecting. This address is selected (implicitly or explicitly) when you select the name for

this server on ﬁrst start-up. The IP address an EFW NIC is expecting can be found in the

embdfw.ini ﬁle on its host computer.

Turning off Policy Enforcement

If you detect serious network connectivity problems, you can temporarily turn off EFW policy

enforcement using the Management Console to quickly determine whether EFW policy

enforcement is a factor in the connectivity problem. To turn off EFW policy enforcement,

in the Tools menu select System State -> Turn Off Policy Enforcement. The background of

the Management Console tree-view frame turns green when policy enforcement is turned

off to prevent an administrator from accidentally leaving the system in this state. When

policy enforcement is turned off, ﬁltering ceases for all NICs in that domain. To regain policy

enforcement, from the Tools menu select System State -> Normal.

CAUTION: For connectivity issues related to a limited number of secured

computers, you may want to move the affected NICs to a new device set with a

policy that allows all trafﬁc. This move has less impact on security than turning off

policy enforcement for the entire system.

EFW System Security

11

Proxying EFW Trafﬁc Through a Perimeter Firewall

Multiple proxies are required to proxy EFW-related trafﬁc through a perimeter ﬁrewall.

Assuming use of the default port settings, the following scenarios describe the various

proxy requirements.

■ A Policy Server inside a perimeter ﬁrewall that controls NICs in DMZ or external

networks (or a remote Policy Server controlling internal NICs) requires a single UDP

proxy on a port range from 2081 to 2082.

■ A Policy Server in one network that is behind a ﬁrewall, and a Management Console

in an external network that controls a Policy Server through the ﬁrewall requires three

proxies:

■ 2072 TCP: Control messages/replication

■ 2074 TCP: Java RMI

■ 2073: Certiﬁcate Authentication

■ Policy Servers in the same EFW domain that need to synchronize through a perimeter

ﬁrewall require ﬁve proxies:

■ 2072 TCP: Control messages

■ 2073 TCP: Certiﬁcate Authentication

■ 2074 TCP: Java RMI

■ 2075 TCP: First Backup Server Replication

■ 2078 TCP: Second Backup Server Replication

Using IPSEC Under Windows 2000

Windows 2000 supports host-to-host IPSEC (IP Security). As an added beneﬁt, the

3CR990 NIC off loads IPSEC cryptographic processing from the operating system, which

enhances IPSEC performance. EFW treats IPSEC like any other protocol: it can permit or

deny it. Be aware that any protocol can be tunneled through IPSEC, and EFW does not

ﬁlter the protocols inside that tunnel. To speciﬁcally allow the use of IPSEC in your policies,

use the Windows 2000 IPSEC predeﬁned rule set (see Appendix A).

EFW System Security

This section discusses the security features incorporated in the EFW system to ensure

security of both data and EFW operations.

Data Security

The data that is managed by the Policy Server is critical to the security of your network.

Therefore, the EFW system implements the following security features to protect your data:

■ EFW administrator login and password

Any access to the EFW Management Console requires a login and password, which

are valid for accessing any data in an EFW domain. Administrator login names and

passwords are managed under the Tools menu. The EFW system is shipped with a

built-in default login name of “admin” and with a password of “admin.”

CAUTION: When you place your EFW system into production use, disable the

default login-password pair. For example, you can change the password for

“admin” to something known only to authorized EFW administrators. You may

also add a new user-password pair and then delete this default user.

1 Planning and Overview

12

■ File security

EFW data includes both policy information and audit records that contain raw

contents of packets. These packets may include login names and passwords that

could be transmitted over your network. As long as the disk partition on which you

install the Policy Server is formatted with NTFS (NT File System), ﬁles used by the Policy

Server can be accessed only by a user with Windows administrative privileges. If you

use the FAT or FAT32 ﬁle system, any authorized user of the computer for the Policy

Server could access EFW data. Further, if these ﬁles are shared over the network,

many users could potentially access these ﬁles.

■ Database security

EFW uses an underlying SQL database, called MySQL. Access to execute SQL

commands for this database is protected by passwords generated at installation time.

In addition, access using a remote SQL client is prohibited. Direct user access to the

EFW database via SQL is not necessary for EFW operations.

■ Secure communication

Communication is encrypted between EFW devices and the Policy Server, between the

Management Console and the Policy Server, and between Policy Servers. Policy Servers

identify themselves to each other, to the Management Console, and to their EFW devices

using two public-private key pairs generated upon creation of a new EFW domain.

The installation procedure in Chapter 2 of this guide includes a step to save these key

pairs to a diskette. The key pair data supports a method to recover control of EFW

NICs in the event of a catastrophic loss of all Policy Servers and data in a domain. (For

example, disk crashes on all Policy Server machines in a domain.) For a description of

the recovery procedure, see “Using the Recovery Diskette” on page 44. Possession of

an EFW key pair diskette could assist a knowledgeable but unauthorized user in

turning off the EFW capability on an EFW NIC.

The ﬁrst time you connect a remote Management Console running on a particular

computer to any Policy Server in a domain, you will be asked to accept a digital

certiﬁcate generated to secure this communication. The system displays a ﬁngerprint for

this certiﬁcate. Subsequent attempts to connect will verify the ﬁngerprint presented by

the server with the previously accepted certiﬁcate. Thus, the ﬁngerprint would normally

be displayed only the ﬁrst time you connect from a machine. If you see a different

ﬁngerprint, this difference could indicate an attempt by an attacker to masquerade

another program as a Policy Server (for example, to gain login-password information).

For communication between NICs and the Policy Server, the system automatically

determines the level of encryption used, based upon the encryption capability of

the EFW NICs. If EFW NICs are installed using the network installation method, they

generate their own initial encryption keys and report them to the Policy Server. If

installed with the diskette-keyed method, the initial key is generated by the Policy

Server and distributed to the EFW NICs via a diskette. For a comparison of these two

methods, see “Determine How You Want to Distribute EFW Firmware” on page 16.

CAUTION: To protect EFW data from unauthorized users, install the Policy Server

on a disk partition formatted with NTFS.

CAUTION: Create and keep an EFW key pair diskette in a secure location, as long

as any EFW NIC remains in the domain for this Policy Server.

EFW System Security

13

■ Policy Server local EFW NIC

Each Policy Server host may manage its own local EFW NIC, installed directly on the

Policy Server computer itself. EFW provides a pre-deﬁned policy for this NIC, which

allows only trafﬁc required for Policy Server operation. In particular, this policy

prohibits remote access to the database. This policy is a second layer of defense

beyond that provided by the database security mechanisms. If your Policy Server host

requires additional network access beyond that provided by this policy, you may add

rules to the policy to allow additional protocols.

The installation procedure for the local NIC is the same as any other EFW-secured

computer. You may use the network or diskette-keyed method. If you plan to secure

the NIC on your Policy Server using the diskette-keyed method, you may install the

EFW NIC component using the 3Com Embedded Firewall Installation CD when you

install the Policy Server and Management Console, or at a later time by selecting the

Modify installation option. When you boot into Windows after applying a keying

diskette, you see that the local NIC has made ﬁrst contact with its Policy Server and is

displayed in the Management Console.

Operational Security

The following features maintain secure operation of EFW in the face of potentially

disruptive behavior by end users and the network:

■ EFW NIC self-protection

The EFW capability on an EFW NIC can only be “uninstalled” via the Management

Console. Other than tampering with the physical hardware, there is no method for an

end user to reconﬁgure the NIC to turn off or uninstall EFW. Uninstalling EFW using

the standard Windows function removes only the EFW agent software. For more

information on managing EFW NICs, see “Maintaining EFW NICs” on page 42.

■ Fallback mode

If a secured computer boots up and cannot contact any Policy Server in its domain, it

enforces a “policy” called the fallback mode (for example, if the EFW agent has been

uninstalled). The fallback mode is a setting that was part of the policy being enforced

on this computer before the reboot. The choices for fallback mode are: Block All Trafﬁc,

Allow All Trafﬁc, and No Snifﬁng. Depending upon the particular characteristics of

your network and users, the selection of fallback mode can be important for the

effectiveness of EFW and the availability of networking services for your users. For more

information on selecting a fallback mode, see “Creating Policies and Rules” on

page 49.

NOTE: When installing a local EFW NIC in a domain containing multiple Policy

Servers, you may see the NIC assigned to one of the other servers when it

registers. To assign the NIC to the local Policy Server, use the Management

Console to change the NIC’s primary server.

NOTE: It is not recommended to run the Policy Server on the same computer

as a Windows Domain Controller, because the Domain Controller requires many

network privileges. These network privileges would place the Policy Server at risk,

because it cannot be effectively protected by its local EFW NIC.

1 Planning and Overview

14

Planning Your Conﬁguration

A number of issues need to be considered and resolved before you actually install and

conﬁgure EFW in your network. This section walks you through each planning stage to

help ensure smooth integration of EFW into your network.

Determine Your Security Goals

Every organization has different security needs. With EFW, you can customize your system

to protect as much or as little as you want. EFW is shipped with a number of pre-deﬁned

policies. Depending on your security needs, you can tailor pre-deﬁned policies to suit your

needs, or create your own using the Management Console. For details on creating and

managing policies, see Chapter 4, "Managing Policies."

The following general security goals will help you determine what security goals are

important for your organization.

■ Prevent the launch of untraceable attacks from a computer on your network.

This goal is for administrators who want to prevent users from launching an attack

from inside the network while modifying their source IP addresses (that is, spooﬁng).

To prevent spooﬁng from a speciﬁc computer, you may use the “No Snifﬁng, No

Spooﬁng” pre-deﬁned policy for that computer, or you may select or create any other

policy, and select the “No Spooﬁng, No Routing” policy setting.

■ Prevent a launch of attacks using network capabilities that are rarely needed

for legitimate purposes within your network.

A system is most secure when only necessary capabilities are allowed on the network.

For instance, most computers in your organization have no legitimate need for

sending and receiving fragmented packets through your network. Therefore, you can

conﬁgure a policy for those computers to disallow fragmented packets, preventing a

possible attack that uses packet fragments to ﬂood your system.

Network capabilities you may limit for machines that have no legitimate use for them

include:

■ Fragmented packets

■ Non-IP trafﬁc

■ Packet snifﬁng (receiving packets not addressed to the machine’s IP address)

■ Any unnecessary protocols

To prevent an attack from using unnecessary capabilities on your network, you ﬁrst

have to determine what capabilities you need and don’t need. After you have

determined these capabilities, you can simply conﬁgure the policy to allow or disallow

the various capabilities within your network. For example, if you want to create a

policy that prevents fragmented packets from entering your system, you would simply

de-select the “Allow Fragmented IP Packets” policy setting. To prevent the use of a

protocol, add a rule to the Policy ACL to deny the protocol between all IP addresses.

■ Restrict access to some servers containing sensitive data to selected sets of

workstations or limit the applications a workstation can access or both.

Most organizations have certain servers which contain information that only

speciﬁc people should be allowed to access, such as information speciﬁc to a

human resources department. You can create a policy to ensure that only authorized

workstations are allowed to access a particular server on your system. To restrict

access, build a custom policy for the protected server that deﬁnes the IP addresses

of all workstations which are allowed access to that server and denies all other access

attempts. You will also need to ensure that no workstation is allowed to spoof its IP

address and masquerade as one of the “acceptable” workstations which are allowed

to access the server.

Page is loading ...

3com 3CR990 Administration Manual

Related papers

Other documents