3com 3CR990 Administration Manual

Category
Software
Type
Administration Manual
3Com
®
Embedded Firewall
Software for the 3CR990
Network Interface Card (NIC) Family
Administration Guide
http://www.3com.com/
http://support.3com.com/registration/frontpg.pl
Published December 2001
Administration guide version 1.0.0
3Com Corporation
5400 Bayfront Plaza
Santa Clara, California
95052-8145
U.S.A.
Copyright © 2001 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to
make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.
3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part
of 3Com Corporation to provide notification of such revision or change.
3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not
limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make
improvements or changes in the product(s) and/or the program(s) described in this documentation at any time.
If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as
a separate document, in the hard copy documentation, or on the removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are
unable to locate a copy, please contact 3Com and a copy will be provided to you.
UNITED STATES GOVERNMENT LEGEND
If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following:
All technical data and computer software are commercial in nature. Software is delivered as “Commercial Computer Software” as defined in DFARS
252.227-7014 (June 1995) or as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in
3Com’s standard commercial license for the software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015
(Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any
licensed program or documentation contained in, or delivered to you in conjunction with, this user guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries.
3Com, EtherCD, and EtherLink are registered trademarks and the 3Com logo is a trademark of 3Com Corporation.
Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Novell is a registered trademark and ZENworks is a
trademark of Novell, Inc.
All other company and product names may be trademarks of the respective companies with which they are associated.
EXPORT RESTRICTIONS
This 3Com product and/or software contains encryption and may require U.S. and/or local government authorization prior to export or import to
another country.
Contents
Preface: Using This Guide
1
Who Should Read this Guide 1
How this Guide is Organized 1
Viewing and Printing this Document Online 2
Finding Information 2
1
Planning and Overview
3
What is the 3Com Embedded Firewall (EFW)? 3
EFW Architectural Components and Concepts 5
EFW Management Console 5
MMC Management Console 6
EFW Policy Servers 7
EFW Devices 7
EFW Domain 8
Overview of EFW Operations 9
EFW and Your Network 10
Addressing Constraints 10
Routing Constraints 10
Turning off Policy Enforcement 10
Proxying EFW Traffic Through a Perimeter Firewall 11
Using IPSEC Under Windows 2000 11
EFW System Security 11
Data Security 11
Operational Security 13
Planning Your Configuration 14
Determine Your Security Goals 14
Determine Where You Want to Deploy Individual EFW Devices 15
Determine What Device Sets You Will Need 15
EFW Flexible Implementation 16
Determine How You Want to Distribute EFW Firmware 16
Contents
2
Installing and Initially Configuring EFW
19
System Requirements 20
Overview of EFW Software 21
Installing and Uninstalling EFW Software 21
Installing the Policy Server Software 21
Installing the Management Console Using Java Web Start 22
Uninstalling EFW 23
Uninstalling an EFW NIC 23
Uninstalling the Policy Server and Management Console 24
Starting and Stopping System Components 24
Joining a New Policy Server to a Domain 25
Starting and Logging in to the Management Console 26
Licensing Overview 27
Managing Licenses in the Management Console 28
Adding an Activation Key 29
Creating a Recovery Diskette 29
Registering EFW NICs Manually 30
Distributing and Installing the EFW NIC Firmware 30
Installing and Registering EFW Devices Using the Diskette-keyed Process 31
Creating a DOS-bootable Diskette 31
Creating a Keying Diskette 32
Installing the EFW NIC from the Installation CD 32
Applying a Keying Diskette 33
Adding and Registering EFW NICs Over the Network 33
Special Considerations for Multi-NIC Systems 34
3
Managing EFW Devices Using the Policy Servers
35
What is a Policy Server? 35
Primary and Backup Policy Servers 35
Configuring Policy Servers for Redundancy 36
Organizing Policy Servers and EFW Devices 37
Setting up Device Sets 38
Creating a Device Set 38
Moving EFW Devices to a Different Device Set 40
Monitoring EFW Status 40
Monitoring Policy Server Status 40
Synchronizing Policy Servers Manually 40
Monitoring EFW Device Status and Missed Heartbeats 41
Monitoring NIC Connectivity and Policy Status 42
Maintaining EFW NICs 42
Using the Recovery Diskette 44
Restoring Inoperable EFW NICs 44
Determining Whether EFW is Installed on a NIC 44
Contents
4
Managing Policies
45
Policy Overview 45
Changing a Policy Without Distributing the Change 45
Pre-defined Policies 46
Importing Pre-defined Policies and Rule Sets 46
Policy Settings 47
Rules 47
Organizing Rules for Optimum Performance Within a Policy 48
Determining the Size of a Policy 48
Creating Policies and Rules 49
Creating a New Policy 49
Creating Rules 50
Setting up TCP SYN Filtering 50
Creating a Rule Set from a Policy 52
Editing a Rule Set Using the Rule Set Manager 53
Verifying a Policy Using Test Mode 53
Distributing a Policy to the Network 55
Secured EFW Device—Allow Traffic versus Block All Traffic 56
Exporting or Importing Policies or Rule Sets 56
Exporting Policies or Rule Sets 56
Importing Policies and Rule Sets 56
5
Performing Other Administration Tasks
59
Finding Information Using the Management Console 59
Administrator Manager Login 59
To Create a New Administrator 59
To Edit an Existing Administrator’s User Name or Password 60
To Delete an Administrator 60
Audit Information 60
Creating or Editing Audit Queries 61
Displaying Audit Query Results 62
Understanding Audit Query Results 63
Backing up the Database 65
Restoring the Database 66
A
Pre-Defined Rule Sets
67
B
Troubleshooting
69
Common problem solutions 69
System Connectivity 76
Policy Server-to-NIC Communication Check 76
Policy Server-to-Policy Server Communication Check 77
Management Console-to-Policy Server Communication Check 77
Contents
C
Using ZENworks to Install EFW
79
D
Technical Support
81
Online Technical Services 81
World Wide Web Site 81
3Com Knowledgebase Web Services 81
3Com FTP Site 81
Support from Your Network Supplier 82
Support from 3Com 82
Returning Products for Repair 82
1
Preface: Using This Guide
This guide provides detailed information about installing and managing the 3Com
®
Embedded Firewall (EFW) software.
Who Should Read this Guide
This guide is intended for the person responsible for installing, configuring, and managing
the 3Com EFW environment. Typically, this person’s job title is “network administrator.” It
is assumed that the administrator is familiar with networks and network terminology, and
with the Internet and its associated terms and applications.
How this Guide is Organized
This guide is divided into the following chapters and appendices:
Chapter or Appendix Title This Chapter or Appendix
Chapter 1: “Planning and Overview” Provides an overview of the embedded firewall system and its
basic components and concepts, along with general steps to
assist you in planning the best configuration for your site.
Chapter 2: “Installing and
Initially Configuring EFW”
Provides the information needed to install and deploy EFW in
your network.
Chapter 3: “Managing EFW Devices
Using the Policy Servers”
Provides detailed information about managing EFW devices
using the Policy Servers.
Chapter 4: “Managing Policies” Provides detailed information on creating and assigning
policies.
Chapter 5: “Performing Other
Administration Tasks”
Provides information on performing general administrative
tasks, such as searching for specific information within the
Management Console, and viewing audit data.
Appendix A: “Pre-Defined Rule Sets” Provides information on EFW pre-defined rule sets.
Appendix B: “Troubleshooting” Lists common problems you may encounter with EFW and
offers suggestions for solving these problems.
Appendix C: “Using ZENworks to
Install EFW”
Provides information on installing a 3Com NIC using
Novell’s ZENworks.
Appendix D: “Technical Support” Describes access to 3Com technical support information
through a variety of services.
Preface: Using This Guide
2
Viewing and Printing this Document Online
You may find when you view this document online in PDF format that the screen images
are blurry. If you need to see the image more clearly, you can either enlarge it (which may
not eliminate the blurriness) or you can print it. (The images are very clear when printed.)
For the best results, print this PDF document on a PostScript printer using a PostScript driver.
If your printer understands PostScript but does not have a PostScript driver installed,
you need to install a PostScript driver. You can download one from www.adobe.com.
If your printer is not a PostScript printer and your document does not print as
expected, attempt one of the following corrective actions:
If your printer has the
Print as Image
option, select it and then try printing.
Print only specific page(s) rather than sending the entire document to the printer.
Finding Information
This guide is in Acrobat (soft copy) format only and does not contain an index. However,
you can use Acrobat’s Find feature to search for every instance of any word or phrase that
you want. In many ways this feature is superior to an index, which relies on the indexer as
to what is included. Doing a search allows you, the user, to decide what is relevant and
what is not.
3
1
Planning and Overview
This chapter provides an overview of the 3Com Embedded Firewall (EFW) and its basic
components, concepts, and operations. It also provides general information to assist you
in planning the best configuration for your site. This chapter contains the following topics:
“What is the 3Com Embedded Firewall (EFW)?” below
“EFW Architectural Components and Concepts” on page 5
“Overview of EFW Operations” on page 9
“EFW and Your Network” on page 10
“EFW System Security” on page 11
“Planning Your Configuration” on page 14
What is the 3Com Embedded Firewall (EFW)?
EFW is software that applies security policy enforcement (packet filtering) capabilities to
all traffic transmitted from and received by individual server and desktop (workstation)
machines. NICs running EFW software (called
EFW devices)
enforce policies in the EFW
system. The following devices currently support EFW:
3Com Server 10/100 PCI NIC with 3XP (models 3CR990SVR95 and 3CR990SVR97)
3Com 10/100 PCI NIC with 3XP (models 3CR990-TX-95 and 3CR990-TX-97)
EFW software provides transparent packet filtering in accordance with rules that are set
up by an administrator. The rules are defined through a centralized Management Console,
and are communicated to EFW devices via the Policy Server. The figure on the next page
demonstrates security organization using EFW.
NOTE:
The model numbers listed above are NICs that support DES and 3-DES
encryption, respectively. The EFW Policy Server automatically adjusts its level of
encryption to match that of the devices it is managing.
1
Planning and Overview
4
EFW allows an administrator to specify policies for EFW devices using the Management
Console. A
policy
is a set of security criteria enforced by an EFW device. A policy comprises
various settings and an ordered list of rules, called an access control list (ACL), that
determine what actions take place and what events are audited for any EFW device
associated with that policy.
A
rule
consists of various parameters that determine the characteristics for which
incoming and outgoing packets are screened, and specifies what action is taken if a
match occurs. For more detailed information on policies and rules, see Chapter 4,
"Managing Policies."
A
device set
is a group of EFW devices (3CR990 NICs) that enforce a specific policy. Each
device set in the EFW system must have a policy assigned to it. A single policy may be
assigned to more than one device set. For more detailed information on device sets, see
Chapter 3, "Managing EFW Devices Using the Policy Servers."
Server
Workstation
EFW
device
EFW
device
Server
Workstation
EFW
device
EFW
device
Server
Workstation
EFW
device
EFW
device
Corporate
firewall
Policy
server
EFW
device
Internet
EFW
device
Remote
client
Management
console
EFW
device
EFW Architectural Components and Concepts
5
EFW Architectural Components and Concepts
EFW consists of the following major architectural components and concepts:
EFW Management Console
EFW Policy Servers
EFW devices
EFW domain(s)
Each of the components and concepts listed above is shown in the figure below and
discussed in the following subsections.
EFW Management Console
The EFW Management Console is the administrative interface to the Policy Server.
Administrators configure the system and view data using the Management Console.
You can protect the Management Console machine or server machine or both with an
EFW device. The Management Console can be installed and run on the same machine as
a Policy Server, or remotely on a different machine.
NOTE:
While you are not required to protect the Management Console machine
with an EFW NIC, it is recommended to protect against attacks.
Workstation
EFW
device
Workstation
EFW
device
Management
console
EFW
device
Policy server
EFW
device
Server
Server
EFW
device
Server
EFW
device
Policy server
EFW
device
EFW
device
Policy server
EFW
device
EFW domain 1
EFW domain 2
1
Planning and Overview
6
The Management Console window is divided into two separate areas:
Tree-view frame
—The left-hand portion of the window that displays the tree
structure of the available Policy Servers, policies, or device sets. (See the sample
window shown on the next page.) The drag-and-drop capability is available in the
tree-view frame.
Working frame
—The right-hand portion of the window that displays specific
information and configuration fields for the Policy Servers, policies, device sets, etc.
(See the sample window.) Any item you click on in the tree-view frame displays the
corresponding information in the working frame.
MMC Management Console
The Microsoft Management Console (MMC) provides direct access to the most often used
functions in the EFW Management Console offered within a Microsoft Management
framework. (See the sample window below.) Once you have invoked any of the MMC
functions, you have access to all EFW Management Console functions via the menu
options on the EFW Management Console windows. You do not need to return to the
MMC to access other functions. The window supporting the function you request from
the MMC is displayed first after EFW login.
NOTE:
More than one administrator may be connected to a Management Console
in a single EFW domain at the same time with read-only access. However, only one
administrator in that domain is allowed to have Normal (full access to the
administrative functions) at any one time.
A multi-arrow icon in front of
a field indicates that modification
of the field may cause a distribution
to EFW devices.
Tree-view
frame
Working
frame
EFW Architectural Components and Concepts
7
EFW Policy Servers
EFW Policy Servers control EFW devices by implementing administrative actions received
from the Management Console in the following ways:
Accept the high-level commands issued from the Management Console and convert
them into low-level packet filtering rules for the EFW devices.
Receive and process heartbeat messages from EFW devices that contain updates on
the IP addresses and resident policy version for the devices.
Receive and process audit messages from the EFW devices.
Store system data in an embedded database management system (DBMS).
Each EFW device must be assigned to a primary Policy Server. A Policy Server can also
specify a second Policy Server to act as a backup Policy Server if the primary server fails.
If desired, a third Policy Server can also be specified in case neither the primary nor
secondary servers are available or reachable.
The primary Policy Server has initial responsibility for distributing policy updates to EFW
devices. Furthermore, each embedded firewall caches its primary Policy Server locally and
contacts that Policy Server at EFW device initialization (for example, when the host
containing an EFW device is booted).
EFW Devices
EFW devices filter incoming and outgoing packets based on the rules and policy settings
for the specific policy they are enforcing. A policy is distributed to the EFW devices by the
Policy Servers.
Each EFW device must be associated with a device set. A device set is a group of EFW
devices (3CR990 NICs) that are associated with a specific policy. You can define any
number of device sets and assign EFW devices to any one of those device sets. However,
an EFW device cannot be placed in more than one device set.
A machine that is secured by an EFW device (the
secured computer
) can be either a server
or a workstation. A secured computer can have any number of EFW devices, each using
different policies (if desired), as long as each EFW device has a different IP address.
The figure on the next page shows EFW devices on both a workstation and server.
NOTE:
A software agent, called the EFW agent, also runs on a secured computer
to support some of the embedded firewall operations.
NOTE:
A Policy Server may be protected by its own EFW device. While you are not
required to protect the Policy Server machine, it is recommended to protect
against attacks.
1
Planning and Overview
8
EFW Domain
An EFW domain is a collection of Policy Server and EFW device components that can share
EFW-related data, such as the following policy and EFW device information:
A policy defined within an EFW domain can be assigned to any EFW device in that
domain.
Any Policy Server in a domain can serve as a backup Policy Server for any EFW device
in this domain since it has access to all information about this EFW device.
Audit queries can search all audit data generated within a domain.
An EFW domain can consist of as many as three Policy Servers. Although the EFW system
software does not place any limits on the number of devices for which a Policy Server is
the primary Policy Server, to ensure better performance a maximum of 1,000 EFW devices
per Policy Server is recommended. A Management Console connected to any Policy Server
in a domain has access to all EFW data for that domain. When you are connected to any
Policy Server within a domain, you can view or make changes to any EFW device in that
domain, regardless of whether it is a primary or backup server for that EFW device.
When installing a new Policy Server, you must indicate whether the Policy Server is the
first Policy Server in a new domain or if it is joining an existing domain. If it is joining an
existing domain, you must identify a Policy Server that already belongs to that domain.
The new Policy Server automatically obtains all domain information from the existing
Policy Server when it joins the domain.
NOTE:
Organizations that require more than three Policy Servers or 3,000 EFW
devices need to partition their enterprise into multiple EFW domains. However, the
same Management Console may be used to access any domain.
Server
Workstation
EFW
device
Management
Console
EFW
device
Policy Server
EFW
device
Secured
computer
Secured
computer
(with multiple NICs)
EFW
device
EFW
device
Overview of EFW Operations
9
Overview of EFW Operations
After initial installation of an EFW Policy Server and a Management Console, you may
add additional Policy Servers and NICs to an EFW domain at any time. When an EFW
NIC is installed, it makes first contact with a Policy Server upon first boot-up of its host
computer. The Policy Server automatically downloads the policy for that NIC. This policy is
the one assigned to the default device set, unless the NIC has been registered manually in
advance in another device set. (For information on registering NICs manually, see
“Registering EFW NICs Manually” on page 30.)
All registered NICs remain visible in the EFW console, regardless of their operational
status, until they are deleted from the EFW domain using the Management Console as
described on page 23.
An administrator may distribute a new or changed policy to a NIC device set at any time
using the Management Console. If any EFW-secured computer is offline at the time of a
policy distribution, it receives the new or updated policy the next time it boots up. (For
information on creating policies, see “Creating Policies and Rules” on page 49.)
EFW devices periodically send heartbeats to the Policy Server. A
heartbeat
is a short message
informing the Policy Server that the EFW device is operational. It also contains information
on the policy that the EFW device is implementing and the EFW device’s IP address.
A
wake-up
is a short message that alerts the Policy Server when a significant event
happens on the EFW device’s host machine (the most common event that causes a wake-
up is when the host machine is booted). The heartbeat interval for an EFW device resets
itself each time a wake-up is sent.
If policy distribution fails when the secured computer is online, the next heartbeat sent
from the embedded firewall to the Policy Server allows the Policy Server to determine that
the secured computer needs a policy update, and the EFW NIC receives the correct policy
at that time. A common reason this failure could happen is that a NAT (network address
translation) machine between the NIC and its Policy Server has recently changed the IP
address mapping for the secured computer. In this case, the Policy Server’s attempt to
distribute to the computer’s old address fails. (For information on monitoring heartbeats,
see “Monitoring EFW Device Status and Missed Heartbeats” on page 41.)
An EFW NIC does not retain its policy across boot-ups. It receives new policy information
from the Policy Server each time it boots. If an EFW NIC cannot reach any Policy Server in
the domain at this time, it enforces the fallback mode specified in the last policy it
received. (For information on setting the fallback mode, see “Creating a New Policy” on
page 49.)
EFW NICs send audit messages to the Policy Server. All audit messages are stored in the
database as audit records. The events audited for a NIC are determined by a NIC's policy.
The user can query audit records directly or export them for analysis. In addition, the Policy
Server audits administrative actions. (For information on viewing audit information, see
“Audit Information” on page 60.)
The EFW system is designed so that the EFW capability of the NIC cannot be disabled by
any action from the secured computer hosting the NIC. Attempts to do so may render the
NIC inoperable. To disable the EFW capability of a NIC, you must first delete the NIC in the
EFW Management Console. (For information on disabling the EFW capability of a NIC, see
“Maintaining EFW NICs” on page 42.)
1 Planning and Overview
10
EFW and Your Network
Addressing Constraints
EFW supports the deployment of embedded firewalls on computers that either are
configured for DHCP or have an address that is mapped by network address translation
(NAT) from the viewpoint of the Policy Server.
All Policy Servers in a domain must be able to use the same IP address to contact a
particular NIC. Therefore, the embedded firewall cannot support a scenario in which
a NAT machine separates a primary or backup Policy Server from a NIC but does not
separate some other primary or backup Policy Server from the same NIC.
If you are manually registering NICs, use the DNS name to register a NIC whose IP address
may change due to DHCP or NAT machine reconfiguration. Also, use the MAC address
or IP address to register two NICs on the same machine that have the same associated
DNS name.
The No Spoofing policy setting does not support a DHCP address change without a
reboot. This event causes the secured computer to be unable to send traffic to the
network until it reboots. The request to get a new IP address is blocked by the NIC, and
the computer will have relinquished its old address.
Your Policy Server address may also be mapped using NAT. All NICs in a domain must
be able to use the same IP address to contact any given Policy Server in their domain.
Therefore, the embedded firewall cannot support a scenario where all of the following
are true:
A NAT machine separates some of the NICs from a primary or backup Policy Server.
This NAT machine maps the Policy Server address to a different IP address.
Other NICs using this server as a primary or backup have no NAT machine separating
them from this Policy Server.
Routing Constraints
EFW NICs initially screen incoming traffic for commands from the Policy Server by examining
the source IP address. Therefore, traffic from a Policy Server to NICs in the domain must be
routed through the Ethernet card on the Policy Server, which has the address that its NICs
are expecting. This address is selected (implicitly or explicitly) when you select the name for
this server on first start-up. The IP address an EFW NIC is expecting can be found in the
embdfw.ini file on its host computer.
Turning off Policy Enforcement
If you detect serious network connectivity problems, you can temporarily turn off EFW policy
enforcement using the Management Console to quickly determine whether EFW policy
enforcement is a factor in the connectivity problem. To turn off EFW policy enforcement,
in the Tools menu select System State -> Turn Off Policy Enforcement. The background of
the Management Console tree-view frame turns green when policy enforcement is turned
off to prevent an administrator from accidentally leaving the system in this state. When
policy enforcement is turned off, filtering ceases for all NICs in that domain. To regain policy
enforcement, from the Tools menu select System State -> Normal.
CAUTION: For connectivity issues related to a limited number of secured
computers, you may want to move the affected NICs to a new device set with a
policy that allows all traffic. This move has less impact on security than turning off
policy enforcement for the entire system.
EFW System Security
11
Proxying EFW Traffic Through a Perimeter Firewall
Multiple proxies are required to proxy EFW-related traffic through a perimeter firewall.
Assuming use of the default port settings, the following scenarios describe the various
proxy requirements.
A Policy Server inside a perimeter firewall that controls NICs in DMZ or external
networks (or a remote Policy Server controlling internal NICs) requires a single UDP
proxy on a port range from 2081 to 2082.
A Policy Server in one network that is behind a firewall, and a Management Console
in an external network that controls a Policy Server through the firewall requires three
proxies:
2072 TCP: Control messages/replication
2074 TCP: Java RMI
2073: Certificate Authentication
Policy Servers in the same EFW domain that need to synchronize through a perimeter
firewall require five proxies:
2072 TCP: Control messages
2073 TCP: Certificate Authentication
2074 TCP: Java RMI
2075 TCP: First Backup Server Replication
2078 TCP: Second Backup Server Replication
Using IPSEC Under Windows 2000
Windows 2000 supports host-to-host IPSEC (IP Security). As an added benefit, the
3CR990 NIC off loads IPSEC cryptographic processing from the operating system, which
enhances IPSEC performance. EFW treats IPSEC like any other protocol: it can permit or
deny it. Be aware that any protocol can be tunneled through IPSEC, and EFW does not
filter the protocols inside that tunnel. To specifically allow the use of IPSEC in your policies,
use the Windows 2000 IPSEC predefined rule set (see Appendix A).
EFW System Security
This section discusses the security features incorporated in the EFW system to ensure
security of both data and EFW operations.
Data Security
The data that is managed by the Policy Server is critical to the security of your network.
Therefore, the EFW system implements the following security features to protect your data:
EFW administrator login and password
Any access to the EFW Management Console requires a login and password, which
are valid for accessing any data in an EFW domain. Administrator login names and
passwords are managed under the Tools menu. The EFW system is shipped with a
built-in default login name of “admin” and with a password of “admin.”
CAUTION: When you place your EFW system into production use, disable the
default login-password pair. For example, you can change the password for
“admin” to something known only to authorized EFW administrators. You may
also add a new user-password pair and then delete this default user.
1 Planning and Overview
12
File security
EFW data includes both policy information and audit records that contain raw
contents of packets. These packets may include login names and passwords that
could be transmitted over your network. As long as the disk partition on which you
install the Policy Server is formatted with NTFS (NT File System), files used by the Policy
Server can be accessed only by a user with Windows administrative privileges. If you
use the FAT or FAT32 file system, any authorized user of the computer for the Policy
Server could access EFW data. Further, if these files are shared over the network,
many users could potentially access these files.
Database security
EFW uses an underlying SQL database, called MySQL. Access to execute SQL
commands for this database is protected by passwords generated at installation time.
In addition, access using a remote SQL client is prohibited. Direct user access to the
EFW database via SQL is not necessary for EFW operations.
Secure communication
Communication is encrypted between EFW devices and the Policy Server, between the
Management Console and the Policy Server, and between Policy Servers. Policy Servers
identify themselves to each other, to the Management Console, and to their EFW devices
using two public-private key pairs generated upon creation of a new EFW domain.
The installation procedure in Chapter 2 of this guide includes a step to save these key
pairs to a diskette. The key pair data supports a method to recover control of EFW
NICs in the event of a catastrophic loss of all Policy Servers and data in a domain. (For
example, disk crashes on all Policy Server machines in a domain.) For a description of
the recovery procedure, see “Using the Recovery Diskette” on page 44. Possession of
an EFW key pair diskette could assist a knowledgeable but unauthorized user in
turning off the EFW capability on an EFW NIC.
The first time you connect a remote Management Console running on a particular
computer to any Policy Server in a domain, you will be asked to accept a digital
certificate generated to secure this communication. The system displays a fingerprint for
this certificate. Subsequent attempts to connect will verify the fingerprint presented by
the server with the previously accepted certificate. Thus, the fingerprint would normally
be displayed only the first time you connect from a machine. If you see a different
fingerprint, this difference could indicate an attempt by an attacker to masquerade
another program as a Policy Server (for example, to gain login-password information).
For communication between NICs and the Policy Server, the system automatically
determines the level of encryption used, based upon the encryption capability of
the EFW NICs. If EFW NICs are installed using the network installation method, they
generate their own initial encryption keys and report them to the Policy Server. If
installed with the diskette-keyed method, the initial key is generated by the Policy
Server and distributed to the EFW NICs via a diskette. For a comparison of these two
methods, see “Determine How You Want to Distribute EFW Firmware” on page 16.
CAUTION: To protect EFW data from unauthorized users, install the Policy Server
on a disk partition formatted with NTFS.
CAUTION: Create and keep an EFW key pair diskette in a secure location, as long
as any EFW NIC remains in the domain for this Policy Server.
EFW System Security
13
Policy Server local EFW NIC
Each Policy Server host may manage its own local EFW NIC, installed directly on the
Policy Server computer itself. EFW provides a pre-defined policy for this NIC, which
allows only traffic required for Policy Server operation. In particular, this policy
prohibits remote access to the database. This policy is a second layer of defense
beyond that provided by the database security mechanisms. If your Policy Server host
requires additional network access beyond that provided by this policy, you may add
rules to the policy to allow additional protocols.
The installation procedure for the local NIC is the same as any other EFW-secured
computer. You may use the network or diskette-keyed method. If you plan to secure
the NIC on your Policy Server using the diskette-keyed method, you may install the
EFW NIC component using the 3Com Embedded Firewall Installation CD when you
install the Policy Server and Management Console, or at a later time by selecting the
Modify installation option. When you boot into Windows after applying a keying
diskette, you see that the local NIC has made first contact with its Policy Server and is
displayed in the Management Console.
Operational Security
The following features maintain secure operation of EFW in the face of potentially
disruptive behavior by end users and the network:
EFW NIC self-protection
The EFW capability on an EFW NIC can only be “uninstalled” via the Management
Console. Other than tampering with the physical hardware, there is no method for an
end user to reconfigure the NIC to turn off or uninstall EFW. Uninstalling EFW using
the standard Windows function removes only the EFW agent software. For more
information on managing EFW NICs, see “Maintaining EFW NICs” on page 42.
Fallback mode
If a secured computer boots up and cannot contact any Policy Server in its domain, it
enforces a “policy” called the fallback mode (for example, if the EFW agent has been
uninstalled). The fallback mode is a setting that was part of the policy being enforced
on this computer before the reboot. The choices for fallback mode are: Block All Traffic,
Allow All Traffic, and No Sniffing. Depending upon the particular characteristics of
your network and users, the selection of fallback mode can be important for the
effectiveness of EFW and the availability of networking services for your users. For more
information on selecting a fallback mode, see “Creating Policies and Rules” on
page 49.
NOTE: When installing a local EFW NIC in a domain containing multiple Policy
Servers, you may see the NIC assigned to one of the other servers when it
registers. To assign the NIC to the local Policy Server, use the Management
Console to change the NIC’s primary server.
NOTE: It is not recommended to run the Policy Server on the same computer
as a Windows Domain Controller, because the Domain Controller requires many
network privileges. These network privileges would place the Policy Server at risk,
because it cannot be effectively protected by its local EFW NIC.
1 Planning and Overview
14
Planning Your Configuration
A number of issues need to be considered and resolved before you actually install and
configure EFW in your network. This section walks you through each planning stage to
help ensure smooth integration of EFW into your network.
Determine Your Security Goals
Every organization has different security needs. With EFW, you can customize your system
to protect as much or as little as you want. EFW is shipped with a number of pre-defined
policies. Depending on your security needs, you can tailor pre-defined policies to suit your
needs, or create your own using the Management Console. For details on creating and
managing policies, see Chapter 4, "Managing Policies."
The following general security goals will help you determine what security goals are
important for your organization.
Prevent the launch of untraceable attacks from a computer on your network.
This goal is for administrators who want to prevent users from launching an attack
from inside the network while modifying their source IP addresses (that is, spoofing).
To prevent spoofing from a specific computer, you may use the “No Sniffing, No
Spoofing” pre-defined policy for that computer, or you may select or create any other
policy, and select the “No Spoofing, No Routing” policy setting.
Prevent a launch of attacks using network capabilities that are rarely needed
for legitimate purposes within your network.
A system is most secure when only necessary capabilities are allowed on the network.
For instance, most computers in your organization have no legitimate need for
sending and receiving fragmented packets through your network. Therefore, you can
configure a policy for those computers to disallow fragmented packets, preventing a
possible attack that uses packet fragments to flood your system.
Network capabilities you may limit for machines that have no legitimate use for them
include:
Fragmented packets
Non-IP traffic
Packet sniffing (receiving packets not addressed to the machine’s IP address)
Any unnecessary protocols
To prevent an attack from using unnecessary capabilities on your network, you first
have to determine what capabilities you need and don’t need. After you have
determined these capabilities, you can simply configure the policy to allow or disallow
the various capabilities within your network. For example, if you want to create a
policy that prevents fragmented packets from entering your system, you would simply
de-select the “Allow Fragmented IP Packets” policy setting. To prevent the use of a
protocol, add a rule to the Policy ACL to deny the protocol between all IP addresses.
Restrict access to some servers containing sensitive data to selected sets of
workstations or limit the applications a workstation can access or both.
Most organizations have certain servers which contain information that only
specific people should be allowed to access, such as information specific to a
human resources department. You can create a policy to ensure that only authorized
workstations are allowed to access a particular server on your system. To restrict
access, build a custom policy for the protected server that defines the IP addresses
of all workstations which are allowed access to that server and denies all other access
attempts. You will also need to ensure that no workstation is allowed to spoof its IP
address and masquerade as one of the “acceptable” workstations which are allowed
to access the server.
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32
  • Page 33 33
  • Page 34 34
  • Page 35 35
  • Page 36 36
  • Page 37 37
  • Page 38 38
  • Page 39 39
  • Page 40 40
  • Page 41 41
  • Page 42 42
  • Page 43 43
  • Page 44 44
  • Page 45 45
  • Page 46 46
  • Page 47 47
  • Page 48 48
  • Page 49 49
  • Page 50 50
  • Page 51 51
  • Page 52 52
  • Page 53 53
  • Page 54 54
  • Page 55 55
  • Page 56 56
  • Page 57 57
  • Page 58 58
  • Page 59 59
  • Page 60 60
  • Page 61 61
  • Page 62 62
  • Page 63 63
  • Page 64 64
  • Page 65 65
  • Page 66 66
  • Page 67 67
  • Page 68 68
  • Page 69 69
  • Page 70 70
  • Page 71 71
  • Page 72 72
  • Page 73 73
  • Page 74 74
  • Page 75 75
  • Page 76 76
  • Page 77 77
  • Page 78 78
  • Page 79 79
  • Page 80 80
  • Page 81 81
  • Page 82 82
  • Page 83 83
  • Page 84 84
  • Page 85 85
  • Page 86 86
  • Page 87 87
  • Page 88 88

3com 3CR990 Administration Manual

Category
Software
Type
Administration Manual

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI