1 Planning and Overview
Planning Your Configuration
A number of issues need to be considered and resolved before you actually install and
configure EFW in your network. This section walks you through each planning stage to
help ensure smooth integration of EFW into your network.
Determine Your Security Goals
Every organization has different security needs. With EFW, you can customize your system
to protect as much or as little as you want. EFW is shipped with a number of pre-defined
policies. Depending on your security needs, you can tailor pre-defined policies to suit your
needs, or create your own using the Management Console. For details on creating and
managing policies, see Chapter 4, "Managing Policies."
The following general security goals will help you determine which goals are
important for your organization.
■ Prevent the launch of untraceable attacks from a computer on your network.
This goal is for administrators who want to prevent users from launching an attack
from inside the network while modifying their source IP addresses (that is, spoofing).
To prevent spoofing from a specific computer, you may use the “No Sniffing, No
Spoofing” pre-defined policy for that computer, or you may select or create any other
policy, and select the “No Spoofing, No Routing” policy setting.
■ Prevent the launch of attacks that use network capabilities rarely needed
for legitimate purposes within your network.
A system is most secure when only necessary capabilities are allowed on the network.
For instance, most computers in your organization have no legitimate need for
sending and receiving fragmented packets through your network. Therefore, you can
configure a policy for those computers to disallow fragmented packets, preventing a
possible attack that uses packet fragments to flood your system.
Network capabilities you may limit for machines that have no legitimate use for them
include:
■ Fragmented packets
■ Non-IP traffic
■ Packet sniffing (receiving packets not addressed to the machine’s IP address)
■ Any unnecessary protocols
To prevent an attack from using unnecessary capabilities on your network, you first
have to determine what capabilities you need and don’t need. After you have
determined these capabilities, you can simply configure the policy to allow or disallow
the various capabilities within your network. For example, if you want to create a
policy that prevents fragmented packets from entering your system, you would simply
de-select the “Allow Fragmented IP Packets” policy setting. To prevent the use of a
protocol, add a rule to the Policy ACL to deny the protocol between all IP addresses.
■ Restrict access to some servers containing sensitive data to selected sets of
workstations, limit the applications a workstation can access, or both.
Most organizations have certain servers which contain information that only
specific people should be allowed to access, such as information specific to a
human resources department. You can create a policy to ensure that only authorized
workstations are allowed to access a particular server on your system. To restrict
access, build a custom policy for the protected server that defines the IP addresses
of all workstations which are allowed access to that server and denies all other access
attempts. You will also need to ensure that no workstation is allowed to spoof its IP
address and masquerade as one of the “acceptable” workstations which are allowed
to access the server.
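The following added example (not taken from the EFW documentation) models the third goal as a first-match access list with a default deny, and shows why the server's allow-list depends on the no-spoofing setting at each workstation. The class names, rule layout, evaluation order and addresses are assumptions made for illustration; they are not EFW's policy format.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str               # "tcp", "udp", ...
    fragmented: bool = False

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # CIDR
    dst: str                 # CIDR
    proto: str = "any"

@dataclass(frozen=True)
class Policy:
    allow_fragments: bool    # models the "Allow Fragmented IP Packets" setting
    rules: tuple             # hypothetical ACL: first match wins, no match denies

def evaluate(policy, pkt):
    """Decision for a packet arriving at the protected server."""
    if pkt.fragmented and not policy.allow_fragments:
        return "deny: fragmented"
    for i, r in enumerate(policy.rules):
        if (ip_address(pkt.src) in ip_network(r.src)
                and ip_address(pkt.dst) in ip_network(r.dst)
                and r.proto in ("any", pkt.proto)):
            return f"{r.action}: rule {i}"
    return "deny: default"

def egress_ok(nic_ip, pkt):
    """No-spoofing check on the sender: source must be the NIC's own address."""
    return ip_address(pkt.src) == ip_address(nic_ip)

# Constructed sample data (RFC 5737 documentation addresses).
HR_SERVER = "192.0.2.10"
HR_POLICY = Policy(allow_fragments=False, rules=(
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "udp"),   # unneeded protocol, all addresses
    Rule("allow", "192.0.2.21/32", f"{HR_SERVER}/32"),
    Rule("allow", "192.0.2.22/32", f"{HR_SERVER}/32"),
))

if __name__ == "__main__":
    forged = Packet("192.0.2.21", HR_SERVER, "tcp")   # actually sent by 192.0.2.99
    print(evaluate(HR_POLICY, forged))                # server ACL alone accepts it
    print(egress_ok("192.0.2.99", forged))            # sender's no-spoofing check rejects it
```

The server-side list can only judge the source address a packet claims, so the deny-by-default policy is complete only when every workstation also enforces the no-spoofing setting.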