3Com 3CR990 Administration Manual - Contents

Other manuals for 3CR990: Quick Start Manual, User Manual
Manual is about: PCI Network Interface Card with 3XP processor

Summary of 3CR990

  • Page 1

    3Com® Embedded Firewall Software for the 3CR990 Network Interface Card (NIC) Family Administration Guide http://www.3com.com/ http://support.3com.com/registration/frontpg.pl Published December 2001 Administration Guide Version 1.0.0

  • Page 2

    3Com Corporation ■ 5400 Bayfront Plaza ■ Santa Clara, California ■ 95052-8145 ■ U.S.A. Copyright © 2001 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adap...

  • Page 3: Contents

    Contents Preface: Using This Guide 1 Who Should Read This Guide 1 How This Guide Is Organized 1 Viewing and Printing This Document Online 2 Finding Information 2 1 Planning and Overview 3 What Is the 3Com Embedded Firewall (EFW)? 3 EFW Architectural Components and Concepts 5 EFW Management Console 5...

  • Page 4

    Contents 2 Installing and Initially Configuring EFW 19 System Requirements 20 Overview of EFW Software 21 Installing and Uninstalling EFW Software 21 Installing the Policy Server Software 21 Installing the Management Console Using Java Web Start 22 Uninstalling EFW 23 Uninstalling an EFW NIC 23 Unin...

  • Page 5

    Contents 4 Managing Policies 45 Policy Overview 45 Changing a Policy Without Distributing the Change 45 Pre-defined Policies 46 Importing Pre-defined Policies and Rule Sets 46 Policy Settings 47 Rules 47 Organizing Rules for Optimum Performance Within a Policy 48 Determining the Size of a Policy 48 ...

  • Page 6

    Contents C Using ZENworks to Install EFW 79 D Technical Support 81 Online Technical Services 81 World Wide Web Site 81 3Com Knowledgebase Web Services 81 3Com FTP Site 81 Support from Your Network Supplier 82 Support from 3Com 82 Returning Products for Repair 82.

  • Page 7: Preface: Using This Guide

    1 Preface: Using This Guide This guide provides detailed information about installing and managing the 3Com® Embedded Firewall (EFW) software. Who Should Read This Guide This guide is intended for the person responsible for installing, configuring, and managing the 3Com EFW environment. Typically, ...

  • Page 8

    Preface: Using This Guide 2 Viewing and Printing This Document Online You may find when you view this document online in PDF format that the screen images are blurry. If you need to see the image more clearly, you can either enlarge it (which may not eliminate the blurriness) or you can print it. (T...

  • Page 9: Planning and Overview

    3 1 Planning and Overview This chapter provides an overview of the 3Com Embedded Firewall (EFW) and its basic components, concepts, and operations. It also provides general information to assist you in planning the best configuration for your site. This chapter contains the following topics: ■ “What...

  • Page 10

    1 Planning and Overview 4 EFW allows an administrator to specify policies for EFW devices using the Management Console. A policy is a set of security criteria enforced by an EFW device. A policy comprises various settings and an ordered list of rules, called an access control list (ACL), that determ...

  • Page 11

    EFW Architectural Components and Concepts 5 EFW Architectural Components and Concepts EFW consists of the following major architectural components and concepts: ■ EFW Management Console ■ EFW policy servers ■ EFW devices ■ EFW domain(s) Each of the components and concepts listed above is shown in th...

  • Page 12

    1 Planning and Overview 6 The Management Console window is divided into two separate areas: ■ Tree-view frame—the left-hand portion of the window that displays the tree structure of the available policy servers, policies, or device sets. (See the sample window shown on the next page.) The drag-and-...

  • Page 13

    EFW Architectural Components and Concepts 7 EFW Policy Servers EFW policy servers control EFW devices by implementing administrative actions received from the Management Console in the following ways: ■ Accept the high-level commands issued from the Management Console and convert them into low-level...

  • Page 14

    1 Planning and Overview 8 EFW Domain An EFW domain is a collection of policy server and EFW device components that can share EFW-related data, such as the following policy and EFW device information: ■ A policy defined within an EFW domain can be assigned to any EFW device in that domain. ■ Any poli...

  • Page 15

    Overview of EFW Operations 9 Overview of EFW Operations After initial installation of an EFW policy server and a Management Console, you may add additional policy servers and NICs to an EFW domain at any time. When an EFW NIC is installed, it makes first contact with a policy server upon first boot-...

  • Page 16

    1 Planning and Overview 10 EFW and Your Network Addressing Constraints EFW supports the deployment of embedded firewalls on computers that either are configured for DHCP or have an address that is mapped by network address translation (NAT) from the viewpoint of the policy server. All policy servers...

  • Page 17

    EFW System Security 11 Proxying EFW Traffic Through a Perimeter Firewall Multiple proxies are required to proxy EFW-related traffic through a perimeter firewall. Assuming use of the default port settings, the following scenarios describe the various proxy requirements. ■ A policy server inside a per...

  • Page 18

    1 Planning and Overview 12 ■ File security EFW data includes both policy information and audit records that contain raw contents of packets. These packets may include login names and passwords that could be transmitted over your network. As long as the disk partition on which you install the policy ...

  • Page 19

    EFW System Security 13 ■ Policy server local EFW NIC Each policy server host may manage its own local EFW NIC, installed directly on the policy server computer itself. EFW provides a pre-defined policy for this NIC, which allows only traffic required for policy server operation. In particular, this ...

  • Page 20

    1 Planning and Overview 14 Planning Your Configuration A number of issues need to be considered and resolved before you actually install and configure EFW in your network. This section walks you through each planning stage to help ensure smooth integration of EFW into your network. Determine your se...

  • Page 21

    Planning Your Configuration 15 For example, if an application on the human resources server uses a protocol for which EFW has provided a pre-defined rule set, you may augment this rule set with the source IP address of each computer allowed access to the human resources server, and then paste these ...

  • Page 22

    1 Planning and Overview 16 Once you have determined where your EFW devices will be deployed and what policies you need, you can determine what device sets you will need and which EFW devices you want to assign to each device set. For example, you may want to set up a device set for each department w...

  • Page 23

    Planning Your Configuration 17 firmware that ignores policies distributed from the policy server. Since the EFW firmware is responsible for verifying itself, there is no way you can detect such an attack from the policy server. With network-based distribution, any computer with access to download th...

  • Page 25: Installing and

    19 2 Installing and Initially Configuring EFW This chapter provides the information needed to install and deploy 3Com Embedded Firewall (EFW) software on your system. It contains the following topics: ■ “System Requirements” on page 20 ■ “Overview of EFW Software” on page 21 ■ “Installing and Uninst...

  • Page 26

    2 Installing and Initially Configuring EFW 20 System Requirements Before you install the EFW software, verify that your system meets the following requirements: Management Console Component Requirements Operating system Microsoft Windows 2000, NT 4-SP4, or 98 A CPU 400 MHz or higher (recommended) RA...

  • Page 27

    Overview of EFW Software 21 Overview of EFW Software The EFW software comprises: ■ Policy server software—software installed on any machine that will be used as a policy server. ■ Management Console software—administrative interface software installed on any machine that will be used to configure th...

  • Page 28

    2 Installing and Initially Configuring EFW 22 6 Click Next. In the EFW Domain Association window, determine whether the computer on which you are installing the policy server software will be placed in a new domain or in an existing domain by selecting either of the following options: ■ Creating a n...

  • Page 29

    Installing and Uninstalling EFW Software 23 To install the Management Console on a remote system using Java Web Start, follow the steps below. 1 Copy the contents of the Java Web Start folder from the EFW installation CD to the documents area of your web server. 2 Configure the web server so that al...

  • Page 30

    2 Installing and Initially Configuring EFW 24 Uninstalling the Policy Server and Management Console To uninstall the policy server and Management Console, follow the steps below. 1 (Optional) Close the Management Console program. 2 (Optional) Stop the EFW Policy Server service using the Windows Serv...

  • Page 31

    Starting and Stopping System Components 25 Joining a New Policy Server to a Domain To join a new policy server to a domain, follow the steps below. 1 If you are starting the policy server for the first time, the Join Existing EFW Domain or Create EFW Domain window appears. In this window, you may re...

  • Page 32

    2 Installing and Initially Configuring EFW 26 If you select the host name, when converted by the policy server machine to an IP address, it must be resolvable by all machines that host embedded firewalls in this EFW domain. If there is only one IP address offered on this screen, this address is the ...

  • Page 33

    Licensing Overview 27 2 Enter your login name and password in the appropriate fields. The default EFW login and password for a new system are as follows: ■ Login: admin ■ Password: admin 3 Select the policy server to which you want to connect from the list of policy servers. To connect to a new poli...

  • Page 34

    2 Installing and Initially Configuring EFW 28 Managing Licenses in the Management Console You can monitor the status of licenses and configure various licensing options using the Management Console. To view licensing data, select License Manager from the Tools menu. The License Summary window appear...

  • Page 35

    Creating a Recovery Diskette 29 Adding an Activation Key To add a policy server or NIC activation key, follow the steps below. 1 In the Management Console Tools menu, select License Manager. The License Summary window appears. 2 Click Add Keys. The Add Activation Key window appears. Enter the policy...

  • Page 36

    2 Installing and Initially Configuring EFW 30 Registering EFW NICs Manually If you are installing the EFW NICs using the diskette-keyed process, you must register NICs manually from the Management Console. If you are installing the EFW firmware using the network installation, you have the option of ...

  • Page 37

    Distributing and Installing the EFW NIC Firmware 31 ■ Network distribution Distributing firmware via the network is more convenient, but it may be less secure. With EFW network installation, it is not necessary to physically access the computer to install EFW. For more information on network distrib...

  • Page 38

    2 Installing and Initially Configuring EFW 32 Creating a Keying Diskette 1 In the Management Console under the Tools menu, select Create NIC Installation. The EFW NIC Install Package wizard launches automatically. 2 Select Keying Diskette as the installation type. 3 Enter a password to protect the k...

  • Page 39

    Distributing and Installing the EFW NIC Firmware 33 12 Click Install. A progress window appears as the program installs the EFW NIC. The Installation Completed window appears. 13 Click Finish. To complete installation of the EFW NIC, you must now apply the keying diskette as described below. Applyin...

  • Page 40

    2 Installing and Initially Configuring EFW 34 6 Distribute and install the EFW firmware and EFW agent via the network by updating your Windows login script or other standard installation utility to run the installation software when the user next logs in. You may also move the installation folder yo...

  • Page 41: Managing EFW Devices

    35 3 Managing EFW Devices Using the Policy Servers This chapter provides detailed information about managing EFW devices using the policy servers. It contains the following topics: ■ “What Is a Policy Server?” below ■ “Configuring Policy Servers for Redundancy” on page 36 ■ “Organizing Policy Server...

  • Page 42

    3 Managing EFW Devices Using the Policy Servers 36 ■ Audit and heartbeat and audit information is sent to the server from which the NIC has last heard, which means that no audit or heartbeats are sent until a server responds to a wake-up. These messages could be lost if the server is not available o...

  • Page 43

    Organizing Policy Servers and EFW Devices 37 Organizing Policy Servers and EFW Devices You can organize policy servers and EFW devices however you want, subject to the following constraints: ■ No more than three policy servers can be in any one EFW domain. ■ The backup policy servers specified for a...

  • Page 44

    3 Managing EFW Devices Using the Policy Servers 38 Setting Up Device Sets Each EFW device must belong to a device set. Each device set is assigned to a policy. An example of how policies and device sets work together is shown in the figure below. Creating a Device Set A device set is a collection of...

  • Page 45

    Setting Up Device Sets 39 To create device sets, follow the steps below. 1 From the main menu, select New -> Device Set. The New Device Set window appears. 2 Enter the name of the new device set in the Device Set Name field. The maximum number of characters that can be entered in the name field is 6...

  • Page 46

    3 Managing EFW Devices Using the Policy Servers 40 Moving EFW Devices to a Different Device Set To move one or more EFW devices to a different device set, follow the steps below. 1 In the Management Console, click on the Device Sets tab in the tree-view frame. 2 Click on the device set that contains...

  • Page 47

    Monitoring EFW Status 41 Typical situations that require manual synchronization include: ■ Restarting a policy server—if a policy server is offline and you bring it back online, the policy server should automatically re-synchronize with its domain. If it cannot, a dialog window appears asking which ...

  • Page 48

    3 Managing EFW Devices Using the Policy Servers 42 Monitoring NIC Connectivity and Policy Status You can use the Status button to check the connectivity and policy status of a single NIC. Clicking the Status button sends a status request to the selected NIC. The result is a NIC Status window that in...

  • Page 49

    Maintaining EFW NICs 43 If you install diagnostics on the computer after EFW installation, the installation appears to succeed, but the NIC becomes inoperable. In this case, to gain diagnostic capability on an EFW NIC once the NIC is operational again: a Uninstall EFW from this NIC (see “Uninstallin...

  • Page 50

    3 Managing EFW Devices Using the Policy Servers 44 Using the Recovery Diskette If you are attempting to recover a NIC and none of the policy servers in the domain for that NIC remain in operation, you need to clone one of the policy servers to regain control of the NIC and return the NIC to a generi...

  • Page 51: Managing Policies

    45 4 Managing Policies This chapter provides detailed information on creating and assigning policies. It contains the following topics: ■ “Policy Overview” below ■ “Creating Policies and Rules” on page 49 ■ “Verifying a Policy Using Test Mode” on page 53 ■ “Distributing a Policy to the Network” on p...

  • Page 52

    4 Managing Policies 46 Pre-defined Policies EFW comes with the following pre-defined policies that you can use to meet many common security goals. You can also use pre-defined policies as a starting point for more specialized policies. The following pre-defined policies are included: If you determin...

  • Page 53

    Policy Overview 47 Policy Settings A policy setting is similar to a rule in that it implies a specific criterion and a subsequent action. The following policy settings can be specified for each policy: Rules A rule consists of various parameters that determine the characteristics for which incoming ...

  • Page 54

    4 Managing Policies 48 When a packet arrives at an EFW NIC, the ACL is processed by stepping through the list of rules from first to last until a match is found. Usually, once a match is found and the appropriate action is taken, the process is complete. However, you may configure the policy to igno...

  • Page 55

    Creating Policies and Rules 49 Creating Policies and Rules A policy is created and modified using the Management Console. Each policy consists of a name, various policy settings, and an ACL (an ordered list of rules). Creating a New Policy To create a new policy, follow the steps below. 1 In the Man...

  • Page 56

    4 Managing Policies 50 4 Type a description of the policy in the Description field. This field is optional and exists solely to assist you in assigning policies. You can include information about what the policy does, or when to use it. 5 Select the policy settings you want to apply to this policy. ...

  • Page 57

    Creating Policies and Rules 51 The following rule parameters can be configured when creating or modifying a rule: Rule-filter parameter This parameter Rule name (optional) is the name of the rule. Double-click on the rule name to access the Rule Name Editor. The Rule Name Editor allows you to enter ...

  • Page 58

    4 Managing Policies 52 Creating a Rule Set from a Policy You can group a number of rules within a particular policy into a rule set that can then be used again in other policies. To create a rule set, follow the steps below. 1 Click the Policy tab and select the policy from which you are creating th...

  • Page 59

    Verifying a Policy Using Test Mode 53 4 (Optional) Provide a description of the rule set in the Description field. 5 Select one or more rules from the ACL. (To select multiple rules to add to the rule set, hold down the Shift key.) 6 Click OK. The new rule set is added to the policy. Editing a Rule ...

  • Page 60

    4 Managing Policies 54 5 To place the policy back into normal operating mode, in the Policy window, select Policy in Normal Operation, and click Save. Test mode applied to an entire policy is useful for trying out policies that contain “deny” action rules followed by an “allow” default rule. To test...

  • Page 61

    Distributing a Policy to the Network 55 When you feel comfortable with the policies, you can remove the test mode to fully implement the policies into your system. Distributing a Policy to the Network Distributing a policy consists of sending a policy out to one or more EFW devices. This distributio...

  • Page 62

    4 Managing Policies 56 Secured EFW Device—Allow Traffic Versus Block All Traffic When an attack is detected as having originated from an EFW device, the attack can be stopped using the Management Console by selecting the appropriate EFW device, and clicking Block All Traffic at the bottom of the NIC...

  • Page 63

    Exporting or Importing Policies or Rule Sets 57 4 Click Next. A list of the policies and rule sets contained in the file is displayed. 5 Select the items you want to import, and click Next. A summary window appears, showing the policies and rule sets you selected. 6 Click Import. A message appears i...

  • Page 65: Performing Other

    59 5 Performing Other Administration Tasks This chapter provides information on performing general administration tasks, such as searching for specific information in the Management Console and viewing audit information. It contains the following topics: ■ “Finding Information Using the Management C...

  • Page 66

    5 Performing Other Administration Tasks 60 To edit an existing administrator’s user name or password 1 To edit the user name, select the administrator you want to edit from the list. 2 Click Edit. 3 To edit the name, type a new name in the User Name field. 4 To edit the password, type a new password...

  • Page 67

    Audit Information 61 Creating or Editing Audit Queries To create a new audit query or edit an existing audit query, follow the steps below. 1 In the Management Console under the Audit menu, select Audit Browser. The Audit Browser window appears. 2 Under the Query menu, select one of the following op...

  • Page 68

    5 Performing Other Administration Tasks 62 6 In the Advanced Options box, select the max results per query you want from the drop-down list. The default is 5,000. 7 In the Advanced Options box, select the number of results per table you want to see listed from the drop-down list. 8 In the Advanced O...

  • Page 69

    Audit Information 63 3 Click the icon. The query results appear in a new window. The audit query results are displayed one page at a time in table format. The audit query results are divided into two categories, indicated by two tabs located at the bottom of the window: ■ Policy and Administrator—au...

  • Page 70

    5 Performing Other Administration Tasks 64 ■ Request ID (Policy and Administrator tab only): This field displays an ID that links all of the audit events that were affected by a specific policy distribution. Therefore, if you sort the audit events by request ID, all events related to a single policy...

  • Page 71

    Backing Up the Database 65 ■ ICMP type (Rule tab only): This field displays a number (or message type) that relates to a particular ICMP message and its definition. For information on ICMP message types, refer to TCP/IP Illustrated, Volume 1: The Protocols (the Addison-Wesley Professional Computing...

  • Page 72

    5 Performing Other Administration Tasks 66 Restoring the Database You can restore a previously backed up copy of the database using the Management Console. To restore your database, follow the steps below. 1 In the Management Console under the Main menu, select Backup and Restore Database. 2 Select ...

  • Page 73: Pre-Defined Rule Sets

    67 A Pre-defined Rule Sets This appendix provides information on EFW pre-defined rule sets. Pre-defined rule set name Description Windows NT 4.0 Standard Allow minimal services for a typical Microsoft Windows NT 4.0 host to boot, login and access files on the network. By default, this rule set does ...

  • Page 74

    A Pre-defined Rule Sets 68 DNS Client Allow the host to request name service using DNS. FTP Server Allow the host to provide file transfers using FTP. FTP Client Allow the host to request file transfers using FTP. HTTP Server Allow the host to provide web service using HTTP. HTTP Client Allow the ho...

  • Page 75: Troubleshooting

    69 B Troubleshooting This appendix lists common problems you may encounter with the embedded firewall and offers suggestions for solving these problems. Common Problem Solutions Many system problems can be traced to connectivity issues between EFW system components. Information regarding system conn...

  • Page 76

    B Troubleshooting 70 Policy server Suggested solution Received a “Cannot start RMI registry” message when starting the policy server This message usually indicates the RMI port specified in the Windows registry under My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\3Com\EFW\RMIPort is being used by another ap...

  • Page 77

    Common Problem Solutions 71 Policy server Suggested solution Backup policy servers are not taking over as expected ■ Verify the backup policy server is online by confirming that the status displayed in the Management Console Policy Server window is normal, or by viewing the status of the policy serv...

  • Page 78

    B Troubleshooting 72 Server/NIC connectivity Suggested solution Secured computer did not make first contact with a policy server in the domain For an automatically registered NIC, you can determine that it has not made first contact if it does not appear in the default device set in the tree-view po...

  • Page 79

    Common Problem Solutions 73 Policy enforcement Suggested solution A NIC is not enforcing a policy ■ Check the rules in your policy to make sure that the Test check box is not selected, and that the Enable check box is selected (otherwise, the Action field is ignored and filtering skips to the next r...

  • Page 80

    B Troubleshooting 74 Installation Suggested solution During installation of EFW NIC on Windows 95, receive message: “A required .DLL file WS2_32.DLL, was not found.” Your Windows 95 system has not been upgraded for Windows Sockets 2. To host an embedded firewall, Windows 95 must be updated for Windo...

  • Page 81

    Common Problem Solutions 75 Uninstalling EFW Suggested solution Note: For complete instructions on uninstalling EFW, see “Uninstalling EFW” on page 23. An end user on a secured computer uninstalled EFW using the Windows Add/Remove Programs If you use the Windows Add/Remove Programs to remove EFW, onl...

  • Page 82

    B Troubleshooting 76 System Connectivity A number of problems with EFW can be solved by checking the system connectivity and the binding between the components of the EFW system. Policy Server-to-NIC Communication Check To determine if policy server-to-NIC communication is functioning as expected, f...

  • Page 83

    System Connectivity 77 3 Verify that the NIC can reach its policy server. ■ Ping from the secured computer to the policy server to verify that the secured computer can reach the policy server at an address shown in the embdfw.ini file. If it can’t, you may have a network outage or a network routing issu...

  • Page 85

    79 C Using ZENworks to Install EFW To install a 3Com EFW NIC using Novell’s ZENworks, follow the steps below. 1 On your EFW Management Console, select Create NIC Installation from the Tools menu. 2 After creating the network NIC installation, copy the files to your NetWare server. 3 Start Novell’s s...

  • Page 86

    C Using ZENworks to Install EFW 80 13 Edit the details of your new application. a Identification tab: Check Run Application Once. b Environment tab: Remove existing system requirements and add an operating system with the version (98, NT). c Distribution tab: Check Always Reboot, and you can choose ...

  • Page 87: Technical Support

    81 D Technical Support 3Com provides easy access to technical support information through a variety of services. This appendix describes these services. Information contained in this appendix is correct at time of publication. For the most recent information, 3Com recommends that you access the 3Com...

  • Page 88

    D Technical Support 82 Support from Your Network Supplier If you require additional assistance, consult your network supplier. Many suppliers are authorized 3Com service partners who are qualified to provide a variety of services, including network planning, installation, hardware maintenance, appli...