EFW System Security
■ Policy Server local EFW NIC
Each Policy Server host may manage its own local EFW NIC, installed directly on the
Policy Server computer itself. EFW provides a pre-defined policy for this NIC, which
allows only traffic required for Policy Server operation. In particular, this policy
prohibits remote access to the database. This policy is a second layer of defense
beyond that provided by the database security mechanisms. If your Policy Server host
requires additional network access beyond that provided by this policy, you may add
rules to the policy to allow additional protocols.
The installation procedure for the local NIC is the same as for any other EFW-secured computer. You may use the network or diskette-keyed method. If you plan to secure the NIC on your Policy Server using the diskette-keyed method, you may install the EFW NIC component using the 3Com Embedded Firewall Installation CD when you install the Policy Server and Management Console, or at a later time by selecting the Modify installation option. When you boot into Windows after applying a keying diskette, you see that the local NIC has made first contact with its Policy Server and is displayed in the Management Console.
Operational Security
The following features maintain secure operation of EFW in the face of potentially
disruptive behavior by end users and the network:
■ EFW NIC self-protection
The EFW capability on an EFW NIC can only be “uninstalled” via the Management
Console. Other than tampering with the physical hardware, there is no method for an
end user to reconfigure the NIC to turn off or uninstall EFW. Uninstalling EFW using
the standard Windows function removes only the EFW agent software. For more
information on managing EFW NICs, see “Maintaining EFW NICs” on page 42.
■ Fallback mode
If a secured computer boots up and cannot contact any Policy Server in its domain (for example, because the EFW agent has been uninstalled), it enforces a “policy” called the fallback mode. The fallback mode is a setting that was part of the policy being enforced on this computer before the reboot. The choices for fallback mode are: Block All Traffic, Allow All Traffic, and No Sniffing. Depending upon the particular characteristics of your network and users, the selection of fallback mode can be important for the effectiveness of EFW and the availability of networking services for your users. For more information on selecting a fallback mode, see “Creating Policies and Rules” on page 49.
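The two behaviours described above (a default-deny pre-defined policy for the local NIC that blocks remote database access but can be extended with extra allow rules, and a fallback mode persisted with the last enforced policy that takes over when no Policy Server answers) can be modelled in a few lines. The following is an added illustration, not code from the 3Com manual or the EFW product: the rule set, the port numbers, the management network and the way No Sniffing is reduced to a plain allow verdict are all constructed assumptions.

```python
# Added example (not 3Com's code): a first-match, default-deny rule evaluator
# with a fallback mode stored alongside the policy, modelling the local EFW NIC
# policy and the boot-time fallback behaviour described in the manual.
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Fallback(Enum):
    BLOCK_ALL = "Block All Traffic"
    ALLOW_ALL = "Allow All Traffic"
    NO_SNIFFING = "No Sniffing"


@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port on the protected host


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port
    src: str = "0.0.0.0/0"       # source network the rule applies to

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)


@dataclass
class Policy:
    rules: List[Rule]     # evaluated first-match; no match means deny
    fallback: Fallback    # persisted with the policy; used only when no server answers


# Hypothetical port numbers and management network (assumptions, not EFW's values).
POLICY_SERVER_PORT = 8443
DB_PORT = 5432
MGMT_NET = "10.0.0.0/24"

# Constructed stand-in for the pre-defined local NIC policy: only traffic needed
# for Policy Server operation is allowed, and the database is reachable from the
# host itself only. The explicit deny sits before any rules an admin appends.
LOCAL_NIC_POLICY = Policy(
    rules=[
        Rule("allow", "tcp", POLICY_SERVER_PORT, MGMT_NET),  # NICs register and fetch policy
        Rule("allow", "tcp", DB_PORT, "127.0.0.1/32"),       # local database access only
        Rule("deny", "tcp", DB_PORT),                        # no remote database access
    ],
    fallback=Fallback.BLOCK_ALL,
)


def decide(policy: Policy, pkt: Packet, server_reachable: bool) -> str:
    """Return 'allow' or 'deny' for a packet arriving at the protected NIC."""
    if not server_reachable:
        # No Policy Server could be contacted at boot: enforce the persisted
        # fallback mode. No Sniffing is modelled as a plain allow here; the
        # promiscuous-mode restriction it implies is not represented (assumption).
        return "deny" if policy.fallback is Fallback.BLOCK_ALL else "allow"
    for rule in policy.rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # default deny: anything not required for Policy Server operation


def add_rule(policy: Policy, rule: Rule) -> Policy:
    """Extend a policy with an additional rule, appended after the pre-defined ones."""
    return Policy(rules=policy.rules + [rule], fallback=policy.fallback)


if __name__ == "__main__":
    remote_db = Packet("10.0.0.5", "tcp", DB_PORT)
    print("remote DB access, server up:", decide(LOCAL_NIC_POLICY, remote_db, True))
    print("remote DB access, server down:", decide(LOCAL_NIC_POLICY, remote_db, False))
```

Because appended rules are evaluated after the pre-defined deny, an administrator can open extra protocols (say, HTTP from the management network) without weakening the database restriction: an appended allow for the database port is never reached, which is the "second layer of defense" the text describes.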
NOTE: When installing a local EFW NIC in a domain containing multiple Policy Servers, you may see the NIC assigned to one of the other servers when it registers. To assign the NIC to the local Policy Server, use the Management Console to change the NIC’s primary server.
NOTE: It is not recommended to run the Policy Server on the same computer as a Windows Domain Controller, because the Domain Controller requires many network privileges. These network privileges would place the Policy Server at risk, because it cannot be effectively protected by its local EFW NIC.