Changing the Policy for an EFW NIC
Importing the “Windows 2000 Standard” Rule Set
Before you create the sample policy, you need to import the Windows 2000
Standard rule set, which will be added to the sample policy in the next section.
To import the Windows 2000 Standard rule set, follow the steps below.
1 From the Main menu, select Import Policy/Rule set. The Import Policy/Rule Set window appears.
2 Select Rule Set and click Next.
3 Click Browse and navigate to Program Files -> 3Com Corporation -> 3Com EFW -> predefined-policies-rulesets.xml. Click Next. A list of the rule sets contained in the file is displayed.
4 Select the Windows 2000 Standard pre-defined rule set and click Next. A summary window appears, showing the rule set you selected.
5 Click Import. A message appears indicating whether the import was successful.
6 Click Finish.
After you have imported the Windows 2000 Standard rule set, you can create
a sample policy by following the steps in the section below.
Creating a Policy
In this section you will create a sample policy (called the “No IP Initiation” policy) that can be used on a system where the security goal is to minimize the threat to your network if the machine is taken over by a hostile external or internal agent. To achieve this goal, you will create a policy that:
■ Allows the system to boot up as a member of a Windows domain (achieved by implementing the Windows 2000 Standard rule set in step 6 on the next page).
■ Does not allow the system to initiate any TCP communication beyond that allowed to boot up and connect to the network domain, etc. This disallowance prevents a hostile agent from using this machine as a launching point for an attack on the network (achieved by the rule created in step 7 on the next page).
This type of policy would normally be used for a server machine. It is not
appropriate for an end-user workstation because it would not allow the user
to initiate any network traffic.
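To make the intent of the two bullet points concrete, the following is an added example, not 3Com EFW code and not a reader of the EFW rule-set XML file. It models the “No IP Initiation” policy as a direction-aware packet filter in Python: traffic needed to reach the domain is allowed, inbound connections to the server are accepted, and the host is refused any other outbound TCP connection. The domain boot ports, the class and function names and the sample traffic are assumptions constructed for the illustration; the manual does not list the contents of the Windows 2000 Standard rule set.

```python
from dataclasses import dataclass

# Assumed: destination ports a Windows 2000 domain member typically needs at
# boot (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB). The manual does not
# list the contents of the "Windows 2000 Standard" rule set; this stands in.
DOMAIN_BOOT_PORTS = frozenset({53, 88, 135, 389, 445})


@dataclass(frozen=True)
class Packet:
    """One packet as seen by the host firewall (constructed test data)."""
    direction: str     # "out" = sent by this host, "in" = received by it
    proto: str         # "tcp" or "udp"
    remote_ip: str
    remote_port: int   # peer's port (destination for "out", source for "in")
    local_port: int    # this host's port
    syn: bool = False  # TCP flags; SYN without ACK is a new connection attempt
    ack: bool = False


class NoIpInitiationFirewall:
    """Direction-aware evaluator for the 'No IP Initiation' policy idea."""

    def __init__(self, domain_ports=DOMAIN_BOOT_PORTS):
        self.domain_ports = domain_ports
        # TCP sessions a remote peer opened to this host: (ip, rport, lport)
        self.accepted = set()

    def filter(self, pkt: Packet) -> str:
        """Return 'allow' or 'deny' for a single packet."""
        key = (pkt.remote_ip, pkt.remote_port, pkt.local_port)

        # Rule set 1 (stand-in for "Windows 2000 Standard"): domain boot
        # traffic may be initiated by the host and answered by the controller.
        if pkt.remote_port in self.domain_ports:
            return "allow"

        # The stated rule concerns TCP only, so other protocols fall through.
        if pkt.proto != "tcp":
            return "allow"

        if pkt.direction == "in":
            # A server accepts inbound connections; remember them so that the
            # host's replies can be told apart from connections it started.
            if pkt.syn and not pkt.ack:
                self.accepted.add(key)
            return "allow"

        # Rule 2 ("No IP Initiation"): an outbound SYN opens a new connection.
        if pkt.syn and not pkt.ack:
            return "deny"
        # Outbound non-SYN segments are legitimate only as replies on a
        # connection a peer opened; anything else is traffic on a connection
        # this host was never allowed to have.
        return "allow" if key in self.accepted else "deny"


def demo():
    """Run constructed sample traffic through the policy; returns verdicts."""
    fw = NoIpInitiationFirewall()
    trace = [
        Packet("out", "udp", "10.0.0.1", 53, 49152),                     # DNS at boot
        Packet("out", "tcp", "10.0.0.1", 88, 49153, syn=True),           # Kerberos to DC
        Packet("in", "tcp", "10.0.0.7", 51000, 80, syn=True),            # client -> web server
        Packet("out", "tcp", "10.0.0.7", 51000, 80, syn=True, ack=True),  # SYN/ACK reply
        Packet("out", "tcp", "203.0.113.9", 9000, 50000, syn=True),      # host opening a connection
        Packet("out", "tcp", "203.0.113.9", 9000, 50000, ack=True),      # no accepted session
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last two packets show why direction tracking matters: the policy must refuse not only the obvious outbound SYN but also non-SYN segments that belong to no connection a peer opened, otherwise the "no initiation" rule could be sidestepped by traffic that never sets SYN.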