manualshive.com logo in svg

3Com 3CR990, Руководство администратора

Административное руководство по продукту 3Com 3CR990 доступно для скачивания бесплатно на нашем сайте. Здесь вы можете найти полезные инструкции и руководства по использованию, чтобы получить максимальную пользу от вашего устройства. Посетите manualshive.com для загрузки руководства.

Поделиться
Скачать
background image

2      

Installing and Initially Configuring EFW

30

Registering EFW NICs Manually

If you are installing the EFW NICs using the diskette-keyed process, you must register NICs 
manually from the Management Console. If you are installing the EFW firmware using the 
network installation, you have the option of registering EFW NICs manually, or letting the 
EFW NICs register automatically upon first contact with a Policy Server. The advantage of 
manual registration is that when the EFW NIC first identifies itself to the Policy Server, the 
Policy Server can assign a previously specified policy for the EFW NIC. Without manual 
registration, the Policy Server simply adds the EFW NIC to the default device set and 
downloads the policy for that device set. 

For an EFW NIC that is registered manually, you can specify a host name, an IP address, or 
a MAC address. A static IP address can be required by selecting the corresponding check 
box. If you require static IP addresses, then the EFW NIC is always expected to have the 
same IP address that it showed when the EFW NIC first contacted a Policy Server. If the 
EFW NIC does not have the same IP address, the Policy Server does not respond to the 
EFW NIC and generates an audit event.

To register EFW NICs manually, follow the steps below.

1

In the Management Console under the Main menu, select 

New

 -> 

NIC Registration

The Manual NIC Registration window appears.

2

Select the type of NIC you are registering: 

Desktop NIC

 or 

Server NIC

.

3

Determine whether the NIC will be behind a NAT (network address translation) machine.

Direct

—Select this option if the NIC is not behind a NAT machine. You are 

prompted to enter the secured computer host name or IP address. You can also 
specify whether IP addresses must be static.

Behind a NAT Box

—Select this option if a NAT machine exists on the network path 

between the NIC and its primary or any backup Policy Server. If the NIC is behind a 
NAT machine, you are prompted to enter the EFW device name and MAC address.

4

From the Device Set drop-down list, select the device set to which the NIC will belong.

5

From the Policy Server drop-down list, select the primary Policy Server with which the 
NIC will be associated.

6

Click 

OK

 to register the EFW NIC manually.

Distributing and Installing the EFW NIC Firmware

Before installing the EFW firmware and agent software, a 3Com interface network card 
that supports EFW should be physically installed, and networking should be operational 
using the factory drivers for this card.

The EFW NIC firmware must be installed onto the EFW NICs. The firmware can be 
distributed in either of two ways:

Diskette-keyed distribution

For security reasons, you may want to distribute cryptographic keys used for 
communication with the Policy Server directly to a computer that will be secured 
via boot media.

For more information on diskette-keyed distribution, see “Determine How You Want 
to Distribute EFW Firmware” on page 16.

Содержание 3CR990

Страница 1: ...d Firewall Software for the 3CR990 Network Interface Card NIC Family Administration Guide http www 3com com http support 3com com registration frontpg pl Published December 2001 Administration guide v...

Страница 2: ...TES GOVERNMENT LEGEND If you are a United States government agency then this documentation and the software described herein are provided to you subject to the following All technical data and compute...

Страница 3: ...7 EFW Domain 8 Overview of EFW Operations 9 EFW and Your Network 10 Addressing Constraints 10 Routing Constraints 10 Turning off Policy Enforcement 10 Proxying EFW Traffic Through a Perimeter Firewall...

Страница 4: ...Devices Using the Diskette keyed Process 31 Creating a DOS bootable Diskette 31 Creating a Keying Diskette 32 Installing the EFW NIC from the Installation CD 32 Applying a Keying Diskette 33 Adding a...

Страница 5: ...Traffic 56 Exporting or Importing Policies or Rule Sets 56 Exporting Policies or Rule Sets 56 Importing Policies and Rule Sets 56 5 Performing Other Administration Tasks 59 Finding Information Using...

Страница 6: ...stall EFW 79 D Technical Support 81 Online Technical Services 81 World Wide Web Site 81 3Com Knowledgebase Web Services 81 3Com FTP Site 81 Support from Your Network Supplier 82 Support from 3Com 82 R...

Страница 7: ...iguration for your site Chapter 2 Installing and Initially Configuring EFW Provides the information needed to install and deploy EFW in your network Chapter 3 Managing EFW Devices Using the Policy Ser...

Страница 8: ...stScript driver You can download one from www adobe com If your printer is not a PostScript printer and your document does not print as expected attempt one of the following corrective actions If your...

Страница 9: ...c transmitted from and received by individual server and desktop workstation machines NICs running EFW software called EFW devices enforce policies in the EFW system The following devices currently su...

Страница 10: ...ackets are screened and specifies what action is taken if a match occurs For more detailed information on policies and rules see Chapter 4 Managing Policies A device set is a group of EFW devices 3CR9...

Страница 11: ...nistrators configure the system and view data using the Management Console You can protect the Management Console machine or server machine or both with an EFW device The Management Console can be ins...

Страница 12: ...es direct access to the most often used functions in the EFW Management Console offered within a Microsoft Management framework See the sample window below Once you have invoked any of the MMC functio...

Страница 13: ...r locally and contacts that Policy Server at EFW device initialization for example when the host containing an EFW device is booted EFW Devices EFW devices filter incoming and outgoing packets based o...

Страница 14: ...o any Policy Server in a domain has access to all EFW data for that domain When you are connected to any Policy Server within a domain you can view or make changes to any EFW device in that domain reg...

Страница 15: ...evice resets itself each time a wake up is sent If policy distribution fails when the secured computer is online the next heartbeat sent from the embedded firewall to the Policy Server allows the Poli...

Страница 16: ...Policy Server This NAT machine maps the Policy Server address to a different IP address Other NICs using this server as a primary or backup have no NAT machine separating them from this Policy Server...

Страница 17: ...PSEC cryptographic processing from the operating system which enhances IPSEC performance EFW treats IPSEC like any other protocol it can permit or deny it Be aware that any protocol can be tunneled th...

Страница 18: ...r example disk crashes on all Policy Server machines in a domain For a description of the recovery procedure see Using the Recovery Diskette on page 44 Possession of an EFW key pair diskette could ass...

Страница 19: ...EFW NIC can only be uninstalled via the Management Console Other than tampering with the physical hardware there is no method for an end user to reconfigure the NIC to turn off or uninstall EFW Uninst...

Страница 20: ...rough your network Therefore you can configure a policy for those computers to disallow fragmented packets preventing a possible attack that uses packet fragments to flood your system Network capabili...

Страница 21: ...the traffic required for these applications A common means for hackers to attack a network is to break into generally accessible computers such as corporate Web servers and then use them as the launc...

Страница 22: ...etermine How You Want to Distribute EFW Firmware EFW firmware is installed directly onto all NICs that will become EFW devices An EFW agent is also installed onto the host machine The EFW firmware and...

Страница 23: ...oper registration would be detected and rejected right away To increase security when using network based distribution make the default policy as restrictive as possible and limit access if possible t...

Страница 24: ......

Страница 25: ...ntains the following topics System Requirements on page 20 Overview of EFW Software on page 21 Installing and Uninstalling EFW Software on page 21 Starting and Stopping System Components on page 24 Li...

Страница 26: ...s 2000 NT 4 SP4 XP Professional 98 or 95a d EFW is not supported on Windows Me CPU No minimum requirement RAM 16 MB Network interface card NIC One of the 3Com models 3CR990SVR95 3CR990SVR97 3CR990 TX...

Страница 27: ...Type your user name and organization name in the appropriate fields Click Next The Installation Type window appears 5 Select either of the following installation options Typical Centralized Management...

Страница 28: ...complete the InstallShield Wizard Completed window appears 10 Click Finish to complete the Installation process A window appears asking if you would like to start the Policy Server If you click No you...

Страница 29: ...install is booted and live on the network that allows it to communicate with the Policy Server 2 In the Management Console select the EFW NIC you want to delete 3 In the Edit menu select Delete A conf...

Страница 30: ...ight corner of the window This window is informational only and may be left open or closed at any time without affecting the Policy Server NOTE To ensure that all files are removed answer Yes to any f...

Страница 31: ...s Selecting an IP address has the advantage of avoiding impact on your EFW system due to DNS name changes It is less attractive for display purposes than the host name but a user can modify the displa...

Страница 32: ...cy Server that is resolvable on the foreign network such as it s fully qualified DNS name or IP address In the Administrator Login field enter an EFW login name and password in the appropriate fields...

Страница 33: ...s follows Licenses for the Policy Server A single Policy Server license is required to gain access to all Management Console functions when connected to a newly installed Policy Server in a new EFW do...

Страница 34: ...r NIC Activated The number of valid licenses for each type that have been added to the system in this domain If the system accepted the entry of an activation key it is valid unless it has expired Use...

Страница 35: ...chines this recovery package allows you to clone your policy server and regain management control of your NICs A clean installation of the policy server cannot communicate with your EFW NICs which is...

Страница 36: ...NIC Registration window appears 2 Select the type of NIC you are registering Desktop NIC or Server NIC 3 Determine whether the NIC will be behind a NAT network address translation machine Direct Selec...

Страница 37: ...te on page 32 If you have the capability to boot into DOS 1 Insert a boot diskette and boot into DOS An a prompt appears 2 Type format a s and press Enter one time This action loads FORMAT and system...

Страница 38: ...xt The Installation Type window appears 5 Select Custom Centralized Management and or Secured NIC Click Next The Custom Setup window appears 6 Click on the icon next to Embedded Firewall NIC A drop do...

Страница 39: ...Policy Server then downloads whatever policy is assigned to the NIC s device set Once this communication with the Policy Server has taken place the last wake up or heartbeat field on the NIC informat...

Страница 40: ...of installation for a machine with multiple EFW devices note that the user interface when you apply the keying diskette presents you with a list of MAC addresses on the machine so you can determine t...

Страница 41: ...ion for example when the secured computer is booted The Policy Server is responsible for providing the EFW device policy at initialization time Each embedded firewall also caches its backup Policy Ser...

Страница 42: ...domain This replication happens regardless of whether any Policy Servers have assigned backup Policy Servers You may therefore connect via the Management Console to any Policy Server and perform confi...

Страница 43: ...er duties are spread across the various Policy Servers Multiple Policy Servers each serving as the primary Policy Server for some collection of EFW devices and each also serving as a backup to other P...

Страница 44: ...t the bottom of the window and then selecting that policy NOTE An EFW device cannot be placed in more than one device set EFW device EFW device EFW device EFW device EFW device EFW device Device set 1...

Страница 45: ...artbeat refreshes the Policy for an EFW device and allows the Policy Server to update the IP address for the EFW device For example if the IP address for a secured computer changes because of NAT the...

Страница 46: ...twork connection prevents Policy Server B from being informed another administrator could concurrently update the same policy on Policy Server B When the intermittent network problem is resolved the P...

Страница 47: ...dded firewall Heartbeat intervals are assigned to device sets rather than individual EFW devices All EFW devices in a device set have the same heartbeat interval When the Policy Server receives a hear...

Страница 48: ...y being enforced Policy is up to date Yes No or Unknown indicates the managing Policy Server is unavailable Maintaining EFW NICs A key characteristic of EFW is that it is hardware based and is designe...

Страница 49: ...tend to remove it from the system and wish to uninstall EFW on the card If this step is not taken moving an EFW card to a non EFW host or attempting to install non EFW firmware over an EFW card may re...

Страница 50: ...nstructions on installing EFW on a NIC using the Custom installation option see Installing and Uninstalling EFW Software on page 21 Determining Whether EFW is Installed on a NIC If the options listed...

Страница 51: ...used by a policy assigned to a device set containing EFW devices Assignment of a new device set containing EFW devices to a policy Assignment of a new device to a device set Use of the Distribute Poli...

Страница 52: ...n troubleshooting a network connection problem that has been reported for a secured computer Block all traffic Allows no traffic to be sent or received by the secured computer except for the managemen...

Страница 53: ...that is currently using it For example if you create a rule set that contains five rules add it to 10 different policies and later decide to modify one or more of the rules contained in that set you...

Страница 54: ...cy up to size 64 A server NIC can handle a policy up to size 128 The information below provides guidelines for calculating the size of a policy Selecting the No Spoofing policy setting increases the p...

Страница 55: ...case 3 Select a fallback mode from the Fallback Mode drop down list A fallback policy is used by a NIC if it is unable to reach the Policy Server on boot up The following options are available Allow A...

Страница 56: ...ine what action takes place as a result of this evaluation Setting up TCP SYN Filtering Selecting TCP 6 in a rule s IP Protocol field indicates that the action specified in that rule affects all TCP t...

Страница 57: ...addresses using the Source IP Address and Source Mask fields is as follows The system first converts each number that is part of the mask to an eight bit binary number For example each 255 in the defa...

Страница 58: ...to the device enforcing this policy outgoing from the secured computer enforcing this policy or both This determination is done by selecting In Out or Both from the drop down list NOTE Selecting Both...

Страница 59: ...4 When you have finished editing the rule set click Save 5 Click Close to exit the Rule Set Editor Verifying a Policy Using Test Mode When EFW filtering is initially turned on or when making changes t...

Страница 60: ...you can turn off test mode and implement the policy into your system If you do receive an audit record indicating a match of one of the deny rules in test mode you will first want to investigate wheth...

Страница 61: ...or encountered some other unexpected error when preparing to perform the distribution This distribution is attempted again and may fail again when the device next sends a wake up or heartbeat assumin...

Страница 62: ...ct the Allow Traffic button Exporting or Importing Policies or Rule Sets You can export or import existing policies or rule sets to other systems to prevent the inconvenience of re creating the same p...

Страница 63: ...d 5 Select the items you want to import and click Next A summary window appears showing the policies and rule sets you selected 6 Click Import A message appears indicating whether the import was succe...

Страница 64: ......

Страница 65: ...ion 2 Select one of the following search areas Device Policy 3 Specify the search criteria The fields vary depending on the type of search you select 4 Click OK The information is displayed in the win...

Страница 66: ...e policy settings No Sniffing or No Spoofing No Routing in a policy all NICs with this policy automatically audit any attempt to violate these settings No events related to other policy setting are au...

Страница 67: ...areas in the Rules tab 5 In the During Timeframe box you can specify a time frame for the audit events as follows NOTE Policy distribution failures to a NIC if there is no primary or backup server ava...

Страница 68: ...esults for a specific audit query follow the steps below 1 In the Management Console under the Audit menu select Audit Browser The Audit Browser window appears 2 In the List of Queries tab select the...

Страница 69: ...date and time click the Date and Time header This action organizes the audit events by date and time starting with the most recent To reverse the organization that is to organize the audit events sta...

Страница 70: ...event number associated with a particular audit event may change if you use the sort by column feature that is an event number of 1 always represents the audit event that is listed in the top row etc...

Страница 71: ...ingle window You can scroll to other audit events in the Audit Event Properties window by clicking the Up or Down arrows You also have the option to view Policy information for a specific audit event...

Страница 72: ...tore A confirmation window appears 7 Click Finish If any of the EFW devices you installed are not registered in the restored database these devices automatically re register with the system at the nex...

Страница 73: ...on this host NOTE During the login process the administrator s personalized settings are loaded and permission to exchange several randomly ported UDP packets between the host and its primary domain...

Страница 74: ...nt Allow the host to request Web service using HTTP ICMP Allow Network management services including ping echo and tracert commands NetBIOS Client Allow the host to request name datagram and session s...

Страница 75: ...ver license In the Tools menu select License Manager If you do not have a Policy Server license you need to add a license see Adding an Activation Key on page 29 If necessary exit the Management Conso...

Страница 76: ...to use different ports The Certificate Server port is specified by the following registry entry MyComputer HKEY_LOCAL_MACHINE SOFTWARE 3Com EFW certserverport Policy Servers are out of synchronization...

Страница 77: ...d in the query you executed You may not be able to get a network connection to the other Policy Server or the other Policy Server may be down see Policy Server to Policy Server Communication Check on...

Страница 78: ...akeup or Heartbeat field on the NIC information window Verify communication between the secured computer and the Policy Server see Policy Server to NIC Communication Check on page 76 Policy or configu...

Страница 79: ...ce been changed If so policies must be updated Host names used in the policy may have been mapped to different IP addresses since the policy was last distributed to this device For an immediate soluti...

Страница 80: ...you expect and recommended actions for different situations Decide on the case that applies to you and take the recommended action In all cases do not abort the keying diskette operation simply allow...

Страница 81: ...from the Management Console is the only way to effectively uninstall EFW from a NIC If you cannot delete the NIC from the Management Console but the NIC is online perform a Policy Server to NIC Commu...

Страница 82: ...in the Policy Server information window If it isn t listed the NIC does not respond to communications from that Policy Server Therefore you need to change the Policy Server assignment If the Policy S...

Страница 83: ...ava RMI protocol The Policy Server has an embedded RMI Registry listening on port 2074 by default Each remote server with which this Policy Server communicates requires a separate thread within the Po...

Страница 84: ......

Страница 85: ...t press Run Application Install Button It is not needed for this process 6 Copy the NIC installation directory step 2 default nicinstall to the client drive specified in step 4F You can use a command...

Страница 86: ...EFW is not installed until Windows is started again 14 At the end of the user or default logon script add the following command server sys public nalexpld exe end This command starts the Application...

Страница 87: ...s well as support options that range from technical education to maintenance and professional services 3Com Knowledgebase Web Services The 3Com Knowledgebase is a database of technical information to...

Страница 88: ...one support services To find out more about your support options go to the Web site associated with your region of the world shown below When you contact 3Com for assistance have the following informa...

Отзывы:

Нет отзывов

Похожие инструкции для 3CR990

D-Link NetDefend DFL-260E Reference Manual preview
NetDefend DFL-260E
Бренд: D-Link Страницы: 328
D-Link ShareCenter Pulse DNS-320 Quick Install Manual preview
ShareCenter Pulse DNS-320
Бренд: D-Link Страницы: 2
D-Link DFL-210 - NetDefend - Security Appliance Firewall Registration Manual preview
DFL-210 - NetDefend - Security Appliance
Бренд: D-Link Страницы: 19
D-Link DFL-M510 Faq preview
DFL-M510
Бренд: D-Link Страницы: 22
Dahua N300 Quick Start Manual preview
N300
Бренд: Dahua Страницы: 12
D-Link NetDefend DFL-1600 Quick Manual preview
NetDefend DFL-1600
Бренд: D-Link Страницы: 23
3Com 3CR860-95 - OfficeConnect Secure Router Features And Benefits preview
3CR860-95 - OfficeConnect Secure Router
Бренд: 3Com Страницы: 2
3Com 3C905-TX Installation Manual preview
3C905-TX
Бренд: 3Com Страницы: 26
Dahua DHI-NVR5224-24P-4KS2 Quick Start Manual preview
DHI-NVR5224-24P-4KS2
Бренд: Dahua Страницы: 24
Internet Security Systems Proventia A1204 User Manual preview
Proventia A1204
Бренд: Internet Security Systems Страницы: 42
HMS Networks Anybus Communicator ABC4021 User Manual preview
Anybus Communicator ABC4021
Бренд: HMS Networks Страницы: 60
Idis DR-1508P Operation Manual preview
DR-1508P
Бренд: Idis Страницы: 85
Supermicro AOC-MGP-i2 User Manual preview
AOC-MGP-i2
Бренд: Supermicro Страницы: 27
Sans Digital ELITENAS EN104L+(B) Quick Installation Manual preview
ELITENAS EN104L+(B)
Бренд: Sans Digital Страницы: 9
eWON 2101CD Installation Manual preview
2101CD
Бренд: eWON Страницы: 34
Zhone ETHX-2214-DS3 Installation Instructions Manual preview
ETHX-2214-DS3
Бренд: Zhone Страницы: 28
Stahl HFisolator 9730/26-11 Operating Instructions preview
HFisolator 9730/26-11
Бренд: Stahl Страницы: 2
Paradyne iMarc SLV 9820-2M Installation Instructions Manual preview
iMarc SLV 9820-2M
Бренд: Paradyne Страницы: 24

Бренды по названию

Популярные бренды

Загрузить еще бренды