For example, if an application on the human resources server uses a protocol for
which EFW has provided a pre-defined rule set, you may augment this rule set with
the source IP address of each computer allowed access to the human resources server,
and then paste these rule sets together to create a policy for the human resources
server. Or, you may disallow access to the human resources server in a policy residing
on every computer in your organization, except for those specifically authorized.
• Limit the access of special-purpose workstations (for example, guest workstations) to a small set of network addresses and protocols.
Many organizations have workstations used by guests or temporary employees, who usually need only very basic network access. For example, you may have a guest workstation whose user should reach only the Internet, with no access to the corporate network.
To limit the access of a particular workstation, create a policy that allows only specific protocols, such as HTTP, and only to the IP address of the corporate Internet gateway. Because the policy allows nothing else, the workstation can reach the Internet but cannot reach company information on the internal network. If the workstation later needs to be reconfigured for an employee visiting from another location, you simply download a less restrictive policy to it.
• Limit the capabilities available for launching attacks from servers dedicated to applications, such as Web servers or mail servers, by limiting their network interactions to the traffic those applications require.
A common way for attackers to penetrate a network is to break into generally accessible computers, such as corporate Web servers, and then use them as a launching point for attacks on internal servers.
You can create a custom policy for a particular server that prevents that server, a Web server, for example, from acting as a client for services such as telnet, by specifying only the types of traffic to allow for that server. A Web server must accept inbound HTTP connections, but it rarely needs to open connections to internal hosts; denying those client connections limits how far an attacker who has subverted the server can spread. EFW pre-defined rule sets contain the protocols required to run many common application servers.
• Monitor access to certain applications and servers, in general or from specific portions of the network, while allowing that access to occur.
You can set up policies that audit certain activities on portions of the network while letting the traffic flow uninterrupted. To audit without restricting the flow of traffic, create a policy whose rules match these services and select Allow and Audit for each rule.
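The goals above (the human resources server reachable only from authorized source addresses, the guest workstation allowed only web traffic to the Internet gateway, the exposed Web server prevented from acting as a telnet client, and the Allow-and-Audit rule) can all be expressed in one small policy model. The Python below is an added illustration, not code from this manual or from the EFW product, and it does not reproduce the EFW policy server's real rule syntax. The rule-set names, ports, device-set names and every IP address in it are assumptions chosen for the example; it also models the device-set-to-policy assignment that the section "Determine What Device Sets You Will Need" describes.

```python
"""Toy model of per-device-set firewall policies in the style described above.

Added illustration, not EFW code: the class names, pre-defined rule-set names,
ports and addresses are assumptions made for this example.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

ALLOW, ALLOW_AUDIT, DENY = "allow", "allow+audit", "deny"


@dataclass(frozen=True)
class Rule:
    """One rule; the first rule that matches a packet decides its fate."""
    action: str
    proto: str                     # "tcp", "udp" or "any"
    port: Optional[int] = None     # service port; None matches any port
    direction: str = "in"          # "in": this host is the server, "out": it is the client
    peer: str = "0.0.0.0/0"        # network the other end of the connection must belong to

    def matches(self, pkt: dict) -> bool:
        return (pkt["dir"] == self.direction
                and self.proto in ("any", pkt["proto"])
                and (self.port is None or self.port == pkt["port"])
                and ip_address(pkt["peer"]) in ip_network(self.peer))


class Policy:
    """Ordered rule list assigned to a device set; anything unmatched is dropped."""
    def __init__(self, name: str, *rule_sets: list):
        self.name = name
        self.rules = [r for rs in rule_sets for r in rs]   # "paste" rule sets together

    def evaluate(self, pkt: dict) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return DENY   # default deny: this is what stops a subverted host from pivoting


def restrict_to(rule_set: list, peers: list) -> list:
    """Augment a protocol rule set so it applies only to the listed peer networks."""
    return [replace(r, peer=p) for r in rule_set for p in peers]


def audited(rule_set: list) -> list:
    """Turn Allow rules into Allow-and-Audit without changing what they permit."""
    return [replace(r, action=ALLOW_AUDIT) if r.action == ALLOW else r for r in rule_set]


# Pre-defined, protocol-level rule sets (names and ports are this example's assumptions).
PREDEFINED = {
    "http-server": [Rule(ALLOW, "tcp", 80)],
    "dns-client": [Rule(ALLOW, "udp", 53, direction="out")],
    "hr-app-server": [Rule(ALLOW, "tcp", 8443)],
    "ssh-server": [Rule(ALLOW, "tcp", 22)],
    "web-client": [Rule(ALLOW, "tcp", 80, direction="out"),
                   Rule(ALLOW, "tcp", 443, direction="out")],
}

GATEWAY = "203.0.113.1"          # assumed address of the corporate Internet gateway

POLICIES = {
    # HR server: the application's rule set, but only from two authorized hosts
    "hr-server": Policy("hr-server",
                        restrict_to(PREDEFINED["hr-app-server"], ["10.1.5.20/32", "10.1.5.21/32"])),
    # Guest workstation: web traffic to the Internet gateway only, nothing on the corporate LAN
    "guest": Policy("guest", restrict_to(PREDEFINED["web-client"], [GATEWAY + "/32"])),
    # Exposed web server: serve HTTP, resolve names via one resolver, act as a client for nothing else
    "web-server": Policy("web-server", PREDEFINED["http-server"],
                         restrict_to(PREDEFINED["dns-client"], ["10.1.0.53/32"])),
    # Monitored server: SSH from the finance subnet is allowed, and every such session is logged
    "monitored": Policy("monitored",
                        audited(restrict_to(PREDEFINED["ssh-server"], ["10.1.7.0/24"]))),
}

# Device sets: each device belongs to exactly one set, and each set has exactly one policy.
DEVICE_SETS = {"hr-servers": "hr-server", "guest-workstations": "guest",
               "dmz-web": "web-server", "finance-jump-hosts": "monitored"}


def decide(device_set: str, pkt: dict) -> str:
    """Decision a device in `device_set` makes for `pkt` (peer = remote host, port = service port)."""
    return POLICIES[DEVICE_SETS[device_set]].evaluate(pkt)


if __name__ == "__main__":
    # Constructed sample traffic, one packet per scenario discussed above.
    samples = [
        ("hr-servers", dict(dir="in", proto="tcp", port=8443, peer="10.1.5.20")),
        ("hr-servers", dict(dir="in", proto="tcp", port=8443, peer="10.1.9.9")),
        ("guest-workstations", dict(dir="out", proto="tcp", port=443, peer=GATEWAY)),
        ("guest-workstations", dict(dir="out", proto="tcp", port=445, peer="10.1.2.3")),
        ("dmz-web", dict(dir="in", proto="tcp", port=80, peer="198.51.100.7")),
        ("dmz-web", dict(dir="out", proto="tcp", port=23, peer="10.1.2.3")),   # telnet pivot attempt
        ("finance-jump-hosts", dict(dir="in", proto="tcp", port=22, peer="10.1.7.44")),
    ]
    for ds, pkt in samples:
        print(f"{ds:20} {pkt['dir']:3} {pkt['proto']}/{pkt['port']:<5} {pkt['peer']:15} -> {decide(ds, pkt)}")
```

Running the script prints the decision for each constructed packet. The property worth noticing is that every policy ends in an implicit deny, so the Web server's outbound telnet attempt is dropped even though no rule mentions telnet, while the audited SSH rule returns an allow decision and only adds logging.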
Determine Where You Want to Deploy Individual EFW Devices
After you have determined your security goals, you need to determine which machines in
your network need to be protected. The following list provides some examples:
• Critical internal servers (such as databases and mail servers)
• Other workstations (such as guest workstations)
• Exposed servers (such as a Web server)
Determine What Device Sets You Will Need
EFW devices are associated with a particular policy through the device set to which they
are assigned. Each EFW device must be assigned to a device set, and each device set is
associated with a single policy that determines the behavior of the EFW devices assigned
to that device set.
Planning Your Configuration