3Com 3CR990 Quick Start Manual

Made by: 3Com
Type: Quick Start Guide
Category: Network Card
Pages: 18
Size: 0.4 MB


Embedded Firewall Software for the 3CR990 Network Interface Card (NIC) Family

Quick Start Guide

Published December 2001

3Com Corporation
5400 Bayfront Plaza
Santa Clara, California

Copyright © 2001 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any 
form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) 
without written permission from 3Com Corporation.

3Com, EtherCD, and EtherLink are registered trademarks and the 3Com logo is a trademark of 3Com Corporation. 
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be 
registered in other countries.

Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. 

All other company and product names may be trademarks of the respective companies with which they are associated.

3Com Corporation reserves the right to revise this documentation and to make changes in content from time to 
time without obligation on the part of 3Com Corporation to provide notification of such revision or change.

3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or 
expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory 
quality, and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or 
the program(s) described in this documentation at any time.

If there is any software on removable media described in this documentation, it is furnished under a license 
agreement included with the product as a separate document, in the hard copy documentation, or on the 
removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please 
contact 3Com and a copy will be provided to you.




If you are a United States government agency, then this documentation and the software described herein are 
provided to you subject to the following: 


All technical data and computer software are commercial in nature and developed solely at private expense. 
Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a 
“commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 
3Com’s standard commercial license for the software. Technical data is provided with limited rights only as 
provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not 
to remove or deface any portion of any legend provided on any licensed program or documentation contained in, 
or delivered to you in conjunction with, this user guide.




This 3Com product and/or software contains encryption and may require U.S. and/or local government 
authorization prior to export or import to another country.


What You Will Need
Installing EFW Policy Server and Management Console Software
Initializing the Policy Server
Starting the Management Console and Connecting to the Policy Server
Setting up License-activation Keys
Creating and retaining a recovery diskette
Importing the “No sniffing, no spoofing” Pre-defined Policy and Assigning it to the Default Device Set
Installing and Registering an EFW NIC
  Verifying NIC Registration
Changing the Policy for an EFW NIC
  Importing the “Windows 2000 Standard” Rule Set
  Creating a Policy
  Creating a Sample Device Set
  Moving the EFW NIC to the New Device Set
Testing Policy Enforcement and Viewing Audit Data
Expanding Your EFW Configuration

Quick Start Guide


This quick start guide assists you in installing and configuring a basic EFW 
system that you can use as a starting point to tailor the system to your 
organization’s security needs. 

After completing the steps in this guide, you will have a basic EFW system 
setup that includes:



- An operational Policy Server and Management Console
- A single embedded firewall (EFW) NIC
- An understanding of how to import and create policies
- An understanding of how to change the policy for a NIC

The final section in this guide points you to key sections in the Embedded Firewall Administration Guide that provide detailed information for expanding your EFW system to best suit your security needs.


What You Will Need


Before you install the EFW software, you will need:



- A computer to host the Policy Server and Management Console that meets the following requirements:
  - Operating system: Microsoft Windows 2000 or Windows NT 4-SP4
  - CPU: 600 MHz or higher (recommended)
  - RAM: 128 MB
  - Disk space: 150 MB
  - Monitor/video: 256 colors or higher, screen area set to 600 x 800 or
  - System with a static IP address
- A second computer to host an embedded firewall that meets the following requirements:
  - Operating system: Microsoft Windows 2000, Windows XP Professional, Windows NT 4-SP3, or Windows 98
  - CPU: No minimum requirement
  - RAM: 16 MB
  - Web browser with access to the Internet (for testing purposes)
  - 3CR990 NIC with factory drivers installed and operational in the network
- Network connectivity between the two systems listed above
- Capability to move file folders larger than a diskette between the two systems (for example, a zip drive on each system, file compression software and FTP on both systems, a shared drive, etc.)
- One 3.5” diskette for creating a recovery diskette
- Administrative privileges on both systems (required to install and run EFW software as instructed here)

You should also become familiar with the 3Com Embedded Firewall Administration Guide. If you encounter problems during installation, refer to Appendix B, “Troubleshooting,” in that guide. It offers a list of common problems you may encounter and offers suggestions for solving these problems. If you have any further questions, contact 3Com technical support as described in the administration guide.


Installing EFW Policy Server and 
Management Console Software 


The steps below provide instructions for installing a Policy Server and 
Management Console on a single system using the Typical installation method.




Insert the 3Com product CD in the appropriate drive; the Installation wizard launches automatically, and a Welcome window appears.

. The License Agreement window appears.

Read the terms of the license agreement, and select I accept the terms in the license agreement. Click
. The Customer Information window appears.

Type your user name and organization name in the appropriate fields.
. The Installation Type window appears.

Typical Centralized Management. This selection installs the Policy Server software and Management Console software.

. In the EFW Domain Association window, select Create a new EFW domain

. The Ready to Install the Program window appears.

. The Installation wizard installs the features you selected. A status bar appears, allowing you to monitor the installation progress.

When the Installation wizard is complete, the InstallShield Wizard Completed window appears.

 to complete the installation process.

When the window appears asking if you want to start the Policy Server now, click






Initializing the Policy Server


The first time you start the Policy Server, the Join Existing EFW Domain or 
Create EFW Domain window appears. Follow the steps below.




Select the host name or IP address for the new Policy Server from the list displayed.

If all EFW NICs and Policy Server hosts in your EFW domain will reside on one network, select the host name.

Otherwise, select an IP address such that:

- the NICs that will belong to this EFW domain can resolve this address
- traffic originating at the Policy Server machine and going to the EFW NICs in this domain is routed through the network card on the Policy Server machine corresponding to this address.

In most cases only one IP address is offered on this screen.

Confirm Create New Domain

Enter a domain name in the Domain Name field.

The domain name is used only as a reference to assist you in identifying a particular domain, if multiple domains are created.

. A Policy Server Startup window appears, displaying the status of the various Policy Server components.

When “Policy Server Initialized” appears at the bottom of the window, the Policy Server is fully operational. To close this window, click the X in the upper right corner of the window. (This window is informational only and may be left open or closed at any time without affecting the Policy Server.)

Under some network configurations, you may successfully select the host name option here, even if your EFW domain is spread across several networks. If you are interested in examining this option in detail now, refer to the section “Joining a New Policy Server to a Domain” in the 3Com Embedded Firewall Administration Guide.

After first start-up, the Policy Server automatically starts when the system is rebooted.




Starting the Management Console and 
Connecting to the Policy Server


The Management Console is the administrative interface to the Policy Server. 
You can configure the system and view data using the Management Console. 
To start the Management Console, follow the steps below.




From the Windows Start menu, select 3Com Embedded Firewall Management. One of the following two options appears:

- 3Com Embedded Firewall Management Console: If this option appears, select it to open the 3Com Embedded Firewall Login window.
- 3Com MMC Embedded Firewall Management Console: If this option appears, select it to open the 3Com MMC Embedded Firewall Management Console, and then double-click Embedded Firewall Management Console. The 3Com Embedded Firewall Login window

Enter your EFW login name and password in the appropriate fields. The default EFW login and password for a new system are as follows:

Select the Policy Server that you just created from the Policy Server list.

. The Embedded Firewall Management Console window appears, and the Policy Server to which you are connected is listed in the tree-view frame of the Server tab.


Setting up License-activation Keys


License-activation key numbers are provided with the EFW software. The first 
time you log in to the system, you must enter these keys to enable all of the 
EFW functionality. Three types of licenses exist: Policy Server licenses, EFW 
server NIC licenses, and EFW desktop NIC licenses. To complete the steps in 
this quick start guide, you need to add an activation key for the Policy Server 
you created, and for the EFW NIC you will be adding in a later section of 
this guide. 




An information window appears the first time you connect to the Management Console, notifying you that no Policy Server or NIC licenses currently exist. You will learn how to add license-activation keys in the following section of this guide. Click
 to close the License Warning window.

To add the activation keys, follow the steps below.

In the Management Console
 menu, select License Manager. The License Summary window appears.

Add Keys. The Add Activation Key window appears. Enter the activation key and click
 for each activation key that you want to add.

When you have finished adding activation keys, click
 to close the Add Activation Key window.

 to close the License Summary window. All EFW system functionality is now available.

For more information on license-activation keys, refer to the section “Licensing 
Overview” in the 3Com Embedded Firewall Administration Guide.

Creating and retaining a recovery diskette

Communication is encrypted between EFW devices and the Policy Server, 
between the Management Console and the Policy Server, and between Policy 
Servers. Policy Servers identify themselves to each other, to the Management 
Console, and to their EFW devices (NICs) using two public/private key pairs 
generated upon creation of a new EFW domain. 

After installing your first policy server in an EFW domain, it is critical to make a 
copy of the files named public.key and server.keystore from your installation. 
Save this data indefinitely in a safe, secure location.

In the unlikely event of a disaster, such as a disk crash on all of your policy 
server machines and a simultaneous loss of all disk backups for these 
machines, this recovery diskette allows you to “clone” your policy server and 
regain management control of your NICs. A clean installation of the policy 
server cannot communicate with your EFW NICs (which is the intended design, 
for security reasons).

If you do not create a recovery diskette and you lose all policy server 
installation data, you will not be able to recover your NICs. 
continue to enforce the fallback mode specified in their last EFW policy, 
indefinitely. These NICs must be replaced in order to obtain a different policy.

To create a recovery diskette, follow the steps below.

1. Insert a formatted 3.5” diskette into the a: drive of the computer hosting the Policy Server.
2. Save the public.key and server.keystore files to diskette. (These files are located in Program Files -> 3Com Corporation -> 3Com EFW.)
3. Remove and label the diskette, and store it in a secure location for as long as any EFW NIC remains in the domain for this Policy Server.
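
Because the recovery copy is the only way back to managing the NICs, it is worth confirming that both files copied intact and can be re-checked later. The following is an added example, not part of the 3Com guide or the EFW software: it copies public.key and server.keystore, compares SHA-256 digests of source and copy, and writes a manifest so the copy can be re-verified after storage. The manifest file name and the function names are hypothetical.

```python
import hashlib
import json
import shutil
from pathlib import Path

# The two files the guide says must be preserved.
KEY_FILES = ("public.key", "server.keystore")
# Hypothetical manifest name chosen for this example; not an EFW file.
MANIFEST = "efw-recovery-manifest.json"


def sha256_of(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_recovery_copy(install_dir, dest_dir):
    """Copy both key files to dest_dir and confirm each copy is identical."""
    install_dir, dest_dir = Path(install_dir), Path(dest_dir)
    missing = [n for n in KEY_FILES if not (install_dir / n).is_file()]
    if missing:
        # Refuse to produce a partial copy: both files are needed.
        raise FileNotFoundError(f"not found in {install_dir}: {', '.join(missing)}")
    dest_dir.mkdir(parents=True, exist_ok=True)
    digests = {}
    for name in KEY_FILES:
        shutil.copyfile(install_dir / name, dest_dir / name)
        digests[name] = sha256_of(install_dir / name)
        if sha256_of(dest_dir / name) != digests[name]:
            raise IOError(f"copy of {name} does not match the original")
    # The manifest detects media decay or truncation; it does not protect
    # against deliberate tampering, since it is stored on the same medium.
    (dest_dir / MANIFEST).write_text(json.dumps(digests, indent=2))
    return digests


def verify_recovery_copy(dest_dir):
    """Re-check a stored copy against its manifest; return a list of problems."""
    dest_dir = Path(dest_dir)
    digests = json.loads((dest_dir / MANIFEST).read_text())
    problems = []
    for name in KEY_FILES:
        path = dest_dir / name
        if not path.is_file():
            problems.append(f"{name}: missing")
        elif sha256_of(path) != digests.get(name):
            problems.append(f"{name}: contents changed")
    return problems


if __name__ == "__main__":
    import tempfile
    # Constructed stand-in files so the example runs without an EFW install.
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "3Com EFW"
        src.mkdir()
        (src / "public.key").write_bytes(b"constructed public key bytes")
        (src / "server.keystore").write_bytes(b"constructed keystore bytes")
        print(make_recovery_copy(src, Path(tmp) / "diskette"))
        print(verify_recovery_copy(Path(tmp) / "diskette") or "copy verified")
```
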

Importing the “No sniffing, no spoofing” Pre-defined 
Policy and Assigning it to the Default Device Set

After you have added the appropriate license-activation keys, you can import 
or create policies to assign to your EFW NICs. In this section you will import a 
single pre-defined policy (the “No sniffing, no spoofing” policy) and assign it 
to the existing default device set. After this policy is assigned to the default 
device set, any NICs that automatically register with the Policy Server receive 
the “No sniffing, no spoofing” policy because these NICs are automatically 
placed in the default device set upon registration. 

To import the “No sniffing, no spoofing” pre-defined policy, follow the 
steps below.

1. From the Main menu, select Import Policy/Rule set. The Import Policy/Rule Set window appears.
2. Select Policy and click Next.
3. Click Browse and navigate to Program Files -> 3Com Corporation -> 3Com EFW -> predefined-policies-rulesets.xml. Click Next. A list of the policies contained in the file appears.
4. Select the No sniffing, no spoofing pre-defined policy and click Next. A summary window appears, showing the policy you selected.
5. Click Import. A message appears indicating whether the import was
6. Click Finish.

After you have imported the “No sniffing, no spoofing” policy, you can assign it to the default device set by following the steps below.

1. In the Management Console, click the Device Sets tab in the bottom left portion of the window.
2. Click Default Device Set in the tree-view frame. An information window for the default device set appears in the working frame.
3. Click the Policy drop-down list, and select No sniffing, no spoofing policy.
4. Click Save.


Installing and Registering an EFW NIC

You are now ready to install and register an EFW NIC using the network 
installation method.

1. In the Management Console Tools menu, select Create NIC Installation. The EFW NIC Install Package wizard launches automatically.
2. Select Network as the installation package type and click Next.
3. From the drop-down list, select the first contact Policy Server for the NIC installation when prompted. (This Policy Server is the one that you created during the installation process earlier in this guide.) Click Next.
4. Choose the location to which you want to save the installation information. (A network installation package does not fit on a 3.5” diskette.) Click Next.
5. Review the information you entered, and click Create to create the installation package for the network. When prompted, click Finish.
6. Manually copy the contents of the folder specified in Step 4 to a temporary directory on the computer that will receive the EFW NIC installation (on a computer on which a 3Com 3CR990 NIC is installed).
7. On the computer receiving the EFW NIC installation, run the setup.exe file located in the temporary directory that was copied in Step 6. (For larger installations of multiple NICs, you can simply run the installation from a login script or other installation utility.)

NOTE: You may assign any policy to the default device set. The “No sniffing, no spoofing” policy is generally a good choice, since it increases network security and blocks few legitimate activities on the network. If you have a system that requires sniffing, spoofing, or both capabilities, you can manually register it and assign it to a device set with a different policy, or you can allow it to register with the system to the default device set and then move it to a different device set.

NOTE: If diagnostics are desired for a NIC installation, install them first from the 3Com EtherCD before installing EFW. Installing them over EFW may make the card inoperable.

NOTE: After installation of EFW on a card, installing any non-EFW firmware over this EFW installation may render the card inoperable. If you wish to install non-EFW firmware on an EFW NIC, you must first successfully delete the NIC from its EFW domain using the Management Console, as noted in the section “Uninstalling an EFW NIC” in the 3Com Embedded Firewall Administration Guide.

Verifying NIC Registration

The NIC automatically registers with the Policy Server on the final reboot 
that is required by the installation process. When the computer has finished 
rebooting, the EFW NIC is displayed in the Management Console. To verify 
that the EFW NIC registered correctly, follow the steps below.

1. In the Management Console, click the Device Sets tab in the lower left corner of the window.
2. Select Edit -> Refresh.
3. Click on the Default Device Set in the tree-view frame. The NIC should be listed in the default device set.
4. If desired, remove the temporary directory created for the NIC installation

For information on other installation methods, refer to the section “Distributing and Installing the EFW NIC Firmware” in the 3Com Embedded Firewall Administration Guide.

Changing the Policy for an EFW NIC

You can allow all EFW NICs to register with the default device set, and then 
move them to a different device set at a later time. To demonstrate this move, 
you will:

- create a rule set,
- create a policy and add the new rule set,
- assign the new policy to a device set, and
- move the EFW NIC to the device set.

NOTE: Before you change the policy for the EFW NIC, test your Internet access to ensure that the system hosting the EFW NIC can navigate to the 3Com Web site, by connecting to www.3com.com. In a later section, you will attempt to access the same Web site, which at that point should be denied by the policy being enforced.


Importing the “Windows 2000 Standard” Rule Set

Before you create the sample policy, you need to import the Windows 2000 
Standard rule set, which will be added to the sample policy in the next section. 

To import the Windows 2000 Standard rule set, follow the steps below.

1. From the Main menu, select Import Policy/Rule set. The Import Policy/Rule Set window appears.
2. Select Rule Set and click Next.
3. Click Browse and navigate to Program Files -> 3Com Corporation -> 3Com EFW -> predefined-policies-rulesets.xml. Click Next. A list of the rule sets contained in the file is displayed.
4. Select the Windows 2000 Standard pre-defined rule set and click Next. A summary window appears, showing the rule set you selected.
5. Click Import. A message appears indicating whether the import was
6. Click Finish.

After you have imported the Windows 2000 Standard rule set, you can create 
a sample policy by following the steps in the section below. 

Creating a Policy

In this section you will create a sample policy (called the “No IP Initiation” policy) that can be used on a system where the security goal is to minimize the threat to your network if the machine is taken over by a hostile external or internal agent. To achieve this goal, you will create a policy that:

- Allows the system to boot up as a member of a Windows domain (achieved by implementing the Windows 2000 Standard rule set in step 6 below).
- Does not allow the system to initiate any TCP communication beyond that allowed to boot up and connect to the network domain, etc. This disallowance prevents a hostile agent from using this machine as a launching point for an attack on the network (achieved by the rule created in step 7 below).

This type of policy would normally be used for a server machine. It is not appropriate for an end-user workstation because it would not allow the user to initiate any network traffic.

To create the “No IP Initiation” policy, follow the steps below.

1. In the Management Console Main menu, select New -> Policy. The Create a New Policy window appears.
2. Type No IP Initiation in the Policy field and click OK. The new policy information appears in the working frame.
3. Select the following policy-setting check boxes:
   - No Sniffing
   - No Spoofing, No Routing
   - Allow non-IP Traffic
   - Allow Fragmented IP Packets
   - Allow IP Options
4. Select Allow All Traffic in the Fallback Mode drop-down list. A fallback policy is used by a NIC if it is unable to reach the Policy Server on boot-up.
5. Type a description of the policy in the Description field, if desired. This field is optional and exists solely to assist an administrator in assigning policies. You can include information about what the policy does, or when to use it (for example, the bulleted information provided at the beginning of this section).
6. The access control list (ACL) initially contains only the default rule. Add the Windows 2000 Standard rule set as follows:
   a. In the Policy menu, select Rule Set (or click the icon). The Rule Set Manager window appears.
   b. Click on the Windows 2000 Standard Rule Set (that you imported in step 4 of “Importing the ‘Windows 2000 Standard’ Rule Set”) to select it, and then click Add To Policy.
   c. Click Close. The rule set should appear in the ACL.
7. Create a “Deny outbound TCP SYN” rule as follows:
   a. In the Policy menu, select Add Rule (or click the icon). A new rule appears in the ACL.
   b. Click in the Rule Name cell, and type Deny outbound TCP SYN.
   c. Click in the Action cell, and select Deny from the drop-down list.
   d. Click in the Source IP Address cell, and select EFW Device IP from the drop-down list.
   e. Click in the IP Protocol cell, and select tcp (6) init from the drop-down list.
   f. Click in the Direction cell, and select Out from the drop-down list.
   g. Click the check box in the Audit cell to enable audit.

   You now have an effective “Deny outbound TCP SYN” rule. This rule should directly follow the Windows 2000 Standard rule set you added in step 6. If it does not, highlight the Deny outbound TCP SYN rule row, and use the arrow buttons to position it directly after the Windows 2000 Standard rule set.
8. Click Save to save the new policy information.

For more information on creating policies, refer to the section “Creating 
Policies and Rules” in the 3Com Embedded Firewall Administration Guide.
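
The effect of the rule ordering in steps 6 and 7 can be seen in a small model of the ACL. This is an added example, not 3Com code and not the EFW rule format. It assumes the ACL is evaluated top to bottom with the first matching rule deciding, that the default rule allows, and that “tcp (6) init” matches a TCP segment with SYN set and ACK clear. All addresses are constructed, and the single “domain logon” rule is a stand-in, because the contents of the Windows 2000 Standard rule set are not shown in this guide.

```python
from dataclasses import dataclass
from typing import Optional

SYN, ACK = 0x02, 0x10                  # TCP flag bits
DEVICE_IP = "192.0.2.10"               # constructed; stands in for "EFW Device IP"
DC_IP = "192.0.2.1"                    # constructed domain controller address
WEB_IP = "198.51.100.80"               # constructed external host


@dataclass
class Packet:
    direction: str                     # "in" or "out", relative to the NIC
    src: str
    dst: str
    proto: str
    dport: int
    flags: int = 0

    def is_tcp_init(self) -> bool:
        # Assumption: "tcp (6) init" means SYN set and ACK clear.
        return self.proto == "tcp" and bool(self.flags & SYN) and not self.flags & ACK


@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    direction: Optional[str] = None    # None matches any value
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    init_only: bool = False            # match connection-opening segments only
    audit: bool = False

    def matches(self, p: Packet) -> bool:
        fields = (("direction", p.direction), ("src", p.src), ("dst", p.dst),
                  ("proto", p.proto), ("dport", p.dport))
        if any(getattr(self, k) not in (None, v) for k, v in fields):
            return False
        return p.is_tcp_init() if self.init_only else True


# Constructed stand-in for the Windows 2000 Standard rule set.
RULE_SET = [Rule("stand-in: domain logon", "allow", "out", DEVICE_IP, DC_IP, "tcp", 445)]
DENY_SYN = Rule("Deny outbound TCP SYN", "deny", "out", DEVICE_IP,
                proto="tcp", init_only=True, audit=True)
DEFAULT = Rule("default", "allow")     # assumption: the default rule allows

GUIDE_ORDER = RULE_SET + [DENY_SYN, DEFAULT]     # deny rule directly after the rule set
MISPLACED = [DENY_SYN] + RULE_SET + [DEFAULT]    # deny rule ahead of the rule set


def evaluate(acl, packet, audit_log):
    """First-match evaluation; audited rules append a record to audit_log."""
    for rule in acl:
        if rule.matches(packet):
            if rule.audit:
                audit_log.append((rule.name, rule.action, packet.dst, packet.dport))
            return rule.action
    raise ValueError("ACL must end with a default rule")


def run_scenarios(acl):
    """Return (verdict per scenario, audit records) for four constructed packets."""
    packets = {
        "browse_out": Packet("out", DEVICE_IP, WEB_IP, "tcp", 80, SYN),
        "domain_logon": Packet("out", DEVICE_IP, DC_IP, "tcp", 445, SYN),
        "client_in": Packet("in", WEB_IP, DEVICE_IP, "tcp", 80, SYN),
        "reply_out": Packet("out", DEVICE_IP, WEB_IP, "tcp", 50000, SYN | ACK),
    }
    audit_log = []
    verdicts = {name: evaluate(acl, p, audit_log) for name, p in packets.items()}
    return verdicts, audit_log


if __name__ == "__main__":
    for label, acl in (("guide order", GUIDE_ORDER), ("deny rule first", MISPLACED)):
        verdicts, audit = run_scenarios(acl)
        print(label, verdicts, audit, sep="\n  ")
```

In the guide's order the host can still open its domain connection and answer inbound clients, while a new outbound connection is denied and audited; with the deny rule placed ahead of the rule set, the domain connection is denied as well.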

Creating a Sample Device Set

Next you will create a sample device set that enforces the policy you created 
in the previous section. A device set is a collection of EFW devices that are 
associated with a specific policy. You can define any number of device sets and 
assign EFW devices to any one of those device sets.

To create the sample device set, follow the steps below.

1. From the Main menu, select New -> Device Set. The New Device Set window appears.
2. Type Sample in the Device Set Name field.
3. Select the No IP Initiation policy, which you created in the previous section, from the Policy for the New Device Set box.
4. Click OK. The device set information appears in the working frame.
5. Select a heartbeat interval of 15 minutes from the Heartbeat drop-down list. (The heartbeat determines how often the EFW devices issue a heartbeat, or status update, to the Policy Server.)
6. Type Sample device set enforcing the No IP Initiation policy in the Description field. This field is optional and exists solely to assist an administrator in identifying the contents of the device set.
7. Click Save.


Moving the EFW NIC to the New Device Set

Now that you have multiple device sets, you can move the EFW NIC from 
the default device set to the No IP Initiation device set that you created in 
the previous section by following the steps below.

1. In the Management Console, click the Device Sets tab in the tree-view frame.
2. Click Default Device Set. This device set contains the EFW NIC that you added earlier in this guide.
3. In the Device box, highlight the EFW device, and then click Move.
4. A list of alternative device sets appears. Select the Sample device set that you created in the previous section, and click OK. You will see a feedback window indicating that the new policy has been distributed to the embedded firewall. The EFW device is moved to the new device set and now enforces the new policy.

Testing Policy Enforcement and Viewing Audit Data

At this point you should have an EFW NIC enforcing the No IP Initiation policy. 
To ensure that the policy is functioning as expected, the following steps 
attempt to connect to the Internet by initiating the TCP protocol HTTP, which 
should be denied by the policy being enforced. You will then view the audit 
generated by the failed attempt.

1. On the machine hosting the EFW NIC, attempt to connect to www.3com.com. If you were denied access to the site, the EFW NIC is correctly enforcing the “No IP Initiation” policy. If you were able to connect to the site, go back to the “Creating a Policy” section in this guide and verify that you correctly set up the policy rules.
2. To view the audit generated by this access attempt using the Management Console, follow the steps below:
   a. In the Audit menu, select Audit Browser (or click the
   b. In the Query menu, select New (or click the icon). The Query Editor window appears.
   c. Type All Recent Audit Records in the Query Name field.
   d. In the Rule tab, select the All Devices check box in the For area, and the All rule matches check box in the Show area.
   e. In the Policy tab, select the All Policies check box in the For area, and the All policy events check box in the Show area.
   f. In the Administrator tab, select the All administrator components check box in the For area, and the All administrator events check box in the Show area.
   g. Click OK.
   h. In the Audit Browser window in the List of Queries, click on the All Recent Audit Records query you just created. In the Query menu, select Execute (or click the
   i. Double-click on any event in the table to see detailed information for that event.

   The audit results should appear in table format. For information on viewing audit results, refer to the section “Audit Information” in the 3Com Embedded Firewall Administration Guide.

Expanding Your EFW Configuration

Now that you have a basic EFW system configured and running, you can 
expand your configuration as needed to best suit your organization’s security 
needs. The following list provides some sectional references to the 3Com 
Embedded Firewall Administration Guide 
that will assist you in expanding 
your configuration.

- To add additional EFW NICs to your system, refer to “Distributing and Installing the EFW NIC Firmware.”
- To create additional policies, refer to “Creating Policies and Rules.”
- To add additional Policy Servers for redundancy, refer to “Policy Servers for Redundancy.”
- To install additional remote Management Consoles, refer to “Installing and Uninstalling EFW Software”
- For an overview of EFW and its basic components, concepts, and operations, refer to Chapter 1, “Planning and Overview.”