Preface

SunScreen^TM 3.1 for the Solaris Operating environment is part of the family of SunScreen products that provide a solution to security authentication and privacy requirements. SunScreen gives companies a means of securing department networks connected to a public internetwork.

This SunScreen 3.1 Administration Guide provides all the information necessary to configure and administer SunScreen on your network. Other manuals in the SunScreen documentation set include the SunScreen Installation Guide, the SunScreen Reference Manual, the SunScreen Configuration Examples manual, and the SKIP User's Guide.

Who Should Use This Book

The SunScreen 3.1 Administration Guide is intended for SunScreen system administrators responsible for the operation, support, and maintenance of network security. In this guide, it is assumed that you are familiar with UNIX system administration and TCP/IP networking concepts, and with your network topology.

SunScreen 3.1 Lite

SunScreen 3.1 Lite is a stateful, packet-filtering firewall that has a subset of the features in SunScreen 3.1. It protects individual servers and small work groups.

This manual applies to both the SunScreen 3.1 Lite and the full version of SunScreen 3.1. Keep the following difference and similarities in mind when configuring and administering SunScreen 3.1 Lite.

Supported Features

SunScreen 3.1 Lite supports the following SunScreen features. A SunScreen 3.1 Lite firewall:

• Can do basic packet filtering.

• Can administer a Screen from a remote Administration Station.

• Can be used in Virtual private networks (VPNs).

• Can be used for CMG Secondary machines.

• Uses SunScreen SKIP (Simple Key-Management for Internet Protocols) for encryption. SunScreen SKIP is included as part of SunScreen 3.1 Lite and is automatically installed.

Limitations

SunScreen 3.1 Lite does not support the following SunScreen features. A SunScreen 3.1 Lite firewall:

• Cannot be a member of a high availability (HA) cluster.

• Does not support stealth-mode operation.

• Does not support proxies.

• Cannot create and cannot be made the primary Screen in in a CMG group.

• Cannot support more than two interfaces; the filtering mechanisms ignore any other interfaces.

• Cannot support more than ten unregistered IP addresses that can be translated to registered address using Network Address Translation (NAT); it is limited to two NAT rules.

• Ignores the time-of-day field. It makes all rules active while that policy is active.

• Does not support and cannot create the time objects.

• Does not support and cannot create the ADMIN, HA, or STEALTH interfaces.

How This Guide Is Organized

The SunScreen 3.1 Administration Guide contains the following chapters and appendixes:

• Chapter 1, Starting the Administration GUI and Logging In covers the basic concepts as well as the procedures for starting and configuring the Java-based browser, and logging in to the administration graphical user interface (GUI). It also covers how you define the access levels for administrative users.

• Chapter 2, Getting Status and Managing Logs describes the Information page in the administration GUI, viewing statistics and logs, and setting the retrieval mode.

• Chapter 3, Working with Common Objects contains the procedures for using the administration GUI to add, delete, and rename the Common Objects.

• Chapter 4, Creating and Managing Rules describes packet filtering, administrative access rules, Network Address Translation (NAT), and Virtual Private Networks (VPN).

• Chapter 5, Creating and Managing Policies tells you how to how to create a policy file that describes how you want your SunScreen firewall to function. This chapter also contains many policy management procedures.

• Chapter 6, Using High Availability describes setting up and managing a Highly Available (HA) SunScreen configuration.

• Chapter 7, Setting Up and Using Proxies tells you how to use proxies to provide content filtering and user authentication.

• Chapter 8, Configuring Centralized Management Groups descrtibes how you set up multple SunScreen to be managed from one location.

• Chapter 9, Adding Remote Administration Stations After Installation describes how you can add aditionalremote administration stations to your network.

• Appendix A, Using the Command Line contains procedures for using the UNIX command line to manage a SunScreen firewall.

• Appendix B, Quick Start Procedures contains detailed information about:

  • Telnet proxy service with and without proxy user authentication

  • FTP proxy service with and without proxy user authentication

  • HTTP proxy service

  • SMTP proxy service

  • Configuring RADIUS Authentication

  • Telnet and FTP proxy service with RADIUS user authentication

  • SecurID clients supported by SunScreen

  • Telnet and FTP proxy service with SecurID user authentication

  • Port-by-port using mixed mode with proxies

Ordering Sun Documents

Fatbrain.com, an Internet professional bookstore, stocks select product documentation from Sun Microsystems, Inc.

For a list of documents and how to order them, visit the Sun Documentation Center on Fatbrain.com at http://www1.fatbrain.com/documentation/sun.

Accessing Sun Documentation Online

The docs.sun.com^SM Web site enables you to access Sun technical documentation online. You can browse the docs.sun.com archive or search for a specific book title or subject. The URL is http://docs.sun.com.

Getting Support for SunScreen Products

If you require technical support, contact your Sun sales representative or Sun Authorized Reseller. See

http://www.sun.com/service/contacting/index.html for information on contacting Sun and

http://internet.central.sun.com/service/support/index.html for information on Sun's support services.

Typographic Conventions

The following table describes the typographic changes used in this book.

Table P-1 Typographic Conventions

Typeface or Symbol	Meaning	Example
AaBbCc123	The names of commands, files, and directories; on-screen computer output	Edit your .login file. Use ls -a to list all files. machine_name% you have mail.
AaBbCc123	What you type, contrasted with on-screen computer output	machine_name% su Password:
AaBbCc123	Command-line placeholder: replace with a real name or value	To delete a file, type rm filename.
AaBbCc123	Book titles, new words, or terms, or words to be emphasized.	Read Chapter 6 in User's Guide. These are called class options. You must be root to do this.

Shell Prompts in Command Examples

The following table shows the default system prompt and superuser prompt for the C shell, Bourne shell, and Korn shell.

Table P-2 Shell Prompts

Shell	Prompt
C shell prompt	machine_name%
C shell superuser prompt	machine_name#
Bourne shell and Korn shell prompt	$
Bourne shell and Korn shell superuser prompt	#

Related Books and Publications

You may want to refer to the following sources for background information on network security, cryptography, and SKIP.

• Computer Security Policies and SunScreen Firewalls Kathryn M. Walker and Linda Croswhite Cavanaugh Sun Microsystems Press, 1998, ISBN 0-13-096015-0

• Access Denied Gene Scott Adams Andrews McMeel, September 1996 ISBN: 0836221915

• Building Internet Firewalls, 1st edition D. Brent Chapman and Elizabeth D. Zwicky O'Reilly & Associates, September 1995, ISBN 1-56592-124-0

• Firewalls and Internet Security: Repelling the Wily Hacker William R Cheswick and Steven M. Bellovin Addison-Wesley, June 1994, ISBN 0-201-63357-4

• Internetworking with TCP/IP, Volume 1: Principles, Protocols, and Architecture Douglas E. Comer Prentice Hall, March 1995, ISBN 0-13-216987-8

• Practical UNIX and Internet Security, 2nd edition Simson Garfinkel and Gene Spafford O'Reilly & Associates, April 1996, ISBN 1-56592-148-8

• SOLARIS Security, 1st edition Peter H. Gregory Sun Microsystems Press, 2000, ISBN 0-13-096053-5

• TCP/IP Network Administration, 2nd edition Craig Hunt O'Reilly & Associates, December 1997, ISBN 1-56592-322-7

• Network Security: Private Communication in a Public World Charlie Kaufman, Radia Perlman, and Mike Speciner Prentice Hall, March 1995, ISBN 0-13-061466-1

• Applied Cryptography, 2nd edition Bruce Schneier John Wiley & Sons, 1996, ISBN 0-471-12845-7

• Network Security Essentials: Applications and Standards William Stallings Prentice Hall, November 1999, ISBN 0-13-016093-8

• Cryptography and Network Security: Principles and Practice William Stallings Prentice Hall, June 1998, ISBN 0-13-869017-0

• TCP/IP Illustrated, Volume 1 The Protocols W. Richard Stevens Addison-Wesley, January 1994, ISBN 0-201-63346-9

• TCP/IP Illustrated, Volume 3: TCP for Transactions, HTTP, NNTP, and the UNIX Domain Protocols W. Richard Stevens Addison-Wesley, January 1996, ISBN 0-201-63495-3

• UNIX Network Programming, Volume 1: Networking APIs: Sockets and XTI W. Richard Stevens Prentice Hall, January 1994, ISBN 0-201-63346-9

• UNIX Network Programming, Volume 2: Interprocess Communications W. Richard Stevens Prentice Hall, August 1998, ISBN 0-103-81081-9

• Firewalls 24seven, 1st edition Matthew Strebe and Charles Perkins Sybex, Inc., 1999, ISBN 0-782-12529-8

• SKIP IP-Level Cryptography [http://skip.incog.com/]

• Sun Software and Networking Security [http://www.sun.com/security/]