This chapter introduces SunScreen 3.1 Lite installation concepts.
Topics covered include:
What is SunScreen 3.1 Lite?
Operating the firewall in routing mode
Before installing SunScreen
Security issues
Software and hardware requirements
Operating system package requirements
Additional requirements and restrictions
Web browser requirements
SunScreen 3.1 Lite is a software security solution that is installed on a Solaris®-based machine. It lets companies connect their departmental networks to public internetworks securely. Depending on how you install it, SunScreen 3.1 Lite can function as a firewall and router for hosts on the network it protects.
The Screen is the firewall responsible for screening packets. You use an Administration Station to define the objects and rules that form the security policy and administer the Screen. The number of Screens and Administration Stations depends on your site's network topology and security policies. You can install all of SunScreen 3.1 Lite on a single machine (local administration) or you can install the administration software and the Screen software on different machines (remote administration).
You need a Screen at every point in the network where you want to restrict access. In the strictest sense, you need one Screen for each point in the network that has direct public access (usually one per site). One Administration Station can manage multiple Screens, although you can install more Administration Stations for redundancy and ease of access. Encryption and authentication protect access and limit management of a Screen to an authorized Administration Station.
With local administration, you administer the Screen on the Screen itself (as shown in the following figure). Local administration does not require an encrypted connection as no network traffic is generated.
With remote administration, you use a separate machine called an Administration Station to administer the Screen (as shown in the following figure). Remote administration uses encrypted communication (using SKIP) between the Screen and Administration Station so the information about the security policy in place on the Screen cannot be obtained by others.
This Lite version of SunScreen 3.1 only operates in routing mode (where the Screen performs routing as well as firewall functions).
Typically, you operate the Screen in routing mode if you need a machine to act both as a router and a firewall. In this mode, you need at least two exposed IP interfaces, and a hop visible to traceroute and other network utilities.
Be aware of the following considerations when operating in routing mode:
The existing Solaris machine must be acting as a router. The Screen uses the Solaris operating environment to provide IP routing.
The Screen makes use of the Solaris IP stack on the filtering interfaces, so it does not possess stealth characteristics.
You must divide up different networks as you would with any router.
Adding a SunScreen 3.1 Lite Screen to your network can require renumbering the IP addresses of your hosts (if you did not already have a router at the point where the Screen is being placed).
SunScreen 3.1 Lite is a stateful, packet-filtering firewall that has a subset of the features in SunScreen 3.1. It protects individual servers and small work groups.
SunScreen 3.1 Lite supports the following SunScreen 3.1 features. A SunScreen 3.1 Lite firewall:
Can do basic packet filtering.
Can administer a Screen from a remote Administration Station.
Can be used for centrally managed secondary machines.
Uses SunScreen SKIP (Simple Key-Management for Internet Protocols) for encryption, which is included as part of SunScreen 3.1 Lite and is automatically installed.
SunScreen 3.1 Lite does not support the following SunScreen features. A SunScreen 3.1 Lite firewall:
Cannot create a centrally managed group and cannot be made the primary Screen of one.
Cannot support more than two interfaces; the filtering mechanisms ignore any other interfaces.
Cannot support more than ten unregistered IP addresses that can be translated to a registered address using network address translation (NAT); it is limited to two NAT rules.
Ignores the time-of-day field in rules; every rule is active for as long as the policy that contains it is active.
Does not support and cannot create the ADMIN, HA, or STEALTH interfaces.
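A preflight check for the routing-mode considerations and the two-interface limit described above, added here as an example; it is not part of the SunScreen documentation. On Solaris 8 the two inputs come from "ndd -get /dev/ip ip_forwarding" and "ifconfig -a"; constructed samples stand in for them so the script runs offline.

```shell
#!/bin/sh
# Added preflight check for routing mode: the host must forward IP and expose
# exactly two filtering (non-loopback) interfaces. On Solaris 8 the inputs come
# from `ndd -get /dev/ip ip_forwarding` and `ifconfig -a`; the samples below
# are constructed so the script runs anywhere.

# filtering_interfaces IFCONFIG_OUTPUT: print the non-loopback interface names.
filtering_interfaces() {
  printf '%s\n' "$1" |
    awk '/^[A-Za-z0-9]+:/ && !/LOOPBACK/ { sub(":", "", $1); print $1 }'
}

# check_routing_mode IP_FORWARDING IFCONFIG_OUTPUT
# Returns 0 when the host routes and has exactly two filtering interfaces;
# otherwise reports each problem on stderr and returns 1.
check_routing_mode() {
  status=0
  if [ "$1" != "1" ]; then
    echo "ip_forwarding=$1: host is not acting as a router" >&2
    status=1
  fi
  n=$(filtering_interfaces "$2" | grep -c . || true)
  if [ "$n" -lt 2 ]; then
    echo "$n filtering interface(s): routing mode needs at least two" >&2
    status=1
  elif [ "$n" -gt 2 ]; then
    echo "$n filtering interfaces: Lite filters only two, the rest are ignored" >&2
    status=1
  fi
  return $status
}

# Constructed sample: forwarding on, but three non-loopback interfaces.
SAMPLE_IFCONFIG='lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.0.2.1 netmask ffffff00 broadcast 192.0.2.255
qfe0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 198.51.100.1 netmask ffffff00 broadcast 198.51.100.255
qfe1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 203.0.113.1 netmask ffffff00 broadcast 203.0.113.255'

if check_routing_mode 1 "$SAMPLE_IFCONFIG"; then
  echo "routing-mode preflight passed"
else
  echo "routing-mode preflight failed; fix the problems above before installing"
fi
```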
Before you install SunScreen 3.1 Lite, you should complete the following tasks:
Be acquainted with these documents:
SunScreen 3.1 Release Notes
SunScreen SKIP 1.5.1 User's Guide
Ensure that the system that is to run SunScreen is secure; consider reinstalling the Solaris operating environment from CD-ROM to ensure that it has not been altered.
If you are using issued keys and certificates, make sure a set of Key and Certificate diskettes is available for each host.
After installing SunScreen 3.1 Lite, you are ready to set up and implement the security policy for your network. For instructions on administering your SunScreen, refer to the SunScreen 3.1 Administration Guide. For a detailed example of a SunScreen routing configuration, refer to the SunScreen 3.1 Configuration Examples document.
Upgrading to this Lite version of SunScreen 3.1 from previous versions of SunScreen EFS, SunScreen SPF-200, or FireWall-1 is not supported. The full version of SunScreen 3.1 will support these upgrades.
The machines that are used as gateways, or that are in vulnerable positions on the network, should have only the minimum Solaris packages installed. This action reduces the number of potentially exploitable applications.
The following table lists the minimum hardware and operating system requirements for installing SunScreen 3.1 Lite.
Table 1-1 SunScreen Installation Requirements
Ensure that the required Solaris packages reside on both the Screen and the Administration Station.
If you do not plan on using the administration GUI on your Screen (either because you are doing remote administration or you have chosen to use only the command-line interface for administration), you will only need to install the Core distribution of the Solaris operating environment, as well as the packages listed in this section.
If you only install the Core distribution of Solaris, you will either have to change your DISPLAY variable for using the installer wizard to a machine with a windowing system or install using the command-line installation procedure described in "Command Line Installation."
If you plan on using the administration GUI on your Screen itself, you will need to install the End User distribution of Solaris, as well as the packages listed in this section.
Table 1-2 Screen Solaris Packages
| Type of Package | Package Name | Description |
|---|---|---|
| system | SUNWeuluf | UTF-8 L10N For Language Environment User Files |
| system | SUNWjvjit | Java JIT compiler |
| system | SUNWjvrt | JavaVM run time environment |
| system | SUNWlibC | SPARCompilers Bundled libC |
| system | SUNWlibms | SPARCompilers Bundled shared libm |
| system | SUNWsprot | SPARCompilers Bundled tools |
| system | SUNWtoo | Programming Tools |
| system | SUNWvolr | Volume Management (Root) |
| system | SUNWvolu | Volume Management (Usr) |
| system | SUNWxwice | ICE components |
| system | SUNWxwplt | X Window System platform software |
| system | SUNWxwrtl | X Window System & Graphics Runtime Library Links |
| system | SUNWmfrun | Motif RunTime Kit |
| system | SUNWloc | System Localization |
| system | SUNWdoc | Documentation Tools |
The SUNWsprot package that SunScreen needs is on the second CD of Solaris 8.
If you will be using remote administration, add the following packages to the Administration Station from your Solaris CD, if not already on your system:
| Type of Package | Package Name | Description |
|---|---|---|
| system | SUNWjvrt | JavaVM run time environment |
| system | SUNWmfrun | Motif RunTime Kit |
| system | SUNWxwplt | X Window System platform software |
In addition to the patches provided by SunScreen 3.1, make sure you install all recommended security patches available for your operating environment. For security reasons, you should always keep your operating environment current with available patches.
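A preflight check against the two package tables above, added here as an example; it is not part of the SunScreen documentation. On a Solaris host the installed list would come from "pkginfo | awk '{print $2}'"; a constructed sample is used here so the script runs offline.

```shell
#!/bin/sh
# Added preflight check for the Solaris package requirements. Required lists are
# the Screen and Administration Station tables from the page; the installed list
# would come from `pkginfo | awk '{print $2}'` on a real Solaris host.

SCREEN_PKGS="SUNWeuluf SUNWjvjit SUNWjvrt SUNWlibC SUNWlibms SUNWsprot SUNWtoo
SUNWvolr SUNWvolu SUNWxwice SUNWxwplt SUNWxwrtl SUNWmfrun SUNWloc SUNWdoc"
ADMIN_PKGS="SUNWjvrt SUNWmfrun SUNWxwplt"

# missing_packages ROLE INSTALLED: print the packages ROLE (screen|admin) needs
# that do not appear in the whitespace-separated INSTALLED list, one per line.
missing_packages() {
  case "$1" in
    screen) required=$SCREEN_PKGS ;;
    admin)  required=$ADMIN_PKGS ;;
    *) echo "usage: missing_packages screen|admin INSTALLED" >&2; return 2 ;;
  esac
  for pkg in $required; do
    found=0
    for inst in $2; do
      if [ "$inst" = "$pkg" ]; then found=1; break; fi
    done
    [ "$found" -eq 1 ] || echo "$pkg"
  done
}

# Constructed sample: a host that has the GUI packages but not the tools.
SAMPLE_INSTALLED="SUNWjvrt SUNWmfrun SUNWlibC SUNWxwplt SUNWxwrtl"

for role in screen admin; do
  missing=$(missing_packages "$role" "$SAMPLE_INSTALLED")
  if [ -n "$missing" ]; then
    echo "$role: missing packages:" $missing
  else
    echo "$role: all required packages present"
  fi
done
```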
SunScreen 3.1 Lite only supports IPv4 in the Solaris 8 operating environment.
The Screen can support up to 2 network interfaces at one time.
The SunScreen CD includes the SunScreen™ SKIP for Solaris software. The PC version of SKIP is available separately or as part of the Secure Net bundle.
A remote Administration Station can connect directly to a Screen only through an Ethernet local area network (LAN) or a fiber distributed data interface (FDDI). An Administration Station can connect to the Screen by an asynchronous transfer mode (ATM) or Token Ring LAN, but only after it is connected directly to the network by way of an Ethernet or FDDI connection first.
Configure all network interfaces that will be used. See the documentation accompanying the Solaris operating environment, if needed.
Netscape Navigator 4.5, or higher, with its own Java VM has the limitation that you cannot read or write files.
IE 4.01 with its own JVM has the limitation that you cannot read or write files.
You can find compliant versions of the Netscape Navigator and HotJava browsers on the Solaris 8 Easy Access CD in the SunScreen directory in package format.
SunScreen 3.1 Lite allows any machine with a Java-enabled Web browser compliant with JDK 1.1.3 or later to function as an Administration Station. However, the version of the JVM or plug-in you are using with the browser dictates the operations you are able to perform on the Administration Station. You can use any supported browser to look at status information and logs, as well as modify and save policy configurations. However, some browser configurations do not support local system access.
Because Netscape Navigator and Internet Explorer do not support the Java mechanism for applet signing, the administration GUI cannot get access to your system's local resources (browser security mechanisms prevent this type of access).
The operations that require access to your local system resources are:
Loading certificates from a diskette
Backing up all policies
Restoring all policies
Saving log files
Loading jar signatures
If you do not need to perform any of these operations, you can use any of the supported browsers without local file access. To work around local access limitations you can use one of the following options:
Use the Java plug-in.
Use the HotJava browser, version 1.1.
The following Web browsers support local file access using the required Java Plug-in.
Internet Explorer (IE) 4.x with the Java plug-in on Windows 95/98 or NT only.
HotJava browser.
IE 5.0 with its own JVM can read and write files, but this configuration is not supported.
The Netscape Navigator default Java plug-in provided with Solaris 8 is not compatible with the SunScreen 3.1 Lite administration applet. To save log files and load certificates using Netscape Navigator 4.5 or 4.7, you must install the older version of the Java plug-in that is included on the CD-ROM or use the HotJava browser (also included).
SunScreen 3.1 Lite provides the required Java plug-in (version 1.1.2) as part of its distribution. The plug-in is located in the directory javaplugins. To install it, follow the plug-in installation instructions below.
Ensure that the SunScreen 3.1 CD-ROM is inserted in the CD-ROM drive.
Navigate down the SunScreen 3.1 directory structure to the plug-in location.
Install the Java plug-in by typing:
% cp plugin-112i-solsparc.sh /tmp
% cd /tmp
% sh plugin-112i-solsparc.sh
Save the identitydb.obj file by typing:
% cd /opt/SUNWicg/SunScreen/admin/htdocs/plugin/plugins/
% cp identitydb.obj $HOME
% cd
Set the NPX_PLUGIN_PATH environment variable. If using sh or ksh, type:
$ NPX_PLUGIN_PATH=$HOME/.netscape/plugins:$NPX_PLUGIN_PATH
$ export NPX_PLUGIN_PATH
or, if using csh:
% setenv NPX_PLUGIN_PATH $HOME/.netscape/plugins:$NPX_PLUGIN_PATH
Run the Netscape browser and use the URL for the plug-in version of the SunScreen 3.1 administration GUI:
% netscape http://localhost:3852/plugin &