SunScreen 3.1 Lite Installation Guide

Chapter 1 Installation Overview

This chapter introduces SunScreen 3.1 Lite installation concepts.

Topics covered include:

What is SunScreen 3.1 Lite?
Operating the firewall in routing mode
Before installing SunScreen
Security issues
Software and hardware requirements
Operating system package requirements
Additional requirements and restrictions
Web browser requirements

What Is SunScreen 3.1 Lite?

SunScreen 3.1 Lite is a software security solution that is installed on a Solaris®-based machine. It lets companies connect their departmental networks to public internetworks securely. Depending on how you install it, SunScreen 3.1 Lite can function as a firewall and router for hosts on the network it protects.

The Screen is the firewall responsible for screening packets. You use an Administration Station to define the objects and rules that form the security policy and administer the Screen. The number of Screens and Administration Stations depends on your site's network topology and security policies. You can install all of SunScreen 3.1 Lite on a single machine (local administration) or you can install the administration software and the Screen software on different machines (remote administration).

You need a Screen at every point in the network where you want to restrict access. In the strictest sense, you need one Screen for each point in the network that has direct public access (usually one per site). One Administration Station can manage multiple Screens, although you can install more Administration Stations for redundancy and ease of access. Encryption and authentication protects access and limits management of a Screen to an authorized Administration Station.

Local Administration

With local administration, you administer the Screen on the Screen itself (as shown in the following figure). Local administration does not require an encrypted connection as no network traffic is generated.

Figure 1-1 Example of a Locally Administered Screen

Remote Administration

With remote administration, you use a separate machine called an Administration Station to administer the Screen (as shown in the following figure). Remote administration uses encrypted communication (using SKIP) between the Screen and Administration Station so the information about the security policy in place on the Screen cannot be obtained by others.

Figure 1-2 Example of a Remotely Administered Screen

Routing Mode

This Lite version of SunScreen 3.1 only operates in routing mode (where the Screen performs routing as well as firewall functions).

Typically, you operate the Screen in routing mode if you need a machine to act both as a router and a firewall. In this mode, you need at least two exposed IP interfaces, and a hop visible to traceroute and other network utilities.

Be aware of the following considerations when operating in routing mode:

The existing Solaris machine must be acting as a router. The Screen uses the Solaris operating environment to provide IP routing.
The Screen makes use of the Solaris IP stack on the filtering interfaces, so it does not possess stealth characteristics.
You must divide up different networks as you would with any router.
The addition of a SunScreen 3.1 Lite to your network can require re-numbering IP addresses on your hosts (if you did not already have a router where your SunScreen is being placed).

What Are the Differences Between the Full and Lite SunScreen 3.1 Versions?

SunScreen 3.1 Lite is a stateful, packet-filtering firewall that has a subset of the features in SunScreen 3.1. It protects individual servers and small work groups.

Supported Features

SunScreen 3.1 Lite supports the following SunScreen3.1 features. A SunScreen 3.1 Lite firewall:

Can do basic packet filtering.
Can administer a Screen from a remote Administration Station.
Can be used in virtual private networks (VPNs ).
Can be used for centrally managed secondary machines.
Uses SunScreen SKIP (Simple Key-Management for Internet Protocols) for encryption, which is included as part of SunScreen 3.1 Lite and is automatically installed.

Limitations

SunScreen 3.1 Lite does not support the following SunScreen features. A SunScreen 3.1 Lite firewall:

Cannot be a member of a high availability (HA) cluster.
Does not support stealth-mode operation.
Does not support proxies .
Cannot create and cannot be made the primary Screen in a centrally managed group.
Cannot support more than two interfaces ; the filtering mechanisms ignore any other interfaces.
Cannot support more than ten unregistered IP addresses that can be translated to a registered address using network address translation (NAT); it is limited to two NAT rules.
Ignores the time-of-day field. It makes all rules active while that policy is active.
Does not support and cannot create the time objects .
Does not support and cannot create the ADMIN , HA , or STEALTH interfaces.

Before You Install

Before you install SunScreen 3.1 Lite, you should complete the following tasks:

Be acquainted with these documents:
- SunScreen 3.1 Release Notes
- SunScreen SKIP 1.5.1 User's Guide
Ensure that the system that is to run SunScreen is secure--consider reinstalling the Solaris operating environment from CD-ROM to ensure that it has not been altered.
If you are using issued keys and certificates, make sure a set of Key and Certificate diskettes is available for each host.

After installing SunScreen 3.1 Lite, you are ready to set up and implement the security policy for your network. For instructions on administering your SunScreen, refer to the SunScreen 3.1 Administration Guide. For a detailed example of a SunScreen routing configuration, refer to the SunScreen 3.1 Configuration Examples document.

Upgrading to SunScreen 3.1

Upgrading to this Lite version of SunScreen 3.1 from previous versions of SunScreen EFS, SunScreen SPF-200, or FireWall-1 is not supported. The full version of SunScreen 3.1 will support these upgrades.

Security Issues

The machines that are used as gateways, or that are in vulnerable positions on the network, should have only the minimum Solaris packages installed. This action reduces the number of potentially exploitable applications.

Software and Hardware Requirements

The following table lists the minimum hardware and operating system requirements for installing SunScreen 3.1 Lite.

Table 1-1 SunScreen Installation Requirements


Requirement	Description
Operating environment	Solaris 8 (with IPv4 only) operating environment for SPARC^TM and Intel platforms. Requires a Java-enabled Web browser compliant with JDK^TM 1.1.3 or later.
Hardware	All SPARC, UltraSPARC, and Intel platforms supported by the Solaris 8 operating environment.
Disk space	Minimum of 1 Gbyte. This space is needed to support the Solaris operating environment, the SunScreen product, and sufficient space for storing of packet logs. SunScreen requirements alone are approximately 300 Mbytes.
Memory	Administration Station: Minimum of 32-Mbytes, 64-Mbytes strongly recommended. Screen: Minimum of 32-Mbytes.
Network interfaces	For SPARC and UltraSPARC systems in Routing mode: 10 Mbps or 100 Mbps Ethernet interfaces (`le`, `qe`, `hme`, `be`, `qfe`) Gigabit Ethernet interfaces Token Ring interfaces ATM (155 and 622 Mbps in LAN emulation mode or Classic IP mode) FDDI, or PCI-based Ethernet cards. For Intel-based systems: 10 Mbps or 100 Mbps Ethernet interfaces (`dnet`, `elxl`). See supported devices listed at: `http://access1.sun.com/drivers /hcl/hcl.html`
Media	CD-ROM drive (also a diskette drive if using issued certificates).

Operating System Package Requirements

Ensure that the required Solaris packages reside on both the Screen and the Administration Station.

Screen Solaris Packages

If you do not plan on using the administration GUI on your Screen (either because you are doing remote administration or you have chosen to use only the command-line interface for administration), you will only need to install the Core distribution of the Solaris operating environment, as well as the packages listed in this section.

Note -

If you only install the Core distribution of Solaris, you will either have to change your DISPLAY variable for using the installer wizard to a machine with a windowing system or install using the command-line installation procedure described in "Command Line Installation."

If you plan on using the administration GUI on your Screen itself, you will need to install the End User distribution of Solaris, as well as the packages listed in this section.

Table 1-2 Screen Solaris Packages


Type of Package	Package Name	Description
system	SUNWeuluf	TF-8 L10N For Language Environment User Files
system	`SUNWjvjit`	Java JIT compiler
system	S`UNWjvrt`	JavaVM run time environment
system	`SUNWlibC`	SPARCompilers Bundled libC
system	`SUNWlibms`	SPARCompilers Bundled shared libm
system	`SUNWsprot`	SPARCompilers Bundled tools
system	`SUNWtoo`	Programming Tools
system	`SUNWvolr`	Volume Management (Root)
system	`SUNWvolu`	Volume Management (Usr)
system	`SUNWxwice`	ICE components
system	`SUNWxwplt`	X Window System platform software
system	`SUNWxwrtl`	X Window System & Graphics Runtime Library Links
system	`SUNWmfrun`	Motif RunTime Kit
system	`SUNWloc`	System Localization
system	`SUNWdoc`	Documentation Tools

Note -

The SUNWsprot package that SunScreen needs is on the second CD of Solaris 8.

Administration Station Solaris Packages

If you will be using remote administration, add the following packages to the Administration Station from your Solaris CD, if not already on your system:

Note -

In addition to the patches provided by SunScreen 3.1, make sure you install all recommended security patches available for your operating environment. For security reasons, you should always keep your operating environment current with available patches.

Table 1-3 Administration Station Solaris Packages


Type of Package	Package Name	Description
system	`SUNWjvrt`	JavaVM run time environment
system	`SUNWmfrun`	Motif RunTime Kit
system	`SUNWxwplt`	X Window System Platform software

Additional Requirements and Restrictions

SunScreen 3.1 Lite only supports IPv4 in the Solaris 8 operating environment.
The Screen can support up to 2 network interfaces at one time.
The SunScreen CD includes the SunScreen^TM SKIP for Solaris software. The PC version of SKIP is available separately or as part of the Secure Net bundle.
A remote Administration Station can connect directly to a Screen only through an Ethernet local area network (LAN) or a fiber distributed data interface (FDDI). An Administration Station can connect to the Screen by an asynchronous transfer mode (ATM) or Token Ring LAN, but only after it is connected directly to the network by way of an Ethernet or FDDI connection first.
Configure all network interfaces that will be used. See the documentation accompanying the Solaris operating environment, if needed.
Netscape Navigator 4.5, or higher, with its own Java VM has the limitation that you cannot read or write files.
IE 4.01 with its own JVM has the limitation that you cannot read or write files.

Note -
You can find compliant versions of the Netscape Navigator and HotJava browsers on the Solaris 8 Easy Access CD in the SunScreen directory in package format.

Web Browser Requirements

SunScreen 3.1 Lite allows any machine with a Java-enabled Web browser compliant with JDK 1.1.3 or later to function as an Administration Station. But, the version of the JVM or plug-in you are using with the browser dictates the operations you are able to perform on the Administration Station. You can use any supported browser to look at status information and logs, as well as modify and save policy configurations. However, some browser configurations do not support local system access.

Accessing Local System Resources

Because Netscape Navigator and Internet Explorer do not support the Java mechanism for applet signing, the administration GUI cannot get access to your system's local resources (browser security mechanisms prevent this type of access.)

The operations that require access to your local system resources are:

Loading certificates from a diskette
Backing up all policies
Restoring all policies
Saving log files
Loading jar signatures

If you do not need to perform any of these operations, you can use any of the supported browsers without local file access. To work around local access limitations you can use one of the following options:

Use the Java plug-in.
Use the HotJava browser, version 1.1.

Browsers Without Local File Access

Netscape Navigator 4.5, or higher, with its own Java VM has the limitation that you cannot read or write files.
IE 4.01 with its own JVM has the limitation that you cannot read or write files.

Note -
You can find compliant versions of the Netscape Navigator and HotJava browsers on the Solaris 8 Easy Access CD in the SunScreen directory in package format.

Browsers With Local File Access

The following Web browsers support local file access using the required Java Plug-in.

Netscape Navigator^TM 4.x with the Java^TM plug-in.
Internet Explorer (IE) 4.x with the Java plug-in on Windows 95/98 or NT only.
HotJava browser.
IE 5.0 with its own JVM, this configuration can read or write files but is not a supported configuration.

Note -
The Netscape Navigator default Java plug-in provided with Solaris 8 is not compatible with the SunScreen 3.1 Lite administration applet. To save log files and load certificates using Netscape Navigator 4.5 or 4.7, you must install the older version of the Java plug-in that is included on the CD-ROM or use the HotJava browser (also included).

SunScreen 3.1 Lite provides the required Java plug-in (version 1.1.2) as part of its distribution. The plug-in is located in the directory javaplugins.To install it, see the following plug-in installation instructions.

To Install the Required Java Plug-In

Ensure that the SunScreen 3.1 CD-ROM is inserted in the CD-ROM drive.

Navigate down the SunScreen 3.1 directory structure to the plug-in location.

Install the Java plug-in by typing:

"% cp plugin-112i-solsparc.sh /tmp ""% cd /tmp ""% sh plugin-112i-solsparc.sh"

Save the identitydb.obj file by typing:

"% cd /opt/SUNWicg/SunScreen/admin/htdocs/plugin/plugins/""% cp identitydb.obj $HOME""% cd"

Set the environment variable if using sh or ksh by typing:

"$ NPX_PLUGIN_PATH=$HOME/.netscape/plugins:$NPX_PLUGIN_PATH""$ export NPX_PLUGIN_PATH""or if using csh:""% setenv NPX_PLUGIN_PATH $HOME/.netscape/plugins:$NPX_PLUGIN_PATH"

Run the Netscape browser and use the URL for the plug-in version of the SunScreen 3.1 administration GUI:
% netscape http://localhost:3852/plugin &