SunScreen 3.1 Lite Installation Guide

Chapter 1 Installation Overview

This chapter introduces SunScreen 3.1 Lite installation concepts.

Topics covered include:

What Is SunScreen 3.1 Lite?

SunScreen 3.1 Lite is a software security solution that is installed on a Solaris®-based machine. It lets companies connect their departmental networks to public internetworks securely. Depending on how you install it, SunScreen 3.1 Lite can function as a firewall and router for hosts on the network it protects.

The Screen is the firewall responsible for screening packets. You use an Administration Station to define the objects and rules that form the security policy and administer the Screen. The number of Screens and Administration Stations depends on your site's network topology and security policies. You can install all of SunScreen 3.1 Lite on a single machine (local administration) or you can install the administration software and the Screen software on different machines (remote administration).

You need a Screen at every point in the network where you want to restrict access. In the strictest sense, you need one Screen for each point in the network that has direct public access (usually one per site). One Administration Station can manage multiple Screens, although you can install more Administration Stations for redundancy and ease of access. Encryption and authentication protects access and limits management of a Screen to an authorized Administration Station.

Local Administration

With local administration, you administer the Screen on the Screen itself (as shown in the following figure). Local administration does not require an encrypted connection as no network traffic is generated.

Figure 1-1 Example of a Locally Administered Screen


Remote Administration

With remote administration, you use a separate machine called an Administration Station to administer the Screen (as shown in the following figure). Remote administration uses encrypted communication (using SKIP) between the Screen and Administration Station so the information about the security policy in place on the Screen cannot be obtained by others.

Figure 1-2 Example of a Remotely Administered Screen


Routing Mode

This Lite version of SunScreen 3.1 only operates in routing mode (where the Screen performs routing as well as firewall functions).

Typically, you operate the Screen in routing mode if you need a machine to act both as a router and a firewall. In this mode, you need at least two exposed IP interfaces, and a hop visible to traceroute and other network utilities.

Be aware of the following considerations when operating in routing mode:

What Are the Differences Between the Full and Lite SunScreen 3.1 Versions?

SunScreen 3.1 Lite is a stateful, packet-filtering firewall that has a subset of the features in SunScreen 3.1. It protects individual servers and small work groups.

Supported Features

SunScreen 3.1 Lite supports the following SunScreen3.1 features. A SunScreen 3.1 Lite firewall:


SunScreen 3.1 Lite does not support the following SunScreen features. A SunScreen 3.1 Lite firewall:

Before You Install

Before you install SunScreen 3.1 Lite, you should complete the following tasks:

After installing SunScreen 3.1 Lite, you are ready to set up and implement the security policy for your network. For instructions on administering your SunScreen, refer to the SunScreen 3.1 Administration Guide. For a detailed example of a SunScreen routing configuration, refer to the SunScreen 3.1 Configuration Examples document.

Upgrading to SunScreen 3.1

Upgrading to this Lite version of SunScreen 3.1 from previous versions of SunScreen EFS, SunScreen SPF-200, or FireWall-1 is not supported. The full version of SunScreen 3.1 will support these upgrades.

Security Issues

The machines that are used as gateways, or that are in vulnerable positions on the network, should have only the minimum Solaris packages installed. This action reduces the number of potentially exploitable applications.

Software and Hardware Requirements

The following table lists the minimum hardware and operating system requirements for installing SunScreen 3.1 Lite.

Table 1-1 SunScreen Installation Requirements



Operating environment 

  • Solaris 8 (with IPv4 only) operating environment for SPARCTM and Intel platforms.

  • Requires a Java-enabled Web browser compliant with JDKTM 1.1.3 or later.


All SPARC, UltraSPARC, and Intel platforms supported by the Solaris 8 operating environment. 

Disk space

Minimum of 1 Gbyte. This space is needed to support the Solaris operating environment, the SunScreen product, and sufficient space for storing of packet logs. SunScreen requirements alone are approximately 300 Mbytes. 


  • Administration Station: Minimum of 32-Mbytes, 64-Mbytes strongly recommended.

  • Screen: Minimum of 32-Mbytes.

Network interfaces 

For SPARC and UltraSPARC systems in Routing mode:  

  • 10 Mbps or 100 Mbps Ethernet interfaces (le, qe, hme, be, qfe)

  • Gigabit Ethernet interfaces

  • Token Ring interfaces

  • ATM (155 and 622 Mbps in LAN emulation mode or Classic IP mode)

  • FDDI, or PCI-based Ethernet cards.

For Intel-based systems: 10 Mbps or 100 Mbps Ethernet interfaces (dnet, elxl). See supported devices listed at: /hcl/hcl.html


CD-ROM drive (also a diskette drive if using issued certificates). 

Operating System Package Requirements

Ensure that the required Solaris packages reside on both the Screen and the Administration Station.

Screen Solaris Packages

If you do not plan on using the administration GUI on your Screen (either because you are doing remote administration or you have chosen to use only the command-line interface for administration), you will only need to install the Core distribution of the Solaris operating environment, as well as the packages listed in this section.

Note -

If you only install the Core distribution of Solaris, you will either have to change your DISPLAY variable for using the installer wizard to a machine with a windowing system or install using the command-line installation procedure described in "Command Line Installation."

If you plan on using the administration GUI on your Screen itself, you will need to install the End User distribution of Solaris, as well as the packages listed in this section.

Table 1-2 Screen Solaris Packages

Type of Package 

Package Name 




TF-8 L10N For Language Environment User Files 



Java JIT compiler 



JavaVM run time environment 



SPARCompilers Bundled libC 



SPARCompilers Bundled shared libm 



SPARCompilers Bundled tools 



Programming Tools 



Volume Management (Root) 



Volume Management (Usr) 



ICE components 



X Window System platform software 



X Window System & Graphics Runtime Library Links 



Motif RunTime Kit 



System Localization 



Documentation Tools 

Note -

The SUNWsprot package that SunScreen needs is on the second CD of Solaris 8.

Administration Station Solaris Packages

If you will be using remote administration, add the following packages to the Administration Station from your Solaris CD, if not already on your system:

Note -

In addition to the patches provided by SunScreen 3.1, make sure you install all recommended security patches available for your operating environment. For security reasons, you should always keep your operating environment current with available patches.

Table 1-3 Administration Station Solaris Packages

Type of Package 

Package Name 




JavaVM run time environment 



Motif RunTime Kit 



X Window System Platform software 

Additional Requirements and Restrictions

Web Browser Requirements

SunScreen 3.1 Lite allows any machine with a Java-enabled Web browser compliant with JDK 1.1.3 or later to function as an Administration Station. But, the version of the JVM or plug-in you are using with the browser dictates the operations you are able to perform on the Administration Station. You can use any supported browser to look at status information and logs, as well as modify and save policy configurations. However, some browser configurations do not support local system access.

Accessing Local System Resources

Because Netscape Navigator and Internet Explorer do not support the Java mechanism for applet signing, the administration GUI cannot get access to your system's local resources (browser security mechanisms prevent this type of access.)

The operations that require access to your local system resources are:

If you do not need to perform any of these operations, you can use any of the supported browsers without local file access. To work around local access limitations you can use one of the following options:

Browsers Without Local File Access

Browsers With Local File Access

The following Web browsers support local file access using the required Java Plug-in.

SunScreen 3.1 Lite provides the required Java plug-in (version 1.1.2) as part of its distribution. The plug-in is located in the directory javaplugins.To install it, see the following plug-in installation instructions.

To Install the Required Java Plug-In
  1. Ensure that the SunScreen 3.1 CD-ROM is inserted in the CD-ROM drive.

  2. Navigate down the SunScreen 3.1 directory structure to the plug-in location.

  3. Install the Java plug-in by typing:

    "% cp /tmp ""% cd /tmp ""% sh"

  4. Save the identitydb.obj file by typing:

    "% cd /opt/SUNWicg/SunScreen/admin/htdocs/plugin/plugins/""% cp identitydb.obj $HOME""% cd"

  5. Set the environment variable if using sh or ksh by typing:

    "$ NPX_PLUGIN_PATH=$HOME/.netscape/plugins:$NPX_PLUGIN_PATH""$ export NPX_PLUGIN_PATH""or if using csh:""% setenv NPX_PLUGIN_PATH $HOME/.netscape/plugins:$NPX_PLUGIN_PATH"

  6. Run the Netscape browser and use the URL for the plug-in version of the SunScreen 3.1 administration GUI:

     % netscape http://localhost:3852/plugin &