SunScreen 3.1 Lite Installation Guide

Chapter 2 Installation Considerations

This chapter describes the issues you should consider before installing SunScreen 3.1 Lite.

These issues include:

Before installing, review the SunScreen 3.1 Release Notes for the latest information about this product.

Determining Your Security Policy

Before installing the SunScreen 3.1 Lite software, you should first determine your network security policy. For a more thorough discussion of this topic, read Computer Security Policies and SunScreen Firewalls by Kathryn M. Walker and Linda Croswhite Cavanaugh. Additional resources are listed in the Preface.

In brief, considerations when creating a security policy are:

Mapping Your Network Configuration

Prior to installing SunScreen 3.1 Lite, make a map of your network. This will help identify any potential security problems inherent in the way the network is currently connected. A diagram of your network will aid installation and should include:

Deciding on Your Initial Security Level

You must determine your initial level of security. You have three possible security levels from which to choose. Each security level corresponds to a different set of network services permitted to, from, and through the Screen. If you are in doubt about which security level to select for the Initial configuration, use a more permissive security mode. You can always reconfigure it to be more secure by changing the rules using the administration GUI.

Note -

If you install only the Core distribution of the Solaris software, you must either set your DISPLAY variable to a machine with a windowing system in order to use the installer wizard, or install using the command-line installation procedure described in "Command Line Installation."

Security Levels

The security levels are:

Naming Services

You must also choose which naming service to use. You may choose one (NIS or DNS), both (NIS and DNS), or no naming service. Selection of NIS, DNS, or both NIS and DNS allows the name service packets to pass to the Screen. To use a local host file, deselect both services.

Worksheets for Defining Security Policies

Here are directions and worksheets to help you analyze and define your company's security policy requirements. Once established, SunScreen 3.1 Lite controls access to the network through a set of rules and interface definitions that are created in the administration GUI. The information you accumulate in this section will be used to define your policies. See the SunScreen Reference Manual for more information. You can find a useful example of installing your Screen in routing mode in the SunScreen 3.1 Configuration Examples document.

To begin the process, create a group of all the IP addresses that SunScreen needs to know. SunScreen identifies network elements (networks, subnetworks, and individual hosts) by IP address. Before you can define a rule, you must define all the elements that make up the rule. Several types of addresses need to be defined in SunScreen.

Creating Service Groups

Use the following table to assist you in creating service groups that use any combination of the individual network services. A useful group to define at many sites is an "internet services" group, consisting of public services, such as FTP, e-mail, and WWW. You might want to familiarize yourself with the set of pre-defined network services to avoid creating unnecessary duplicates.

Table 2-1 Services or Service Groups

SunScreen 3.1 Lite uses IP addresses to define the network elements that make up the configuration. These addresses are then used in defining the Screen's network interfaces and as the source and destination addresses for rules and NAT.

The address can be for a single computer, or it can be for a whole network or subnetwork. Additionally, addresses (individual and network) can be grouped together to form an address group. SunScreen 3.1 Lite allows you to define address groups that specifically include or exclude other defined addresses (single IP hosts, ranges, or groups).

Table 2-2 Address Explanations

Host addresses: For individual elements, such as the router and individual computers, you need to know the IP address, in standard dotted Internet-address notation (w.x.y.z format), and the name of the host.

Address Ranges: For networks and subnetworks, you need to know the beginning and ending addresses of the network or subnetwork, both in standard dotted Internet-address notation (w.x.y.z format).

Address Groups: Groups of host addresses, network addresses, and other address groups can be combined to form logical groups of addresses that can then be manipulated as a single element. Groups may be inclusive or exclusive or a combination of both, but may not be cyclic, as in cases where Address Group "A" includes (references) Address Group "B" which in turn includes Address Group "A".

The following figure shows an example of various types of addresses and can be used as a reference when completing your own network map.

Figure 2-1 Example of a Network Map


In this figure, the following examples of different types of addresses can be seen:

The Internet is an example of a group of addresses, in this case defined as all. The ftp-www server is an example of a single address. The corporate, sales, and engineering hosts are examples of ranges of addresses.

The following worksheets can help you organize the IP addresses. Expand them as necessary. Group the IP addresses and names for the following network elements:

Rules are used to control access to your computer network and to control encryption for access to your data. In preparing to implement rules, you have:

Table 2-3 Host Addresses

IP Address

Table 2-4 Address Ranges

Table 2-5 Address Group

NAT enables you to map from unregistered addresses to registered addresses allocated by your Internet service provider (ISP). The NAT function of SunScreen 3.1 Lite uses this translation to replace the IP addresses in a packet with other IP addresses. This allows you to use unregistered addresses to number your internal networks and hosts and yet have full connectivity to the Internet. With this Lite version, you can have up to 10 internal addresses that use NAT.

Table 2-6 NAT Map Table

Translated Address

Table 2-7 Screen's Interfaces

Interface Name
Group Address
Logging Details
SNMP Alert
ICMP Reject

This Lite version of SunScreen 3.1 only supports two routing interfaces.

Administration Stations

Use this table to collect the information needed to add Administration Stations.

Table 2-8 Administration Stations

Name of Certificate associated with Admin Station
Address of Admin Station
Key Algorithm
Data Algorithm
MAC Algorithm
Admin User Name
Access Level

Use the following Rules worksheet to organize the individual rules you want to use. Space is provided for you to create your own service groups. Make copies of the worksheet, as necessary.

A filled-in sample of the Rules worksheet with the requisite services that you may want for a particular network is included following the Rules table.

Table 2-9 Rules

Ordered Rule Index
Service or Service Group
Source Address
Destination Address
User or Groups of Users (Optional)
Time of Day (Optional)
Screen (Optional)

Table 2-10 Sample for "Rules" Worksheet

Rule Index
Service or Service Group
Source Address(es)
Destination Address(es)

ftp Server

Four Action Types

This section lists the available action types you use to construct ordered rules.

After you define and map out your network and decide on your policy, you use data objects, such as services and addresses, to configure SunScreen 3.1 Lite with the policy rules that control access to your network. When you install SunScreen 3.1 Lite, a policy named "Initial" is created so that you can connect to the Policy Edit page and build your own security policies.
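The following Python program is an added illustration and is not part of the SunScreen documentation or software. It models the worksheet objects this chapter asks you to collect: host addresses, address ranges, and inclusive/exclusive address groups (Table 2-2) together with a check for the cyclic group references that table forbids; a service group of the kind suggested under "Creating Service Groups"; and ordered rules (Table 2-9) evaluated in index order, first match wins. The action names ALLOW and DENY, the DENY result when no rule matches, and every address, service, and rule in the sample are assumptions constructed for this example; the optional user, time-of-day, and Screen columns of the worksheet are not modelled.

```python
"""Address objects, service groups and ordered rules modelled on the SunScreen
worksheets.  Added example, not SunScreen code: action names, default result
and all sample data are assumptions made for the illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple, Union


@dataclass(frozen=True)
class Host:
    """Single host address (Table 2-2, Host addresses)."""
    addr: str

    def contains(self, ip: str, book: "Book") -> bool:
        return IPv4Address(ip) == IPv4Address(self.addr)


@dataclass(frozen=True)
class Range:
    """Inclusive begin/end range (Table 2-2, Address Ranges)."""
    start: str
    end: str

    def contains(self, ip: str, book: "Book") -> bool:
        return IPv4Address(self.start) <= IPv4Address(ip) <= IPv4Address(self.end)


@dataclass(frozen=True)
class Group:
    """Members of any included object that are in no excluded object
    (Table 2-2, Address Groups: inclusive and exclusive references)."""
    include: Tuple[str, ...]
    exclude: Tuple[str, ...] = ()

    def contains(self, ip: str, book: "Book") -> bool:
        included = any(book[n].contains(ip, book) for n in self.include)
        excluded = any(book[n].contains(ip, book) for n in self.exclude)
        return included and not excluded


Book = Dict[str, Union[Host, Range, Group]]


def check_acyclic(book: Book) -> None:
    """Reject cyclic references (A includes B, B includes A) with a DFS."""
    state: Dict[str, str] = {}

    def visit(name: str, path: List[str]) -> None:
        if state.get(name) == "done":
            return
        if state.get(name) == "visiting":
            raise ValueError("cyclic address group: " + " -> ".join(path + [name]))
        state[name] = "visiting"
        obj = book[name]
        if isinstance(obj, Group):
            for ref in obj.include + obj.exclude:
                visit(ref, path + [name])
        state[name] = "done"

    for name in book:
        visit(name, [])


def has_cycle(book: Book) -> bool:
    try:
        check_acyclic(book)
    except ValueError:
        return True
    return False


# Service groups (Table 2-1): a group name expands to its member services.
# The "internet-services" membership is constructed for this example.
SERVICE_GROUPS: Dict[str, Set[str]] = {"internet-services": {"ftp", "smtp", "http"}}


def service_matches(rule_service: str, service: str) -> bool:
    return service == rule_service or service in SERVICE_GROUPS.get(rule_service, set())


@dataclass(frozen=True)
class Rule:
    """One row of the Rules worksheet (Table 2-9); action names are assumed."""
    index: int
    service: str
    source: str
    destination: str
    action: str  # "ALLOW" or "DENY"


def evaluate(rules: List[Rule], book: Book, service: str, src: str, dst: str) -> Tuple[Optional[int], str]:
    """First rule in index order whose service, source and destination all
    match decides; no match is treated as DENY (assumed default)."""
    for rule in sorted(rules, key=lambda r: r.index):
        if not service_matches(rule.service, service):
            continue
        if book[rule.source].contains(src, book) and book[rule.destination].contains(dst, book):
            return rule.index, rule.action
    return None, "DENY"


# Constructed sample book in the shape of Figure 2-1: one single address,
# three ranges, an inclusive group and an exclusive "everything else" group.
BOOK: Book = {
    "ftp-www": Host("192.0.2.10"),
    "corporate": Range("10.0.0.1", "10.0.0.254"),
    "sales": Range("10.0.1.1", "10.0.1.254"),
    "engineering": Range("10.0.2.1", "10.0.2.254"),
    "all": Range("0.0.0.0", "255.255.255.255"),
    "internal": Group(include=("corporate", "sales", "engineering")),
    "internet": Group(include=("all",), exclude=("internal",)),
}

RULES = [  # constructed sample rows for the Rules worksheet
    Rule(1, "internet-services", "internal", "internet", "ALLOW"),
    Rule(2, "ftp", "internet", "ftp-www", "ALLOW"),
    Rule(3, "http", "internet", "ftp-www", "ALLOW"),
]

if __name__ == "__main__":
    check_acyclic(BOOK)
    print(evaluate(RULES, BOOK, "http", "10.0.1.20", "198.51.100.5"))  # sales to Internet
    print(evaluate(RULES, BOOK, "http", "10.0.1.20", "10.0.2.5"))      # sales to engineering
    print(evaluate(RULES, BOOK, "ftp", "198.51.100.5", "192.0.2.10"))  # Internet to ftp-www
```

The second lookup shows why exclusive groups matter: engineering addresses fall inside "all", but the "internet" group excludes "internal", so sales-to-engineering traffic does not match rule 1 and falls through to the default. Run check_acyclic on the address book before evaluating rules, since a cyclic group would otherwise recurse without end in contains.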