SunScreen 3.2 Installation Guide

Chapter 1 Installation Overview

This chapter gives an overview of the SunScreen software installation.

Topics covered include:

What Is SunScreen?

SunScreen is a layered software security solution that is installed on Solaris(TM)-based systems to enable companies to connect their departmental networks to public internetworks securely. Depending on the type of installation, SunScreen can function as both a firewall and router ( in routing mode) or like a bridge for hosts on the network it protects (in stealth mode.)

The Screen is the firewall responsible for screening packets. An Administration Station can be used to define objects and rules that form the security policy and to administer the Screen remotely. Administration can be performed on the Screen itself or from a remote Administration Station. The number of Screens and Administration Stations depends on your site's network topology and security policies. The SunScreen firewall and administration software can be installed on a single system or on separate systems when using an Administration Station to remotely administer the Screen.

Install a Screen at every point in the network where you want to restrict access. In the strictest sense, install one Screen for each point in the network that has direct public access (typically, one per site). One Administration Station can manage multiple Screens, although more Administration Stations can be installed for redundancy and ease of access. Encryption and authentication protects access and limits management of a Screen to an authorized Administration Station.

For encryption, SunScreen supports Internet Protocol Security (IPsec) with manual keying (see "IPsec Key" in the SunScreen 3.2 Administration Guide). Solaris Internet Key Exchange (IKE) and SunScreen Simple Key Management for Internet Protocol (SKIP) (see "Certificate Objects" in the SunScreen 3.2 Administration Guide for information about IKE and SKIP). SunScreen can be configured to encrypt packets using IPsec with manual keying or IKE, as well as with SKIP. IKE and SKIP can be used on the same Screen but they cannot encrypt the same traffic.

Note -

To communicate with the Screen using IKE, you must download the SUNWcryr and SUNWcryrx packages onto the Administration Station from: http://www.sun.com/software/solaris/encryption/download.html. This requirement applies in the case of Solaris 9 only if you need to use encryption other than DES or 3DES (which are included with the operating system).

SunScreen Operation Modes

You can install the SunScreen software in routing mode or in stealth mode.

It is possible to mix the two modes so that the interfaces protecting your system from the outside network are stealth and the interfaces to your internal network are routing. When mixing modes, install the Screen in routing mode first, then configure the stealth interfaces.

Caution -

Mixing interface modes requires careful consideration. Before you attempt this configuration, refer to the SunScreen 3.2 Administration Guide and the SunScreen 3.2 Configuration Examples documents, the latter of which includes an example of a mixed mode configuration.

Routing Mode

Choose routing mode when you need to filter packets between multiple networks connected by a Solaris-based system. A system in routing mode acts as both a router and a firewall. To use proxies or to install additional network services on the Screen, the interfaces must be configure in routing mode. Routing mode requires at least two exposed IP interfaces.

Be aware of the following considerations when operating in routing mode:

Solaris software provides IP routing for the Screen.
As with any router, the Screen is situated between subnets.
Adding a new router to your network can require a reorganization of your network and renumbering of your hosts.
Solaris software IP stack on the Screen's filtering interfaces exposes an IP address, as opposed to a stealth configuration that does not.

Stealth Mode

Choose stealth mode to increase your defense against attacks and when routing functions are not needed. In stealth mode, your system behaves like a bridge in that no IP interfaces are exposed to the public or private network and packets are filtered by the Screen transparently. While operating in stealth mode, the Screen cannot be seen or detected through traceroute or similar network tools.

Be aware of the following considerations when operating in stealth mode:

Packets are not routed, instead the Screen behaves like a bridge.
IP address renumbering on hosts is not required.
Only when using remote administration does any network interface need to be configured.

Security Issues

The systems that are used as gateways, or that are in vulnerable positions on the network, need only have the minimum Solaris software packages installed, which reduces the number of potentially exploitable applications (see "Software and Hardware Requirements" in this manual.

When installing SunScreen in stealth mode, you are asked if you want to harden the Screen. Hardening is optional and if chosen, automatically removes any Solaris software files and packages that might otherwise make the Screen vulnerable to an attack (in accordance with the best practices as described in http://www.sun.com/blueprints/browsesubject.html#security). Hardening in SunScreen 3.2 is based upon JASS (JumpStart Architecture and Security Scripts). More information regarding JASS is available at: http://www.sun.com/blueprints. The hardening process can be performed during installation or at a later time by running the script: /usr/lib/sunscreen/lib/harden_os. For more information on hardening, see the "Installing in Stealth Mode With Remote Administration Using IKE" and "Installing in Stealth Mode With Remote Administration Using SKIP" chapters in this manual.

Note -

Do not harden your Screen if some of your interfaces are in stealth mode and other interfaces are in routing mode. See the chapter "Configuring a Stealth Mode Screen" in the SunScreen 3.2 Configuration Examples document for an example of a mixed-mode configuration.

Before You Install SunScreen

Before installing SunScreen, complete the following tasks:

Be acquainted with the SunScreen documentation set, especially the SunScreen 3.2 Release Notes document, which gives the latest product information.
Make a map of your network. See "Determining Your Security Policy" in this manual for worksheets and instructions to aid you in determining your network configuration and your desired security level.
Ensure that the system you have identified to run the SunScreen software is secure.
Consider reinstalling the Solaris software from CD-ROM to ensure its stability.
If you are running the Solaris 8 software, install the recommended kernel and security patches from http://sunsolve.sun.com. In addition, make sure the following patches are installed.
- For all installations:
  - SPARC(TM) 108528-06; Intel 108529-05: kernel update patch.
- For systems with a qfe board installed:
  - SPARC 108806-02: Sun Quad Fast Ethernet qfe driver patch.
- For systems running Trusted Solaris 8:
  - SPARC 110337-02: Security CIPSO TCP kernel support patch.
When using SKIP CA-issued keys and certificates, make sure a set is available for each host.

After installing the SunScreen software, you begin to set up and implement your network's security policy. For administrative instructions, refer to the SunScreen 3.2 Administration Guide. For examples of security policy configurations, see the SunScreen 3.2 Configuration Examples document. For more information regarding the SunScreen product, see SunScreen 3.2 Administrator's Overview document.

Software and Hardware Requirements

The table below lists the installation requirements for SunScreen 3.2.

SunScreen includes HotJava^TM 1.1, SunScreen SKIP for Solaris, and IKE software.

To read the SunScreen documentation from the administration GUI, you must have the Adobe Acrobat Reader plug-in installed on your system.

Note -

Because of a limitation in SunScreen SKIP, release 1.5.1 for Solaris, the RC2 encryption algorithm is not available when running Solaris 8 in 64-bit mode.

Table 1-1 SunScreen 3.2 Installation Requirements


Requirement	Description
Operating environment	Solaris 9 (with IPv4 only) in either 32-bit or 64-bit mode for (SPARC systems only) Trusted Solaris 8 (SPARC systems only)
Browsers supported:	A Java^TM-enabled Web browser compliant with JDK^TM, release 1.1.3 through 1.1.8 HotJava^TM 1.1 running on the SPARC platform Internet Explorer 4.0 (with or without the Java plug-in) on the Windows platform Netscape 4.0.1 or higher, can be used for all administrative functions except those requiring local file access. (See below for system requirements for Internet Explorer and Netscape to run Java plug-ins.) Note that a Solaris platform with SKIP and/or IKE installed can be used as an Administration Station for command line-based remote administration.
Hardware	All SPARCstation(TM) workstations, UltraSPARC systems supported by the Solaris 9 operating environment. All SPARCstations and UltraSPARC systems supported by Trusted Solaris 8.
Disk space	Minimum of 1 Gbyte (with at least 300 Mbytes unused). This space is needed for the following: configuration database = `/etc/sunscreen` = 10 MB [Can grow larger over the course of hundreds of policy or configuration changes] logs and temporary files = `/var/sunscreen` = 120 MB [Can grow larger if the SunScreen log size parameter is increased from its default of 100 MB] internal files = `/usr/lib/sunscreen` = 50 MB man pages = `/usr/share/man` = 1 MB
Memory	For administration software installation: a minimum of 32 Mbytes is required and 64 Mbytes is strongly recommended. For Screen-only software installation: a minimum of 32 Mbytes.
Network interfaces supported	For the Screen: [The Screen can support up to 15 stealth interfaces at one time.Stealth configurations do not support ATM, FDDI, token ring, or the use of proxies. SunScreen HA in routing mode does not support FDDI, token ring, ATM, Gigabit Ethernet, or failover of IKE-based IPsec connections] For SPARC and UltraSPARC systems in routing mode: 10-Mbps or 100-Mbps Ethernet interfaces (`le`, `qe`, `hme`, `be`, `qfe`, `pnet`) Gigabit Ethernet (ge) interfaces Token Ring interfaces (trp) ATM (155 and 622 Mbps) in LAN emulation mode (lane) or classic IP mode (ba) FDDI (nf), or PCI-based Ethernet cards For SPARC and UltraSPARC systems in stealth mode: 10-Mbps, 100-Mbps, Fast Ethernet, or Gigabit Ethernet interfaces High availability requires that the two machines be connected by means of a nonswitching hub. [Some switches, including Alteon, Radware's Fireproof, and Foundry's ServerIron, can be configured to work with SunScreen HA clusters. Each Screen is set up as an individual Screen, with different IP addresses, and no interconnect. You can use as many Screens as the switch supports. Note that because SunScreen is a stateful firewall, TCP connections do not failover. ] For the Administration Station: [A remote Administration Station can connect directly to a Screen only through an Ethernet local area network (LAN) or a fiber distributed data interface (FDDI). ] For SPARC systems: 10-Mbps or 100-Mbps Ethernet interfaces (`le`, `qe`, `hme`, `be`, `qfe`), or FDDI, or PCI-based Ethernet cards. An Administration Station can connect to the Screen by an asynchronous transfer mode (ATM) or Token Ring LAN, but only after it is connected directly to the network by way of an Ethernet or FDDI connection first.
Media	CD-ROM drive (and a diskette drive, if you are using certain types of CA-issued certificates.

Operating System Package Requirements

Ensure that the required Solaris software packages reside on the Screen and the Administration Station as described below.

Note -

Install third-party content scanning products on a system separate from your SunScreen firewall to avoid possible security risks, as well as to avoid overloading your system when the content is large.

Solaris Software Packages for the Screen

When installing the SunScreen software on your Screen remotely from an Administration Station or if you choose to use the command-line interface instead of the administration GUI, install the Solaris Core Distribution software as well as the packages listed in the following table from your Solaris CD, if not already on your system.

Note -

When installing only the Solaris Core Distribution software, either change your DISPLAY variable for using the installer to a windowing system or install SunScreen using the command-line installation procedure described in the "Command Line Installation" appendix in this manual.

When installing the SunScreen software on your Screen locally , install the Solaris End User Distribution software as well as the packages listed in the following table from your Solaris CD, if not already on your system.

Table 1-2 Solaris Packages for Screen System


Package Name	Description
`SUNWlibc`	Sun Workshop Compilers Bundled libC
`SUNWlibms`	Sun WorkShop Bundled shared libm
`SUNWsprot`	Solaris Bundled tools
`SUNWxwplt`	X Window System platform software
`SUNWmfrun`	Motif RunTime Kit
`SUNWloc`	System Localization
`SUNWxwice`	X Window System Inter-Client Exchange (ICE) Components
`SUNWxwrtl`	X Window System & Graphics Runtime Library Links in /usr/lib
`SUNWtoo`	Programming Tools
`SUNWtoox`	Programming Tools (64-bit)
`SUNWeuluf`	UTF-8 L10N For Language Environment User Files
`SUNWeulux`	UTF-8 L10N For Language Environment User Files (64-bit)
`SUNWjvrt`	JavaVM run time environment
For Trusted Solaris 8 only `SUNWj2rt`	JDK 1.2 run time environment
For Solaris 9 only `SUNWj3rt` `SUNWapchr` `SUNWapchu` `SUNWeu8os` `SUNWeu8osx`	J2SDK 1.4 runtime environment Apache Web Server (root) Apache Web Server (usr) American English/UTF-8 L10N For OS Environment User Files American English/UTF-8 L10N For OS Environment User Files (64-bit)
`SUNWcryr`	Cryptography packages for IKE. Optional for Solaris 9 unless AES or Blowfish is required. Required for Trusted Solaris.
`SUNWcryrx`	Cryptography packages for IKE(64-bit). Optional for Solaris 9 unless AES or Blowfish is required. Required for Trusted Solaris.

Solaris Software Packages for the Administration Station

When installing the SunScreen software remotely using the administration GUI, install the following packages on your Administration Station from your Solaris CD, if not already on your system.

Table 1-3 Solaris Packages for Administration Station


Package Name	Description
`SUNWjvrt`	JavaVM run time environment
`SUNWxwplt`	X Window System platform software
`SUNWmfrun`	Motif RunTime Kit
`SUNWcryr`	Cryptography packages for IKE. Optional for Solaris 9 unless AES or Blowfish is required. Required for Trusted Solaris 8.
`SUNWcryrx`	Cryptography packages for IKE(64-bit). Optional for Solaris 9 unless AES or Blowfish is required. Required for Trusted Solaris 8.

Note -

In addition to the patches included on your SunScreen CD, make sure you install all recommended security patches available for your operating environment. For security reasons, always keep your operating environment up to date with available patches.

Additional Requirements and Restrictions

Use the command-line interface to create IKE self-generated certificates.
SunScreen 3.2 on the Solaris 8 operating environment supports IPv4 packets according to the policy but blocks IPv6 packets.
A routing-mode Screen supports an unlimited amount of network interfaces, all of which must be configured in Solaris; while a stealth-mode Screen supports up to 15 network interfaces at one time, and only the network interface that is used for remote administration is configured in Solaris. See the documentation accompanying your Solaris software.
The SunScreen CD includes the SunScreen SKIP, revision 1.5.1, software. The SunScreen SKIP version of Windows 95/98 and NT4.0 is available separately.
A remote Administration Station connects directly to a Screen only through an Ethernet local area network (LAN) or a Fiber Distributed Data Interface (FDDI). Once connected directly to the network by way of an Ethernet or FDDI connection, it can connect to the Screen by an asynchronous transfer mode (ATM) or Token Ring LAN.

Encryption Requirements

ForTrusted Solaris 8, to use IPsec manual keying or IKE, you must download the SUNWcryr and SUNWcryrx encryption packages onto both the Screen and the Administration Station.

For Solaris 9, support for DES and 3DES is built into the operating system. You only need to download the encryption packages if you need support for AES or Blowfish.

In either case, to download the packages go to http://www.sun.com/software/solaris/encryption/download.html

Web Server Requirements

For downloading the Java applets used by the administration GUI, the the Solaris 8 and 9 software uses Apache Web Server.

Note -

Web server onfiguration files are contained in /etc/sunscreen/httpd/.

Web Browser Requirements

SunScreen allows any system with a Java-enabled Web browser compliant with JDK 1.1.3 through 1.1.8 to function as an Administration Station. However, the version of the JVM(TM) or plug-in you are using with the browser dictates the operations you are able to perform on the Administration Station.

HotJava 1.1.5 is included on the SunScreen CD.

You can use any supported browser to look at status information and logs as well as modify and save policy configurations. However, some browser configurations do not support local system access.

Note -

The Netscape Navigator(TM) default Java plug-in provided with the Solaris 8 software is not compatible with the SunScreen 3.2 administration applet. To save log files and load certificates using Netscape Navigator 4.5 or higher, you must install the older version (version 1.1.2, which is included in the SunScreen distribution) of the Java plug-in or use the HotJava browser (included).

How to install the Java plug-in, version 1.1.2, save the identitydb.obj file, and set the NPX_PLUGIN_PATH environment variable is described in"Administration GUI Browser Requirements" section of this chapter.

Trusted Solaris

You can install and use SunScreen 3.2 on systems running Trusted Solaris 8 . See "Installing on Trusted Solaris" in this manual for more information.

High Availability

High availability (HA) enables you to deploy groups of Screens together in situations in which the connection between a protected inside network and an insecure outside network is critical. For a detailed description regarding installing an HA cluster, see "Using High Availability" in the SunScreen 3.2 Administration Guide.

Upgrading Your System to SunScreen 3.2

The SunScreen CD includes software to upgrade to SunScreen 3.2 for the following:

SunScreen 3.1 and SunScreen 3.1 Lite
SunScreen EFS 1.1, 2.0, and 3.0
SunScreen SPF-200

Detailed instructions for upgrading your SunScreen system are in "Upgrading to SunScreen 3.2" in this manual.

Converting From FireWall-1 to SunScreen

To use your existing FireWall-1 configurations for a similar security policy on SunScreen, you can either: Convert the FireWall-1 system to become the Screen or convert the FireWall-1 security policies and use them on a system running SunScreen. See "Converting FireWall-1 to SunScreen in Routing Mode" in this manual.

Links to Other SunScreen Features

SunScreen 3.2 includes: