NAT
Network address translation (NAT) enables you to map from unregistered addresses to registered addresses allocated by your Internet service provider (ISP). The NAT function in SunScreen uses this translation to replace the IP addresses in a packet with other IP addresses. This allows you to use unregistered addresses to number your internal networks and hosts and yet have full connectivity to the Internet. Using this approach with a small Class C network, which supports only 254 hosts (externally), you can use a private Class B network, which supports as many as 65,000 hosts or 255 networks of 254 hosts (internally).
The following worksheets include:
-
NAT map
-
Screen's interfaces
-
Authorized users
-
Administration Stations
NAT Map
Use the NAT Map worksheet to list type, address, and the translated address.
-
Type, either static or dynamic
-
Address, both source and destination
-
Translated address, both source and destination
|
Type |
Address |
Translated Address |
||
|---|---|---|---|---|
|
Static Dynamic |
Source |
Destination |
Source |
Destination |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Screen Interfaces
Use the Screen Interfaces worksheet to list:
-
Type
-
Interface name
-
Group address
-
Logging details, including SNMP alerts, logging, and ICMP rejects
|
Logging Details |
|||||
|---|---|---|---|---|---|
|
Type |
Interface Name |
Group Address |
SNMP Alert |
Logging |
ICMP Reject |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Authorized Users
Use the Authorized Users worksheet to list:
-
Name
-
Authorized user
-
Details
|
Name |
Authorized User |
Details |
|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Administration Stations
Use the Administration Station Interface worksheet to list:
-
Name of certificate associated with Administration Station
-
Address of the Administration Station
-
Key algorithm
-
Data algorithm
-
MAC algorithm
-
Admin user name
-
Access level
|
Name of Certificate Associated With Admin Station |
Address of Admin Station |
Key Algorithm |
Data Algorithm |
MAC Algorithm |
Admin User Name |
Access Level |
|---|---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Rules
You use rules to control access to your computer network and to control encryption for access to your data. In preparing to implement rules, you must determine:
-
The overall services that are available on your network
-
The services available to a particular user or host and user groups over particular IP addresses
-
The correct action for the services and addresses for that user or host
Note -
By default, the Screen drops any packets that do not specifically match a rule. This means you can more easily create rules, since you only have to write a rule for the services you want to pass.
Use the Rules worksheet to organize the individual rules you want to use. Space is provided for you to create your own service groups. Make copies of the worksheet, as necessary.
Following the Rules worksheet is a completed sample of a worksheet that includes the requisite services that you may want for a particular network.
|
Ordered Rule Index |
Service or Service Group |
Source Address |
Destination Address |
Action |
Encryption |
User or Groups of Users (Optional) |
Time of Day (Optional) |
Screen (Optional) |
|---|---|---|---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Ordered Rule Index |
Service or Service Group |
Source Address |
Destination Address |
Action |
Encryption |
|---|---|---|---|---|---|
|
1 |
ftp |
Internal-net |
Internet |
ALLOW |
NONE |
|
2 |
ftp |
* |
ftp Server |
ALLOW |
NONE |
|
3 |
ftp |
Internet |
Internal-net |
DENY |
NONE |
Four Action Types
The following shows the four action types: ALLOW, DENY, ENCRYPT, and SECURE.
-
ALLOW options:
-
LOG_NONE
-
LOG_SUMMARY
-
LOG_DETAIL
-
SNMP_NONE
-
SNMP
-
A proxy type can be chosen if the service can be proxied by one of the SunScreen proxies.
-
-
DENY options:
-
LOG_NONE
-
LOG_SUMMARY
-
LOG_DETAIL
-
SNMP_NONE
-
SNMP
-
ICMP_NONE
-
ICMP_NET_UNREACHABLE
-
ICMP_HOST_UNREACHABLE
-
ICMP_PORT_UNREACHABLE
-
ICMP_NET_FORBIDDEN
-
ICMP_HOST_FORBIDDEN
-
-
ENCRYPT options:
-
NONE
-
SKIP_Version_1 (for connection to a SunScreen SPF-100 system only)
You must decide on:
-
SKIP_Version_2 (for connection to all other SKIP-enabled devices) (Optional: Tunnel addresses are allowed)
You must decide on:
-
Manual IPsec
-
Forward ESP
-
Forward AH
-
Reverse ESP
-
Reverse AH
Note -Forward and Reverse can be set the same or different. This is designated on the administration GUI by the Asymmetric and Symmetric options.
-
Transport or Tunnel Mode
-
Optional:
-
Source Screen (object)
-
Destination Screen (object)
-
Source Tunnel
-
Destination Tunnel
-
-
-
Solaris IKE
-
-
VPN options:
This option is selected only when forming VPN rules using the previously defined VPN gateways.
After you define and map out your network and decide on your security policy, use data objects, such as services and addresses, to configure SunScreen with the policy rules to control access to your network. At installation, the SunScreen software automatically creates a policy named Initial that you can use to build your own security policies.
Additional information on creating security policies can be found at: http://www.sun.com/software/white-papers/wp-security-devsecpolicy/
- © 2010, Oracle Corporation and/or its affiliates