SunScreen EFS Release 3.0 Reference Manual

Chapter 1 SunScreen EFS 3.0 Overview

This chapter discusses the following topics:

What is SunScreen EFS 3.0?
SunScreen EFS 3.0 features
Software and hardware requirements
Compatibility with other SunScreen products
Online help and documentation

What Is SunScreen EFS 3.0?

SunScreen EFS 3.0 is a versatile firewall used for access control, authentication, and network data encryption. SunScreen EFS 3.0 integrates the two SunScreen firewall products SunScreen EFS and SunScreen SPF-200. SunScreen EFS 3.0 consists of a rules-based, dynamic packet-filtering engine for network-access control, and an encryption and authentication engine that enables you to create secure Virtual Private Network (VPN) gateways by integrating public-key encryption technology. It is the first firewall to address high availability (HA) for standard based encryption. Secure administration is provided through an easy-to-use administration graphical user interface (GUI) through a Web browser.

Note -

Stealth mode reflects the operation of the SunScreen SPF product; whereas, routing mode reflects prior releases of SunScreen EFS.

SunScreen EFS 3.0 consists of two components: Screen and Administration Station. The Screen is the firewall responsible for screening packets and for performing the necessary encryption and decryption. The Administration Station is where you define your security policy and from where you administer your Screen(s). The two components can be installed on separate machines for remote administration or on a single machine for local administration.

A machine can support as many as 15 interfaces, one of which should be the path to the external (public) network. Stealth and routing modes are supported on all SPARC and x86 systems listed on the Solaris supported hardware list (located at: http://access1.sun.com/drivers/hcl/hcl.html).

Caution -

Manually deleting and then re-installing network interfaces also removes SunScreen EFS 3.0 from the interfaces.

Both stealth and routing modes support the following link adapters: SBus local (le, be) (10Mb/s) and Quad (qe) Ethernet; as well as X1059A SBus (hme), X1049A SBus Quad (qfe), X1032A 10/100 Mbps PCI (hme), X1033 PCI (hme), and X1034A PCI Quad (qfe) FastEthernet. Screens running in routing mode additionally support: FDDI, Token Ring, and ATM.

SunScreen EFS 3.0 uses open-standard SKIP (Simple Key-Management for Internet Protocols) technology, pioneered by Sun, for encryption, authentication, access control, and secure virtual private networks. SunScreen EFS 3.0 incorporates SunScreen SKIP 1.5 for Solaris. You must log into the Solaris command line to directly administer SKIP on the Screen.

Note -

SunScreen SKIP new features includes support for 4096-bit Diffie-Hellman modulus and new DH primes.

See the SunScreen SKIP 1.5 User's Guide for further information regarding SKIP encryption and administration.

You can remotely administer SunScreen EFS 3.0 with any computer that has a supported version of SKIP and a Java browser compliant with JDK 1.1.3. SKIP software is available for Sun Solaris, Windows NT with Service Pack 3, Windows 95, and Windows 98 with PC SKIP patches.

Note -

If the choice list flickers when using the HotJava browser, quit and restart the browser.

SunScreen EFS 3.0 Features

Centrally Managed Groups - provides a way for you to manage multiple Screens with a set of common objects through a specific, primary Screen, as well as monitor logs on individual Screens in a centralized management group or HA cluster. The primary Screen, where the objects reside, can be managed by many different Administration Stations like in prior SunScreen firewall releases.

Stealth or Routing Modes- allows you to designate interfaces in either stealth or routing mode on a port-by-port basis. Stealth mode, as a layered product, no longer boots from a CD-ROM nor requires an installation diskette, and operating system (OS) hardening is optional. High availability (HA) is accessible in both modes. Proxies work in routing mode only.

Data Organization - increases the efficiency of data storage and retrieval by handling text data through a common access method. C ommon objects comprised of policy objects defining your security policy, are maintained by the edit sub-command of the new process ssadm, which is written in Java, that provides local as well as remote administration capabilities.

High Availability (HA)- supports stealth and routing mode installations. The primary HA Screen manages secondary HA Screens in an HA cluster. A passive HA Screen within a HA cluster mirrors the state of the active Screen, which can be the primary or a secondary HA Screen. When the active Screen fails, the passive Screen that has been running the longest takes over as the active Screen within 15 seconds. During this time (before the passive Screen takes over), no traffic will go through the HA cluster.

Logging - allows you to search, sort, and filter log messages to find critical information quickly and easily. You specify the log size value and what information you want recorded in administrative log files when you set up SunScreen EFS 3.0. Once running, you can monitor logs using the browser and the command line in real time.

Network Address Translation (NAT)- enables a Screen to map an internal network address to a different network address. As it passes packets between an internal host and a public network, the addresses in the packet are replaced with new addresses transparently, checksums and sequence numbers are corrected, and the state of the address map is monitored. You specify when a packet using ordered NAT translations is applied based on source or destination addresses.

Proxies - provides content filtering and user authentication in routing mode only.

Time-of-day Rules - allows you to define rules that are only active at specified hours.

Tunneling - uses encrypted tunnels to hide network topology from intruders and to set up secure VPN gateways over insecure public networks.

Software and Hardware Requirements

Table 1-1 lists the installation requirements for SunScreen EFS 3.0.

Table 1-1 SunScreen EFS 3.0 Installation Requirements


Requirement	Description
Operating Environment	Solaris 2.6 or Solaris 7 in either 32-bit or 64-bit mode for SPARC and x86 systems.
Browser	Web browser compliant with JDK^TM Release 1.1.3 or later. Browsers supported: HotJava 1.1 on Solaris running on SPARC, x86, and Win95, Win NT 4.0, and Win98 Netscape 4.5 and Internet Explorer 4.01, or higher, can be used to perform all administrative functions except those requiring local file access. (See below for system requirements for Internet Explorer and Netscape to run Java Plug-ins.)
Hardware	All supported Solaris 2.6 or Solaris 7 for SPARC and x86 systems.
Disk Space	Minimum of 1 GB (at least 300Mbytes unused)
Memory	For machines running just the Screen: 32MB Minimum For machines running the Administration Station: 32MB Minimum, 64MB `strongly` recommended
Network Interface Supported	The Screen supports all Solaris supported Ethernet adapters. Additionally, when in routing mode, the Screen also supports: Sun FDDI Sun Token Ring (Screen only) Sun ATM* (Screen only) The Administration Station supports all Solaris supported Ethernet adapters, plus Sun FDDI.
Link Support	Ethernet, Fast Ethernet, ATM (155 and 622 Mbit/sec in LAN Emulation mode), Token Ring, and FDDI. High availability and stealth-mode interfaces are only supported for Ethernet and Fast Ethernet. Also, high availability requires that the two boxes are connected in a non-switched hub.
Media	CD-ROM drive and diskette drive

* Currently, there is no support for Classical IP (cip) over ATM. There is support for lane (LAN emulation), only.

SunScreen EFS 3.0 includes the HotJava 1.1 software and the SunScreen SKIP for Solaris software.

Note -

Due to a limitation in SunScreen SKIP 1.5 for Solaris, the RC2 encryption algorithm is not available when running Solaris 7 in 64-bit mode.

Required Patches

Two patches, which are included on the SunScreen EFS 3.0 CD-ROM, are required when you are running the Solaris 2.6 operating environment.

Apply the patches to a SPARC system by typing:

# cd /cdrom/cdrom0/sparc/Patches
# patchadd 106125-06
# patchadd 105181-11

Apply the patches to an x86 system by typing:

# cd /cdrom/cdrom0/i386/Patches
# patchadd 106126-06
# patchadd 105182-13

Java Plug-In Software

Java plug-in software system requirements:

Windows 95, Windows 98, or Windows NT 4.0

Pentium 90 MHz or faster processor
10 MB free hard disk space (recommended 20 MB)
24 MB system RAM

Sun Solaris 2.5 or above

Sun SPARC or Intel x86 microprocessor
10 MB free hard disk space (recommended 20 MB)
32 MB system RAM (recommended 48 MB)

Java Plug-in software, which is provided free-of-charge, is available at the following URL: http://java.sun.com/products/plugin/1.1.2/index-1.1.2.html

Java Plug-in software enables you to direct Java technology-enabled applets on your Intranet Web pages to run using Sun's Java Runtime Environment (JRE), instead of the browser's default runtime. They enable you to support Microsoft Windows- and Sun Solaris-based browsers in your enterprise.

See Appendix A, "Using the Command Line," in the SunScreen EFS 3.0 Administration Guide for instructions on how to install the plug-in software.

Compatibility With Other SunScreen Products

This release differs from previous releases of SunScreen firewall products both in how the Administration Station and Screen communicate with each other and in how rules are defined. You can use the SunScreen EFS 3.0 administration GUI (Web browser) software to manage SunScreen EFS 3.0 and SunScreen EFS, Release 2.0; however, you cannot use it on any other previous versions of SunScreen firewall products. The ss_client command is maintained so you can still remotely manage other Screens through the command line.

Note -

See Appendix A, "Migrating From Previous SunScreen Firewall Products" for information regarding command compatibility with previous releases; and for information regarding the current commands for SunScreen EFS 3.0, see Appendix B, "Command Line Reference."

The SunScreen SKIP encryption system built into SunScreen EFS 3.0 is completely compatible with other SKIP implementations, such as prior releases of SunScreen firewall products, SunScreen SKIP for Solaris, or SunScreen SKIP for Microsoft Windows. SunScreen EFS 3.0 can exchange encrypted information with other SunScreen firewall products transparently.

To upgrade to SunScreen EFS 3.0 from prior SunScreen firewall releases, see the upgrading instructions in your SunScreen EFS 3.0 Installation Guide.

Online Help and Documentation

Topical help is available for each page of the administration GUI by clicking the Help button on a page or by clicking the Documentation button on the SunScreen navigation buttons banner.

The SunScreen EFS 3.0 CD-ROM includes a documentation directory that contains files in Hypertext Markup Language (HTML) and Portable Document Format (PDF) format.

Click the Documentation button for the HTML files. They are located in: /opt/SUNWicg/SunScreen/admin/htdocs/html.

PDF files use the file extension identifier .pdf. To display or print a .pdf file, use the Adobe freeware Acrobat Reader. The .pdf files are located in: /opt/SUNWicg/SunScreen/admin/htdocs/pdf. They can be displayed using the command: imagetool /opt/SUNWicg/SunScreen/admin/htdocs/pdf/filename &

Documentation is available on Sun's external document Web server docs.sun.com and stored in Sun's documentation archive. For a list of documents and how to order them, see the catalog section of the SunStore^SM Internet site at http://sunstore.sun.com.

The man pages for SunScreen EFS 3.0 are located in: /opt/SUNWicg/SunScreen/man.

The man pages for SunScreen SKIP are located in the standard Solaris man page directory.