Common Objects Area
Common objects are the components you use to make up policy rules. Before you write these rules, you add the common objects that you plan to use in the rules.
Note -
After the common objects have been added, they are stored in a database and can be used over again to create rule sets for additional policies.
Save Is Not Required With Some Common Objects
Some of the common objects that appear in the administration GUI are automatically saved when they are edited or new objects are added. You do not need to save these objects. Once these objects are added or edited, the change applies immediately and is not revertible. The reason the Save button in the administration GUI does not become active when you alter these is because there is no in-memory buffer of unsaved changes.
Note -
Although the changes made to these objects are saved immediately, they do not (except for logmacro) take effect until the next activation. The administration GUI edits Authorized Users, which are authuser objects, Proxy Users, which are proxyuser objects, and Jar Signatures and Jar Hashes, which are both vars objects.
Common Objects with this behavior are:
-
Authorized User
-
Admin User
-
Jar Signature
-
Jar Hash
-
Proxy User
Common Objects
-
Service -- Policy object that lets you identify network services for which you want SunScreen EFS 3.0 to filter packets. You can define:
-
Single Service -- Lets you add new network services and control the filtering activities applied when a service is used in a rule. Control the filtering activities by specifying what packet filtering engine you want to use and the various discriminators and parameters applicable to that filtering engine.
-
Use the fields in the dialog window to type the configuration information for the Service.
Name -- Specifies the name of the service object.
Note -
If you are adding a new Service Object, either through command-line or the administration GUI and specify that you want to set the PARAMETERS but do not provide the information for these paramaters, the configuration editor dumps core. (You cannot specify a negative value for one of the parameters.) If you are using the administration GUI when this happens, it can hang as it cannot recover from the failed editing session. Make sure you always specify a PARAMETER value when specifing the use of parameters for a new service.
Description -- (Optional) Provides a brief description about the service object.
Screen -- Specifies which Screen recognizes the service object.
Use the Filter table to define the filtering activities:
Filter -- Identifies the packed filtering engine.
Port -- Identifies the port, program number, or type used by the forward filter.
Broadcast -- Determines whether the rules where the service is used allows communication to broadcast and multicast addresses.
Note -
If you want the service to work for non-broadcast addresses, type separate table entries for broadcast and non-broadcast filtering.
Parameters -- Identifies the port, program number, or type used by the Reverse filter.
Reverse -- Determines whether the filter applies to packets originating from the host in the To address of a rule and going to the From address of a rule.
Use the fields in the dialog window to type the configuration information for the service group.
Name -- Specifies the name of the service object.
Description -- (Optional) Provides a brief description about the service object.
Screen -- Specifies which Screen recognizes the service object.
Adding services to a service group:
1.Highlight the services you want in the Services list.
2.Choose Add to add the service to the Members list.
-
Address -- The address object for a range of addresses lets you associate a contiguous range of IP addresses with an address object name. For example, you can associate a name with a specified network address range and then use that name to filter traffic to all hosts on that network.
Use the fields in the Address dialog window to type the configuration information address object.
Name -- Specifies the name for the address object.
Description -- (Optional) Provides a brief description about the address object.
Screen -- Specifies which Screen recognizes the address object. The default is All.
Starting IP Address -- Specifies the starting IP address in the range.
Ending IP Address -- Specifies the ending IP address in the range.
-
Single Host
The address object for a single host lets you associate an individual host's address with the address object name in the Name field. Use the fields in the dialog window to type the configuration information for the rule.
Name -- Specifies the name for the address object.
Description -- (Optional) Adds a note about the address object.
Screen -- Specifies which Screen recognizes the address object. Default is All.
IP Address/Host Name -- Specifies the IP address of the host machine. To type an IP address in the address field you can do one of the following: Type the address directly into the field, or type the host name and use Lookup IP Address to get the host's IP address.
The address object for a range of addresses lets you associate a contiguous range of IP addresses with an address object name. For example, you can associate a name with a specified network address range and then use that name to filter traffic to all hosts on that network.
Use the fields in the Address dialog window to type the configuration information address object.
Name -- Specifies the name for the address object.
Description -- (Optional) Provides a brief description about the address object.
Screen -- Specifies which Screen recognizes the address object. Default is All.
Starting IP Address -- Specifies the starting IP address in the range.
Ending IP Address -- Specifies the ending IP address in the range.
The address object for a group of addresses lets you group host addresses, address ranges and other address groups. By grouping addresses that use similar services and have similar actions, you can use groups to save time when creating rules.
Note -
Before you create an address group, you first define the address objects-- single addresses, address ranges, or address groups-- that you want to use in the address group.
Use the fields in the dialog window to type the configuration information for the address object.
Name -- Specifies the name for the address object.
Description -- (Optional) Provides a brief description about the address object.
Screen -- Specifies which Screen recognizes the address object. The default is All.
Addresses -- Displays the addresses objects that can to be used to create the address group.
Include List -- Specifies the address objects that are currently included in the address group. Use the Add or Remove buttons to modify the list.
Exclude List -- Specifies the address objects that are excluded from the address group. For example, you can create an address group that includes all addresses except as specified in the Exclude List. Use the Add or Remove buttons to modify the list.
-
Certificate -- Certificate is a Common Object that allows you to manage certificates. You can:
-
Generate Certificate
-
To generate a certificate, use the fields in the dialog window to type the configuration information.
Name -- Specifies a name for the certificate.
Description -- (Optional) Provides a brief description about the certificate object.
Screen -- Specifies which Screen recognizes the Certificate Object. The default is All.
Installed On -- (Optional) Specifies the Screen on which the certificate is installed.
Radio buttons -- Specify the level of encryption that the Screen uses.
Generate New Certificate -- Generates the certificate. The Certificate ID field displays the certificate's certificate ID.
Also called the certificate ID, lets you assign a name to a certificate that exists on another machine. You associate a certificate ID when you want to encrypt communication between two screens or between a screen and an Administration Station.
Use the fields in the dialog window to type the information for associating the MKID.
Name -- Specifies the name for the certificate ID object.
Description -- (Optional) Provides a brief description about the certificate ID object.
Screen -- (Optional) Specifies which Screen recognizes the certificate ID object. The default is all. Specifying a Screen allows you to define packet filtering rules that encrypt traffic between any two machines, not just between an Administration Station and a Screen.
Certificate ID -- Specifies the certificate ID (hash value) for the certificate that you generated on the other system.
Associate MKID (also called the certificate ID) lets you assign a name to a certificate that exists on another machine. You associate a certificate ID when you want to encrypt communication between two screens or between a Screen and an Administration Station.
Use the fields in the dialog window to type the information for associating the certificate ID.
Name -- Specifies the name for the certificate ID object.
Description -- (Optional) Provides a brief description about the certificate ID object.
Screen -- (Optional) Specifies which Screen recognizes the certificate ID object. The default is all.
Note -
Specifying a Screen allows you to define packet filtering rules that encrypt traffic between any two machines, not just between an Administration Station and a Screen.
Certificate ID -- Specifies the certificate ID (hash value) for the certificate that you generated on the other system.
-
Screen -- Allows you to edit or add Screen objects. You can edit miscellaneous Screen parameters, SNMP parameters, and Mail Proxy parameters for Screen objects that already exist.
In general, you edit rather than create Screen objects because they are automatically created during installation. However, you create new Screen objects to configure HA and centralized management.
Note -
You must enter the name of the Admin Interface of the Screen as listed in the Naming Service or in the hosts file.
Create a Screen object if you are setting up an HA cluster or centralized management group.
The HA/Master Config tab allows you to associate a certificate object with a Screen or Administration Station that is part of an HA cluster or a centralized management group. The HA menu and the Primary Name menu determine the role a Screen has within an HA cluster and centralized management group. The settings you choose for these menus determines which other controls on the HA/Master Config tab are active. The meanings and uses of the fields in the HA/Master Config tab are as follows:
High Availability -- Specifies whether the Screen is used for HA. If you are using it for HA, you can specify whether the Screen is a primary HA Screen or a secondary HA Screen.
Primary Name -- Specifies the name of the primary Screen.
Administrative IP -- Address IP address of the Screen that is used for administration.
Administration Certificate -- Specifies the Administration Station's certificate name.
High Availability IP Address -- Specifies the IP address of the HA interface.
Ethernet Address -- Generated by the system.
Key Algorithm -- Specifies the issued certificate (key) encryption algorithms supported for SunScreen SKIP, version 1.
Data Algorithm -- Specifies the data encryption algorithms supported for SunScreen SKIP, version 2.
MAC Algorithm -- Specifies the MAC (authentication) algorithms supported for manual keying.
Note -
The entry in the Name field must be the same as the entry that exists in the nameservice lookup or in the /etc/hosts file. The IP address associated with this name must match the IP address of the administrative interface.
Note -
The type of interfaces must be the same on all the machines in the HA cluster. This interface must be dedicated on each machine in the HA cluster with a dedicated network connection. For reasons of security, the HA network should not be connected to any other network. The HA primary Screen is always the Screen you administer whether it is the active or passive Screen.
Use the Miscellaneous, SNMP, and Mail Proxy tabs in the Screen dialog window to edit a Screen object.
Note -
After configuring the Screen as an HA primary remotely administered by an Administration Station (it is not part of the Centralized Management Group), the administration GUI does not show the admin certificate in the "HA/Master Config" panel from the Screen object. If you click OK from that panel, the admin certificate information is deleted from the Screen object. The result is that the activation fails because of the missing admin certificate. Use the command line to make any needed changes to the primary HA Screen object.
The Miscellaneous tab in the Screen dialog window allows you to specify miscellaneous Screen parameters.
Log Size
Stealth Network Address -- Specifies the network address for interfaces that are used as SPF interfaces. Type this parameter if you have used the Interface object to designate any Screen interfaces as Stealth interfaces.
Stealth Netmask -- Specifies the netmask for interfaces that are used as SPF interfaces. Type this parameter if you have used the Interface object to designate any Screen interfaces as Stealth interfaces.
Routing -- Specifies whether the Screen is used for routing.
Name Service -- Specifies the name service that the Screen uses.
Certificate Discovery -- Specifies whether the Screen uses Certificate Discovery.
The SNMP tab in the Screen dialog window allows you to add, edit, or delete an SNMP trap receiver.
Note -
Use the Action field of the packet filtering Rule Definition dialog window to specify actions that generate SNMP alerts. The machine that you want to receive SNMP trap alerts must not be a remote Administration Station.
The Mail Proxy tab in the Screen dialog window allows you to add, edit, or delete domains known to distribute unsolicited electronic mail (spam). You can define spam domains if you use an SMTP proxy.
Centralized management allows you to remotely administer configurations on a group of Screens. A centralized management group comprises a primary Screen and a number of secondary Screens. The primary Screen's function is to "push" policy configurations to the secondary Screens in the group.
Note -
You can configure packet filtering rules to make a specific rule apply to only one Screen. The rules apply globally by default.
Note -
The entry in the Name field must be the same as the entry that exists in the nameservice lookup or in the /etc/hosts file. The IP address associated with this name must match the IP address of the administrative interface.
-
Interface -- A Common Object that lets you define interfaces and specify the actions a Screen should take when a packet, which is received on that interface, is rejected.
Use the fields in the dialog window to type the configuration information for the interface object.
Name -- Specifies the name for the address object.
Type -- Specifies the type of interface.
Screen -- Specifies which Screen recognizes the Interface.
Address Group -- Specifies the valued source IP addresses for this interface.
Logging -- Identifies the level of detail for log messages generated when a packet received on the interface is rejected.
Note -
You can override the level of log messages that are issued for individual rules.
SNMP Alerts -- Indicates whether SNMP alert messages are issued when a packet received on the interface is rejected.
SNMP traps -- Addressed to the defined hosts.
ICMP Action -- Identifies the ICMP rejection message that is issued if a packet received on the interface is rejected. The default is none.
Comment -- (Optional) Provides a descriptive note about the Interface object.
-
Proxy User -- A Common Object that contains the mapping information for users of SunScreen EFS 3.0 proxies. The FTP and telnet rules reference the proxy user entries.
Before you add a proxy user, define an authorized user. You must create entries for both authorized users and proxy users to use the authentication feature of the FTP and telnet proxies.
Name -- Specifies the name of the proxy user.
Description -- Adds a brief description of the proxy user.
User -- Enabled Controls whether the user can log into the Screen.
Authorized User Name -- Selects the name of the authorized user to be used to authenticate this proxy user. Names in this list are generated when you add an Authorized User Object. If this field is empty, authorization is not required for this user.
-
Authorized User -- A Common Object that lets you specify which users are allowed to use the telnet and FTP proxy.
Use the fields in the dialog window to type the configuration information for the Authorized User Object.
User Name -- Specifies the login name of the authorized user.
Description -- (Optional)Provides a brief description about the authorized user.
User Enabled -- Indicates whether the user can log into the Screen.
Password -- Specifies the login password for the authorized user.
Retype Password -- Specifies the login password for the authorized user. The password typed in this field must exactly match the password you typed in the Password field.
SecurID Name -- Specifies the user's login name for SecurID authorization.
Real Name -- Identifies the real name of the authorized user.
Contact Information -- Displays information on how to contact the specified user.
-
Administrative User -- A Common Object that lets you identify the administrators authorized to access the Screen.
Use Administrative User Objects when you define Administrative Access rules.
Use the fields in the dialog window to type the configuration information for the Administrative User.
User Name -- Specifies the login name of the administrative user.
Description -- (Optional) Provides a brief description about the administrative user.
User Enabled -- Indicates whether the user can log into the Screen.
Password -- Specifies the login password for the administrative user.
Retype Password -- Specifies the login password for the administrative user. The password typed in this field must exactly match the password you typed in the Password field.
SecurID Name -- Specifies the user's login name for SecurID authorization.
Real Name -- Identifies the real name of the administrative user.
Contact Information -- Displays information on how to contact the specified user.
After you create the Administrative User Object, you grant administrative access by creating a rule in the Administrative Access panel.
Note -
The name that you create for the Administrative User object is the same name that you use when you create an Administrative Access rule.
-
Jar Signature -- Lets you identify the Java archives (JARs) you want the Screen to pass. JAR signatures apply only to the HTTP proxy.
Use the dialog window to type the information for the JAR signature.
Certificate Name -- Identifies the name of the certificate.
Master Key ID -- Identifies the certificate ID.
Load Jar Certificate -- Loads the certificate used to authenticate the Java archive.
-
Jar Hash -- The HTTP proxy can be set up to filter the Java applets based on the Jar hash value of the Jar file.
Use the fields in the dialog window to type the information for the Jar hash.
Certificate Name -- Identifies the name of the certificate.
Master Key ID -- Identifies the certificate ID.
-
Time -- A Policy Object that lets you specify when a rule applies. You can specify the time of day and day of the week.
Use the fields and controls in the dialog window to type the configuration information for the Time Object.
Name -- Specifies a name for the Time Object.
Description -- (Optional) Adds a descriptive note about the Time Object.
Screen -- Specifies which Screen recognizes the Time Object.
Note -
The Time Object is based on a 24-hour clock. The time 00:00 is midnight on the day specified; the time 24:00 is midnight 24 hours later.
- © 2010, Oracle Corporation and/or its affiliates