SunScreen(TM) 3.1 for the Solaris Operating Environment is part of the family of SunScreen products that provide a solution to security, authentication, and privacy requirements. SunScreen gives companies a means of securing department networks connected to a public internetwork.
This SunScreen 3.1 Administration Guide provides all the information necessary to configure and administer SunScreen on your network. Other manuals in the SunScreen documentation set include the SunScreen Installation Guide, the SunScreen Reference Manual, the SunScreen Configuration Examples manual, and the SKIP User's Guide.
The SunScreen 3.1 Administration Guide is intended for SunScreen system administrators responsible for the operation, support, and maintenance of network security. In this guide, it is assumed that you are familiar with UNIX system administration and TCP/IP networking concepts, and with your network topology.
SunScreen 3.1 Lite is a stateful, packet-filtering firewall that has a subset of the features in SunScreen 3.1. It protects individual servers and small work groups.
This manual applies to both SunScreen 3.1 Lite and the full version of SunScreen 3.1. Keep the following differences and similarities in mind when configuring and administering SunScreen 3.1 Lite.
SunScreen 3.1 Lite supports the following SunScreen features. A SunScreen 3.1 Lite firewall:
Can do basic packet filtering.
Can administer a Screen from a remote Administration Station.
Can be used for CMG Secondary machines.
Uses SunScreen SKIP (Simple Key-Management for Internet Protocols) for encryption. SunScreen SKIP is included as part of SunScreen 3.1 Lite and is automatically installed.
SunScreen 3.1 Lite does not support the following SunScreen features. A SunScreen 3.1 Lite firewall:
Cannot create a CMG group and cannot be made the primary Screen in a CMG group.
Cannot support more than two interfaces; the filtering mechanisms ignore any other interfaces.
Cannot support more than ten unregistered IP addresses that can be translated to registered addresses using Network Address Translation (NAT); it is limited to two NAT rules.
Ignores the time-of-day field in rules; all rules are active whenever the policy that contains them is active.
Does not support and cannot create the ADMIN, HA, or STEALTH interfaces.
The SunScreen 3.1 Administration Guide contains the following chapters and appendixes:
Chapter 1, Starting the Administration GUI and Logging In covers the basic concepts as well as the procedures for starting and configuring the Java-based browser, and logging in to the administration graphical user interface (GUI). It also covers how you define the access levels for administrative users.
Chapter 2, Getting Status and Managing Logs describes the Information page in the administration GUI, viewing statistics and logs, and setting the retrieval mode.
Chapter 3, Working with Common Objects contains the procedures for using the administration GUI to add, delete, and rename the Common Objects.
Chapter 4, Creating and Managing Rules describes packet filtering, administrative access rules, Network Address Translation (NAT), and Virtual Private Networks (VPN).
Chapter 5, Creating and Managing Policies tells you how to create a policy file that describes how you want your SunScreen firewall to function. This chapter also contains many policy management procedures.
Chapter 6, Using High Availability describes setting up and managing a Highly Available (HA) SunScreen configuration.
Chapter 7, Setting Up and Using Proxies tells you how to use proxies to provide content filtering and user authentication.
Chapter 8, Configuring Centralized Management Groups describes how you set up multiple SunScreens to be managed from one location.
Chapter 9, Adding Remote Administration Stations After Installation describes how you can add additional remote Administration Stations to your network.
Appendix A, Using the Command Line contains procedures for using the UNIX command line to manage a SunScreen firewall.
Appendix B, Quick Start Procedures contains detailed information about:
Telnet proxy service with and without proxy user authentication
FTP proxy service with and without proxy user authentication
HTTP proxy service
SMTP proxy service
Configuring RADIUS Authentication
Telnet and FTP proxy service with RADIUS user authentication
SecurID clients supported by SunScreen
Telnet and FTP proxy service with SecurID user authentication
Port-by-port using mixed mode with proxies
Fatbrain.com, an Internet professional bookstore, stocks select product documentation from Sun Microsystems, Inc.
For a list of documents and how to order them, visit the Sun Documentation Center on Fatbrain.com at http://www1.fatbrain.com/documentation/sun.
The docs.sun.com(SM) Web site enables you to access Sun technical documentation online. You can browse the docs.sun.com archive or search for a specific book title or subject. The URL is http://docs.sun.com.
If you require technical support, contact your Sun sales representative or Sun Authorized Reseller. See http://www.sun.com/service/contacting/index.html for information on contacting Sun and http://internet.central.sun.com/service/support/index.html for information on Sun's support services.
The following table describes the typographic conventions used in this book.
Table P-1 Typographic Conventions

| Typeface or Symbol | Meaning | Example |
|---|---|---|
| AaBbCc123 | The names of commands, files, and directories; on-screen computer output | Edit your .login file. Use ls -a to list all files. machine_name% you have mail. |
| AaBbCc123 | What you type, contrasted with on-screen computer output | machine_name% su Password: |
| AaBbCc123 | Command-line placeholder: replace with a real name or value | To delete a file, type rm filename. |
| AaBbCc123 | Book titles, new words or terms, or words to be emphasized | Read Chapter 6 in User's Guide. These are called class options. You must be root to do this. |
The following table shows the default system prompt and superuser prompt for the C shell, Bourne shell, and Korn shell.
Table P-2 Shell Prompts

| Shell | Prompt |
|---|---|
| C shell prompt | machine_name% |
| C shell superuser prompt | machine_name# |
| Bourne shell and Korn shell prompt | $ |
| Bourne shell and Korn shell superuser prompt | # |
You may want to refer to the following sources for background information on network security, cryptography, and SKIP.
Computer Security Policies and SunScreen Firewalls. Kathryn M. Walker and Linda Croswhite Cavanaugh. Sun Microsystems Press, 1998. ISBN 0-13-096015-0.
Access Denied. Gene Scott Adams. Andrews McMeel, September 1996. ISBN 0-8362-2191-5.
Building Internet Firewalls, 1st edition. D. Brent Chapman and Elizabeth D. Zwicky. O'Reilly & Associates, September 1995. ISBN 1-56592-124-0.
Firewalls and Internet Security: Repelling the Wily Hacker. William R. Cheswick and Steven M. Bellovin. Addison-Wesley, June 1994. ISBN 0-201-63357-4.
Internetworking with TCP/IP, Volume 1: Principles, Protocols, and Architecture. Douglas E. Comer. Prentice Hall, March 1995. ISBN 0-13-216987-8.
Practical UNIX and Internet Security, 2nd edition. Simson Garfinkel and Gene Spafford. O'Reilly & Associates, April 1996. ISBN 1-56592-148-8.
Solaris Security, 1st edition. Peter H. Gregory. Sun Microsystems Press, 2000. ISBN 0-13-096053-5.
TCP/IP Network Administration, 2nd edition. Craig Hunt. O'Reilly & Associates, December 1997. ISBN 1-56592-322-7.
Network Security: Private Communication in a Public World. Charlie Kaufman, Radia Perlman, and Mike Speciner. Prentice Hall, March 1995. ISBN 0-13-061466-1.
Applied Cryptography, 2nd edition. Bruce Schneier. John Wiley & Sons, 1996. ISBN 0-471-12845-7.
Network Security Essentials: Applications and Standards. William Stallings. Prentice Hall, November 1999. ISBN 0-13-016093-8.
Cryptography and Network Security: Principles and Practice. William Stallings. Prentice Hall, June 1998. ISBN 0-13-869017-0.
TCP/IP Illustrated, Volume 1: The Protocols. W. Richard Stevens. Addison-Wesley, January 1994. ISBN 0-201-63346-9.
TCP/IP Illustrated, Volume 3: TCP for Transactions, HTTP, NNTP, and the UNIX Domain Protocols. W. Richard Stevens. Addison-Wesley, January 1996. ISBN 0-201-63495-3.
UNIX Network Programming, Volume 1: Networking APIs: Sockets and XTI. W. Richard Stevens. Prentice Hall, January 1994. ISBN 0-201-63346-9.
UNIX Network Programming, Volume 2: Interprocess Communications. W. Richard Stevens. Prentice Hall, August 1998. ISBN 0-103-81081-9.
Firewalls 24seven, 1st edition. Matthew Strebe and Charles Perkins. Sybex, Inc., 1999. ISBN 0-782-12529-8.
SKIP IP-Level Cryptography: http://skip.incog.com/
Sun Software and Networking Security: http://www.sun.com/security/