All the functionality of SunScreen that is available through the administration GUI is also available through a command. Administering your Screens through the command line can be useful when you want to manage one or more remote Screen or if you use more than one network address.
You can access a Screen using the command line from its own keyboard, when the Screen is being administered locally and requires that you have superuser (root) access; or you can access a Screen using the command line from an Administration Station, when the Screen is being administered remotely and requires that you use SKIP encryption and an Administration User name and password.
For more information on the command line, see the SunScreen Reference Manual.
The following Unix (shell) commands are available at your shell prompt when /opt/SUNWicg/SunScreen/bin is included in your $PATH. The following table lists the SunScreen Unix (shell) commands and their descriptions. Many of these commands duplicate administration GUI functions, while others provide a context for other commands.
Table A-1 SunScreen UNIX (shell) Command Summary
Unix Command |
Description |
---|---|
ss_install |
Create an initial SunScreen configuration. ss_install, when combined with pkgadd, is equivalent to using the install-wizard graphical user interface. |
ss_client |
Provide communication between an Administration Station and a Screen that was configured by an earlier SunScreen firewall product release. ss_client is provided only for the purpose of remotely administering such products using the SunScreen system as a remote Administration Station. |
ssadm |
Primary command-line tool for SunScreen administration. ssadm sub-commands perform various operations such as editing and activating a SunScreen configuration, and examining the status of a Screen. |
The commands used by skiptool can be found in the SunScreen SKIP 1.5.1 User's Guide.
ss_install is a text-based command-line utility for creating an initial SunScreen configuration. ss_install, combined with pkgadd, is the command-line equivalent to the installation wizard graphical user interface.
ss_install interactively queries you with various options for configuring the SunScreen, creates a configuration, stores it under the policy name "Initial", and activates it. After ss_install is complete, you can administer the firewall.
ssadm is the primary command-line tool for SunScreen administration. ssadm has a number of sub-commands that perform various operations such as editing and activating a configuration, and examining the status of a Screen.
ssadm runs directly on a locally administered Screen, or indirectly from a remote Administration Station that is using SunScreen SKIP to encrypt IP network communications passing between them. See the SunScreen SKIP User's Guide for more information regarding SKIP encryption.
Usage:
ssadm [-b] [-n] sub-command [parameters...]
ssadm [-b] [-n] -r remotehost [-F ticketfile] sub-command [parameters...]
Options:
-b -- Allow binary data (instead of text) in standard input and output.
-n -- Do not read any input from standard input.
-r remotehost -- Access remote Screen using address or hostname remotehost.
-F ticketfile -- Use authorization ticket stored in ticketfile.
The available ssadm sub-commands are each described in the ssadm Sub-Command section of this document.
The -b option normally is not needed since those commands that process binary data enable the binary mode automatically. For example, ssadm backup, ssadm restore, ssadm log, ssadm logdump, and ssadm patch handle binary data even if -b is not specified.
When ssadm is executed locally on the Screen (that is, without the -r option) no login or authentication is required, but you must be superuser to have any effect.
When ssadm is used with the -r option to access a remote Screen, login authentication is required. You must use the ssadm login command to get a ticket that is used by subsequent invocations of ssadm to allow access to the remote Screen. Normally, the ticket is stored in a ticketfile, the name of which can be specified using the -F option, or through the SSADM_TICKET_FILE environment variable. See the ssadm login command for information about ticket files and remote administration using ssadm.
You can configure a local Screen by typing the commands listed in this appendix using the Screen's keyboard. For example, to activate a policy called "Initial," you would type:
# ssadm activate Initial |
where ssadm is the command you want to execute, activate is the name of the ssadm subcommand, and Initial is the name of the policy you want to activate.
The ssadm command resides in the /opt/SUNWicg/SunScreen/bin directory. Include this directory in your directory search path to have access to the commands on the local Screen.
You can configure a Screen from a remote Administration Station by preceding the commands listed in this appendix with the ssadm -r command and the name of the Screen you want to administer. For example, to activate the policy "Initial" on a remote Screen called SunScreen1, you would type:
# ssadm -r SunScreen1 activate Initial |
where ssadm -r indicates that you want to execute a command on a remote Screen called SunScreen1, activate is the name of the ssadm sub-command, and Initial is the name of the policy you want to activate
A local ssadm command can be turned into a remote ssadm command by adding -r remote_Screen_name immediately after ssadm.
When ssadm is used with the -r option to access a remote Screen, the name of the ticketfile can be specified using the -F option, or through the SSADM_TICKET_FILE environment.
If you are using remote administration, you must log in before you can perform most ssadm commands.
Type the following:
# export SSADM_TICKET_FILE # touch $SSADM_TICKET_FILE # chmod go= $SSADM_TICKET_FILE # ssadm -r SunScreen1 login username password WRITE access <E23B344150C702EC> |
Type the following:
# ssadm -r SunScreen1 logout |
The following table lists the SunScreen ssadm sub-commands and their descriptions. Many ssadm sub-commands duplicate administration GUI functions, while others provide a context for other sub-commands.
Table A-2 SunScreen ssadm Sub-Command Summary
ssadm Sub-command |
Description |
---|---|
activate |
Activate a Screen policy. |
active |
List information about the currently active policy. |
algorithm |
List algorithms supported by SKIP. |
backup |
Write a SunScreen backup file to standard output. |
debug_level |
Set or clear the level of debugging output generated by a Screen. |
edit |
Run the SunScreen configuration editor. See Configuration Editor Sub-Command Summary. |
ha |
Configure the features of a High Availability (HA) Screen. |
lock |
Examine or remove the protection lock that the configuration editor places on a policy file. |
log |
Maintain the Screen log file. |
logdump |
Interpret Screen logs and displays their contents. |
login |
Authenticate a user for administrative access through ssadm to a Screen from a remote Administration Station. |
logmacro |
Expands SunScreen logmacro objects. |
logout |
Terminate the session created by ssadm login. |
logstats |
Print information about the SunScreen log. |
patch |
Install patch, as needed. |
policy |
Create, delete, list, rename Screen policies. |
product |
Print single line of descriptive SunScreen use. |
restore |
Read a backup file from standard input. |
securid |
Configure the client layer of the SecurID system. |
sys_info |
Print a description of running SunScreen software. |
traffic_stats |
Report summary information about the traffic flowing through the SunScreen, classified by interface. |
You maintain user-controlled data by using the edit command that is a sub-command of ssadm.
When you need to look at or change a policy in some way like Move or Delete, you invoke the configuration editor and enter a series of commands that end with save and quit requests.
Be sure to save change commands, such as add, del, rename, renamereference, insert, replace, and move, before you quit. Run save just before the quit command to avoid accumulating too many policy versions.
The ssadm edit commands are used when running the configuration editor, which is responsible for maintaining the SunScreen configuration database.
The following table lists the SunScreen configuration editor ssadm edit sub-commands and their descriptions. Many sub-commands duplicate administration GUI functions, while others provide a context for other sub-commands.
Table A-3 SunScreen Configuration Editor ssadm edit Sub-Command Summary
edit Sub-Command |
Description |
---|---|
list |
Display all data for all entries or a specific entry of a give TYPE. |
list_name |
Display the set of unique basenames and sub-type of all of a given TYPE. |
search |
Search for objects that match specified criteria. |
add |
Create or redefine an entry. |
add_member |
Add a member to a group or list. |
del[ete] |
Delete the specified entry of the given TYPE. |
del[ete]_member |
Delete a member from a centralized management group or list. |
insert |
Insert a new object of one of the ordered (indexed) types in a specified position in the corresponding list. |
|
|
move |
Move an indexed entry from its current location in the ordered list to the new location. |
replace |
Replace an object at a specified index. |
refer |
Determine if a named-object of a given TYPE is referred to in the current policy. |
referlist |
Display a list of all entries in the current policy that refer to a specified named-object of a given TYPE. |
rename |
Rename a specified named-object of a given TYPE. |
renamereference |
Renames all references to a specified named-object of a given TYPE. |
load |
Load a policy into the configuration editor. |
lock |
Lock the policy in anticipation of performing edits. |
lock_status |
Return the status of the lock relative to this editor. |
save |
Save all current edits to the policy. |
reload |
Discard any and all edits, if made, and reload the data into the editor from the database. |
verify |
Takes no arguments and verifies the currently loaded policy. |
authuser |
Manipulates the list of authorized users. |
jar_hash |
Manipulates the list of JAR hashes used by the HTTP proxy. |
jar_sig |
Manipulates the list of JAR signatures used by the HTTP proxy. |
mail_relay |
Manipulates the list of mail relays used by the SMTP proxy. |
mail_spam |
Manipulates the list of spam domains used by the SMTP proxy. |
proxyuser |
Manipulates the list of proxy users. |
vars |
The vars command in the configuration editor manipulates variables used for RADIUS configuration. See the section on RADIUS configuration in the SunScreen Reference Manual for more information. |
quit |
Cause the editor to terminate if there are no unsaved changes. |
QUIT |
Cause the editor to terminate even if there are unsaved changes. |
Unlike many of the other ssadm sub-commands, the configuration editor allows editing only one policy at a time. When you are in an editing session, others are unable to edit, and can only read the policy.
You invoke the configuration editor with the edit command, which is a sub-command of ssadm, and the name of your policy, such as Initial. Once it is running, the prompt becomes: edit>.
For a locally administered Screen, type:
# ssadm edit policy_name |
For a remotely administered Screen, type:
# ssadm -r Screen_name edit policy_name |
Add a new policy, for example, myconfig, by typing:
For local administration:
# ssadm policy -a myconfig |
For remote administration:
# ssadm -r Screen_name policy -a myconfig |
Copy a policy by typing:
For local administration:
# ssadm policy -c myconfig myconfigcopy |
For remote administration:
# ssadm -r policy -c myconfig myconfigcopy |
Rename a policy by typing:
For local administration:
# ssadm policy -r old_name new_name |
For remote administration:
# ssadm -r Screen_name policy -r old_name new_name |
Delete a policy by typing:
For local administration:
# ssadm policy -d name |
For remote administration:
# ssadm -r Screen_name policy -d name |
Verify the validity of a policy, for example, myconfig, by typing:
For local administration:
# ssadm activate -n myconfig |
For remote administration:
# ssadm -r Screen_name activate -n myconfig |
Activate a policy by typing:
For local administration:
# ssadm activate myconfig |
For remote administration:
# ssadm -r Screen_name activate myconfig |
Type the following to back up a policy:
For local administration:
# ssadm backup > filename |
For remote administration:
# ssadm backup Screen_name > filename |
Restore a policy, for example, myconfig, by typing:
For local administration:
# ssadm restore < myconfig |
For remote administration:
# ssadm -r Screen_name restore < myconfig |
Type the following to add the service ftp-34, service engine, discriminator, parameters, and an optional description within quotation marks.
You only need to type in the "PARAMETERS 1200 1200 1" in the example below if you do not want to use the default values. See the SunScreen Reference Manual for the default parameters for the state engines
edit> add service ftp-34 SINGLE FORWARD ftp PORT 34 PARAMETERS 1200 1200 1 COMMENT "ftp-34 uses port 34 instead of port 21. Use ftp-34 instead of the supplied ftp service." |
Type the following to see the new service ftp-34:
edit> list service ftp-34 "ftp-34" SINGLE FORWARD "ftp" PORT 34 PARAMETERS 1200 1200 1 COMMENT "ftp-34 uses port 34 instead of port 21. Use ftp-34 instead of the supplied ftp service." |
Although SunScreen lets you change the default services in service groups, to make any troubleshooting easier, it is better to add a new service group that contains the services that you want.
Type the following to add the service group "useful services" and an optional description within quotation marks:
For local administration:
edit> add service "useful services" GROUP www archie gopher COMMENT "A new service group that is used instead of common services." |
The description will appear in the Service Details field that appears when you choose a service or service group for a policy rule using the Policy Rule Definition dialog window.
Type the following to list the new service group "useful services."
edit> list service "useful services" |
Add the GROUP again with the modified member list. The new version will overwrite the old version.
SunScreen lets you rename a single service or a service group. To make troubleshooting easier, do not rename the single services and service groups that are supplied with SunScreen.
Type the following to rename the old service or service group to the new name and all references to it, for example:
edit> renamereference service "useful services" "dmz services" |
Type the following to rename the old service or service group to the new name only, for example:
edit> rename service "useful services" "dmz services" |
To have the changes take effect, you must activate the policy whose rules you edited.
SunScreen lets you delete a single service or a service group. To make any troubleshooting easier, do not delete the single services and service groups that are supplied with SunScreen.
This command does not check for references to the single service or service group that you are deleting.
Type the following to delete a service or service group, for example to delete the service group "dmz service":
edit> del service "dmz services" |
To have the changes take effect, you must activate the policy whose rules you edited.
To check references to the single service or service group that you want to delete or have deleted:
Type the following to find references to the service or service group that you want to delete or have deleted, for example:
edit> referlist service "dmz services" |
You see a list of all the instances where the service or service group is used. You, then, can remove the service or service group from the service group in which it is used, and edit the rule to remove it from the rule or rules in which it is used.
SunScreen lets you define a new host address.
Type the following to add the new host address and an optional description within quotation marks:
edit> add address ftp-www HOST 172.16.1.2 COMMENT "Address of the DMZ host" |
To have the changes take effect, you must activate the policy whose rules you edited.
Type the following to add an address range and an optional description within quotation marks, for example:
edit> add address corp RANGE 172.16.3.2 172.16.3.255 COMMENT "All hosts in corporate" |
To have the changes take effect, you must activate the policy whose rules you edited.
Type the following to add an address group and an optional description within quotation marks, for example:
edit> add address Internet GROUP { corp sales ftp-www } {} COMMENT "The ranges corporate and sales and the host ftp-www have access to the Internet" |
To have the changes take effect, you must activate the policy whose rules you edited.
To make troubleshooting easier, do not delete the names of addresses, ranges of addresses, and lists of addresses that were defined when SunScreen was installed.
This command does not check for references to the address, range of addresses, or list of addresses that you are deleting.
Type the following to delete an address, a range of addresses, or a list of addresses, for example:
edit> del address host0 |
To have the changes take effect, you must activate the policy.
To check references to the address, range of addresses, or list of addresses that you want to delete or have deleted, use these commands:
Type the following to find the reference to an address, a range of addresses, or a list of address that you want to delete or have deleted, for example:
edit> referlist address host0 |
You see a list of all the instances where the address, range of addresses, or list of addresses is used. You, then, can remove the address, range of addresses, or list of addresses from the address list in which it is used, and edit the policy rule to remove it from the rule or rules in which it is used.
To make troubleshooting easier, do not delete the names of addresses, ranges of addresses, and lists of address that were defined when SunScreen was installed.
Type the following to rename an address, a range of addresses, or a list of addresses and all reference to it, for example:
edit> renamereference address ftp-www DMZ |
Type the following to rename an address, a range of addresses, or a list of addresses only, for example:
edit> rename address ftp-www DMZ |
To have the changes take effect, you must activate the policy whose rules you edited.
Each type of certificate requires a particular Name Space ID (NSID) and the Master Key ID (certificate ID) of the certificate:
Certificate IDs that use the IP address use the NSID 0 convention with the IP address as the MKID.
Certificate IDs use the NSID 1 convention with an MKID of 8 hexadecimal digits (32 bits}.
Diffie-Hellman certificates use the NSID 8 convention with an MKID of 32 hexadecimal digits (128 bits).
NSIDs and certificate IDs are described in the SunScreen Reference Manual.
Presently, you can only do this with local administration. Therefore, for a remotely administrated Screen, you must go to the Screen to add Screen certificates from a diskette or a file.
This example shows adding a private certificate key and certificate.
Insert the diskette that contains the private certificate, if you are using Sun CA X.509 keys and certificates, into the diskette drive of the Administration Station.
You also can add a new private keys and certificates from a directory that contains only one set of private key and certificate files.
If you are adding a private key and certificate from a directory, you do not need this step and step 2.
Mount the diskette by typing:
# volcheck |
Type the path to the directory where the private key and certificate are stored and the following command and the name of the directory to add the private key and certificate, for example:
# install_skip_keys -icg /floppy/unnamed_floppy |
Type the following to eject the diskette, if you are using Sun CA X.509 keys and certificates:
# eject unnamed_floppy |
If you are adding a private certificate from a directory, you do not need this step.
Store the diskette that contains the private key and public certificate safely and securely. It contains sensitive information that is not encrypted.
Type the following to restart the SKIP key manager to update the certificate database:
# skipd_restart |
Type the following to name the private key and certificate you have just added, for example:
edit> add certificate sales-home SINGLE NSID 1 MKID "0xA0050E" COMMENT "Use this cert for tunnelling to home from NY" |
Where sales-home is the name that you are giving the certificate; 1 is the NSID; A00050E is the certificate ID.
Presently, you can only do this with local administration; therefore, for a remotely administrated Screen, you must somehow gain access to the Screen's crt.file, then the commands will work. One means of gaining access to this file might be through the rlogin command, if you have a policy rule that allows this.
To use this command you must first have saved the local identity and the secret key to separate files. For example, you may have extracted the self-generated certificate ID keys that you generated on a Screen to a diskette. You do this because it is impossible to generate the same key later, should you have to reinstall the SunScreen software. Once you have swapped certificate IDs with a number of peer systems, it becomes difficult to fix things in a timely manner.
The SunScreen installation programs all intrinsically rekey the SunScreen being installed. While this is not a serious problem, it means that you have to add your old keys back into the database before configuring the Screen for any virtual private networks (VPN) that existed. See the SunScreen Reference Manual for information about VPNs.
Type the following to add the Screen's local identity.
# skiplocal -a -T soft -t x509 -n 1 -c certificate_filename -s secret_filename |
This example shows adding a CA key and certificate. If you are adding a self-generated key and certificate, the value for -t is dhpublic and the value for -n is 8.
Type the following to restart the SKIP key manager to update the certificate database:
# skipd_restart |
Type the following to name the private key and certificate you have just added, for example:
edit> add certificate sales-home SINGLE NSID 1 MKID "0xA000050E" COMMENT "certificate for home sales" |
where sales-home is the name that you are giving the certificate; 1 is the NSID; A00050E is the MKID.
For local administration:
Type the following to create a self-generated Screen certificate, for example:
# skiplocal -k -m 512 |
The example shows generating a global (512-bit) key.
Use the -m followed by the modulus size in bits of the encryption for which you want to create a new certificate, if you have installed more than one encryption strength. The modulus sizes are:
Global (1024 bits)
U.S. and Canada Only (4096 bits)
You see the following message on the Screen:
generating local secret with 512 modulus size It would help the quality of the random numbers if you would type 50-100 random keys on the keyboard. Hit return when you are done. |
Type 50 to 100 random keys.
As you type the random keys, the number of keys appears on the screen.
After you press the Return key, you see the continuation of the message on the screen:
100 Format: Hashed Public Key (MD5) Name/Hash: 3f 3c f9 d0 52 85 a3 be 1e 6d 4e cb e4 9e 49 e7 Not valid Before: Fri Apr 17 17:00:00 1998 Not valid After: Thu Apr 17 17:00:00 2003 g: 2 p: f52aff3ce1b1294018118d7c84a70a72d686c40319c807297aca950cd9969fab d00a509b0246d3083d66a45d419f9c7cbd894b221926baaba25ec355e92a055f public key: 9945eb0a204efd9643a3aeb42f80d18a22a194232ef6e18809b4b80ac6227100 0b24fbd0a01608a6b3fe92a3ab107efd1970c398cdc2d0f73effea55c1cb0565 Added local identity slot 12 |
Type the following to restart the SKIP key manager to update the certificate database:
# skipd_restart |
Type the following to add the new certificate and its name to the certificate database, for example:
edit> add certificate sales-home SINGLE NSID 8 MKID "0x3f3cf9d05285a3be1e6d4ecbe49e49e7" COMMENT "This is the Screen's key for the home sales network." |
Because this is a self-generated UDH certificate, the NSID is 8.
To enter the certificate ID:
For remote administration:
Type the following to create a self-generated Screen certificate, for example:
# ssadm -r Screen_name lib/skiplocal keygen -k -m 1024-f |
You must use the -f flag with remote administration. This flag suppresses the prompt to type random keys on the keyboard.
The example shows generating a global (1024 bit) key.
Use the -m flag followed by the modulus size in bits of the encryption for which you want to create a new certificate, if you have installed more than one encryption strength. The modulus sizes are:
Global (1024 bits)
U.S. and Canada Only (4096 bits)
You see the following message on the screen:
generating local secret with 1024 modulus size Format: Hashed Public Key (MD5) Name/Hash: 3f 3c f9 d0 52 85 a3 be 1e 6d 4e cb e4 9e 49 e7 Not valid Before: Fri Apr 17 17:00:00 1998 Not valid After: Thu Apr 17 17:00:00 2003 g: 2 p: f52aff3ce1b1294018118d7c84a70a72d686c40319c807297aca950cd9969fab d00a509b0246d3083d66a45d419f9c7cbd894b221926baaba25ec355e92a055f public key: 9945eb0a204efd9643a3aeb42f80d18a22a194232ef6e18809b4b80ac6227100 0b24fbd0a01608a6b3fe92a3ab107efd1970c398cdc2d0f73effea55c1cb0565 Added local identity slot 12 |
Type the following to restart the SKIP key manager to update the certificate database:
# ssadm -r Screen_name lib/skipd_restart |
After entering the editor (remote login), type the following to add the new certificate and its name to the certificate database, for example:
edit> add certificate sales-home NSID 8 MKID "0x3f3cf9d05285a3be1e6d4ecbe49e49e7" COMMENT "This is the Screen's key for the home sales network." |
Because this is a self-generated UDH certificate, the NSID is 8.
To enter the certificate ID:
For tunnelling with a remote administration station, see the editor command accessremote. For tunnelling with encrypted packet filtering, see "Policy Rules." Tunnelling is also described in the SunScreen Reference Manual.
Presently, you can only do this with local administration; therefore, for a remotely administrated Screen, you must go to the Screen to add Screen certificates from a diskette or a file.
Insert the diskette that contains the public certificate, if you are using issued certificates, into the diskette drive of the Administration Station.
You also can add new private keys from a directory that contains only one set of certificate files. If you are adding private certificate from a directory, you do not need this step and step 2.
Mount the diskette by typing:
# volcheck |
Type the path to the directory where the public certificate are stored and the following command and the name of the directory to add the public certificate, for example:
# /floppy/floppy0/install_skip_keys A00050B |
This example shows adding a public certificate ID:
Type the following in the terminal window to eject the diskette, if you are using issued certificates:
# eject floppy0 |
If you are adding a public certificate from a directory, you do not need this step.
Type the following to name the public certificate you have just added, for example:
edit> add certificate NYcert NSID 1 "0xA00050B" COMMENT "NY office public cert" |
Where NYcert is the name that you are giving the certificate; 1 is the NSID; A00050B is the certificate ID.
Each type of certificate requires a particular Name Space ID (NSID) and the Master Key ID (certificate ID) of the certificate.
Issued certificates use the NSID 1 convention with a certificate ID of 8 hexadecimal digits (32 bit).
Diffie-Hellman certificates use the NSID 8 convention with an certificate ID of 32 hexadecimal digits (128 bit).
NSIDs and certificate IDs are described in the SunScreen Reference Manual.
The tunnelling address is specified as an option in the rule that uses the key, or in the remote administration rule.
After you have named certificate IDs in the rule, you can group them into logical groups, so that you can use a group instead of single names in a rule:
edit> add certificate sales-list GROUP sales-co sales-il sales-tx sales-sca sales-nca COMMENT "list of U.S. sales offices" |
Type the following to add a new member to a certificate group, for example:
edit> add_member certificate sales-list sales-wy |
Type the following to remove a new member to a certificate group, for example:
edit> del_member certificate sales-list sales-wy |
To make troubleshooting easier, do not rename the certificates that were created when you installed a remotely administered SunScreen.
When you rename a certificate group using this command, SunScreen checks for all instances in the certificate policy object for the old name and changes them to the new name. It does not rename references in other places, like administrative rules and policy rules.
Type the following to rename a certificate or certificate group, for example:
edit> renamereference certificate sales-ny sales-northeast |
To make troubleshooting easier, do not delete the certificates that were created when you installed a remotely administered SunScreen.
This command does not check for any references to the certificate or certificate group that you are deleting.
Type the following to delete a certificate or certificate group, for example:
edit> del certificate sales-la |
If you want to check references to the certificate that you want to delete or have deleted,
Type the following to find the reference to a certificate and certificate group that you want to delete or have deleted, for example:
edit> refer certificate sales-la |
You see a list of all the instances in the certificate database where the certificate is used. You, then, can remove it from the access entries in which it is used, and edit any policy rule in which it is used to remove it.
If you want to check references to the certificate group that you want to delete or have deleted,
Type the following to find the reference to a certificate and certificate group that you want to delete or have deleted, for example:
edit> referlist certificate sales-west |
You see a list of all the instances in the certificate database where the certificate group is used. You, then, can remove it from the access entries in which it is used, and edit any policy rule in which it is used to remove it.
The Screen object controls much of the identity of SunScreen. It contains information for your stealth, HA, cluster, and administrative rules. Upon installation, a Screen object is created, which you can edit. As with other common objects you can edit, you must specify all the options that you want to set; otherwise the options are set to off, the default.
To add a screen object with a previously- created certificate, using DNS and NIS for Name Service, pass routing information, and a comment, type the following:
edit> add screen vorticity ADMIN_CERTIFICATE vorticity.admin RIP DNS NIS COMMENT "The screen that protects the sales office" |
Type the following to list all the Screens:
edit> list screen "sphere" ADMIN_CERTIFICATE "sphere.admin" CDP RIP DNS COMMENT "This is the data center screen" |
To add an SNMP receiver to the previous Screen:
edit> add screen sphere ADMIN_CERTIFICATE sphere.admin RIP DNS NIS SNMP 10.100.253.200 |
To add multiple SNMP receivers to the previous Screen object:
edit> add screen vorticity ADMIN_CERTIFICATE vorticity.admin ROUTING DNS NIS SNMP 10.100.253.200 10.100.253.254 |
To add a Time Status Indicator of 30 minutes to the previous Screen object:
edit> add screen vorticity ADMIN_CERTIFICATE vorticity.admin ROUTING DNS NIS SNMP_TIMER 30 SNMP 10.100.253.200 10.100.253.254 |
To remove SNMP receivers from the Screen, do not include them in the Screen object when you set it:
edit> add screen vorticity ADMIN_CERTIFICATE vorticity.admin RIP DNS NIS |
The Screen object allows you to set the maximum size of your log file. The value is in Mb, where 200 is 200 Mb.
At the command line prompt, type:
edit> add screen sphere ADMIN_CERTIFICATE sphere.admin CDP RIP DNS SNMP 10.100.253.200 LOGSIZE 200 |
Type the following:
edit> add screen vorticity ADMIN_CERTIFICATE vorticity.admin RIP STEALTH_NET 10.100.253.0 255.255.255.0 COMMENT "The screen in Stealth Mode" |
Before you add a new interface, you must define the address group that the interface will use.
Type the following to define the interface qe0 with no logging, no SNMP alerts, and ICMP_PORT_UNREACHABLE:
edit> add interface qe0 ROUTING qe0 ICMP PORT_UNREACHABLE |
Type the following:
edit> add interface qe0 ROUTING qe0 LOG DETAIL SNMP ICMP PORT_UNREACHABLE |
To make any troubleshooting easier, do not rename the certificates that were created when you installed a remotely administered SunScreen.
The authorized user object is used to establish a user identity and provide a mechanism to authenticate it by:
Type the following to add an authorized user:
For local administration:
edit> authuser add admin1 PASSWORD={ "foo" } CONTACT_INFO=br@nncc REAL_NAME="Ben Ruhmduhm" DESCRIPTION="created for remote administration" |
Although the password is in plain text when you add a user, it is automatically encrypted and the password will be displayed as empty quotation marks (" "). Enabled is the default.
The description field cannot contain single (` `) or double (" ") quotation marks as in, for example, the description: This user, test_user is for `testing' only.
All changes apply immediately.
For the changes to take effect in policy and administrative access rules, you must activate the policy.
Type the following to add an authorized user:
For local administration:
edit> authuser add admin1 SECURID={ "C2BR" } CONTACT_INFO=br@nncc REAL_NAME="Ben Ruhmduhm" DESCRIPTION="created for remote administration" |
For remote administration:
edit> authuser add admin1 SECURID={ "C2BR" } CONTACT_INFO=br@nncc DESCRIPTION="created for remote administration" |
Enabled is the default. All changes apply immediately. For the changes to take effect in policy and administrative access rules, you must activate the policy.
Type the following to modify the information for a user, for example to change the SecurID name from C3BR to C4BR:
edit> authuser add admin1 SECURID={ "C4BR" } CONTACT INFO=br@nncc REAL_NAME="Ben Ruhmduhm" DESCRIPTION="reated for remote administration" |
The new parameters for the user will overwrite the old parameters. All changes apply immediately.
Modifications to passwords or SecurID passcodes take place immediately. For other changes to take effect in policy and administrative access rules, you must activate the policy.
Type the following to delete an authorized user, for example:
edit> authuser delete admin1 |
Policy Rules are ordered; that is, they are executed in the order in which they are listed. You can define them in the order in which you want them to take effect or you can reorder your policy rules after you have defined them.
Type the following to add a new rule at the end of a policy with the following attributes:
ping as the service
* as the Source Address
* as the Destination Address
SKIP Version 2 as the encryption with Encryption Details:
From Encryptor is cert-1
To Encryptor is cert-2
Key Algorithm is DES-CBC
Data Algorithm is RC2-40
MAC algorithm is MD5
NONE for the compression (This is the only possible value at present.)
ALLOW as the Action and Action Details:
NONE for the compression (This is the only possible value at present.)
edit> add Rule ping * * ALLOW SKIP_VERSION_2 cert-1 cert-2 DES-CBC RC2-40 MD5 NONE LOG SUMMARY |
All other options assume default values unless specified (for example, SNMP is off).
Type the following to add a new rule at a particular position, for example, at the beginning of the policy:
edit> insert Rule 1 ping * * ALLOW SKIP_VERSION_2 cert-1 cert-2 DES-CBC RC2-40 MD5 NONE LOG SUMMARY |
Type the following to produce an ordered list of rules for the policy:
edit> list rule |
An ordered list of policy rules is displayed, as shown in this example.
1 "www" "*" "*" ALLOW 2 "finger" "*" "*" ALLOW 3 "ftp" "*" "localhost" USER "admin" ALLOW LOG DETAIL PROXY_FTP FTP_GET FTP_CHDIR FTP_RENAME FTP_DELETE 4 "daytime" "localhost "*" ALLOW 5 "telnet" "*" "*" ALLOW 6 "echo" "localhost" "*" ALLOW |
Type the following to move a policy rule to a new position:
edit> move rule 4 5 |
Type the following to delete the policy rule 5:
edit> del rule 5 |
Type the following to list the edited ordered list of policy rules:
edit> list rule |
The new list of policy rules is displayed.
1 "www" "*" "*" ALLOW 2 "finger" "*" "*" ALLOW 3 "ftp" "*" "localhost" USER "admin" ALLOW LOG DETAIL PROXY_FTP FTP_GET FTP_CHDIR FTP_RENAME FTP_DELETE 4 "daytime" "localhost "*" ALLOW 5 "telnet" "*" "*" ALLOW 6 "echo" "localhost" "*" ALLOW |
You can edit a component or the components of a policy rule by using the following procedure. The example shows how to modify the action.
Type the following to list all the rules in the policy:
edit> list rule |
An ordered list of policy rules is displayed.
1 "www" "*" "*" ALLOW 2 "finger" "*" "*" ALLOW 3 "ftp-proxy" "*" "localhost" USER "admin" ALLOW LOG_DETAIL PROXY_FTP FTP_GET FTP_CHDIR FTP_RENAME FTP_DELETE 4 "daytime" "localhost "*" ALLOW 5 "telnet" "*" "*" ALLOW 6 "echo" "localhost" "*" ALLOW |
Type the following to change the action of policy rule 5 from ALLOW to DENY by inserting a new policy rule with the action changed:
edit> replace rule 5 telnet * * DENY LOG DETAIL |
Type the following to remove the policy rule with the old action.
For local administration:
edit> del rule 5 |
Type the following to list the rules for the policy, for example:
edit> list rule |
The list of policy rules is displayed, showing the rule with the new values replaces the old rule.
1 "www" "*" "*" ALLOW 2 "finger" "*" "*" ALLOW 3 "ftp-proxy" "*" "localhost" USER "admin" ALLOW LOG DETAIL PROXY_FTP FTP_GET FTP_CHDIR FTP_RENAME FTP_DELETE 4 "daytime" "localhost" "*" ALLOW 5 "telnet" "*" "*" DENY 6 "echo" "localhost" "*" ALLOW |
To have the changes take effect, you must activate the policy whose rules you edited.
Type the following to add an administrative access rule for local administration:
edit> add accesslocal USER admin3 PERMISSION ALL |
Type the following to list the administrative access rules for local administration:
edit> list AccessLocal |
By default, an Admin User is created during installation.
The following approximates the output that is displayed:
1 USER "admin" PERMISSION ALL 2 USER "admin3" PERMISSION ALL |
Type the following to replace an administrative access rule with a new value for a particular user for local administration:
edit> replace AccessLocal 2 USER "admin3" PERMISSION STATUS |
Do not delete all the administrative access rules.
Type the following to delete the administrative access rule for local administration:
edit> del AccessLocal 2 |
Where 2 is the number, in the ordered rules, that you want to delete.
Type the following to add an administrative access rule for remote administration:
edit> add accessremote USER admin3 * SKIP_VERSION_2 admin-group DES-CBC DES-CBC MD5 NONE |
This administrative access rule allows the access level ALL for the admin 3 user at a remote Administration Station on the Internet to use the GUI and command line to administer the Screen.
Make a note of the encryption parameters if you change them because they have to match the encryption parameters on the remote Administration Station.
Type the following to list the administrative access rules for remote administration, for example:
edit> list accessremote |
The following approximates the output that is displayed:
1 USER "admin" "*" SKIP_VERSION_2 "admin-group" "DES-CBC" "DES- CBC" "NONE" "NONE" PERMISSION ALL 2 USER "admin3" "*" SKIP_VERSION_2 "admin-group" "DES-CBC" "DES- CBC" "NONE" "NONE" PERMISSION ALL |
Type the following to replace an administrative access rule with the value or values for a particular user for remote administration with a new value, for example, STATUS, for the access level:
edit> replace accessremote USER admin3 * SKIP_VERSION_2 admin- group DES-CBC DES-CBC NONE NONE PERMISSION STATUS |
This administrative access rule changes the access level for admin3 at a remote Administration Station on the Internet to STATUS.
Do not delete all the administrative access rules.
Type the following to delete an administrative access rule for remote administration:
edit> del accessremote 2 |
Where 2 is the number, in the ordered rules, that you want to delete.
When using NAT, be sure that, when you are defining a static mapping, the ranges and groups used in the Source and Translated Source fields are exactly the same size.
Also, be sure that the ranges and groups used in the Destination and Translated Destination fields are exactly the same size.
Type the following if the networks that attach to the Screen on the inside have internal addresses, including any network on which there are addresses to which you want to allow external access:
# arp -s IP_Address ether_address pub |
You must either add this entry each time that you reboot the Screen or you can write your own script to automate this function. If you are remotely administering the Screen, you either must go to the Screen to add this entry or have a rule in your policy that will allow you to rlogin to the Screen.
Type the following command to create a static NAT entry that maps an internal address to an external address.
For local administration:
edit> add nat STATIC src dest translated_src translated_dest |
In most cases when defining a static mapping, the internal address and external address are each a single address, but can be a range or a list.
Repeat for every mapping that you want.
Use the same command to map for dynamic NAT. Use DYNAMIC instead of STATIC as the type of NAT entry desired.
You may also use a range of addresses or a group of addresses.
To have the changes take effect, you must activate the policy whose rules you edited
Type the following command to delete a NAT entry that maps internal address to an external address, regardless of whether mapping is static or dynamic:
edit> del nat 1 |
To have the changes take effect, you must activate the policy whose rules you edited.
Type the following command to list a NAT entry that maps internal address to a external address, regardless of whether mapping is static or dynamic:
edit> list nat |
You will see a listing that shows type of NAT, the internal address, and the external address:
1 STATIC "105-range" "*" "nat-range" "*" |
Setting up a VPN requires you to have a certificate per screen, and define the address groups involved. For descriptions and concepts of the Virtual Private network, the SunScreen Reference Manual.
At the command line prompt, type:
edit> add vpngateway vpn-net addrgrp-a SKIP cert-a KEY DES-CBC DATA RC4-40 MAC MD5 COMPRESSION NONE |
Where vpn-net is the name of the VPN network, addrgrp-a is an address group that uses the following certificate, and SKIP cert-a is the certificate.
If you are using a tunnel, append TUNNEL address name to the add/replace.
To setup the VPN completely, you should have all the keys, address groups, and vpngateways on each screen. So in a VPN configuration that has two networks connected, you would see something like the following:
edit> list vpngateway 1 "vpn-net" "addrgrp-a" SKIP "cert-a" KEY "DES-CBC" DATA "RC4-40" MAC "MD5" COMPRESSION "NONE" 2 "vpn-net" "addrgrp-b" SKIP "cert-b" KEY "DES-CBC" DATA "RC4-40" MAC "MD5" COMPRESSION "NONE" |
Create an address group containing the address groups for both networks, for example:
edit> add address vpn-grp GROUP { addrgrp-a addrgrp-b } {} |
Define a rule specifying the VPN Gateway:
edit> add rule common vpn-grp vpn-grp ALLOW VPN vpn-net |
VPN Gateways are setup in an ordered manner. To change values, at the command line prompt, type (for example):
edit> replace vpngateway 1 vpn-net addrgrp-a SKIP cert-new KEY DES-CBC DATA RC4-40 MAC MD5 COMPRESSION NONE |
To remove the VPN gateway you must delete the rules and VPN object.
At the command line prompt, type (for example):
edit> del vpngateway 1 |
(Optional) Type the following to display information, such as Product, System Boot Time, SunScreen Boot Time, and Version:
For local administration:
# ssadm sys_info |
For remote administration:
# ssadm -r Screen_name sys_info |
(Optional) Type the following to display the statistics about the traffic flowing through the Screen:
For local administration:
# ssadm traffic_stats |
For remote administration:
# ssadm -r Screen_name traffic_stats |
SunScreen provides flexible logging of packets. A packet can be logged when it matches a policy rule, when does not match a policy rule, or when it matches a policy rule whose action is DENY.
Configure SunScreen to log packets that do not match any particular policy rule.
Most frequently packets are logged because of the DENY action in a rule, or because they do not match any policy rule.
Set the type of logging that you want in the details for the ALLOW action in a policy rule and the type of ICMP reject in the details for DENY action.
Set logging for packets that are dropped because they do not match any policy rule on the Interfaces panel of the Interface page.
Once a log is retrieved, it can be examined using the ssadm logdump command.
Examining logged packets can be a very useful for troubleshooting problems in setting up security policies. For example, when first creating policies, make the default DENY action "log packets." This way, you can review the logs easily. You can also use logging to capture any attempts to break in.
Type the following to display packets in the log file:
# ssadm logdump -i ssadm_log_file |
You can only examine a saved log file from the command line.
ssadm_log_file is the name of a log file that has been downloaded from the Screen.
Type the following to view the current log:
For local administration:
# ssadm log get | ssadm logdump -i - |
Type the following to save a log record to a file:
For local administration:
# ssadm log get > filename |
For remote administration:
# ssadm -r Screen_name log get > filename |
This action clears the log browser's display of any log records without saving them and clears the SunScreen log file.
Type the following to clear the log file:
For local administration:
# ssadm log clear |
For remote administration:
# ssadm -r Screen_name log clear |
This action saves a log to a file and clears the display of any log records.
Type the following to save the log to a file and clear the log:
For local administration:
# ssadm log get_and_clear > filename |
For remote administration:
# ssadm -r Screen_name log get_and_clear > filename |
See Chapter 6, "High Availability," and the SunScreen Reference Manual before using the command line to set up HA.
To install HA on the Screen designated to be the Primary HA Screen (thereby creating a new HA cluster containing one Screen), type the following:
# ssadm ha init_primary interface |
To install HA on the Screen designated to be the Secondary HA Screen type the following:
# ssadm ha init_secondary interface primaryIP |
Where:
interface is the interface to be used for the HA heartbeat and synchronization.
primaryIP is the IP address (on the HA network) of the Primary Screen in the cluster.
To add the HA secondary Screen to the existing HA cluster, execute the following command on the primary machine in the cluster:
# ssadm ha add_secondary secondaryIP |
Where:
secondaryIP is the IP address (on the dedicated HA network) of the Secondary Screen to be added.
After adding an HA Secondary Screen and activating your policy, the new Secondary Screen may become active. If you need to perform additional administration on the Primary Screen, you must direct the Secondary Screen to become passive in order to communicate with the Primary Screen.
An HA setup is installed by using commands outside the configuration editor. Removing the HA setup would consist of removing the HA_* options from the Screen objects on the machines.
For example, a list of the HA setup would be:
edit> list screen "vorticity" MASTER "barotropic" CDP RIP NIS HA_SECONDARY HA_IP 129.192.1.2 "barotropic" ADMIN_CERTIFICATE "barotropic.admin" CDP DNS NIS HA_PRIMARY HA_IP 129.192.1.5 HA_ETHER 8:0:20:9e:e0:66 edit> del screen vorticity edit> add screen barotropic ADMIN_CERTIFICATE barotropic.admin CDP DNS NIS |
Save and activate your configuration.
Type the following to display information, such as the current Active or Passive status of the local HA machine and the current state of the HA daemon.
For local administration:
# ssadm ha status |
For remote administration:
# ssadm -r Screen_name ha status |
Use the following commands to set up a Cluster. Centralized Management Groups are explained in Chapter 6 and in the SunScreen Reference Manual.
The example below illustrates a two-machine cluster setup.
Type the following on both machines in the cluster:
edit> add screen sphere ADMIN_CERTIFICATE "sphere.admin" CDP RIP NIS LOGSIZE 100 edit> add screen velocity ADMIN_IP 10.100.105.5 ADMIN_CERTIFICATE vorticity.admin KEY"DES-CBC" DATA "RC4-40" MAC "MD5" COMPRESSION "NONE" MASTER sphere CDP DNS NIS |
Type the following on the Primary Screen ("sphere" in this example):
edit> del screen vorticity |
Type the following on the Secondary ("vorticity" in this example):
edit> del screen sphere edit> add screen vorticity ADMIN_CERTIFICATE vorticity.admin CDP RIP DNS |
If you have any support issues, call your authorized service provider. For further information about support, use the following URL to contact Enterprise Services: http://www.sun.com/service/contacting.
Collect this information by saving the output of the following SunScreen support commands, as shown in the following table.
Table A-4 Table of Support Commands
Command |
Description |
---|---|
config |
Brings over configuration files for the active configuration |
date |
Sets and gets current time/date. |
disks |
Checks disk space (df -k) |
eeprom |
Checks EEPROM settings. |
findcore |
Checks for a core file. |
last |
Checks boot history. |
packages |
Checks pkginfo and patch history. |
procs |
Checks processes (ps -elf) |
skip |
Checks contents of /etc/skip/ directory. |
statetables |
Displays internal protocol state tables. |
stats |
Checks the kernel networking statistics (netstat -k) |
streams |
Checks the STREAMS statistic (netstat -m). |
versions |
Brings over version information on major SunScreen components. |
The commands are used for remote diagnostics and are sent from a remote Administration Station. Type the following to start these support commands:
# ssadm -r Screen_name lib/support Command |
You can use several commands to gather system information from the Screen. This information may be requested by Sun Service, should you encounter problems with your Screen.
To gather data for a Screen, type:
# ssadm lib/statetables |
Use this command to gather a complete set of data for your Sun Service representative, including:
Statetables
ARP table information
Disk usage
Streams information
SunScreen configuration information and files
Uptime
SKIP information
At the command line prompt, type:
# ssadm lib/screeninfo |
This command gives you access to the commands in the support directory. All the commands in the support directory are invoked by the screeninfo command, yet it may be advantageous to run this command alone if you are seeking limited data.
At the command line prompt, type:
# ssadm lib/support subcommand parameters |
At the command line prompt, type:
# ssadm lib/support help |
You can use the ssadm debug_level command to control the printing of debugging information from the SunScreen kernel.
If you type it with no arguments, ssadm debug_level displays the current debug-level mask. By default, this mask is "1," which means it only reports significant errors.
If you specify a hexadecimal number as an argument for ssadm debug_level, it sets the kernel debugging mask to that level.
Type the following to list the debugging bit choices:
# ssadm debug_level ? |
Select a ssadm debug_level mask by setting all of the debugging bits in which you are interested.
Probably the most useful example of the ssadm debug_level debugging bit is DEFAULT_DROP.
When using the Java Plug-in for Netscape Navigator, follow the instructions in the Netscape release notes. In particular, you should define the MOZILLA_HOME environment variable and include the Netscape installation directory in your PATH, so you do not have to type the full path name every time you run Netscape.
Perform the following steps to install and configure the Netscape browser for SunScreen administration.
Set up environment for installing and running the Java Plug-in.
Install the Java Plug-in by typing:
# sh Java_Plugin_File_Name.sh |
Save the identitydb.obj file. See "Saving the identitydb.obj File".
Access the SunScreen administration GUI in one of two ways:
Set the CLASSPATH environment variable only if you need to install special Java files in Netscape Communicator.
Communicator uses CLASSPATH to find local .class files. If CLASSPATH is set in your environment, only the .jar files and directories specified in the CLASSPATH are searched. If you set your CLASSPATH, you must make sure that each .jar file in $MOZILLA_HOME/java/classes is listed individually in your CLASSPATH.
After installing the Java Plug-in, save the identitydb.obj file to distribute to the Administration Stations.
Save the file identitydb.obj by going to:
http://localhost:3852/plugin/plugins/ |
Press your MENU mouse button and save the link as a file.
If your browser does not support this save, access identitydb.obj in the directory: /opt/SUNWicg/SunScreen/admin/htdocs/plugin/plugins/.
Copy the identitydb.obj file onto a diskette to distribute to all Administration Stations.
If the identitydb.obj file already exists in its proper location, per the following:
UNIX: $HOME single-user Win95: C:\WINDOWS multi-user Win95/98: C:\WINDOWS\PROFILES\username WinNT: C:\WINNT\PROFILES\username |
Add SunScreen as an accepted signer.