SunScreen 3.1 Reference Manual

Chapter 1 SunScreen Overview

This chapter discusses the following topics:

What Is SunScreen?

SunScreen is a versatile firewall used for access control, authentication, and network data encryption. SunScreen integrates the two earlier SunScreen firewall products, SunScreen EFS and SunScreen SPF-200, as modes of operation.

Each physical interface can operate in one of two modes: routing or stealth.

Virtual interfaces are supported only in routing mode. An interface in routing mode has its own IP address and behaves like the interfaces of the SunScreen EFS system. If two or more routing mode interfaces are present, the firewall subdivides a network.

An interface in stealth mode does not have an IP address, nor does it have a TCP/IP stack. Multiple stealth interfaces act like a bridge and do not subdivide a network with respect to routing.

SunScreen consists of a rules-based, dynamic packet-filtering engine for network-access control, and an encryption and authentication engine that allows you to create secure Virtual Private Network (VPN) gateways by integrating public-key encryption technology. It is the first firewall to address high availability (HA) for standards-based encryption. Secure administration is provided through an easy-to-use administration graphical user interface (GUI) through a Web browser.

SunScreen consists of two components: Screen and Administration Station. The Screen is the firewall responsible for screening packets and for performing the necessary encryption and decryption. The Administration Station is where you define your security policy and from where you administer your Screen or Screens. The two components can be installed on separate machines for remote administration or on a single machine for local administration.

SunScreen fuses open-standard SKIP (Simple Key-Management for Internet Protocols) technology for encryption, authentication, access control, and secure virtual private networks (VPN). SunScreen incorporates SunScreen SKIP 1.5.1 for Solaris. You must use the Solaris command line to administer SKIP on the Screen directly.

See the SunScreen SKIP User's Guide, Release 1.5.1, for further information regarding SKIP encryption and administration.

You can administer SunScreen remotely from any computer that has a browser compliant with JDK 1.1.3 and has a supported version of the SKIP software installed. SKIP software is available for the Sun Solaris operating environment and the Microsoft Windows operating environment.

Software and Hardware Requirements

TABLE 1-1 lists the installation requirements for SunScreen.

Table 1-1 SunScreen Installation Requirements

Operating Environment 

  1. Solaris 2.6, Solaris 7, Solaris 8 (with IPv4 only) in either 32-bit or 64-bit mode for SPARC and Intel Editions

  2. Trusted Solaris 7 (SPARC system only).

Administration Station  

Browsers supported:  

  • A Java™-enabled Web browser compliant with JDK™ Release 1.1.3 or later.

  • Netscape Navigator™ 4.5 (with and without the Java plug-in) on the SPARC and Intel platforms

  • HotJava™ 1.1 running on the SPARC and Solaris Intel Edition platforms

  • Netscape Navigator 4.5 (with or without Java plug-in) on the Intel platform

  • Internet Explorer 4.0 (with or without the Java plug-in) on the Intel platform

  • Netscape 4.0.1 or higher can be used for all administrative functions except those requiring local file access. (See below for the system requirements for Internet Explorer and Netscape to run Java plug-ins.)

Hardware 

  1. All SPARCStations, UltraSPARC, and Intel Edition systems that Solaris 2.6, Solaris 7, and Solaris 8 operating environments support

  2. All SPARCStations and UltraSPARC systems that Trusted Solaris 7 supports.

Disk Space 

Minimum of 1 Gbyte (with at least 300 Mbytes unused). This space is needed for the Solaris operating environment, SunScreen software, and sufficient space for storing packet logs. 

Memory 

  • For machines running the Administration Station: a minimum of 32 Mbytes is required and 64 Mbytes is strongly recommended.

  • For machines running just the Screen: a minimum of 32 Mbytes.

Network Interfaces Supported (the Screen can support up to 15 network interfaces of each type at one time)

For the Screen: 

  1. For SPARC and UltraSPARC systems in routing mode:

    • 10-Mbps or 100-Mbps Ethernet interfaces (le, qe, hme, be, qfe)

    • Gigabit Ethernet interfaces

    • Token Ring interfaces

    • ATM (155 and 622 Mbps in LAN emulation mode or classic IP mode)

    • FDDI, or PCI-based Ethernet cards.

  2. For Intel-based systems: 10 Mbps or 100 Mbps Ethernet interfaces (dnet, elxl). See supported devices listed at http://soldc.com.sun/support/divers/hcl/index.html/

  3. High availability requires that the two machines be connected by means of a nonswitching hub. (Alteon switches can be configured to work with SunScreen HA clusters.)

For the Administration Station (a remote Administration Station can connect directly to a Screen only through an Ethernet local area network (LAN) or a Fiber Distributed Data Interface (FDDI) network):

  1. For SPARC systems: 10-Mbps or 100-Mbps Ethernet interfaces (le, qe, hme, be, qfe), or FDDI, or PCI-based Ethernet cards.

    An Administration Station can connect to the Screen by an Asynchronous Transfer Mode (ATM) or Token Ring LAN, but only after it is connected directly to the network by way of an Ethernet or FDDI connection first.

  2. For Solaris Intel Edition systems: 10-Mbps or 100-Mbps Ethernet interfaces (dnet, elxl).

Media 

CD-ROM drive (and a diskette drive, if you are using issued certificates). 

SunScreen includes the HotJava 1.1 software and the SunScreen SKIP for Solaris software. The global encryption strength is now 1024 bit, and 4096 bit replaces 2048 bit as the domestic encryption strength.


Note -

Because of a limitation in SunScreen SKIP 1.5.1 for Solaris, the RC2 encryption algorithm is not available when running Solaris 7 in 64-bit mode.


Required Patches

If you are running Solaris 2.6, SPARC Edition, the patches included on the SunScreen CD-ROM in the /cdrom/cdrom0/sparc/Patches/ directory are installed automatically.

If you are running Solaris 2.6, Intel Edition, the patches included on the SunScreen CD-ROM in the /cdrom/cdrom0/i386/Patches/ directory are installed automatically.


Note -

In addition to the patches provided by SunScreen, install all recommended and security patches available for your operating environment. For reasons of security, you should always keep your operating environment up to date by installing any patches as they become available.

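The note above says to keep the Screen's operating environment current with recommended and security patches. The following POSIX shell function is an added example (not part of the SunScreen manual or the product) that checks a list of required patch IDs against the output of the Solaris `showrev -p` command, reporting any patch that is missing or installed at a lower revision than required. The patch IDs and the `showrev -p` sample it runs against are constructed placeholders, not the patches shipped on the SunScreen CD-ROM.

```shell
#!/bin/sh
# Added example, not from the SunScreen manual: verify required Solaris patches.
# Patch IDs here are placeholders, not real SunScreen or Solaris patch numbers.

# Constructed sample of `showrev -p` output so the check can run offline.
SAMPLE_SHOWREV='Patch: 100000-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 100001-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr'

# installed_rev <patch-base-id> <showrev-output>
# Prints the highest installed revision of the given base id, or nothing.
installed_rev() {
  printf '%s\n' "$2" | sed -n "s/^Patch: $1-\([0-9][0-9]*\) .*/\1/p" | sort -n | tail -1
}

# missing_patches "<required list>" <showrev-output>
# Each required entry is <base>-<minimum revision>, e.g. 100000-01.
# Prints every entry that is absent or below the minimum revision;
# returns 1 if any are missing, 0 if the system satisfies the list.
missing_patches() {
  rc=0
  for req in $1; do
    base=${req%-*}
    minrev=${req#*-}
    have=$(installed_rev "$base" "$2")
    if [ -z "$have" ] || [ "$have" -lt "$minrev" ]; then
      echo "$req"
      rc=1
    fi
  done
  return $rc
}

# On a real Screen, feed the live output instead of the sample:
#   missing_patches "100000-01 100001-05" "$(showrev -p)"
```

Run the function periodically or from a post-installation check; a non-zero return value means the Screen is not at the patch level your policy requires.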

Java Plug-In Software

Java plug-in software makes it possible for applets using Java technology on your intranet Web pages to use Java Runtime Environment (JRE), instead of the browser's default runtime. Java plug-in software is available for Microsoft Windows- and Sun Solaris-based browsers.

Java plug-in software system requirements:

Java Plug-in software is available at no charge at the following URL: http://java.sun.com/products/plugin/1.1.2/index-1.1.2.html/

See Appendix A, "Using the Command Line," in the SunScreen Administration Guide for instructions on how to install the plug-in software.

Compatibility With Other SunScreen Products

SunScreen can communicate with older SunScreen firewalls either in the clear or as part of a VPN.

The ss_client command that is used in SunScreen SPF-200, Release 1.0, and SunScreen EFS, Releases 2.0 and 3.0, is maintained so that you can still manage Screens running these versions of the software remotely through the command line.


Note -

See Appendix A, Migrating From Previous SunScreen Firewall Products for information regarding command compatibility with previous releases. For information regarding the current commands for SunScreen, see Appendix B, Command-Line Reference.


The SunScreen SKIP encryption system built into SunScreen is completely compatible with other SKIP implementations, such as earlier releases of SunScreen firewall products, SunScreen SKIP for Solaris, or SunScreen SKIP for the Microsoft Windows Operating Environment. SunScreen can exchange encrypted information with other SunScreen firewall products transparently.

To upgrade to SunScreen from earlier SunScreen firewall releases, see the upgrading instructions in the SunScreen Installation Guide.

SunScreen Lite

SunScreen Lite is a stateful, packet-filtering firewall that has a subset of the features in SunScreen. It protects individual servers and small work groups.

This manual is a reference for both the SunScreen and the SunScreen Lite applications. Keep the following differences and similarities in mind when configuring and administering SunScreen Lite.

Limitations

The SunScreen Lite firewall does not support the following features that are available in SunScreen. A SunScreen Lite firewall:

Supported Features

The SunScreen 3.1 Lite firewall:

Online Help and Documentation

Topical help is available for each page of the administration GUI by clicking the Help button on a page or by clicking the Documentation button on the SunScreen navigation buttons banner.

The SunScreen CD-ROM includes a documentation directory that contains files in Hypertext Markup Language (HTML) and Portable Document Format (PDF) format.

Click the Documentation button for the HTML files. They are located in /opt/SUNWicg/SunScreen/admin/htdocs/html.

The PDF files of the documentation are located in /opt/SUNWicg/SunScreen/admin/htdocs/pdf.

The man pages for SunScreen are located in /opt/SUNWicg/SunScreen/man.

The man pages for SunScreen SKIP are located in the standard Solaris man page directory.