SunScreen 3.1 Reference Manual

Chapter 2 SunScreen Concepts

This chapter discusses the following topics:

Security Considerations

A company's assets are at risk when it connects to the Internet. It might want to provide Internet services for customers and other users of the Internet, while allowing its employees to connect to the Internet for services or access to corporate information.

SunScreen

SunScreen divides the network into discrete areas, each served by an interface. You set up filtering rules to control the access to one area from another area, which can be another network within your company or an area outside your company.

FIGURE 2-1 shows a sample map of a simple network in which a Screen in routing mode functions as a firewall and router to connect the Engineering network over an unsecured public network (the Internet) through a Screen in stealth mode to other secure networks.

Figure 2-1 Sample Network Map


The ftp-www server might be the public area of the company, also called the demilitarized zone (DMZ), and the engineering, sales, and corporate network segments might be part of the "private" area. SunScreen can then control access between these areas and the rest of the Internet.

How SunScreen Works

SunScreen is a Solaris software product that supports Solaris 2.6, Solaris 7, and Solaris 8 on SPARC and Intel platforms, and Trusted Solaris 7 on the SPARC platform.


Note -

Upgrade your system to at least Solaris 2.6; SunScreen cannot support Solaris 2.5.1 because of Unicode internationalization requirements.


The administration GUI software works on any hardware or software system with a browser that supports JDK 1.1 (up to and including 1.1.3) and, if you want secure administration, has end-system SKIP installed.

Integration of the two SunScreen firewall products in SunScreen allows you to create either a stealth-mode firewall, which serves as a dedicated perimeter defense and extranet firewall, or a routing-mode firewall, which can serve as a traditional firewall on the perimeter of a network, as a remote-access server inside the intranet that segregates departments, or as a component deployed on an existing application or data server anywhere in the enterprise to control access and provide encryption.

SunScreen and SunScreen SKIP use graphical user interfaces called:

With the installation wizard you can configure your Screen in routing mode, which is the default, or in stealth mode. Following installation, use the administration GUI to administer your Screen locally on the same machine or remotely from an Administration Station.


Note -

For backwards compatibility and for machines without a monitor, the SunScreen installation retains the ss_install command.


With the administration GUI, you can administer single Screens, HA clusters, or centralized management groups of Screens, either locally or remotely.

Use the skiptool GUI to encrypt administration commands that travel from the Administration Station over a potentially insecure network to the Screen. See the SunScreen SKIP 1.5.1 User's Guide regarding the skiptool GUI.

The network address translation (NAT) feature enables a Screen to map an internal network address to a different network address, typically mapping unregistered internal addresses to registered ones. As the Screen passes packets between an internal host and a public network, the addresses in each packet are replaced transparently, checksums and sequence numbers are corrected, and the state of the address map is monitored. Ordered NAT rules, which you write in terms of source and destination addresses, specify when a translation applies to a packet.

The high availability (HA) feature protects data by providing a set of Screens that give failover protection. One member of the HA cluster, the active Screen, services packets traveling between a protected inside network and an insecure outside network. The other members, the passive Screens, receive the same packets, perform the same calculations, and mirror the state of the active Screen, but they do not forward traffic between the inside network and the outside network.

Individual versions of a policy can be copied or saved as a new policy. Each version of a policy is retained, so you can reuse all or a portion of a policy at a later date.

Routing and Stealth Modes

SunScreen includes routing-mode and stealth-mode capabilities.

Routing Mode

Routing-mode interfaces have IP addresses and perform IP routing. Routing mode requires that you connect each interface to a different network with its own network number.

Access to all proxies is through the transmission control protocol (TCP), and proxies can run only on systems configured in routing mode.

Stealth Mode

A stealth-mode firewall partitions an existing single network and, consequently, does not permit you to subnet the network. Stealth-mode interfaces do not have IP addresses; they bridge traffic at the MAC layer.

In stealth mode, you must configure one interface as an administration interface. This interface is a special case of a routing interface, configured so that it passes only encrypted administration traffic to the Screen from a remote Administration Station.

If all of your interfaces are in stealth mode, SunScreen offers optional hardening of the OS, which removes packages and files from the Solaris operating system that are not used by SunScreen.

Both Routing and Stealth Mode

If some of your interfaces are in stealth mode and others are in routing mode, you should not use the OS hardening option that SunScreen offers.

Administration

SunScreen consists of two components: an Administration Station and a Screen. The two components can be installed on separate machines, with the Screen on one or more machines and another machine serving as a remote Administration Station, or they can be installed on a single machine for local administration of a Screen. If both components are installed on a single machine, the Administration Station can administer not only the local Screen but remote Screens as well.

The number of Screens and Administration Stations needed at a site depends on its network topology and security policies. Typically, one Screen is installed at each point where the network has direct public access that needs to be restricted. One or more Administration Stations can manage multiple Screens.

You typically choose whether to administer a Screen locally or remotely when you install the SunScreen software. You can add a remote Administration Station after the Screen software has been installed.

Remote Administration

For remote administration from an Administration Station to the Screen, the software packages, including SunScreen SKIP, are installed on separate machines, as shown in FIGURE 2-2. SunScreen uses SunScreen SKIP to encrypt all communication between the remote Administration Station and the Screen.

Figure 2-2 Remote Administration From an Administration Station to a Screen in Routing Mode


In FIGURE 2-2, a remote Administration Station on the internal network administers the Screen located between the internal network and the Internet. This Screen is the router between the internal network and the Internet. A second remote Administration Station for this Screen is located on the external network. The Administration Stations must be configured to communicate with the Screen using encryption.

Local Administration

Local administration is performed on the same host where the Screen software is installed, as shown in FIGURE 2-3. Because administrative commands do not travel over a network, local administration does not require encrypted communication.

Figure 2-3 Local Administration of a Screen


Locating the SunScreen Screen

A Screen controls only the traffic that passes through it and must, therefore, be placed in the network so that the traffic you want to control passes through it. All packets entering and leaving a network must pass through the Screen that you want to control that network.

FIGURE 2-3 shows a Screen dividing a network. In this case, the Screen is placed at the single boundary between the Internet and the corporate network; it controls the traffic between those two networks.

If multiple paths exist between the Internet and the corporate network, then the Screen will not work optimally, because, depending on the routing, traffic can pass through the Screen in one direction, but can bypass it in the reverse direction. To control the traffic on a network properly, both the incoming traffic and the outgoing traffic must pass through the same Screen.

FIGURE 2-4 shows a network divided into several pieces by the Screen.

Figure 2-4 SunScreen as Internet Firewall Dividing a Network into Several Pieces


As in the example in FIGURE 2-3, two of these networks are the Internet and the company's network. In this example, however, the network is further divided into several demilitarized zones (DMZs) where public services reside. The advantage of dividing the network into one or more DMZs is that even if a system on a DMZ is compromised, traffic from that system must still pass through the Screen.

Security Policy

A security policy is the collection of decisions an organization makes about network security and its stance regarding what network activities are permitted or denied. The most important aspect in installing and administering a firewall is a well-defined security policy.

Configuration

A configuration is the union of one policy with the common objects to form a complete description of the behavior of one or more Screens. A policy is a named set of policy objects. For example, when the SunScreen software is first installed, there is one policy, named Initial. Common objects are data objects relevant to all policies. Object types are either named or ordered. Named common object types include address, screen, service, interface, certificate, and time objects. Ordered objects include filtering rules, NAT rules, administration access rules, and VPN gateway descriptions. Neither common objects nor rules include objects loaded into SKIP but they do include the reference from the certificate name in the common object registry to the internal identity used by SKIP.

Dynamic Packet Filtering

Dynamic packet filtering allows a Screen, which sits between the client and server, to examine each data packet as it arrives. Based on information in the packet, state retained from previous events, and a set of security policy rules, the Screen either passes the data packet, or blocks and drops it.

SunScreen uses a set of ordered rules to filter packets. When you configure SunScreen, you translate the security policies for your site into a series of policy rules that specify which services are to be allowed, what to do with packets for services that are disallowed, and what to do when packets are dropped. You then place these policy rules in sequence to specify which rules override others.
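To make the first-match, stateful behavior described above concrete, here is an added example in Python. It is not SunScreen code: the Packet and Rule fields, the rule list, the addresses, and the log format are hypothetical and constructed for illustration. It shows a connection admitted by an ALLOW rule whose reply then passes on retained state alone, a packet dropped by a logged DENY rule, a packet dropped because no rule matched, and an ALLOW rule that a preceding catch-all DENY shadows.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Added example, not SunScreen code: a minimal first-match, stateful filter.
# Field names, rules and addresses are constructed for illustration.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN set: first packet of a new connection


@dataclass
class Rule:
    action: str                  # "ALLOW" or "DENY"
    src: str                     # CIDR network, or "any"
    dst: str
    proto: str                   # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port
    log: bool = False            # record a log line when this rule fires

    def matches(self, pkt: Packet) -> bool:
        return (self._within(pkt.src, self.src)
                and self._within(pkt.dst, self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))

    @staticmethod
    def _within(addr: str, net: str) -> bool:
        return net == "any" or ip_address(addr) in ip_network(net)


class Screen:
    """First-match evaluation of an ordered rule list plus a connection table."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)   # position decides precedence
        self.state = set()         # 5-tuples of connections already admitted
        self.log: List[str] = []

    def filter(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. State retained from earlier packets: traffic of a connection the
        #    Screen already admitted passes in both directions without a rule.
        if key in self.state or reply in self.state:
            return "PASS"
        # 2. A TCP packet that is not a SYN and has no state entry cannot open
        #    a connection, so no ALLOW rule is consulted for it.
        if pkt.proto == "tcp" and not pkt.syn:
            self.log.append(f"no state: {self._desc(pkt)}")
            return "DROP"
        # 3. Walk the ordered rules; the first rule that matches decides.
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                if rule.log:
                    self.log.append(f"rule {i} {rule.action}: {self._desc(pkt)}")
                if rule.action == "ALLOW":
                    self.state.add(key)
                    return "PASS"
                return "DROP"
        # 4. No rule matched: default deny, always logged.
        self.log.append(f"no rule matched: {self._desc(pkt)}")
        return "DROP"

    @staticmethod
    def _desc(pkt: Packet) -> str:
        return f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}/{pkt.proto}"


ALLOW_WEB = Rule("ALLOW", "10.0.0.0/8", "any", "tcp", 80)           # inside -> web
DENY_SSH = Rule("DENY", "any", "10.0.0.0/8", "tcp", 22, log=True)   # block ssh inward
DENY_ALL = Rule("DENY", "any", "any", "any", log=True)               # catch-all


def run_scenarios() -> dict:
    scr = Screen([ALLOW_WEB, DENY_SSH, DENY_ALL])
    results = {
        "syn_out": scr.filter(Packet("10.1.1.5", "198.51.100.7", "tcp", 40000, 80, syn=True)),
        "reply_in": scr.filter(Packet("198.51.100.7", "10.1.1.5", "tcp", 80, 40000)),
        "ssh_in": scr.filter(Packet("203.0.113.9", "10.1.1.5", "tcp", 5555, 22, syn=True)),
        "midstream": scr.filter(Packet("10.1.1.5", "198.51.100.7", "tcp", 40001, 80)),
        "dns_in": scr.filter(Packet("203.0.113.9", "10.1.1.5", "udp", 5353, 53)),
    }
    # Same rules with the catch-all first: the ALLOW rule is shadowed and never reached.
    shadowed = Screen([DENY_ALL, ALLOW_WEB])
    results["shadowed_out"] = shadowed.filter(
        Packet("10.1.1.5", "198.51.100.7", "tcp", 40000, 80, syn=True))
    # Rule list without a catch-all: the unmatched packet is still dropped and logged.
    sparse = Screen([ALLOW_WEB])
    results["unmatched_in"] = sparse.filter(Packet("203.0.113.9", "10.1.1.5", "udp", 5353, 53))
    results["log"] = scr.log + shadowed.log + sparse.log
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(name, verdict)
```

The shadowed_out result is the ordering mistake to check for when a rule you added never seems to fire: a broader rule placed earlier in the sequence decides first, exactly as the text says about rules overriding others.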

Centralized Management Group

The centralized management group feature enables Screens located at different points in the network to be managed with a standard set of objects from one Administration Station.

Centralized management reduces the overhead in configuring a set of firewalls. When firewalls in a set are configured differently, traffic does not flow through them properly. Centralized management avoids this problem because all the firewalls in the group share the same data.

Network Address Translation (NAT)

The network address translation (NAT) feature makes it possible to have a Screen translate one set of addresses to another set. NAT is typically used:

NAT works by modifying the address fields in the packet as it passes through the Screen. In addition to the address fields, the checksum and sequence number fields in the packet are modified. Certain protocols (such as FTP) also require that data within the packet containing address information be modified.
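As an added illustration of why NAT must rewrite more than the address fields, the Python below (example code, not SunScreen's implementation; the addresses, ports and payload are constructed) builds an IPv4/TCP packet, rewrites its source address the naive way, and shows that both the IP header checksum and the TCP checksum, which covers a pseudo-header containing the two addresses, are invalid until they are recomputed.

```python
import struct
from ipaddress import IPv4Address

# Added example, not SunScreen code: a minimal IPv4/TCP packet builder and a
# NAT source-address rewrite that repairs both checksums. Addresses, ports
# and payload are constructed for illustration.


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(ip: bytes, tcp_len: int) -> bytes:
    """TCP pseudo-header: source, destination, zero, protocol 6, TCP length."""
    return ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, tcp_len)


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed packet: 20-byte IPv4 header + 20-byte TCP header (SYN) + payload."""
    s, d = IPv4Address(src).packed, IPv4Address(dst).packed
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0) + payload)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, s, d))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    tcp[16:18] = struct.pack("!H", checksum(pseudo_header(bytes(ip), len(tcp)) + bytes(tcp)))
    return bytes(ip + tcp)


def checksums_valid(packet: bytes):
    """Return (ip_ok, tcp_ok); with a correct checksum in place the sum comes out to 0."""
    ip, tcp = packet[:20], packet[20:]
    return checksum(ip) == 0, checksum(pseudo_header(ip, len(tcp)) + tcp) == 0


def naive_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """Replace only the source address, leaving both checksums stale."""
    return packet[:12] + IPv4Address(new_src).packed + packet[16:]


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """Replace the source address and recompute the IP and TCP checksums."""
    ip, tcp = bytearray(packet[:20]), bytearray(packet[20:])
    ip[12:16] = IPv4Address(new_src).packed
    ip[10:12] = b"\x00\x00"                   # zero the field before summing
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    tcp[16:18] = b"\x00\x00"                  # the TCP sum also covers the new address
    tcp[16:18] = struct.pack("!H", checksum(pseudo_header(bytes(ip), len(tcp)) + bytes(tcp)))
    return bytes(ip + tcp)


def nat_demo() -> dict:
    inside = build_ipv4_tcp("10.1.1.5", "198.51.100.7", 40000, 80, b"GET / HTTP/1.0\r\n")
    broken = naive_rewrite_source(inside, "203.0.113.1")
    translated = nat_rewrite_source(inside, "203.0.113.1")
    return {
        "original": checksums_valid(inside),        # (True, True)
        "naive": checksums_valid(broken),           # (False, False)
        "translated": checksums_valid(translated),  # (True, True)
        "new_src": str(IPv4Address(translated[12:16])),
    }


if __name__ == "__main__":
    for name, value in nat_demo().items():
        print(name, value)
```

The same dependency is why a protocol such as FTP, which carries addresses inside its payload, needs the payload edited as well: after the address text changes, the TCP checksum, and with it any sequence-number accounting when the length changes, must be corrected again before the packet is forwarded.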

Tunneling and Virtual Private Networks (VPN)

Organizations typically have offices in more than one location. SunScreen provides a tunneling mechanism to let the different offices use public networks as a secure private network without needing dedicated lines and with no changes to user applications.

When a tunnel, or virtual private network, is set up between two or more locations, all data packets traveling from one location to the other are encrypted and wrapped inside other packets before they are sent over the public internetwork. Encrypting the packets guarantees that their contents will remain private; anyone capturing packets with the snoop program on network traffic between the two locations will be unable to read them. When the packets arrive at the remote location, they are unwrapped, decrypted, and forwarded to their intended destination.

In addition to protecting the privacy of network traffic, tunneling also lets a site conceal the details of its network topology from intruders or eavesdroppers. Because the original packets are encrypted, the source and destination addresses in their IP headers cannot be read. When the encrypted packets are encapsulated inside other packets, the new IP headers identify the addresses of the Screens that protect the locations, not the hosts that originated the packets. Consequently, the network topology behind the Screens is never exposed.

High Availability (HA)

High Availability (HA) enables you to deploy groups of Screens together in situations in which the connection between a protected inside network and an insecure outside network is critical. At any time, one member of the HA cluster is the active Screen, which performs packet filtering, network address translation, logging, and encryption or decryption of packets traveling between the inside and outside networks. The other members of the HA cluster, the passive Screens, receive the same packets, perform the same calculations as the active Screen, and mirror the state of the active Screen, but they do not forward traffic. When an active Screen fails, the passive Screen that has been running the longest takes over as the active Screen within 15 seconds. During this time (before the passive Screen takes over), no traffic will go through the HA cluster.

Encryption

SunScreen uses a combination of public-key and shared-key cryptography to encrypt and decrypt packets. Any traffic that passes between any two machines or other SKIP devices can be encrypted, while all traffic between a Screen and an Administration Station is encrypted.

Logging

SunScreen provides flexible logging of packets. This means that each primary and secondary Screen keeps a log of its traffic. Logs of the packets are kept on the Screen that passed or rejected the packets.

In an HA cluster only the active Screen logs network traffic. However, traffic destined for the active or passive HA machine itself may be logged according to the rule. This means that some passive Screens may log some traffic. This traffic is only the traffic to it, not the traffic that is going through it.

You can configure SunScreen to log a packet when it matches a rule or when it does not match any particular rule. Most frequently, packets matching DENY rules or packets that are dropped because they do not match any rule are logged. The action defined in a rule controls whether a packet is logged and what information about the packet is recorded.

Examining logged packets is useful when you are trying to identify the causes of problems during configuration or administration. You should also examine logs periodically for evidence of attempts to break into your network.

Each machine in an HA cluster logs what that system passed or rejected, as well as any locally processed nonpacket events.

Proxies

A proxy is a user-level application that runs on the Screen. The main purpose of proxies is to provide content filtering (for example, allow or deny Java applets) and user authentication.

Using Proxies

SunScreen lets you set up proxies for FTP, HTTP, SMTP, and Telnet protocols. Although each proxy has different filtering capabilities and requirements, you can allow or deny sessions based on source or destination addresses of packets. Proxies share common objects and policy rule files. To start a proxy, you set up rules for a proxy in your security policy and activate the policy.

Use of these proxies does not require installing any additional client or server system software. Some changes, however, may be required in system configurations or user-supplied commands to access protected destinations through the proxies.

Event Logging With Proxies

Event logging (of failures and successes, including subsystem authentication) through the log browser supports filtering, and you can define and store named filtering macros. The size of the log is configurable. The log collection facility allows the proxies to add information to the current log. The types of logged events are extensible to anticipate the evolving use of this facility. Filtering automates the uploading, storage, and postprocessing of logs. You can define postprocessing of your choice for uploaded logs (for instance, analysis and compression).