SunScreen 3.1 Reference Manual

How SunScreen Works

SunScreen is a Solaris software product supporting Solaris 2.6, Solaris 7, and Solaris 8 on SPARC and Intel platforms, and Trusted Solaris 7 on the SPARC platform.


Note -

Upgrade your system to at least Solaris 2.6; SunScreen cannot support Solaris 2.5.1 because of Unicode internationalization requirements.


The administration GUI software works on any hardware or software system with a browser that supports JDK 1.1 (up to and including 1.1.3) and, if you want secure administration, has end-system SKIP installed.

Integration of the two SunScreen firewall products in SunScreen allows you to create either a stealth-mode firewall, used as a dedicated perimeter defense and extranet firewall, or a routing-mode firewall. A routing-mode firewall can serve as a traditional firewall on the perimeter of a network, as a remote-access server inside the intranet to segregate departments, or can be deployed on an existing application or data server throughout an enterprise to control access and provide encryption.

SunScreen and SunScreen SKIP use graphical user interfaces called:

With the installation wizard you can configure your Screen in routing mode, which is the default, or in stealth mode. Following installation, use the administration GUI to administer your Screen locally on the same machine or remotely from an Administration Station.


Note -

For backwards compatibility and for machines without a monitor, the SunScreen installation retains the ss_install command.


With the administration GUI, you can administer single Screens, HA clusters, or centralized management groups of Screens, either locally or remotely.

Use the skiptool GUI to encrypt administration commands that travel from the Administration Station over a potentially insecure network to the Screen. See the SunScreen SKIP 1.5.1 User's Guide regarding the skiptool GUI.

The network address translation (NAT) feature enables you to have a Screen map an internal network address, typically an unregistered one, to a different, registered network address. As the Screen passes packets between an internal host and a public network, the addresses in each packet are replaced with the new addresses transparently, checksums and sequence numbers are corrected, and the state of the address map is monitored. You specify when the ordered NAT rules apply to a packet based on its source and destination addresses.
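The following is an added illustration of the mechanics just described and is not code from the SunScreen product: it walks an ordered list of NAT rules, matching on source and destination address, rewrites the IPv4 source address of the first matching packet, recomputes the header checksum, records the mapping in a state table, and uses that table to translate the reply back. The rule format, the public address 192.0.2.10, and the sample headers are constructed for the example; TCP sequence-number correction, which the Screen also performs, is deliberately left out to keep the model short.

```python
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791). A header whose
    checksum field is correct sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int = 6) -> bytes:
    """Build a minimal 20-byte IPv4 header with a valid checksum.
    Used here only to construct sample packets."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, protocol, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_addrs(hdr: bytes):
    """Return (source, destination) as dotted strings."""
    return (str(ipaddress.IPv4Address(hdr[12:16])),
            str(ipaddress.IPv4Address(hdr[16:20])))


def set_addrs(hdr: bytes, src: str, dst: str) -> bytes:
    """Rewrite both addresses and recompute the header checksum, so the
    receiving host sees a consistent header."""
    new = (hdr[:10] + b"\x00\x00" + ipaddress.IPv4Address(src).packed
           + ipaddress.IPv4Address(dst).packed)
    return new[:10] + struct.pack("!H", ipv4_checksum(new)) + new[12:]


class OrderedNat:
    """Simplified model of ordered NAT rules plus an address-map state table.
    Rules are (source network, destination network, public address);
    the first rule matching both addresses wins."""

    def __init__(self, rules):
        self.rules = [(ipaddress.ip_network(s), ipaddress.ip_network(d),
                       str(ipaddress.ip_address(p))) for s, d, p in rules]
        # (public source, external destination) -> original internal source
        self.state = {}

    def outbound(self, hdr: bytes) -> bytes:
        src, dst = parse_addrs(hdr)
        for src_net, dst_net, public in self.rules:
            if (ipaddress.ip_address(src) in src_net
                    and ipaddress.ip_address(dst) in dst_net):
                self.state[(public, dst)] = src
                return set_addrs(hdr, public, dst)
        return hdr  # no rule matched: forwarded untranslated

    def inbound(self, hdr: bytes) -> bytes:
        # A reply arrives with the external host as source and our public
        # address as destination; consult the state table to undo the map.
        ext, public = parse_addrs(hdr)
        internal = self.state.get((public, ext))
        if internal is None:
            return hdr  # no state for this flow: leave it alone
        return set_addrs(hdr, ext, internal)


if __name__ == "__main__":
    nat = OrderedNat([("10.0.0.0/8", "0.0.0.0/0", "192.0.2.10")])
    out = nat.outbound(build_ipv4_header("10.1.2.3", "198.51.100.7"))
    print("outbound:", parse_addrs(out), "checksum ok:", ipv4_checksum(out) == 0)
    back = nat.inbound(build_ipv4_header("198.51.100.7", "192.0.2.10"))
    print("inbound: ", parse_addrs(back), "checksum ok:", ipv4_checksum(back) == 0)
```

Because rules are evaluated in order, a more specific rule placed before a general one takes precedence, which is why the manual stresses that you control when each ordered rule applies; the state table is what lets the reverse direction be translated without a second rule.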

The high availability (HA) feature protects data by providing a set of Screens that together offer failover protection. One member of the HA cluster, the active Screen, services packets travelling between a protected inside network and an insecure outside network. The other members, the passive Screens, receive the same packets, perform the same calculations, and mirror the state of the active Screen, but they do not forward traffic between the inside network and the outside network.

Individual versions of a policy are copied or saved into a new policy. Each version of a policy is retained, and you can reuse either all or a portion of a policy at a later date.