SunScreen 3.1 Configuration Examples

Chapter 1 Introduction

SunScreen 3.1 is dynamic, stateful, IP-packet filtering firewall software used to protect a host or a network of hosts by controlling packet flow to or through the machine on which it is installed. SunScreen uses rules that restrict access based on IP addresses and network service ports. It can be configured to encrypt IP packets between hosts or a network of hosts to prevent data compromise. SunScreen SKIP provides authentication of hosts using certificates.

The necessary SunScreen SKIP packages are installed automatically by the Solaris Web Start Wizards installer program. For detailed information on how SunScreen SKIP encryption works, refer to the SunScreen SKIP 1.5.1 User's Guide.

The administration graphical user interface (GUI) works on any hardware or software platform that has a browser supporting JDK 1.1 (>= 1.1.3) and has end-system SKIP installed.


Note -

Do not install SUNWes or SUNWesx on a Screen, as it is not an end-system SKIP node.


SunScreen includes user-level proxies (http, ftp, telnet, and smtp) for application-level packet examination or user authentication through internal or external means.

SunScreen 3.1 Configuration Examples For the Solaris Operating Environment contains detailed examples on how to use SunScreen's features. It does not offer recommendations for what security policy to implement.

What Is the Configuration Examples Document?

This document is a collection of recorded SunScreen configuration examples. They include pertinent information, such as:

The examples use remote Screen administration through an Administration Station using a browser (Java applets).

SunScreen's browser-based administration GUI runs on the Administration Station, and the configuration files are stored on the Screen. One Administration Station can manage any number of Screens, provided each Screen has an access rule granting that Administration Station access to it.

Centralized group management lets you connect to a single Screen designated as the primary Screen, edit policy there, and have the primary push that policy to its secondary Screens.

The following figure shows where SunScreen sits in the network protocol stack and how packets flow from the network to an application running on the firewall.

Figure 1-1 SunScreen Functions

Once you have identified your security requirements for protecting the integrity and accessibility of your corporate data and computer resources, determined the services you want to support at your site for employees and customers, defined the layout for your network, and so forth, you configure SunScreen to implement this policy.

The machines used in the examples are assumed to have been set up following the procedures as described in the SunScreen guides, including any required patches or plug-in software.

It is assumed that you know how the following configuration requisites are achieved (see the SunScreen guides for specific requisite information):

The examples in this document use RFC 1918 IP addresses. For the purpose of these examples only, addresses starting with 192.168 are treated as legal, routable IP addresses, while addresses starting with 10.0 are treated as illegal IP addresses. All networks shown assume a class C (255.255.255.0) subnet mask. In a real-life configuration, replace these addresses with those supplied by your ISP or assigned by the InterNIC.

Segments of the sample company network shown in the following two figures are used in the configuration examples described in this document.

Figure 1-2 Example Company Network: San Francisco and Boston

Figure 1-3 Example Company Network: London and Hong-Kong