This document is a collection of recorded SunScreen configuration examples. They include pertinent information, such as:
When a particular configuration might be used
General steps for configuring the firewall to perform the operations used to accomplish the task
As appropriate, step-by-step detailed descriptions
As appropriate, known tips or recommendations
The examples use remote Screen administration through an Administration Station using a browser (Java applets).
SunScreen's browser-based administration GUI runs on the Administration Station, and the configuration files are stored on the Screen. One Administration Station can manage any number of Screens that have the right access rules defined (as the Administration Station only needs to be granted access to the Screen).
Centralized group management enables you to connect to one Screen that is designated as the primary Screen where you manipulate policy, which it then pushes to its secondary Screens.
The following figure shows where SunScreen sits in the network protocol stack and how packets flow from the network to an application running on the firewall.
Once you have identified your security requirements for protecting the integrity and accessibility of your corporate data and computer resources, determined the services you want to support at your site for employees and customers, defined the layout for your network, and so forth, you configure SunScreen to implement this policy.
The machines used in the examples are assumed to have been set up following the procedures as described in the SunScreen guides, including any required patches or plug-in software.
It is assumed that you know how the following configuration requisites are achieved (see the SunScreen guides for specific requisite information):
Using the Netscape Navigator™ browser for administration
Preparing for installation
Choosing a certificate
Dedicating interfaces
The examples in this document use RFC-1918 IP addresses. For the purpose of these examples only, the addresses starting with 192.168 are considered legal, routable IP addresses, while addresses starting with 10.0 are considered illegal IP addresses. All networks shown assume a class C (255.255.255.0) subnet mask. In a real-life configuration, replace the IP addresses with those supplied by your ISP or assigned by the InterNIC.
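The address convention above is easy to get wrong when reading the later examples, because in the real world both 10.0.x.x and 192.168.x.x are RFC 1918 private blocks and neither is routable on the Internet. The following helper, added here and not part of the original SunScreen documentation, checks an address against the real RFC 1918 ranges, applies the class C mask the examples assume, and separately reports how this document's own convention labels the address ("legal" for 192.168, "illegal" for 10.0). The `example_class` labels and the sample addresses are constructed for this illustration.

```python
import ipaddress

# The three RFC 1918 private blocks as actually defined by the RFC.
RFC1918_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)

# Every network in these examples assumes a class C subnet mask.
CLASS_C_MASK = "255.255.255.0"


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in any RFC 1918 private block (real-world test)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)


def example_class(addr: str) -> str:
    """Label an address the way this document's convention does.

    This mirrors the text, not reality: 192.168.x.x is treated as 'legal'
    (routable) and 10.0.x.x as 'illegal'. Anything else is 'other'.
    """
    ip = ipaddress.ip_address(addr)
    if ip in ipaddress.ip_network("192.168.0.0/16"):
        return "legal"
    if ip in ipaddress.ip_network("10.0.0.0/16"):
        return "illegal"
    return "other"


def network_of(addr: str, mask: str = CLASS_C_MASK) -> str:
    """Return the network (CIDR notation) addr belongs to under mask."""
    # strict=False lets a host address (not just a network address) be given.
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def same_subnet(a: str, b: str, mask: str = CLASS_C_MASK) -> bool:
    """True if a and b fall in the same subnet under mask."""
    return network_of(a, mask) == network_of(b, mask)


if __name__ == "__main__":
    # Constructed sample addresses in the style of the examples that follow.
    for addr in ("192.168.1.10", "10.0.0.5", "172.20.3.4", "8.8.8.8"):
        print(
            f"{addr:>14}  rfc1918={is_rfc1918(addr)!s:5}  "
            f"doc_label={example_class(addr):8}  net={network_of(addr)}"
        )
```

Running the block prints one line per sample address; the point to notice is that `is_rfc1918` is true for both 192.168.1.10 and 10.0.0.5 even though the document labels only the latter "illegal". When you replace the example addresses with those your ISP assigned, re-run `is_rfc1918` on them to confirm the "legal" side really is publicly routable.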
Segments of the sample company network shown in the following two figures are used in the configuration examples described in this document.