SunScreen 3.1 Configuration Examples

Chapter 2 Routing Mode

Typically, you use SunScreen in routing mode if you need a machine to act as both a router and a firewall. In this mode, the interfaces have IP addresses and perform IP routing functions, while the SunScreen software restricts the packet flow between those interfaces.

Prior to installation, make sure that the machine is performing properly as a router. In particular, the kernel must be forwarding IP packets between its interfaces. To set the kernel global variable ip_forwarding to 1, type:


# ndd -set /dev/ip ip_forwarding  1

See the SunScreen 3.1 Installation Guide and the Solaris man page ip(7P) for more details. A value set with ndd takes effect immediately but is not preserved across a reboot, so it must also be applied from a system startup script if the Screen is to keep forwarding after it restarts.
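The two preconditions above can be checked by script before the installer is run. The following preflight script is an added example and is not part of the SunScreen documentation: it confirms that ip_forwarding reads 1 and that the non-loopback interfaces the Screen will route between sit on distinct subnets. It assumes the Solaris ifconfig -a line format "inet A.B.C.D netmask HHHHHHHH" (hexadecimal netmask), invokes ndd and ifconfig only when run on SunOS, and otherwise exercises the same parsing on a constructed ifconfig sample embedded in the script.

```shell
#!/bin/sh
# Routing-mode preflight for a prospective Screen (added example, not from the
# SunScreen documentation). Checks that ip_forwarding is 1 and that the
# non-loopback interfaces are on distinct subnets. Assumes the Solaris
# "ifconfig -a" line format "inet A.B.C.D netmask HHHHHHHH"; ndd and ifconfig
# are only invoked on SunOS, so the parsing can be exercised on any system.

# Dotted-quad IPv4 address -> integer.
ip_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network number of address $1 under the hex netmask $2 (e.g. ffffff00).
network_of() {
    echo $(( $(ip_to_int "$1") & 0x$2 ))
}

# Reduce ifconfig -a output on stdin to "address mask" pairs, dropping loopback.
interface_addrs() {
    sed -n 's/^[[:space:]]*inet \([0-9.]*\) netmask \([0-9a-fA-F]*\).*/\1 \2/p' |
        grep -v '^127\.'
}

# Read "address mask" pairs from stdin; succeed only if there are at least two
# interfaces and no two of them have the same network number and mask.
distinct_subnets() {
    _nets=" "
    _n=0
    while read -r _addr _mask; do
        [ -n "$_addr" ] || continue
        _net="$(network_of "$_addr" "$_mask")/$_mask"
        case "$_nets" in
            *" $_net "*) return 1 ;;    # two interfaces share a network
        esac
        _nets="$_nets$_net "
        _n=$((_n + 1))
    done
    [ "$_n" -ge 2 ]
}

# The value reported by "ndd -get /dev/ip ip_forwarding" must be 1.
forwarding_enabled() {
    [ "$1" = "1" ]
}

# Constructed stand-in for "ifconfig -a" on a two-interface Solaris host.
SAMPLE_IFCONFIG='lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
hme1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.2.1 netmask ffffff00 broadcast 192.168.2.255'

if [ "$(uname -s)" = "SunOS" ]; then
    forwarding_enabled "$(ndd -get /dev/ip ip_forwarding)" ||
        { echo "ip_forwarding is off: run ndd -set /dev/ip ip_forwarding 1" >&2; exit 1; }
    ifconfig -a | interface_addrs | distinct_subnets ||
        { echo "need at least two interfaces on distinct subnets" >&2; exit 1; }
    echo "routing-mode preflight passed"
else
    # Not Solaris: run the subnet check on the constructed sample instead.
    printf '%s\n' "$SAMPLE_IFCONFIG" | interface_addrs | distinct_subnets &&
        echo "sample interfaces are on distinct subnets"
fi
```

Run it as root on the candidate Screen before starting the installer; a non-zero exit names the precondition that failed. The subnet check compares network number and mask only, so two interfaces whose networks overlap under different masks are not flagged.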

Network Example

For the network example, Figure 2-1 shows the Hong-Kong segment of the sample company network. In the diagram, a remotely administered Screen, hk-screen1, is set up in routing mode with two interfaces, each configured with an IP address on a separate subnet.

Figure 2-1 Hong-Kong Segment of the Sample Company Network


General Routing-Mode Installation

Installing a remotely administered Screen in routing mode requires several steps, performed in the following order:

  1. Install the SunScreen software on the Administration Station.

  2. Create the Administration Station's certificate ID. This identifies the key that SunScreen SKIP uses to encrypt and decrypt the administration traffic between the Administration Station and the Screen.

  3. Install the SunScreen software on the Screen.

    This procedure requires the Administration Station's certificate ID, and creates the Screen's certificate.

  4. Install the Screen's certificate ID on the Administration Station.

  5. Enable SunScreen SKIP on the Administration Station to begin encrypted communication between it and the Screen.

Detailed Routing-Mode Installation

Before you begin, verify that the Administration Station (hk-host3) can ping the Screen (hk-screen1). The following procedures are performed as root:

  1. On Administration Station hk-host3, run the Solaris Web Start Wizards installer to install the SunScreen software.

See the SunScreen 3.1 Installation Guide for information regarding which browsers are supported for SunScreen. Also check the SunScreen 3.1 Release Notes, which may list additional supported browsers.

If you are installing the software on a system without a console, use the command line installation as described in Appendix A in the SunScreen 3.1 Installation Guide.

  2. On Administration Station hk-host3, generate a local certificate ID and set up SunScreen SKIP as described in the following steps:

    1. Initialize the SunScreen SKIP directories by typing:


      #  skiplocal -i
      
    2. Generate the certificate ID by typing:


      # skiplocal -k
      

      Because the output of skiplocal -k is verbose, use the command shown in the next step, skiplocal -l, to list the certificate ID just created in a more readable form.

    3. List the certificate ID just created by typing:


      # skiplocal -l
      
    4. Write down the certificate ID for use when installing the SunScreen software on the Screen, for example:


      c590723af78f869118cd35dee50680a6
    5. Add SunScreen SKIP to all the interfaces by typing:


      # skipif -a
      
    6. Reboot the system.

  3. On Screen hk-screen1, run the Solaris Web Start Wizards installer to install the SunScreen software.

    Using the command line to install the software is documented in Appendix A in the SunScreen 3.1 Installation Guide.

    1. Use the Administration Station's certificate ID created in Step 2, when requested.

    2. Write down the Screen's certificate ID for use in the following step.

    3. Reboot the Screen upon completion.

  4. On Administration Station hk-host3, load the Screen's certificate ID using the skiptool GUI.


    Note -

    This step can also be done using the skiphost command as described in the file /etc/opt/SUNWicg/SunScreen/AdminSetup.readme.


    1. Launch the skiptool GUI by typing:


      # skiptool
      
    2. Click the Add button under Host and choose Off.

    3. Type `default' as the hostname and click Apply. This default entry applies to every host that has no entry of its own; with SKIP set to Off, traffic to those hosts passes in the clear.

    4. Click the Add button under Host and choose SKIP.

    5. Type the following information:

      - screenname (hk-screen1) as the hostname
      - MD5 for Remote Key ID, with the Screen's certificate ID as the ID
      - MD5 for Local Key ID, with the Administration Station's certificate ID as the ID
      - Default values for the key, traffic, and authentication algorithms

    6. Verify that Access Control is set to `enabled.'

    7. Select Save from the File menu to make your changes permanent.

      Enabling SunScreen SKIP allows the Administration Station to begin encrypted communication to the Screen.

  5. On host hk-host3, the Administration Station, verify that remote administration of Screen hk-screen1 from a browser is working by entering the following URL:


    http://hk-screen1:3852
    

    The SunScreen log-in screen for Screen hk-screen1 appears.

For a more detailed explanation regarding installing in routing mode, refer to the SunScreen 3.1 Installation Guide.