Running a Screen in stealth mode differs from routing mode in that it partitions a single subnet into two or more parts and filters packets passing between them, whereas a Screen running in routing mode filters packets passing between subnets on a Solaris system configured as a router.
Typically, you use SunScreen in stealth mode if you need the following features:
Partition a single subnet.
All of the filtering interfaces are on the same IP subnet. Because a stealth Screen is not a router, it cannot connect to or pass packets between different subnets. Stealth mode uses Ethernet interfaces only.
There is no need to reconfigure the hosts on the subnet into which the stealth Screen is inserted: the hosts on this subnet retain the same IP addresses they had before the stealth Screen was inserted.
Optional hardening of the operating environment is included to increase the security on the system.
Hardening of the operating environment removes packages and files from the Solaris operating environment that are not used by SunScreen. That is, hardening prevents network applications, such as telnet, from being configured.
Hardening of the operating environment is not reversible. To reverse the hardening requires you to reinstall both the Solaris operating environment and the SunScreen software.
Filtering interfaces on stealth Screens do not have an IP address.
Because no IP protocol stack is associated with the filtering interfaces, the Screen is invisible to the network: there is no IP address to probe, so a potential attacker has no way to discover that it exists.
Conceptually, a Screen running in stealth mode is like a bridge that filters IP addresses rather than media access control (MAC) addresses.
For the network example, the following figure shows the Boston segment of the network. Looking at the diagram, the administration interface is attached to the same subnet that the stealth Screen partitions (it can be attached to any subnet in the configuration). Screen, bos-screen1, does not pass packets between its filtering interfaces and the administration interface.
If you configure a network interface with an IP address and later set it to stealth mode, the Screen can hang upon activation. If this happens, reboot the Screen in single-user mode, remove the /etc/hostname.interface_name file (which unconfigures that interface), and reboot the Screen, following the procedure for restoring proper operation in the SunScreen 3.1 Reference Manual.
Install the Solaris operating environment on the Screen and Administration Station.
Install the SunScreen software on the Screen and Administration Station.
Reboot after installation.
Start the administration GUI.
Define the Screen object.
Define Address objects.
Define Interface groups.
Define the stealth interfaces.
Define policy rules.
Save and activate the policy.
Install the Solaris operating environment on the Screen.
Configure a single interface, the administration interface (le0 in this example), with an IP address (192.168.1.3 in this example) to enable control of the Screen remotely from an Administration Station.
The traffic on this interface is restricted to ports 3852 and 3953 only. The traffic is encrypted using SunScreen SKIP, which requires the Screen's and the Administration Station's certificate IDs. SunScreen supports:
Self-generated certificates (that is, Unsigned Diffie-Hellman [UDH] certificates), as described here.
Issued certificates (which are obtained from Sun's certification authority [CA] before proceeding).
See the SunScreen 3.1 Installation Guide regarding certificates.
Access is restricted to systems in a remote access rule using the SunScreen SKIP identity of that system for authentication. This remote access rule is configured as part of the installation process.
Install the recommended Solaris operating environment patches at this point, especially any Ethernet interface patches.
The Screen is only able to resolve IP addresses using the administration interface. Because it only needs to resolve the IP addresses of the Administration Station and any SNMP trap receivers, consider configuring /etc/nsswitch.conf to use files only for host name resolution (hosts: files) and placing those few entries in /etc/hosts, so that the Screen never depends on a network name service.
Install the SunScreen software by following the instructions in the SunScreen 3.1 Installation Guide.
Do the following:
Install the SunScreen software on the Administration Station.
Generate a certificate ID for the Administration Station.
Install the SunScreen software on the Screen as stealth mode.
Optionally, harden the Solaris operating environment.
Add the Administration Station's certificate ID to the Screen.
Add the Screen's certificate ID to the Administration Station.
Reboot the Administration Station and the Screen.
The Administration Station can only contact the Screen using the administration GUI or the command-line interface; it cannot ping the Screen.
Start a browser on the Administration Station and connect to the URL by typing:
http://192.168.1.3:3852
Select the Screen object and define the network that the Screen partitions, as shown in FIGURE 4-2.
If you skip this step, the Screen does not work correctly.
Define the address objects as shown in the following table:
Table 5-1 Address Object Definitions

| Name | Type | Details |
|---|---|---|
| 10.0.2-net | Range | 10.0.2.0 to 10.0.2.255 |
| DMZ | Range | 192.168.1.100 to 192.168.1.100 |
| 192.168.1-private | Range | 192.168.1.2 to 192.168.1.99 |
| 192.168.1-public | Range | 192.168.1.1 to 192.168.1.1 |
| Internal | Group | Include: {10.0.2-net 192.168.1-private} Exclude: {} |
| Internet | Group | Include: {*} Exclude: {Internal DMZ} |
| hme0_grp | Group | Include: {DMZ} Exclude: {} |
| hme1_grp | Group | Include: {Internal} Exclude: {} |
| hme2_grp | Group | Include: {Internet} Exclude: {} |
The last three objects are the interface groups. Each should contain the IP addresses of all the hosts that can be reached through that interface. The Screen uses these groups to determine the interface out of which a packet is to be sent, so defining them correctly is essential for correct operation.
Be sure the interface groups do not overlap: an address that appears in more than one interface group leaves the Screen with no unambiguous egress interface for packets to that address.
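The following is an added example, not code from the SunScreen documentation or product. It models the address objects of Table 5-1 in Python to show how a stealth Screen, acting as a bridge that filters on IP addresses, picks an egress interface from the interface groups, and it checks the overlap requirement without enumerating the whole IPv4 space: group membership can only change at a range boundary, so probing every boundary (and its neighbours) is sufficient. The group-resolution rule (include minus exclude, `*` meaning every address) is the table's, while the function names and the deliberately broken variant that widens 192.168.1-private to 192.168.1.100 are this example's own constructions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Address objects transcribed from Table 5-1 on this page.
# "Range" objects are inclusive start/end addresses.
RANGES: Dict[str, Tuple[str, str]] = {
    "10.0.2-net": ("10.0.2.0", "10.0.2.255"),
    "DMZ": ("192.168.1.100", "192.168.1.100"),
    "192.168.1-private": ("192.168.1.2", "192.168.1.99"),
    "192.168.1-public": ("192.168.1.1", "192.168.1.1"),
}
# "Group" objects are (include list, exclude list); "*" means every address.
GROUPS: Dict[str, Tuple[List[str], List[str]]] = {
    "Internal": (["10.0.2-net", "192.168.1-private"], []),
    "Internet": (["*"], ["Internal", "DMZ"]),
    "hme0_grp": (["DMZ"], []),
    "hme1_grp": (["Internal"], []),
    "hme2_grp": (["Internet"], []),
}
# Which interface group is bound to which stealth interface (page's naming).
INTERFACE_GROUPS: Dict[str, str] = {"hme0": "hme0_grp", "hme1": "hme1_grp", "hme2": "hme2_grp"}


def contains(name: str, ip: ipaddress.IPv4Address, ranges=RANGES, groups=GROUPS) -> bool:
    """Resolve an address object recursively: a range by its bounds, a group as include minus exclude."""
    if name == "*":
        return True
    if name in ranges:
        lo, hi = (ipaddress.IPv4Address(a) for a in ranges[name])
        return lo <= ip <= hi
    include, exclude = groups[name]
    return any(contains(i, ip, ranges, groups) for i in include) and not any(
        contains(e, ip, ranges, groups) for e in exclude)


def interfaces_for(ip_str: str, ranges=RANGES, groups=GROUPS) -> List[str]:
    """Every stealth interface whose interface group claims this address (a correct config yields 0 or 1)."""
    ip = ipaddress.IPv4Address(ip_str)
    return [ifc for ifc, grp in INTERFACE_GROUPS.items() if contains(grp, ip, ranges, groups)]


def egress_interface(ip_str: str, ranges=RANGES, groups=GROUPS) -> Optional[str]:
    """Interface the Screen would send a packet for ip_str out of; None if no group claims it."""
    hits = interfaces_for(ip_str, ranges, groups)
    if len(hits) > 1:
        raise ValueError(f"{ip_str} belongs to more than one interface group: {hits}")
    return hits[0] if hits else None


def overlapping_addresses(ranges=RANGES, groups=GROUPS) -> List[Tuple[str, List[str]]]:
    """Addresses claimed by two or more interface groups.

    Every group is a boolean combination of ranges, so membership is constant
    between range boundaries; probing each boundary and its neighbours (plus
    the two ends of the address space) covers every distinct case.
    """
    probes = {0, 2**32 - 1}
    for lo, hi in ranges.values():
        for edge in (int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))):
            probes.update(p for p in (edge - 1, edge, edge + 1) if 0 <= p < 2**32)
    found = []
    for p in sorted(probes):
        ip_str = str(ipaddress.IPv4Address(p))
        hits = interfaces_for(ip_str, ranges, groups)
        if len(hits) > 1:
            found.append((ip_str, hits))
    return found


def with_private_extended_to_100() -> Dict[str, Tuple[str, str]]:
    """Constructed misconfiguration: widen the private range so it also covers the DMZ host."""
    bad = dict(RANGES)
    bad["192.168.1-private"] = ("192.168.1.2", "192.168.1.100")
    return bad


if __name__ == "__main__":
    for dst in ("192.168.1.3", "192.168.1.100", "192.168.1.1", "10.0.2.17", "203.0.113.9"):
        print(f"packet to {dst:15} leaves via {egress_interface(dst)}")
    print("overlaps in Table 5-1 config:", overlapping_addresses())
    print("overlaps in broken config:   ", overlapping_addresses(with_private_extended_to_100()))
```

Note that 192.168.1.1 (the 192.168.1-public object) is not referenced by any group, so it falls into Internet and therefore hme2_grp, which is what the table's exclusion rule intends; the broken variant shows the failure mode the note above warns about, where 192.168.1.100 is claimed by both hme0 and hme1 and no egress interface can be chosen.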
Define the interfaces hme0, hme1, and hme2 as stealth interfaces, as shown in the following figure, which is an example for hme0.
Define policy rules.
Save and activate the policy.