SunScreen 3.1 Configuration Examples

Detailed Stealth-Mode Installation

  1. Install the Solaris operating environment on the Screen.

    Configure a single interface, the administration interface (le0 in this example), with an IP address (192.168.1.3 in this example) to enable control of the Screen remotely from an Administration Station.

    The traffic on this interface is restricted to ports 3852 and 3953 only. The traffic is encrypted using SunScreen SKIP, which requires the Screen's and Administration Stations' certificate IDs. SunScreen supports:

    • Self-generated certificates (that is, Unsigned Diffie-Hellman [UDH], as described here).

    • Issued certificates (which are obtained from Sun's certification authority [CA] before proceeding).

    See the SunScreen 3.1 Installation Guide regarding certificates.

    Access is restricted to systems in a remote access rule using the SunScreen SKIP identity of that system for authentication. This remote access rule is configured as part of the installation process.

  2. Install the recommended Solaris operating environment patches at this point, especially any Ethernet interface patches.

    The Screen is only able to resolve IP addresses using the administration interface. Because it only needs to resolve the IP address of the Administration Station and any SNMP trap receivers, consider configuring /etc/nsswitch.conf to use files for name resolution only.

  3. Install the SunScreen software by following the instructions in the SunScreen 3.1 Installation Guide.

    Do the following:

    1. Install the SunScreen software on the Administration Station.

    2. Generate a certificate ID for the Administration Station.

    3. Install the SunScreen software on the Screen as stealth mode.

    4. Optionally, harden the Solaris operating environment.

    5. Add the Administration Station's certificate ID to the Screen.

    6. Add the Screen's certificate ID to the Administration Station.

    7. Reboot the Administration Station and the Screen.


      Note -

      The Administration Station can only contact the Screen using the administration GUI or the command-line interface; it cannot ping the Screen.


  4. Start a browser on the Administration Station and connect to the URL by typing:


    http://192.168.1.3:3852
    
  5. Select the Screen object and define the network that the Screen partitions, as shown in FIGURE 4-2.


    Caution -

    Failure to do this step causes the Screen to not work correctly.


    Figure 5-2 Network Address Used in the Example


  6. Define the address objects as shown in the following table:

    Table 5-1 Address Object Definitions

    Name               Type    Details
    10.0.2-net         Range   10.0.2.0 to 10.0.2.255
    DMZ                Range   192.168.1.100 to 192.168.1.100
    192.168.1-private  Range   192.168.1.2 to 192.168.1.99
    192.168.1-public   Range   192.168.1.1 to 192.168.1.1
    Internal           Group   Include: {10.0.2-net 192.168.1-private} Exclude: {}
    Internet           Group   Include: {*} Exclude: {Internal DMZ}
    hme0_grp           Group   Include: {DMZ} Exclude: {}
    hme1_grp           Group   Include: {Internal} Exclude: {}
    hme2_grp           Group   Include: {Internet} Exclude: {}

    The last three objects are called the Interface Groups. Each must contain the IP addresses of every host that can be reached through that interface. The Screen uses these groups to decide which interface a packet is sent out of, so their correct definition is essential for correct operation.


    Note -

    Be sure the address groups do not overlap.
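    The overlap requirement in the note above can be checked before the policy is activated. The following script is an added example, not SunScreen code: it models the address objects from Table 5-1 (Ranges, and Groups with Include/Exclude lists, where "*" stands for every IPv4 address) as integer intervals, resolves each Interface Group to the addresses it covers, and reports any address interval shared by two Interface Groups. The interval arithmetic and the object encoding are assumptions made for this example; the object names and values are the ones in the table.

```python
"""Resolve SunScreen-style address objects and check Interface Groups for overlap.

Added example; not SunScreen code.  The object table below is a constructed
encoding of Table 5-1: a Range is ("Range", low, high), a Group is
("Group", include_list, exclude_list), and "*" means every IPv4 address.
"""
from ipaddress import IPv4Address

ADDRESS_OBJECTS = {
    "10.0.2-net":        ("Range", "10.0.2.0", "10.0.2.255"),
    "DMZ":               ("Range", "192.168.1.100", "192.168.1.100"),
    "192.168.1-private": ("Range", "192.168.1.2", "192.168.1.99"),
    "192.168.1-public":  ("Range", "192.168.1.1", "192.168.1.1"),
    "Internal":          ("Group", ["10.0.2-net", "192.168.1-private"], []),
    "Internet":          ("Group", ["*"], ["Internal", "DMZ"]),
    "hme0_grp":          ("Group", ["DMZ"], []),
    "hme1_grp":          ("Group", ["Internal"], []),
    "hme2_grp":          ("Group", ["Internet"], []),
}

INTERFACE_GROUPS = ["hme0_grp", "hme1_grp", "hme2_grp"]
ALL_IPV4 = [(0, 2**32 - 1)]          # the "*" wildcard as one interval


def _subtract(intervals, cut):
    """Return `intervals` with the (low, high) interval `cut` removed."""
    lo, hi = cut
    out = []
    for a, b in intervals:
        if hi < a or lo > b:          # disjoint: keep unchanged
            out.append((a, b))
            continue
        if a < lo:                    # keep the part below the cut
            out.append((a, lo - 1))
        if b > hi:                    # keep the part above the cut
            out.append((hi + 1, b))
    return out


def resolve(name, objects=ADDRESS_OBJECTS, _seen=()):
    """Resolve an address object to a sorted list of (low, high) integer intervals."""
    if name == "*":
        return list(ALL_IPV4)
    if name in _seen:
        raise ValueError(f"cyclic group reference via {name!r}")
    kind, *rest = objects[name]
    if kind == "Range":
        lo, hi = (int(IPv4Address(x)) for x in rest)
        if lo > hi:
            raise ValueError(f"{name}: low address is above high address")
        return [(lo, hi)]
    include, exclude = rest
    result = []
    for member in include:
        result.extend(resolve(member, objects, _seen + (name,)))
    for member in exclude:            # Exclude is applied after all Includes
        for cut in resolve(member, objects, _seen + (name,)):
            result = _subtract(result, cut)
    return sorted(result)


def find_overlaps(names, objects=ADDRESS_OBJECTS):
    """Return (name1, name2, low, high) for every address interval two objects share."""
    resolved = {n: resolve(n, objects) for n in names}
    hits = []
    for i, n1 in enumerate(names):
        for n2 in names[i + 1:]:
            for a1, b1 in resolved[n1]:
                for a2, b2 in resolved[n2]:
                    lo, hi = max(a1, a2), min(b1, b2)
                    if lo <= hi:      # non-empty intersection
                        hits.append((n1, n2, str(IPv4Address(lo)), str(IPv4Address(hi))))
    return hits


if __name__ == "__main__":
    for group in INTERFACE_GROUPS:
        spans = ", ".join(f"{IPv4Address(a)}-{IPv4Address(b)}" for a, b in resolve(group))
        print(f"{group}: {spans}")
    print("overlaps:", find_overlaps(INTERFACE_GROUPS) or "none")
```

With the table as given, the three Interface Groups resolve to disjoint address sets and the script reports no overlaps. Widening the DMZ range into the 192.168.1-private range (for example 192.168.1.50 to 192.168.1.100) makes hme0_grp and hme1_grp share 192.168.1.50 to 192.168.1.99, which the script reports; that is the kind of mistake to catch before the Screen has to pick an outbound interface for such an address.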


  7. Define the interfaces hme0, hme1, and hme2 as stealth interfaces, as shown in the following figure, which is an example for hme0.

    Figure 5-3 Stealth Interface Definitions


  8. Define policy rules.

  9. Save and activate the policy.