SunScreen 3.1 Configuration Examples

Chapter 8 Routing Mode With Centralized Management Group

Typically, centralized management is used to remotely administer configurations on a group of Screens at once. A centralized management group consists of a primary Screen and some number of secondary Screens. The primary Screen's main function (beyond being a working firewall and, in this example, a router) is to push policy configurations to all of the secondary Screens in the centralized management group.


Note -

A Screen in stealth mode or in routing mode can belong to a centralized management group, and a Screen in either mode can act as the primary Screen or as a secondary Screen.


Network Example

For the network example, Figure 8-1 shows the San Francisco and Boston segments of the sample company network. In the diagram, sf-screen1 is the primary Screen, running in routing mode, and bos-screen1 is the secondary Screen, running in stealth mode. Additional Screens (in either stealth or routing mode) can be added as secondary Screens by following the same procedure.

Figure 8-1 San Francisco and Boston Segments of the Sample Company Network [graphic not reproduced]

General Centralized Management Group Configuration

Setting up centralized management requires several steps, in the following order:

  1. Install the firewall software on the routing-mode primary Screen.

  2. Configure the primary Screen with a basic policy, including an administrative certificate.

    The administrative certificate is created during installation if you select remote administration; otherwise, create it manually once the installation is complete.

    Also, be sure to specify the primary Screen's name on every interface defined for the primary Screen.

  3. Install the firewall software on the stealth-mode secondary Screens.

    On the secondary Screens, create the following:

    • Certificate objects for both the primary and secondary Screens.

    • Address objects required to correctly define the Screen objects, interfaces, and policy rules on the secondary Screens.

    • Screen object for primary Screen.

    • Interface objects for the secondary Screens.

    • Policy rules to enable at least SunScreen SKIP and CDP packets from the primary Screen to pass through the secondary Screens' interfaces.

  4. Modify the Screen object for each secondary Screen to contain the primary Screen's name and encryption information.

  5. Save and activate the policy on the secondary Screens.

  6. On the primary Screen, create the following:

    • Certificate object for the secondary Screens.

    • Screen object for the secondary Screens containing the primary Screen's name and encryption information.

    • Address objects required to correctly define all the interfaces on the secondary Screens.

    • Interface objects for all interfaces on the secondary Screens (be sure to supply the Screen name for each interface defined).

    • Policy rules for the secondary Screens, as needed.


      Note -

      For centralized management to push the policy to the secondary Screens, the secondary Screens' policy must allow SunScreen SKIP and CDP traffic from the primary Screen to pass through them.


  7. Save and activate the policy on the primary Screen.

    This pushes the policy to each secondary Screen that was defined.

  8. Repeat Steps 3 through 7 for each secondary Screen in the centralized management group.

Detailed Centralized Management Group Configuration

The following detailed steps show how to set up this simple centralized management group configuration:

  1. Install and configure Screen sf-screen1 in routing mode with remote Administration Station sf-host4.

    Be sure to write down the Screen's certificate ID for use in the next step. Refer to "Installing a Screen In Routing Mode" in the first example in this document for instructions on this step.

  2. Install the Screen bos-screen1 in stealth mode with remote administration.

    Refer to "Installing a Screen In Stealth Mode" described earlier in this document for instructions on this step.

    When the installer asks for the Administration Station's certificate ID, enter the certificate ID you wrote down in Step 1 (sf-screen1's certificate), because sf-screen1 is the Screen that will administer bos-screen1. The resulting certificate object is named "remote" by default.

    Be sure to write down the Screen's certificate ID for use in a later step.

  3. Configure the Screen bos-screen1 as a secondary Screen in the centralized management group.

    Create the following objects to enable Screen sf-screen1 to push the security policy to bos-screen1.

    • Address objects (needed to define the stealth interfaces), Screen objects, and policy rules, as shown in the following table:

      Table 8-1 Address Object Definitions

      Name             Type    Address
      sf-screen1       Host    192.168.1.2
      bos-screen1      Host    10.0.2.200
      bos-ext-router   Host    192.168.2.1
      bos-net-10       Range   10.0.2.0 - 10.0.2.255
      bos-net-192      Range   192.168.2.0 - 192.168.2.255
      bos-internal     Group   Include: bos-net-10, bos-net-192; Exclude: bos-ext-router, *
      bos-external     Group   Include: *, bos-ext-router; Exclude: bos-net-10, bos-net-192

    • Screen object for primary Screen sf-screen1, containing the administrative IP address (sf-screen1) and certificate (remote) under the HA/Master Config tab, as shown in the following figure.

      Figure 8-2 Screen Object for sf-screen1 [graphic not reproduced]

    • Interface objects, as shown in the following table:

      Table 8-2 Interface Object Definitions

      Name   Screen        Type      Address Group
      qfe0   bos-screen1   STEALTH   bos-external
      qfe1   bos-screen1   STEALTH   bos-internal
      hme0   bos-screen1   ADMIN     bos-screen1_hme0 (created by default)

  4. Modify the Screen object for bos-screen1 to show sf-screen1 as the Primary Name, and be sure it contains bos-admin1 as the Administrative IP Address and bos-screen1.admin as the Administrative Certificate, as shown in the following figure.

    Figure 8-3 Screen Object for bos-screen1 [graphic not reproduced]

  5. Create policy rules to allow SunScreen SKIP and CDP packets from sf-screen1 to pass through the Screen, as shown in the following figure:

    Figure 8-4 Policy Rules to Allow SunScreen SKIP and CDP Packet Flow [graphic not reproduced]

  6. Save and activate the policy on bos-screen1.

  7. Configure primary Screen sf-screen1 to push the policy to secondary Screen bos-screen1 by creating the following objects:

    • Address objects (the same ones defined on bos-screen1 in Step 3) needed to define the stealth interfaces, Screen object, and policy rules for secondary Screen bos-screen1, as shown in the following table:

      Table 8-3 Address Objects To Enable Configuration

      Name             Type    Address
      sf-screen1       Host    192.168.1.2
      bos-screen1      Host    10.0.2.200
      bos-ext-router   Host    192.168.2.1
      bos-net-10       Range   10.0.2.0 - 10.0.2.255
      bos-net-192      Range   192.168.2.0 - 192.168.2.255
      bos-internal     Group   Include: bos-net-10, bos-net-192; Exclude: bos-ext-router, *
      bos-external     Group   Include: *, bos-ext-router; Exclude: bos-net-10, bos-net-192

    • Certificate object called bos-screen1.admin, created with the Associate MKID selection under Certificate -> Add New in the Policy Objects area. Use the certificate ID you wrote down in Step 2 (bos-screen1's certificate).

    • Screen object for bos-screen1 containing sf-screen1 as the Primary Name, bos-admin1 as the Administrative IP Address, and bos-screen1.admin as the Administrative Certificate. It looks the same as it did on the secondary Screen, as shown in Figure 8-3.

    • Interface objects for bos-screen1, as shown in the following table:

      Table 8-4 Interface Objects For bos-screen1

      Name   Screen        Type      Address Group
      qfe0   bos-screen1   STEALTH   bos-external
      qfe1   bos-screen1   STEALTH   bos-internal
      hme0   bos-screen1   ADMIN     bos-screen1_hme0 (created by default)

    Be sure that all interface definitions for the primary Screen sf-screen1 contain sf-screen1 in the Screen field, and that those for bos-screen1 contain bos-screen1.

  8. Add policy rules to allow SunScreen SKIP and CDP packets from sf-screen1 to pass through Screen bos-screen1, as shown in Figure 8-4 in Step 5.

    Be sure that each rule has an entry in the Screen field so that the policy knows which Screen(s) should implement that rule.

  9. Save and activate the policy on sf-screen1.

Your centralized management group is now configured, and is ready for you to implement your full security policy.
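As an added worked example (not code from the SunScreen documentation or product), the following Python script transcribes the address objects of Table 8-1 and the stealth interface assignments of Table 8-2 and checks the property those two Group objects are built to satisfy: every address falls into exactly one of bos-internal and bos-external, so bos-screen1 can assign each packet to exactly one stealth interface. The Include/Exclude resolution rule used here (the most specific matching entry decides, with `*` the least specific) is my reading of the tables rather than a rule quoted from the page; the sample addresses and the "misconfigured" variant are constructed for the example.

```python
"""Resolve SunScreen-style address objects (Table 8-1) and check that the two
stealth interface address groups of Table 8-2 partition the address space.

Added example; not code from the SunScreen documentation or product.
Assumption: group membership is decided by the most specific matching entry
across the Include and Exclude lists (Host beats Range, a narrower Range
beats a wider one, '*' is least specific, Exclude wins exact ties).  That is
the reading under which the page's tables make sense, since bos-internal
lists '*' under Exclude while still including two ranges.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    addr: str

    def contains(self, ip):
        return ip == ipaddress.ip_address(self.addr)

    def width(self):
        return 1


@dataclass(frozen=True)
class Range:
    name: str
    first: str
    last: str

    def contains(self, ip):
        return ipaddress.ip_address(self.first) <= ip <= ipaddress.ip_address(self.last)

    def width(self):
        return int(ipaddress.ip_address(self.last)) - int(ipaddress.ip_address(self.first)) + 1


@dataclass(frozen=True)
class Star:
    """SunScreen's '*' object: every address."""
    name: str = "*"

    def contains(self, ip):
        return True

    def width(self):
        return 2 ** 32


@dataclass(frozen=True)
class Group:
    name: str
    include: tuple
    exclude: tuple

    def contains(self, ip):
        # Narrowest matching entry decides; on equal width, Exclude (flag 0) wins.
        hits = [(o.width(), 1, o.name) for o in self.include if o.contains(ip)]
        hits += [(o.width(), 0, o.name) for o in self.exclude if o.contains(ip)]
        return bool(hits) and min(hits)[1] == 1


# Table 8-1, transcribed from the page.
A = {
    "sf-screen1": Host("sf-screen1", "192.168.1.2"),
    "bos-screen1": Host("bos-screen1", "10.0.2.200"),
    "bos-ext-router": Host("bos-ext-router", "192.168.2.1"),
    "bos-net-10": Range("bos-net-10", "10.0.2.0", "10.0.2.255"),
    "bos-net-192": Range("bos-net-192", "192.168.2.0", "192.168.2.255"),
    "*": Star(),
}
A["bos-internal"] = Group("bos-internal", include=(A["bos-net-10"], A["bos-net-192"]),
                          exclude=(A["bos-ext-router"], A["*"]))
A["bos-external"] = Group("bos-external", include=(A["*"], A["bos-ext-router"]),
                          exclude=(A["bos-net-10"], A["bos-net-192"]))

# Table 8-2: stealth interfaces of bos-screen1 and their address groups.
STEALTH_INTERFACES = {"qfe0": "bos-external", "qfe1": "bos-internal"}


def classify(ip_str, interfaces=STEALTH_INTERFACES):
    """Name the stealth interface whose address group holds ip_str, or
    'none' / 'ambiguous' when the groups fail to partition the space."""
    ip = ipaddress.ip_address(ip_str)
    hits = [ifn for ifn, grp in interfaces.items() if A[grp].contains(ip)]
    if len(hits) == 1:
        return hits[0]
    return "none" if not hits else "ambiguous"


def sample_addresses():
    """Constructed sample: both Boston ranges plus one address on either side
    of each, the primary Screen, and a few clearly external addresses."""
    ips = []
    for rng in (A["bos-net-10"], A["bos-net-192"]):
        lo = int(ipaddress.ip_address(rng.first)) - 1
        hi = int(ipaddress.ip_address(rng.last)) + 1
        ips += [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
    return ips + ["192.168.1.2", "0.0.0.0", "255.255.255.255", "203.0.113.7"]


def check_partition(samples=None):
    """Return (ip, verdict) for every sampled address that maps to no or to
    more than one stealth interface; an empty list means the groups partition
    the sampled space, which the Table 8-1 definitions should give."""
    bad = []
    for ip in samples or sample_addresses():
        verdict = classify(ip)
        if verdict in ("none", "ambiguous"):
            bad.append((ip, verdict))
    return bad


def check_misconfigured_external():
    """Failure mode (constructed): bos-external with bos-net-192 dropped from
    its Exclude list.  192.168.2.0/24 hosts then match both stealth interfaces."""
    broken = Group("bos-external", include=(A["*"], A["bos-ext-router"]),
                   exclude=(A["bos-net-10"],))
    saved = A["bos-external"]
    A["bos-external"] = broken
    try:
        return check_partition(["192.168.2.5", "10.0.2.5", "203.0.113.7"])
    finally:
        A["bos-external"] = saved


if __name__ == "__main__":
    for ip in ("192.168.1.2", "192.168.2.1", "192.168.2.5", "10.0.2.200"):
        print(f"{ip:>16} -> {classify(ip)}")
    print("partition violations:", check_partition())
    print("misconfigured variant:", check_misconfigured_external())
```

Note that sf-screen1 (192.168.1.2) resolves to qfe0, the bos-external interface, which is where the SKIP and CDP rules of Step 5 must admit it; bos-ext-router resolves to qfe0 only because the Host entry outranks the bos-net-192 range it sits in. Dropping a single Exclude entry, as the misconfigured variant does, makes a whole /24 match both interfaces, which is the kind of error worth catching before activating a policy that is then pushed to every secondary Screen.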

In the network diagram (Figure 8-1), the primary routing-mode Screen sf-screen1 is shown in an HA cluster configuration. You can configure the primary centrally managed Screen with HA if you wish. However, first follow the steps above to get the centralized management group working, then follow the procedure for adding the secondary HA Screen to the configuration.