This chapter gives an overview of the SunScreen software installation.
Topics covered include:
SunScreen is a layered software security solution that is installed on Solaris(TM)-based systems so that organizations can connect their departmental networks to public internetworks securely. Depending on how it is installed, SunScreen functions either as a combined firewall and router (routing mode) or as a transparent bridge in front of the hosts it protects (stealth mode).
The Screen is the firewall responsible for screening packets. An Administration Station is used to define the objects and rules that form the security policy and to administer the Screen; it can run on the Screen itself (local administration) or on a separate system (remote administration). The number of Screens and Administration Stations depends on your site's network topology and security policies. The SunScreen firewall and administration software can be installed on a single system, or on separate systems when a remote Administration Station administers the Screen.
Install a Screen at every point in the network where you want to restrict access. Strictly speaking, install one Screen for each point in the network that has direct public access (typically, one per site). One Administration Station can manage multiple Screens, although more Administration Stations can be installed for redundancy and ease of access. Encryption and authentication protect the management channel and limit administration of a Screen to authorized Administration Stations.
For encryption, SunScreen supports Internet Protocol Security (IPsec) with manual keying (see "IPsec Key" in the SunScreen 3.2 Administration Guide), Solaris Internet Key Exchange (IKE), and SunScreen Simple Key Management for Internet Protocol (SKIP) (see "Certificate Objects" in the SunScreen 3.2 Administration Guide for information about IKE and SKIP). A Screen can therefore be configured to encrypt packets using IPsec with manual keying, IPsec with IKE, or SKIP. IKE and SKIP can coexist on the same Screen, but a given traffic flow is encrypted by one or the other, never both.
To communicate with the Screen using IKE, you must download the SUNWcryr and SUNWcryrx packages onto the Administration Station from http://www.sun.com/software/solaris/encryption/download.html. On Solaris 9 this is required only if you need an encryption algorithm other than DES or 3DES, which are included with the operating system.
You can install the SunScreen software in routing mode or in stealth mode.
It is possible to mix the two modes so that the interfaces protecting your system from the outside network are stealth and the interfaces to your internal network are routing. When mixing modes, install the Screen in routing mode first, then configure the stealth interfaces.
Mixing interface modes requires careful consideration. Before you attempt this configuration, refer to the SunScreen 3.2 Administration Guide and the SunScreen 3.2 Configuration Examples documents, the latter of which includes an example of a mixed mode configuration.
Choose routing mode when you need to filter packets between multiple networks connected by a Solaris-based system. A system in routing mode acts as both a router and a firewall. To use proxies or to install additional network services on the Screen, the interfaces must be configured in routing mode. Routing mode requires at least two exposed IP interfaces.
Be aware of the following considerations when operating in routing mode:
As with any router, the Screen is situated between subnets.
Adding a new router to your network can require a reorganization of your network and renumbering of your hosts.
The Solaris IP stack exposes an IP address on each of the Screen's filtering interfaces, whereas a stealth configuration exposes none.
Choose stealth mode to increase your defense against attacks when routing functions are not needed. In stealth mode, your system behaves like a bridge: no IP interfaces are exposed to the public or private network, and the Screen filters packets transparently. Because no IP address is configured on the filtering interfaces, a stealth-mode Screen does not appear as a hop and cannot be detected through traceroute or similar network tools.
Be aware of the following considerations when operating in stealth mode:
Packets are not routed, instead the Screen behaves like a bridge.
A network interface needs to be configured in Solaris only when remote administration is used.
The systems that are used as gateways, or that are in vulnerable positions on the network, need only have the minimum Solaris software packages installed, which reduces the number of potentially exploitable applications (see "Software and Hardware Requirements" in this manual).
When installing SunScreen in stealth mode, you are asked if you want to harden the Screen. Hardening is optional; if chosen, it automatically removes any Solaris software files and packages that might otherwise make the Screen vulnerable to an attack, in accordance with the best practices described at http://www.sun.com/blueprints/browsesubject.html#security. Hardening in SunScreen 3.2 is based upon JASS (JumpStart Architecture and Security Scripts). More information regarding JASS is available at http://www.sun.com/blueprints. The hardening process can be performed during installation or at a later time by running the script /usr/lib/sunscreen/lib/harden_os. For more information on hardening, see the "Installing in Stealth Mode With Remote Administration Using IKE" and "Installing in Stealth Mode With Remote Administration Using SKIP" chapters in this manual.
Do not harden your Screen if some of your interfaces are in stealth mode and other interfaces are in routing mode. See the chapter "Configuring a Stealth Mode Screen" in the SunScreen 3.2 Configuration Examples document for an example of a mixed-mode configuration.
Before installing SunScreen, complete the following tasks:
Be acquainted with the SunScreen documentation set, especially the SunScreen 3.2 Release Notes document, which gives the latest product information.
Make a map of your network. See "Determining Your Security Policy" in this manual for worksheets and instructions to aid you in determining your network configuration and your desired security level.
Ensure that the system you have identified to run the SunScreen software is secure.
Consider reinstalling the Solaris software from CD-ROM so that you start from a known, unmodified installation.
If you are running the Solaris 8 software, install the recommended kernel and security patches from http://sunsolve.sun.com. In addition, make sure the following patches are installed.
When using SKIP CA-issued keys and certificates, make sure a set is available for each host.
After installing the SunScreen software, you begin to set up and implement your network's security policy. For administrative instructions, refer to the SunScreen 3.2 Administration Guide. For examples of security policy configurations, see the SunScreen 3.2 Configuration Examples document. For more information regarding the SunScreen product, see the SunScreen 3.2 Administrator's Overview document.
The table below lists the installation requirements for SunScreen 3.2.
SunScreen includes HotJava(TM) 1.1, SunScreen SKIP for Solaris, and IKE software.
To read the SunScreen documentation from the administration GUI, you must have the Adobe Acrobat Reader plug-in installed on your system.
Because of a limitation in SunScreen SKIP, release 1.5.1 for Solaris, the RC2 encryption algorithm is not available when running Solaris 8 in 64-bit mode.
Ensure that the required Solaris software packages reside on the Screen and the Administration Station as described below.
Install third-party content scanning products on a system separate from your SunScreen firewall to avoid possible security risks, as well as to avoid overloading your system when the content is large.
When installing the SunScreen software on your Screen remotely from an Administration Station or if you choose to use the command-line interface instead of the administration GUI, install the Solaris Core Distribution software as well as the packages listed in the following table from your Solaris CD, if not already on your system.
When installing only the Solaris Core Distribution software, either set your DISPLAY variable to a system that runs a windowing system so the GUI installer can display there, or install SunScreen using the command-line installation procedure described in the "Command Line Installation" appendix in this manual.
When installing the SunScreen software on your Screen locally, install the Solaris End User Distribution software as well as the packages listed in the following table from your Solaris CD, if not already on your system.
Table 1-2 Solaris Packages for Screen System

| Package Name | Description |
|---|---|
| SUNWlibc | Sun Workshop Compilers Bundled libC |
| SUNWlibms | Sun WorkShop Bundled shared libm |
| SUNWsprot | Solaris Bundled tools |
| SUNWxwplt | X Window System platform software |
| SUNWmfrun | Motif RunTime Kit |
| SUNWloc | System Localization |
| SUNWxwice | X Window System Inter-Client Exchange (ICE) Components |
| SUNWxwrtl | X Window System & Graphics Runtime Library Links in /usr/lib |
| SUNWtoo | Programming Tools |
| SUNWtoox | Programming Tools (64-bit) |
| SUNWeuluf | UTF-8 L10N For Language Environment User Files |
| SUNWeulux | UTF-8 L10N For Language Environment User Files (64-bit) |
| SUNWjvrt | JavaVM run time environment |
| SUNWj2rt (Trusted Solaris 8 only) | JDK 1.2 run time environment |
| SUNWj3rt (Solaris 9 only) | J2SDK 1.4 runtime environment |
| SUNWapchr (Solaris 9 only) | Apache Web Server (root) |
| SUNWapchu (Solaris 9 only) | Apache Web Server (usr) |
| SUNWeu8os (Solaris 9 only) | American English/UTF-8 L10N For OS Environment User Files |
| SUNWeu8osx (Solaris 9 only) | American English/UTF-8 L10N For OS Environment User Files (64-bit) |
| SUNWcryr | Cryptography packages for IKE. Optional for Solaris 9 unless AES or Blowfish is required. Required for Trusted Solaris 8. |
| SUNWcryrx | Cryptography packages for IKE (64-bit). Optional for Solaris 9 unless AES or Blowfish is required. Required for Trusted Solaris 8. |
When installing the SunScreen software remotely using the administration GUI, install the following packages on your Administration Station from your Solaris CD, if not already on your system.
Table 1-3 Solaris Packages for Administration Station

| Package Name | Description |
|---|---|
| SUNWjvrt | JavaVM run time environment |
| SUNWxwplt | X Window System platform software |
| SUNWmfrun | Motif RunTime Kit |
| SUNWcryr | Cryptography packages for IKE. Optional for Solaris 9 unless AES or Blowfish is required. Required for Trusted Solaris 8. |
| SUNWcryrx | Cryptography packages for IKE (64-bit). Optional for Solaris 9 unless AES or Blowfish is required. Required for Trusted Solaris 8. |
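The following POSIX shell script is an added example, not part of the SunScreen 3.2 distribution or its documentation. It encodes Tables 1-2 and 1-3 and reports which required packages are absent from a Screen or Administration Station before you begin the installation, applying the release-specific rules above (Solaris 9 additions, the Trusted Solaris 8 JDK package, and the SUNWcryr/SUNWcryrx IKE packages being required on Trusted Solaris 8 but optional on Solaris 9 unless AES or Blowfish is needed). The role and release names (screen/admin, solaris8/solaris9/trusted8) are this script's own conventions; it assumes pkginfo(1) prints the package instance name in its second column, and the "installed" list it ships with is constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of SunScreen 3.2): check a Screen or Administration
# Station for the Solaris packages listed in Tables 1-2 and 1-3 before
# installing. On a real system, feed it the output of pkginfo(1), whose second
# column is the package instance name; the sample list below is constructed.

# Table 1-2: packages every Screen needs, regardless of release.
SCREEN_PKGS="SUNWlibc SUNWlibms SUNWsprot SUNWxwplt SUNWmfrun SUNWloc \
SUNWxwice SUNWxwrtl SUNWtoo SUNWtoox SUNWeuluf SUNWeulux SUNWjvrt"
# Table 1-2: release-specific additions.
SOLARIS9_SCREEN_PKGS="SUNWj3rt SUNWapchr SUNWapchu SUNWeu8os SUNWeu8osx"
TRUSTED8_SCREEN_PKGS="SUNWj2rt"
# Table 1-3: Administration Station packages.
ADMIN_PKGS="SUNWjvrt SUNWxwplt SUNWmfrun"
# IKE cryptography packages: required on Trusted Solaris 8, optional on
# Solaris 9 unless AES or Blowfish is needed, not listed for Solaris 8.
IKE_CRYPTO_PKGS="SUNWcryr SUNWcryrx"

# required_for ROLE RELEASE STRONG_CRYPTO
#   ROLE is "screen" or "admin"; RELEASE is solaris8, solaris9 or trusted8;
#   STRONG_CRYPTO is "yes" when AES or Blowfish will be used with IKE.
#   Prints the space-separated list of required packages.
required_for() {
    role=$1; release=$2; strong=$3
    case $role in
        screen) list=$SCREEN_PKGS ;;
        admin)  list=$ADMIN_PKGS ;;
        *) echo "unknown role: $role" >&2; return 1 ;;
    esac
    case $release in
        solaris8) ;;
        solaris9)
            if [ "$role" = screen ]; then list="$list $SOLARIS9_SCREEN_PKGS"; fi
            if [ "$strong" = yes ]; then list="$list $IKE_CRYPTO_PKGS"; fi ;;
        trusted8)
            if [ "$role" = screen ]; then list="$list $TRUSTED8_SCREEN_PKGS"; fi
            list="$list $IKE_CRYPTO_PKGS" ;;
        *) echo "unknown release: $release" >&2; return 1 ;;
    esac
    echo "$list"
}

# missing_packages REQUIRED INSTALLED
#   Prints, one per line, each package in REQUIRED that is absent from INSTALLED.
missing_packages() {
    for pkg in $1; do
        found=no
        for have in $2; do
            if [ "$have" = "$pkg" ]; then found=yes; break; fi
        done
        if [ "$found" = no ]; then echo "$pkg"; fi
    done
    return 0
}

# installed_packages
#   Package instance names from pkginfo(1) on a live Solaris system.
installed_packages() {
    pkginfo 2>/dev/null | awk '{print $2}'
}

# check_prereqs ROLE RELEASE STRONG_CRYPTO INSTALLED
#   Exit status 0 if every required package is present, 1 if any is missing,
#   2 on bad arguments.
check_prereqs() {
    req=$(required_for "$1" "$2" "$3") || return 2
    missing=$(missing_packages "$req" "$4")
    if [ -n "$missing" ]; then
        echo "Missing packages for $1 on $2:"
        echo "$missing" | sed 's/^/  /'
        return 1
    fi
    echo "All required packages present for $1 on $2."
    return 0
}

# Constructed sample: a Solaris 9 Screen that has everything except the
# Apache root package and the IKE cryptography packages.
SAMPLE_INSTALLED="SUNWlibc SUNWlibms SUNWsprot SUNWxwplt SUNWmfrun SUNWloc \
SUNWxwice SUNWxwrtl SUNWtoo SUNWtoox SUNWeuluf SUNWeulux SUNWjvrt \
SUNWj3rt SUNWapchu SUNWeu8os SUNWeu8osx"

# Usage: sh check_pkgs.sh sample   (constructed list above)
#        sh check_pkgs.sh live     (pkginfo on this Solaris system)
case "${1:-}" in
    sample) check_prereqs screen solaris9 yes "$SAMPLE_INSTALLED" ;;
    live)   check_prereqs screen solaris9 yes "$(installed_packages)" ;;
esac
```

Run it with the `live` argument on the prospective Screen before starting the installer; a non-zero exit status names the packages to add from the Solaris CD. Packages the script reports as present are not verified for version or patch level, so the patch checks described below still apply.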
In addition to the patches included on your SunScreen CD, make sure you install all recommended security patches available for your operating environment. For security reasons, always keep your operating environment up to date with available patches.
Use the command-line interface to create IKE self-generated certificates.
SunScreen 3.2 on the Solaris 8 operating environment supports IPv4 packets according to the policy but blocks IPv6 packets.
A routing-mode Screen supports an unlimited number of network interfaces, all of which must be configured in Solaris. A stealth-mode Screen supports up to 15 network interfaces at one time, and only the interface used for remote administration is configured in Solaris. See the documentation accompanying your Solaris software.
The SunScreen CD includes the SunScreen SKIP, revision 1.5.1, software. The SunScreen SKIP version for Windows 95/98 and NT 4.0 is available separately.
A remote Administration Station must attach to the network through an Ethernet local area network (LAN) or a Fiber Distributed Data Interface (FDDI) connection. Once attached by Ethernet or FDDI, the path from the Administration Station to the Screen can traverse an asynchronous transfer mode (ATM) or Token Ring LAN.
For Trusted Solaris 8, to use IPsec manual keying or IKE, you must download the SUNWcryr and SUNWcryrx encryption packages onto both the Screen and the Administration Station.
For Solaris 9, support for DES and 3DES is built into the operating system. You only need to download the encryption packages if you need support for AES or Blowfish.
In either case, to download the packages go to http://www.sun.com/software/solaris/encryption/download.html
On Solaris 8 and 9, SunScreen uses the Apache Web Server to serve the Java applets used by the administration GUI. The web server configuration files are contained in /etc/sunscreen/httpd/.
SunScreen allows any system with a Java-enabled Web browser compliant with JDK 1.1.3 through 1.1.8 to function as an Administration Station. However, the version of the JVM(TM) or plug-in you are using with the browser dictates the operations you are able to perform on the Administration Station.
HotJava 1.1.5 is included on the SunScreen CD.
You can use any supported browser to look at status information and logs as well as modify and save policy configurations. However, some browser configurations do not support local system access.
The Netscape Navigator(TM) default Java plug-in provided with the Solaris 8 software is not compatible with the SunScreen 3.2 administration applet. To save log files and load certificates using Netscape Navigator 4.5 or higher, you must install the older version (version 1.1.2, which is included in the SunScreen distribution) of the Java plug-in or use the HotJava browser (included).
How to install the Java plug-in, version 1.1.2, save the identitydb.obj file, and set the NPX_PLUGIN_PATH environment variable is described in the "Administration GUI Browser Requirements" section of this chapter.
You can install and use SunScreen 3.2 on systems running Trusted Solaris 8. See "Installing on Trusted Solaris" in this manual for more information.
High availability (HA) enables you to deploy groups of Screens together in situations in which the connection between a protected inside network and an insecure outside network is critical. For a detailed description regarding installing an HA cluster, see "Using High Availability" in the SunScreen 3.2 Administration Guide.
The SunScreen CD includes software to upgrade to SunScreen 3.2 for the following:
SunScreen 3.1 and SunScreen 3.1 Lite
SunScreen EFS 1.1, 2.0, and 3.0
SunScreen SPF-200
Detailed instructions for upgrading your SunScreen system are in "Upgrading to SunScreen 3.2" in this manual.
To use your existing FireWall-1 configurations for a similar security policy on SunScreen, you can either convert the FireWall-1 system to become the Screen, or convert the FireWall-1 security policies and use them on a system running SunScreen. See "Converting FireWall-1 to SunScreen in Routing Mode" in this manual.
SunScreen 3.2 also includes the features covered in the following chapters:
"Network Address Translation (NAT) Rules" in the SunScreen 3.2 Administration Guide
"Virtual Private Network (VPN) Rules" in the SunScreen 3.2 Administration Guide
"Setting Up and Using Proxies" in the SunScreen 3.2 Administration Guide
"Configuring Centralized Management Groups" in the SunScreen 3.2 Administration Guide
"Getting Status and Managing Logs" in the SunScreen 3.2 Administration Guide
"Using the Command Line Interface" in the SunScreen 3.2 Administration Guide
"Quick Start Procedures" in SunScreen 3.2 Administration Guide