SunScreen 3.2 Installation Guide

Chapter 4 Installing in Stealth Mode With Remote Administration Using SKIP

This chapter describes how to install the SunScreen software in stealth mode with remote administration using SKIP encryption technology. This installation scenario is a three-step process that requires you to first install the appropriate software on an Administration Station, then install the software on the Screen, and last, establish encrypted communication between the Administration Station and the Screen.


Note -

Installing a locally administered Screen in stealth mode is not supported because a method for retrieving debug information is not available.


A system operating SunScreen in stealth mode behaves much like a bridge in that no IP interfaces are exposed to the public or private network and packets are filtered by the Screen transparently.

Topics in this chapter include:


Note -

This chapter describes installing the SunScreen software using the Solaris Web Start Wizards installer; however, if you are installing on a system without a monitor, use the command-line installation described in "Command Line Installation" in the SunScreen 3.2 Installation Guide.


Before installing, review the SunScreen 3.2 Release Notes for the latest product information.


Note -

Be sure to make a map of your network before you begin this installation. See "Determining Your Security Policy" in the SunScreen 3.2 Installation Guide appendix for worksheets and instructions to aid you in determining your network configuration and your desired security level.


Supported Administration Station Configurations

Any system operating Solaris 8 with SunScreen and a Java-enabled Web browser compliant with JDK 1.1.3 through 1.1.8 that can connect securely to the Screen using SKIP can be used as an Administration Station.

The SunScreen CD includes SKIP for both SPARC and Intel platform editions. Using SKIP allows any hardware running the Solaris 2.6, Solaris 7, or Solaris 8 operating environments to be an Administration Station.

Although systems operating Windows 95, Windows 98, or NT 4.x with PC SKIP, or Windows 2000 with IKE are supported platforms for an Administration Station, this chapter covers Solaris-based Administration Stations only.


Note -

For details regarding SKIP, see either the SunScreen SKIP User's Guide, Release 1.5.1, or the SunScreen SKIP User's Guide, Release 3.0.7, for the Microsoft Windows NT, Windows 95, and Windows 98 Operating Environments documentation.


Stealth Mode Installation Summary

The installer guides you through installing the SunScreen software on systems using SKIP UDH self-generated or SKIP CA-issued certificate technology for encryption.

Perform the installation in the following order:

  1. On the Administration Station

    1. Install the SunScreen administration software.

    2. Create the Administration Station's SKIP certificate.

  2. On the Screen

    1. Install the SunScreen software.

      This step requires the Administration Station's certificate ID and installs the Screen's certificate.

    2. Create the Screen's SKIP certificate.

  3. On the Administration Station install the Screen's certificate to begin encrypted communication.

  4. Use the administration GUI on the remote Administration Station to manage your Screen.


Caution -

If you configure a network interface as routing and later set it to stealth mode, the Screen will hang upon activation. If this happens, you must reboot the Screen in single user mode; remove the file /etc/hostname.interface_name, which unconfigures that interface; and reboot again.


The following sections describe the installation procedures for installing the SunScreen software in stealth mode and how to establish encrypted communication using SKIP certificate technology to remotely administer the stealth Screen.

Do not begin this procedure until you have read the information in "Defining Security Policies" in the SunScreen 3.2 Installation Guide.

Installing the Administration Software on the Administration Station

This procedure describes installing the administration software on the Administration Station.

To Install the Administration Software on the Administration Station
  1. Open a terminal window on your system and become root, if not already.

  2. Change to the directory containing the SunScreen 3.2 product.

    # cd /cdrom/cdrom0/Solaris_9/ExtraValue/CoBundled/SunScreen_3.2/sparc

  3. Double-click the install icon to start the installation.


    Note -

    You are prompted to type the root password for your system if the installer is started as a user other than root.


    The Welcome window appears.

  4. In the Welcome window, click Next to continue.


    Note -

    The Welcome window includes an About button that you can click for information regarding the Web server used. Click the Dismiss button when done.


    The Install Type window appears with Typical as the default entry.

  5. In the Install Type window, select Custom and click Next to continue.

    The Functions window appears with both Screen and Administration selected as the default entry.

  6. In the Functions window, select Administration only by deselecting the Screen box, then click Next to continue.

    The Component Selection window appears with all components except "Sun Web Server" and "SunScreen Firewall" selected as the default entry.

  7. In the Component Selection window, accept the default and click Next to continue.

    The Install Verification window appears, containing a list of components to be installed.

  8. After verifying that the list of components is correct, click Install Now to continue.

    The Installation Summary window appears. Upon successful completion, the status reads "Installed."


    Note -

    To see a list of the added components, click the Details button.


  9. In the Installation Summary window, click Next to continue.

    The Checking System window appears. The installer verifies that all required Solaris software and SunScreen packages are installed.

    • If the required packages are installed, a message appears announcing System check complete.

    • If all required packages have not been installed, exit the installer, install the missing packages, and rerun the installer to complete the SunScreen configuration.

  10. In the Checking System window, if the required packages are installed, click Next to continue.

    The Administration Station Configuration window appears and displays the results of the Administration Station's configuration.

  11. In the Administration Station Configuration window, click Next to continue.

    The Installation and Configuration Complete window appears from which you must exit the installation to install the administration certificate.

  12. In the Installation and Configuration Complete window, click Exit to finish the installation.

    The installer is dismissed.

After installing the required software packages on the Administration Station, you continue the process by creating the Administration Station's SKIP certificate.


Note -

Both the Administration Station and the Screen need certificates before encrypted communication can begin.


Creating the Certificate on the Administration Station

Use the command-line interface to create SKIP UDH self-generated (the default) or SKIP CA-issued certificates on the Administration Station, as described in the following procedures.

To Create the SKIP UDH Self-Generated Certificate on the Administration Station
  1. Open a terminal window and become root, if not already.

  2. Create the required SKIP directories by typing:


    # skiplocal -i
    
  3. Create the SKIP UDH certificate on the Administration Station by typing:


    # skiplocal -k -f -V -m key_size
    

    Note -

    For key_size, you type either 512, 1024, 2048, or 4096 (the latter being the default for this release). Make sure that you use the same key-size when generating the Screen's certificate.


    The local certificate ID appears, which is the Administration Station's 32-character certificate ID (MKID).


    Note -

    For export control regulatory assistance, consult the U.S. Department of Commerce, Bureau of Export Administration: http://www.bxa.doc.gov.


  4. Write down the certificate ID, which begins with `0x'.

    This information is required when "Installing the SunScreen Software on the Screen".

  5. Add SKIP to all the interfaces by typing:


    # skipif -a
    
  6. Reboot the Administration Station to complete the installation by typing:


    # sync; init 6
    

Continue to the section "Installing the SunScreen Software on the Screen".

To load a SKIP CA-Issued Certificate on the Administration Station
  1. Open a terminal window on the Administration Station and become root, if not already.

  2. Load the required SKIP directories by typing:


    # skiplocal -i
    
  3. Insert the SKIP CA-issued Key and Certificate diskette into the Administration Station's diskette drive.

  4. Mount the diskette by typing:


    # volcheck
    
  5. Install the SKIP keys by typing:


    # install_skip_keys -icg /floppy/floppy0
    
  6. Start the SKIP daemon by typing:


    # skipd_restart
    
  7. Eject the SKIP CA-issued Key and Certificate diskette by typing:


    # eject floppy0
    
  8. Write down the eight-character certificate ID.

    This information is required when "Installing the SunScreen Software on the Screen".

  9. Add SKIP to all the interfaces by typing:


    # skipif -a
    
  10. Reboot the Administration Station to complete the installation by typing:


    # sync; init 6
    

Continue to the following section "Installing the SunScreen Software on the Screen".

Installing the SunScreen Software on the Screen


Note -

Before proceeding, make sure the network interface you plan on using for administration is configured. For details on the Solaris network interface configuration, see your Solaris software documentation.


After adding certificates on the Administration Station, you install the SunScreen software on the Screen. This procedure requires the Administration Station's SKIP certificate ID (MKID).

You can use the installer if a monitor and a keyboard are attached to your Screen. If you are operating the Screen without a monitor, you must either temporarily attach a monitor or install the software through the command line (see "Command Line Installation" in the SunScreen 3.2 Installation Guide).

To Install the Software on the Screen
  1. Change to the directory containing the SunScreen 3.2 product.

    # cd /cdrom/cdrom0/Solaris_9/ExtraValue/CoBundled/SunScreen_3.2/sparc

  2. Double-click the install icon to invoke the SunScreen installer, which brings up the Welcome window.


    Note -

    You are prompted to type the root password for your system if the installer is started as a user other than root.


  3. In the Welcome window, click Next to continue.

    The Install Type window appears with Typical selected as the default entry.

  4. Select Custom in the Install Type(s) window and click Next to continue.

    The Functions window appears with both Screen and Administration selected as the default entry.

  5. In the Functions window, accept the default entry and click Next to continue.

    The Component Selection window appears with all components except "SKIP End System" selected as the default entry.


    Note -

    Never add the end-system SKIP packages SUNWes and SUNWesx to the Screen.


  6. In the Component Selection window, accept the default entry and click Next to continue.

    The Checking System window appears and lists any existing SunScreen configurations found by the installer.

  7. In the Checking System window, click Next to continue.

    • If an existing configuration was found, the Old Configurations window appears. Select Remove or Retain, as appropriate, and click Next to continue.

      • If Retain is selected, the Ready To Install window appears, and you can go to Step 10.

      • If Remove is selected, the Secondary HA window appears with No selected as the default entry.

    • If no existing configurations were found, the Secondary HA window appears with No selected as the default entry.

  8. In the Secondary HA window, accept the No default entry and click Next to continue.

    The Screen Type window appears with Routing selected as the default entry.

  9. In the Screen Type window, select the Stealth entry and click Next to continue.

    The Ready To Install window appears and lists the components for you to verify.

  10. After you verify that the components shown in the list are correct, click Install Now to continue.

    The Installation Summary window appears and shows the status of the installation, which upon a successful completion, reads "Installed."


    Note -

    To see a list of the added components, click the Details button.


  11. In the Installation Summary window, click Next to continue.

    The Checking System window appears wherein the installer verifies that all required Solaris software and SunScreen packages are installed.

    • If the required packages are installed, a message appears announcing System check complete.

    • If all required packages have not been installed, exit the installer, install the missing packages, and rerun the installer to complete the SunScreen configuration.

  12. In the Checking System window, click Next to continue.

    The Select Certificate Type window appears with UDH self-generated certificates selected as the default entry. The following section describes how to create the SKIP certificate on the Screen.

Creating the Certificate on the Screen

After installing the required software packages on the Screen, you continue the process by creating the Screen's SKIP certificate, as described in the following sections.


Note -

Both the Administration Station and the Screen need certificates before encrypted communication can begin.


To Create the SKIP UDH Self-Generated Certificate on the Screen
  1. In the Select Certificate Type window, accept the default entry and click Next to continue.

    The Self Generated Certificate ID window appears where you type the Administration Station's certificate ID.

  2. In the Self Generated Certificate ID window, type the Administration Station's certificate ID (do not type the leading '0x') in the text entry field and click Next to continue.

    The Select Administration SKIP Key Length window appears with 4096-bit key length as the default.


    Note -

    The Screen's key length must match the UDH self-generated certificate key length you chose when creating the Administration Station's certificate (see "Creating the Certificate on the Administration Station"). If the Administration Station's key length is less than the 4096-bit default, you must select that length in the Select Administration SKIP Key Length window.


  3. After selecting the appropriate key length, click Next to continue.

    The Generate Screen Certificate window appears and displays the Screen's generated SKIP certificate key ID.

  4. In the Generate Screen Certificate window, click Next to continue.

    The Select Administrative Interface window appears listing the configured interfaces available for administration.

  5. After selecting the appropriate administrative interface, click Next to continue.

    The Name Service window appears with both NIS and DNS name services selected as the default.

  6. After selecting the appropriate name services, click Next to continue.

    The Verify Configuration window appears.

  7. After verifying that the information is correct, click Configure Now to continue.

    The Screen Configuration window appears and instructs you, upon a successful configuration, to consult the /etc/sunscreen/AdminSetup.readme file on the Screen for instructions on completing the Administration Station setup.

  8. In the Screen Configuration window, click Next to continue.

    The Screen Hardening window appears.


    Caution -

    Once you harden your Screen, it becomes a dedicated firewall and cannot be used for another purpose without first reinstalling the Solaris software. Hardening automatically removes files and packages that might otherwise make the Screen vulnerable to an attack.


    Clicking Next completes the installation without hardening your Screen. Optionally, to harden your Screen, click the Harden Screen button.


    Note -

    The hardening process can be done later by running the script: /usr/lib/sunscreen/lib/harden_os.


  9. In the Screen Hardening window, click Next to continue.

    The Installation and Configuration Complete window appears and prompts you to reboot your system.

  10. In the Installation and Configuration Complete window, click Reboot Now to complete the installation.

    The installer is dismissed.


    Note -

    To complete the installation process you must reboot the system at this time. If you do not wish to reboot your system, click Next instead of Reboot System.


You are now ready to complete the installation on the Administration Station as described in "Completing the SKIP Certificates Installation Procedure".

To Load the SKIP CA-Issued Certificate on the Screen
  1. Select SKIP CA-Issued Certificate from the Select Certificate Type window (the default is SKIP UDH Certificate) and click Next to continue.

    The Issued Certificate Key Diskettes window appears.

  2. Insert the Administration Station's Key and Certificate diskette into the diskette drive and click Read Diskette.

    Wait until the SKIP CA-issued certificate ID appears at the bottom of the window.

  3. Write down the Administration Station's eight-character certificate ID and click Next to continue.

    This certificate ID is required to complete the Administration Station installation.

  4. Insert the Screen's Certificate ID diskette into the diskette drive and click Read Diskette.

    The SKIP CA-issued certificate ID for the Screen appears at the bottom of the window.

  5. Write down the Screen's eight-character certificate ID and continue to the Screen Configuration window.

  6. To complete the installation, click System Reboot.

    The installer is dismissed.


    Note -

    To complete the installation process you must reboot the system at this time. If you do not wish to reboot your system, click Next instead of Reboot System.


You are now ready to complete the installation on the Administration Station as described in "Completing the SKIP Certificates Installation Procedure".

Completing the SKIP Certificates Installation Procedure

After installing the SunScreen software and the SKIP certificates on the Screen, the Screen's certificate information must be loaded onto the Administration Station to complete the installation. This information is located on the Screen in the /etc/sunscreen/AdminSetup.readme file.

The following procedure explains how to display this file.

To Display the /etc/sunscreen/AdminSetup.readme File
  1. Display the /etc/sunscreen/AdminSetup.readme file by typing:


    # more /etc/sunscreen/AdminSetup.readme
    

    The AdminSetup.readme file contains the Screen's certificate ID as well as the command run to give the Administration Station the Screen's certificate ID.

    This command adds the Screen to the ACL with the necessary encrypting parameter settings. If it executes successfully, then the configuration is complete, and you can go to "To Configure the Administration Station to Communicate With the Screen Using SKIP".

  2. Write down the command, which begins with skiphost -a, that is required in the next procedure.


    Note -

    You can use ftp to copy the /etc/sunscreen/AdminSetup.readme file onto the Administration Station if you trust that the network between the Screen and the Administration Station is secure. The file contains no secret, but the certificate ID in it is what the Administration Station will use to identify the Screen, so anyone who can alter the file in transit can substitute a certificate ID of their own. If you cannot trust the network, display the file on the Screen's console and write down the information for use in the next section; if you do copy it, compare the certificate ID in the copy with the one displayed on the Screen before running the command.


Instructions for using SKIP from the command line are in the "Using the Command-Line Interface" in SunScreen SKIP User's Guide, Release 1.5.1.
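The following POSIX shell script is an added example; it is not part of the SunScreen guide or product. It performs the check a practitioner would make before running the skiphost -a command taken from AdminSetup.readme: it normalizes the certificate IDs written down at each console (a UDH self-generated ID is 32 hex digits, a CA-issued ID is 8, with or without the 0x prefix the Screen installer tells you to omit) and confirms that every key ID named in the command is one of the two expected IDs and that the Screen's ID is present. The readme it writes is a constructed sample: its wording and the skiphost options in it are assumptions, and the ID values are made up; only the certificate IDs matter to the checks.

```shell
#!/bin/sh
# Added example, not part of the SunScreen 3.2 guide: checks to run on the
# Administration Station before executing the "skiphost -a" command taken
# from the Screen's /etc/sunscreen/AdminSetup.readme. The readme layout and
# the skiphost options in the constructed sample below are assumptions; the
# checks rely only on the certificate IDs (MKIDs) the guide describes:
# 32 hex digits for a UDH self-generated certificate, 8 for a CA-issued one,
# optionally prefixed with 0x.

# normalize_mkid ID: print the ID in lower case without the 0x prefix;
# fail if it is not 8 or 32 hex digits.
normalize_mkid() {
    _id=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$_id" in 0x*) _id=${_id#0x} ;; esac
    case "$_id" in ''|*[!0-9a-f]*) return 1 ;; esac
    case ${#_id} in
        8|32) printf '%s\n' "$_id" ;;
        *) return 1 ;;
    esac
}

# mkid_type ID: print "udh" or "ca" according to the ID length.
mkid_type() {
    _n=$(normalize_mkid "$1") || return 1
    if [ ${#_n} -eq 32 ]; then echo udh; else echo ca; fi
}

# readme_skiphost_cmd FILE: print the first "skiphost -a" line in the readme.
readme_skiphost_cmd() {
    grep '^skiphost -a' "$1" | head -n 1
}

# check_readme FILE ADMIN_ID SCREEN_ID: ADMIN_ID is the ID written down when
# the Administration Station's certificate was created, SCREEN_ID the one the
# installer displayed on the Screen. Every key ID in the readme's skiphost
# command must be one of the two and the Screen's must be present; otherwise
# the file was altered in transit or mis-transcribed and the command must not
# be run. On success the command is printed for the operator to run as root.
check_readme() {
    _admin=$(normalize_mkid "$2") || { echo "bad Administration Station ID: $2" >&2; return 1; }
    _screen=$(normalize_mkid "$3") || { echo "bad Screen ID: $3" >&2; return 1; }
    if [ "$_admin" = "$_screen" ]; then
        echo "Administration Station and Screen IDs are identical" >&2; return 1
    fi
    _cmd=$(readme_skiphost_cmd "$1")
    if [ -z "$_cmd" ]; then echo "no skiphost -a command in $1" >&2; return 1; fi
    _seen=0
    for _tok in $_cmd; do
        _t=$(normalize_mkid "$_tok" 2>/dev/null) || continue   # skip tokens that are not key IDs
        if [ "$_t" = "$_screen" ]; then
            _seen=1
        elif [ "$_t" != "$_admin" ]; then
            echo "unexpected key ID in readme: $_tok" >&2; return 1
        fi
    done
    if [ $_seen -eq 0 ]; then
        echo "readme command does not name the Screen's ID $_screen" >&2; return 1
    fi
    printf '%s\n' "$_cmd"
}

# write_sample_readme FILE: constructed stand-in for AdminSetup.readme
# (wording and skiphost options assumed; only the IDs matter to the checks).
write_sample_readme() {
    cat > "$1" <<'EOF'
Constructed sample of /etc/sunscreen/AdminSetup.readme (not the real file)
Screen certificate ID (MKID): 0x9F1E3C5A7B2D4F60C8E1A3B5D7F90E24
Run the following command as root on the Administration Station:
skiphost -a screen1 -R 8 -r 9f1e3c5a7b2d4f60c8e1a3b5d7f90e24 -S 8 -s 2a7c4e91b0d35f6817c2a94e0b3d5f61 -k DES-CBC -t DES-CBC -m MD5
EOF
}

# Made-up IDs standing in for the values written down at the two consoles.
ADMIN_MKID=0x2a7c4e91b0d35f6817c2a94e0b3d5f61    # from "Creating the Certificate on the Administration Station"
SCREEN_MKID=0x9f1e3c5a7b2d4f60c8e1a3b5d7f90e24   # from the Generate Screen Certificate window
SAMPLE_README=${TMPDIR:-/tmp}/AdminSetup.readme.sample
write_sample_readme "$SAMPLE_README"
if check_readme "$SAMPLE_README" "$ADMIN_MKID" "$SCREEN_MKID" >/dev/null; then
    echo "readme OK: run the printed skiphost command as root, then verify the entry in skiptool"
fi
```

On a real Administration Station, call check_readme with the path of the copied file and the two IDs you wrote down; only if it prints the command should you run that command as root, and then confirm the entry in skiptool as described in the next procedure.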

To Configure the Administration Station to Communicate With the Screen Using SKIP

The following steps describe how to set up SKIP encryption software on the Administration Station.

If the AdminSetup.readme file was not copied to the Administration Station using ftp, or if the skiphost -a command taken from it fails, carry out the following steps using the information you wrote down from that file.

  1. Open a terminal window and become root, if not already.

  2. Launch the skiptool GUI by typing:


    # skiptool &
    

    Note -

    To set SKIP parameters on a network interface other than the default interface, type: skiptool -i name_of_interface (such as qe3).


    The main window of the skiptool GUI appears.

  3. Next, add a default access control list (ACL) entry that lets the Administration Station communicate unencrypted with all hosts not covered by a more specific entry.

    1. Click the Add button and, under Host, choose the Off security option.

      The Add Host properties window appears.

    2. In the Add Host Properties window, type default as the Hostname, as shown in the following figure, and click Apply.

      Figure 4-1 skiptool With Add Host Properties Window Completed

      Graphic

  4. Next, add an ACL entry for the Screen.

    1. Click the Add button and, under Host, choose the SKIP security option.

      The Add SKIP Host Properties window appears, as shown in the following figure.

      Figure 4-2 Add SKIP Host Properties Window

      Graphic

    2. Use the information contained in the Screen's AdminSetup.readme file to complete the following fields:

      • Type the name of the Screen in the Hostname field.

      • Select Whole Packet in the Secure field.

      • Make the appropriate selection in the Remote Key ID field.

        For UDH self-generated certificates on the Administration Station, select MD5 (DH Public Value). For CA-issued certificates, select IPv4.

      • Type the Screen's MKID in the ID: field.

        The correct Remote Key ID is found in the AdminSetup.readme file.

      • Make the appropriate selection in the Local Key ID field.

        For UDH self-generated certificates on the Administration Station, select MD5 (DH Public Value). For CA-issued certificates, select IPv4.

      • Select the Administration Station's MKID in the ID: field.

      • Select the appropriate Key encryption, Traffic encryption, and Authentication algorithms for this connection.

        These algorithms must match those specified for the Screen in the AdminSetup.readme file.

  5. Click Apply to load your entry into the list.

  6. Select enabled from the pull-down menu for "Access control is," which is located at the top of the skiptool window.


    Note -

    When you select enabled, a window appears when you save the configuration, listing the systems that were acquired as part of the default configuration. To keep these acquired systems out of the Authorized Systems window, click Cancel.


  7. In the skiptool window, select Save from the File menu.


    Note -

    After configuring SKIP, check that the encryption parameters and the certificate ID (MKID) values match on both sides: the entry in skiptool on the Administration Station and the values in /etc/sunscreen/AdminSetup.readme on the Screen.


Managing Your Firewall

To manage your Screen, use the administration GUI on the remote Administration Station.


Note -

There is a predefined rule to allow encrypted administration traffic between the Screen and the Administration Station. Thus, no other communication (like ping or telnet) is allowed between the two systems until you specifically define a rule to allow such a service. See the SunScreen 3.2 Administration Guide for instructions on defining rules.


To Launch the Administration GUI
  1. To configure and manage your Screen, open a Java-enabled Web browser and launch the administration GUI by typing the following URL:


    http://Name_of_Screen:3852/
    

    The administration GUI appears. The URL uses plain http; the login and all administration traffic that follows are protected only by the SKIP ACL entry for the Screen that you created on the Administration Station, so make sure access control is enabled in skiptool before you log in.


    Note -

    When trying to launch the administration GUI, if you encounter the error: The requested item could not be loaded by the proxy, you must disable proxy usage by specifying localhost in the Don't Proxy list, and then try to launch the GUI again.


  2. To login, type the following default user name and password, then click Login:


    User Name: admin
    Password: admin
    

Note -

Change the default user name and password immediately after your first login. The defaults are printed in this guide and are the same on every newly installed Screen.


See the SunScreen 3.2 Administration Guide for further instructions on using the administration GUI to configure and manage your Screen.