SunScreen 3.2 Installation Guide

Chapter 5 Installing With Remote Administration Using IKE

This chapter describes how to install the SunScreen software in routing and stealth mode with remote administration using IKE encryption technology. The configuration steps are almost identical whether you are installing your Screen in routing mode or in stealth mode.

For Trusted Solaris 8, there is no built-in facility for generating IKE certificates on a remote Administration Station like there is when using SKIP encryption. Instead, you employ a second Screen (known as an administrative Screen) for remote administration. Solaris 9 has native IKE support and only requires the administration software.

This installation example uses self-generated certificates, but it is also possible to use CA-signed certificates. In fact, when using a Windows 2000 system as a remote Administration Station, you must use CA-signed certificates.

For an example of an installation using IKE encryption technology with Windows 2000, see the SunScreen 3.2 Configuration Examples document.

Topics in this chapter include:

  Supported Administration Station Configurations

  Routing and Stealth Mode Installation Summary

  Installing the Screen and Administration Station

  Setting Up a Remote Administration Station Using IKE

  Managing Your Firewall

Before installing, review the SunScreen 3.2 Release Notes for the latest product information.


Note -

Be sure to make a map of your network before you begin this installation. See "Determining Your Security Policy" appendix, which includes worksheets and instructions to aid you in determining your network configuration and your desired security level.


Supported Administration Station Configurations

For IKE administrative traffic, systems using Solaris 9 and Trusted Solaris 8 (with Screen software installed), or Windows 2000 with IKE (using CA signed certificates) are supported platforms for an Administration Station.

Routing and Stealth Mode Installation Summary

Although you can use the installer to guide you through the installation, this chapter covers installing the SunScreen software through the command-line interface on systems using IKE with self-generated certificates for encryption.

For Trusted Solaris 8, there is no built-in facility for generating IKE certificates on a remote Administration Station like there is when using SKIP encryption. Instead, you employ a second Screen (known as an administrative Screen) for remote administration. Solaris 9 has native IKE support so you only need to install the Administration packages.

Perform the installation in the following order:

  1. On the Administration Station:

    1. Install the administration software. In the Solaris 9 case, you only install the administration package. In the Trusted Solaris 8 case, you install both the administration and Screen packages.

    2. Create the Administration Station's IKE certificate. Export it to a file, then transfer the file to the firewall Screen system.

  2. On the firewall Screen

    1. Install the Screen and the administration software.

      This step requires the Administration Station's certificate ID.

    2. Create the Screen's IKE certificate. Export it to a file, then transfer the file to the Administration Station.

    3. Import the Administration Station's IKE certificate.

    4. Mark the certificate as trusted.

    5. Create an address object for the Administration Station.

    6. Create an Admin Access rule allowing communication between the Administration Station and the Screen.

    7. Edit the Screen object to specify the Administration Station's IP address.

  3. On the Administration Station

    1. Import the Screen's certificate.

    2. Mark the certificate as trusted.

    3. Set up encrypted communication between the Administration Station and the Screen. In the Solaris 9 case, this means editing the IKE configuration files. In the Trusted Solaris 8 case, you must create certificate and address objects, then use these objects to create a packet filtering rule allowing communication between the two systems.

The following sections describe the installation procedures for installing the SunScreen software and how to establish encrypted communication using IKE certificate technology.

Installing the Screen and Administration Station


Note -

Before proceeding, make sure that all network interfaces you plan on using are configured. Configured interfaces are those displayed with # ifconfig -a. For details on the Solaris network interface configuration, see your Solaris software documentation.


This procedure describes installing the required SunScreen 3.2 Screen and administration packages using pkgadd to install the software. Use this procedure to install the Screen and administration packages on the firewall Screen as well as on the Administration Station. You can also use this procedure on the firewall Screen itself for a local installation.

To Install the Software

Use this procedure on both systems.

  1. Open a terminal window on one of the systems and become root, if not already.

  2. Change to the directory containing the SunScreen 3.2 product.

    # cd /cdrom/cdrom0/Solaris_9/ExtraValue/CoBundled/SunScreen_3.2/sparc

  3. Add the software by typing:


    # pkgadd -d .

    A list of available packages appears. Choose the following packages: 1-6 and 10-27

  4. Complete the installation then type q to quit pkgadd.

  5. Complete the installation by activating your policy configuration.

    Type: ssadm configure

    Answer the questions that appear.

  6. Reboot by typing:


    # sync; init 6

After installing the appropriate software on both the Screen and Administration Station, you create the IKE self-generated certificates on the systems and set up encrypted communications, as described in the following procedure.


Note -

The Administration Station and the firewall Screen need both their own certificates and each other's certificates installed before encrypted communication can begin.


Setting Up a Remote Administration Station Using IKE

The following procedure describes using the command-line interface to create the IKE self-generated certificates on the Administration Station and firewall Screen. In the case of Trusted Solaris 8, the Administration Station is also a Screen.

Create an IKE Certificate on the Administration Station

The first step in this process is to create an IKE certificate on the remote Administration Station and to export it to a file.

To Create the Certificate on a Trusted Solaris 8 Administrative Screen
  1. Open a terminal window and become root, if not already.

  2. Create the IKE self-generated certificate.


    # ssadm certlocal -Iks -m 512 -t rsa-md5 -D "C=US, O=YOUR_ORG, CN=admin_name"

  3. Export the Administration Station's certificate to a file.


    # ssadm certdb -I -e "C=US, O=YOUR_ORG, CN=admin_name" > /tmp/admin_cert

  4. Set up the Screen.

To Create the Certificate on a Solaris 9 Administration Station
  1. Open a terminal window and become root, if not already.

  2. Create the IKE self-generated certificate.


    # ikecert certlocal -ks -m 512 -t rsa-md5 -D "C=US, O=YOUR_ORG, CN=admin_name"

  3. Export the Administration Station's certificate to a file.


    # ikecert certdb -e "C=US, O=YOUR_ORG, CN=admin_name" > /tmp/admin_cert

  4. Set up the Screen.

Setting Up the Screen

This section describes how you set up a Screen to use IKE to communicate with a remote Administration Station. Most of the instructions are given as command-line examples, while others use the administration GUI. In each case, the easiest method of performing the required task was chosen.

If you need further instructions on how to perform a specific task, try looking at the SunScreen Administration Guide and also the SunScreen Configuration Examples for detailed instructions.

To Set Up IKE on the Firewall Screen

After adding certificates on the administrative Screen or Administration Station, you create the IKE certificate on the firewall Screen.

  1. Create the IKE self-generated certificate.


    # ssadm certlocal -Iks -m 512 -t rsa-md5 -D "C=US, O=YOUR_ORG, CN=screen_name"

  2. Export the firewall Screen's IKE certificate to a file by typing:


    # ssadm certdb -I -e "C=US, O=YOUR_ORG, CN=screen_name" > /tmp/screen_cert

  3. Import the administrative Screen's certificate by typing:


    # ssadm certdb -I -a < /tmp/admin_cert
    
  4. Create certificate objects for the certificates, using the same distinguished names you gave to certlocal.


    # ssadm edit PolicyName
    edit> add certificate admin_cert SINGLE IKE "C=US, O=YOUR_ORG, CN=admin_name"
    edit> add certificate screen_cert SINGLE IKE "C=US, O=YOUR_ORG, CN=screen_name"

  5. Mark the imported certificate as trusted.


    Using ssadm edit:
    edit> add member certificate "IKE manually verified certificates" "admin_cert"

  6. Start the Administration GUI.

    From this point on, it is easier to use the administration GUI to do the remaining steps.


    http://localhost:3852

    After you log in, edit the appropriate policy then continue with the following steps.

  7. Add the Administration Station's IP address as an address object.

  8. Add the Administration Station as a screen object and allow routing traffic and naming service.

  9. Edit the firewall Screen's screen object: select the primary/secondary tab, enter the Administration Station's IP address as the administrative IP address, and add the firewall Screen's certificate in the IKE administrative certificate field.

  10. Stealth Mode Only - Return to the miscellaneous tab and make sure routing traffic and name service are No or None (certificate discovery is on).

  11. From a command line, mark the administrative certificate as trusted by typing:


    # ssadm edit PolicyName
    then, using ssadm edit:
    edit> add member certificate "IKE manually verified certificates" "admin_cert"

  12. From the GUI, add a remote access rule by selecting the administrative access tab and, under the Access rules for remote administration table, clicking the add new rule button.


    screen: screen name
    address object: remote admin address
    user: admin
    access level: all
    encryption: IPSEC IKE

  13. Select the one algorithm set that matches the packet filtering rule on the firewall Screen, and set the source certificate to screen_cert.

  14. Click the Options tab and set source screen: screen name.

    When done, you have a remote access rule like the following:


    1 SCREEN "screen_name" USER "admin" "admin_addr" IPSEC ESP("DES-CBC", "MD5") AH("SHA1") IKE("DES-CBC", "MD5", 1, RSA-SIGNATURES, "screen_cert") PERMISSION ALL

  15. Activate the policies.

  16. Finish the Administration Station.

Finish the Administration Station

Finishing a Trusted Solaris 8 Administration Station
  1. Import the firewall Screen's certificate.


    # ssadm certdb -I -a < /tmp/screen_cert
    
  2. Create certificate objects for the certificates.


    # ssadm edit PolicyName
    edit> add certificate admin_cert SINGLE IKE "SUBJECT=C=US, O=YOUR_ORG, CN=admin_name"
    edit> add certificate screen_cert SINGLE IKE "SUBJECT=C=US, O=YOUR_ORG, CN=screen_name"

  3. Mark the imported certificate as trusted.


    Using ssadm edit:
    edit> add member certificate "IKE manually verified certificates" "screen_cert"


    Note -

    The Group name "IKE manually verified certificates" is reserved for a trusted Certificate Group.


  4. Create an address object for the Screen.


    Using ssadm edit:
    edit> add address nameofscreen ipaddressofscreen


  5. Add a packet filter rule like the following:


    1 "remote administration" "admin_address" "screen_address" IPSEC ESP("DES-CBC", "MD5") AH("SHA1") IKE("DES-CBC", "MD5", 1, RSA-SIGNATURES, "admin_cert", "screen_cert") ALLOW


    See "Packet Filtering Rules" in the SunScreen 3.2 Administration Guide.

  6. Activate the policies.

Finishing a Solaris 9 Administration Station
  1. Import the firewall Screen's certificate.


    # ikecert certdb -a < /tmp/screen_cert

  2. Set Up the IKE rules.

    You have to edit the IKE configuration files to set up encrypted communication between the Administration Station and the Screen. For information on editing these files, see the Solaris 9 IKE documentation.

    1. Edit the /etc/inet/ipsecinit.remote file.

      The following file provides an example of how you would set up communication between an Administration Station with an IP address of 172.16.2.3 and a Screen's administrative interface with an address of 172.16.2.1. The two bypass lines keep the IKE negotiation itself (UDP port 500) outside the policy so that it can run before any security association exists.


      {sport 500} bypass {dir out}
      {dport 500} bypass {dir in}
      {saddr 172.16.2.3 daddr 172.16.2.1} apply {encr_algs des encr_auth_algs sha1 sa shared}
      {saddr 172.16.2.1 daddr 172.16.2.3} permit {encr_algs des encr_auth_algs sha1 sa shared}

    2. Edit the /etc/inet/ike/config.remote file (the file loaded by in.iked in the next step).

      This file contains the instruction that marks the Screen's certificate as trusted (cert_trust) as well as the IKE phase 1 parameters. The cert_trust distinguished name must be the same DN as the remote_id in the rule, otherwise the peer's self-signed certificate is not accepted.


      # Example remote admin config file
      # IKE manually verified self-signed certs: the DN must match remote_id below
      cert_trust "SUBJECT=CN=ScreenCert-rsa-sha1-4096, O=Sun, C=US"
      # Outgoing IKE rule for remote admin
      {label "outgoing"
      local_id_type DN
      local_id "SUBJECT=CN=RemoteAdminCert-rsa-sha1-4096, O=Sun, C=US"
      remote_id "SUBJECT=CN=ScreenCert-rsa-sha1-4096, O=Sun, C=US"
      local_addr 172.16.2.3
      remote_addr 172.16.2.1
      p1_xform {auth_method rsa_sig oakley_group 1 auth_alg sha1 encr_alg des }
      }

  3. Reload IKE and its associated components.

    Issue commands similar to the following:

    # pkill iked
    # ipsecconf -f
    # ipseckey flush
    # ipsecconf -a /etc/inet/ipsecinit.remote
    # /usr/lib/inet/in.iked -f /etc/inet/ike/config.remote
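The ike config and ipsecinit files must agree with each other before in.iked can complete the exchange. The following checker is an added example, not part of the SunScreen guide or of Solaris: it parses constructed copies of the two fragments (with the guide's addresses) and reports a cert_trust DN that does not match remote_id, a missing UDP 500 bypass, or policy rules whose addresses do not match local_addr and remote_addr. The constructed config deliberately carries a mismatched cert_trust DN so the check fires.

```python
"""Cross-check a Solaris 9 ike/config rule against its ipsecinit policy (added example)."""
import re

# Constructed sample: cert_trust DN deliberately differs from remote_id.
IKE_CONFIG = '''
cert_trust "SUBJECT=CN=DNofScreensCert-rsa-sha1-4096, O=Sun, C=US"
{label "outgoing"
local_id_type DN
local_id "SUBJECT=CN=RemoteAdminCert-rsa-sha1-4096, O=Sun, C=US"
remote_id "SUBJECT=CN=ScreenCert-rsa-sha1-4096, O=Sun, C=US"
local_addr 172.16.2.3
remote_addr 172.16.2.1
p1_xform {auth_method rsa_sig oakley_group 1 auth_alg sha1 encr_alg des }
}
'''
# Constructed sample policy in the ipsecinit.remote syntax.
IPSECINIT = '''
{sport 500} bypass {dir out}
{dport 500}   bypass {dir in}
{saddr 172.16.2.3 daddr 172.16.2.1} apply {encr_algs des encr_auth_algs sha1 sa shared}
{saddr 172.16.2.1 daddr 172.16.2.3} permit {encr_algs des encr_auth_algs sha1 sa shared}
'''

def parse_ike(text):
    """Return (set of cert_trust DNs, dict of the rule's id/addr keywords)."""
    trusted = set(re.findall(r'cert_trust\s+"([^"]+)"', text))
    rule = {}
    for key in ("local_id", "remote_id"):          # quoted DN values
        m = re.search(rf'\b{key}\s+"([^"]+)"', text)
        rule[key] = m.group(1) if m else None
    for key in ("local_addr", "remote_addr"):      # bare addresses
        m = re.search(rf'\b{key}\s+(\S+)', text)
        rule[key] = m.group(1) if m else None
    return trusted, rule

def check_remote_admin(ike_text, ipsec_text):
    """Return a list of problems; an empty list means the files agree."""
    trusted, rule = parse_ike(ike_text)
    policy = " ".join(ipsec_text.split())         # collapse whitespace for matching
    problems = []
    if rule["remote_id"] not in trusted:
        problems.append("remote_id DN is not listed in any cert_trust line")
    # IKE itself (UDP 500) must bypass the policy in both directions.
    for bypass in ("{sport 500} bypass {dir out}", "{dport 500} bypass {dir in}"):
        if bypass not in policy:
            problems.append("missing " + bypass)
    # apply: station -> Screen; permit: Screen -> station, using the rule's addresses.
    want_out = f'{{saddr {rule["local_addr"]} daddr {rule["remote_addr"]}}} apply'
    want_in = f'{{saddr {rule["remote_addr"]} daddr {rule["local_addr"]}}} permit'
    for want in (want_out, want_in):
        if want not in policy:
            problems.append("ipsecinit lacks rule " + want)
    return problems
```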

The remote Administration Station is now ready to communicate with the Screen.

Managing Your Firewall

To manage your firewall Screen, use the administration GUI on the remote administrative Screen.


Note -

Only a predefined rule allowing encrypted administration traffic between the firewall Screen and the administrative Screen exists. No other communication (such as ping or telnet) is allowed between the two systems until you specifically define a rule to allow that service. See "Administrative Access Rules" in the SunScreen 3.2 Administration Guide.


To Launch the Administration GUI
  1. To configure and manage your firewall Screen, open a Java-enabled Web browser and launch the administration GUI by typing the following URL:


    http://Name_of_Screen:3852/
    

    The administration GUI appears.


    Note -

    When trying to launch the administration GUI, if you encounter the error "The requested item could not be loaded by the proxy", you must disable proxy usage by specifying localhost in the Don't Proxy list, and then try to launch the GUI again.


  2. To log in, type the following default user name and password, then click Login:


    User Name: admin
    Password: admin
    

Note -

Be sure to change your default User Name and Password to something more secure.


See "Using the Administration GUI" in the SunScreen 3.2 Administration Guide for further instructions on configuring and managing your firewall Screen.