SunScreen 3.2 Administration Guide

Administrative Access Rules

You use administrative access rules to control which administrators can log in to a Screen and with what level of access, and, for remote administration, from which addresses and with what encryption.

On the Administrative Access page you can add new users that you have created, re-add users for whom new passwords have been defined, or change SecurID assigned names. You can also add an access rule for users and change the encryption parameters.

You must activate a new policy for any changes to take effect.

The fields of the Administrative access rules tab are described in the SunScreen 3.2 Administrator's Overview.

The following information describes using the administration GUI. Chapter 10, Using the Command Line Interface contains information about the command line interface.

To Add or Change an Administrative Access Rule for Local Administration
  1. Execute the steps in "To Modify Rules".

  2. Click the Administrative Access tab to display the Administrative Access area.

  3. Click the Add New Rule button (or, to change an existing rule, select it and click the Edit button) below the Access Rules for GUI Local Administration area.

    The Local Access Rules dialog box appears.


    The following table describes the controls for the Local Access Rules dialog box.

    Table 3-3 Controls for the Local Access Rules Dialog Box

    Control              Description

    Rule Index
      Assigns a number to a rule. By default, this field displays a number one greater than the last rule, so the new rule is placed at the bottom of the list. If you type a lower number, the new rule is inserted at that position in the list and the rules that follow it are renumbered.

    Description
      (Optional) Provides a brief description of the Administrative Access rule.

    Screen
      (Optional) Specifies the Screen to which the rule applies. Type a specific Screen name in this field if you use centralized management and want the rule to apply to one Screen only. The default, All, applies the rule to all Screens.

    User
      Lists the user names of SunScreen administrators. Use the names that you defined in the Administrative User object.

    Access Level
      Specifies what actions the designated user can perform:

      1. ALL - The administrator can display and modify all settings for the Screen, including the Administrative Access rules.

      2. WRITE - The administrator can perform all operations except modifying the Administrative Access rules of any Policy.

      3. READ - The administrator can view both the Information and the Policy, and can save and clear logs on the Information page, but cannot modify any Policy data.

      4. STATUS - The administrator can display status information (logs, statistics, status) but cannot display or modify management settings.

      5. NONE - The administrator has no access. Use this level to lock out an administrator who previously had access without removing that administrator from the database.

To Add or Change an Administrative Access Rule for Remote Administration

If you are adding an additional remote Administration Station, you must add a rule for it.


Note -

If you change the encryption parameters, make a note of them; they have to match the encryption parameters on the remote Administration Station.


  1. Execute the steps in "To Modify Rules".

  2. Click the Administrative Access tab in the Policy Rules area.

  3. Click the Add New Rule button in the Access Rules for Remote Administration area.

    The Remote Access Rules dialog box appears.


    The following table describes the controls for the Remote Access Rules dialog box.

    Table 3-4 Controls for the Remote Access Rules Dialog Box

    Control              Description

    Rule Index
      (Optional) Assigns a number to a rule. By default, this field displays a number one greater than the last rule, so the new rule is placed at the bottom of the list. If you type a lower number, the new rule is inserted at that position in the list and the rules that follow it are renumbered.

    Description
      (Optional) Provides a brief description of the remote administrative access rule.

    Screen
      (Optional) Specifies the Screen to which the rule applies. Type a specific Screen name in this field if you use centralized management and want the rule to apply to one Screen only. The default, All, applies the rule to all Screens.

    Address Object
      Restricts the address(es) from which the user may initiate an administration connection.

    User
      Lists the user names of SunScreen administrators. Use the names that you defined in the Administrative User object.

    Access Level
      Specifies what actions the designated user can perform:

      1. ALL - The administrator can display and modify all settings for the Screen, including the Administrative Access rules.

      2. WRITE - The administrator can perform all operations except modifying the Administrative Access rules of any Policy.

      3. READ - The administrator can view both the Information and the Policy, and can save and clear logs on the Information page, but cannot modify any Policy data.

      4. STATUS - The administrator can display status information (logs, statistics, status) but cannot display or modify management settings.

      5. NONE - The administrator does not have access.

    Encryption
      Specifies the type and version of encryption (SKIP or IPsec/IKE) used to protect traffic between the Screen and the Administration Station.

    Certificate Group
      (SKIP only) Specifies the name of the certificate group, which can correspond to a single certificate or to a group of certificates, allowed over this interface.

    Key Algorithm
      (SKIP only) Identifies the algorithm used to encrypt the traffic-encrypting keys. The algorithms available depend on the encryption strength (128-bit or 56-bit) you are using with SunScreen.

    Data Algorithm
      (SKIP only) Identifies the algorithm used to encrypt message traffic between the Screen and the Administration Station. The algorithms available depend on the encryption strength (128-bit or 56-bit) you are using with SunScreen.

    MAC Algorithm
      (SKIP only) Identifies the algorithm used to authenticate traffic.

    Tunnel
      Identifies the tunnel address used for communication between the remote Administration Station and the Screen.

    Move button
      Assigns a new rule index number to the rule highlighted in the Access Rules for Remote Administration panel of the Administrative Access tab.

    Delete button
      Deletes the access rule highlighted in the Access Rules for Remote Administration panel of the Administrative Access tab.

    Help button
      Displays the online help.

  4. Select the user or group of administration users to which this access rule applies.

  5. To associate this entry with a specific Screen, choose a Screen from the Screen list.


    Note -

    If you are using the CMG (centralized management group) feature, and this field is left blank or contains an asterisk ("*"), the access rule being defined will, by default, allow access to all Screens in the cluster.


  6. Select the address you want to use from the Address Object list.

  7. Select the type of encryption you want to use from the Encryption list.

    To use IPsec/IKE, see "To Specify a SKIP/IPsec/IKE Action on a Remote Access Rule".

    To use SKIP (Simple Key-Management for Internet Protocol), follow these substeps:

    1. Select the version of SKIP you want to use from the Encryption list.

      Use SKIP_VERSION_1 for communicating with an SPF-100. For later versions, choose SKIP_VERSION_2.

      The required fields for SKIP_VERSION_1 are:

      • Certificate Group

      • Key Algorithm

      • Data Algorithm

      The required fields for SKIP_VERSION_2 are:

      • MAC Algorithm

      • Certificate Group

      • Key Algorithm

      • Data Algorithm

    2. Select the certificate group that you want to use from the Certificate Group list.

      In the Screen's Administration Certificate field, specify the certificate or certificate group to use (here, the certificate or certificate group that includes the remote Administration Station's certificate) together with the administration IP address.

    3. Select the key algorithm that you want to use from the Key Algorithm list.

    4. Select the data algorithm you want to use from the Data Algorithm list.

    5. (For SKIP_VERSION_2 only) Select the MAC algorithm that you want to use from the list of MAC algorithms.

    6. (Optional) Select the tunnel address of the remote Administration Station from the Tunnel list.

  8. Type a description in the Description field.

  9. Select the level of access you wish to authorize for this user from the Access Level list.

    There are five access levels for remote administrators:

      ALL -- The administrator can display and modify all settings for the Screen.

      WRITE -- The administrator can perform all operations except modifying the Administrative Access rules for any Policy.

      READ -- The administrator can view both the Information and the Policy, and can save and clear logs on the Information page, but cannot modify any Policy data.

      STATUS -- The administrator can display status information (logs, statistics, status) but cannot display or modify management settings.

      NONE (Default) -- The administrator does not have access.


  10. Click the OK button.

  11. Repeat the previous steps until you have added all the access rules for remote administration.

  12. Click the Save Changes button.

  13. Add the Screen's certificate MKID in the SKIP database of the remote Administration Station, and configure it to use SKIP to communicate with the Screen.
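To make the rule semantics of Tables 3-3 and 3-4 concrete, here is an added Python model of remote administrative access rules. It is example code written for this page, not SunScreen code or a SunScreen interface: the Address object contents, the user names, the exact set of operations each access level covers (read off the Access Level descriptions above) and the evaluation order (rules checked in Rule Index order, first match wins, no match means NONE) are all assumptions of the example, since the guide does not state them.

```python
"""Model of SunScreen remote administrative access rules.

Added example, not SunScreen code. Assumptions (the guide does not state
them): rules are evaluated in Rule Index order, the first rule whose
Screen, Address Object and User all match decides the access level, and a
user matched by no rule gets NONE.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set

# Operations permitted at each access level, read off the Access Level
# descriptions in Tables 3-3 and 3-4. Each level includes the one below it.
LEVEL_OPS: Dict[str, Set[str]] = {}
LEVEL_OPS["NONE"] = set()
LEVEL_OPS["STATUS"] = {"view_status", "view_statistics", "view_logs"}
LEVEL_OPS["READ"] = LEVEL_OPS["STATUS"] | {"view_policy", "save_logs", "clear_logs"}
LEVEL_OPS["WRITE"] = LEVEL_OPS["READ"] | {"modify_policy"}
LEVEL_OPS["ALL"] = LEVEL_OPS["WRITE"] | {"modify_admin_access"}

# Constructed Address objects (name -> networks); not taken from the guide.
ADDRESS_OBJECTS = {
    "admin-station": [ip_network("192.0.2.10/32")],
    "noc-net": [ip_network("198.51.100.0/24")],
}


@dataclass
class RemoteAccessRule:
    index: int              # Rule Index as typed into the dialog box
    user: str               # Administrative User name
    access_level: str       # ALL, WRITE, READ, STATUS or NONE
    address_object: str     # Address object the connection must come from
    screen: str = "*"       # "*" or "" applies to all Screens (see the CMG note)
    description: str = ""


def insert_rule(rules: List[RemoteAccessRule], new: RemoteAccessRule) -> List[RemoteAccessRule]:
    """Insert `new` at its requested Rule Index and renumber, as the dialog box does.

    An index beyond the end appends; a lower index inserts at that position
    and shifts the rules after it down by one.
    """
    position = min(max(new.index, 1), len(rules) + 1)
    rules = rules[:position - 1] + [new] + rules[position - 1:]
    for i, rule in enumerate(rules, start=1):
        rule.index = i
    return rules


def rule_matches(rule: RemoteAccessRule, user: str, src_ip: str, screen: str) -> bool:
    """True if the rule applies to this user, source address and Screen."""
    if rule.user != user:
        return False
    if rule.screen not in ("", "*") and rule.screen != screen:
        return False
    addr = ip_address(src_ip)
    return any(addr in net for net in ADDRESS_OBJECTS[rule.address_object])


def access_level_for(rules: List[RemoteAccessRule], user: str, src_ip: str, screen: str) -> str:
    """Access level granted by the first matching rule, or NONE (assumed default)."""
    for rule in sorted(rules, key=lambda r: r.index):
        if rule_matches(rule, user, src_ip, screen):
            return rule.access_level
    return "NONE"


def is_permitted(level: str, operation: str) -> bool:
    """Whether an administrator holding `level` may perform `operation`."""
    return operation in LEVEL_OPS.get(level, set())


def build_sample_rules() -> List[RemoteAccessRule]:
    """Constructed rule set showing Rule Index insertion and renumbering."""
    rules: List[RemoteAccessRule] = []
    rules = insert_rule(rules, RemoteAccessRule(1, "bob", "READ", "noc-net", description="NOC read-only"))
    rules = insert_rule(rules, RemoteAccessRule(2, "carol", "STATUS", "noc-net"))
    # Requested index 1: goes to the top; bob and carol are renumbered 2 and 3.
    rules = insert_rule(rules, RemoteAccessRule(1, "alice", "ALL", "admin-station", screen="fw-1"))
    return rules


if __name__ == "__main__":
    rules = build_sample_rules()
    for r in rules:
        print(r.index, r.user, r.access_level, r.address_object, r.screen or "*")
    level = access_level_for(rules, "alice", "192.0.2.10", "fw-1")
    print("alice from 192.0.2.10 on fw-1:", level,
          "may modify admin access:", is_permitted(level, "modify_admin_access"))
    print("bob from 192.0.2.10 on fw-1:", access_level_for(rules, "bob", "192.0.2.10", "fw-1"))
```

Two things the model makes visible that the dialog box does not: a rule bound to one Screen silently grants nothing on the other Screens of a centralized management group, and a WRITE administrator can change every part of a Policy except the access rules themselves, so only ALL administrators can widen their own or anyone else's access.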

To Specify a SKIP/IPsec/IKE Action on a Remote Access Rule
  1. Execute the steps in "To Modify Rules".

  2. Click the Administrative Access tab in the Policy Rules area.

    The Administrative Access panel appears.

  3. Click Add New Rule under the Access Rules for Remote Administration area.

    The Remote Access Rules panel appears.

  4. Select IPSEC IKE from the Encryption pulldown.

    The Remote Access Rules panel for IPsec/IKE appears.

  5. (Optional) Type a brief description for this rule.

  6. Select the user or group of administration users to which this access rule applies.

  7. To associate this entry with a specific Screen, choose a Screen from the Screen list.


    Note -

    If you are using the CMG (centralized management group) feature, and this field is left blank or contains an asterisk ("*"), the access rule being defined will, by default, allow access to all Screens in the cluster.


  8. Select the address you want to use from the Address Object list.

  9. Select the level of access you wish to authorize for this user from the Access Level list.

    There are five access levels for remote administrators:

      ALL. Master administrators, who have the access level ALL, grant the various access levels to the other administrators.

      WRITE. Executive administrators, who have the access level WRITE, can define and change policies.

      READ. Local administrators, who have the access level READ, are responsible for reviewing their individual Screen's policy. They can read policies but cannot change them; to change a policy they must request the change from an executive or master administrator.

      STATUS. Status administrators, who have the access level STATUS, can monitor Screens but cannot view the policies.

      NONE. The default. It grants no access, so it is not a useful choice for a remote administrator.


  10. Step 11 through Step 17 define the IPsec ESP and AH transforms; Step 18 through Step 23 define the IKE parameters. If you are using IPsec without IKE, follow Step 11 through Step 17. If you are using IKE, follow Step 11 through Step 23.


    Note -

    Remote administration over IKE requires both sets of steps. IKE negotiates the keys for the ESP and AH transforms defined in Step 11 through Step 17, so those steps must be completed as well as Step 18 through Step 23.


  11. (IPsec) To define the ESP, click the Edit button.

    The ESP Header panel appears.

  12. (IPsec) Select the Encryption Algorithm to be used. The options are none, Null, DES, 3DES, BLOWFISH, and AES. Note that none and Null provide no confidentiality and single DES has only a 56-bit key; for an administration channel, prefer AES or 3DES.

  13. (IPsec) Select the Authentication Algorithm to be used. The options are none, MD5, and SHA1. Prefer SHA1 over MD5, and do not leave both the ESP and the AH authentication algorithm set to none, or the administration traffic is not integrity-protected.

  14. (IPsec) Click the OK button.

  15. (IPsec) To define the authentication header (AH), click the Edit button.

    The AH Header panel appears.

  16. (IPsec) Select the Authentication Algorithm to be used. The options are none, MD5, and SHA1.

  17. (IPsec) Click the OK button.

  18. (IKE) Select the Encryption Algorithm to be used. The options are none, Null, DES, 3DES, BLOWFISH, and AES.

  19. (IKE) Select the Hash Algorithm to be used. The options are none, MD5, and SHA1.

  20. (IKE) Select the Oakley Group. The options are 1, 2, and 5 (the 768-bit, 1024-bit, and 1536-bit MODP Diffie-Hellman groups respectively; choose the largest group the Administration Station supports).

  21. (IKE) Select the Authentication Method to be used. The options are:

    • RSA-SIGNATURES

    • RSA-ENCRYPTION

    • DSS-SIGNATURES

  22. (IKE) Select the name of the Source Certificate. Click the arrow to see a list of the certificates that are defined.

  23. (IKE) Click the OK button.
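Because a SKIP rule and an IPsec/IKE rule each require a different set of fields (the SKIP substeps of Step 7 in the previous procedure, and Step 10 through Step 23 here), the following added Python check validates a rule's Encryption parameters for completeness and flags the documented options that a practitioner should avoid on an administration channel. This is example code written for this page, not SunScreen's own: the EncryptionParams record, its field names, the sample values and the judgement of which options are weak are this example's assumptions. The option lists follow the dialog boxes described in this chapter.

```python
"""Completeness and strength checks for the Encryption parameters of a
remote administrative access rule (added example, not SunScreen code).

Field names and option lists follow the Remote Access Rules dialog box
described in this chapter; the EncryptionParams record, the checks and the
judgement of which options are weak are this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional

ENC_ALGS = {"none", "Null", "DES", "3DES", "BLOWFISH", "AES"}  # ESP and IKE encryption options
AUTH_ALGS = {"none", "MD5", "SHA1"}                             # ESP/AH authentication and IKE hash options
OAKLEY_GROUPS = {1, 2, 5}
IKE_AUTH_METHODS = {"RSA-SIGNATURES", "RSA-ENCRYPTION", "DSS-SIGNATURES"}


@dataclass
class EncryptionParams:
    encryption: str                           # SKIP_VERSION_1, SKIP_VERSION_2 or IPSEC_IKE
    certificate_group: Optional[str] = None   # SKIP only
    key_algorithm: Optional[str] = None       # SKIP only
    data_algorithm: Optional[str] = None      # SKIP only
    mac_algorithm: Optional[str] = None       # SKIP_VERSION_2 only
    esp_encryption: Optional[str] = None      # IPsec ESP (Step 12)
    esp_auth: Optional[str] = None            # IPsec ESP (Step 13)
    ah_auth: Optional[str] = None             # IPsec AH (Step 16)
    ike_encryption: Optional[str] = None      # IKE (Step 18)
    ike_hash: Optional[str] = None            # IKE (Step 19)
    oakley_group: Optional[int] = None        # IKE (Step 20)
    ike_auth_method: Optional[str] = None     # IKE (Step 21)
    source_certificate: Optional[str] = None  # IKE (Step 22)


def _required(p: EncryptionParams):
    """Required (field name, value) pairs per Encryption type, from the procedures above."""
    skip_v1 = [("Certificate Group", p.certificate_group),
               ("Key Algorithm", p.key_algorithm),
               ("Data Algorithm", p.data_algorithm)]
    return {
        "SKIP_VERSION_1": skip_v1,
        "SKIP_VERSION_2": [("MAC Algorithm", p.mac_algorithm)] + skip_v1,
        # IKE needs the IPsec ESP/AH definitions (Steps 11-17) and the IKE
        # parameters (Steps 18-23).
        "IPSEC_IKE": [("ESP Encryption Algorithm", p.esp_encryption),
                      ("ESP Authentication Algorithm", p.esp_auth),
                      ("AH Authentication Algorithm", p.ah_auth),
                      ("IKE Encryption Algorithm", p.ike_encryption),
                      ("IKE Hash Algorithm", p.ike_hash),
                      ("Oakley Group", p.oakley_group),
                      ("Authentication Method", p.ike_auth_method),
                      ("Source Certificate", p.source_certificate)],
    }


def validate(p: EncryptionParams) -> List[str]:
    """Problems that would leave the rule incomplete: unset required fields, or
    IPsec/IKE values outside the documented option lists. Empty means complete."""
    required = _required(p)
    if p.encryption not in required:
        return [f"unknown Encryption value {p.encryption!r}"]
    problems = [f"missing {name}" for name, value in required[p.encryption] if value is None]
    if p.encryption == "IPSEC_IKE":
        choices = [("ESP Encryption Algorithm", p.esp_encryption, ENC_ALGS),
                   ("ESP Authentication Algorithm", p.esp_auth, AUTH_ALGS),
                   ("AH Authentication Algorithm", p.ah_auth, AUTH_ALGS),
                   ("IKE Encryption Algorithm", p.ike_encryption, ENC_ALGS),
                   ("IKE Hash Algorithm", p.ike_hash, AUTH_ALGS),
                   ("Oakley Group", p.oakley_group, OAKLEY_GROUPS),
                   ("Authentication Method", p.ike_auth_method, IKE_AUTH_METHODS)]
        problems += [f"invalid {name}: {value!r}" for name, value, allowed in choices
                     if value is not None and value not in allowed]
    return problems


def weak_settings(p: EncryptionParams) -> List[str]:
    """Documented IPsec/IKE options that give weak or no protection to the
    administration channel (editorial judgement; the guide lists them without comment)."""
    if p.encryption != "IPSEC_IKE":
        return []
    problems = []
    if p.esp_encryption in ("none", "Null"):
        problems.append("ESP gives no confidentiality (encryption none/Null)")
    if p.esp_auth == "none" and p.ah_auth == "none":
        problems.append("no integrity protection: ESP and AH authentication are both none")
    for label, alg in (("ESP encryption", p.esp_encryption), ("IKE encryption", p.ike_encryption)):
        if alg == "DES":
            problems.append(f"{label} uses single DES (56-bit key)")
    for label, alg in (("ESP authentication", p.esp_auth), ("AH authentication", p.ah_auth),
                       ("IKE hash", p.ike_hash)):
        if alg == "MD5":
            problems.append(f"{label} uses MD5")
    if p.oakley_group == 1:
        problems.append("Oakley group 1 (768-bit MODP) is too small")
    return problems
```

Run validate() before Save Changes, and treat any weak_settings() finding on the rule for an Administration Station as a reason to revisit Steps 12, 13, 18, 19 and 20; the SKIP algorithm names in the tests are constructed sample values, not SunScreen's list.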