Chapter 1 SunScreen Overview

This chapter describes SunScreen generally and discusses the following topics:

• "What Is SunScreen?"

• "Software and Hardware Requirements"

• "Compatibility With Other SunScreen Products"

• "SunScreen Lite"

• "Online Help and Documentation"

What Is SunScreen?

SunScreen 3.2 is a versatile firewall that provides access control, authentication, and network data encryption. SunScreen has a dynamic packet-filtering engine for network-access control (routing mode) and an encryption and authentication engine (stealth mode) for creating secure VPN gateways by integrating public-key encryption technology. SunScreen addresses high availability (HA) for standards-based encryption. Secure administration is provided through a browser-based administration GUI or a command line editor.

Each physical network interface in a SunScreen environment can operate in either routing or stealth mode. An interface in routing mode has its own IP address and behaves like a bridge. If two or more routing mode interfaces are present, SunScreen connects multiple networks or subnetworks. Virtual interfaces are supported only in routing mode. An interface in stealth mode does not have an IP address, nor does it have a TCP/IP stack. Multiple stealth interfaces act like a bridge that subdivides a single subnet with respect to routing.

SunScreen consists of two primary components: a Screen which is the firewall responsible for screening packets and performing necessary encryption and decryption, and an Administration Station, where you define your security policy and from where you administer your Screen or Screens. The two components can be installed on separate machines for remote administration or on a single machine for local administration.

There are two methods of administering SunScreen: the SunScreen administration graphical user interface (GUI) and the command line configuration editor. Note that the command line interface is a superset of the GUI. The GUI is handy for simple, highly-interactive tasks. The command line interface is scriptable. See Appendix B, Configuration Editor Reference for detailed descriptions of the configuration editor and the command line interface.

For remote administration of a Screen, you must use either SunScreen SKIP (Simple Key-Management for Internet Protocols) or IPsec/IKE (IP Security Architecture/Internet Key Exchange) for secure communication between the Administration Station and the Screen. IKE or SKIP protects network traffic against unauthorized modification and eavesdropping, and securely authenticates parties that are communicating with each other.

• SKIP technology enables encryption, authentication, access control, and secure virtual private networks (VPN). SunScreen incorporates SunScreen SKIP, release 1.5.1 for the Solaris^TM operating environment. You can use the SunScreen administration GUI to administer SKIP on the Screen, but if you need further debugging capabilities, you must use the command line. See the SunScreen SKIP User's Guide, Release 1.5.1, for further information regarding SKIP encryption and administration.

• The IPsec protocol is a set of security extensions that use modern cryptographic methods to provide privacy and authentication services. IPsec alone, without IKE, uses manual keying to establish security sessions. SunScreen also supports manual keying. The IKE feature in SunScreen is supported only in the Solaris 8 operating environment. See System Administration Guide, Volume 3, for information about IPsec and IPv6. IKE, with signed certificates, must be used for remote administration and for VPNs created with vpngateway objects.

  ---

  Note -

  For encryption, SunScreen supports IPsec (Internet Protocol Security) with manual keying and IKE (Internet Key Exchange) as well as SKIP (Simple Key Management for Internet Protocol). You can use IKE and SKIP on the same Screen, but they cannot encrypt the same traffic.

  ---

You can administer SunScreen remotely from any system that has a browser compliant with JDK 1.1.3 and has a supported version of IKE or SKIP software installed. SKIP software is available for the Sun Solaris operating environment and the Microsoft Windows operating environment (Windows 95, Windows 98, NT 4.x with PC SKIP) . IKE is available for Solaris or Windows 2000 with IKE.

Software and Hardware Requirements

The table below lists the installation requirements for SunScreen 3.2.

Table 1-1 SunScreen 3.2 Installation Requirements

Requirement	Description
Operating environment	Solaris 2.6, Solaris 7, Solaris 8 (with IPv4 only) in either 32-bit or 64-bit mode for SPARC and the Intel platform editions Trusted Solaris 8 (SPARC systems only)
Browsers supported:	A JavaTM-enabled Web browser compliant with JDKTM, Release 1.1.3 or later HotJavaTM 1.1 running on the SPARC and Solaris Intel platform editions Internet Explorer 4.0 (with or without the Java plug-in) on the Windows platform Netscape 4.0.1 or higher, can be used for all administrative functions except those requiring local file access. (See below for system requirements for Internet Explorer and Netscape to run Java plug-ins.)
Hardware	All SPARCstation(TM) workstations, UltraSPARC, and Intel systems supported by Solaris 2.6, Solaris 7, and Solaris 8 operating environments All SPARCstations and UltraSPARC systems supported by Trusted Solaris 8
Disk space	Minimum of 1 Gbyte (with at least 300 Mbytes unused). This space is needed for the following: configuration database = /etc/sunscreen = 10 MB [Can grow larger over the course of hundreds of policy or configuration changes] logs and temporary files = /var/sunscreen = 120 MB [Can grow larger if the SunScreen log size parameter is increased from its default of 100 MB] internal files = /usr/lib/sunscreen = 50 MB man pages = /usr/share/man = 1 MB
Memory	For administration software installation: a minimum of 32 Mbytes is required and 64 Mbytes is strongly recommended. For Screen-only software installation: a minimum of 32 Mbytes.
Network interfaces supported	For the Screen: [The Screen can support up to 15 stealth interfaces at one time.Stealth configurations do not support ATM, FDDI, token ring, or the use of proxies. SunScreen HA in routing mode does not support FDDI, token ring, ATM, Gigabit Ethernet, or failover of IKE-based IPsec connections] For SPARC and UltraSPARC systems in routing mode: 10-Mbps or 100-Mbps Ethernet interfaces (le, qe, hme, be, qfe, pnet) Gigabit Ethernet (ge) interfaces Token Ring interfaces (trp) ATM (155 and 622 Mbps) in LAN emulation mode (lane) or classic IP mode (ba) FDDI (nf), or PCI-based Ethernet cards For SPARC and UltraSPARC systems in stealth mode: 10-Mbps, 100-Mbps, Fast Ethernet, or Gigabit Ethernet interfaces For Intel-based systems: 10 Mbps or 100 Mbps Ethernet interfaces (dnet, elxl) High availability requires that the two machines be connected by means of a non-switching hub. [Some switches, including Alteon, Radware's Fireproof, and Foundry's ServerIron, can be configured to work with SunScreen HA clusters. Each Screen is set up as an individual Screen, with different IP addresses, and no interconnect. You can use as many Screens as the switch supports. Note that because SunScreen is a stateful firewall, TCP connections do not failover. ] For the Administration Station: [A remote Administration Station can connect directly to a Screen only through an Ethernet local area network (LAN) or a fiber distributed data interface (FDDI). ] For SPARC systems: 10-Mbps or 100-Mbps Ethernet interfaces (le, qe, hme, be, qfe), or FDDI, or PCI-based Ethernet cards. An Administration Station can connect to the Screen by an asynchronous transfer mode (ATM) or Token Ring LAN, but only after it is connected directly to the network by way of an Ethernet or FDDI connection first. For Solaris Intel Edition systems: 10-Mbps or 100-Mbps Ethernet interfaces (dnet, elxl).
Media	CD-ROM drive (and a diskette drive, if you are using certain types of CA-issued certificates).

SunScreen includes HotJava 1.1, SunScreen SKIP for Solaris, and IKE software.

---

Note -

To read the SunScreen documentation from the administration GUI, you must have the Adobe Acrobat Reader plug-in installed on your system.

---

---

Note -

Because of a limitation in SunScreen SKIP 1.5.1 for Solaris, the RC2 encryption algorithm is not available when running Solaris 7 or 8 in 64-bit mode.

---

Required Patches

See the SunScreen 3.2 Installation Guide for a list of required patches.

Java Plug-In Software

With Java plug-in software applets using Java technology on your Web pages can use Java Runtime Environment (JRE) instead of the browser's default runtime. Java plug-in software is available for Microsoft Windows and Sun Solaris-based browsers.

Java plug-in software system requirements:

• Windows 95, Windows 98, or Windows NT 4.0

  • Pentium 90 MHz or faster processor

  • 10 MBytes free hard disk space (recommended 20 MBytes)

  • 24 MBytes system RAM

• Solaris 2.5 or compatible versions

  • SPARC or Intel microprocessor

  • 10 MBytes free hard disk space (recommended 20 MBytes)

  • 32 MBytes system RAM (recommended 48 MBytes)

Java plug-in software is available at no charge at the following URL: http://java.sun.com/products/plugin/1.1.2/index-1.1.2.html

See Appendix A, "Using the Command Line," in the SunScreen 3.2 Administration Guide for instructions on how to install the plug-in software.

Compatibility With Other SunScreen Products

SunScreen 3.2 can communicate with older SunScreen firewalls either in the clear or as part of a VPN.

The obsolete ss_client command that is used in SunScreen SPF-200, Release 1.0, and SunScreen EFS, Release 2.0, is maintained so that you can still manage Screens running these versions of the software remotely through the command line.

---

Note -

See Appendix A, Migrating From Earlier SunScreen Firewall Products for information regarding command compatibility with previous releases. For information regarding the current commands for SunScreen, see Appendix B, Configuration Editor Reference.

---

The SunScreen SKIP encryption system built into SunScreen 3.2 is compatible with other SKIP implementations, such as earlier releases of SunScreen firewall products, SunScreen SKIP for Solaris, or SunScreen SKIP for the Microsoft Windows Operating Environment. SunScreen 3.2 exchanges encrypted information with other SunScreen firewall products transparently.

To upgrade to SunScreen 3.2 from earlier SunScreen firewall releases, see the upgrading instructions in the SunScreen 3.2 Installation Guide.

SunScreen Lite

SunScreen Lite is a stateful, packet-filtering firewall that has a subset of the features in SunScreen. It protects individual servers and small work groups.

This manual is a reference for both SunScreen Lite and SunScreen applications. Keep the following differences and similarities in mind when configuring and administering SunScreen Lite.

Supported Features

The SunScreen 3.2 Lite firewall:

• Can be administered from a remote Administration Station.

• Supports basic packet filtering.

• Displays all data for supported SunScreen types and data fields.

• Can be used in virtual private networks (VPNs).

• Can be used for secondary machines in a centralized management group.

• Uses SunScreen SKIP or IKE for encryption. SunScreen SKIP and IKE are included as part of SunScreen 3.2 Lite and are automatically installed.

Limitations

The SunScreen Lite firewall does not support some features that are available in SunScreen. A SunScreen Lite firewall:

• Does not support stealth-mode operation.

• If you have more than two interfaces and ip_forwarding is on, cannot support more than two routing interfaces. Any additional interfaces that are configured on this system will not have filtering rules applied to them. Note that Lite supports virtually unlimited routing interfaces when the Screen is not acting as a router--when ip_forwarding is turned off. This is ideal for protecting server systems that have multiple interfaces for connectivity, administration, and backup, but that are not routing packets between interfaces.

• Does not support and cannot create the ADMIN, HA, or STEALTH interfaces.

• Cannot support more than ten unregistered IP addresses that can be translated to registered addresses using network address translation (NAT); it is limited to two NAT rules.

• Cannot be a member of a high availability (HA) cluster.

• Cannot create and cannot be made the primary Screen in a centralized management group (CMG).

• Does not support proxies.

• Does not support and cannot create time objects.

• Ignores the time-of-day field in rules.

Online Help and Documentation

Topical help is available for each page of the administration GUI by clicking the Help button on a page or by clicking the Documentation button.

Click the Documentation button for the PDF files. They are installed with the SUNWsfwd package.

The man pages for SunScreen are located in /usr/share/man/man4sunscreen.

The man pages for SunScreen SKIP and IPsec/IKE are located in the standard Solaris man page directory.