This chapter describes SunScreen generally and discusses the following topics:
SunScreen 3.2 is a versatile firewall that provides access control, authentication, and network data encryption. SunScreen has a dynamic packet-filtering engine for network-access control (routing mode) and an encryption and authentication engine (stealth mode) for creating secure VPN gateways by integrating public-key encryption technology. SunScreen addresses high availability (HA) for standards-based encryption. Secure administration is provided through a browser-based administration GUI or a command line editor.
Each physical network interface in a SunScreen environment can operate in either routing or stealth mode. An interface in routing mode has its own IP address and behaves like a bridge. If two or more routing mode interfaces are present, SunScreen connects multiple networks or subnetworks. Virtual interfaces are supported only in routing mode. An interface in stealth mode does not have an IP address, nor does it have a TCP/IP stack. Multiple stealth interfaces act like a bridge that subdivides a single subnet with respect to routing.
SunScreen consists of two primary components: a Screen which is the firewall responsible for screening packets and performing necessary encryption and decryption, and an Administration Station, where you define your security policy and from where you administer your Screen or Screens. The two components can be installed on separate machines for remote administration or on a single machine for local administration.
There are two methods of administering SunScreen: the SunScreen administration graphical user interface (GUI) and the command line configuration editor. Note that the command line interface is a superset of the GUI. The GUI is handy for simple, highly-interactive tasks. The command line interface is scriptable. See Appendix B, Configuration Editor Reference for detailed descriptions of the configuration editor and the command line interface.
For remote administration of a Screen, you must use either SunScreen SKIP (Simple Key-Management for Internet Protocols) or IPsec/IKE (IP Security Architecture/Internet Key Exchange) for secure communication between the Administration Station and the Screen. IKE or SKIP protects network traffic against unauthorized modification and eavesdropping, and securely authenticates parties that are communicating with each other.
SKIP technology enables encryption, authentication, access control, and secure virtual private networks (VPN). SunScreen incorporates SunScreen SKIP, release 1.5.1 for the Solaris™ operating environment. You can use the SunScreen administration GUI to administer SKIP on the Screen, but if you need further debugging capabilities, you must use the command line. See the SunScreen SKIP User's Guide, Release 1.5.1, for further information regarding SKIP encryption and administration.
The IPsec protocol is a set of security extensions that use modern cryptographic methods to provide privacy and authentication services. IPsec alone, without IKE, uses manual keying to establish security sessions. SunScreen also supports manual keying. The IKE feature in SunScreen is supported only in the Solaris 8 operating environment. See System Administration Guide, Volume 3, for information about IPsec and IPv6. IKE, with signed certificates, must be used for remote administration and for VPNs created with vpngateway objects.
For encryption, SunScreen supports IPsec (Internet Protocol Security) with manual keying and IKE (Internet Key Exchange) as well as SKIP (Simple Key Management for Internet Protocol). You can use IKE and SKIP on the same Screen, but they cannot encrypt the same traffic.
You can administer SunScreen remotely from any system that has a browser compliant with JDK 1.1.3 and has a supported version of IKE or SKIP software installed. SKIP software is available for the Sun Solaris operating environment and the Microsoft Windows operating environment (Windows 95, Windows 98, NT 4.x with PC SKIP). IKE is available for Solaris or Windows 2000 with IKE.
The table below lists the installation requirements for SunScreen 3.2.
Table 1-1 SunScreen 3.2 Installation Requirements
SunScreen includes HotJava 1.1, SunScreen SKIP for Solaris, and IKE software.
To read the SunScreen documentation from the administration GUI, you must have the Adobe Acrobat Reader plug-in installed on your system.
Because of a limitation in SunScreen SKIP 1.5.1 for Solaris, the RC2 encryption algorithm is not available when running Solaris 7 or 8 in 64-bit mode.
See the SunScreen 3.2 Installation Guide for a list of required patches.
With Java plug-in software, applets using Java technology on your Web pages can use the Java Runtime Environment (JRE) instead of the browser's default runtime. Java plug-in software is available for Microsoft Windows and Sun Solaris-based browsers.
Java plug-in software system requirements:

Windows:
  Windows 95, Windows 98, or Windows NT 4.0
  Pentium 90 MHz or faster processor
  10 MBytes free hard disk space (recommended 20 MBytes)
  24 MBytes system RAM

Solaris:
  Solaris 2.5 or compatible versions
  SPARC or Intel microprocessor
  10 MBytes free hard disk space (recommended 20 MBytes)
  32 MBytes system RAM (recommended 48 MBytes)
Java plug-in software is available at no charge at the following URL: http://java.sun.com/products/plugin/1.1.2/index-1.1.2.html
See Appendix A, "Using the Command Line," in the SunScreen 3.2 Administration Guide for instructions on how to install the plug-in software.
SunScreen 3.2 can communicate with older SunScreen firewalls either in the clear or as part of a VPN.
The obsolete ss_client command that is used in SunScreen SPF-200, Release 1.0, and SunScreen EFS, Release 2.0, is maintained so that you can still manage Screens running these versions of the software remotely through the command line.
See Appendix A, Migrating From Earlier SunScreen Firewall Products for information regarding command compatibility with previous releases. For information regarding the current commands for SunScreen, see Appendix B, Configuration Editor Reference.
The SunScreen SKIP encryption system built into SunScreen 3.2 is compatible with other SKIP implementations, such as earlier releases of SunScreen firewall products, SunScreen SKIP for Solaris, or SunScreen SKIP for the Microsoft Windows Operating Environment. SunScreen 3.2 exchanges encrypted information with other SunScreen firewall products transparently.
To upgrade to SunScreen 3.2 from earlier SunScreen firewall releases, see the upgrading instructions in the SunScreen 3.2 Installation Guide.
SunScreen Lite is a stateful, packet-filtering firewall that has a subset of the features in SunScreen. It protects individual servers and small work groups.
This manual is a reference for both SunScreen Lite and SunScreen applications. Keep the following differences and similarities in mind when configuring and administering SunScreen Lite.
The SunScreen 3.2 Lite firewall:
Supports basic packet filtering.
Displays all data for supported SunScreen types and data fields.
Can be used for secondary machines in a centralized management group.
Uses SunScreen SKIP or IKE for encryption. SunScreen SKIP and IKE are included as part of SunScreen 3.2 Lite and are automatically installed.
The SunScreen Lite firewall does not support some features that are available in SunScreen. A SunScreen Lite firewall:
Cannot support more than two routing interfaces when the system has more than two interfaces and ip_forwarding is on. Any additional interfaces configured on such a system will not have filtering rules applied to them. Note that Lite supports virtually unlimited routing interfaces when the Screen is not acting as a router, that is, when ip_forwarding is turned off. This is ideal for protecting server systems that have multiple interfaces for connectivity, administration, and backup, but that do not route packets between interfaces.
Does not support and cannot create the ADMIN, HA, or STEALTH interfaces.
Cannot support more than ten unregistered IP addresses that can be translated to registered addresses using network address translation (NAT); it is limited to two NAT rules.
Cannot create a centralized management group (CMG) and cannot be made the primary Screen in one.
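As an added check, not part of the SunScreen guide, the following script tests the Lite routing-interface limit described above: it counts the interfaces that carry an IPv4 address in a constructed sample of `ifconfig -a` output and, given the ip_forwarding setting, reports which interfaces would be left without filtering rules. The `ifconfig -a` and `ndd -get /dev/ip ip_forwarding` commands named in the comments are assumed Solaris commands for feeding it live data, not commands taken from this page.

```shell
#!/bin/sh
# Added example (not from the SunScreen guide): checks whether a SunScreen 3.2 Lite
# host exceeds the two-routing-interface limit while ip_forwarding is on, the case
# in which Lite applies no filtering rules to the additional interfaces.
# Inputs are passed as text so the check runs offline; on a live Solaris host you
# would feed it the output of `ifconfig -a` and of `ndd -get /dev/ip ip_forwarding`
# (both assumed here).

# Constructed sample of `ifconfig -a` output (not captured from a real host).
SAMPLE_IFCONFIG='lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
hme1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 198.51.100.1 netmask ffffff00 broadcast 198.51.100.255
qfe0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 203.0.113.1 netmask ffffff00 broadcast 203.0.113.255'

# Print the names of non-loopback interfaces that carry an IPv4 address, one per
# line. These are the routing-mode interfaces (stealth interfaces have no address
# and are not available in Lite anyway).
routing_ifaces() {
    printf '%s\n' "$1" | awk '
        /^[a-z]/ { iface = $1; sub(":$", "", iface); loop = ($0 ~ /LOOPBACK/) }
        /^[ \t]+inet / && !loop { print iface }'
}

# Count routing-mode interfaces in the given ifconfig output.
count_routing_ifaces() {
    routing_ifaces "$1" | wc -l | tr -d ' '
}

# Return 0 when every routing interface is filtered under the Lite rules, 1 when
# ip_forwarding is on and more than two routing interfaces exist (the extra ones,
# listed on stderr, receive no filtering rules).
check_lite_limit() {
    n=$(count_routing_ifaces "$1")
    if [ "$2" != "1" ]; then
        echo "ip_forwarding off: $n routing interface(s), all filtered"
        return 0
    fi
    if [ "$n" -le 2 ]; then
        echo "ip_forwarding on: $n routing interface(s), within the Lite limit"
        return 0
    fi
    echo "WARNING: ip_forwarding on with $n routing interfaces; Lite filters only two" >&2
    routing_ifaces "$1" | sed -n '3,$p' | sed 's/^/  unfiltered: /' >&2
    return 1
}

# Run against the constructed sample with ip_forwarding on (exit status 1 here).
check_lite_limit "$SAMPLE_IFCONFIG" 1 || echo "exit status: $?"
```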
Topical help is available for each page of the administration GUI by clicking the Help button on a page or by clicking the Documentation button.
Click the Documentation button for the PDF files. They are installed with the SUNWsfwd package.
The man pages for SunScreen are located in /usr/share/man/man4sunscreen.
The man pages for SunScreen SKIP and IPsec/IKE are located in the standard Solaris man page directory.