SunScreen 3.2 is a versatile firewall that provides access control, authentication, and network data encryption. SunScreen has a dynamic packet-filtering engine for network-access control (routing mode) and an encryption and authentication engine (stealth mode) for creating secure VPN gateways by integrating public-key encryption technology. SunScreen addresses high availability (HA) for standards-based encryption. Secure administration is provided through a browser-based administration GUI or a command line editor.
Each physical network interface in a SunScreen environment can operate in either routing or stealth mode. An interface in routing mode has its own IP address and behaves like a bridge. If two or more routing mode interfaces are present, SunScreen connects multiple networks or subnetworks. Virtual interfaces are supported only in routing mode. An interface in stealth mode does not have an IP address, nor does it have a TCP/IP stack. Multiple stealth interfaces act like a bridge that subdivides a single subnet with respect to routing.
SunScreen consists of two primary components: a Screen which is the firewall responsible for screening packets and performing necessary encryption and decryption, and an Administration Station, where you define your security policy and from where you administer your Screen or Screens. The two components can be installed on separate machines for remote administration or on a single machine for local administration.
There are two methods of administering SunScreen: the SunScreen administration graphical user interface (GUI) and the command line configuration editor. Note that the command line interface is a superset of the GUI. The GUI is handy for simple, highly interactive tasks. The command line interface is scriptable. See Appendix B, Configuration Editor Reference, for detailed descriptions of the configuration editor and the command line interface.
For remote administration of a Screen, you must use either SunScreen SKIP (Simple Key-Management for Internet Protocols) or IPsec/IKE (IP Security Architecture/Internet Key Exchange) for secure communication between the Administration Station and the Screen. IKE or SKIP protects network traffic against unauthorized modification and eavesdropping, and securely authenticates parties that are communicating with each other.
SKIP technology enables encryption, authentication, access control, and secure virtual private networks (VPN). SunScreen incorporates SunScreen SKIP, release 1.5.1 for the Solaris operating environment. You can use the SunScreen administration GUI to administer SKIP on the Screen, but if you need further debugging capabilities, you must use the command line. See the SunScreen SKIP User's Guide, Release 1.5.1, for further information regarding SKIP encryption and administration.
The IPsec protocol is a set of security extensions that use modern cryptographic methods to provide privacy and authentication services. IPsec alone, without IKE, uses manual keying to establish security sessions. SunScreen also supports manual keying. The IKE feature in SunScreen is supported only in the Solaris 8 operating environment. See System Administration Guide, Volume 3, for information about IPsec and IPv6. IKE, with signed certificates, must be used for remote administration and for VPNs created with vpngateway objects.
For encryption, SunScreen supports IPsec (Internet Protocol Security) with manual keying and IKE (Internet Key Exchange) as well as SKIP (Simple Key Management for Internet Protocol). You can use IKE and SKIP on the same Screen, but they cannot encrypt the same traffic.
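The constraint above (IKE and SKIP may coexist on one Screen but must not encrypt the same traffic) is the kind of thing that is easy to violate once a policy has many rules. The following is an added example, not code from the SunScreen product or its documentation: a small lint that flags pairs of IKE and SKIP rules whose source, destination and service overlap. The rule representation (a list of dictionaries with `src`, `dst`, `service` and `encryption` keys) and the sample rules are constructed for illustration and are not SunScreen's own configuration format.

```python
"""Added example: check that no traffic is claimed by both IKE and SKIP.

The rule format below is a constructed illustration, not SunScreen's
configuration-editor syntax. Networks use RFC 5737 documentation ranges.
"""
from ipaddress import ip_network
from itertools import combinations

# Constructed sample policy (hypothetical format). "*" means any service.
SAMPLE_RULES = [
    {"name": "admin-ike", "src": "10.1.0.0/24", "dst": "192.0.2.10/32",
     "service": "ssadmin", "encryption": "IKE"},
    {"name": "vpn-ike", "src": "10.1.0.0/16", "dst": "198.51.100.0/24",
     "service": "*", "encryption": "IKE"},
    {"name": "vpn-skip", "src": "10.1.5.0/24", "dst": "198.51.100.0/24",
     "service": "http", "encryption": "SKIP"},
    {"name": "mail-skip", "src": "10.2.0.0/16", "dst": "203.0.113.25/32",
     "service": "smtp", "encryption": "SKIP"},
]


def _services_overlap(a: str, b: str) -> bool:
    """A wildcard service matches everything; otherwise names must match."""
    return a == "*" or b == "*" or a == b


def _nets_overlap(a: str, b: str) -> bool:
    """True if the two CIDR prefixes share at least one address."""
    return ip_network(a).overlaps(ip_network(b))


def traffic_overlaps(r1: dict, r2: dict) -> bool:
    """True if some packet could match both rules."""
    return (_nets_overlap(r1["src"], r2["src"])
            and _nets_overlap(r1["dst"], r2["dst"])
            and _services_overlap(r1["service"], r2["service"]))


def find_ike_skip_conflicts(rules: list) -> list:
    """Return (rule, rule) name pairs where an IKE rule and a SKIP rule
    would both apply to the same traffic."""
    conflicts = []
    for r1, r2 in combinations(rules, 2):
        # Only mixed IKE/SKIP pairs can violate the constraint.
        if {r1["encryption"], r2["encryption"]} != {"IKE", "SKIP"}:
            continue
        if traffic_overlaps(r1, r2):
            conflicts.append((r1["name"], r2["name"]))
    return conflicts


if __name__ == "__main__":
    for a, b in find_ike_skip_conflicts(SAMPLE_RULES):
        print(f"conflict: IKE/SKIP rules {a} and {b} cover the same traffic")
```

Run against the sample policy, the lint reports that `vpn-ike` (any service from 10.1.0.0/16) and `vpn-skip` (HTTP from 10.1.5.0/24) both cover HTTP traffic from the 10.1.5.0/24 subnet to 198.51.100.0/24; the administration and mail rules do not overlap with anything. Because it works on network prefixes rather than individual addresses, the same check generalizes to any pair of rules, not just the two shown.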
You can administer SunScreen remotely from any system that has a browser compliant with JDK 1.1.3 and has a supported version of IKE or SKIP software installed. SKIP software is available for the Sun Solaris operating environment and the Microsoft Windows operating environment (Windows 95, Windows 98, NT 4.x with PC SKIP). IKE is available for Solaris or Windows 2000 with IKE.