SunScreen 3.2 Administrator's Overview

How SunScreen Works

SunScreen is a Solaris software product that supports the following platforms: Solaris 2.6, Solaris 7, and Solaris 8 and compatible versions, for both the SPARC and Intel platforms, and Trusted Solaris 8 for the SPARC platform.


Note -

Upgrade your system to at least Solaris 2.6. SunScreen cannot be used with Solaris 2.5.1 because of Unicode internationalization requirements.


For local administration, the administration GUI works on any hardware or software system with a browser that supports JDK 1.1 (up to and including 1.1.3). For remote administration, the same browser requirement applies, and the Administration Station must additionally have SKIP or IPsec/IKE installed, because remote administration traffic is encrypted.

Integration of the two SunScreen firewall products--SunScreen EFS and SunScreen SPF-200--in SunScreen 3.2 enables you to create:

You can also deploy SunScreen on existing application and data servers throughout an enterprise to control access and provide encryption.

SunScreen includes the following graphical user interfaces (GUIs):

Use the install wizard to configure your Screen in routing mode (the default) or in stealth mode.


Note -

For machines without a monitor, use pkgadd to install SunScreen and ssadm configure to create the initial configuration.


Following installation, use the administration GUI to administer your Screen locally (on the same machine) or remotely (from an Administration Station). With the administration GUI you can administer single Screens, high availability (HA) clusters, or centralized management groups (CMGs) of Screens--locally or remotely.


Note -

The skiptool GUI is not available on a SunScreen Screen; it is incompatible with SunScreen's SKIP implementation.


The behavior of a Screen is governed by a policy, an ordered set of rules. Each version of a policy is stored in a separate file on the (master) Screen, so a policy's history is preserved. Individual policies, or earlier versions of a policy, can be copied or saved into a new policy, and you can reuse all of a saved policy or only a portion of it at a later date.

The network address translation (NAT) feature enables the Screen to map unregistered (private) internal network addresses to a registered (public) network address. NAT can also map an internal network address to a different network address, for example to publish an internal server at a public address. As a packet passes between an internal host and a public network, the Screen transparently replaces the addresses in the packet with the new addresses, corrects the checksums and sequence numbers, and monitors the state of the address map so that replies are translated back. NAT rules are ordered, and you specify when each rule applies to a packet based on its source and destination addresses. Note that SunScreen performs NAT of the source address before encrypting and NAT of the destination address after decrypting: a tunnel peer therefore sees the translated source address, and destination rules operate on the decrypted, real destination. See Chapter 7, Network Address Translation for detailed information about NAT.
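The ordered-rule processing described for policies above and for NAT in this paragraph, as an added Python model. This is illustration code written for this page, not SunScreen's own implementation or its ssadm rule syntax. It assumes first-match semantics within each rule kind (the text says only that the rules are ordered), stands in for SKIP/IPsec encryption with a flag rather than real encapsulation, uses a toy checksum in place of the IP/TCP checksums a real NAT must recompute, and uses constructed placeholder addresses (10.1.1.0/24 inside, 192.0.2.0/24 outside).

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed placeholder addresses for the example.
INSIDE_HOST = "10.1.1.25"     # private client behind the Screen
SERVER_REAL = "10.1.1.80"     # private server published at PUBLIC_ADDR
PUBLIC_ADDR = "192.0.2.10"    # the Screen's registered address
PEER = "192.0.2.200"          # host on the public network


def checksum(fields: Tuple) -> int:
    """Toy 16-bit checksum over the address/port fields; stands in for the
    real IP/TCP checksums that must be corrected after translation."""
    total = 0
    for f in fields:
        for b in str(f).encode():
            total = (total + b) & 0xFFFF
    return total


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    csum: int
    encrypted: bool = False

    @staticmethod
    def build(src: str, dst: str, sport: int, dport: int) -> "Packet":
        return Packet(src, dst, sport, dport, checksum((src, dst, sport, dport)))

    def rewrite(self, **changes) -> "Packet":
        """Copy with fields changed and the checksum recomputed."""
        p = replace(self, **changes)
        return replace(p, csum=checksum((p.src, p.dst, p.sport, p.dport)))


@dataclass(frozen=True)
class NatRule:
    kind: str           # "src": rewrite the source; "dst": rewrite the destination
    src_net: str        # packet source must fall in this CIDR
    dst_net: str        # packet destination must fall in this CIDR
    translate_to: str   # address substituted for the rewritten field


class Nat:
    """Ordered NAT rules plus a state map of translations in effect."""

    def __init__(self, rules: List[NatRule]):
        self.rules = list(rules)                       # order matters
        self.state: Dict[Tuple, str] = {}              # translated flow -> original address

    def _first_match(self, kind: str, p: Packet) -> Optional[NatRule]:
        for r in self.rules:                           # assumed: first matching rule wins
            if (r.kind == kind
                    and ip_address(p.src) in ip_network(r.src_net)
                    and ip_address(p.dst) in ip_network(r.dst_net)):
                return r
        return None

    def translate(self, kind: str, p: Packet) -> Packet:
        r = self._first_match(kind, p)
        if r is None:
            return p                                   # no rule: pass unchanged
        out = p.rewrite(src=r.translate_to) if kind == "src" else p.rewrite(dst=r.translate_to)
        # Remember the mapping so the reply to this flow can be reversed.
        self.state[(kind, out.src, out.dst, out.sport, out.dport)] = p.src if kind == "src" else p.dst
        return out


def encrypt(p: Packet) -> Packet:
    """Stand-in for the SKIP/IPsec step (encapsulation not modelled)."""
    return replace(p, encrypted=True)


def decrypt(p: Packet) -> Packet:
    return replace(p, encrypted=False)


def outbound(nat: Nat, p: Packet) -> Packet:
    """Inside -> outside: source NAT first, then encrypt, so the tunnel peer
    sees the public address rather than the private one."""
    return encrypt(nat.translate("src", p))


def inbound(nat: Nat, p: Packet) -> Packet:
    """Outside -> inside: decrypt first, then destination NAT, so the rule
    is evaluated against the real (decrypted) destination."""
    return nat.translate("dst", decrypt(p))


def demo() -> Tuple[Nat, Packet, Packet]:
    nat = Nat([
        NatRule("src", "10.1.1.0/24", "0.0.0.0/0", PUBLIC_ADDR),       # hide all inside hosts
        NatRule("src", INSIDE_HOST + "/32", "0.0.0.0/0", "192.0.2.11"),  # never reached: shadowed by the rule above
        NatRule("dst", "0.0.0.0/0", PUBLIC_ADDR + "/32", SERVER_REAL),  # publish the internal server
    ])
    out = outbound(nat, Packet.build(INSIDE_HOST, PEER, 40000, 443))
    inn = inbound(nat, encrypt(Packet.build(PEER, PUBLIC_ADDR, 50000, 22)))
    return nat, out, inn
```

Running demo() shows the two orderings the text calls out: the outbound packet leaves encrypted with source 192.0.2.10 and a corrected checksum, while the inbound packet is decrypted before the destination rule rewrites 192.0.2.10 to 10.1.1.80. The second source rule never fires because the broader rule ahead of it matches first, which is exactly the shadowing to watch for when editing an ordered rule set.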

High availability (HA) protects data by using a set of Screens to provide failover protection. One member of the HA cluster, the active Screen, services packets travelling between a protected inside network and an insecure outside network. Other members--the passive Screens--receive the same packets, perform the same calculations, and mirror the state of the active Screen, but they do not forward traffic between the inside network and the outside network. One of the passive Screens automatically becomes the active Screen if the active Screen fails.