SunScreen 3.2 Administrator's Overview

Administration

SunScreen consists of two components: an Administration Station and a Screen. The two components can be installed on separate machines, with the Screen on one or more machines and another machine acting as a remote Administration Station, or they can be installed on a single machine for local administration of a Screen. If both components are installed on a single machine, the Administration Station can administer not only the local Screen but remote Screens as well.

The number of Screens and Administration Stations needed at a site depends on its network topology and security policies. Typically, one Screen is installed at each point where the network has direct public access that needs to be restricted. An Administration Station can manage multiple Screens.

You typically choose whether to administer a Screen locally or remotely when you install the SunScreen software. Alternatively, you can add a remote Administration Station after the Screen software has been installed.

Local Administration

Local administration is performed on the host where the Screen software is installed, as shown in the figure below. Because administrative commands do not travel over a network, local administration does not require encrypted communication.

Figure 2-2 Local Administration of a Screen


Remote Administration

Remote administration is performed from an Administration Station, where the administration software, including SunScreen SKIP and/or IKE, is installed. As shown in the figure below, a remote Administration Station on the internal network administers the Screen located between the internal network and the Internet. This Screen could be configured as the router between the internal network and the Internet. A second remote Administration Station for this Screen is located on the external network. The Administration Stations must be configured to communicate with the Screen using encryption. SunScreen SKIP or IKE is used to encrypt all communication between the remote Administration Stations and Screens, regardless of network topology between them.

Figure 2-3 Remote Administration From an Administration Station to a Screen


Locating the SunScreen Screen

A Screen can only control traffic that passes through it; the Screen must, therefore, be placed in the network such that the traffic you want to control passes through it. All packets coming into the network and leaving it must pass through the Screen that controls the network.

If multiple paths exist between the Internet and the corporate network, the Screen will not work optimally: depending on the routing, traffic can pass through the Screen in one direction but bypass it in the reverse direction, so the Screen never sees the replies it would need to control the conversation. To control the traffic on a network properly, both incoming and outgoing traffic must pass through the same Screen.

The figure below shows a network divided into several pieces by a Screen.

Figure 2-4 SunScreen as Internet Firewall Dividing a Network into Several Pieces


In the figure above there are two networks: the Internet and the company's network. The company's network is further divided into several demilitarized zones (DMZs) where public services reside. The advantage of dividing the network into two or more DMZs is that even if a system on a DMZ is compromised, traffic from that system to any other segment must still pass through the Screen, where the policy is enforced.
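The two placement points made above (a Screen must be on the path in both directions, and every DMZ must reach the rest of the network only through the Screen) can be checked mechanically from routing tables. The following is an added illustration written for this overview; it is not SunScreen code, and the segment names, next-hop tables and rule format are constructed for the example. It traces each direction of a connection through a toy topology, reports whether the Screen sees both directions, and only then applies a first-match, default-deny rule set. A second topology with an extra router between the internal network and the Internet reproduces the asymmetric-routing problem.

```python
"""Toy model of Screen placement: trace both directions of a flow through
next-hop tables and apply a policy only where the Screen sees the flow.
Constructed example for illustration; not SunScreen code."""
import copy
from collections import namedtuple

Rule = namedtuple("Rule", "src dst service action")

# Constructed topology: every segment's only route to every other segment
# is via the node named "screen", matching Figure 2-4.
SINGLE_PATH = {
    "internet": {"internal": "screen", "dmz1": "screen", "dmz2": "screen"},
    "internal": {"internet": "screen", "dmz1": "screen", "dmz2": "screen"},
    "dmz1":     {"internet": "screen", "internal": "screen", "dmz2": "screen"},
    "dmz2":     {"internet": "screen", "internal": "screen", "dmz1": "screen"},
    "screen":   {"internet": "internet", "internal": "internal",
                 "dmz1": "dmz1", "dmz2": "dmz2"},
}

# Same site, but the internal network's default route to the Internet goes
# out through a second router ("backdoor", e.g. a second ISP link), while
# inbound traffic from the Internet still arrives through the Screen.
MULTI_PATH = copy.deepcopy(SINGLE_PATH)
MULTI_PATH["internal"]["internet"] = "backdoor"
MULTI_PATH["backdoor"] = {"internet": "internet", "internal": "internal"}

# Constructed policy: public services reachable from the Internet, internal
# users may go out, DMZ hosts may not initiate anything toward the inside.
RULES = [
    Rule("internet", "dmz1", "http", "allow"),
    Rule("internet", "dmz2", "smtp", "allow"),
    Rule("internal", "internet", "*", "allow"),
    Rule("internal", "dmz1", "*", "allow"),
]


def trace(routes, src, dst, max_hops=16):
    """Follow next-hop tables from src to dst and return the node sequence."""
    path = [src]
    node = src
    while node != dst:
        if len(path) > max_hops:
            raise RuntimeError("routing loop or unreachable: %r" % path)
        node = routes[node][dst]
        path.append(node)
    return path


def screen_on_path(routes, src, dst, screen="screen"):
    return screen in trace(routes, src, dst)


def coverage(routes, a, b, screen="screen"):
    """(forward_seen, reverse_seen): does the Screen see a->b and b->a?"""
    return (screen_on_path(routes, a, b, screen),
            screen_on_path(routes, b, a, screen))


def evaluate(rules, src, dst, service):
    """First-match evaluation with an implicit deny at the end."""
    for r in rules:
        if (r.src in (src, "*") and r.dst in (dst, "*")
                and r.service in (service, "*")):
            return r.action
    return "deny"


def verdict(routes, rules, src, dst, service):
    """Policy result if the Screen sees both directions, else 'uncontrolled'."""
    fwd, rev = coverage(routes, src, dst)
    if not (fwd and rev):
        return "uncontrolled"
    return evaluate(rules, src, dst, service)


if __name__ == "__main__":
    checks = [("internet", "dmz1", "http"), ("dmz1", "internal", "ssh"),
              ("internal", "internet", "http"), ("internet", "internal", "ssh")]
    for name, routes in (("single path", SINGLE_PATH), ("multiple paths", MULTI_PATH)):
        print("== %s ==" % name)
        for src, dst, svc in checks:
            print("%-9s -> %-9s %-5s coverage=%s verdict=%s" % (
                src, dst, svc, coverage(routes, src, dst),
                verdict(routes, RULES, src, dst, svc)))
```

In the single-path topology a compromised DMZ host that tries to open a connection to the internal network is traced through the Screen and hits the default deny; in the multi-path topology the Screen sees inbound Internet traffic but not the internal network's replies, so the model reports the flow as uncontrolled rather than pretending the rules apply.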