SunScreen 3.2 Administrator's Overview

Security Policy

A security policy is the collection of decisions an organization makes about network security and its stance regarding what network activities are permitted or denied. The most important aspect in installing and administering a firewall is a well-defined security policy.

Configuration

A SunScreen policy comprises the rules that a SunScreen Screen uses to implement your company's security policy. A configuration is the union of a SunScreen policy with common objects to form a complete description of the behavior of one or more Screens. A policy is a named set of policy objects. When the SunScreen software is first installed, there is one policy, named Initial, which contains a single rule and objects for the Screen and its interfaces. Common objects are data objects relevant to all policies. Common object types include address, screen, service, interface, certificate, and time. Ordered objects include filtering rules, NAT rules, administration access rules, and VPN (virtual private network) gateway descriptions.

Neither common objects nor rules include objects loaded into SKIP or IKE, but they do include the reference from the certificate name in the common object registry to the internal identity used by SKIP or IKE.

Stateful Packet Filtering

A Screen, which sits between the client and server, uses stateful packet filtering to examine each data packet as it arrives. Based on information in the packet, state retained from previous events, and the set of security policy rules, the Screen either passes the data packet or blocks it.

SunScreen uses a set of ordered rules to filter packets. When you configure SunScreen, you translate the security policies for your site into a series of policy rules that specify which services are allowed, what to do with packets for services that are disallowed, and what to do when packets are dropped. You then place these policy rules in sequence to specify which rules override others.

Centralized Management Group

A centralized management group (CMG) reduces the overhead in configuring a set of firewalls and enables you to locate Screens at different points in the network and group them as an object. You can then manage this group of Screens with a standard set of objects through an Administration Station. All the firewalls in the group share the same policy, but apply it based upon their location in the network topology.

Network Address Translation (NAT)

Network address translation (NAT) translates one set of IP addresses to another set. NAT is typically used to:

NAT modifies the address fields in the IP header of the packet as it passes through the Screen. It also modifies the checksum and sequence number fields in the packet. Certain protocols (such as ftp) also require that data within the packet containing address information be modified.
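A worked illustration of the header rewriting described above, added here as an example and not SunScreen code: it constructs an IPv4 header, replaces the source address as a NAT Screen would, and repairs the IP header checksum both by full recomputation and by the RFC 1624 incremental update that avoids re-summing the whole header. The addresses and header field values are constructed sample data; TCP/UDP checksums and the ftp payload rewriting the paragraph mentions are outside this example.

```python
import ipaddress
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def checksum_ok(header: bytes) -> bool:
    # A header that still carries its own valid checksum sums to zero.
    return ip_checksum(header) == 0

def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6) -> bytes:
    """Constructed 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def addresses(header: bytes):
    return str(ipaddress.ip_address(header[12:16])), str(ipaddress.ip_address(header[16:20]))

def incremental_checksum(old_csum: int, old_words, new_words) -> int:
    """RFC 1624 update: HC' = ~(~HC + ~m + m'), so only the changed words are summed."""
    total = (~old_csum) & 0xFFFF
    for m, m_new in zip(old_words, new_words):
        total += ((~m) & 0xFFFF) + m_new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def nat_rewrite_source(header: bytes, new_src: str) -> bytes:
    """Replace the source address the way a NAT Screen would and fix the checksum."""
    ihl = (header[0] & 0x0F) * 4          # header length in bytes
    hdr = bytearray(header[:ihl])
    old_csum = struct.unpack("!H", hdr[10:12])[0]
    old_words = struct.unpack("!HH", hdr[12:16])
    hdr[12:16] = ipaddress.ip_address(new_src).packed
    new_words = struct.unpack("!HH", hdr[12:16])
    hdr[10:12] = struct.pack("!H", incremental_checksum(old_csum, old_words, new_words))
    return bytes(hdr) + header[ihl:]     # payload (and any options) pass through untouched
```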

Tunneling and Virtual Private Networks (VPN)

Organizations typically have offices in more than one location. SunScreen provides a tunneling mechanism to let the different offices use public networks as a secure private network without needing dedicated lines and with no changes to user applications.

When a tunnel, or virtual private network (VPN), is set up between two or more locations, all data packets traveling from one location to the other are encrypted and wrapped inside other packets before they are sent over the public Internet. Encrypting the packets guarantees that their contents will remain private; anyone capturing packets with the snoop program on network traffic between the two locations will be unable to read them. When the packets arrive at the remote location, they are unwrapped, decrypted, and forwarded to their intended destination.

In addition to protecting the privacy of network traffic, tunneling also lets a site conceal the details of its network topology from intruders or eavesdroppers. Because the original packets are encrypted, the source and destination addresses in their IP headers cannot be read. When the encrypted packets are encapsulated inside other packets, the new IP headers identify the addresses of the Screens that protect the locations, not the hosts that originated the packets. Consequently, the network topology behind the Screens is never exposed.

High Availability (HA)

High Availability (HA) enables you to deploy groups of Screens together in situations in which the connection between a protected inside network and an insecure outside network is critical. At any time, one member of the HA cluster is the active Screen, which performs packet filtering, network address translation, logging, and encryption or decryption of packets traveling between the inside and outside networks. The other Screens in the HA cluster receive the same packets, perform the same calculations as the active Screen, and mirror its state, but they do not forward traffic. When the active Screen fails, the passive Screen that has been running the longest takes over as the active Screen within 15 seconds. During this time (before the passive Screen takes over), no traffic goes through the HA cluster.


SunScreen provides flexible logging of packets. This means that each primary and secondary Screen can keep a log of its traffic. Logs of the packets are kept on the Screen that passed or rejected the packets.

Encryption

SunScreen uses a combination of public-key and shared-key cryptography to encrypt and decrypt packets. Any traffic that passes between any two machines or other SKIP or IKE devices can be encrypted. All traffic between a Screen and an Administration Station is encrypted.

Logging

You can configure SunScreen to log a packet when it matches a rule or when it does not match any particular rule. Most frequently, packets matching DENY rules or packets that are dropped because they do not match any rule are logged. The action defined in a rule controls whether a packet is logged and what information about the packet is recorded.
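A toy model of the ordered, stateful rule evaluation from the Stateful Packet Filtering section together with the logging behavior just described, added here as an example and not SunScreen code: the first matching rule wins, packets of an admitted session pass by retained state in both directions, a DENY match is logged when its rule says so, and a packet matching no rule is dropped and logged. The rule and packet fields, the ALLOW/DENY action names, and the sample addresses are assumptions made for this example.

```python
import ipaddress
from collections import namedtuple

# proto is "tcp" or "udp"; Rule.src/dst are CIDRs; dport 0 matches any port;
# action is "ALLOW" or "DENY"; log says whether a match is recorded.
Packet = namedtuple("Packet", "src dst proto sport dport")
Rule = namedtuple("Rule", "name src dst proto dport action log", defaults=(False,))

class Screen:
    """Ordered rules, first match wins; a packet matching no rule is dropped and logged."""
    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # 5-tuples of sessions an ALLOW rule admitted
        self.log = []

    def _matches(self, rule, pkt):
        return (pkt.proto == rule.proto
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
                and rule.dport in (0, pkt.dport))

    def filter(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        # State from earlier packets: both directions of an admitted session pass without a rule lookup.
        if flow in self.state or reply in self.state:
            return "PASS"
        desc = f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}/{pkt.proto}"
        for rule in self.rules:
            if self._matches(rule, pkt):
                if rule.log:
                    self.log.append(f"{rule.action} rule={rule.name} {desc}")
                if rule.action == "ALLOW":
                    self.state.add(flow)
                    return "PASS"
                return "DROP"
        self.log.append(f"DROP nomatch {desc}")   # implicit final rule: unmatched is dropped
        return "DROP"

def demo():
    rules = [Rule("web-in", "0.0.0.0/0", "192.0.2.10/32", "tcp", 80, "ALLOW"),
             Rule("no-telnet", "0.0.0.0/0", "192.0.2.0/24", "tcp", 23, "DENY", log=True)]
    s = Screen(rules)
    verdicts = [s.filter(Packet("198.51.100.7", "192.0.2.10", "tcp", 40000, 80)),  # web-in
                s.filter(Packet("192.0.2.10", "198.51.100.7", "tcp", 80, 40000)),  # reply, by state
                s.filter(Packet("198.51.100.7", "192.0.2.10", "tcp", 40001, 23)),  # no-telnet, logged
                s.filter(Packet("198.51.100.7", "192.0.2.10", "udp", 40002, 53))]  # no rule: dropped
    return verdicts, s.log
```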

Examining logged packets is useful when you are trying to identify the causes of problems during configuration or administration. You should also examine logs periodically for evidence of attempts to break into your network.

In an HA cluster, only the active Screen logs network traffic. However, traffic destined for the active or passive HA machine itself may be logged according to the rule. This means that some passive Screens may log some traffic, but only the traffic to them, not the traffic that is going through them. Each machine in an HA cluster logs what that system passed or rejected, as well as any locally processed nonpacket events.