SunScreen 3.2 Administrator's Overview

Address Object

An address object can be used in filtering rules, NAT rules, interface definitions, remote access rules, and VPN gateways. It can be an individual address, a range of addresses, or a group of addresses. You manipulate an address object through the SunScreen GUI or the configuration editor.

The addresses named * and localhost are reserved and cannot be modified in any way. The value of * is all IP addresses, as if a RANGE were defined with a starting IP address of 0.0.0.0 and an ending IP address of 255.255.255.255.

The value of localhost is the set of all addresses associated with the machine that SunScreen is running on--that is, the Screen's own IP address.

Optionally, you can associate addresses with a specific Screen object. In this case, its value is only used on the Screen with which it is associated. This approach enables multiple Screens to have different values for an address object with the same name. This is useful if, for example, you want to use the address "inside" and "outside" for all the Screens being managed.

An address object's unique name is its given name plus the name of the Screen if it is associated with one. All references to addresses are to their generic names without regard to any associated Screen.

There are three types of address objects:

Host Address

SunScreen identifies a host address as an individual host by linking its unique IP address to an address object. This address object can use the name of the host, IP address of the host, or some other identifier. The figure below shows an example of a host identified by its IP address (172.16.1.1).

Figure 4-1 HOST - Single Address


Address Range

An address range is a set of numerically contiguous IP addresses. Networks and subnetworks are typically identified by a name for the range of IP addresses. You use the beginning and ending addresses to identify an IP address range.

You can set up an address object to represent an address range in SunScreen. The figure below shows examples of ranges of addresses for the Corporate and Sales networks. For example, the Corporate address object is defined as a range of addresses from 172.16.3.2 to 172.16.3.255. You could then establish access or encryption rules for hosts on the Corporate network by indicating the rule applies to the Corporate address object.


Note -

SunScreen 3.2 supports four syntaxes for ranges:

In the figure below, for example, the following are all the same:

The values in parentheses in the figure (255.255.255.0) represent a netmask.


Figure 4-2 Range of IP Addresses


Address Group

An address group is a collection of host addresses, address ranges, and other address groups. After you set up an address group, you can use it to identify multiple hosts as a single element. You can define groups in terms of the addresses they include ("Address group A consists of the IP address 1.2.3.4 and the members of address group B"), the addresses they exclude ("Address group C consists of all the hosts on the 192.4.5.0 network except 192.4.5.5 and 192.4.5.9"), or both. Address groups cannot be self-referential; that is, you cannot include address group X as a member of address group Y and then define address group Y as a member of address group X.


Note -

There are two addresses you cannot modify: localhost, which is the IP address or addresses of the actual Screen, and *, which represents all IP addresses.


The value of an address group is determined first by all included addresses, which means that all the IP addresses explicitly specified and all IP addresses contained in any other address groups included in the group are added to the address group. Next, all IP addresses of all the addresses and address groups that are excluded are removed from the address group. Note that you cannot control the order in which the IP addresses are added or removed: all includes are done before all excludes.

Designing an Addressing Scheme

You can take several steps when creating address objects to simplify maintenance of your security policies. When you are planning your addressing scheme, choose interface names that describe which addresses are on that interface or that reflect the names of the interfaces. Make naming conventions meaningful and consistent so that maintenance and daily administration are uneventful.

A network interface is a network connection coming into a Screen through which one or more IP addresses are accessible. These IP addresses need to be identified to SunScreen so that IP spoofing can be detected and prevented.

The easiest way to define address objects for network interfaces is to define an address group for each network interface. You can choose names that identify which addresses are on that network interface (such as Corporate, Sales, ftp-www, and Internet) or names that identify the interfaces by type (such as le0 or qe0).

In most cases, one interface has the majority of addresses on it. For example, the Internet network interface in the network illustrated in the figure below has the most addresses, because it is the interface for all addresses except those in the Corp, ftp-www, and Sales networks.

Figure 4-3 SunScreen as Internet Firewall


Rather than enumerating all the addresses for the Internet, you can define the address group for the Internet address object to include all network addresses (*) and then exclude those that you do not want to be part of that address. In the example shown in the figure, you would define the Internet address object as an address group that includes all addresses except Corp, Sales, and ftp-www. You would then define which hosts, networks, or address groups are members of the Corp, Sales, and ftp-www addresses to exclude them from the Internet address group.
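As an added illustration of the include-then-exclude evaluation described earlier and of the Internet address group just defined, here is a small Python model (not SunScreen code; the object table is constructed sample data in the spirit of Figure 4-3) that resolves address objects the same way: all includes first, then all excludes, refusing mutually recursive groups.

```python
from ipaddress import IPv4Address

# Constructed address objects in the spirit of Figure 4-3 (sample data, not the page's).
# HOST = one IP, RANGE = inclusive start/end, GROUP = (included names, excluded names).
OBJECTS = {
    "*": ("RANGE", "0.0.0.0", "255.255.255.255"),  # reserved: every IP address
    "ftp-www": ("HOST", "172.16.1.1"),
    "Corp": ("RANGE", "172.16.3.2", "172.16.3.255"),
    "Sales": ("RANGE", "172.16.4.0", "172.16.4.255"),
    "Corp-Printer": ("HOST", "172.16.3.99"),
    "Internet": ("GROUP", ["*"], ["Corp", "Sales", "ftp-www"]),
    # Corp-Printer is an explicit include yet ends up dropped: excludes run after includes.
    "Odd": ("GROUP", ["Corp-Printer", "Sales"], ["Corp"]),
}

def _merge(intervals):  # sort and coalesce overlapping/adjacent (start, end) intervals
    out = []
    for s, e in sorted(intervals):
        if out and s <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], e))
        else:
            out.append((s, e))
    return out
def _subtract(intervals, cuts):  # remove every address covered by `cuts`
    for cs, ce in cuts:
        kept = []
        for s, e in intervals:  # keep whatever lies left and/or right of the cut
            if s < cs:
                kept.append((s, min(e, cs - 1)))
            if e > ce:
                kept.append((max(s, ce + 1), e))
        intervals = kept
    return intervals
def resolve(name, objects=OBJECTS, _stack=()):  # -> merged (start, end) integer intervals
    if name in _stack:  # mutual membership is forbidden; refuse rather than recurse forever
        raise ValueError("self-referential address group: " + " -> ".join(_stack + (name,)))
    kind, *spec = objects[name]
    if kind in ("HOST", "RANGE"):  # a HOST is just a one-address range
        return [(int(IPv4Address(spec[0])), int(IPv4Address(spec[-1])))]
    includes, excludes = spec
    stack = _stack + (name,)
    value = _merge([iv for m in includes for iv in resolve(m, objects, stack)])  # step 1: all includes
    for m in excludes:  # step 2: every exclude, only after every include
        value = _subtract(value, resolve(m, objects, stack))
    return _merge(value)
def contains(name, ip, objects=OBJECTS):
    return any(s <= int(IPv4Address(ip)) <= e for s, e in resolve(name, objects))
def show(name, objects=OBJECTS):  # dotted-quad view of resolve()
    return [f"{IPv4Address(s)}-{IPv4Address(e)}" for s, e in resolve(name, objects)]
```

Resolving "Internet" yields everything except the three excluded objects, while "Odd" shows why an address you include explicitly can still vanish if an exclude covers it.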