SunScreen 3.2 Administrator's Overview

Administering the Screen

SunScreen has two types of components for administration: a Screen and an Administration Station. The two components can be installed separately and remotely or they can be installed locally on a single system.

You can administer Screens either through the administration GUI or through the command line. See the SunScreen 3.2 Administration Guide for GUI procedures and Appendix B, Configuration Editor Reference for information about the command line.

You typically choose whether to administer a Screen locally or remotely when you create the initial SunScreen configuration. You can also add a remote Administration Station after the SunScreen software has been installed. A system that is being administered remotely can be headless (no monitor) and have no keyboard.

The number of Screens and Administration Stations needed at a site depends on its network topology and security policies. Typically, one Screen is installed at each location where the network has direct public access that needs to be restricted. One or more Administration Stations can manage multiple Screens.

Object definitions, policies, logs, and similar data reside on the Screen(s). Log macros and the logs themselves reside on all Screens (master, slave, primary, secondary). All other configuration information resides only on the master Screen in a CMG. Multiple Administration Stations have equal and uniform access to the same configuration information, which allows for multiple administrators, mobile administration, and other flexibility advantages. Once logs are downloaded (through the log browser and/or the command-line log manipulation tools), their accessibility is outside the provisions of the SunScreen management model. The administrative organization, access control, policies and procedures, and log retrieval, analysis, and archival should be carefully planned and articulated to users.

Local Administration

Local administration is performed on the same host where the Screen software is installed, as shown in the figure below. Because administrative commands do not travel over a network, local administration does not require encrypted communication.

Figure 5-1 Local Administration of a Screen in Routing Mode

Remote Administration

For remote administration of a Screen from an Administration Station, install the software packages, including SunScreen SKIP and/or IKE, on separate systems, as shown in the figure below. In the figure, a remote Administration Station on the internal network administers the Screen located between the internal network and the Internet. This Screen is the router between the internal network and the Internet. A second remote Administration Station for this Screen is located on the external network. Note that communication between a remote Administration Station and a Screen must be encrypted.

Figure 5-2 Remote Administration From an Administration Station to a Screen in Routing Mode