SunScreen 3.2 Administrator's Overview

Defining a VPN

A VPN is a group of Screens that transfer encrypted data among themselves. A VPN simulates a private network using a public network, with IP-level encryption providing privacy.


Note -

A VPN object in SunScreen--called a "VPN" in this document--is not a virtual private network as generally defined in the firewall industry. It is a mechanism for implementing SunScreen's version of a VPN.


After a VPN has been defined, you can refer to it when adding rules to your security policy. This means you can define your security policy with fewer rules. The system automatically generates the multiple rules that the VPN defines.

In defining a VPN:

When defining a VPN gateway object, which is a list of Screens, specify the following information:


Note -

See ssadm-rule(1m) for information about VPNs using IPsec/IKE.


The site shown in Figure 6-3 has ten Screens. One of the systems protected by each Screen is a mail server. Assume that your security policy allows the exchange of encrypted mail between all these mail servers and you want to define rules to allow SMTP between all of the mail servers.

Figure 6-3 Sample Ten-Network Site


Without a VPN, you must define nine rules on each Screen so that its mail server can send encrypted mail to the other nine mail servers. Because you have ten mail servers, you must define a total of 90 rules. If, instead, you defined a VPN, you only need a single rule: one that allows the mail servers to send mail to the other mail servers using the VPN. Because you have ten Screens in the VPN, you must define ten VPN gateway entries.

Looking at this example in detail, the figure below shows the configuration. In this example, the name for the VPN is "ourVPN." The Screens are labeled Screen1 through Screen10. The mail servers behind them are labeled mail1 through mail10 and are part of network1 through network10.

Once you have defined the VPN objects, as shown in the figure below, you can use the VPN in any rule. Select VPN as the action for the data between the sender and the SMTP server, and specify the name of the VPN.

Figure 6-4 VPN Tab with VPN Entries


Adding a VPN Rule

Assuming an address group named MailServers containing all the mail servers exchanging encrypted mail, define the rule in the Rule Definition dialog box shown in the figure below.

Figure 6-5 Completed Rule Definition Dialog Box for the VPN Rule


The VPN rule appears on the Packet Filtering tab of the Policy Rules page. Because rules take effect in the order in which they are listed, the more restrictive a rule is, the earlier it should appear in the list. The more restrictive VPN rule is therefore placed before the more general rule and takes effect first.
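The following is an added example, not code from SunScreen or from this manual. It is a small Python model of the two points made above: the 90 pairwise rules that a single VPN rule stands in for at a ten-Screen site (the count worked out after Figure 6-3), and why the more restrictive VPN rule must be listed before a more general rule when rules take effect in order. The Screen names, the MailServers address group, the "ourVPN" name and the general inbound-SMTP rule are constructed for the example; the rule and action representation is a simplification, not SunScreen's policy format.

```python
"""Added example (not SunScreen's own code): a toy model of how one VPN rule
stands in for the pairwise rules you would otherwise write, and why the more
restrictive rule must be listed first when rules are applied in order.
All Screen, host and group names below are constructed for the example."""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Rule:
    src: str       # host name or address-group name; "*" means any
    dst: str
    service: str   # e.g. "smtp"
    action: str    # e.g. "ALLOW", "VPN ourVPN"


# Constructed site: ten Screens in VPN "ourVPN", one mail server behind each.
VPN_GATEWAYS = {"ourVPN": [f"Screen{i}" for i in range(1, 11)]}
ADDRESS_GROUPS = {"MailServers": [f"mail{i}" for i in range(1, 11)]}


def expand_vpn(vpn_name, gateways):
    """Rules the VPN object stands in for: one encrypted SMTP rule for every
    ordered pair of gateways, since each Screen must reach the other N-1."""
    return [Rule(a, b, "smtp", f"ENCRYPT to {b} via {vpn_name}")
            for a, b in permutations(gateways, 2)]


def rule_count_comparison(vpn_name):
    """(rules needed without a VPN, rules with a VPN, gateway entries with a VPN)."""
    gateways = VPN_GATEWAYS[vpn_name]
    return len(expand_vpn(vpn_name, gateways)), 1, len(gateways)


def _in_set(name, host, groups):
    return name == "*" or host in groups.get(name, [name])


def matches(rule, src, dst, service, groups=ADDRESS_GROUPS):
    return (_in_set(rule.src, src, groups) and _in_set(rule.dst, dst, groups)
            and rule.service == service)


def first_match(policy, src, dst, service, groups=ADDRESS_GROUPS):
    """Ordered evaluation: the first rule that matches decides. Returns
    (rule index, action); a flow no rule matches falls to an implicit DENY."""
    for idx, rule in enumerate(policy):
        if matches(rule, src, dst, service, groups):
            return idx, rule.action
    return None, "DENY"


def shadowed_rules(policy, groups=ADDRESS_GROUPS):
    """Indexes of rules that an earlier rule already covers for every concrete
    source/destination in their scope, so they can never take effect."""
    out = []
    for i, later in enumerate(policy):
        srcs = groups.get(later.src, [later.src])
        dsts = groups.get(later.dst, [later.dst])
        if any(all(matches(e, s, d, later.service, groups) for s in srcs for d in dsts)
               for e in policy[:i]):
            out.append(i)
    return out


# The VPN rule from the text (restrictive: mail server to mail server only)
# and a broader constructed rule accepting inbound SMTP from anywhere in the clear.
VPN_RULE = Rule("MailServers", "MailServers", "smtp", "VPN ourVPN")
GENERAL_RULE = Rule("*", "MailServers", "smtp", "ALLOW")
GOOD_ORDER = [VPN_RULE, GENERAL_RULE]   # restrictive rule first
BAD_ORDER = [GENERAL_RULE, VPN_RULE]    # VPN rule can never fire

if __name__ == "__main__":
    print("rules without VPN / with VPN / gateway entries:", rule_count_comparison("ourVPN"))
    print("good order, mail3->mail7:", first_match(GOOD_ORDER, "mail3", "mail7", "smtp"))
    print("bad order,  mail3->mail7:", first_match(BAD_ORDER, "mail3", "mail7", "smtp"))
    print("shadowed rule indexes in bad order:", shadowed_rules(BAD_ORDER))
```

With the VPN rule first, mail between two mail servers hits the VPN action and an outside host still reaches the general rule; with the order reversed, the general rule matches the server-to-server flow first and the VPN rule is shadowed, so that mail would pass in the clear even though the VPN rule is present. The shadowed_rules check is the kind of review a practitioner can run over an ordered policy before loading it.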

Figure 6-6 VPN Rule


There is no limit to the number of VPNs to which a Screen can belong. For example, you can define two VPNs--one for encryption at 1024 bits, and one for encryption at 4096 bits. A single Screen can belong to both of those VPNs: one entry specifying the 1024-bit certificate, and the other specifying the 4096-bit certificate.

VPN Limitations

Currently, the VPN object has the following limitation: