SunScreen 3.2 Administrator's Overview
Book Information
Preface
Chapter 1 SunScreen Overview
What Is SunScreen?
Software and Hardware Requirements
Required Patches
Java Plug-In Software
Compatibility With Other SunScreen Products
SunScreen Lite
Supported Features
Limitations
Online Help and Documentation
Chapter 2 SunScreen Concepts
Why Use SunScreen?
A Sample SunScreen Network Map
How SunScreen Works
Routing and Stealth Mode Interfaces
Routing Mode Interface
Stealth Mode Interface
Hardening the OS
Administration
Local Administration
Remote Administration
Locating the SunScreen Screen
Security Policy
Configuration
Stateful Packet Filtering
Centralized Management Group
Network Address Translation (NAT)
Tunneling and Virtual Private Networks (VPN)
High Availability (HA)
Encryption
Logging
Proxies
Event Logging With Proxies
IPsec/IKE
Internet Key Exchange (IKE)
SunScreen IPsec Configuration
Chapter 3 Packet Filtering
SunScreen Model
Stateful Packet Filtering
Inbound Packet Rule Checking
Outbound Packet Rule Checking
Policy Rules
Sequence of Rules
Services and Service Groups in Rules
Rule Syntax
Example of a Rule Configuration
Policy Versions
Chapter 4 Common Objects
Service Object
Single Service
Service Group
Address Object
Host Address
Address Range
Address Group
Designing an Addressing Scheme
Screen Object
Miscellaneous Parameters
SNMP Information
HA and CMG Parameters
Mail Proxy Configuration
Interface Object
Routing Interface
Stealth Interface
Admin Interface
Routing and Stealth Interfaces on a Single Screen
HA Interface
Disabled Interface
authuser Object
Time Object
proxyuser Object
Jar Signature Object
Jar Hash Object
Certificate Object
Single Certificate
Certificate Group
IPsec Key Object
Administration GUI Limitations
Chapter 5 Administration
Administering the Screen
Local Administration
Remote Administration
Centralized Management Group
Logging
Common Objects Used in Centralized Administration
Creating Common Objects and Policies for Multiple Screens
Interface Objects
Policies
Chapter 6 Encryption, Tunneling, and Virtual Private Networks
Encryption and Decryption
How SunScreen Uses Encryption
Packet Examination
Tunneling
Using IKE With SunScreen
IKE Options
IKE Certificates
Pre-Shared Option
Certificate Options
IKE Policy Rules
IKE Policy Rule Syntax
Defining a VPN
Adding a VPN Rule
VPN Limitations
Chapter 7 Network Address Translation
Network Address Translation
NAT Rules
Static NAT
One-to-One Translations
Address Range to Another Address Range
Dynamic NAT
Dynamic NAT Collisions
Choosing NAT Addresses
NAT Examples
Example One
Example Two
Scenario 1: DMZ Uses Registered Addresses
Scenario 2: DMZ Uses NAT Addresses
Routing Interface Examples
Stealth Interface Examples
Applying NAT
Chapter 8 High Availability
Why High Availability?
Hardware Requirements
SunScreen HA Definitions
SunScreen HA Configurations
Basic SunScreen HA in Routing Mode
Remotely Administered SunScreen HA Configuration in Routing or Stealth Mode
Services Allowed on The HA and ADMIN Interfaces
Administering the Secondary Screen
HA Using Switches
HA Network Connections and Failovers
Configuring HA
Administering HA
Chapter 9 Authentication
User Authentication
User Identification
Authorized User
Defining an Authorized User Object
Creating an Authorized User Object
Example: Displaying An Authorized User
Examples: Creating Authorized User Objects
Authorized User Authentication Processing Logic
Administrative User
Proxy Users
Defining a Proxy User Object
Creating a Proxy User Object
Examples: Displaying, Creating, Adding, Removing Proxy User Objects
Proxy User Processing Logic
Null Authentication
Referenced Authorized User Authentication
SPECIAL External Method Authentication
User Access Control Processing Logic
RADIUS User Authentication Details
RADIUS Server Configuration
RADIUS Node Secret Configuration
Typical RADIUS Configuration
Examples: Typical RADIUS Configurations
Other vars for RADIUS Configuration
Other RADIUS Protocol Notes
RADIUS Testing
RADIUS Usage
SecurID User Authentication Processing Details
ACE/Client, ACE/Agent, and the SunScreen Stub Client
SecurID ACE/Agent
SecurID Stub Client
SecurID Access Paths
SecurID PIN Establishment
Typical SecurID Configuration
Examples: SecurID Configurations
Other SecurID Details
SecurID Usage
Chapter 10 Proxies
SunScreen Proxies
How Proxies Work
Policy Rule Matching
Proxy User Authentication
Proxy Limitations
Automatically-Saved Common Objects
FTP Proxy
FTP Proxy Operation
FTP Proxy and Anonymous FTP
FTP Proxy Use
Other FTP Proxy Issues
HTTP Proxy
HTTP Proxy Port Restrictions
HTTP Proxy Access for ftp://
HTTP Proxy User Authentication
HTTP Proxy Operation
Java Virtual Machine (JVM)
Jar Hashes and Signatures
Jar Hashes
Jar Signatures
HTTP Proxy Limitations
SMTP Proxy
SMTP Proxy Operation
Spam Control
Examples
Relay Control
Other Mail Configuration Issues
SMTP Proxy Rules
Telnet Proxy
Telnet Proxy Operation
Other Telnet Proxy Issues
Telnet Proxy Use
Using Encryption With Proxies
VirusWall Content Scanning
HTTP Proxy Access to VirusWall
VirusWallServerHTTP Variable
scan.0 Variable
HTTP Access Rules
SMTP Proxy Access to VirusWall
VirusWallServerSMTP Variable
scan.0 Variable
SMTP Access Rules
VirusWall Setup Issues
Chapter 11 Logging
Packet Logging
Logging Limitations
Log File Locations
Configuring Traffic Log Size
Configuring the Global Default Log Size
Examples: Setting or Displaying the Global Default Log File Size
Configuring the Log Size for a Specific Screen
Examples: Displaying and Setting the Log File Size
Configuring Events to be Logged
Network Traffic (Packet)
Network Session Summaries
Extended Events
Size of Logged Items
Level of Logging
Configuring Log Event Limiters
Examples: Manipulating Log Limiters
Log Retrieval and Clearing
Examples: get, clear, get_and_clear
Log Statistics
ssadm logstats Subcommand
Log Inspection and Browsing
Log Filters and the logdump Command
Examples: logdump Command
logdump Extensions
SunScreen welfmt Utility
HTTP Proxy Header Logging
Logged Network Packet Enhancements
General Event Type Enhancements
Log Record Format
Extended Log Event Enhancements
Log Filtering Macros
Displaying and Creating Log Macros
Examples: Log Macros on the Primary Screen
Examples: Log Macros on the Secondary Screen
Log Macro Name and Body
Listing Log Macros
Examples: Macro Definitions for the Primary Screen
Examples: Macro Definitions for the Secondary Screen
Log Macro Usage
Appendix A Migrating From Earlier SunScreen Firewall Products
Appendix B Configuration Editor Reference
What Is the Configuration Editor?
Save Not Required for Some Common Objects
Solaris (shell) Commands
ssadm
Executing an ssadm Command From a Local Screen
Executing an ssadm -r Command on a Remote Administration Station
ssadm Subcommands
ssadm Subcommand Summary
ssadm activate
ssadm active
ssadm algorithm
ssadm backup
ssadm certdb
ssadm certlocal
ssadm certrldb
ssadm configure
ssadm debug_level
ssadm edit
ssadm ha
ssadm lock
ssadm log
ssadm logdump
ssadm login
ssadm logout
ssadm logmacro
ssadm logstats
ssadm patch
ssadm policy
ssadm product
ssadm restore
ssadm spf2efs
ssadm sys_info
traffic_stats Subcommand
Unsupported Commands
ssadm lib/nattables
ssadm lib/screeninfo
ssadm lib/statetables -f
ssadm lib/support
ss_client
ssadm SKIP Commands
Configuration Editor
Configuration Editor Data Model
Configuration Editor Subcommands
add
add address
add screen
add service
add interface
add certificate
add key
add time
add rule
add nat
add accesslocal
add accessremote
add vpngateway
add_member
authuser
delete
delete_member
insert
jar_hash
jar_sig
list
list_name
load
lock
lock_status
search
move
replace
refer
referlist
rename
renamereference
save
saveas
reload
verify
mail_relay
mail_spam
proxyuser
vars
quit
QUIT
Network Monitoring and Maintenance
Using the ssadm logdump Command
Using the ssadm debug_level Command
Gathering Information From Your System to Report Support Issues
Appendix C Services and State Engines
Standard Services
* Service
ah Service
archie Service
CoolTalk Service
dns Service
esp Service
ftp Service
ICMP Packets
icmp Service
IP Packets
ip Services
ipsec Service
isakmp Service
ipv6 tunnel Service
nfs readonly Service
ntp Service
realaudio Service
rip Service
rpc Service
smtp (Electronic Mail) Service
sqlnet Service
TCP Services
traceroute Service
tsolpeerinfo Service
UDP Services
VDOLive Service
www (World-Wide-Web Access) Service
Network Service Groups
State Engines
Characteristics of State Engines
dns State Engine
ether State Engine
Ethernet II -- Common name: Ethernet
Ethernet 802.3 -- Common name: "Raw" 802.3
Ethernet 802.2 -- Common name: 802.3
Ethernet SNAP -- Common name: 802.3/SNAP or 802.3/802.2/SNAP
How SunScreen Checks the type Field
Example: Passing IPX Packets Between Host A and Host C
ftp State Engine
icmp State Engine
ip State Engine
ipfwd State Engine
ipmobile State Engine
iptunnel State Engine
nis State Engine
ntp State Engine
ping State Engine
pmap_nis State Engine
pmap_tcp State Engine
pmap_udp State Engine
realaudio State Engine
rpc_tcp State Engine
rpc_udp State Engine
rsh State Engine
sqlnet State Engine
tcp State Engine
tcp_keepalive State Engine
tcpall State Engine
udp State Engine
udpall State Engine
udp_datagram State Engine
udp_stateless State Engine
Appendix D Error Messages
Error Messages From ssadm edit
Error Messages From ssadm activate
Error Messages From ssadm lock
Appendix E Logged Packet Reasons
Why Codes
Glossary
Index
© 2010, Oracle Corporation and/or its affiliates