Chapter 4 Configuring a Stealth Mode Screen

A Screen running in routing mode filters packets passing between subnets on a Solaris system configured as a router. A Screen in stealth mode differs from routing mode in that it partitions a single subnet into two or more parts and filters packets passing between them.

Typically, SunScreen in stealth mode provides you with the following features:

• Filtering interfaces on stealth Screens do not have an IP address.

  Because no IP protocol stack is associated with the filtering interfaces, the Screen is invisible to the network. Therefore, it is very difficult for a potential attacker to know the firewall exists.

  Conceptually, a Screen running in stealth mode is like a bridge that filters IP addresses rather than media access control (MAC) addresses.

• Partitioning a single subnet.

  Each of the filtering interfaces has the identical IP subnet. Because a stealth Screen is not a router, it cannot connect to or pass packets between different subnets. Stealth mode uses Ethernet interfaces only.

  There is no need to reconfigure the hosts where the stealth Screen is inserted into a single subnet. The hosts on this subnet retain the same IP addresses they had before the stealth Screen was inserted.

• Optional hardening of the operating environment to increase the security on the system.

  Hardening of the operating environment removes packages and files from the Solaris operating environment that are not used by SunScreen. That is, hardening prevents network applications, such as telnet, from being configured.

  ---

  Caution -

  Hardening the operating environment is not reversible. To reverse the hardening requires that you to reinstall both the Solaris operating environment and the SunScreen software.

  ---

You should only plumb (configure) one network interface for use as the remote administration ADMIN interface. You set up your filtering interfaces as STEALTH type interfaces using SunScreen.

If you configure a network interface that you later set to stealth mode and the Screen hangs upon activation, reboot the Screen in single-user mode, remove the /etc/hostname.interface_name file (which unconfigures that interface), and reboot the Screen (follow the procedure for restoring proper operation as shown in the SunScreen Administrator's Overview).

Network Example

Figure 4-1 shows the Boston segment of the network. In this diagram, the administration interface is attached to the same subnet that the stealth Screen partitions (it can be attached to any subnet in the configuration). Screen, bos-screen1, does not pass packets between its filtering interfaces and the administration interface.

Figure 4-1 Boston Segment of the Sample Company Network

Stealth Mode Configuration

The stealth ADMIN interface is restricted to administration traffic over ports 3852 and 3953 only. Typically, this traffic is encrypted using SunScreen SKIP although it is also possible to use IKE. Either method requires the Screen and Administration Stations to have certificates. SunScreen supports:

• Self-signed certificates (that is, Unsigned Diffie-Hellman [UDH] SKIP certificates and X.509 IKE certificates.)

• Certificates signed by certification authority (CA).

See "Basic Encryption Configuration" in this manual and also the SunScreen 3.2 Administration Guide for more information on generating and using certificates.

Administrative access to the Screen is restricted to systems in a remote access rule using the SunScreen SKIP or IKE identity of that system for authentication. For SKIP, this remote access rule is configured as part of the Custom installation process. For IKE, you must explicitly configure this rule, see "Setting Up Remote Administration with IKE" for more information.

Prepare the Screen Machine

1. On the machine that will be the Screen, install the Solaris operating environment and configure a single interface to enable remote administration of the Screen from an Administration Station.

   In this example, you would configure an interface named le0 with the IP address of 192.168.1.3.

   The Screen is only able to resolve IP addresses using the administration interface. Since the Screen only needs to resolve the IP address of the Administration Station and any SNMP trap receivers, consider configuring /etc/nsswitch.conf only to use files for name resolution.

2. Install the recommended Solaris operating environment patches at this point, especially any Ethernet interface patches.

Set Up the Administration Station

1. On the Administration Station, install and configure the Administration Station software (For more details, see "Setting Up Remote Administration with SKIP" and "Setting Up Remote Administration with IKE".)

Install the Screen Software

1. On the Screen, install the SunScreen software as stealth mode.

2. Harden the Solaris operating environment (optional).

3. SKIP Only -- Add the Administration Station's certificate when prompted.

Finish the Administration Station

1. On the Administration Station, set up communication with the Screen.

   See "Enable Communication Between the Administration Station and the Screen" for a SKIP example .

2. Reboot the Administration Station and the Screen.

   ---

   Note -

   The Administration Station can only contact the Screen using the administration GUI or the command-line interface; you cannot use ping to test the connection to the Screen.

   ---

3. On the Administration Station, start a browser and connect to the Screen URL.

   In this example you would by type:

   http://192.168.1.3:3852

Finish the Screen

1. On the Screen, select the Screen object and define the network that the Screen partitions, as shown in Figure 4-2.

   ---

   Caution -

   Failure to do this step means the Screen will not work correctly.

   ---

   Figure 4-2 Network Address Used in the Example

   
   

2. Define the address objects you need to construct your rules.

   The network shown in this example requires the objects shown in the following table.

   Table 4-1 Example Address Object Definitions

   Name	TYPE	Details
   bos-ten-net	Range	10.0.2.0 to 10.0.2.255
   DMZ	Range	192.168.1.100 to 192.168.1.100
   192.168.1-private	Range	192.168.1.2 to 192.168.1.99
   192.168.1-public	Range	192.168.1.1 to 192.168.1.1
   Internal	Group	Include: {bos-ten-net 192.168.1-private} Exclude: {}
   Internet	Group	Include: {*}  Exclude: {Internal DMZ }
   hme0_grp	Group	Include: {DMZ} Exclude: {}
   hme1_grp	Group	Include: {Internal} Exclude: {}
   hme2_grp	Group	Include: {Internet} Exclude: {}

   The empty curly braces ({}) mean you exclude nothing. The last three objects are called the Interface Groups. These should contain all the IP addresses of all the hosts that can be reached from that interface. The Screen uses these groups to determine which interface to use when passing a packet.

   ---

   Note -

   Be sure the address groups do not overlap.

   ---

3. Define the stealth interfaces.

   In this example, you would define hme0, hme1, and hme2 as stealth interfaces. The following figure is an example for hme0.

   Figure 4-3 Stealth Interface Definitions

   
   

4. Define policy rules.

   These are the same type of Packet Filtering, NAT, and Encryption rules as you would use on a routing Screen.

5. Save and activate the policy.