SunScreen 3.2 offers the following enhancements:
Support for the Trusted Solaris 8 and Solaris 9 operating environments.
Support for IPsec, the IETF standard security protocols for data privacy and authentication. Cryptographic keys can be configured manually or configured using IKE (Internet Key Exchange).
IKE includes the following capabilities:
Support for SunScreen IKE protocol for automatic algorithm and key exchange.
If you are using Trusted Solaris 8, IKE and IPsec require the Solaris SUNWcryr and SUNWcryrx packages that contain encryption modules. You must download these packages from: www.sun.com/software/solaris/encryption/download.html.
If you are using Solaris 9, DES and 3DES cryptographic support is bundled with the operating environment. However, if you need more support (for AES, for example), you must also install the cryptography packages.
Support for IKE with the centralized management group feature.
Support for IKE between a Windows 2000 system and a Screen using pre-shared keys or CA-signed certificates.
Support for IKE between a Screen and a Windows 2000 system acting as a remote Administration Station using CA-issued certificates.
For background information on IKE, see the SunScreen 3.2 Administrators Overview. For step-by-step instructions on performing IKE-related tasks, see the SunScreen 3.2 Administrators Guide. For network examples using IKE, see the SunScreen 3.2 Configuration Examples manual.
SunScreen SKIP 128-bit encryption as the default (SunScreen SKIP, release 1.5.1).
An updated installer developed to meet Solaris software requirements.
Updated packaging that makes graphical user interface (GUI) and encryption software installations optional.
Spoof detection is more robust and configurable.
Enhanced performance for transmission control protocol (TCP), user datagram protocol (UDP), and network address translation (NAT).
Support for Destination Address Checking, which is used to detect certain kinds of routing misconfigurations and misbehaving applications.
Blocks IPv6 interfaces.
SunScreen identifies IPv6 interfaces when they are plumbed and blocks those interfaces configured for use by SunScreen from passing IPv6 packets through the firewall.
Support for tcp_keepalive state engine.
Supports overlap of interface address groups (used for IPMP, and so forth).
Support for up to 15 stealth interfaces and virtually unlimited routing interfaces.
Support for SNMP alerts and logging of HA events, specifically HA failover.
Support for fault-tolerant pnet interfaces.
This interface is used with the Netra ft1800. Modifications were made to the startup scripts to successfully and securely plumb the interface of the Netra ft1800.
Support for generating WebTrends Enhanced Log Format (WELF) log files using the SunScreen welfmt utility.
The SunScreen welfmt program reads a SunScreen binary log file and generates an ASCII log file to WELF standards. WebTrends Firewall Suite (WFS) produces various reports from the SunScreen WELF log files on such topics as bandwidth usage, protocol distribution, email and Web activity, FTP transfers, and Telnet sessions.
WFS is a third-party product from WebTrends. If it is already loaded on your system, ensure you are using version 3.0 or later.