2.1. Sun Ray Clients

This section describes the security benefits provided by the Sun Ray Clients.

2.1.1. Fiber Ethernet Connections

Both the Sun Ray 2FS Client and the Sun Ray 3 Plus Client provide fiber ethernet capabilities, which provide an additional security benefit over copper-based ethernet. Fiber cable does not generate radiated emissions along the length of the wire, so fiber cable is more difficult to tap than copper-based cable.

The Sun Ray 2FS Client has a built-in 100-FX port and the Sun Ray 3 Plus Client has an SFP (Small Form-factor Pluggable) network module slot. The SFP slot on the Sun Ray 3 Plus Client can accept a third-party module supporting a variety of commercial 1 Gb or 100 Mb optical fiber SFP network modules. See the Sun Ray 3 Series Clients Product Guide for details.

2.1.2. 802.1x Authentication

With the 802.1x authentication feature, you can configure Sun Ray Clients to provide proper credentials to successfully authenticate and gain access to the local area network under 802.1x access control. Sun Ray Clients support the Extensible Authentication Protocol Modes: MD5, TLS, MSCHAPV2, PEAP, TTLS, GTC, and OTP.

See 802.1x Authentication in the Administration Guide for details.

2.1.3. Built-in Virtual Private Network (VPN)

Sun Ray Clients can be located anywhere. If they are located outside the corporate network, their built-in VPN capabilities make it more difficult for network traffic to be intercepted.

The IPsec capability in the Sun Ray Client firmware enables the Sun Ray Client to act as a VPN endpoint device. The most commonly used encryption, authentication, and key exchange mechanisms are supported, along with Cisco extensions that enable a Sun Ray Client to interoperate with Cisco gateways that support the Cisco EzVPN protocol. Sun Ray Clients currently support IPSec VPN concentrators from Cisco and Netscreen (Juniper). See VPN Support in the Administration Guide for details.

2.1.4. IPsec

Beyond the IPsec capability to make Sun Ray Client as a VPN endpoint device, Sun Ray Software also supports IPsec to provide high quality, cryptographically-based security between Sun Ray Clients and Sun Ray servers. After configuring and enabling IPsec on the Sun Ray server and the Sun Ray Client, the Sun Ray Client will negotiate a secure end-to-end IPsec tunnel with the Sun Ray server before interacting with Sun Ray services on the server.

The Sun Ray Software implementation of IPsec is incorporated into the Sun Ray Client firmware. The Sun Ray Client will always be the initiator of a connection, so it does not have to respond to inbound connection requests. This type of negotiation is similar to the current IPsec VPN behavior, where IPsec is established with a VPN gateway before Sun Ray services are invoked. However, both IPsec implementations require different configurations.

See IPsec Support in the Administration Guide for details.

2.1.5. Firmware Update Authentication

The Sun Ray Operating Software (firmware) images for the Sun Ray Clients are digitally signed. Because the Sun Ray Client verifies the firmware signature as part of the firmware update process, the client will not accept an image that has been tampered with. This minimizes the chance of installing firmware that can compromise the Sun Ray Client.

To gain the latest features and security enhancements, you should always update your site's Sun Ray Clients with the latest Sun Ray Operating Software.