Operating SunScreen EFS 3.0 in stealth mode acts much like a bridge in that no IP interfaces are exposed to the public or private network, and packets are transparently passed through the Screen. When operating in stealth mode, the firewall cannot be directly attacked through any means other than a denial of service attack, and cannot be seen or detected through traceroute or similar network tools.
Prior to beginning the procedure that follows, configure only the network interface that will be used for remote administration. See the documentation accompanying the Solaris operating environment, if needed.
In this procedure, you will be asked if you want to harden the Screen. Hardening is optional and, if chosen, is an automated removal of Solaris files and packages which might otherwise make the Screen vulnerable to an attack. Once you have hardened your Screen, it becomes a dedicated firewall and the machine cannot be used for another purpose without first reinstalling the Solaris operating environment.
The following procedures explain how to install SunScreen EFS 3.0 in stealth mode using either self-generated or issued certificate technology.
This type of installation requires several steps to complete. You proceed in the following order:
Install the SunScreen Administration software on the Administration Station.
This step installs the required SKIP packages on the Administration Station. This is the first prerequisite to creating a secure method of communication between the Administration Station and the Screen. The use of SKIP technology enables encrypted communication between the two.
Install the Administration certificate on the Administration Station.
Install the SunScreen software on the Screen.
This procedure requires the Administration Station's certificate ID and installs the Screen's certificate.
Install the Screen's certificate ID on the Administration Station.
Start encrypted communication between the Administration Station and the Screen by enabling SKIP on the Administration Station.
The installation procedure requires that the machine be rebooted when indicated. Do not perform any other tasks on the machine while installing the software, as a delay in rebooting the machine may affect installation and cause your system to hang.
Do not begin this procedure until you have read the information in Chapter 2.
Open a terminal window and become root.
Ensure that the OpenWindows(TM) File Manager is not running because it interferes with the operation of the volcheck command used for installation.
Insert the SunScreen EFS 3.0 CD-ROM into the CD-ROM drive.
Mount the CD-ROM by typing:
# volcheck
# /cdrom/cdrom0/adminInstaller
Due to late software changes, the appearance of the installation wizards may differ slightly from that shown. Functionality and performance are not affected. The panels of the installation wizards can be resized, if needed.
The SunScreen EFS Admin Install's Welcome window appears, as shown in Figure 5-1.
Click Next to continue the installation process.
The Select Type of Install window appears. You are given two choices: Default Install and Custom Install. Default Install is the default.
The HotJava browser, version 1.1.5, is packaged on the SunScreen EFS 3.0 CD-ROM and is installed as part of the Default Install. If you do not want this installed, select Custom Install and deselect package SUNWdthj.
Select the type of install desired, and click Next.
The disk space on your machine is checked. An error message appears if you do not have enough disk space.
The Ready to Install window appears, as shown in Figure 5-2. The size of the packages to be installed is confirmed.
Click Install Now to continue the installation process.
The Installing window appears, as shown in Figure 5-3. The status bar shows the progress of the installation.
Click Next to complete the installation process.
An Installation Summary window appears, as shown in Figure 5-4.
Select Exit to complete the installation process using the installation wizard.
The installation wizard disappears.
Set the PATH and MANPATH by editing your shell initialization file (such as the .profile or .login file).
Eject the CD-ROM from the CD-ROM drive by typing
# eject cdrom0
Install any SKIP upgrades (Export Controlled [1024-bit] or U.S. and Canada Use Only [2048-bit] keys) as instructed in the documentation that is included with the SKIP upgrade CD-ROM.
Reboot to complete installation by typing:
# sync; init 6
The software packages have been installed. You continue the installation process on the machine that is the Administration Station.
You now return to the Administration Station and proceed with "To Set the PATH, Install SKIP Upgrades, and Display the AdminSetup.readme File".
The procedure to install the software on the Screen when using Issued Certificates is nearly identical to the previous procedure, which used Self-Generated Certificates. The difference is only that your certificates are contained on diskette instead of being self-generated, and they must be installed when the Select Certificate Window appears.
To install the software on the Screen when using Issued Certificates, follow the instructions contained in the procedure, "To Install The Software on the Administration Station". When the Select Certificate Type window appears, select Issued Certificate and follow the procedure below. Once the certificates are installed, return to the previous procedure and resume with Step 17.
To do this procedure, you need the Key and Certificate diskette.
From the Select Certificate Type window, select Issued Certificates and click Next.
The Select Certificate window is shown in Figure 5-5. The Issued Certificate Key Diskettes window appears next, as shown in Figure 5-6.
Insert the Key and Certificate diskette and click Read Diskette.
Wait until the Issued Certificate ID appears at the bottom of the window, as shown in Figure 5-7.
Write down the certificate ID, which is eight characters long, and click Next.
The Issued Certificate Key Diskettes window appears, as shown in Figure 5-8.
Insert the Screen's Certificate ID diskette into the floppy drive and click the Read Diskette button.
The Issued Certificate ID appears at the bottom of the window.
Write down the Screen's certificate ID, which is eight characters long, and click Next.
The Select Initial Security Level Window appears.
Complete installation on the Screen by following the instructions in the previous procedure, "To Install The Software on the Administration Station". Resume with Step 17.
On the Screen, open a terminal window and become root, if not already.
Set the PATH and MANPATH by editing your shell initialization file (such as .profile or .login file).
Install any SKIP upgrades (Export Controlled [1024-bit] or U.S. and Canada Use Only [2048-bit] keys) as instructed in the documentation that is included with the SKIP upgrade CD-ROM.
To display the AdminSetup.readme file, in a terminal window type:
# more /etc/opt/SUNWicg/SunScreen/AdminSetup.readme
The AdminSetup.readme file contains the Screen's certificate ID as well as the command you run to give the Administration Station the Screen's certificate ID, as shown in Figure 5-9. Write down this command, which begins with skiphost -a, for later use.
Eject the CD-ROM by typing:
# eject cdrom0
If SKIP upgrades were installed, reboot the Screen by typing:
# sync; init 6
You now return to the Administration Station to complete SKIP configuration. Proceed to "Using SKIP for Encrypted Communication".
To obtain encrypted communication between the Administration Station and the Screen, certificates must be installed on both machines. This can be done by either using self-generated certificates or by installing issued certificates. Both methods are done on the Administration Station.
If you are using self-generated certificates, use Option 1. If you are using issued certificates, use Option 2.
Open a terminal window and create the required SKIP directories by typing:
# skiplocal -i
Create the self-generated certificate on the Administration Station by typing:
# skiplocal -k -f -V
The local certificate ID appears, as shown in Figure 5-10. It is the Administration Station's 32-character certificate ID (MKID).
Write down the certificate ID, which begins with 0x.
Add SKIP to all the interfaces by typing:
# skipif -a
Reboot to complete the installation by typing:
# sync; init 6
The Administration Station's certificate ID has been generated. You next move to the Screen to install the SunScreen software. Continue to the section, "Installing the Software on the Screen".
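The following script is an added example, not part of the SunScreen EFS 3.0 documentation or the SKIP tools: it runs the Option 1 commands above on the Administration Station, performs the root and File Manager checks the text asks for, and validates and records the MKID instead of relying on a hand-copied value. It assumes the File Manager runs as a process named filemgr, that skiplocal -k -f -V prints the certificate ID as a single 0x-prefixed token, that an MKID is 0x followed by 32 hexadecimal digits, and a save path of /var/tmp/adminstation.mkid; none of these are stated on the page.

```shell
#!/bin/sh
# Added example, not part of the SunScreen EFS 3.0 documentation: runs the
# Option 1 steps on the Administration Station and validates/records the
# MKID. Assumptions (mine): OpenWindows File Manager runs as "filemgr",
# "skiplocal -k -f -V" prints the ID as one 0x-prefixed token, and an MKID
# is "0x" followed by 32 hexadecimal digits.

MKID_FILE=/var/tmp/adminstation.mkid   # assumed path for the saved ID

# check_mkid ID: return 0 if ID has the assumed MKID shape, 1 otherwise.
check_mkid() {
    case "$1" in
        0x*) ;;                            # must begin with 0x
        *) return 1 ;;
    esac
    hex=${1#0x}
    [ "${#hex}" -eq 32 ] || return 1       # exactly 32 digits after 0x
    case "$hex" in
        *[!0-9a-fA-F]*) return 1 ;;        # reject non-hexadecimal digits
    esac
    return 0
}

# extract_mkid TEXT: print the first whitespace-separated 0x token in TEXT.
extract_mkid() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^0x/) { print $i; exit } }'
}

# setup_selfgen_skip: the Option 1 procedure with the checks the text asks for.
# Not run automatically; call it from a root shell, then reboot as instructed.
setup_selfgen_skip() {
    [ "$(id | sed 's/^uid=\([0-9]*\).*/\1/')" -eq 0 ] ||
        { echo "become root first" >&2; return 1; }
    if pgrep filemgr >/dev/null 2>&1; then
        echo "close the OpenWindows File Manager first" >&2; return 1
    fi
    skiplocal -i || return 1               # create the SKIP directories
    out=$(skiplocal -k -f -V) || return 1  # generate the self-generated certificate
    mkid=$(extract_mkid "$out")
    check_mkid "$mkid" ||
        { echo "no 32-digit MKID found in skiplocal output" >&2; return 1; }
    printf '%s\n' "$mkid" > "$MKID_FILE" && chmod 600 "$MKID_FILE"
    echo "Administration Station MKID: $mkid (saved to $MKID_FILE)"
    skipif -a || return 1                  # add SKIP to all interfaces
    echo "Now reboot: sync; init 6"
}
```

Source the file in a root shell and call setup_selfgen_skip; the saved MKID file is what you later compare against the value you enter on the Screen.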
To do this procedure, you will need the Key and Certificate diskette.
Open a terminal window on the Administration Station and become root.
Ensure that the OpenWindows File Manager is not running because it interferes with the operation of the volcheck command used for installation.
Create the required SKIP directories by typing:
# skiplocal -i
Insert the Key and Certificate diskette into the Administration Station's floppy drive.
Mount the floppy by typing:
# volcheck
Install the SKIP keys by typing:
# install_skip_keys -icg /floppy/floppy0
Start the SKIP daemon by typing:
# skipd_restart
Eject the Key and Certificate diskette by typing:
# eject floppy0
Write down the certificate ID, which is eight characters long.
Add SKIP to all the interfaces by typing:
# skipif -a
Reboot to complete the installation by typing:
# sync; init 6
The Administration Station's certificate ID has been installed. You next move to the Screen to install the SunScreen software.