SunScreen consists of two components: an Administration Station and a Screen. The two components can be installed on separate machines, with the Screen on one or more machines and another machine serving as a remote Administration Station, or they can be installed on a single machine for local administration of a Screen. If both components are installed on a single machine, the Administration Station can administer not only the local Screen but remote Screens as well.
The number of Screens and Administration Stations needed at a site depends on its network topology and security policies. Typically, one Screen is installed at each point where the network has direct public access that needs to be restricted. One or more Administration Stations can manage multiple Screens.
You typically choose whether to administer a Screen locally or remotely when you install the SunScreen software. You can add a remote Administration Station after the Screen software has been installed.
With remote administration, the software packages, including SunScreen SKIP, are installed on separate machines: the Administration Station packages on one machine and the Screen packages on another, as shown in FIGURE 2-2. SunScreen uses SunScreen SKIP to encrypt all communication between the remote Administration Station and the Screen.
In FIGURE 2-2, a remote Administration Station on the internal network administers the Screen located between the internal network and the Internet; this Screen is also the router between the two. A second remote Administration Station for the same Screen is located on the external network. Both Administration Stations must be configured to communicate with the Screen using encryption.
Local administration is performed on the same host where the Screen software is installed, as shown in FIGURE 2-3. Because administrative commands do not travel over a network, local administration does not require encrypted communication.
A Screen controls only the traffic that passes through it and must therefore be placed in the network so that the traffic you want to control passes through it. All packets entering or leaving the network you want to control must pass through that Screen.
FIGURE 2-3 shows a Screen dividing a network. In this case, the Screen is placed at the single boundary between the Internet and the corporate network; it controls the traffic between those two networks.
If multiple paths exist between the Internet and the corporate network, the Screen will not work properly, because, depending on the routing, traffic can pass through the Screen in one direction but bypass it in the reverse direction. To control the traffic on a network properly, both the incoming and the outgoing traffic of a connection must pass through the same Screen.
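The following simulation is an added example and is not SunScreen code; it models the multiple-path problem described above with a deliberately simplified stateful filter (permit flows the internal side opened, permit their replies, drop other inbound packets), which is an assumption about how a Screen tracks connections rather than a description of the SunScreen rule engine. The node names, port numbers and routing tables are constructed for the illustration. It plays the same two events (an internal-initiated handshake, then an unsolicited SYN from the Internet) over three routings: both directions through the Screen, replies routed around the Screen, and outbound traffic routed around the Screen.

```python
from dataclasses import dataclass

# Hypothetical node names used only by this simulation.
INTERNAL, INTERNET, SCREEN, BYPASS = "internal", "internet", "screen", "bypass-router"


@dataclass(frozen=True)
class Packet:
    src: str      # originating network: INTERNAL or INTERNET
    dst: str      # destination network
    sport: int
    dport: int
    flags: str    # TCP flag summary, e.g. "SYN" or "SYN-ACK"


class Screen:
    """Simplified stateful filter (assumption, not SunScreen's actual logic):
    permit flows the internal side opened, permit their replies, drop the rest."""

    def __init__(self):
        self.flows = set()   # (internal port, external port) pairs seen outbound
        self.seen = []       # every packet that actually crossed the Screen

    def filter(self, p):
        self.seen.append(p)
        if p.src == INTERNAL:
            self.flows.add((p.sport, p.dport))   # remember the outbound flow
            return "allow"
        if (p.dport, p.sport) in self.flows:     # reply to a tracked flow
            return "allow"
        return "drop"                            # unsolicited inbound packet


def deliver(p, routes, screen):
    """Forward p along the hop list routes[(src, dst)]. The Screen filters only
    when it is one of the hops on that path; otherwise the packet never sees it."""
    for hop in routes[(p.src, p.dst)]:
        if hop == SCREEN and screen.filter(p) == "drop":
            return "drop"
    return "allow"


def run_scenario(routes):
    """Play an internal-initiated handshake, then an unsolicited SYN from the
    Internet, and report the Screen's verdicts and how many packets it saw."""
    screen = Screen()
    out_syn = Packet(INTERNAL, INTERNET, 40000, 80, "SYN")
    reply = Packet(INTERNET, INTERNAL, 80, 40000, "SYN-ACK")
    attack = Packet(INTERNET, INTERNAL, 4444, 22, "SYN")
    deliver(out_syn, routes, screen)
    return {
        "legit_reply": deliver(reply, routes, screen),
        "unsolicited_syn": deliver(attack, routes, screen),
        "packets_seen_by_screen": len(screen.seen),
    }


# Single boundary: both directions cross the Screen.
SYMMETRIC = {(INTERNAL, INTERNET): [SCREEN], (INTERNET, INTERNAL): [SCREEN]}
# A second path exists and return traffic is routed around the Screen.
REPLIES_BYPASS = {(INTERNAL, INTERNET): [SCREEN], (INTERNET, INTERNAL): [BYPASS]}
# A second path exists and outbound traffic is routed around the Screen.
OUTBOUND_BYPASS = {(INTERNAL, INTERNET): [BYPASS], (INTERNET, INTERNAL): [SCREEN]}

if __name__ == "__main__":
    for name, routes in [("symmetric", SYMMETRIC),
                         ("replies bypass", REPLIES_BYPASS),
                         ("outbound bypass", OUTBOUND_BYPASS)]:
        print(name, run_scenario(routes))
```

With the symmetric routing the reply is allowed and the unsolicited SYN is dropped. When replies bypass the Screen, the unsolicited SYN reaches the internal host unfiltered and the Screen sees only one of the three packets. When outbound traffic bypasses the Screen, the Screen has no state for the flow and drops the legitimate SYN-ACK, breaking the internal host's connection. Either way the policy is not enforced, which is why both directions of a connection must traverse the same Screen.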
FIGURE 2-4 shows a network divided into several pieces by the Screen.
Like the example in FIGURE 2-3, two of these networks are the Internet and the company's network. In this example, however, the network is further divided into one or more demilitarized zones (DMZs) where public services reside. The advantage of dividing the network into one or more DMZs is that even if a system on a DMZ is compromised, the traffic from that system must still pass through the Screen