This chapter introduces SunScreen EFS 3.0 installation concepts.
Topics covered include:
What is SunScreen EFS 3.0
Operating the firewall in routing mode
Operating the firewall in stealth mode
Before installing SunScreen EFS 3.0
Upgrading from SunScreen EFS 1.1 or 2.0, to SunScreen EFS 3.0
Upgrading from SunScreen SPF-200 to SunScreen EFS 3.0
Converting from FireWall-1 to SunScreen EFS 3.0
Security issues
Software and hardware requirements
Online help and documentation
Installation problems
SunScreen EFS 3.0 software can be installed on a single machine (local administration) or on separate machines (remote administration).
Remote administration involves two components: the Screen and its Administration Station. Depending upon how you choose to deploy SunScreen EFS 3.0, the number of Screens and Administration Stations varies. You need a Screen at every point in the network where you want to restrict access. In the strictest sense, you need one Screen for each point in the network that has direct public access (usually one per site). One Administration Station can manage multiple Screens, although more Administration Stations can be installed for redundancy and ease of access. Encryption is used to protect administrative access and to limit management of a Screen to an authorized Administration Station.
SunScreen EFS 3.0 is a software security solution, which is installed on a Solaris-based machine. It lets companies connect their departmental networks to public internetworks securely. SunScreen EFS 3.0 functions as a firewall and router for hosts on the network it is protecting.
The Screen is the firewall responsible for screening packets. The Administration Station is used to define rules and to administer the Screen. The number of Screens and Administration Stations depends on your site's network topology and security policies.
Local administration means that administration of the Screen is conducted on the Screen itself, as shown in Figure 1-1. Because the administrative processes execute on the Screen, no administration traffic crosses the network, and local administration therefore neither requires nor uses encryption.
Remote administration means that administration of the Screen is conducted on an Administration Station, which is a separate machine from the Screen, as shown in Figure 1-2. Remote administration uses encrypted communication between the Screen and Administration Station to protect access and to limit the management of a Screen to an authorized Administration Station. The administration traffic is encrypted, so the security policy in force on the Screen cannot be learned by anyone observing the link.
The Screen may be both headless and keyboardless, and communicates with the Administration Station through a TCP/IP interface that need not be exposed to the Internet (although it may be exposed to the local network, depending on the topology you use, and your choice of operating in stealth or routing mode).
Operate SunScreen EFS 3.0 in routing mode if you need routing functions in addition to firewall capabilities. In this mode, SunScreen EFS 3.0 operates as both a router and a firewall, with at least two exposed IP interfaces, and a hop visible to traceroute and other network utilities. Be aware that your firewall is visible when operating in routing mode, and you have a slightly greater exposure to attack than when operating in stealth mode.
Key differences when operating SunScreen EFS 3.0 in routing, rather than stealth, mode:
The existing Solaris machine must be acting as a router.
It makes use of the Solaris IP stack on the filtering interfaces, so it does not possess stealth characteristics.
It provides IP routing.
Like any router, it must separate distinct IP networks (subnets) on its interfaces.
Adding a SunScreen to your network may therefore require re-numbering IP addresses on your hosts, if you did not already have a router at the point where the SunScreen is being placed.
Operate SunScreen EFS 3.0 in stealth mode if you do not need routing functions, or if you want to decrease possibilities for attacks. In stealth mode, SunScreen EFS 3.0 acts much like a bridge in that no IP interfaces are exposed on the filtering interfaces to the public or private network, and packets are transparently passed through the Screen. Because the filtering interfaces present no IP address, the Screen cannot be seen or detected through traceroute or similar network tools, and the remaining attack surface on those interfaces is limited to denial of service. Note that an interface configured for remote administration does carry an IP address and should be kept on a protected network.
Key differences when operating SunScreen EFS in stealth, rather than routing, mode:
Acts as a bridge, not a router.
Configure only the network interface you plan on using for remote administration.
Configuration of additional network interfaces may result in a non-operational Screen.
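The interface-count rule above is easy to get wrong on a host that was previously used for something else. The following script is an added example, not part of the SunScreen EFS 3.0 product or its documentation: a pre-install sanity check that counts the interfaces plumbed at boot and compares the result against the mode you intend to run. It assumes the Solaris 2.x/7 conventions that an interface is plumbed at boot when an /etc/hostname.<if> file exists and that the presence of /etc/notrouter disables IP forwarding; the function name ss_ifcheck and the ROOT argument (which lets the check run against a constructed directory tree instead of the live system) are the example's own. It cannot confirm that the unconfigured filtering interfaces are physically present; it only catches the case the text warns about, extra configured interfaces on a stealth Screen.

```shell
#!/bin/sh
# Added example: pre-install interface check for SunScreen EFS 3.0 modes.
# Assumptions (not stated by the product documentation): interfaces are
# plumbed at boot through /etc/hostname.<if> files, and /etc/notrouter
# disables IP forwarding. ROOT points at "/" on a live system, or at a
# constructed tree for offline use.

# Usage: ss_ifcheck <root> <stealth|routing>
# Prints findings; returns 0 if the layout suits the mode, 1 otherwise.
ss_ifcheck() {
    root=$1
    mode=$2
    count=0
    names=""
    for f in "$root"/etc/hostname.*; do
        [ -f "$f" ] || continue
        # Skip logical interfaces such as hostname.hme0:1; they ride on a
        # physical interface that is already counted.
        case "$f" in *:*) continue ;; esac
        names="$names ${f##*/hostname.}"
        count=$((count + 1))
    done
    echo "plumbed interfaces ($count):$names"
    case "$mode" in
    stealth)
        # Only the remote-administration interface may be configured;
        # any additional plumbed interface can leave the Screen non-operational.
        if [ "$count" -gt 1 ]; then
            echo "FAIL: stealth mode expects at most one configured interface"
            return 1
        fi
        ;;
    routing)
        # A routing-mode Screen needs two or more IP interfaces and must
        # actually be allowed to forward between them.
        if [ "$count" -lt 2 ]; then
            echo "FAIL: routing mode needs at least two IP interfaces"
            return 1
        fi
        if [ -f "$root/etc/notrouter" ]; then
            echo "FAIL: /etc/notrouter is present, so IP forwarding is disabled"
            return 1
        fi
        ;;
    *)
        echo "usage: ss_ifcheck <root> <stealth|routing>" >&2
        return 2
        ;;
    esac
    echo "OK: interface layout suits $mode mode"
    return 0
}

# Demonstration on a constructed tree (not a real system): two plumbed
# interfaces pass the routing check and fail the stealth check.
ss_ifcheck_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    : > "$d/etc/hostname.hme0"
    : > "$d/etc/hostname.hme1"
    ss_ifcheck "$d" routing
    ss_ifcheck "$d" stealth || echo "(expected: second interface rejected)"
    rm -rf "$d"
}

ss_ifcheck_demo
```

On a live system run it as `ss_ifcheck / stealth` (or `routing`) before starting the installation wizard; a FAIL line means the host needs its boot-time interface configuration adjusted first.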
SunScreen EFS 3.0 allows the use of SPF-style stealth network interfaces, but it does not operate in exactly the same fashion as a SunScreen SPF-200. Notable differences between SunScreen EFS 3.0 in stealth mode and the SunScreen SPF-200 are:
It is a layered product installed on top of Solaris rather than a dedicated installation, so it cannot detect every user-installed service that may be vulnerable.
It does not boot from the CD-ROM.
An installation diskette is not required.
Before you install SunScreen EFS 3.0, complete the following tasks:
Be acquainted with these documents:
SunScreen EFS 3.0 Installation Guide
SunScreen EFS 3.0 Administration Guide
SunScreen EFS 3.0 Reference Manual
SunScreen EFS 3.0 Release Notes
SunScreen SKIP 1.5 User's Guide
Ensure that the system that is to run SunScreen EFS 3.0 is secure: consider reinstalling the Solaris operating environment from CD-ROM to ensure that it has not been altered.
Ensure that a set of issued keys and certificates, if you are using them, is available for each host.
After installing SunScreen EFS 3.0, you are ready to set up and implement the security policy for your network. For instructions on administering your SunScreen, refer to the SunScreen EFS 3.0 Administration Guide.
If you are presently running SunScreen EFS 1.1 or 2.0, and you want to use the same configurations when you upgrade to SunScreen EFS 3.0, read the information and instructions in Chapter 6.
To avoid corruption of your existing configurations, do not attempt to manually remove or add packages. Upgrading is not an initial installation, and the upgrade script removes packages as needed.
You can upgrade the same machine that operates as your SPF-200 Screen to become a SunScreen EFS 3.0 Screen operating in stealth mode. You can also transfer your SPF-200 configurations to a new machine, and perform the conversion on the new machine.
Since SunScreen EFS 3.0 uses ordered packet filtering rules and ordered NAT mappings, you must review your packet filtering rules after the conversion is complete to verify that the filtering order is as you want. NAT mappings have changed considerably since the release of SPF-200. See the SunScreen EFS 3.0 Reference Manual for details on NAT mappings.
Instructions for upgrading from SunScreen SPF-200 are in Chapter 6.
If you are presently using FireWall-1 and plan to use a similar security policy on SunScreen EFS 3.0, you have two ways to do this:
You can convert the machine that is running FireWall-1 to become the SunScreen EFS 3.0 Screen.
You can convert the security policy configurations on FireWall-1 and use them on a SunScreen EFS 3.0 machine.
Conversion instructions are in Chapter 7.
Machines that are used as gateways, or that occupy vulnerable positions on the network, should have only the minimum set of Solaris packages installed, as designated in the installation instructions. This way, fewer potentially exploitable applications are present on the machine.
If no Solaris applications or services are needed on a SunScreen machine, consider installing the software in stealth mode with the hardened OS feature. This is discussed in Chapter 5.
Table 1-1 lists the minimum hardware and operating system requirements for installing SunScreen EFS 3.0.
Table 1-1 SunScreen EFS 3.0 Installation Requirements
The Screen can support up to 15 network interfaces at one time.
A remote Administration Station can connect directly to a Screen only through an Ethernet local area network (LAN) or a Fiber Distributed Data Interface (FDDI). An Administration Station can connect to the Screen by an Asynchronous Transfer Mode (ATM) or Token Ring LAN, but only after it is connected directly to the network by way of an Ethernet or FDDI connection first.
SunScreen EFS 3.0 includes the SunScreen(TM) SKIP software.
The HotJava(TM) 1.1.5 browser is packaged on the SunScreen EFS 3.0 CD-ROM and is installed as part of the Default Install when using the installation wizard. If you do not want this version of HotJava installed, select Custom Install instead and deselect package SUNWdthj. The following Web browsers are supported:
HotJava 1.1.5.
Netscape Navigator(TM) 4.x with the Java(TM) plug-in. If you have Internet access, for information on the plug-in, go to http://java.sun.com/products/plugin/1.1.2/index-1.1.2.html.
If you do not have Internet access, we provide the Java plug-in, version 1.1.2, on the SunScreen EFS 3.0 CD-ROM. It is located in the directory javaplugins. To install it, see the SunScreen EFS 3.0 on-line help topic "Allow Local File Access".
Netscape Navigator 4.5 with its own Java, but with the limitation that you cannot read or write files.
IE 4.01 with its own Java, but with the limitation that you cannot read or write files.
For an Administration Station which remotely administers a Screen, SunScreen EFS 3.0 allows any machine with a Java-enabled web browser compliant with JDK 1.1.3 or later as an Administration Station, as long as it can connect securely to the Screen using SKIP. See Chapter 4 for more information.
Context-sensitive help is available for each page of the Administration graphic user interface (GUI) for SunScreen EFS 3.0. To access the context-sensitive help, click the Help button on a GUI page.
SunScreen EFS 3.0 documentation is automatically installed from the CD-ROM. Once installed, click the Documentation button on the Administration GUI toolbar.
The man pages for SunScreen EFS administration commands are located in /opt/SUNWicg/SunScreen/man.
On certain workstations that have Solaris 7 pre-installed, problems using the SunScreen EFS 3.0 installation wizard can occur. These are described below.
If the installation wizard is used to install SunScreen EFS 3.0 and pkgrm is used to remove it, subsequent attempts to install using the installation wizard result in a message saying that the product is already installed. This can happen even after the software packages have been removed.
If this happens, exit the installation wizard and remove the SunScreen EFS 3.0 packages using /usr/bin/prodreg before attempting to re-install SunScreen EFS 3.0 using the installation wizard.
If you attempt to install SunScreen EFS 3.0 on a machine that already has a complete installation, the installation wizard completes most of the installation but fails during the pkgadd of the SUNWicgSS package. It then proceeds to remove all packages added to that point.
Subsequent installations through the installation wizard screenInstaller, or through pkgadd and ss_install, are successful.
The panel displayed after the installation of SunScreen EFS 3.0 packages refers to a log file. This log file mentions the creation of an uninstall class during the installation process. Do not attempt to uninstall SunScreen EFS 3.0 with this uninstall class; it does not properly remove the SunScreen EFS 3.0 packages.
The correct method is to use pkgrm to remove the packages installed from the CD and to remove the /etc/opt/SUNWicg, /var/opt/SUNWicg, and /etc/skip directories. See Chapter 8 for instructions on removing the software.