This document contains information that was not available when the SunScreen(TM) 3.1 documents were printed. This document is the companion to the following:
SunScreen 3.1 Installation Guide (PN 806-4126-10)
SunScreen 3.1 Administration Guide (PN 806-4127-10)
SunScreen 3.1 Reference Manual (PN 806-4128-10)
SunScreen 3.1 Configuration Examples (PN 806-4425-10)
SunScreen SKIP User's Guide, Release 1.5.1 (PN 806-5397-10)
This document contains the following information:
If you are using remote administration or local administration with a VPN, you should secure any core files. A savecore file (kernel core dump) contains your local cryptographic secret or secrets. Extracting a secret from the dump would be difficult, but it can be done! You should, therefore, protect a core file as carefully as any of your other local secrets.
Remember, if you send your core file out-of-house for analysis, you are giving your local secret to the analyst.
Because all regular system backups made while a core file exists contain the files in which your local secret or secrets are stored, any system backups must be considered a possible means of discovering your local secret or secrets.
Keep all of your regular system backups in a secure location.
SunScreen 3.1 adds:
Support for the Solaris 8 operating environment.
Support for Trusted Solaris 7.
SunScreen 3.1 runs on Trusted Solaris 7. Although SunScreen 3.1 filters packets that contain security labels, it does not filter based on security labels.
Installation improvements to the Solaris Web Start Wizards(TM) installer.
A single installation GUI asks if the machine is to perform Administration, Screen, or both functions. Based upon the response, the installer installs the appropriate packages and performs the appropriate installation scripts.
When installing in stealth mode, you are presented with a list of the plumbed interfaces from which you select the administration interface.
SunScreen 3.1 Lite, which is included with the Solaris 8 Early Access (EA) directory, beginning with Update 1, 6/00.
SunScreen 3.1 Lite is designed to be a feature-limited subset of the full version. It is designed to protect individual server assets as opposed to the full version that includes features for perimeter defense and enterprise-level network protection.
Improvements to SunScreen 3.1 administration GUI include the Policy Rules table, which is now directly editable.
That is, you no longer need to use the Edit button to modify a rule. If a named object is changed in a rule, the corresponding rule is modified and the Save button is enabled. The disk image of the policy is only updated when you press the Save button.
Also, when selecting a named object in a rule, its details are displayed in the common objects area. This object can also be edited from the common objects area.
Support for ATM CIP mode and Gigabit Ethernet.
ATM classical IP (CIP) mode and Gigabit Ethernet interfaces can now be filtered by the SunScreen packet filter in the same way as other interfaces.
Support for SNMP status reporting.
A predefined system receives a regular SNMP trap message that contains status information about the Screen. Thus, the administrator can know how well a Screen is running. This approach is particularly useful with stealth Screens because it is not always possible to log into a stealth Screen to get information about its status.
The ATM logical interface is not supported.
The following information applies when running SunScreen 3.1 on Trusted Solaris 7:
Packets with TSOL and UNLABELED templates have been thoroughly tested. Other templates may work but have not been tested.
You must invoke the installer from the command line instead of clicking on the installer icon. Use the following command:
# /cdrom/cdrom0/installer
HotJava(TM) is the default supported browser. To use Netscape Navigator(TM), you must edit your system's profile and assign it the right privileges.
After SunScreen 3.1 is removed, the SunScreen or SunScreen Admin profile remains in the system. Clear out the SunScreen or SunScreen Admin profile manually, as needed.
The following problems are known to exist in SunScreen 3.1. Workarounds are included where available.
Synopsis: Deleted stealth interface continues filtering based on old policy.
Description: When you activate a configuration that has removed an interface, that interface continues to filter based on the old policy.
Workaround: Reboot.
Synopsis: Screen will not come up when removing an interface from a Screen.
Description: When you physically remove an interface from the host or change the Solaris network configuration and reboot without first removing the SunScreen Interface object definition for that interface, the Screen will not work. This happens when the interface that was removed has already been defined in the Screen.
Workaround: The following steps explain how to fix this problem:
Log onto the console of the Screen as root.
Type the ssadm edit command to remove the offending Interface object from your SunScreen policy.
# ssadm edit Initial
edit> delete interface qfe2
edit> save
edit> quit
See Appendix B, "Command-Line Reference", in the SunScreen 3.1 Reference Manual for more information on using the command-line interface.
Type the ssadm command to activate the policy.
# ssadm activate Initial
Reboot the system.
Synopsis: Upgrade script cannot determine existing version when upgrading from SunScreen EFS 3.0, revision A (May 1999).
Description: The original release of SunScreen EFS 3.0 (May 1999) had an incorrect version name. When running the upgrade script for SunScreen 3.1, the script cannot determine the version of SunScreen currently installed. SunScreen EFS 3.0, revision B, (August 1999) does not have this problem.
Workaround: Install the patch for SunScreen EFS 3.0, revision A, before attempting to upgrade to SunScreen 3.1. The patch is available for download from:
http://www.sun.com/software/securenet/securenet3/install.html
This patch corrects the version name, which allows you to proceed with the upgrade to SunScreen 3.1.
The following information was not included in the documentation when the SunScreen 3.1 documents were printed.
For future documentation updates, see http://docs.sun.com.
To upgrade from a SunScreen 3.1 Lite configuration to the Full release of SunScreen 3.1, follow the instructions in Chapter 7, "Upgrading from SunScreen EFS and SunScreen SPF-200" in the SunScreen 3.1 Installation Guide. The instructions that apply to SunScreen EFS 1.1, 2.0, and 3.0 also apply to SunScreen 3.1 Lite.
If you installed SunScreen 3.1 from the installer and the Product Registry is present, you can uninstall SunScreen from the Product Registry. Start the Product Registry by typing:
$ /usr/bin/prodreg
SunScreen 3.1 appears as an installed component, which you can select and uninstall by clicking the "uninstall" button.
The section in Chapter 1, "To Install the Required Java Plug-In," in the SunScreen 3.1 Installation Guide is missing an important part of Step 5, which sets an environment variable to point to the Java(TM) Plug-In directory. The step should also instruct you to add the path or the setenv statement to your .cshrc, .profile, or .login file. Unless you perform this step, the path to the plug-in directory will be lost at the next system reboot and you will not be able to run the administration GUI.
When running in stealth mode, SunScreen supports the passing of Ethernet packets that are not IP-based. Examples of these types of packets include Novell IPX, AppleTalk, DECNet, and others. The method for passing these packets is based on the undocumented ether state engine.
To pass such packets, you must define a new service using the ether state engine, and must know exact Ethernet frame types that are used by the non-IP packets.
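Before defining an ether-engine service you need to know how each non-IP protocol is actually framed on your segment (Ethernet II type field, Novell raw 802.3, 802.2 LLC, or SNAP), since the same protocol can appear in more than one framing. The following classifier is an added example, not code from the release notes or from SunScreen; the EtherType and SAP values are the standard published ones, and the sample frames are constructed by hand rather than captured.

```python
import struct

# Standard EtherType values for the protocols mentioned in the notes.
ETHERTYPES = {0x8137: "IPX", 0x809B: "AppleTalk", 0x80F3: "AARP",
              0x6003: "DECnet Phase IV", 0x0800: "IPv4", 0x0806: "ARP"}

def classify_frame(frame: bytes) -> dict:
    """Return the framing kind, its type/SAP identifier and a protocol name."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len >= 0x0600:                 # Ethernet II: the field is an EtherType
        return {"framing": "Ethernet II", "type": type_or_len,
                "protocol": ETHERTYPES.get(type_or_len, "unknown")}
    payload = frame[14:14 + type_or_len]      # IEEE 802.3: the field is a length
    if payload[:2] == b"\xff\xff":            # Novell "raw" 802.3: IPX checksum 0xFFFF
        return {"framing": "802.3 raw", "type": 0xFFFF, "protocol": "IPX"}
    if len(payload) < 3:
        return {"framing": "802.3", "type": None, "protocol": "unknown"}
    dsap, ssap, ctrl = payload[0], payload[1], payload[2]
    if dsap == 0xAA and ssap == 0xAA and ctrl == 0x03 and len(payload) >= 8:
        snap_type = struct.unpack("!H", payload[6:8])[0]   # type follows 3-byte OUI
        return {"framing": "802.2 SNAP", "type": snap_type,
                "protocol": ETHERTYPES.get(snap_type, "unknown")}
    if dsap == 0xE0 and ssap == 0xE0:         # IPX over 802.2 LLC
        return {"framing": "802.2 LLC", "type": 0xE0, "protocol": "IPX"}
    return {"framing": "802.2 LLC", "type": dsap, "protocol": "unknown"}

def frame_types_seen(frames) -> set:
    """Distinct (framing, protocol) pairs: what the ether-engine services must cover."""
    return {(c["framing"], c["protocol"]) for c in map(classify_frame, frames)}

# Constructed sample frames (hypothetical MAC addresses, zero-filled payloads).
DST = b"\x01\x02\x03\x04\x05\x06"
SRC = b"\x0a\x0b\x0c\x0d\x0e\x0f"
def _eth2(etype, payload): return DST + SRC + struct.pack("!H", etype) + payload
def _8023(payload): return DST + SRC + struct.pack("!H", len(payload)) + payload

SAMPLE_FRAMES = [
    _eth2(0x8137, b"\xff\xff" + b"\x00" * 28),                 # IPX, Ethernet II
    _8023(b"\xff\xff" + b"\x00" * 28),                         # IPX, Novell raw 802.3
    _8023(b"\xaa\xaa\x03\x08\x00\x07\x80\x9b" + b"\x00" * 20), # AppleTalk, SNAP (Apple OUI)
    _eth2(0x0800, b"\x45" + b"\x00" * 19),                     # IPv4, Ethernet II
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(classify_frame(f))
```

Run it over frames captured on the stealth Screen's interfaces; each distinct pair it reports is a framing your service definitions must account for.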
The following supplements the information in Chapter 9, "Removing SunScreen 3.1," in the SunScreen 3.1 Installation Guide.
If you remove SunScreen packages from a Screen when the active configuration includes rules that use proxies, the disabled Solaris services, such as the standard FTP daemon, are not reinstated.
To ensure that they are reinstated, perform the following steps before removing the SunScreen packages:
Remove the Screen from the managed group, if it is a secondary Screen.
Use the instructions in the section "To Remove a Screen From a Cluster in the Centralized Group" in Appendix A, "Using the Command Line," in the SunScreen 3.1 Administration Guide.
Stop the current proxies in one of the following two ways:
Activate a policy that does not contain proxy rules.
Deactivate the proxies manually using the command line, as root, by typing:
# rm /etc/opt/SUNWicg/SunScreen/.active/*.conf
# /etc/init.d/proxy stop
This method is specific to SunScreen 3.1, as it uses path names and interfaces that are not guaranteed to exist in future releases.
The original daemons (that is, sendmail, telnetd, and ftpd) are reinstated.
SunScreen 3.1 encryption is 56 bits and offers a 128-bit SKIP upgrade to increase the encryption strength. This product is subject to the following export and import restrictions.
This product is subject to United States export laws and may be subject to export and import laws of other countries. Customers will strictly comply with all such laws and obtain licenses to export, re-export, or import as may be required. Unless authorized by the United States Government, Customers will not, directly or indirectly, export or re-export products, nor direct products therefrom, to Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Serbia, Sudan, Syria, or to any embargoed or restricted country identified in the United States export laws, including but not limited to the Export Administration Regulations (15 C.F.R. Parts 730-774).
In addition, the 128-bit version of this product may only be exported or re-exported to individuals, commercial firms, and non-government end users unless otherwise authorized by the United States Government.
Customers must not be identified on any United States Government export exclusion lists. Customers will not use this product for nuclear, missile, chemical-biological weaponry, or other weapons of mass destruction.