This chapter details the prerequisites recommended prior to installing SunScreen EFS 3.0.
Topics included are:
Determine your security policy
Determine your network configuration
Preparing for installation
Before installing, review the SunScreen EFS 3.0 Release Notes for the latest information about this product.
Before actually installing the SunScreen EFS 3.0 software, you should first determine your network security policy. For a more thorough discussion of this topic, we suggest you read Computer Security Policies and SunScreen Firewalls by Kathryn M. Walker and Linda Croswhite Cavanaugh. Additional resources are listed in the Preface.
In brief, considerations when creating a security policy are:
what services do employees need to access?
what services do customers need to access?
will you allow Internet access, and if so, what services do users need to access?
what type of threat are you trying to protect your company from?
do you need to use Network Address Translation (NAT)?
Prior to installing SunScreen EFS 3.0, you should make a map of your network. This will help identify any potential security problems inherent in the way the network is currently connected. A diagram of your network will aid installation and should include:
Routers to the Internet
FTP, WWW or TELNET servers
Application relay servers
Remote networks
Internal subnetworks
Your HA configuration
You must determine your initial level of security. You have three possible security levels to choose from when installing SunScreen EFS 3.0 in routing mode. Each security level corresponds to a different set of network services permitted to, from, and through the Screen. If you are in doubt about which security level to select for the initial configuration, use a more permissive security level. You can always reconfigure it to be more secure later by changing the rules using the Administration GUI.
The security levels are as follows:
Restrictive - This level of security denies all traffic to, from, and through the Screen, except encrypted administration traffic. This level is best for deploying the Screen in a hostile network environment. It requires that static routing and the naming service have been configured on the host (that is, names must be resolved by means of a local hosts file).
Secure - This level of security denies all traffic to and through the Screen, except encrypted administration traffic. It allows common services (such as NFS) from the Screen, naming services (such as DNS and NIS), and routing (RIP). This level is a good starting point for getting a Screen up and running on a friendly network, where the Screen may not be a stand-alone machine and may depend on NIS, DNS, or NFS to function properly.
Permissive - This level allows the same traffic as the Secure level with the addition of allowing inbound connections to the Screen itself and allowing all traffic through the Screen. This security level is for installing the Screen onto a machine that has multiple network interfaces and is acting as a router, or on a machine that is acting as a server (for example, for NFS, NIS, or HTTP).
You must also determine which naming service to use. You may choose one (NIS or DNS), both (NIS and DNS), or none. For none, deselect both.
In routing mode, SunScreen EFS 3.0 automatically installs all Ethernet interfaces that have been configured on the machine. In stealth mode, only the interface used for remote administration should be configured, and the other interfaces must not be configured.
If you are converting FireWall-1 configurations for use on SunScreen EFS 3.0, or when planning to convert a FireWall-1 machine to a SunScreen EFS 3.0 machine, read the information and instructions in Chapter 7 first.
Once the following preparation criteria are met, continue to the appropriate chapter for your particular installation.
The following sections describe how to prepare for initial installations on both locally and remotely administered SunScreen EFS 3.0 machines.
SunScreen EFS 3.0 runs on Solaris 2.6 and Solaris 7 operating environments for SPARC and x86 platforms. If you are running Solaris 2.5.1, or earlier, you must upgrade your operating environment to at least Solaris 2.6.
At a minimum, the Screen must have the Core System Support software group installed, and the Administration Station must have the End User Distribution software group installed. Prior to installing SunScreen EFS 3.0, additional Solaris packages are required and must be installed.
Do not reinstall the Core System Support software group if you are upgrading from either SunScreen EFS 1.1 or 2.0 to SunScreen EFS 3.0, as described in Chapter 6.
Add the following packages to the Screen from your Solaris CD, if not already on your system:
system SUNWdoc Documentation Tools
system SUNWeuluf UTF-8 L10N For Language Environment User Files
system SUNWjvjit Java JIT compiler
system SUNWjvrt JavaVM run time environment
system SUNWlibC SPARCompilers Bundled libC
system SUNWlibms SPARCompilers Bundled shared libm
system SUNWsprot SPARCompilers Bundled tools
system SUNWtoo Programming Tools
system SUNWvolr Volume Management (Root)
system SUNWvolu Volume Management (Usr)
system SUNWxwice ICE components
system SUNWxwplt X Window System platform software
system SUNWxwrtl X Window System & Graphics Runtime Library Links
system SUNWmfrun Motif RunTime Kit
If you are using Solaris 2.6 as your operating environment, add the following patches, if not already on your system, by typing:
For SPARC systems:
# cd /cdrom/cdrom0/sparc/Patches
# patchadd 106125-06
# patchadd 105181-11
# patchadd 105284-15
# patchadd 105490-04
# patchadd 106040-10
# patchadd 106409-01
For x86 systems:
# cd /cdrom/cdrom0/i386/Patches
# patchadd 106126-06
# patchadd 105182-13
# patchadd 105285-15
# patchadd 105491-04
# patchadd 106041-10
# patchadd 106410-01
These patches must be added in the order given.
Reboot by typing:
# sync; init 6
If you will be operating the SunScreen in routing mode, configure all network interfaces that will be used.
See the documentation accompanying the Solaris operating environment, if needed.
If you will be operating the SunScreen in stealth mode, configure only the network interface that will be used for remote administration.
See the documentation accompanying the Solaris operating environment, if needed.
If you will be using a remote administration station, add the following packages to the Administration Station from your Solaris CD, if not already on your system:
system SUNWjvrt JavaVM run time environment
system SUNWmfrun Motif RunTime Kit
system SUNWxwplt X Window System Platform software
If you are using Solaris 2.6 as your operating environment, add the following patches, if not already on your system, by typing:
For SPARC systems:
# cd /cdrom/cdrom0/sparc/Patches
# patchadd 106125-06
# patchadd 105284-15
# patchadd 105490-04
# patchadd 106040-10
# patchadd 106409-01
For x86 systems:
# cd /cdrom/cdrom0/i386/Patches
# patchadd 106126-06
# patchadd 105285-15
# patchadd 105491-04
# patchadd 106041-10
# patchadd 106410-01
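The following pre-flight check is an added example and is not part of the SunScreen EFS 3.0 documentation: it reports which of the required packages and Solaris 2.6 patches are still missing from a host, so that only those are added, and it emits the patches in the order the chapter requires. It uses the Screen lists above as input, but the same two functions apply unchanged to the shorter Administration Station lists. It assumes the output formats of `pkginfo` and `showrev -p`, and that a patch already installed at a newer revision satisfies an older required revision (patchadd refuses to downgrade); the command output embedded below is constructed for the example.

```shell
#!/bin/sh
# Pre-flight check for the SunScreen EFS 3.0 Screen prerequisites (added example).
# Packages the Screen needs, as listed in the chapter.
REQUIRED_PKGS="SUNWdoc SUNWeuluf SUNWjvjit SUNWjvrt SUNWlibC SUNWlibms SUNWsprot SUNWtoo SUNWvolr SUNWvolu SUNWxwice SUNWxwplt SUNWxwrtl SUNWmfrun"
# Solaris 2.6 SPARC patches for the Screen, in the order they must be added.
REQUIRED_PATCHES="106125-06 105181-11 105284-15 105490-04 106040-10 106409-01"

# Constructed sample of `pkginfo` output on a partially prepared host.
SAMPLE_PKGINFO='system      SUNWcsu        Core Solaris, (Usr)
system      SUNWjvrt       JavaVM run time environment
system      SUNWlibC       SPARCompilers Bundled libC
system      SUNWxwplt      X Window System platform software'

# Constructed sample of `showrev -p` output: one patch at a newer revision
# than required, one at an older revision, the rest absent.
SAMPLE_SHOWREV='Patch: 106125-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 105284-12 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# missing_pkgs REQUIRED PKGINFO_OUTPUT -> space-separated absent packages.
# pkginfo prints "<category> <pkginst> <name>", so the package is field 2.
missing_pkgs() {
    _out=""
    for _p in $1; do
        printf '%s\n' "$2" | awk -v p="$_p" '$2 == p { found = 1 } END { exit !found }' \
            || _out="$_out $_p"
    done
    printf '%s\n' "${_out# }"
}

# missing_patches REQUIRED SHOWREV_OUTPUT -> patches to add, in required order.
# A patch counts as present only if the installed revision is >= the required
# one (assumption: patchadd will not downgrade, so a newer revision satisfies).
missing_patches() {
    _out=""
    for _p in $1; do
        _id=${_p%-*}; _rev=${_p#*-}
        printf '%s\n' "$2" | awk -v id="$_id" -v rev="$_rev" '
            $1 == "Patch:" { split($2, a, "-"); if (a[1] == id && a[2] + 0 >= rev + 0) found = 1 }
            END { exit !found }' || _out="$_out $_p"
    done
    printf '%s\n' "${_out# }"
}

# On a real host replace the samples with "$(pkginfo)" and "$(showrev -p)".
echo "Missing packages: $(missing_pkgs "$REQUIRED_PKGS" "$SAMPLE_PKGINFO")"
echo "Patches to add (in order): $(missing_patches "$REQUIRED_PATCHES" "$SAMPLE_SHOWREV")"
```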