SunScreen EFS Release 3.0 Installation Guide

Chapter 1 Introduction to Installing SunScreen EFS 3.0

This chapter introduces SunScreen EFS 3.0 installation concepts.

Topics covered include:

SunScreen EFS 3.0 software can be installed on a single machine (local administration) or on different machines (remote administration).

Remote administration includes the Screen and its Administration Station. Depending upon how you choose to deploy SunScreen EFS 3.0, the number of Screens and Administration Stations varies. You need a Screen at every point in the network where you want to restrict access. In the strictest sense, you need one Screen for each point in the network that has direct public access (usually one per site). One Administration Station can manage multiple Screens, although more Administration Stations can be installed for redundancy and ease of access. Encryption is used to protect access and to limit management of a Screen to an authorized Administration Station.

What Is SunScreen EFS 3.0

SunScreen EFS 3.0 is a software security solution, which is installed on a Solaris(TM)-based machine. It lets companies connect their departmental networks to public internetworks securely. SunScreen EFS 3.0 functions as a firewall and router for hosts on the network it is protecting.

The Screen is the firewall responsible for screening packets. The Administration Station is used to define rules and to administer the Screen. The number of Screens and Administration Stations depends on your site's network topology and security policies.

Local Administration

Local administration means that the Screen is administered on the Screen itself, as shown in Figure 1-1. Because the administration processes execute on the Screen, no network traffic is generated, and local administration therefore neither requires nor uses encryption.

Figure 1-1 Example of a Locally Administered SunScreen EFS


Remote Administration

Remote administration means that administration of the Screen is conducted on an Administration Station, which is a separate machine from the Screen, as shown in Figure 1-2. Remote administration uses encrypted communication between the Screen and the Administration Station to protect access and to limit the management of a Screen to an authorized Administration Station. The data that the administrator sees is protected, so information about the security policy in place on the Screen cannot be obtained by others.

Figure 1-2 Example of a Remotely Administered SunScreen EFS


The Screen may be both headless and keyboardless, and communicates with the Administration Station through a TCP/IP interface that need not be exposed to the Internet (although it may be exposed to the local network, depending on the topology you use, and your choice of operating in stealth or routing mode).

Operating the Firewall in Routing Mode

Operate SunScreen EFS 3.0 in routing mode if you need routing functions in addition to firewall capabilities. In this mode, SunScreen EFS 3.0 operates as both a router and a firewall, with at least two exposed IP interfaces, and a hop visible to traceroute and other network utilities. Be aware that your firewall is visible when operating in routing mode, and you have a slightly greater exposure to attack than when operating in stealth mode.

Key differences when operating SunScreen EFS 3.0 in routing, rather than stealth, mode:

Operating the Firewall in Stealth Mode

Operate SunScreen EFS 3.0 in stealth mode if you do not need routing functions, or if you want to decrease possibilities for attacks. In stealth mode, SunScreen EFS 3.0 acts much like a bridge in that no IP interfaces are exposed to the public or private network, and packets are transparently passed through the Screen. While operating in this mode, the SunScreen cannot be attacked through any means other than a denial of service attack, and cannot be seen or detected through traceroute or similar network tools.

Key differences when operating SunScreen EFS in stealth, rather than routing, mode:

SunScreen EFS 3.0 allows the use of SPF-style stealth network interfaces, but it does not operate in exactly the same fashion as a SunScreen SPF-200 does. Some notable differences between SunScreen EFS 3.0 operating in stealth mode and the SunScreen SPF-200 are:

Before Installing SunScreen EFS 3.0

Before you install SunScreen EFS 3.0, complete the following tasks:

After installing SunScreen EFS 3.0, you are ready to set up and implement the security policy for your network. For instructions on administering your SunScreen, refer to the SunScreen EFS 3.0 Administration Guide.

Upgrading From SunScreen 1.1 or 2.0 to SunScreen EFS 3.0

If you are presently running SunScreen EFS 1.1 or 2.0, and you want to use the same configurations when you upgrade to SunScreen EFS 3.0, read the information and instructions in Chapter 6.


Caution -

To avoid corruption of your existing configurations, do not attempt to manually remove or add packages. Upgrading is not an initial installation, and the upgrade script removes packages as needed.


Upgrading from SunScreen SPF-200 to SunScreen EFS 3.0

You can upgrade the same machine that operates as your SPF-200 Screen to become a SunScreen EFS 3.0 Screen operating in stealth mode. You can also transfer your SPF-200 configurations to a new machine, and perform the conversion on the new machine.

Since SunScreen EFS 3.0 uses ordered packet filtering rules and ordered NAT mappings, you must review your packet filtering rules after the conversion is complete to verify that the filtering order is as you want. NAT mappings have changed considerably since the release of SPF-200. See the SunScreen EFS 3.0 Reference Manual for details on NAT mappings.

Instructions for upgrading from SunScreen SPF-200 are in Chapter 6.

Converting From FireWall-1 to SunScreen EFS 3.0

If you are presently using FireWall-1 and plan to use a similar security policy on SunScreen EFS 3.0, you have two ways to do this:

Conversion instructions are in Chapter 7.

Security Issues

Machines that are used as gateways, or that sit in vulnerable positions on the network, should have only the minimum set of Solaris packages installed, as designated. This way, fewer potentially exploitable applications are present on the machine.

If no Solaris applications or services are needed on a SunScreen machine, consider installing the software in stealth mode with the hardened OS feature. This is discussed in Chapter 5.

Software and Hardware Requirements

Table 1-1 lists the minimum hardware and operating system requirements for installing SunScreen EFS 3.0.

Table 1-1 SunScreen EFS 3.0 Installation Requirements

Requirement          Description

Operating system     Solaris 2.6 or Solaris 7 operating environment for SPARC(TM) and Solaris x86 platforms.
                     Requires a Java-enabled Web browser compliant with JDK(TM) 1.1.3 or later.

Hardware             All SPARCstation, UltraSPARC, and x86 platforms supported by the Solaris 2.6 and Solaris 7 operating environments.

Disk space           Minimum of 1 Gbyte (>300 Mbytes unused).

Memory               Administration Station: minimum of 32 Mbytes; 64 Mbytes strongly recommended.
                     Screen: minimum of 32 Mbytes.

Network interfaces   For SPARC systems: 10 Mbps or 100 Mbps Ethernet interfaces (le, qe, hme, be, qfe), Token Ring, ATM (155 and 622 Mbps in LAN emulation mode), FDDI, or PCI-based Ethernet cards.
                     For x86 systems: 10 Mbps or 100 Mbps Ethernet interfaces (dnet, elxl).
                     Stealth mode supports 10 Mbps or 100 Mbps Ethernet only.
                     See the supported devices listed at http://access1.sun.com/driver/hcl/hcl.html

Media                CD-ROM drive and diskette drive.

The Screen can support up to 15 network interfaces at one time.

A remote Administration Station can connect directly to a Screen only through an Ethernet local area network (LAN) or a Fiber Distributed Data Interface (FDDI). An Administration Station can connect to the Screen by an Asynchronous Transfer Mode (ATM) or Token Ring LAN, but only after it is connected directly to the network by way of an Ethernet or FDDI connection first.
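The following script is an added example, not part of SunScreen EFS 3.0 or its installer. It turns the figures above (more than 300 Mbytes unused, 32 Mbytes minimum for a Screen, at most 15 interfaces, Ethernet only in stealth mode) into a pre-installation check. On a real Solaris host the inputs would be taken from df -k, prtconf and ifconfig -a; here they are passed in as text, and the DF_SAMPLE and PRTCONF_SAMPLE values are constructed so the checks can be exercised on any machine. The function names and the ETHERNET_DRIVERS list (assembled from the driver names in Table 1-1) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not SunScreen's own code): pre-installation check against
# the figures in Table 1-1 and the paragraph that follows it.

MIN_FREE_KB=307200        # Table 1-1: more than 300 Mbytes unused
MIN_SCREEN_MEM_MB=32      # Table 1-1: Screen minimum of 32 Mbytes
MAX_IFACES=15             # a Screen supports up to 15 network interfaces
# Ethernet driver names listed in Table 1-1 (SPARC and x86). Stealth mode
# supports 10/100 Mbps Ethernet only, so any other driver fails that check.
ETHERNET_DRIVERS="le qe hme be qfe dnet elxl"

# Constructed sample inputs (not output captured from a real Screen).
DF_SAMPLE='Filesystem            kbytes    used   avail capacity  Mounted on
/dev/dsk/c0t0d0s0    1032130  612000  410000    60%    /
/dev/dsk/c0t0d0s7     500000  450000   45000    91%    /export/home'
PRTCONF_SAMPLE='System Configuration:  Sun Microsystems  sun4u
Memory size: 64 Megabytes'

# free_kb_for MOUNTPOINT DF_OUTPUT -> prints the "avail" column (4th field
# of df -k) for the filesystem mounted at MOUNTPOINT; nothing if absent
free_kb_for() {
    printf '%s\n' "$2" | awk -v mp="$1" '$6 == mp { print $4 }'
}

# check_disk MOUNTPOINT DF_OUTPUT -> succeeds if the filesystem that will
# hold the installation has more than MIN_FREE_KB unused
check_disk() {
    avail=$(free_kb_for "$1" "$2")
    [ -n "$avail" ] && [ "$avail" -gt "$MIN_FREE_KB" ]
}

# mem_mb_from_prtconf PRTCONF_OUTPUT -> prints the "Memory size" figure (MB)
mem_mb_from_prtconf() {
    printf '%s\n' "$1" | awk '/^Memory size:/ { print $3 }'
}

# check_memory MEM_MB -> succeeds if the Screen minimum is met
check_memory() {
    [ "$1" -ge "$MIN_SCREEN_MEM_MB" ]
}

# iface_driver NAME -> driver part of an interface name ("hme0" -> "hme")
iface_driver() {
    printf '%s\n' "$1" | sed 's/[0-9]*$//'
}

# check_interfaces MODE IFACE... -> fails if more than MAX_IFACES are given,
# or if MODE is "stealth" and any interface is not an Ethernet driver
check_interfaces() {
    mode=$1
    shift
    [ "$#" -le "$MAX_IFACES" ] || return 1
    for ifc in "$@"; do
        drv=$(iface_driver "$ifc")
        if [ "$mode" = stealth ]; then
            case " $ETHERNET_DRIVERS " in
                *" $drv "*) ;;
                *) return 1 ;;
            esac
        fi
    done
    return 0
}

# report LABEL CMD... -> prints PASS or FAIL for one check
report() {
    label=$1
    shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}

report "disk space on /"                 check_disk / "$DF_SAMPLE"
report "Screen memory"                   check_memory "$(mem_mb_from_prtconf "$PRTCONF_SAMPLE")"
report "stealth-mode interfaces"         check_interfaces stealth hme0 qfe0 qfe1
report "stealth with FDDI (expect FAIL)" check_interfaces stealth hme0 fddi0
```

On a Screen the same functions would be fed live data, for example check_disk / "$(df -k)" and check_interfaces stealth followed by the interface names from ifconfig -a. The stealth check is the one most often missed in practice: a Token Ring, ATM or FDDI interface is acceptable in routing mode but disqualifies the machine from stealth mode.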

SunScreen EFS 3.0 includes the SunScreen(TM) SKIP software.

The HotJava(TM) 1.1.5 browser is packaged on the SunScreen EFS 3.0 CD-ROM and is installed as part of the Default Install when using the installation wizard. If you do not want this version of HotJava installed, select Custom Install instead and deselect package SUNWdthj. The following Web browsers are supported:

If you do not have Internet access, the Java plug-in, version 1.1.2, is provided on the SunScreen EFS 3.0 CD-ROM in the javaplugins directory. To install it, see the SunScreen EFS 3.0 on-line help topic "Allow Local File Access".

Online Help and Documentation

Context-sensitive help is available for each page of the Administration graphic user interface (GUI) for SunScreen EFS 3.0. To access the context-sensitive help, click the Help button on a GUI page.

SunScreen EFS 3.0 documentation is automatically installed from the CD-ROM. Once installed, click the Documentation button on the Administration GUI toolbar.

The man pages for SunScreen EFS administration commands are located in /opt/SUNWicg/SunScreen/man.

Installation Problems

On certain workstations that have Solaris 7 pre-installed, problems using the SunScreen EFS 3.0 installation wizard can occur. These are described below.

Re-install

If the installation wizard is used to install SunScreen EFS 3.0 and pkgrm is then used to remove it, subsequent attempts to install with the installation wizard result in a message saying that the product is already installed. This can happen even after the software packages have been removed.

If this happens, exit the installation wizard and remove the SunScreen EFS 3.0 packages using /usr/bin/prodreg before attempting to re-install SunScreen EFS 3.0 using the installation wizard.

Overinstall

If you attempt to install SunScreen EFS 3.0 on a machine that already has a complete installation, the installation wizard completes most of the installation but fails during the pkgadd of the SUNWicgSS package. It then proceeds to remove all packages added to that point.

Subsequent installations, whether through the installation wizard (screenInstaller) or through pkgadd and ss_install, are successful.

Uninstall

The panel displayed after the SunScreen EFS 3.0 packages are installed refers to a log file, which mentions the creation of an uninstall class during the installation process. Do not attempt to uninstall SunScreen EFS 3.0 with this uninstall class: it does not properly remove the SunScreen EFS 3.0 packages.

The correct method is to use pkgrm to remove the packages installed from the CD and to remove the /etc/opt/SUNWicg, /var/opt/SUNWicg, and /etc/skip directories. See Chapter 8 for instructions on removing the software.
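The script below is an added example of the manual removal just described, and of the leftover-package check from "Re-install" above; it is not the product's own uninstall code. It lists the SunScreen packages still registered, runs pkgrm for each, and then deletes the three configuration directories. The only package names taken from this chapter are SUNWicgSS and SUNWdthj; the PKGINFO_SAMPLE text is constructed, the full package list must come from pkginfo on the actual Screen, and the ROOT and PKGRM variables are this example's own additions so the procedure can be rehearsed against a scratch directory with a dry-run command.

```shell
#!/bin/sh
# Added example (not SunScreen's own code): remove SunScreen EFS 3.0 as the
# "Uninstall" note describes -- pkgrm the CD packages, then delete
# /etc/opt/SUNWicg, /var/opt/SUNWicg and /etc/skip.

ROOT=${ROOT:-}            # prefix for the directories; empty means "/"
SS_DIRS="/etc/opt/SUNWicg /var/opt/SUNWicg /etc/skip"

# Constructed pkginfo-style sample (category, package, description). Only
# SUNWicgSS and SUNWdthj are names taken from the installation guide.
PKGINFO_SAMPLE='system      SUNWcsr        Core Solaris, (Root)
system      SUNWicgSS      SunScreen EFS 3.0 (constructed sample line)
application SUNWdthj       HotJava browser (constructed sample line)'

# installed_ss_packages PKGINFO_OUTPUT -> prints the SunScreen package names
# (SUNWicg* plus the bundled HotJava package SUNWdthj), one per line
installed_ss_packages() {
    printf '%s\n' "$1" | awk '$2 ~ /^SUNWicg/ || $2 == "SUNWdthj" { print $2 }'
}

# remove_ss_packages PKGINFO_OUTPUT -> runs pkgrm (non-interactive, -n) for
# every SunScreen package still registered; PKGRM=echo gives a dry run
remove_ss_packages() {
    PKGRM=${PKGRM:-pkgrm}
    for pkg in $(installed_ss_packages "$1"); do
        "$PKGRM" -n "$pkg" || return 1
    done
}

# remove_ss_dirs -> deletes the configuration directories left after pkgrm.
# Refuses to run if ROOT is set to something that is not a directory.
remove_ss_dirs() {
    if [ -n "$ROOT" ] && [ ! -d "$ROOT" ]; then
        echo "remove_ss_dirs: ROOT=$ROOT is not a directory" >&2
        return 1
    fi
    for d in $SS_DIRS; do
        [ -d "$ROOT$d" ] && rm -rf "$ROOT$d"
    done
    return 0
}

# ss_dirs_remaining -> prints whichever of the three directories still exist;
# an empty result means the manual cleanup is complete
ss_dirs_remaining() {
    for d in $SS_DIRS; do
        [ -d "$ROOT$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# Stand-alone run: show what the constructed sample would remove.
echo "SunScreen packages registered (sample):"
installed_ss_packages "$PKGINFO_SAMPLE"
echo "Configuration directories still present under '${ROOT:-/}':"
ss_dirs_remaining
```

On a real Screen the sequence is remove_ss_packages "$(pkginfo)" followed by remove_ss_dirs, run as root; setting PKGRM=echo first prints the pkgrm commands without executing them, and pointing ROOT at a scratch tree lets the directory step be rehearsed. Because the wizard's own uninstall class is not reliable, ss_dirs_remaining is a useful final check that nothing was left behind.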