SunScreen in the real world
How one organization grants users Internet access while shielding its online data.
With the Internet at their gateways, network administrators have become hostages. They fear external access can open up security holes or lead a trail of crumbs for potential hackers. Companies like Teknekron Software Systems (Palo Alto, CA) are limited by the lack of security options; there are many firewalls to choose from, yet few ways to secure traffic. To maintain security, Teknekron had no choice but to restrict Internet access to a privileged few, limit Internet e-mail, and forbid ftp access. Now thanks to SunScreen, an Internet security system by Sun's Internet Commerce Group (ICG), Teknekron has attained its Internet freedom.
"With SunScreen, we feel we could let people go onto the Internet; we could become full Internet participants," said John Mathon, head of Teknekron Internet projects and services. Teknekron first tested SunScreen last spring as an alpha and beta site. It is now in the process of installing the shipping version. (Teknekron also evaluated DEC's firewall, but found it offered little beyond bundled public domain software, Mathon said.)
Teknekron, a $120 million developer of network interface middleware for financial traders, turned to SunScreen out of necessity. Secure transactions are, of course, critical to traders, and Teknekron wanted to sell software that allows firms to transact business using the Internet -- safely.
With SunScreen, Teknekron creates for its customers (and itself) virtual private networks over the Internet through the use of an encrypted communications tunnel. Authentication also protects the information passing between two SunScreen boxes placed at both ends of the conversation.
For $68,000, SunScreen consists of firewall software, an IPX gateway to the Internet, an i486-based "administration station," consulting, and the SPF-100, which is a rebadged SPARCstation 5. The SPF-100 is the heart of SunScreen. This is where data packets are filtered and the encryption and authentication processes occur. Traffic packets can be filtered by connection type, address, protocol, or protocol port number.
According to Bob McKee, SunScreen product marketing manager, SunScreen runs an embedded, stripped-down version of Solstice. Unnecessary features were removed to accelerate the operating system as well as make it more secure. For instance, there is no rlogin or
On the other hand, Sun's security solution added value beyond the basic firewall protection. It provided multilayered protection with an "invisible" (no IP address) firewall. SunScreen also offered a superior security protocol, Simple Key-Management for Internet Protocols (SKIP), which generates the keys and digital certificates of authority. Using Diffie-Hellman certificates, the nodes can compute authenticated master keys, which can then be used to encrypt packets. (ICG serves as a SunScreen Certification Authority for worldwide key distribution and authority.)
McKee says Sun selected the DES, RC2, and RC4 public key encryption standards for their speed and changeable session key features. The faster the algorithms and the more often the keys change, the harder it is for the hacker to decode the encrypted data. Even if the hacker cracks one key, he or she will only get a portion of the data and will not be able to access the rest of the data because the keys are constantly changing, said McKee. In addition, administrators can set up SunScreen to use multiple encryption keys. SunScreen automatically implements the key changes. Yet another layer of protection is provided by a secure key storage device for validating both the data and the administrator of the administration station.
"SunScreen acts as two firewalls. It protects our service from outside access and then protects it further by protecting (our) transactions," Mathon said. "We are able to use the same box to accomplish both security objectives."
Configuration and setup
The SPF-100's five Ethernet ports make SunScreen flexible in its configuration. Teknekron runs different networks and protocols through four different interfaces, enabling the company to run several networks off the same box. The fifth port is used to interface the administrative station. The use of the last port for just the PC does not please Teknekron network administrator John Kirkman, who would rather group the administrative PC with the other groups to fully utilize the interface. However, the disadvantage posed by the "isolated" PC -- its inability to be used as a working desktop -- is precisely the extra security advantage SunScreen brings to its configuration. The isolated PC is insurance against hackers trying to capture the encryption keys residing on the administrative PC.
On the surface, SunScreen appears to operate like a router, but without the headaches of router configuration and setup. Rather than creating multiple subnets as in a traditional router-based network, Kirkman says SunScreen lets you configure your network around a single IP subnet. So instead of defining each protocol and who may use it for what, the protocols, like the users, are grouped by their functions as the administrator sees fit.
"It's a big win to establish a common access for all elements. You don't have clients; the clients get screened through the common access," said Kirkman. "It puts more logic behind the protocols."
SunScreen's use of groups lets network administrators map out the network logically. For instance, some protocols can be grouped by their purpose, such as "web services," while users are grouped by their rights. The rules which SunScreen then relies upon to regulate Internet activities reflect the traffic patterns the administrator plans for the network and its users.
The simplicity of SunScreen's single-subnetwork setup ultimately makes the network easier to maintain. Kirkman explains that once the groups are set up logically by rights and usage, adding users is straightforward. Worries about recreating routing instructions for each user are eliminated. The new user adopts the rules of the groups, and network traffic is routed accordingly.
"If the rules are good, it's a matter of snapping users in and out of groups," said Kirkman.
Kirkman sees SunScreen's unique method of network configuration and setup as the greatest hurdle for new users, yet well worth it in the end. "They will have to learn to think of how to set up on a relational structure basis instead of creating lists of rules," said Kirkman.
While SunScreen administrators will not have to fuss with tedious router rules lists, they will have to create a thorough security policy. SunScreen does not replace a security policy. In fact, it is impossible to install SunScreen without one.
"Just using SunScreen does not guarantee security," Mathon said. "You can configure it to have holes." New users must have a clear understanding of the relationships of the groups and their traffic rights before an effective set of filtering rules can implement a successful security policy.
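The group-based model Kirkman describes, as an added illustration (not SunScreen's own rule syntax or code): hosts are grouped by rights, protocols by purpose, and rules refer only to groups, so "snapping" an address into or out of a group changes what it may do without touching a single rule. First-match evaluation, the default deny, and all addresses and group names are assumptions of this example.

```python
from dataclasses import dataclass, field

# Protocol groups, named by purpose: group -> set of (transport, port).
PROTOCOL_GROUPS = {
    "web services": {("tcp", 80), ("tcp", 443)},
    "mail": {("tcp", 25)},
    "remote login": {("tcp", 23), ("tcp", 513)},  # telnet and rlogin
}

@dataclass
class GroupPolicy:
    # Host groups, named by rights: group -> set of IP addresses.
    host_groups: dict = field(default_factory=dict)
    # Rules name only groups: (source group, destination group,
    # protocol group, action). First match wins; no match means deny.
    rules: list = field(default_factory=list)

    def add_member(self, group, address):
        """'Snap a user in': the address inherits every rule of the group."""
        self.host_groups.setdefault(group, set()).add(address)

    def remove_member(self, group, address):
        """'Snap a user out': the address loses the group's rules."""
        self.host_groups.get(group, set()).discard(address)

    def decide(self, src, dst, transport, port):
        for src_group, dst_group, proto_group, action in self.rules:
            if (src in self.host_groups.get(src_group, ())
                    and dst in self.host_groups.get(dst_group, ())
                    and (transport, port) in PROTOCOL_GROUPS[proto_group]):
                return action
        return "deny"  # traffic no rule allows is dropped, not let through

def build_sample_policy():
    """Constructed sample: only the 'internet users' group may reach the
    Internet for web services; inbound remote login is explicitly denied."""
    policy = GroupPolicy()
    policy.add_member("internet users", "10.0.0.5")
    policy.add_member("staff", "10.0.0.9")
    policy.add_member("internet", "192.0.2.80")   # stand-in external host
    policy.rules = [
        ("internet users", "internet", "web services", "allow"),
        ("internet", "staff", "remote login", "deny"),
    ]
    return policy
```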
The PC-based administrative station is where the SPF-100's packet filtering rules are created, encryption parameters are set up, and the certification of keys is performed. The encryption keys reside on the PC station through the use of a PCMCIA card.
An audit trail provides network administrators with traffic activities and patterns, and a log browser is included for detailed analysis of suspicious traffic. Because the audit logs can pile up fairly quickly, Kirkman recommends printing out the log or reviewing the logs frequently.
Complete packets can be viewed, and packets captured for analysis. Passive and active alerts also can be created to notify an administrator if a certain threshold has been reached. For example, SunScreen can be programmed to shut down an interface if a particular source of traffic is found to repeatedly access the network. This is a particularly useful alert, since so many network access violations result from repetitive attempts from a single source.
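The repeated-source threshold alert described above, as an added example run over constructed audit-log lines (the log layout, field names, interface names and the threshold are assumptions, not SunScreen's real format): denied connections are counted per source within a sliding window, and a source that crosses the threshold produces one alert naming the interface an administrator could choose to disable.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample audit log (assumed layout, not SunScreen's own):
# timestamp, verdict, source, destination, protocol, port, interface.
SAMPLE_LOG = """\
1995-10-02 14:03:11 deny src=198.51.100.7 dst=10.0.0.9 proto=tcp port=23 if=le1
1995-10-02 14:03:12 deny src=198.51.100.7 dst=10.0.0.9 proto=tcp port=513 if=le1
1995-10-02 14:03:14 allow src=10.0.0.5 dst=192.0.2.80 proto=tcp port=80 if=le0
1995-10-02 14:03:15 deny src=198.51.100.7 dst=10.0.0.10 proto=tcp port=23 if=le1
1995-10-02 14:10:40 deny src=198.51.100.7 dst=10.0.0.11 proto=tcp port=23 if=le1
1995-10-02 14:10:41 deny src=203.0.113.4 dst=10.0.0.9 proto=tcp port=25 if=le1
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<verdict>allow|deny) src=(?P<src>\S+) dst=\S+ "
    r"proto=\S+ port=\d+ if=(?P<iface>\S+)")

def parse(line):
    """Return the fields of one log line, or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec

def find_repeat_offenders(log_text, threshold=3, window_seconds=60):
    """Return (source, interface, count) alerts for every source denied at
    least `threshold` times within `window_seconds`. Each source alerts once;
    old entries fall out of its window so a single burst is what triggers it."""
    recent = defaultdict(deque)  # source -> timestamps of recent denies
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["verdict"] != "deny":
            continue  # allowed traffic and junk lines are not counted
        window = recent[rec["src"]]
        window.append(rec["ts"])
        while (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and rec["src"] not in alerted:
            alerted.add(rec["src"])
            alerts.append((rec["src"], rec["iface"], len(window)))
    return alerts
```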
The Administration Station's simple PC interface surprised Kirkman. In fact, Kirkman says Unix administrators might be reluctant to accept SunScreen's simple interface as an effective one, given that Unix interfaces are traditionally complex command line interfaces. As Kirkman explains, your first reaction is that a $68,000 system would be complicated and require training, when in reality it is quite the opposite. SunScreen's administrative PC runs Windows to give network administrators a familiar interface for easy management.
Bandwidth and borders
Like the rest of the industry, Teknekron has its concerns about Internet bandwidth. With so many people using the Internet and the recent shortage of IP addresses, Teknekron is faced with the possibility of a bandwidth drain using a SunScreen-Internet configuration. At this time, available bandwidth is plentiful for the Teknekron network, which is routing Internet traffic at about one-sixth of Ethernet speed, said Kirkman. To be on the safe side, Kirkman and his team performed a bandwidth test and are pleased to report SunScreen was able to handle a sustained data rate of 56 to 128 kilobits per second without any degradation. Kirkman is not too concerned about the possible future growth in data bandwidth. He says the problem can be easily resolved with the addition of another SPF-100.
One obstacle facing Sun that can't be so easily resolved is the development of a SunScreen version that meets export restrictions (encryption devices and software are treated as munitions by the US government). SunScreen currently is only available for U.S. companies and their overseas subsidiaries. McKee says the Internet Commerce Group plans to introduce an exportable version of SunScreen in the first half of 1996. An exportable version of SunScreen will have a
But if Sun has anything to do with it, this too shall pass. Sun is actively lobbying in Washington D.C. to drive the resolution of encryption issues and SunScreen into the international