Firewall Operation Modes

You typically install SunScreen in either routing mode (where the Screen performs routing as well as firewall functions (or stealth mode (where no IP interfaces are exposed to the public or private network). You can also set up your Screen to operate in a "mixed mode" where the interfaces protecting you from the outside network are stealth and the interfaces to your internal network are routing. This configuration is not covered in this manual but you can find an example configuration in the SunScreen Configuration Examples manual.

Routing Mode

Typically, you operate the Screen in routing mode if you need a machine to act both as a router and a firewall. Another reason to choose Routing mode is if you want to use proxies with the firewall. In this mode, you need at least two exposed IP interfaces, and a hop visible to traceroute and other network utilities. In routing mode your firewall is visible and you have a slightly greater exposure to attack than when operating in stealth mode.

Be aware of the following considerations when operating in Routing mode:

• The existing Solaris machine must be acting as a router. The Screen uses Solaris to provide IP routing.

• The Screen makes use of the Solaris IP stack on the filtering interfaces, so it does not possess stealth characteristics.

• You must divide up different networks as you would with any router.

• The addition of a SunScreen to your network may require re-numbering IP addresses on your hosts (if you did not already have a router where your SunScreen is being placed.)

Stealth Mode

You can operate SunScreen in stealth mode if you do not need routing functions, or if you want to decrease possibilities for attacks. In stealth mode, SunScreen acts much like a bridge in that no IP interfaces are exposed to the public or private network, and packets are transparently filtered by the Screen. While operating in this mode, the Screen cannot be attacked through any means other than a denial of service attack, and cannot be seen or detected through traceroute or similar network tools.

Be aware of the following considerations when operating in stealth mode:

• The Screen acts similar to a bridge and does not route packets.

• Stealth mode does not require IP address re-numbering on hosts.

• You only need to configure the network interface you plan on using for remote administration.