Deciding on Your Initial Security Level

You must determine your initial level of security. You have three possible security levels to choose from when installing SunScreen in Routing mode. Each security level corresponds to a different set of network services permitted to, from, and through the Screen. If you are in doubt about which security level to select for the Initial configuration, use a more permissive security mode. You can always reconfigure it to be more secure by changing the rules using the Administration GUI.

If you only install the Core Distribution of Solaris, you will either have to change your DISPLAY variable for using the installer to a machine with a windowing system or install using the command line installation procedure described in Appendix A, Command Line Installation.

Security Levels

The security levels are:

• Restrictive--This level of security denies all traffic to, from, and through the Screen, except encrypted administration traffic. This level is best for deploying the Screen in a hostile network environment. It requires that static routing and the naming service have been configured on the host (that is, names must be resolved by means of a local hosts file).

• Secure--This level of security denies all traffic to and through the Screen, except encrypted administration traffic. It allows common services (like NFS) from the Screen, naming service selection (such as, DNS and NIS), and routing (RIP). This level is a good starting point to get a Screen up and running on a friendly network, where the Screen may not be a stand-alone machine and may depend on NIS, DNS, or NFS to function properly.

• Permissive--This level allows the same traffic as the Secure level and also allows inbound connections to the Screen itself and allows all traffic through the Screen. This security level is appropriate for installing the Screen on a machine that has multiple network interfaces and is acting as a router, or on a machine that is acting as a server (for example, for NFS, NIS, or HTTP).

Naming Services

You must also choose which naming service to use. You may choose one (NIS or DNS), both (NIS and DNS), or no naming service. Selection of NIS, DNS, or both NIS and DNS allows the name service packets to pass to the screen. To use a local host file, deselect both services.

Interfaces

In Routing mode, SunScreen automatically configures all plumbed Ethernet interfaces to filter. In Stealth mode, only the administrative port should be plumbed and all filtering interfaces should be configured using the SunScreen administration GUI after installation has completed. Stealth interfaces must not be configured in Solaris.

Once the following preparation criteria are met, continue to the appropriate chapter for your particular installation.