SunScreen 3.1 Reference Manual

Locating the SunScreen Screen

A Screen only controls traffic that passes through it and must, therefore, be placed in the network so that the traffic you want to control passes through it. All packets entering and leaving the network you want to control must pass through the Screen.

FIGURE 2-3 shows a Screen dividing a network. In this case, the Screen is placed at the single boundary between the Internet and the corporate network; it controls the traffic between those two networks.

If multiple paths exist between the Internet and the corporate network, then the Screen will not work optimally, because, depending on the routing, traffic can pass through the Screen in one direction, but can bypass it in the reverse direction. To control the traffic on a network properly, both the incoming traffic and the outgoing traffic must pass through the same Screen.

FIGURE 2-4 shows a network divided into several pieces by the Screen.

Figure 2-4 SunScreen as Internet Firewall Dividing a Network into Several Pieces


Like the example in Figure 2-3, two of these networks are the Internet and the company's network. In this example, however, the network is further divided into several demilitarized zones (DMZ) where public services reside. The advantage of dividing the network into one or more DMZs is that even if the systems on a DMZ are compromised, the traffic from that system must still pass through the Screen
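The two placement rules above (every path between two zones must cross the Screen, and the forward and return routes must both cross the same Screen) can be checked before a Screen is deployed. The following Python script is an added example and is not part of the SunScreen manual or product; the topologies, zone names (internet, corp, dmz, router2) and next-hop tables are constructed for illustration. It treats the network as a graph, checks whether removing the Screen node disconnects each pair of zones (the single-boundary condition of Figure 2-3 and the DMZ layout of Figure 2-4), and traces forward and return routes through per-router next-hop tables to expose the asymmetric-routing bypass the text warns about.

```python
"""Placement checks for a screening firewall ("Screen") between network zones.

Added example, not part of the SunScreen manual. All topologies, zone names
and routing tables below are constructed for illustration only.
"""
from collections import deque


def undirected(edges):
    """Adjacency map for an undirected topology given as (a, b) link pairs."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def reachable_without(graph, start, blocked):
    """Breadth-first search from `start` that never enters nodes in `blocked`."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in blocked and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def screen_separates(graph, screen, zone_a, zone_b):
    """True if every path between the two zones passes through `screen`,
    i.e. removing the Screen node disconnects them."""
    return zone_b not in reachable_without(graph, zone_a, {screen})


def audit(edges, screen, zones):
    """Map each unordered zone pair to whether the Screen separates it."""
    graph = undirected(edges)
    result = {}
    for i, a in enumerate(zones):
        for b in zones[i + 1:]:
            result[(a, b)] = screen_separates(graph, screen, a, b)
    return result


def trace_route(next_hop, src, dst, max_hops=32):
    """Follow per-node next-hop tables from src to dst.
    next_hop[node][dst] names the next node. Returns the hop list,
    or None if there is no route or a forwarding loop."""
    path = [src]
    node = src
    while node != dst:
        nxt = next_hop.get(node, {}).get(dst)
        if nxt is None or nxt in path or len(path) > max_hops:
            return None
        path.append(nxt)
        node = nxt
    return path


def both_directions_screened(next_hop, screen, a, b):
    """Report whether the forward and the return route each cross the Screen."""
    fwd = trace_route(next_hop, a, b)
    rev = trace_route(next_hop, b, a)
    return {
        "forward": fwd,
        "forward_screened": fwd is not None and screen in fwd,
        "reverse": rev,
        "reverse_screened": rev is not None and screen in rev,
    }


# Constructed topology: the Figure 2-3 layout, a single boundary.
GOOD_EDGES = [("internet", "screen"), ("screen", "corp")]

# Constructed topology: a second router links the Internet and the corporate
# network directly, so traffic can route around the Screen.
BAD_EDGES = GOOD_EDGES + [("internet", "router2"), ("router2", "corp")]

# Constructed topology: Figure 2-4 style, the Screen with a separate DMZ leg.
DMZ_EDGES = [("internet", "screen"), ("screen", "corp"), ("screen", "dmz")]

# Constructed routing tables for BAD_EDGES: outbound traffic goes via the
# Screen, but the corporate side returns via router2 (asymmetric routing).
ASYM_ROUTES = {
    "internet": {"corp": "screen"},
    "screen": {"corp": "corp", "internet": "internet"},
    "corp": {"internet": "router2"},
    "router2": {"internet": "internet"},
}

if __name__ == "__main__":
    print(audit(GOOD_EDGES, "screen", ["internet", "corp"]))
    print(audit(BAD_EDGES, "screen", ["internet", "corp"]))
    print(audit(DMZ_EDGES, "screen", ["internet", "corp", "dmz"]))
    print(both_directions_screened(ASYM_ROUTES, "screen", "internet", "corp"))
```

The topology audit catches the multiple-path problem structurally (a second link that lets any traffic avoid the Screen), while the route trace catches the operational form of it: the forward path `internet -> screen -> corp` is screened, but the return path `corp -> router2 -> internet` is not, which is exactly the one-direction-only filtering the text describes.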