You must determine your initial security level. There are three possible security levels when installing SunScreen in routing mode. (Installation in stealth mode automatically uses the Restrictive security level.) Each security level corresponds to a different set of network services permitted to, from, and through the Screen. If you are in doubt about which security level to select for the initial configuration, use the more permissive security level. You can always use the administration GUI to tighten the rules later.
The security levels are:
Restrictive - This level of security denies all traffic to, from, and through the Screen except encrypted administration traffic. This level is best for deploying the Screen in a hostile network environment. Static routing and the naming service must be configured on the host (that is, names must be resolved by means of a local hosts file).
Secure - This level of security denies all traffic to and through the Screen except encrypted administration traffic. It allows common services (like NFS) from the Screen, naming service selection (such as DNS and NIS), and routing (RIP). This level is a good starting point to get a Screen up and running on a friendly network, where the Screen may not be a standalone system and may depend on NIS, DNS, or NFS to function properly.
Permissive - This level allows the same traffic as the Secure level. It also allows inbound connections to the Screen itself and allows all traffic through the Screen. This security level is appropriate for installing the Screen on a system that has multiple network interfaces and is acting as a router, or on a system that is acting as a server (for example, for NFS, NIS, or HTTP). Permissive is the default level.
You must also choose which naming service to use. You may choose one (NIS or DNS), both (NIS and DNS), or no naming service. Selection of NIS, DNS, or both NIS and DNS allows the name service packets to pass to the Screen. To use a local host file, deselect both services.
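The Restrictive level, and any installation with both naming services deselected, leaves the Screen unable to send or receive name-service packets, so every name it needs must come from the local hosts file and the name-service switch must not fall back to NIS or DNS. The following pre-installation check is an added example and is not part of the SunScreen documentation; it takes an nsswitch.conf file, a hosts file, and the names the Screen must resolve (the administration station, for instance), and reports anything that would only resolve over the network. The file contents, hostnames, and addresses in the sample run are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the SunScreen documentation): verify that a host can
# resolve the given names without NIS or DNS traffic, as required for a Screen
# installed at the Restrictive level or with no naming service selected.
#
# Usage: check_local_name_resolution NSSWITCH_FILE HOSTS_FILE NAME...
# Returns 0 when the "hosts:" line lists only "files" and every NAME appears
# as a hostname or alias in HOSTS_FILE; otherwise prints each problem and
# returns 1.
check_local_name_resolution() {
    nsswitch="$1"; hosts="$2"; shift 2
    rc=0
    # Sources on the "hosts:" line, with any trailing comment removed.
    sources=$(sed -n 's/^hosts:[[:space:]]*//p' "$nsswitch" | sed 's/#.*//')
    [ -n "$sources" ] || { echo "nsswitch: no hosts: line found"; rc=1; }
    for src in $sources; do
        case "$src" in
            files) ;;
            *) echo "nsswitch: hosts line uses '$src', which needs name-service traffic the Screen will block"; rc=1 ;;
        esac
    done
    # Each required name must be a hostname or alias on an uncommented line.
    for name in "$@"; do
        if ! sed 's/#.*//' "$hosts" | awk -v n="$name" '
            NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
            END { exit found ? 0 : 1 }'; then
            echo "hosts: no entry for '$name'"; rc=1
        fi
    done
    return $rc
}

# Constructed sample files so the check runs stand-alone (hypothetical
# hostnames and addresses from the 192.0.2.0/24 documentation range).
tmp=${TMPDIR:-/tmp}/sunscreen-precheck.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/nsswitch.good" <<'EOF'
# constructed: hosts resolved from the local file only
hosts:      files
EOF
cat > "$tmp/nsswitch.bad" <<'EOF'
# constructed: falls back to DNS, which the Restrictive level blocks
hosts:      files dns
EOF
cat > "$tmp/hosts" <<'EOF'
# constructed sample hosts file
127.0.0.1       localhost
192.0.2.10      screen-1 loghost
192.0.2.20      admin-station
EOF

# Demonstration: the first configuration passes, the second reports the DNS fallback.
check_local_name_resolution "$tmp/nsswitch.good" "$tmp/hosts" screen-1 admin-station \
    && echo "local name resolution OK"
check_local_name_resolution "$tmp/nsswitch.bad" "$tmp/hosts" screen-1 \
    || echo "fix name resolution before installing at the Restrictive level"
```

Run the function against the real /etc/nsswitch.conf and /etc/hosts of the intended Screen host, listing the administration station and any other host the Screen must reach by name; a non-zero return means the installation would lose name resolution as soon as the Restrictive rules take effect.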
In routing mode, SunScreen automatically configures all plumbed interfaces to filter. In stealth mode, only the administrative interface is plumbed; after installation, you must configure all filtering interfaces using the SunScreen administration GUI. Stealth interfaces must not be configured in the Solaris operating environment.
Once the following preparation criteria are met, continue to the appropriate chapter for your particular installation.