SunScreen 3.2 Administrator's Overview

Routing and Stealth Mode Interfaces

SunScreen includes routing-mode capabilities from SunScreen EFS and stealth-mode from SunScreen SPF.

Routing Mode Interface

Routing-mode interfaces have IP addresses and can perform IP routing. Routing mode requires that you connect each interface to a different network with its own network number.

Access to all proxies is through the Transmission Control Protocol (TCP), and proxies can run only on Screens configured with at least one routing-mode interface.

Stealth Mode Interface

A SunScreen in stealth mode bridges the MAC layer. It therefore partitions an existing single network and, consequently, does not itself divide the network into subnetworks. A stealth-mode interface does not have an associated IP address.

In stealth mode, you must configure one interface as an administration interface (to perform remote administration). This interface is a special case of a routing interface, configured so that it passes only encrypted administration traffic between the Screen and a remote Administration Station.

Hardening the OS

If all of your filtering interfaces are in stealth mode, SunScreen offers optional hardening of the OS, which removes from the Solaris operating system the packages and files that SunScreen does not use, in accordance with the best practices described in http://www.sun.com/blueprints/browsesubject.html#security. Hardening in SunScreen 3.2 is based upon JASS (JumpStart Architecture and Security Scripts). The JASS scripts are in /usr/lib/sunscreen/admin/jass. The hardening script is /usr/lib/sunscreen/lib/harden_os. You can harden the OS at install time or later by running the script.

WARNING: this script cannot be reversed; once files have been removed, the only way to recover them is to reinstall Solaris.


Note - If some of your filtering interfaces are in stealth mode and other interfaces are in routing mode, you should not use the optional OS hardening that SunScreen offers.