An interface object is a common object that describes a network interface which is associated with a SunScreen configuration. You can manipulate interface objects through the administration GUI or the configuration editor.
When configuring interface objects, you must specify the type of interface being used. SunScreen uses five types of interfaces, which are discussed later in this section. Note that when using the configuration editor to add or modify an interface, the interface type must be typed using all caps as shown below:
ROUTING
STEALTH
ADMIN
HA
DISABLED
See the SunScreen 3.2 Installation Guide for detailed information about interface types and their installation, including a caution about mixing routing and stealth interface modes. See also the SunScreen 3.2 Administration Guide and the SunScreen 3.2 Configuration Examples, the latter of which includes an example of a mixed-mode configuration.
You can, as an option, associate any interface with a specific Screen object. If the specified Screen name is part of a centralized management group (CMG), this association is necessary to distinguish which interface definition belongs to which Screen.
In addition to the interface type and Screen parameters, there are several other parameters which are part of the interface object. These parameters are defined as follows:
Description - The interface description allows for an optional COMMENT of 256 characters or less.
Valid Addresses - Specifies the set of addresses reachable through a particular interface. The interface's valid address set is the basis for packet forwarding decisions in stealth mode and for source address spoof protection in routing mode.
Spoof Protection - Each routing interface is marked as having a complete or incomplete valid address set.
If the valid address set is complete, only the addresses defined in the set are allowed as the source address for packets received on the interface. Any other addresses are considered "spoofed" and the packets are dropped.
If the valid address set is incomplete, some of the source address spoof protection is disabled. Specifically, addresses defined in another interface's valid address set are disallowed on the incomplete interface, but addresses that are not explicitly assigned to another interface are considered legal, and therefore allowed.
If the valid address sets are empty and incomplete is set (default after routing mode install), all source addresses are valid on all interfaces.
If the address sets are empty, and complete is set, no source addresses are valid on any interface. The Screen will not pass any traffic if configured like this.
Spoof checking is the first thing that is done to a packet when it arrives on the interface. No other SunScreen processing is performed unless the packet passes the spoof check.
Address Overlap - Each routing interface may optionally specify an overlap parameter containing a set of addresses that are allowed to overlap between this interface's valid address set and that of another routing interface on the same Screen. Otherwise, it is an error to define two routing interfaces with overlapping valid address sets. This option is not available for stealth interfaces.
Logging - Identifies how a packet is logged when it arrives on an interface and does not match any rule or does not pass the spoof check. It has the values:
None - Do not log.
Summary - Record the first 40 bytes of the packet in the log.
Detail - Record the complete packet in the log.
SNMP Alerts - Specifies whether the Screen should issue an SNMP alert when a packet received on an interface does not match a rule or does not pass the spoof check. The options are:
SNMP_NONE - Do not send an SNMP alert message. This is the default.
SNMP - Send an SNMP alert message to the SNMP receivers listed in the Screen object when a packet received on this interface is rejected.
ICMP Action - Identifies the ICMP rejection message that is issued if a packet received on the interface is rejected. In most cases, the Screen rejects packets by sending an ICMP Destination Unreachable packet with the reject code set as specified in the ICMP action on the interface. However, if a TCP packet matches a DENY rule, and the ICMP action is set to PORT_UNREACHABLE, a TCP RESET packet is issued instead. It has the options:
NONE
NET_UNREACHABLE
HOST_UNREACHABLE
PORT_UNREACHABLE
NET_FORBIDDEN
HOST_FORBIDDEN
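The spoof check (complete versus incomplete valid address sets), the address-overlap rule and the disposition of a rejected packet (logging, SNMP alert, ICMP action and the TCP RESET substitution) are easier to reason about when written out. The following is an added example, not SunScreen's own code; the Interface class, the function names and the sample interface definitions are hypothetical, and the rule that an overlap range may be declared on either of the two interfaces is an assumption.

```python
# Added example, not SunScreen's own code: models the per-interface spoof
# check, the address-overlap rule and the disposition of a rejected packet
# as the text describes them. Class and function names are hypothetical.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import combinations


@dataclass
class Interface:
    name: str
    kind: str                       # ROUTING, STEALTH, ADMIN, HA or DISABLED
    valid: list = field(default_factory=list)    # valid address set (CIDR strings)
    complete: bool = False          # complete vs. incomplete valid address set
    overlap: list = field(default_factory=list)  # ranges allowed to overlap
    logging: str = "NONE"           # NONE, SUMMARY or DETAIL
    snmp: str = "SNMP_NONE"         # SNMP_NONE or SNMP
    icmp_action: str = "NONE"       # NONE, NET_UNREACHABLE, ..., HOST_FORBIDDEN

    def nets(self):
        return [ip_network(n) for n in self.valid]

    def contains(self, addr):
        return any(addr in n for n in self.nets())


def spoof_check(screen, ingress, src):
    """True if src is an acceptable source address for a packet on ingress.

    Complete set: only addresses in the set pass.  Incomplete set: addresses
    that belong to another routing interface's set are rejected, anything
    unclaimed is accepted.  With empty sets this gives the two extremes in
    the text: incomplete passes everything, complete passes nothing."""
    src = ip_address(src)
    if ingress.complete:
        return ingress.contains(src)
    others = [i for i in screen if i is not ingress and i.kind == "ROUTING"]
    return not any(o.contains(src) for o in others)


def overlap_errors(screen):
    """Configuration check: two routing interfaces may share address space
    only inside a declared overlap range (assumed here to count when it is
    declared on either interface)."""
    errors = []
    routing = [i for i in screen if i.kind == "ROUTING"]
    for a, b in combinations(routing, 2):
        allowed = [ip_network(n) for n in a.overlap + b.overlap]
        for na in a.nets():
            for nb in b.nets():
                if not na.overlaps(nb):
                    continue
                shared = na if na.subnet_of(nb) else nb   # the common range
                if not any(shared.subnet_of(x) for x in allowed):
                    errors.append(f"{a.name}/{b.name} overlap on {shared}")
    return errors


def reject(ingress, pkt, reason):
    """Actions for a packet rejected on ingress.  reason is 'spoof',
    'no_rule' or 'deny' (matched a DENY rule).  pkt is a dict with keys
    proto ('tcp'/'udp'/'icmp') and bytes (the raw packet)."""
    actions = []
    if reason in ("spoof", "no_rule"):              # interface-level logging
        if ingress.logging == "SUMMARY":
            actions.append(("log", pkt["bytes"][:40]))
        elif ingress.logging == "DETAIL":
            actions.append(("log", pkt["bytes"]))
        if ingress.snmp == "SNMP":
            actions.append(("snmp", "reject on " + ingress.name))
    if ingress.icmp_action != "NONE":
        if pkt["proto"] == "tcp" and reason == "deny" \
                and ingress.icmp_action == "PORT_UNREACHABLE":
            actions.append(("tcp", "RST"))           # RST replaces the ICMP error
        else:
            actions.append(("icmp", "dest-unreachable/" + ingress.icmp_action))
    return actions


def inbound(screen, ingress, pkt):
    """Spoof check runs before anything else; a failure ends processing."""
    if not spoof_check(screen, ingress, pkt["src"]):
        return ("drop", reject(ingress, pkt, "spoof"))
    return ("continue", [])


# Constructed sample: an inside interface with a complete set and an
# outside interface with the post-install default (empty, incomplete).
inside = Interface("qfe0", "ROUTING", valid=["10.0.0.0/8"], complete=True)
outside = Interface("qfe1", "ROUTING", logging="SUMMARY", snmp="SNMP",
                    icmp_action="PORT_UNREACHABLE")
screen = [inside, outside]

if __name__ == "__main__":
    bogus = {"src": "10.1.2.3", "proto": "udp", "bytes": b"\x45" * 64}
    print(inbound(screen, outside, bogus))   # dropped: 10/8 belongs to qfe0
    dmz = Interface("qfe2", "ROUTING", valid=["10.0.5.0/24"])
    print(overlap_errors(screen + [dmz]))    # overlaps qfe0 without a declaration
```

The sample shows the asymmetry the text describes: a packet claiming a 10.0.0.0/8 source on the outside interface is dropped even though that interface has no address set of its own, because the address is claimed by the inside interface, while a source nobody claims is let through to rule processing.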
Router IP Address - Specifies the router's address when the Interface type is stealth. A stealth interface may define up to five routers, by IP Address. These routers are used for forwarded traffic not on the local network.
Routing interfaces have one or more IP addresses and route packets using the standard IP routing mechanisms in the operating system. Each routing interface is connected to a different IP network just like a standard IP router. In terms of network placement, a Screen with routing interfaces replaces a router. A routing interface can also receive administrative traffic from a remote Administration Station.
Connections to and from proxies can only occur through ROUTING interfaces. Thus, to run proxies, or to install additional network services on the Screen, you must configure the Screen to have at least one routing interface.
Use routing interfaces when you need to:
Replace an existing router
Control packet flow between different IP networks
Receive administrative traffic for the SunScreen configuration
Install proxies or other network services on the Screen
A Screen with routing interfaces does not need a separate admin interface, because the administrative traffic can come in through one of the routing interfaces. If Screens are part of an HA cluster, they each must have a unique HA interface for the dedicated HA heartbeat network.
Stealth interfaces have no IP address. A Screen with stealth interfaces partitions an IP network and controls packet flow between the partitions. Screens containing only STEALTH interfaces are required to have one ADMIN interface for administrative traffic.
Although it acts much like an IP bridge or switch, a Screen with stealth interfaces does not implement the bridging algorithms that detect loops. Make sure that no loops exist in your network configuration where a packet could be sent out from one stealth interface and be received on another. Also note that HA (high availability) clusters require that the machines be connected by means of a non-switching hub.
Stealth interfaces provide a higher degree of security than routing interfaces because they are separate from the standard IP mechanisms used by the operating system. Thus, packets flowing through stealth interfaces cannot inadvertently leak into other network applications running on the system, thereby compromising the security of the firewall.
An admin interface is a special case of a routing interface configured only to pass administration traffic for the Screen. An admin interface is not required for a Screen with routing interfaces because routing interfaces can pass administration traffic through to the Screen.
Because stealth interfaces have no IP address, they cannot provide the IP address needed for administration traffic. You must, therefore, configure a Screen that has only stealth interfaces with an additional admin interface.
You can configure a Screen with a mixture of routing and stealth interfaces subject to the following restrictions:
Packets do not flow between the routing and stealth interfaces. Packets received on a stealth interface are only sent out on another stealth interface. Packets received on a routing interface are only sent out on another routing interface.
Any packet affected by NAT or encryption must only pass through the Screen once.
Each Screen that is part of an HA cluster must have a single, unique HA interface for the dedicated HA heartbeat network. It is possible to administer the HA cluster over this interface, but it is primarily for synchronizing the Screens within the cluster and passing configuration data from the primary Screen to the secondary Screens.
An interface of type DISABLED does not filter any traffic. It is important to understand that traffic can still flow across such an interface if it is configured "up" within Solaris. Care should be taken to understand the possible ramifications of using a DISABLED interface in this manner.
If the Screen contains ROUTING interfaces, it is possible for packets to flow between the DISABLED interface and the ROUTING interface (due to Solaris routing). The packets entering or leaving the disabled interface are not filtered, but the packets leaving the Screen over the ROUTING interface are filtered.
If the DISABLED interface is defined on a Stealth-mode-only Screen, it will pass no traffic.
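The constraints spread over this section (interface types typed in all caps, a stealth-only Screen needing an ADMIN interface, exactly one HA interface per HA cluster member, no forwarding between routing and stealth interfaces, and the unfiltered path through a DISABLED interface on a Screen with ROUTING interfaces) can be checked mechanically before a configuration is activated. The following is an added example, not SunScreen's own code; the function names and the (name, type) input format are hypothetical, and treating ADMIN and HA interfaces as terminating at the Screen rather than forwarding is an assumption.

```python
# Added example, not SunScreen's own code: checks a Screen's interface list
# against the constraints stated in the text and reports which forwarding
# paths between interface types exist and on which side they are filtered.
# The function names and the (name, type) input format are hypothetical.
TYPES = ("ROUTING", "STEALTH", "ADMIN", "HA", "DISABLED")


def validate_screen(interfaces, in_ha_cluster=False):
    """interfaces: list of (name, type) pairs as typed in the configuration
    editor.  Returns a list of (severity, message); an empty list means the
    Screen satisfies the rules in the text."""
    problems, kinds = [], []
    for name, kind in interfaces:
        if kind not in TYPES:
            hint = " (must be all caps)" if kind.upper() in TYPES else ""
            problems.append(("error", f"{name}: unknown interface type {kind!r}{hint}"))
            continue
        kinds.append(kind)
    if "STEALTH" in kinds and "ROUTING" not in kinds and "ADMIN" not in kinds:
        problems.append(("error", "stealth-only Screen needs an ADMIN interface"))
    if "ROUTING" in kinds and "STEALTH" in kinds:
        problems.append(("warning", "mixed mode: packets do not cross between "
                                    "routing and stealth interfaces"))
    if in_ha_cluster and kinds.count("HA") != 1:
        problems.append(("error", "HA cluster member needs exactly one HA interface"))
    return problems


def forwarding_path(ingress, egress):
    """Can a packet arriving on an interface of type ingress leave on one of
    type egress?  Returns (allowed, filtered_on), where filtered_on lists the
    interface types on which the Screen filters that traffic.  ADMIN and HA
    are assumed to terminate at the Screen; anything the text does not
    describe is treated as not forwarded."""
    pair = {ingress, egress}
    if pair == {"ROUTING"} or pair == {"STEALTH"}:
        return True, (ingress, egress)
    if pair == {"ROUTING", "DISABLED"}:
        # Solaris routing joins them; only the ROUTING side is filtered.
        # A DISABLED interface on a stealth-only Screen never reaches here.
        return True, ("ROUTING",)
    return False, ()


def unfiltered_paths(interfaces):
    """Audit helper: (ingress, egress) interface names where traffic crosses
    the Screen with one side unfiltered, i.e. the DISABLED caveat."""
    out = []
    for a_name, a_kind in interfaces:
        for b_name, b_kind in interfaces:
            if a_name == b_name:
                continue
            allowed, filtered = forwarding_path(a_kind, b_kind)
            if allowed and (a_kind not in filtered or b_kind not in filtered):
                out.append((a_name, b_name))
    return out


if __name__ == "__main__":
    # Constructed sample configurations (interface names are illustrative).
    print(validate_screen([("qfe0", "Stealth"), ("qfe1", "STEALTH")]))
    print(validate_screen([("qfe0", "ROUTING"), ("qfe1", "STEALTH"),
                           ("hme0", "HA")], in_ha_cluster=True))
    print(unfiltered_paths([("qfe0", "ROUTING"), ("qfe1", "DISABLED")]))
```

Running unfiltered_paths over a routing Screen with a DISABLED interface that is still "up" in Solaris reports both directions between the two, which is the situation the text warns about; on a stealth-only Screen the same DISABLED interface yields no path at all.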