You must determine your initial level of security. You have three possible security levels to choose from when installing SunScreen EFS 3.0 in routing mode. Each security level corresponds to a different set of network services permitted to, from, and through the Screen. If you are in doubt about which security level to select for the Initial configuration, use a more permissive security mode. You can always reconfigure it to be more secure by changing the rules using the Administration GUI.
The security levels are as follows:
Restrictive - This level of security denies all traffic to, from, and through the Screen, except encrypted administration traffic. This level is best for deploying the Screen in a hostile network environment. It requires that static routing and the naming service have been configured on the host (that is, names must be resolved by means of a local hosts file).
Secure - This level of security denies all traffic to and through the Screen, except encrypted administration traffic. It allows common services (like NFS) from the Screen, naming service selection (such as, DNS and NIS), and routing (RIP). This level is a good starting point to get a Screen up and running on a friendly network, where the Screen may not be a stand-alone machine and may depend on NIS, DNS, or NFS to function properly.
Permissive - This level allows the same traffic as the Secure level with the addition of allowing inbound connections to the Screen itself and allowing all traffic through the Screen. This security level is for installing the Screen onto a machine that has multiple network interfaces and is acting as a router, or on a machine that is acting as a server (for example, for NFS, NIS, or HTTP).
You must also determine which naming service to use. You may choose one (NIS or DNS), both (NIS and DNS), or none. For none, deselect both.
In routing mode, SunScreen EFS 3.0 automatically installs all Ethernet interfaces that have been configured on the machine. In stealth mode, only the interface used for remote administration should be configured, and the other interfaces must not be configured.
If you are converting FireWall-1 configurations for use on SunScreen EFS 3.0, or when planning to convert a FireWall-1 machine to a SunScreen EFS 3.0 machine, read the information and instructions in Chapter 7 first.
Once the following preparation criteria are met, continue to the appropriate chapter for your particular installation.