RE: SunScreen Lite vs. IPF.

From: Stuart Flisher (
Date: 08/14/01

From: "Stuart Flisher" <>
To: "'Tan Wee Yeh'" <>, "'Focus-Sun'" <>
Subject: RE: SunScreen Lite vs. IPF.
Date: Tue, 14 Aug 2001 11:50:54 +0100
Message-ID: <000401c124ae$fe3bb5c0$02d3020a@SONYVAIO>

I have installed SunScreen Lite without really any issues.

SunScreen Full can be deployed in a SunScreen HA pair for redundancy.
SunScreen Lite cannot. This is what the Readme refers to.

Don't install on Sun Cluster machines; word is that it is incompatible until
the next version of SS Lite (but don't quote me). Something to do with the
interfaces. Can't give you more info, I am afraid.

Didn't notice any performance impact with SS Lite. You should consider how
you wish to administer all the machines, i.e. command line or GUI. I prefer
command line myself.

One point: IPF is a packet filter (right?), whereas SunScreen is stateful.

Good luck.



-----Original Message-----
From: Tan Wee Yeh []
Sent: 11 August 2001 02:45
To: Focus-Sun
Subject: SunScreen Lite vs. IPF.


*Beginner alert*. Please pardon me if the answers are already

I'm in the midst of evaluating both SunScreen Lite and IP Filter
as a host-based firewall for some of our Solaris8 machines with
a private network. We do not need a perimeter defence (this is
already done by the nice network folks). One of the more
important features we want is to be able to run services within
the private network (on the boundary node) that are not accessible
from the public network.

I would like to know the following:
 - SunScreen Lite's README says that it "Cannot be a member of a
   HA cluster". Does this refer to the configuration of HA
   firewall or the more general HA setup like that provided with Sun
   Cluster 3.0?? We are going to run the machines with Cluster3
   so this is of fundamental importance.

 - What is the performance impact of either??

 - During the evaluation, what are the issues I should pay
   attention to? Currently, I have:
   - Features (just to make sure it can do what I want). I may
     alter the administration structure a little.
   - System requirements (The solution is for a group of machines
     so it will be best if the final choice can run nicely on all
     of them).
   - performance impact on the machines

Please correct me if you feel I have misunderstood any issues.


        Just me,
        Wire ...

Tan Wee Yeh
For PGP public key :
PGP fingerprint = CB 11 61 BE 4E EF FB 84  71 15 CF 22 46 FD 4C B3