
DATKO DATenKOmmunikation


ALL CONTENT IS PROVIDED "AS IS" WITHOUT ANY WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED.
Not yet ready, any improving comment is welcome.

Solaris 10 Security Features

Archives By Subject http://www.sun.com/solutions/blueprints/browsesubject.html#security
Scripts and Tools:    http://www.sun.com/solutions/blueprints/tools/index.html



(c) Joachim.Datko@datko.de


Security features by OSI layer

OSI layers (rows of the table): 7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Data Link, 1. Physical (Interfaces)

IP Protocol Suite
  7. Application : Application
  4. Transport   : TCP / UDP
  3. Network     : IP

IP Filter FireWall
  4. Transport   : Port (PAT)
  3. Network     : IP (NAT)

IPsec
  7. Application : encrypted data
  4. Transport   : TCP / UDP
  3. Network     : IPsec, IP ( Protocol Nr. 50 , 51 )

VPN Tunnel
  7. Application : encrypted data
  3. Network     : IPTunnel ( IP Original )

Kerberos v5
  7. Application : Kerberos Server
  3. Network     : IP

Secure LDAP Server
  7. Application : LDAP, server certificate, client certificate
  4. Transport   : SSL, TCP (636)
  3. Network     : IP

TCP Wrapper
  7. Application : TCP-Connection monitoring and filtering
  4. Transport   : TCP
  3. Network     : IP

SSH Secure Shell
  7. Application : SSH ( sshd )
  4. Transport   : TCP (22)
  3. Network     : IP

SSH Tunnel
  7. Application : client<-->daemon (pop3, ftp, smtp, ...)
  4. Transport   : TCP (22)
  3. Network     : IP

2. Data Link / 1. Physical : Interfaces





VPN Tunnel :

Every network packet is encrypted for transmission across an insecure network.
There are many proprietary protocols, such as SKIP from Sun Microsystems, developed for building VPNs. In the future IPsec will be used; for IPv6, IPsec is the recommended encryption standard.



Secure LDAP Server
SASL/DIGEST-MD5 and SSL/TLS 1.0

Providing native LDAP services in Solaris 9 is the integrated iPlanet Directory Server, complete with a license supporting as many as 200,000 directory entries. Administrators who use the LDAP-based directory should find it easier to manage users and resources throughout the enterprise.



TCP wrappers 7.6

is installed with Solaris 9, but needs additional configuration.
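The "additional configuration" is the pair of files /etc/hosts.allow and /etc/hosts.deny that tcpd consults for every wrapped connection. The evaluation order is the part administrators most often get wrong: hosts.allow is searched first and a match grants access, then hosts.deny is searched and a match denies, and if neither file matches the connection is granted. The following is an added example (not code from the page or from the TCP wrappers package) that re-implements that decision for a simplified subset of the hosts_access(5) pattern language (ALL, host name, address, a leading-dot domain suffix, a trailing-dot network prefix, net/mask, and EXCEPT) over constructed rule files and clients, so the fall-through behaviour can be seen directly.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    host: str   # reverse-resolved host name, or "" when unknown
    addr: str   # dotted IPv4 address


def _masked(addr: str, mask: str) -> tuple:
    """Apply a dotted netmask to a dotted address, octet by octet."""
    return tuple(int(a) & int(m) for a, m in zip(addr.split("."), mask.split(".")))


def _token_matches(token: str, client: Client) -> bool:
    """One client pattern (subset of hosts_access(5))."""
    token = token.strip()
    if token == "ALL":
        return True
    if token.startswith("."):            # ".example.com" matches a host-name suffix
        return client.host.endswith(token)
    if token.endswith("."):              # "192.168.1." matches an address prefix
        return client.addr.startswith(token)
    if "/" in token:                     # "10.0.0.0/255.0.0.0" net/mask form
        net, mask = token.split("/", 1)
        return _masked(client.addr, mask) == _masked(net, mask)
    return token in (client.host, client.addr)


def _client_list_matches(spec: str, client: Client) -> bool:
    """'list EXCEPT list': the EXCEPT part carves out of the first list."""
    if " EXCEPT " in spec:
        include, exclude = spec.split(" EXCEPT ", 1)
        return _client_list_matches(include, client) and not _client_list_matches(exclude, client)
    return any(_token_matches(t, client) for t in spec.split(","))


def _daemon_list_matches(spec: str, daemon: str) -> bool:
    if " EXCEPT " in spec:
        include, exclude = spec.split(" EXCEPT ", 1)
        return _daemon_list_matches(include, daemon) and not _daemon_list_matches(exclude, daemon)
    return any(t.strip() in ("ALL", daemon) for t in spec.split(","))


def _file_matches(text: str, daemon: str, client: Client) -> bool:
    """True if any 'daemon_list : client_list' line in the file matches."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line or ":" not in line:
            continue
        daemons, clients = [p.strip() for p in line.split(":", 2)[:2]]
        if _daemon_list_matches(daemons, daemon) and _client_list_matches(clients, client):
            return True
    return False


def access_decision(hosts_allow: str, hosts_deny: str, daemon: str, client: Client) -> str:
    """tcpd evaluation order: hosts.allow first, then hosts.deny, else grant."""
    if _file_matches(hosts_allow, daemon, client):
        return "allow"
    if _file_matches(hosts_deny, daemon, client):
        return "deny"
    return "allow"    # nothing matched: the wrappers fall through to granting access


# Constructed rule files for the demonstration.
HOSTS_ALLOW = """\
# only the admin LAN may reach sshd; the site domain except the lab host may use ftp
sshd    : 192.168.1.
in.ftpd : .example.com EXCEPT lab.example.com
"""
HOSTS_DENY = "ALL : ALL   # default deny for everything not listed in hosts.allow\n"
EMPTY_DENY = ""            # a forgotten hosts.deny: every unlisted client falls through


if __name__ == "__main__":
    admin = Client("pc7.example.com", "192.168.1.7")
    outsider = Client("", "10.9.8.7")
    print("sshd from LAN     :", access_decision(HOSTS_ALLOW, HOSTS_DENY, "sshd", admin))
    print("sshd from outside :", access_decision(HOSTS_ALLOW, HOSTS_DENY, "sshd", outsider))
    print("same, empty deny  :", access_decision(HOSTS_ALLOW, EMPTY_DENY, "sshd", outsider))
```

The last print line is the check worth running on a real system: with hosts.deny missing or empty, a client that matches nothing in hosts.allow is still let in, so a default "ALL : ALL" in hosts.deny is what turns the wrappers into a deny-by-default filter.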


Secure Shell ( ssh )    www.sun.com/bigadmin/features
Based on the established OpenSSH

Sun's SSH (Secure Shell) version 1.0 (protocol support for SSH versions 1.5/2.0)

A replacement for telnet, ftp, rlogin, rsh and rcp, and for encrypted X Window sessions.
a) No cleartext passwords
b) Session encryption, no cleartext data.

1. Server:

Generation of two public key pairs
a) Generation of the server host public and secret key : SHPK , SHSK
b) Start of the sshd process --> generation of the server public and secret key : SPK , SSK

2. Client

Asks the server for a secure connection.

3. Server

The server sends the client its two public keys : SHPK and SPK

4. Client

Encrypts a random number ( RN ) with SHPK and SPK and sends it to the server.

5. Server

The server decrypts RN with its two secret keys SSK and SHSK, and so obtains the random number RN.

6. Server and client

Both derive the same session key from the random number RN.
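The six steps above, carried through in code with the page's own symbols (SHPK/SHSK, SPK/SSK, RN). This is an added example, not code from the page or from Sun's SSH: it uses textbook RSA with tiny constructed primes purely to make the double encryption and decryption visible, and it assumes a hash of RN as the session-key derivation, which the text does not specify. Two details that the prose glosses over are made explicit: the client must apply the key with the smaller modulus first, since the inner ciphertext has to fit under the outer modulus, and the server peels the layers off in the reverse order.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class RsaKeyPair:
    n: int  # modulus, published as part of the public key
    e: int  # public exponent
    d: int  # private exponent, never leaves its owner


def make_keypair(p: int, q: int, e: int) -> RsaKeyPair:
    """Textbook RSA key pair from two primes and a public exponent (toy sizes)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e, Python 3.8+
    return RsaKeyPair(n, e, d)


def rsa_public(m: int, n: int, e: int) -> int:
    """Apply a public key (encrypt)."""
    return pow(m, e, n)


def rsa_private(c: int, key: RsaKeyPair) -> int:
    """Apply the matching private key (decrypt)."""
    return pow(c, key.d, key.n)


def derive_session_key(rn: int) -> bytes:
    """Step 6. Assumption: the session key is a hash of RN; the text only
    says the key is obtained 'using the random number RN'."""
    return hashlib.sha256(rn.to_bytes(4, "big")).digest()


def run_exchange(rn: int, host_key: RsaKeyPair, server_key: RsaKeyPair):
    """Steps 3 to 6. Returns (RN as recovered by the server, session keys agree?)."""
    # Step 3: the server publishes only the public halves, SHPK and SPK.
    shpk = (host_key.n, host_key.e)
    spk = (server_key.n, server_key.e)

    # Step 4: the client encrypts RN with SHPK, then with SPK. The inner
    # ciphertext must be below the outer modulus, hence the smaller key first.
    assert rn < shpk[0] < spk[0]
    c = rsa_public(rsa_public(rn, *shpk), *spk)

    # Step 5: the server removes the layers in reverse order: SSK, then SHSK.
    recovered_rn = rsa_private(rsa_private(c, server_key), host_key)

    # Step 6: each side derives the session key from its own copy of RN.
    client_session = derive_session_key(rn)
    server_session = derive_session_key(recovered_rn)
    return recovered_rn, client_session == server_session


# Constructed keys: 1a) host key pair (SHPK, SHSK) and 1b) the key pair the
# sshd process generates at start (SPK, SSK). Real keys are 1024 bits and more.
HOST_KEY = make_keypair(61, 53, 17)      # n = 3233
SERVER_KEY = make_keypair(101, 113, 3)   # n = 11413


if __name__ == "__main__":
    rn, agreed = run_exchange(1234, HOST_KEY, SERVER_KEY)   # 1234: constructed RN
    print(f"server recovered RN={rn}, session keys agree: {agreed}")
```

Because only the host with SHSK can strip the inner layer, a machine that merely impersonates the server's address cannot learn RN; that is why the client must pin the host key it saw the first time, and why a changed host key on a later connection deserves attention rather than a quick "yes".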


Remote Computing via SSH Port Tunneling

SSH listens on the client (remote home) machine on well-known ports (e.g. 25 for SMTP, 143 for IMAP, 80 for HTTP, X11) and forwards the traffic, encrypted, to the server machine.



Not in the Table

RBAC Role-Based Access Control

RBAC is an alternative to the traditional superuser model of root access to UNIX systems. It lets administrators assign rights to individual trusted users and allow specific operations, including access to such resources as serial ports, files, logs, user login control and system shutdown.
Users are authenticated before any role is assumed, and all privileged activities can be logged and associated with an account. Access control lists (ACLs) let you control file access rights on a per-user basis.

PAM Pluggable Authentication Modules

PAM provides a uniform means for the Solaris Operating Environment and for third-party applications to access user authentication facilities.
PAM modules can be constructed to support site-specific authentication requirements, for example an interface to a biometric scanning device for user identification.

Smart Card Support

Smart cards offer a tremendous boost to an enterprise's security architecture. Solaris 9 supports the following functions:
smart card authentication
storing of personal information
Java applet management
support for the Open Card Framework (OCF)

snoop Packet Filter

Solaris comes with snoop, its own sniffer utility.

Java Security

A more secure alternative to CGI and PHP for HTTP services. Java has several built-in mechanisms as well as a number of extensions that address security concerns.

* Java language security
* Sandbox
* byte code verifier, class loader, security manager

* The verification process - what is verified and how?
* Type safety - static type checking versus dynamic type checking

* Java Protection Domains Security Model
* Java Security Policy file and format (system and user file)

* Java Cryptography Architecture

* Message Digests

* Encryption and SSL

Sun ONE Application Server (J2EE 1.3 compliant)

The inclusion of application middleware in Solaris 9 OE can lower the cost of operations as companies develop Web services. Sun customers will still be able to work with third-party applications and middleware on Solaris 9 OE; the company is avoiding proprietary lock-ins.
Application servers act as intermediaries between customers browsing Web pages and the back-end databases. Application servers assemble database information into useful forms; for example, they can create online catalog pages on the fly or run shopping cart software that keeps track of customer purchases.

Preventing well-known TCP/IP attacks (examples)

  • Ping of Death attack
    Solaris is immune to this attack.

  • ip_respond_to_echo_broadcast, ip_forward_directed_broadcasts
    Set both to 0; this disables ping replies to broadcast addresses.

  • TCP_STRONG_ISS
    Different initial sequence number generation is possible (against packet replay attacks).
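The three tunables above are read and set with ndd(1M) (ndd -get / ndd -set on /dev/ip and /dev/tcp); the boot-time value of the ISS setting lives in /etc/default/inetinit as TCP_STRONG_ISS, where 2 selects the RFC 1948 style generation. The following is an added example, not from the page: a small audit in Python that compares a dump of the current values against the hardened ones and emits the ndd command for each deviation. The dump format (one "parameter value" line per tunable) is an assumption about how the values were collected, and the sample dump and inetinit fragment are constructed.

```python
import re

# Tunables named in the text, with the driver they belong to and the hardened value.
# ndd(1M) syntax: ndd -set <driver> <parameter> <value>
HARDENED = {
    "ip_respond_to_echo_broadcast": ("/dev/ip", "0"),
    "ip_forward_directed_broadcasts": ("/dev/ip", "0"),
    "tcp_strong_iss": ("/dev/tcp", "2"),   # 2 = RFC 1948 initial sequence numbers
}


def parse_ndd_dump(text: str) -> dict:
    """Parse 'parameter value' lines (assumed format of a collected ndd -get dump)."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(-?\d+)\s*$", line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def audit_tunables(current: dict) -> list:
    """Return (parameter, current, hardened, fix command) for every deviation."""
    findings = []
    for param, (driver, want) in HARDENED.items():
        have = current.get(param, "<unset>")
        if have != want:
            findings.append((param, have, want, f"ndd -set {driver} {param} {want}"))
    return findings


def audit_inetinit(text: str) -> list:
    """Check the boot-time ISS setting in /etc/default/inetinit (TCP_STRONG_ISS=n)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        m = re.match(r"TCP_STRONG_ISS\s*=\s*(\d+)$", line)
        if m and m.group(1) != "2":
            findings.append(("TCP_STRONG_ISS", m.group(1), "2",
                             "set TCP_STRONG_ISS=2 in /etc/default/inetinit"))
    return findings


# Constructed sample data: a dump from a host that still answers broadcast pings
# and uses the default ISS generator.
SAMPLE_NDD_DUMP = """\
ip_respond_to_echo_broadcast 1
ip_forward_directed_broadcasts 0
tcp_strong_iss 1
"""
SAMPLE_INETINIT = """\
# constructed /etc/default/inetinit fragment
TCP_STRONG_ISS=1
"""


def report() -> list:
    """Combined findings from the running kernel and the boot-time file."""
    return audit_tunables(parse_ndd_dump(SAMPLE_NDD_DUMP)) + audit_inetinit(SAMPLE_INETINIT)


if __name__ == "__main__":
    for param, have, want, fix in report():
        print(f"{param}: is {have}, should be {want}  ->  {fix}")
```

Values set with ndd do not survive a reboot, which is why the audit checks /etc/default/inetinit as well: a system can pass the ndd check today and come back up with the old sequence-number generator tomorrow.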



Minimal installation

Solaris 9 gives IT managers the option of performing a minimal installation. For example, you could choose not to install packages such as Telnet, DNS (Domain Name System) and NFS (Network File System) that could compromise security.

Sun ONE Portal Server

Trusted Solaris 8 (with EAL4 LSPP Common Criteria security certification, equivalent to the Orange Book B1)
( Not Solaris 9 )

Trusted Solaris 8 is a special Solaris OS release. It provides an additional layer of security that limits access to all types of system resources ( printers, files, applications, connections, ... ). Users can only access and interact with the information they have authorization for, and authorization can be granted or denied at low levels.

security hardening scripts


Solaris Fingerprint Database (MD5)

OE Solaris 8

The Solaris Fingerprint Database (sfpDB) is a SunSolve service that enables you to verify the integrity of files distributed with the Solaris OE (for example, the /bin/su executable file), Solaris patches and unbundled products such as SPARCcompilers. The Fingerprint Database is updated daily, and it now contains close to 1 million digital fingerprints for files used in the Solaris OE, Solaris patches and unbundled products.

SSL ACCELERATION

Boards for speeding up SSL.


Logging

  • Berkeley UNIX Syslogd

    • /var/adm/messages

  • Logging Files

    • /var/adm/lastlog

    • /var/adm/loginlog

    • /var/adm/utmpx

    • /var/adm/wtmpx

Process Accounting

A suite of programs developed to provide information about system use. From a security standpoint, the accounting package is a system monitoring tool.


BSM Basic Security Module
Part of the C2 security features.

  • Monitoring user commands using BSM audit logs (logging commands and system calls).

  • Security of I/O Devices (cartridge tape drive and floppy drive allocation)



ASET Automated Security Enhancement Tool

ASET is a set of administrative utilities that can improve system security. It checks the settings of system files, warns of potential security problems and can set system files according to the specified security level.

