Oracle Solaris 11 Security Guidelines     Oracle Solaris 11 Information Library
Document Information

Preface

1.  Overview of Oracle Solaris 11 Security

2.  Configuring Oracle Solaris 11 Security

Installing the Oracle Solaris OS

Securing the System

Verify Your Packages

Disable Unneeded Services

Remove Power Management Capability From Users

Place Security Message in Banner Files

Place Security Message on the Desktop Login Screen

Securing Users

Set Stronger Password Constraints

Set Account Locking for Regular Users

Set More Restrictive umask Value for Regular Users

Audit Significant Events in Addition to Login/Logout

Monitor lo Events in Real Time

Remove Unneeded Basic Privileges From Users

Securing the Kernel

Configuring the Network

Display Security Message to ssh and ftp Users

Disable the Network Routing Daemon

Disable Broadcast Packet Forwarding

Disable Responses to Echo Requests

Set Strict Multihoming

Set Maximum Number of Incomplete TCP Connections

Set Maximum Number of Pending TCP Connections

Specify a Strong Random Number for Initial TCP Connection

Reset Network Parameters to Secure Values

Protecting File Systems and Files

Protecting and Modifying Files

Securing Applications and Services

Creating Zones to Contain Critical Applications

Managing Resources in Zones

Configuring IPsec and IKE

Configuring IP Filter

Configuring Kerberos

Adding SMF to a Legacy Service

Creating a BART Snapshot of the System

Adding Multilevel (Labeled) Security

Configuring Trusted Extensions

Configuring Labeled IPsec

3.  Monitoring and Maintaining Oracle Solaris 11 Security

A.  Bibliography for Oracle Solaris Security

Configuring the Network

At this point, you might have created users who can assume roles, and have created the roles. Only the root role can modify system files.

From the following network tasks, perform the tasks that provide additional security according to your site requirements. These network tasks notify users who are logging in remotely that the system is protected, and strengthen the IP, ARP, and TCP protocols.

Task: Display warning messages that reflect your site's security policy.
Description: Notifies users and would-be attackers that the system is monitored.
For instructions: Display Security Message to ssh and ftp Users

Task: Disable the network routing daemon.
Description: Stops the system from exchanging routes dynamically with in.routed and, on a host that is not a gateway, from forwarding packets between networks.
For instructions: Disable the Network Routing Daemon

Task: Prevent the dissemination of information about the network topology.
Description: Prevents the forwarding of directed broadcast packets.
For instructions: Disable Broadcast Packet Forwarding
Description: Prevents responses to broadcast echo requests and multicast echo requests.
For instructions: Disable Responses to Echo Requests

Task: For systems that are gateways to other domains, such as a firewall or a VPN node, turn on strict source and destination multihoming.
Description: Prevents packets that do not have the address of the gateway in their header from moving beyond the gateway.
For instructions: Set Strict Multihoming

Task: Prevent DoS attacks by controlling the number of incomplete connections.
Description: Limits the allowable number of incomplete (half-open) TCP connections for a TCP listener.
For instructions: Set Maximum Number of Incomplete TCP Connections

Task: Prevent DoS attacks by controlling the number of permitted incoming connections.
Description: Specifies the default maximum number of pending TCP connections for a TCP listener.
For instructions: Set Maximum Number of Pending TCP Connections

Task: Generate strong random numbers for initial TCP connections.
Description: Complies with the sequence number generation method specified by RFC 1948.
For instructions: Specify a Strong Random Number for Initial TCP Connection

Task: Return network parameters to their secure default values.
Description: Restores security that was reduced by administrative actions.
For instructions: Reset Network Parameters to Secure Values

Task: Add TCP wrappers to network services to limit applications to legitimate users.
Description: Specifies the systems that are allowed access to network services, such as FTP.
For instructions: Oracle Solaris Administration: Network Services

By default, the sendmail application is protected with TCP wrappers, as described in Support for TCP Wrappers From Version 8.12 of sendmail in Oracle Solaris Administration: Network Services.

Display Security Message to ssh and ftp Users

Use this procedure to display warnings at remote login and file transfer.

Before You Begin

You must be in the root role. You created the /etc/issue file in Step 1 of Place Security Message in Banner Files.

  1. To display a security message to users who are logging in by using ssh, do the following:
    1. Uncomment the Banner directive in the /etc/ssh/sshd_config file and point it at /etc/issue.
      # vi /etc/ssh/sshd_config
      # Banner to be printed before authentication starts.
      Banner /etc/issue
    2. Refresh the ssh service so that sshd rereads its configuration. Existing sessions are not interrupted.
      # svcadm refresh ssh

    The banner is sent before authentication, so it is shown to everyone who connects, including users whose login then fails. For more information, see the issue(4) and sshd_config(4) man pages.

  2. To display a security message to users who are logging in by using ftp, do the following:
    1. Add the DisplayConnect directive to the /etc/proftpd.conf file.
      # vi /etc/proftpd.conf
      # Banner to be printed before authentication starts.
      DisplayConnect /etc/issue
    2. Restart the ftp service.
      # svcadm restart ftp

    For more information, see the ProFTPD web site.
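In sshd_config, any directive that comes after a Match line belongs to that Match block, so a Banner line that is appended to the end of the file may apply only to the users that block matches. The following shell functions, an added example that is not from the Oracle guide, rewrite an sshd_config file so that exactly one active Banner line remains in the global section, whether the file started with a commented-out "#Banner none", an active Banner pointing elsewhere, or no Banner line at all; lines inside Match blocks are copied unchanged. The file path, banner path and svcadm call in the usage comment are the ones from the procedure above; the functions and the test input are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: make the sshd Banner directive
# active exactly once in the global section of an sshd_config file.
#
# Usage on the system itself (as the root role):
#   set_banner /etc/ssh/sshd_config /etc/issue && svcadm refresh ssh

# set_banner FILE BANNER_PATH
# Rewrites FILE in place so that the global section contains one
# "Banner BANNER_PATH" line. Any Banner line before the first Match block,
# commented out or active, is replaced by it; if there is none, the line is
# inserted before the first Match block (or appended when there is no Match),
# so it never lands inside a Match block, where it would apply to that block
# only. Lines inside Match blocks are copied unchanged.
set_banner() {
    file=$1
    banner=$2
    tmp="$file.tmp.$$"
    # cp -p first so the rewritten file keeps the original mode and owner.
    cp -p "$file" "$tmp" || return 1
    awk -v banner="$banner" '
        function emit() { print "Banner " banner; done = 1 }
        /^[ \t]*Match[ \t]/ { if (!done) emit(); in_match = 1 }
        !in_match && /^[ \t]*#?[ \t]*Banner([ \t]|$)/ { if (!done) emit(); next }
        { print }
        END { if (!done) emit() }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# show_banner FILE
# Prints the Banner path that applies to all connections (the first active
# Banner line before any Match block), or nothing if there is none.
show_banner() {
    awk '
        /^[ \t]*Match[ \t]/ { exit }
        /^[ \t]*Banner[ \t]/ { print $2; exit }
    ' "$1"
}
```

Running set_banner a second time is a no-op, so it is safe to keep in a configuration script; show_banner is the check to run after svcadm refresh ssh to confirm which banner unauthenticated clients will see.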

Disable the Network Routing Daemon

If you specified a default router at installation, the system does not need to run the network routing daemon; use this procedure to disable it. Otherwise, perform this procedure after you have configured routing manually, so that the system does not lose its routes when dynamic routing stops.


Note - Many network configuration procedures require that the routing daemon be disabled. Therefore, you might have disabled this daemon as part of a larger configuration procedure.


Before You Begin

You must be assigned the Network Management rights profile.

  1. Verify that the routing daemon is running.
    # svcs -x svc:/network/routing/route:default
    svc:/network/routing/route:default (in.routed network routing daemon)
     State: online since April 10, 2011 05:15:35 AM PDT
       See: in.routed(1M)
       See: /var/svc/log/network-routing-route:default.log
    Impact: None.

    If the service is not running, you can stop here.

  2. Disable the routing daemon and packet forwarding.

    The first command turns off IP forwarding, which is appropriate for a host. On a system that must forward packets between networks, such as the firewall or VPN gateway described in Set Strict Multihoming, run only the second command, so that dynamic routing stops but forwarding continues. The -u option applies the persistent configuration to the running system; routeadm with no arguments prints the configured and current state of each option.

    # routeadm -d ipv4-forwarding -d ipv6-forwarding
    # routeadm -d ipv4-routing -d ipv6-routing
    # routeadm -u
  3. Verify that the routing daemon is disabled.
    # svcs -x routing/route:default
    svc:/network/routing/route:default (in.routed network routing daemon)
     State: disabled since April 11, 2011 10:10:10 AM PDT
    Reason: Disabled by an administrator.
       See: http://sun.com/msg/SMF-8000-05
       See: in.routed(1M)
    Impact: This service is not running.

See Also

routeadm(1M) man page

Disable Broadcast Packet Forwarding

By default, Oracle Solaris does not forward directed broadcast packets; the _forward_directed_broadcasts property defaults to 0, as the output in Step 2 shows. Because the property is tunable, use this procedure to confirm or restore that value if your site security policy requires you to reduce the possibility of broadcast flooding. A system that forwards directed broadcasts can be used as an amplifier in a smurf-style attack, in which one packet with a forged source address is turned into a reply from every host on the subnet.


Note - When you set the _forward_directed_broadcasts network property to 0, the system no longer forwards pings that are addressed to a subnet's broadcast address (broadcast pings).


Before You Begin

You must be assigned the Network Management rights profile.

  1. Set the broadcast packet forwarding property to 0 for IP packets.
    # ipadm set-prop -p _forward_directed_broadcasts=0 ip
  2. Verify the current value.
    # ipadm show-prop -p _forward_directed_broadcasts ip
    PROTO  PROPERTY                     PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ip    _forward_directed_broadcasts  rw   0         --           0         0,1

See Also

ipadm(1M) man page

Disable Responses to Echo Requests

Use this procedure to prevent the dissemination of information about the network topology. A host that answers echo requests sent to a broadcast or multicast address can be enumerated with a single packet to the subnet, and its replies can be directed at a forged source address in a smurf-style flood.

Before You Begin

You must be assigned the Network Management rights profile.

  1. Set the response to broadcast echo requests property to 0 for IP packets, then verify the current value.
    # ipadm set-prop -p _respond_to_echo_broadcast=0 ip
    
    # ipadm show-prop -p _respond_to_echo_broadcast ip
    PROTO  PROPERTY                  PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ip    _respond_to_echo_broadcast rw   0         --           1         0,1
  2. Set the response to multicast echo requests property to 0 for IP packets, then verify the current value.
    # ipadm set-prop -p _respond_to_echo_multicast=0 ipv4
    # ipadm set-prop -p _respond_to_echo_multicast=0 ipv6
    
    # ipadm show-prop -p _respond_to_echo_multicast ipv4
    PROTO  PROPERTY                  PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ipv4  _respond_to_echo_multicast rw   0         --           1         0,1
    # ipadm show-prop -p _respond_to_echo_multicast ipv6
    PROTO  PROPERTY                  PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ipv6  _respond_to_echo_multicast rw   0         --           1         0,1

See Also

For more information, see _respond_to_echo_broadcast and _respond_to_echo_multicast (ipv4 or ipv6) in Oracle Solaris Tunable Parameters Reference Manual and the ipadm(1M) man page.

Set Strict Multihoming

For systems that are gateways to other domains, such as a firewall or a VPN node, use this procedure to turn on strict multihoming.

The Oracle Solaris 11 release introduces a new property, hostmodel, for IPv4 and IPv6. This property controls the send and receive behavior for IP packets on a multihomed system. With the default value, weak, the system accepts a packet on any interface as long as the destination address is one of its own, and sends a packet out of whichever interface the routing table selects. With strong, the system accepts a packet only on the interface that owns the destination address and sends a packet only through the interface that owns its source address, so a packet that arrives on the outside interface of a firewall but is addressed to the inside interface is dropped rather than accepted.

Before You Begin

You must be assigned the Network Management rights profile.

  1. Set the hostmodel property to strong for IP packets.
    # ipadm set-prop -p hostmodel=strong ipv4
    # ipadm set-prop -p hostmodel=strong ipv6
  2. Verify the current value and note the possible values.
    # ipadm show-prop -p hostmodel ip
    PROTO  PROPERTY    PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ipv6   hostmodel   rw   strong    strong       weak      strong,src-priority,weak
    ipv4   hostmodel   rw   strong    strong       weak      strong,src-priority,weak

See Also

For more information, see hostmodel (ipv4 or ipv6) in Oracle Solaris Tunable Parameters Reference Manual and the ipadm(1M) man page.

For more information about the use of strict multihoming, see How to Protect a VPN With IPsec in Tunnel Mode in Oracle Solaris Administration: IP Services.

Set Maximum Number of Incomplete TCP Connections

Use this procedure to reduce exposure to denial of service (DoS) attacks, such as SYN floods, by controlling the number of pending connections whose three-way handshake is incomplete.

Before You Begin

You must be assigned the Network Management rights profile.

  1. Set the maximum number of incomplete (half-open) connections that a TCP listener can hold. The value 4096 is an example; the default, shown in Step 2, is 128. A larger queue lets a listener absorb a burst of SYNs, from a flood or from legitimate load, before it runs out of room for new handshakes.
    # ipadm set-prop -p _conn_req_max_q0=4096 tcp
  2. Verify the current value.
    # ipadm show-prop -p _conn_req_max_q0 tcp
    PROTO  PROPERTY         PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    tcp   _conn_req_max_q0  rw   4096      --           128       1-4294967295

See Also

For more information, see _conn_req_max_q0 in Oracle Solaris Tunable Parameters Reference Manual and the ipadm(1M) man page.

Set Maximum Number of Pending TCP Connections

Use this procedure to reduce exposure to DoS attacks by controlling the number of permitted incoming connections that have completed the handshake but have not yet been accepted by the application.

Before You Begin

You must be assigned the Network Management rights profile.

  1. Set the maximum number of pending (fully established, not yet accepted) connections per TCP listener. This value is also the ceiling for the backlog that an application requests with listen(3SOCKET); a larger request is silently reduced to it. The value 1024 is an example; the default, shown in Step 2, is 128.
    # ipadm set-prop -p _conn_req_max_q=1024 tcp
  2. Verify the current value.
    # ipadm show-prop -p _conn_req_max_q tcp
    PROTO  PROPERTY         PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    tcp   _conn_req_max_q   rw   1024      --           128       1-4294967295

See Also

For more information, see _conn_req_max_q in Oracle Solaris Tunable Parameters Reference Manual and the ipadm(1M) man page.

Specify a Strong Random Number for Initial TCP Connection

This procedure sets the TCP initial sequence number (ISN) generation method to comply with RFC 1948, under which each connection's ISN is derived from a keyed hash of the connection's addresses and ports plus a clock, so that an off-path attacker cannot predict the ISN of another connection and use it to spoof or hijack that connection. On Oracle Solaris the method is selected by the TCP_STRONG_ISS parameter in /etc/default/inetinit: 0 selects the old sequential scheme, 1 (the default) a random-increment scheme, and 2 the RFC 1948 scheme. The file is read at boot by the network initialization service, so the change takes effect at the next boot.

Before You Begin

You must be in the root role to modify a system file.

Reset Network Parameters to Secure Values

Many network parameters that are secure by default are tunable, so they can be changed. If site conditions permit, return the following tunable parameters to their default values.

Before You Begin

You must be assigned the Network Management rights profile. This procedure applies to a parameter whose current value has been changed from its default, which is the more secure setting.

  1. Set the source packet forwarding property to 0 for IP packets, then verify the current value.

    The default value prevents DOS attacks from spoofed packets.

    # ipadm set-prop -p _forward_src_routed=0 ipv4
    # ipadm set-prop -p _forward_src_routed=0 ipv6
    # ipadm show-prop -p _forward_src_routed ipv4
    PROTO  PROPERTY             PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ipv4  _forward_src_routed   rw   0         --           0         0,1
    # ipadm show-prop -p _forward_src_routed ipv6
    PROTO  PROPERTY             PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ipv6  _forward_src_routed   rw   0         --           0         0,1

    For more information, see forwarding (ipv4 or ipv6) in Oracle Solaris Tunable Parameters Reference Manual.

  2. Set the netmask response property to 0 for IP packets, then verify the current value.

    The default value prevents the dissemination of information about the network topology.

    # ipadm set-prop -p _respond_to_address_mask_broadcast=0 ip
    # ipadm show-prop -p _respond_to_address_mask_broadcast ip
    PROTO PROPERTY                           PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ip    _respond_to_address_mask_broadcast rw   0         --           0         0,1
  3. Set the timestamp response property to 0 for IP packets, then verify the current value.

    The default value removes additional CPU demands on systems and prevents the dissemination of information about the network.

    # ipadm set-prop -p _respond_to_timestamp=0 ip
    # ipadm show-prop -p _respond_to_timestamp ip
    PROTO  PROPERTY                        PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ip    _respond_to_timestamp            rw   0         --           0         0,1
  4. Set the broadcast timestamp response property to 0 for IP packets, then verify the current value.

    The default value removes additional CPU demands on systems and prevents dissemination of information about the network.

    # ipadm set-prop -p _respond_to_timestamp_broadcast=0 ip
    # ipadm show-prop -p _respond_to_timestamp_broadcast ip
    PROTO  PROPERTY                        PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ip    _respond_to_timestamp_broadcast  rw   0         --           0         0,1
  5. Set the ignore redirects property to 0 for IP packets, then verify the current value.

    The default value, 0, means that the system honors ICMP redirect messages; the default prevents additional CPU demands on systems. Use 0 only when you are returning the parameter to its default. The hardening direction is the opposite value, 1, which makes the system ignore redirects: they are typically not necessary on a well-designed network, and a system that honors them lets an attacker on the same link rewrite its routes with forged redirect messages.

    # ipadm set-prop -p _ignore_redirect=0 ipv4
    # ipadm set-prop -p _ignore_redirect=0 ipv6
    # ipadm show-prop -p _ignore_redirect ipv4
    PROTO  PROPERTY         PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ipv4  _ignore_redirect  rw   0         --           0         0,1
    # ipadm show-prop -p _ignore_redirect ipv6
    PROTO  PROPERTY         PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ipv6  _ignore_redirect  rw   0         --           0         0,1
  6. Prevent IP source routing.

    If you need IP source routing for diagnostic purposes, do not disable this network parameter.

    # ipadm set-prop -p _rev_src_routes=0 tcp
    # ipadm show-prop -p _rev_src_routes tcp
    PROTO  PROPERTY         PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    tcp   _rev_src_routes   rw   0         --           0         0,1

    For more information, see _rev_src_routes in Oracle Solaris Tunable Parameters Reference Manual.

See Also

ipadm(1M) man page
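Every procedure from Disable Broadcast Packet Forwarding through Reset Network Parameters to Secure Values is a set-prop followed by a show-prop, and the settings drift whenever someone changes a property for a test and forgets it. The script below, an added example that is not from the Oracle guide, audits all of those properties in one pass: check_props reads "proto:property:current" rows, compares them with the values this chapter sets (using the example queue sizes 4096 and 1024 for _conn_req_max_q0 and _conn_req_max_q), reports every property that drifted or is absent from the output, and fix_commands turns the report into the corresponding set-prop commands. It assumes that ipadm show-prop -c -o PROTO,PROPERTY,CURRENT prints colon-separated rows of exactly that shape; the sample output embedded in the script is constructed, not captured from a system, so the script demonstrates itself offline.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: audit the ipadm properties that
# this chapter sets and emit the set-prop commands that repair any drift.

# Expected values as "proto:property:value" rows. The rows mirror the
# procedures above; 4096 and 1024 are the example sizes used on this page.
# _ignore_redirect is omitted on purpose: its default (0) is what the Reset
# procedure restores, while 1 (ignore redirects) is the hardening direction.
HARDENED='ip:_forward_directed_broadcasts:0
ip:_respond_to_echo_broadcast:0
ipv4:_respond_to_echo_multicast:0
ipv6:_respond_to_echo_multicast:0
ipv4:hostmodel:strong
ipv6:hostmodel:strong
tcp:_conn_req_max_q0:4096
tcp:_conn_req_max_q:1024
ipv4:_forward_src_routed:0
ipv6:_forward_src_routed:0
ip:_respond_to_address_mask_broadcast:0
ip:_respond_to_timestamp:0
ip:_respond_to_timestamp_broadcast:0
tcp:_rev_src_routes:0'

# check_props
# Reads "proto:property:current" rows on stdin and prints one
# "proto property current expected" line per property that differs from
# HARDENED, plus "proto property MISSING expected" for any expected property
# that never appeared. Rows for other properties are ignored.
# Exit status: 0 if everything matches, 1 if anything drifted or is missing.
check_props() {
    awk -F: -v table="$HARDENED" '
        BEGIN {
            n = split(table, rows, "\n")
            for (i = 1; i <= n; i++) {
                split(rows[i], f, ":")
                want[f[1] ":" f[2]] = f[3]
            }
        }
        {
            key = $1 ":" $2
            if (!(key in want)) next
            seen[key] = 1
            if ($3 != want[key]) { print $1, $2, $3, want[key]; drift = 1 }
        }
        END {
            for (key in want)
                if (!(key in seen)) {
                    split(key, f, ":")
                    print f[1], f[2], "MISSING", want[key]
                    drift = 1
                }
            exit drift ? 1 : 0
        }'
}

# fix_commands
# Reads check_props output and prints the ipadm command that restores each
# drifted property. MISSING rows are skipped: a property that ipadm does not
# report cannot be set, so that case is left for a person to look at.
fix_commands() {
    while read -r proto prop current want; do
        if [ "$current" != MISSING ]; then
            printf 'ipadm set-prop -p %s=%s %s\n' "$prop" "$want" "$proto"
        fi
    done
}

# audit_live: run the audit on a Solaris 11 system. The parsable -c -o form of
# show-prop is assumed to print the colon-separated rows check_props expects.
audit_live() {
    ipadm show-prop -c -o PROTO,PROPERTY,CURRENT | check_props
}

# Constructed sample of show-prop output (not captured from a real system):
# two properties drifted, one expected property is absent, and one unrelated
# property is present to show that it is ignored.
SAMPLE_OUTPUT='ip:_forward_directed_broadcasts:0
ip:_respond_to_echo_broadcast:1
ipv4:_respond_to_echo_multicast:0
ipv6:_respond_to_echo_multicast:0
ipv4:hostmodel:strong
ipv6:hostmodel:strong
tcp:_conn_req_max_q0:128
tcp:_conn_req_max_q:1024
tcp:smallest_anon_port:32768
ipv4:_forward_src_routed:0
ipv6:_forward_src_routed:0
ip:_respond_to_address_mask_broadcast:0
ip:_respond_to_timestamp:0
ip:_respond_to_timestamp_broadcast:0'

audit_sample() {
    printf '%s\n' "$SAMPLE_OUTPUT" | check_props
}

# Demonstrate offline with the constructed sample: the drift report goes to
# stderr and the repair commands to stdout, so they can be reviewed and then
# run with sh. On a real system use audit_live in place of audit_sample.
if report=$(audit_sample); then
    echo "all audited properties are at their expected values"
else
    printf 'drift (proto property current expected):\n%s\n' "$report" >&2
    printf '%s\n' "$report" | fix_commands
fi
```

The repair commands use set-prop without -t, so, like the procedures above, they change the persistent value and survive a reboot; review the report before running them, because a drifted value on a gateway (forwarding, hostmodel) may be deliberate.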