Use the following information when installing and configuring the server and related equipment.
Contact your IT Security Officer for additional security requirements that pertain to your system and specific environment.
Passwords are an important aspect of security since poorly chosen passwords could result in unauthorized access to company resources. Implementing password management best practices ensures that users adhere to a set of guidelines for creating and protecting their passwords. Typical components of a password policy should define:
Password length and strength
Password duration
Common password practice
Enforce the following standard practices for creating strong complex passwords:
Do not create a password that contains the user name, employee name, or family names.
Do not select passwords that are easy to guess.
Do not create passwords that contain a consecutive string of numbers such as 12345.
Do not create passwords that contain a word or string that is easily discovered by a simple Internet search.
Do not allow users to reuse the same password across multiple systems.
Do not allow users to reuse old passwords.
Change passwords on a regular basis. This helps to prevent malicious activity and ensures that passwords adhere to current password policies.
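The practices above can be enforced mechanically at password-change time. The following is an added example (not code from Oracle's guide) that checks a candidate password against the listed rules; the minimum length, the three-character-class requirement, the sample user "jsmith" and the old-password history are all assumptions chosen for illustration.

```python
import hashlib
import re

# Assumed policy parameters (not from the guide): adjust to local policy.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3


def _hash(password: str) -> str:
    # Illustrative only: a production password history stores salted, slow
    # hashes (bcrypt, scrypt or Argon2), never a bare SHA-256 digest.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def has_consecutive_digits(password: str, run: int = 4) -> bool:
    """True if the password contains an ascending or descending digit run
    of at least `run` digits, such as 12345 or 54321."""
    for match in re.finditer(r"\d+", password):
        digits = [int(c) for c in match.group()]
        for i in range(len(digits) - run + 1):
            window = digits[i:i + run]
            steps = {b - a for a, b in zip(window, window[1:])}
            if steps == {1} or steps == {-1}:
                return True
    return False


def check_password(password, user_name, person_names, old_hashes):
    """Return the list of policy violations; an empty list means accepted.

    person_names: employee and family names that must not appear.
    old_hashes:   hashes of the user's previous passwords (no reuse).
    """
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    if sum(bool(re.search(p, password)) for p in classes) < MIN_CHARACTER_CLASSES:
        problems.append(f"needs at least {MIN_CHARACTER_CLASSES} character classes")
    for name in [user_name, *person_names]:
        if len(name) >= 3 and name.lower() in lowered:
            problems.append(f"contains the name '{name}'")
    if has_consecutive_digits(password):
        problems.append("contains a consecutive digit string")
    if _hash(password) in old_hashes:
        problems.append("reuses an old password")
    return problems
```

Reuse across multiple systems cannot be detected from one system's history; that rule still relies on user training or a central credential store.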
Refer to Oracle operating system (OS) documents for information on:
How to use security features when configuring your systems
How to operate securely when you add applications and users to a system
How to protect network-based applications
Security Guide documents for supported Oracle operating systems are part of the documentation library for the operating system. To find the Security Guide document for an Oracle operating system, go to the Oracle operating system documentation library:
Oracle Solaris OS - http://docs.oracle.com/cd/E23824_01/html/819-3195/index.html
Oracle Linux OS - http://www.oracle.com/technetwork/documentation/ol-1-1861776.html
Oracle VM - http://www.oracle.com/technetwork/documentation/vm-096300.html
For information on operating systems from other vendors, such as Red Hat Enterprise Linux, SUSE Linux Enterprise Server, Microsoft Windows, and VMware ESXi, refer to the vendor's documentation.
Different switches offer different levels of port security features. Refer to the switch documentation to learn how to do the following.
Use authentication, authorization, and accounting features for local and remote access to the switch.
Change every password on network switches that might have multiple user accounts and passwords by default.
Manage switches out-of-band (separated from data traffic). If out-of-band management is not feasible, then dedicate a separate virtual local area network (VLAN) number for in-band management.
Use the port mirroring capability of the network switch for intrusion detection system (IDS) access.
Maintain a switch configuration file off-line and limit access only to authorized administrators. The configuration file should contain descriptive comments for each setting.
Implement port security to limit access based upon MAC addresses. Disable auto-trunking on all ports.
Use these port security features if they are available on your switch:
MAC Locking involves associating a Media Access Control (MAC) address of one or more connected devices to a physical port on a switch. If you lock a switch port to a particular MAC address, superusers cannot create backdoors into your network with rogue access points.
MAC Lockout disables a specified MAC address from connecting to a switch.
MAC Learning uses the knowledge about each switch port's direct connections so that the network switch can set security based on current connections.
If you set up a virtual local area network (VLAN), remember that VLANs share bandwidth on a network and require additional security measures.
Separate sensitive clusters of systems from the rest of the network when using VLANs. This decreases the likelihood that users will gain access to information on these clients and servers.
Assign a unique native VLAN number to trunk ports.
Limit the VLANs that can be transported over a trunk to only those that are strictly required.
Disable VLAN Trunking Protocol (VTP), if possible. Otherwise, set the following for VTP: management domain, password, and pruning. Then set VTP into transparent mode.
Use static VLAN configurations, when possible.
Disable unused switch ports and assign them an unused VLAN number.
Keep InfiniBand hosts secure. An InfiniBand fabric is only as secure as its least secure InfiniBand host.
Note - Partitioning does not protect an InfiniBand fabric. Partitioning only offers InfiniBand traffic isolation between virtual machines on a host.