| Skip Navigation Links | |
| Exit Print View | |
|
SPARC and Netra SPARC T4 Series Servers Security Guide |
Oracle hardware and software provide a number of security features controlling hardware and tracking assets.
Some Oracle systems can be set up to be turned on and off by software commands. In addition, the power distribution units (PDUs) for some system cabinets can be enabled and disabled remotely by software commands. Authorization for these commands is typically set up during system configuration and is usually limited to system administrators and service personnel. Refer to your system or cabinet documentation for further information.
Oracle serial numbers are embedded in firmware located on option cards and system mother boards. These serial numbers can be read through local area network connections for inventory tracking.
Wireless radio frequency identification (RFID) readers can further simplify asset tracking. An Oracle white paper, How to Track Your Oracle Sun System Assets by Using RFID is available at:
Always install the latest released version of the software or firmware on your equipment. Devices such as network switches contain firmware and might require patches and firmware updates.
Install any necessary security patches for your software.
Follow these guidelines to ensure the security of local and remote access to your systems:
Create a banner to state that unauthorized access is prohibited.
Use access control lists where appropriate.
Set time-outs for extended sessions and set privilege levels.
Use authentication, authorization, and accounting (AAA) features for local and remote access to a switch.
If possible, use the RADIUS and TACACS+ security protocols:
RADIUS (Remote Authentication Dial In User Service) is a client/server protocol that secures networks against unauthorized access.
TACACS+ (Terminal Access Controller Access-Control System) is a protocol that permits a remote access server to communicate with an authentication server to determine if a user has access to the network.
Use the port mirroring capability of the switch for intrusion detection system (IDS) access.
Implement port security to limit access based upon a MAC address. Disable auto-trunking on all ports.
Limit remote configuration to specific IP addresses using SSH instead of Telnet. Telnet passes user names and passwords in clear text, potentially allowing everyone on the LAN segment to see login credentials. Set a strong password for SSH.
Early versions of SNMP are not secure and transmit authentication data in unencripted text. Only version 3 of SNMP can provide secure transmissions.
Some products come out of the box with PUBLIC set as the default SNMP community string. Attackers can query a community to draw a very complete network map and possibly modify management information base (MIB) values. If SNMP is necessary, change the default SNMP community string to a strong community string.
Enable logging and send logs to a dedicated secure log host.
Configure logging to include accurate time information, using NTP and timestamps.
Review logs for possible incidents and archive them in accordance with the security policy.
If your system controller uses a browser interface, be sure to log out after using it.
Follow these guidelines to maximize data security:
Back up important data using devices such as external hard drives, pen drives, or memory sticks. Store the backed up data in a second, off-site, secure location.
Use data encryption software to keep confidential information on hard drives secure.
When disposing of an old hard drive, physically destroy the drive or completely erase all the data on the drive. Deleting all the files or reformatting the drive will remove only the address tables on the drive - information can still be recovered from a drive after deleting files or reformatting the drive. (Use disk wiping software to completely erase all data on a drive.)
Follow these guidelines to maximize your network security:
Most switches allow you to define virtual local area networks (VLANs). If you use your switch to define VLANs, separate sensitive clusters of systems from the rest of the network. This decreases the likelihood that users will gain access to information on these clients and servers.
Manage switches out-of-band (separated from data traffic). If out-of-band management is not feasible, then dedicate a separate VLAN number for in-band management.
Keep Infiniband hosts secure. An Infiniband fabric is only as secure as its least secure Infiniband host.
Note that partitioning does not protect an Infiniband fabric. Partitioning only offers Infiniband traffic isolation between virtual machines on a host.
Maintain a switch configuration file off-line and limit access only to authorized administrators. The configuration file should contain descriptive comments for each setting.
Use static VLAN configuration, when possible.
Disable unused switch ports and assign them an unused VLAN number.
Assign a unique native VLAN number to trunk ports.
Limit the VLANs that can be transported over a trunk to only those that are strictly required.
Disable VLAN Trunking Protocol (VTP), if possible. Otherwise, set the following for VTP: management domain, password and pruning. Then set VTP into transparent mode.
Disable unnecessary network services, such as TCP small servers or HTTP. Enable necessary network services and configure these services securely.
Different switches will offer different levels of port security features. Use these port security features if they are available on your switch:
MAC Locking: This involves tying a Media Access Control (MAC) address of one or more connected devices to a physical port on a switch. If you lock a switch port to a particular MAC address, superusers cannot create backdoors into your network with rogue access points.
MAC Lockout: This disables a specified MAC address from connecting to a switch.
MAC Learning: Use the knowledge about each switch port’s direct connections so the switch can set security based on current connections.
|