Securing the Network in Oracle Solaris 11.1     Oracle Solaris 11.1 Information Library
1.  Using Link Protection in Virtualized Environments
Overview of Link Protection

With the increasing adoption of virtualization in system configurations, guest virtual machines (VMs) can be given exclusive access to a physical or virtual link by the host administrator. This configuration improves network performance by allowing the virtual environment's network traffic to be isolated from the wider traffic that is received or sent by the host system. At the same time, this configuration can expose the system and the entire network to the risk of harmful packets that a guest environment might generate.

Link protection aims to prevent the damage that potentially malicious guest VMs can cause to the network. The feature offers protection from the basic threats covered by the four protection types described in Link Protection Types: spoofing of the link's MAC address, spoofing of IP addresses (including through ARP), spoofing of the DHCP client identity, and the sending of L2 control frames other than IPv4, IPv6, and ARP.


Note - Link protection does not replace the deployment of a firewall, particularly for configurations with complex filtering requirements.


Link Protection Types

The link protection mechanism in Oracle Solaris supplies the following protection types:

mac-nospoof

Enables protection against spoofing the system's MAC address. If the link belongs to a zone, enabling mac-nospoof prevents the zone's owner from modifying that link's MAC address.

ip-nospoof

Enables protection against IP spoofing. By default, outbound packets with DHCP addresses and link local IPv6 addresses are allowed.

You can add addresses by using the allowed-ips link property. For IP packets, the packet's source address must match an address in the allowed-ips list. For an ARP packet, the packet's sender protocol address must be in the allowed-ips list.

dhcp-nospoof

Enables protection against spoofing of the DHCP client. By default, DHCP packets whose ID matches the system's MAC address are allowed.

You can add allowed clients by using the allowed-dhcp-cids link property. Entries in the allowed-dhcp-cids list must be formatted as specified in the dhcpagent(1M) man page.

restricted

Restricts outgoing packets to IPv4, IPv6, and ARP. This protection type is designed to prevent the link from generating potentially harmful L2 control frames.


Note - Packets that are dropped because of link protection are tracked by the kernel statistics for the four protection types: mac_spoofed, dhcp_spoofed, ip_spoofed, and restricted. To retrieve these per-link statistics, see How to View Link Protection Configuration and Statistics.
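To make the four protection types and their drop counters concrete, the following is an added Python model of the outbound checks described above. It is illustrative code written for this page, not Oracle's MAC-layer implementation; the dladm command lines in its header comment are the standard way to set the link properties it models. Assumptions: addresses the link obtained via DHCP are treated like allowed-ips entries for both IP and ARP packets, a DHCP client packet sent from the unspecified address is passed so that a lease can be obtained, and the link name vnic0, the MAC and IP addresses and the DHCP client IDs are constructed sample data (the client-ID string format is defined by dhcpagent(1M), not by this example).

```python
"""Model of the four Solaris link-protection checks (illustrative, not kernel code).

On a real system the checks are configured with dladm, for example:
    dladm set-linkprop -p protection=mac-nospoof,ip-nospoof,dhcp-nospoof,restricted vnic0
    dladm set-linkprop -p allowed-ips=192.0.2.10 vnic0
    dladm show-linkprop -p protection,allowed-ips,allowed-dhcp-cids vnic0
The counter names below mirror the kstat names the page lists.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional, Set, Tuple

# EtherTypes that "restricted" lets through, plus one L2 control type it drops.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_LLDP = 0x88CC  # sample L2 control frame; any non-IP/ARP EtherType is treated alike
PERMITTED_ETHERTYPES = {ETHERTYPE_IPV4, ETHERTYPE_IPV6, ETHERTYPE_ARP}


@dataclass
class Frame:
    """Only the fields of an outbound frame that the four checks inspect."""
    src_mac: str
    ethertype: int
    src_ip: Optional[str] = None          # IPv4/IPv6 source address
    arp_sender_ip: Optional[str] = None   # ARP sender protocol address
    dhcp_client_id: Optional[str] = None  # DHCP client identifier, set only on DHCP client packets


@dataclass
class ProtectedLink:
    mac: str                                                   # MAC assigned to the link by the host
    protection: Set[str] = field(default_factory=set)          # subset of the four protection types
    allowed_ips: Set[str] = field(default_factory=set)         # allowed-ips link property
    allowed_dhcp_cids: Set[str] = field(default_factory=set)   # allowed-dhcp-cids link property
    dhcp_leased_ips: Set[str] = field(default_factory=set)     # addresses obtained via DHCP (allowed by default)
    stats: Dict[str, int] = field(default_factory=lambda: {
        "mac_spoofed": 0, "ip_spoofed": 0, "dhcp_spoofed": 0, "restricted": 0})

    def _drop(self, counter: str) -> str:
        self.stats[counter] += 1
        return counter

    def _ip_permitted(self, addr: str) -> bool:
        # allowed-ips entries and DHCP-obtained addresses pass; link-local IPv6 passes by default.
        if addr in self.allowed_ips or addr in self.dhcp_leased_ips:
            return True
        ip = ip_address(addr)
        return ip.version == 6 and ip.is_link_local

    def filter_outbound(self, f: Frame) -> Optional[str]:
        """Return None if the frame may leave the link, else the kstat counter it is charged to."""
        if "restricted" in self.protection and f.ethertype not in PERMITTED_ETHERTYPES:
            return self._drop("restricted")
        if "mac-nospoof" in self.protection and f.src_mac.lower() != self.mac.lower():
            return self._drop("mac_spoofed")
        if "dhcp-nospoof" in self.protection and f.dhcp_client_id is not None:
            cid = f.dhcp_client_id.lower()
            if cid != self.mac.lower() and cid not in {c.lower() for c in self.allowed_dhcp_cids}:
                return self._drop("dhcp_spoofed")
        if "ip-nospoof" in self.protection:
            if f.ethertype == ETHERTYPE_ARP:
                if f.arp_sender_ip is None or not self._ip_permitted(f.arp_sender_ip):
                    return self._drop("ip_spoofed")
            elif f.ethertype in (ETHERTYPE_IPV4, ETHERTYPE_IPV6) and f.src_ip is not None:
                # Assumption: a DHCP client packet from the unspecified address passes so a lease can be obtained.
                dhcp_bootstrap = f.dhcp_client_id is not None and ip_address(f.src_ip).is_unspecified
                if not dhcp_bootstrap and not self._ip_permitted(f.src_ip):
                    return self._drop("ip_spoofed")
        return None


def run_demo() -> Tuple[List[Optional[str]], Dict[str, int]]:
    """Constructed guest traffic on vnic0 with all four protection types enabled."""
    vnic0 = ProtectedLink(
        mac="02:08:20:2b:9a:4c",
        protection={"mac-nospoof", "ip-nospoof", "dhcp-nospoof", "restricted"},
        allowed_ips={"192.0.2.10"},
        allowed_dhcp_cids={"01:02:08:20:2b:9a:4c"},  # constructed sample; real format per dhcpagent(1M)
    )
    own = vnic0.mac
    frames = [
        Frame(own, ETHERTYPE_IPV4, src_ip="192.0.2.10"),                         # passes: allowed-ips
        Frame(own, ETHERTYPE_IPV4, src_ip="192.0.2.77"),                         # ip_spoofed
        Frame(own, ETHERTYPE_ARP, arp_sender_ip="192.0.2.77"),                   # ip_spoofed: ARP for foreign IP
        Frame(own, ETHERTYPE_IPV6, src_ip="fe80::208:20ff:fe2b:9a4c"),           # passes: link-local IPv6
        Frame("02:08:20:ff:ff:ff", ETHERTYPE_IPV4, src_ip="192.0.2.10"),         # mac_spoofed
        Frame(own, ETHERTYPE_IPV4, src_ip="0.0.0.0", dhcp_client_id=own),        # passes: own client ID
        Frame(own, ETHERTYPE_IPV4, src_ip="0.0.0.0", dhcp_client_id="01:02:08:20:2b:9a:4c"),  # passes: allowed cid
        Frame(own, ETHERTYPE_IPV4, src_ip="0.0.0.0", dhcp_client_id="02:00:00:00:00:01"),     # dhcp_spoofed
        Frame(own, ETHERTYPE_LLDP),                                              # restricted
    ]
    verdicts = [vnic0.filter_outbound(f) for f in frames]
    return verdicts, vnic0.stats


if __name__ == "__main__":
    verdicts, stats = run_demo()
    for v in verdicts:
        print("pass" if v is None else f"drop -> {v}")
    print(stats)
```

The checks are applied in the order restricted, mac-nospoof, dhcp-nospoof, ip-nospoof, so a frame is charged to exactly one counter, which is what makes the per-link kstat values a usable signal: a non-zero ip_spoofed count with a zero mac_spoofed count, for instance, points at a guest sending from an address the host never placed in allowed-ips, not at a changed MAC.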