Oracle VM Server for SPARC 2.2 Security Guide
You can configure guest domains in a variety of ways to provide varying levels of guest domain isolation, hardware sharing, and domain connectivity. These factors contribute to the security level of the overall Oracle VM Server for SPARC configuration, to which you can apply some of the following general security principles:
Minimize the attack surface.
Minimize unintentional configuration errors by creating operational guidelines that enable you to regularly evaluate the security of the system. See “Counter Measure #1: Operational Guidelines” in Secure Deployment of Oracle VM Server for SPARC.
Carefully plan the architecture of the virtual environment to maximize the isolation of the domains. See the counter measures described for “Threat #2: Errors in the Architecture of the Virtual Environment” in Secure Deployment of Oracle VM Server for SPARC.
Carefully plan which resources to assign and whether they are to be shared. See “Counter Measure #7: Carefully Assigning Hardware Resources” and “Counter Measure #8: Careful Assignment of Shared Resources” in Secure Deployment of Oracle VM Server for SPARC.
Ensure that the logical domains are protected from manipulation by applying the counter measures described for “Threat #4: Manipulation of the Execution Environment” and “Counter Measure #28: Securing the Guest OS” in Secure Deployment of Oracle VM Server for SPARC.
Expose a guest domain to the network only when necessary. You can use virtual switches to limit a guest domain's network connectivity to only the appropriate networks.
Follow the steps to minimize the attack surface for Oracle Solaris 10 and Oracle Solaris 11 as described in Oracle Solaris 10 Security Guidelines and Oracle Solaris 11 Security Guidelines.
Protect the core of the hypervisor as described by “Counter Measure #15: Validating Firmware and Software Signatures” and “Counter Measure #16: Validating Kernel Modules” in Secure Deployment of Oracle VM Server for SPARC.
Protect the control domain against denial-of-service attacks. See “Counter Measure #17: Console Access” in Secure Deployment of Oracle VM Server for SPARC.
Ensure that the Logical Domains Manager cannot be run by unauthorized users. See “Threat #8: Unauthorized Use of Configuration Utilities” in Secure Deployment of Oracle VM Server for SPARC.
Ensure that the service domain cannot be accessed by unauthorized users or processes. See “Threat #9: Manipulation of a Service Domain” in Secure Deployment of Oracle VM Server for SPARC.
Protect an I/O domain or a service domain against denial-of-service attacks. See “Threat #10: Denial-of-Service of IO Domain or Service Domain” in Secure Deployment of Oracle VM Server for SPARC.
Ensure that an I/O domain cannot be accessed by unauthorized users or processes. See “Threat #11: Manipulation of an IO Domain” in Secure Deployment of Oracle VM Server for SPARC.
Disable unnecessary domain manager services. The Logical Domains Manager provides network services for domain access, monitoring, and migration. Disable any of the following network services when they are not being used:
Migration service on TCP ports 4983 and 8101
To disable this service, see the description of the ldmd/incoming_migration_enabled and ldmd/outgoing_migration_enabled properties in the ldmd(1M) man page.
Extensible Messaging and Presence Protocol (XMPP) support on TCP port 6482
To disable this service, see XML Transport in Oracle VM Server for SPARC 2.2 Administration Guide.
Simple Network Management Protocol (SNMP) on UDP port 161
Determine whether you want to use the Oracle VM Server for SPARC Management Information Base (MIB) to observe domains. This feature requires that the SNMP service is enabled. Based on your choice, do one of the following:
Enable the SNMP service to use the Oracle VM Server for SPARC MIB. Securely install the Oracle VM Server for SPARC MIB. See How to Install the Oracle VM Server for SPARC MIB Software Package in Oracle VM Server for SPARC 2.2 Administration Guide and Managing Security in Oracle VM Server for SPARC 2.2 Administration Guide.
Disable the SNMP service. To disable this service, see How to Remove the Oracle VM Server for SPARC MIB Software Package in Oracle VM Server for SPARC 2.2 Administration Guide.
Discovery service on multicast address 239.129.9.27 and port 64535
You cannot disable this service while the Logical Domains Manager daemon, ldmd, is running. Instead, use the IP Filter feature of Oracle Solaris to block access to this service, which minimizes the attack surface of the Logical Domains Manager. Blocking access prevents unauthorized use of the utility, which effectively counters denial-of-service attacks and other attempts to misuse these network services. See Chapter 20, IP Filter in Oracle Solaris (Overview), in Oracle Solaris Administration: IP Services and Using IP Filter Rule Sets in Oracle Solaris Administration: IP Services.
Also see “Counter Measure #14: Securing the ILOM” and “Counter Measure #20: Hardening LDoms Manager” in Secure Deployment of Oracle VM Server for SPARC.
Provide the least privilege to perform an operation.
Isolate systems into security classes, which are groups of individual guest systems that share the same security requirements and privileges. By assigning only guest domains from a single security class to a single hardware platform, you create an isolation barrier that prevents the domains from crossing into a different security class. See “Counter Measure #2: Carefully Assigning Guests to Hardware Platforms” in Secure Deployment of Oracle VM Server for SPARC.
Use RBAC to restrict the capability to manage domains with the ldm command. Only those users who must administer domains should be given this capability. Assign a role that uses the LDoms Management rights profile to users who require access to all of the ldm subcommands. Assign a role that uses the LDoms Review rights profile to users who only require access to the list-related ldm subcommands. See Using Rights Profiles and Roles in Oracle VM Server for SPARC 2.2 Administration Guide.
Use RBAC to restrict console access to only those domains that you, as the administrator of Oracle VM Server for SPARC, must access. Do not permit general access to all domains. See Using Rights Profiles and Roles in Oracle VM Server for SPARC 2.2 Administration Guide.
Monitor system activity.
Enable Oracle VM Server for SPARC auditing. See Enabling and Using Auditing in Oracle VM Server for SPARC 2.2 Administration Guide.
For recommendations about deploying the Oracle VM Server for SPARC software in a secure manner, see “Recommended Deployment Options” in Secure Deployment of Oracle VM Server for SPARC.
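The following added example (not part of the Oracle guide) checks `netstat -an` output for the Logical Domains Manager network services listed under "Disable unnecessary domain manager services" and prints an IP Filter rule for the discovery service, which cannot be disabled. The sample output and the `net0` interface are constructed, and treating the discovery service as UDP is an assumption.

```shell
#!/bin/sh
# Added example: flag Logical Domains Manager network services from this
# guide that are still reachable. Input is `netstat -an` text in the Oracle
# Solaris layout (local address written as addr.port).
audit_ldmd_ports() {
    awk '
    BEGIN {
        # Ports and remediation pointers as given in this guide.
        hint["tcp/4983"]  = "migration: see ldmd/incoming_migration_enabled, ldmd/outgoing_migration_enabled"
        hint["tcp/8101"]  = hint["tcp/4983"]
        hint["tcp/6482"]  = "XMPP: see XML Transport in the Administration Guide"
        hint["udp/161"]   = "SNMP: keep only if the Oracle VM Server for SPARC MIB is used"
        # Assumption: the multicast discovery service is UDP.
        hint["udp/64535"] = "discovery: cannot be disabled, block with IP Filter"
    }
    /^TCP:/ { proto = "tcp"; next }              # section headers select the protocol
    /^UDP:/ { proto = "udp"; next }
    proto == "" || NF < 2 { next }
    proto == "tcp" && $NF != "LISTEN" { next }   # ignore established sessions
    proto == "udp" && $NF != "Idle"   { next }   # ignore headers, connected sockets
    {
        port = $1; sub(/.*\./, "", port)         # text after the last dot
        key = proto "/" port
        if ((key in hint) && !(key in seen)) { seen[key] = 1; print "OPEN " key " " hint[key] }
    }'
}

# IP Filter rule for the discovery service; $1 is the interface (assumed name).
discovery_ipf_rule() {
    printf 'block in quick on %s proto udp from any to 239.129.9.27/32 port = 64535\n' "$1"
}

# Constructed sample of `netstat -an` output, not captured from a real system.
sample_netstat() {
    cat <<'EOF'
UDP: IPv4
   Local Address        Remote Address      State
-------------------- -------------------- ----------
      *.161                               Idle
      *.64535                             Idle

TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 128000      0 LISTEN
      *.4983               *.*                0      0 128000      0 LISTEN
192.168.1.10.41022   192.168.1.20.8101    64240      0 128872      0 ESTABLISHED
EOF
}

sample_netstat | audit_ldmd_ports
discovery_ipf_rule net0
```

On a control domain, pipe the live `netstat -an` output into `audit_ldmd_ports` instead of the sample. The outbound session to remote port 8101 is deliberately not reported, because only local listening ports count.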