Information Library for Solaris 2.6 (SPARC Platform Edition)

Network Security

The Solaris operating environment provides a security system that controls how users access files, protects system databases, and governs the use of system resources. Solaris security is network-wide: it covers several different systems, not just one. The security system is designed to accommodate different security models, so that a site can choose the model that best fits its needs now and in the future. Solaris 2.6 adds a number of features to the security system in the areas of access control, encryption, and authentication.

NFS Kerberos

Kerberos authentication uses DES encryption to authenticate NFS requests over the network, so a server no longer has to trust the user and group IDs that a client asserts under the default AUTH_SYS flavor. (DES uses a 56-bit key and is no longer considered a strong cipher.) The kernel implementations of the NFS and RPC network services have been modified to support a new RPC authentication flavor based on the Generic Security Service API (GSS-API). This support provides the hooks for adding stronger security to the NFS environment.

The share and mount commands have been extended so that an administrator can select the authentication flavor for an NFS file system, and can therefore require Kerberos for an exported file system. The share command also accepts more than one authentication flavor for the same file system, so that clients using different flavors can mount it, each with the access granted to its flavor.

For more information, refer to NFS Administration Guide.
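As an added example (not from NFS Administration Guide or from Sun), the shell function below audits constructed /etc/dfs/dfstab entries for file systems that hand out write access under a flavor that does not authenticate the client. The paths and the client name are assumptions. The option scoping it relies on, that each sec= option starts a new group whose following ro and rw options apply only to that flavor, with sys as the default flavor and rw as the default access, is this example's reading of share_nfs(1M) and nfssec(5); check it against the man pages for the release in use.

```sh
# Constructed dfstab entries (hypothetical paths and client name), in the form
# the share command takes.  The first and last give write access to sec=sys,
# the flavor that simply trusts the uid and gid the client sends; the second
# and third require Kerberos (krb4) for write access.
DFSTAB='share -F nfs -o rw /export/home
share -F nfs -o sec=krb4,rw /export/home2
share -F nfs -o sec=krb4,rw,sec=sys,ro /export/docs
share -F nfs -o sec=sys,rw=client1,sec=krb4,rw /export/src'

# weak_shares DFSTAB_TEXT: print the path of each share that grants write
# access under sec=sys or sec=none.  A bare "ro" makes a flavor read-only;
# rw, rw=list and ro=list are treated as leaving write access to some client
# (ro=list restricts only the hosts it names), which is the conservative reading.
weak_shares() {
    printf '%s\n' "$1" | awk '
    function weak(mode, access) {
        return ((mode == "sys" || mode == "none") && access == "rw") ? 1 : 0
    }
    /^[ \t]*share[ \t]/ {
        path = $NF; opts = ""
        for (i = 1; i < NF; i++) if ($i == "-o") opts = $(i + 1)
        n = split(opts, o, ",")
        mode = "sys"; access = "rw"; seen = 0; flag = 0
        for (j = 1; j <= n; j++) {
            if (o[j] ~ /^sec=/) {
                if (seen) flag += weak(mode, access)   # close the previous flavor
                seen = 1; mode = substr(o[j], 5); access = "rw"
            } else if (o[j] == "ro") {
                access = "ro"
            } else if (o[j] ~ /^(rw|ro=)/) {
                access = "rw"
            }
        }
        flag += weak(mode, access)                     # close the last flavor
        if (flag) print path
    }'
}

# Lists /export/home and /export/src; the krb4-only and sys-read-only
# exports are not reported.
weak_shares "$DFSTAB"
```

Run against the real file with `weak_shares "$(cat /etc/dfs/dfstab)"`; every path it prints is one where a client can write using nothing more than a uid it chose itself.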

RPCSEC_GSS

The user-level RPC implementation has been modified to support a new authentication flavor, RPCSEC_GSS. This flavor is built on the GSS-API and provides the hooks to add stronger authentication, privacy (encryption of RPC arguments and results), and integrity checking for RPC-based services.

Pluggable Authentication Modules (PAM) Framework

The PAM framework enables you to "plug in" new authentication technologies without changing the login, ftp, or telnet commands. You can also use PAM to integrate UNIX login with other security mechanisms like DCE or Kerberos.

Mechanisms for account, session, and password management can also be plugged in using this framework.

For more information on PAM and the benefits it provides, see System Administration Guide.
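As an added example, constructed for this page rather than taken from System Administration Guide or from the pam.conf file Sun ships: the /etc/pam.conf fragment below plugs a Kerberos module into the auth stack of login. The module name pam_krb5.so.1 is a hypothetical placeholder for whichever Kerberos module a site installs; the pam_unix and pam_dial_auth paths are the ones Solaris pam.conf uses. Each line has the form service, module type, control flag, module path.

```conf
# /etc/pam.conf (constructed example)
# service  module_type  control_flag  module_path
#
# Before: login authenticates against the UNIX password database only.
#login   auth     required    /usr/lib/security/pam_unix.so.1
#login   auth     required    /usr/lib/security/pam_dial_auth.so.1
#
# After: a Kerberos module is tried first.  "sufficient" means a Kerberos
# success satisfies the stack and pam_unix is not consulted; a Kerberos
# failure is ignored and the user falls back to the UNIX password.
# pam_krb5.so.1 is a hypothetical module name used for illustration.
login    auth     sufficient  /usr/lib/security/pam_krb5.so.1
login    auth     required    /usr/lib/security/pam_unix.so.1
login    auth     required    /usr/lib/security/pam_dial_auth.so.1
#
# Account, session and password management plug in the same way.
login    account  required    /usr/lib/security/pam_unix.so.1
login    session  required    /usr/lib/security/pam_unix.so.1
passwd   password required    /usr/lib/security/pam_unix.so.1
```

The login binary itself is unchanged: it calls the framework, which walks the login auth lines in order. Listing the new module first with required instead of sufficient would make both a Kerberos ticket and the UNIX password mandatory, which is the setting to choose if the fallback is not wanted.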

BIND 4.9.4-P1

The Solaris operating environment now includes and supports Berkeley Internet Name Domain (BIND) version 4.9.4, patch level 1, an implementation of the Domain Name System (DNS). BIND is the most widely used implementation of DNS and is critical for Internet connectivity: it provides the naming service that maps host names to IP addresses, holds mail routing (MX) information, and stores similar data for lookup. BIND consists of several programs and the resolver library. The main program is named, the daemon that answers DNS queries. Applications such as telnet obtain DNS information from named through the resolver library.

BIND 4.9.4-P1 improves security over the Internet. Earlier versions of BIND did little to prevent DNS spoofing: an intruder could cause named to return incorrect name data, for example by feeding it forged responses. Services that make access decisions on the basis of host names, such as the r-commands with their .rhosts and hosts.equiv files, and that do not verify the data (by checking that the address a name was resolved from also appears in the forward lookup of that name) could be tricked into granting remote access to unauthorized users. Version 4.9.4 fixes many of these holes.

For more information, see Solaris Naming Administration Guide.