Security Enhancements

The Solaris 9 release includes the following security enhancements.

Internet Key Exchange (IKE) Protocol

Internet Key Exchange (IKE) automates key management for IPsec. IKE replaces manual key assignment and refreshment on an IPv4 network. IKE enables the administrator to manage larger numbers of secure networks.

System administrators use IPsec to set up secure IPv4 networks. The in.iked daemon provides key derivation, authentication, and authentication protection at boot time. The daemon is configurable. The administrator sets up the parameters in a configuration file. After the parameters are set up, no manual key refreshment is required.

For further information, see “Internet Key Exchange” in System Administration Guide: IP Services.

Solaris Secure Shell

Secure Shell allows a user to securely access a remote host over an unsecured network. Data transfers and interactive user network sessions are protected from eavesdropping, session hijacking, and intermediary attacks. Solaris 9 Secure Shell supports SSHv1 and SSHv2 protocol versions. Strong authentication that uses public-key cryptography is provided. The X Window System and other network services can be tunneled safely over Secure Shell connections for additional protection.

The Secure Shell server, sshd, supports the monitoring and filtering of incoming requests for network services. The server can be configured to log the client host name of incoming requests and thus enhance network security. sshd uses the same mechanism that is used by the Tcp-wrappers 7.6 utility that is described in Freeware Enhancements.

For further information, see the sshd(1M), hosts_access(4), and hosts_options(4) man pages. See also “Using Solaris Secure Shell (Tasks)” in System Administration Guide: Security Services.

Kerberos Key Distribution Center (KDC) and Administration Tools

System administrators can improve system security by using Kerberos V5 authentication, privacy, and integrity. NFS is an example of an application that is secured with Kerberos V5.

The following list highlights the new features of Kerberos V5.

• Kerberos V5 Server – The server includes the following components:

  • Principal (user) administration system – Includes a centralized server for local and remote administration of principals and security policies. The system includes both a GUI and a CLI administration tool.

  • Key Distribution Center (KDC) – Uses the principal database information that was created by the administration server. Issues tickets for clients.

  • Principal database replication system – Duplicates the KDC database to a backup server.

• MIT and Microsoft Windows 2000 password change interoperability – Kerberos V5 passwords can now be changed from a Solaris client to an MIT Kerberos server and Microsoft Windows 2000.

• Tuned DES – Kerberos V5 kernel DES operations have been optimized for the Sun4u architecture.

• Kerberos-encrypted communications now supported with the Solaris core – An encryption module that supports Kerberos encrypted-communications is available in the Solaris 9 operating environment. Previously, an encryption module was available only on the Solaris Encryption Kit CD-ROM or through a web download.

• Addressless tickets – System administrators and users can now specify addressless tickets. This ability can be necessary in multihomed and NAT network environments.

• Kerberos V5 PAM module supports password aging – The pam_krb5 module supports password aging that is set in the KDC for each user principal.

For further information, see “Administering the Kerberos Database” in System Administration Guide: Security Services.

Secure LDAP Client

The Solaris 9 release includes new features for LDAP client-based security. A new LDAP library provides for SSL (TLS) and CRAM-MD5 encryption mechanisms. These encryption mechanisms enable customers to deploy methods for encryption over the wire between LDAP clients and the LDAP server.

The Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server 5.1) is the LDAP directory server. For further information on this server, see Networking Enhancements.

Encryption Modules for IPsec and Kerberos

Strong encryption for IPsec and Kerberos is included in the Solaris 9 release. Prior to this release, encryption modules were available only on the Solaris Encryption Kit CD-ROM or through a web download. A number of these algorithms are now in the Solaris 9 operating environment. These algorithms include 56-bit DES privacy support for Kerberos as well as 56-bit DES and 128–bit 3-key Triple-DES support for IPsec.

Support for even stronger encryption is available on the Solaris Encryption Kit CD-ROM or through web download. IPsec supports the 128-bit, 192-bit, or 256-bit Advanced Encryption Standard (AES), and 32-bit to 448-bit Blowfish in 8–bit increments.

For information on IPsec support, see “IPsec (Overview)” in System Administration Guide: IP Services. For information on Kerberos support, see “Introduction to SEAM” in System Administration Guide: Security Services.

IP Security Architecture for IPv6

The IPsec security framework has been enhanced in the Solaris 9 release to enable secure IPv6 datagrams between machines. For the Solaris 9 release, only the use of manual keys is supported when using IPsec for IPv6.

The IPsec security framework for IPv4 was introduced in the Solaris 8 release. The Internet Key Exchange (IKE) Protocol is available for IPv4.

For further information, see “IPsec (Overview)” in System Administration Guide: IP Services.

Role-Based Access Control (RBAC) Enhancements

Role-based access control (RBAC) databases can be managed through the Solaris Management Console graphical interface. Rights can now be assigned by default in the policy.conf file. In addition, rights can now contain other rights.

For further information on RBAC, see “Role-Based Access Control (Overview)” in System Administration Guide: Security Services. For information about the Solaris Management Console, see System Administration Tools.

Xserver Security Options

New options enable system administrators to allow only encrypted connections to the Solaris X server. For further information, see Solaris 9 Features for Desktop Users.

Generic Security Services Application Programming Interface (GSS-API)

The Generic Security Services Application Programming Interface (GSS-API) is a security framework that enables applications to protect their transmitted data. The GSS-API provides authentication, integrity, and confidentiality services to applications. The interface permits those applications to be entirely generic with respect to security. The applications do not have to check for the underlying platform, such as the Solaris platform, or security mechanism, such as Kerberos, being used. This means that applications that use the GSS-API can be highly portable.

For more information, see the GSS-API Programming Guide.

Additional Security Software

For information about SunScreen^TM 3.2, a firewall product, see Additional Software.

See also Freeware Enhancements for information about the Tcp-wrappers 7.6 freeware in the Solaris 9 release. Tcp-wrappers 7.6 are small daemon programs that monitor and filter incoming requests for network services.