What's New in the Solaris 9 9/04 Operating Environment

Security Enhancements

The Solaris 9 release includes the following security enhancements.

Internet Key Exchange (IKE) Protocol

Internet Key Exchange (IKE) automates key management for IPsec. IKE replaces manual key assignment and refreshment on an IPv4 network. IKE enables the administrator to manage larger numbers of secure networks.

System administrators use IPsec to set up secure IPv4 networks. The in.iked daemon provides key derivation, authentication, and authentication protection at boot time. The daemon is configurable. The administrator sets up the parameters in a configuration file. After the parameters are set up, no manual key refreshment is required.

For further information, see Chapter 21, Internet Key Exchange, in System Administration Guide: IP Services.

Solaris Secure Shell

Secure Shell allows a user to securely access a remote host over an unsecured network. Data transfers and interactive user network sessions are protected from eavesdropping, session hijacking, and intermediary attacks. Solaris 9 Secure Shell supports SSHv1 and SSHv2 protocol versions. Strong authentication that uses public-key cryptography is provided. The X Window System and other network services can be tunneled safely over Secure Shell connections for additional protection.

The Secure Shell server, sshd, supports the monitoring and filtering of incoming requests for network services. The server can be configured to log the client host name of incoming requests and thus enhance network security. sshd uses the same mechanism that is used by the Tcp-wrappers 7.6 utility that is described in Freeware Enhancements.

For further information, see the sshd(1M), hosts_access(4), and hosts_options(4) man pages. See also Chapter 11, Using Solaris Secure Shell (Tasks), in System Administration Guide: Security Services.
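As an added example (not from the Solaris documentation), the following POSIX shell script models the decision order that hosts_access(4) applies when sshd screens an incoming connection: a (daemon, client) pair that matches /etc/hosts.allow is granted, a pair that then matches /etc/hosts.deny is refused, and a pair matching neither table is granted. The two tables are constructed inline so the script runs offline; only a subset of the pattern syntax (ALL, LOCAL, exact names or addresses, leading-dot domain suffixes, trailing-dot network prefixes) is modelled, and the daemon names and addresses are illustrative.

```shell
#!/bin/sh
# Added example, not from the Solaris documentation: a simplified model of the
# hosts_access(4) decision order that sshd uses when it screens connections.
# Only ALL, LOCAL, exact names/addresses, leading-dot domain suffixes and
# trailing-dot network prefixes are modelled; EXCEPT, netmasks, KNOWN/PARANOID
# and option fields of the real syntax are left out.

# Constructed sample tables (what /etc/hosts.allow and /etc/hosts.deny might hold).
HOSTS_ALLOW='# permit ssh from the management subnet and the corporate domain
sshd : 192.168.1. , .corp.example.com
in.ftpd : LOCAL'
HOSTS_DENY='# refuse ssh from everywhere else, and everything from an untrusted domain
sshd : ALL
ALL : .untrusted.example'

# match_token PATTERN ITEM -> exit 0 when PATTERN covers ITEM
match_token() {
    mt_pat=$1; mt_item=$2
    case "$mt_pat" in
        ALL)   return 0 ;;
        LOCAL) case "$mt_item" in *.*) return 1 ;; *) return 0 ;; esac ;;
        .*)    case "$mt_item" in *"$mt_pat") return 0 ;; esac ;;   # domain suffix
        *.)    case "$mt_item" in "$mt_pat"*) return 0 ;; esac ;;   # network prefix
        *)     [ "$mt_pat" = "$mt_item" ] && return 0 ;;
    esac
    return 1
}

# list_matches "a , b" ITEM -> exit 0 when any comma/space separated token matches
list_matches() {
    lm_ifs=$IFS
    IFS=', '
    for lm_tok in $1; do
        IFS=$lm_ifs
        if match_token "$lm_tok" "$2"; then return 0; fi
    done
    IFS=$lm_ifs
    return 1
}

# table_matches TABLE DAEMON CLIENT -> exit 0 when some "daemons : clients" line matches
table_matches() {
    tm_table=$1; tm_daemon=$2; tm_client=$3
    tm_ifs=$IFS
    IFS='
'
    for tm_line in $tm_table; do
        IFS=$tm_ifs
        case "$tm_line" in '#'*|'') continue ;; esac      # skip comments and blank lines
        if list_matches "${tm_line%%:*}" "$tm_daemon" &&
           list_matches "${tm_line#*:}" "$tm_client"; then
            return 0
        fi
    done
    IFS=$tm_ifs
    return 1
}

# hosts_access DAEMON CLIENT -> prints allow or deny following the documented order
hosts_access() {
    if table_matches "$HOSTS_ALLOW" "$1" "$2"; then echo allow
    elif table_matches "$HOSTS_DENY" "$1" "$2"; then echo deny
    else echo allow                      # neither table matched: the default is to grant
    fi
}

hosts_access sshd 192.168.1.25                      # allow (network prefix in hosts.allow)
hosts_access sshd build.corp.example.com            # allow (domain suffix in hosts.allow)
hosts_access sshd 10.0.0.7                          # deny  (sshd : ALL in hosts.deny)
hosts_access in.telnetd 10.0.0.7                    # allow (no table mentions it)
hosts_access in.telnetd relay.untrusted.example     # deny  (ALL : .untrusted.example)
```

Because the final fallback is to grant, a site that wants sshd closed by default puts a catch-all such as `sshd : ALL` in hosts.deny and lists the permitted sources in hosts.allow, which is what the constructed tables above do; a hosts.allow entry is consulted first, so it wins over the catch-all.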

Kerberos Key Distribution Center (KDC) and Administration Tools

System administrators can improve system security by using Kerberos V5 authentication, privacy, and integrity. NFS is an example of an application that is secured with Kerberos V5.

The following list highlights the new features of Kerberos V5.

For further information, see Administering the Kerberos Database in System Administration Guide: Security Services.

Secure LDAP Client

The Solaris 9 release includes new features for LDAP client-based security. A new LDAP library provides for SSL (TLS) and CRAM-MD5 encryption mechanisms. These encryption mechanisms enable customers to deploy methods for encryption over the wire between LDAP clients and the LDAP server.

The Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server 5.1) is the LDAP directory server. For further information on this server, see Networking Enhancements.

Encryption Modules for IPsec and Kerberos

Strong encryption for IPsec and Kerberos is included in the Solaris 9 release. Prior to this release, encryption modules were available only on the Solaris Encryption Kit CD-ROM or through a web download. A number of these algorithms are now in the Solaris 9 operating environment. These algorithms include 56-bit DES privacy support for Kerberos as well as 56-bit DES and 128-bit 3-key Triple-DES support for IPsec.

Note –

Support for even stronger encryption is available on the Solaris Encryption Kit CD-ROM or through web download. IPsec supports the 128-bit, 192-bit, or 256-bit Advanced Encryption Standard (AES), and 32-bit to 448-bit Blowfish in 8-bit increments.

For information on IPsec support, see Chapter 19, IPsec (Overview), in System Administration Guide: IP Services. For information on Kerberos support, see Chapter 13, Introduction to SEAM, in System Administration Guide: Security Services.

IP Security Architecture for IPv6

The IPsec security framework has been enhanced in the Solaris 9 release to enable secure IPv6 datagrams between machines. For the Solaris 9 release, only the use of manual keys is supported when using IPsec for IPv6.

Note –

The IPsec security framework for IPv4 was introduced in the Solaris 8 release. The Internet Key Exchange (IKE) Protocol is available for IPv4.

For further information, see Chapter 19, IPsec (Overview), in System Administration Guide: IP Services.

Role-Based Access Control (RBAC) Enhancements

Role-based access control (RBAC) databases can be managed through the Solaris Management Console graphical interface. Rights can now be assigned by default in the policy.conf file. In addition, rights can now contain other rights.

For further information on RBAC, see Chapter 5, Role-Based Access Control (Overview), in System Administration Guide: Security Services. For information about the Solaris Management Console, see System Administration Tools.
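To show what the two RBAC changes above mean in practice (rights granted to every user by default through policy.conf, and rights profiles that contain other rights profiles), here is an added example that is not part of the Solaris documentation. It resolves the profiles and authorizations a user ends up with by walking nested profs= entries in the same way an administrator would trace them by hand. The prof_attr, user_attr and policy.conf contents are constructed samples laid out in the documented field formats; the user, profile and authorization names are illustrative, and the PROFS_GRANTED and AUTHS_GRANTED keys are the policy.conf(4) keys that carry the default grants.

```shell
#!/bin/sh
# Added example, not from the Solaris documentation: resolve the rights a user
# ends up with when RBAC profiles nest (profs= inside prof_attr entries) and
# when policy.conf grants profiles and authorizations to every user by default.
# The three databases are constructed samples in the documented field layouts;
# the user, profile and authorization names are illustrative.

PROF_ATTR='All:::Execute any command as the user or role:help=RtAll.html
Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read,solaris.jobs.users;profs=All;help=RtDefault.html
Printer Management:::Manage printers, daemons, spooling:auths=solaris.admin.printer.read,solaris.admin.printer.modify,solaris.admin.printer.delete;help=RtPrntAdmin.html
Media Backup:::Backup files and file systems:auths=solaris.admin.filemgr.read;help=RtMediaBkup.html
Operator:::Can perform simple administrative tasks:profs=Printer Management,Media Backup;help=RtOperator.html'

USER_ATTR='oper1::::type=normal;profs=Operator
guest1::::type=normal'

POLICY_CONF='# rights granted to every user, as policy.conf(4) allows
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User'

# rbac_resolve USER profs|auths: prints the closure of profiles (in resolution
# order) or the sorted set of authorizations for USER, comma separated.
rbac_resolve() {
    {
        printf '%s\n' "$POLICY_CONF" | sed 's/^/policy:/'
        printf '%s\n' "$PROF_ATTR"   | sed 's/^/prof:/'
        printf '%s\n' "$USER_ATTR"   | sed 's/^/user:/'
    } | awk -F: -v user="$1" -v mode="$2" '
    # value of key in a "k=v;k2=v2" attribute string, "" if absent
    function attr_value(s, key,   n, i, parts, eq) {
        n = split(s, parts, ";")
        for (i = 1; i <= n; i++) {
            eq = index(parts[i], "=")
            if (eq > 0 && substr(parts[i], 1, eq - 1) == key) return substr(parts[i], eq + 1)
        }
        return ""
    }
    function add_auths(list,   n, i, a) {
        n = split(list, a, ",")
        for (i = 1; i <= n; i++) if (a[i] != "") seen_auth[a[i]] = 1
    }
    # walk a comma-separated profile list, following nested profs= entries once each
    function add_profiles(list,   n, i, names, p) {
        n = split(list, names, ",")
        for (i = 1; i <= n; i++) {
            p = names[i]
            if (p == "" || (p in seen_prof) || !(p in prof_profs)) continue
            seen_prof[p] = 1
            order[++nprofs] = p
            add_auths(prof_auths[p])
            add_profiles(prof_profs[p])
        }
    }
    $1 == "prof"   { prof_auths[$2] = attr_value($6, "auths"); prof_profs[$2] = attr_value($6, "profs") }
    $1 == "user"   { if ($2 == user) { user_auths = attr_value($6, "auths"); user_profs = attr_value($6, "profs") } }
    $1 == "policy" && $2 !~ /^#/ { eq = index($2, "="); if (eq > 0) policy[substr($2, 1, eq - 1)] = substr($2, eq + 1) }
    END {
        add_auths(policy["AUTHS_GRANTED"])
        add_auths(user_auths)
        add_profiles(user_profs)                 # profiles assigned in user_attr come first
        add_profiles(policy["PROFS_GRANTED"])    # then the site-wide defaults from policy.conf
        out = ""; sep = ""
        if (mode == "profs") {
            for (i = 1; i <= nprofs; i++) { out = out sep order[i]; sep = "," }
        } else {
            n = 0
            for (a in seen_auth) sorted[++n] = a
            for (i = 2; i <= n; i++) {           # insertion sort for deterministic output
                v = sorted[i]; j = i - 1
                while (j > 0 && sorted[j] > v) { sorted[j + 1] = sorted[j]; j-- }
                sorted[j + 1] = v
            }
            for (i = 1; i <= n; i++) { out = out sep sorted[i]; sep = "," }
        }
        print out
    }'
}
effective_profs() { rbac_resolve "$1" profs; }
effective_auths() { rbac_resolve "$1" auths; }

effective_profs oper1    # Operator,Printer Management,Media Backup,Basic Solaris User,All
effective_auths guest1   # solaris.device.cdrw,solaris.jobs.users,solaris.profmgr.read
```

The point the walk makes visible is that a default in policy.conf reaches every account, including one like guest1 with no entry of its own in user_attr, and that assigning one profile (Operator) silently brings in everything the profiles it contains grant; reviewing the effective set rather than the assigned list is what keeps such grants within least privilege.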

Xserver Security Options

New options enable system administrators to allow only encrypted connections to the Solaris X server. For further information, see Solaris 9 Features for Desktop Users.

Generic Security Services Application Programming Interface (GSS-API)

The Generic Security Services Application Programming Interface (GSS-API) is a security framework that enables applications to protect their transmitted data. The GSS-API provides authentication, integrity, and confidentiality services to applications. The interface permits those applications to be entirely generic with respect to security. The applications do not have to check for the underlying platform, such as the Solaris platform, or security mechanism, such as Kerberos, being used. This means that applications that use the GSS-API can be highly portable.

For more information, see the GSS-API Programming Guide.

Additional Security Software

For information about SunScreen 3.2, a firewall product, see Additional Software.

See also Freeware Enhancements for information about the Tcp-wrappers 7.6 freeware in the Solaris 9 release. Tcp-wrappers 7.6 is a set of small daemon programs that monitor and filter incoming requests for network services.