The following standard security precautions will help safeguard your network.
Design your network for as few software components per machine as is compatible with the machine's purpose. Any software product has the potential to introduce security holes, whether through known vulnerabilities or through bugs. The fewer processes running and the fewer protocols supported, the more secure the computer will be.
In addition, if an intruder compromises one computer, only a portion of the resources and services in your system is affected.
Disable Solaris services that are not needed on the particular computer. Solaris ISP Server host configuration software offers recommendations based on your choice of application software, for example, disabling some 'r' commands (such as rlogin) to protect passwords and to keep unauthorized individuals from accessing hosts. Unless you have a specific reason for enabling a service, accept these recommendations.
Change passwords regularly and encourage using difficult-to-guess passwords. The directory services do not enforce periodic changing of passwords; you must have your users change them at appropriate intervals.
Use public-key cryptography to encrypt all traffic between trusted hosts at the IP level. SunScreen SKIP, bundled with Solaris ISP Server, authenticates incoming IP traffic and ensures that outgoing data is not altered or viewed by others while in transit.
Use routers that can identify trusted hosts and block spoofed IP addresses.
Fix vulnerabilities and bulletproof your code. Ensure that all applications check buffer limits and prevent overruns.
Grant access only to the portions of the system that employees need to do their jobs. Limit administrator rights to only those services they actually manage. Sun Internet Administrator supports this effort by offering a centralized way to manage administrator access. Administrators do not even need UNIX accounts to do their work.
Implement security mechanisms such as network monitoring and firewalls.
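To verify the precaution about disabling unneeded 'r' commands, the following added example (not part of Solaris ISP Server or its host configuration software) reports r-command services that are still enabled in an inetd.conf-style file. It assumes the classic inetd.conf layout, typically /etc/inet/inetd.conf on Solaris, and a POSIX awk (nawk on older Solaris releases); the sample entries are constructed.

```shell
#!/bin/sh
# Added example: list BSD r-command services still enabled in an inetd.conf file.
# Assumed line format (a leading '#' disables the entry):
#   service  socket  proto  wait  user  server-path  args...

# Names inetd uses for rlogin, rsh and rexec.
R_SERVICES="login shell exec"

# audit_r_services FILE
# Prints "service server-path" for each enabled r-service.
# Returns 0 if none are enabled, 1 if any are, 2 if FILE is unreadable.
audit_r_services() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    found=$(awk -v want="$R_SERVICES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) r[w[i]] = 1 }
        /^[ \t]*#/ { next }          # commented out, so disabled
        NF < 6     { next }          # not a complete service entry
        ($1 in r)  { print $1, $6 }  # enabled r-service and its daemon
    ' "$conf")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample: rlogin and rexec enabled, rsh already commented out.
sample_conf() {
    cat <<'EOF'
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd
login   stream  tcp  nowait  root  /usr/sbin/in.rlogind  in.rlogind
#shell  stream  tcp  nowait  root  /usr/sbin/in.rshd     in.rshd
exec    stream  tcp  nowait  root  /usr/sbin/in.rexecd   in.rexecd
EOF
}

# Usage: sh audit.sh /etc/inet/inetd.conf
if [ "$#" -gt 0 ]; then
    audit_r_services "$1"
    exit $?
fi
```

A nonzero exit status makes the check easy to run from cron or a host build script, so a re-enabled r-service is noticed after a patch or reinstall.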