Sun Server X2-4

Security Guide


Using Server Configuration and Management Tools Securely

Follow these security guidelines when using software and firmware tools to configure and manage your server:

Contact your IT Security Officer for additional security requirements that pertain to your system and specific environment.

Oracle Hardware Installation Assistant Security

Oracle Hardware Installation Assistant is an application that you can use for initial server configuration. This application helps you update firmware (Oracle ILOM firmware, BIOS, and RAID controller software) and automate the installation of a Linux or Microsoft Windows operating system. For more details, refer to the Oracle Hardware Installation Assistant 2.5 User's Guide for x86 Servers at:

http://www.oracle.com/pls/topic/lookup?ctx=hia

Oracle ILOM Security

You can actively secure, manage, and monitor system components using Oracle Integrated Lights Out Manager (ILOM) management firmware, which is embedded on Oracle x86-based servers and Oracle SPARC-based servers. Depending on the authorization level granted to system administrators, functions might include the ability to power off the server, create user accounts, and mount remote storage devices.

Whether you establish a physical management connection to Oracle ILOM through the local serial port, dedicated network management port, or the standard data network port, it is essential that this physical port on the server is always connected to an internal trusted network, or a dedicated secure management or private network.

Never connect the Oracle ILOM service processor (SP) to a public network, such as the Internet. You should keep the Oracle ILOM SP management traffic on a separate management network and grant access only to system administrators.

Limit the use of the default Administrator account (root) to the initial Oracle ILOM login. This default Administrator account is provided only to aid with the initial server installation. Therefore, to ensure the most secure environment, you must change the default Administrator password (changeme) as part of the initial setup of the system. Gaining access to the default Administrator account gives a user unrestricted access to all features of Oracle ILOM. In addition, establish new user accounts with unique passwords and assign authorization levels (user roles) for each new Oracle ILOM user.

Terminal devices do not always provide the appropriate levels of user authentication or authorization that are required to secure the network from malicious intrusions. To protect your system from unwanted network intrusions, do not establish a serial connection (serial port) to Oracle ILOM through any type of network redirection device, such as a terminal server, unless the server has sufficient access controls.

In addition, certain Oracle ILOM functions, such as password reset and the Preboot menu, are only made available using the physical serial port. Connecting the serial port to a network using an unauthenticated terminal server removes the need for physical access, and lowers the security associated with these functions.

The Oracle ILOM Preboot menu is a powerful utility that provides a way to reset Oracle ILOM to default values, and to flash firmware if Oracle ILOM were to become unresponsive. Once Oracle ILOM has been reset, a user is then required to either press a button on the server (the default) or type a password. The Oracle ILOM Physical Presence property controls this behavior (check_physical_presence=true). For maximum security when accessing the Preboot menu, do not change the default setting (true), so that access to the Preboot menu always requires physical access to the server.

Refer to Oracle ILOM documentation to learn more about setting up passwords, managing users, and applying security-related features. For security guidelines that are specific to Oracle ILOM, refer to the Oracle ILOM Security Guide, which is part of the Oracle ILOM documentation library. You can find the Oracle ILOM documentation at:

http://www.oracle.com/goto/ILOM/docs

Oracle Hardware Management Pack Security

Oracle Hardware Management Pack is available for your server, and for many other Oracle x86-based servers and some Oracle SPARC-based servers. Oracle Hardware Management Pack features two components: an SNMP monitoring agent and a family of cross-operating system command-line interface tools (CLI Tools) for managing your server.

SNMP is a standard protocol used to monitor or manage a system. With the Hardware Management Agent SNMP Plugins, you can use SNMP to monitor Oracle servers in your data center with the advantage of not having to connect to two management points, the host and Oracle ILOM. This functionality enables you to use a single IP address (the host's IP address) to monitor multiple servers.

The SNMP Plugins run on the host operating system of Oracle servers. The SNMP Plugin module extends the native SNMP agent in the host operating system to provide additional Oracle MIB capabilities. Oracle Hardware Management Pack itself does not contain an SNMP agent. For Linux, a module is added to the net-snmp agent. For Oracle Solaris, a module is added to the Solaris Management Agent. For Microsoft Windows, the Plugin extends the native SNMP service. Any security settings related to SNMP for the Oracle Hardware Management Pack are determined by the settings of the native SNMP agent or service, and not by the Plugin.

Note that SNMPv1 and SNMPv2c provide no encryption and use community strings as a form of authentication. SNMPv3 is more secure and is the recommended version to use because it employs encryption to provide a secure channel, as well as individual user names and passwords.
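Because the Plugin inherits whatever the native agent allows, the place to check is the agent's own configuration. The following added example (not Oracle's code, and not part of the original guide) audits a net-snmp `snmpd.conf` on a Linux host for SNMPv1/v2c community access and for SNMPv3 users that are not required to use encryption; the sample configuration, user names, and community strings are constructed for illustration.

```python
# Added example: audit a net-snmp snmpd.conf for weak SNMP access settings.
# Directives that enable SNMPv1/v2c community-string access.
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6",
                        "rwcommunity6", "com2sec", "com2sec6"}
# SNMPv3 access directives: rouser/rwuser [-s SECMODEL] USER [noauth|auth|priv ...]
V3_DIRECTIVES = {"rouser", "rwuser"}

# Constructed sample configuration, not taken from any real host.
SAMPLE_CONF = """\
# monitoring access for the hardware management agent
rocommunity public default
com2sec notConfigUser 10.0.0.0/24 s3cr3t
createUser hmpmon SHA "auth-pass-placeholder" AES "priv-pass-placeholder"
rouser hmpmon priv
rwuser legacyops auth
rouser guest noauth
"""

def audit_snmpd_conf(text):
    """Return a list of (line_number, severity, message) findings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blanks and comments
            continue
        tokens = line.split()
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in COMMUNITY_DIRECTIVES:
            # Community strings travel in cleartext; the value is not echoed.
            findings.append((lineno, "high",
                             f"{directive}: SNMPv1/v2c community access, no encryption"))
        elif directive in V3_DIRECTIVES:
            if args[:1] == ["-s"]:                # optional "-s SECMODEL" prefix
                args = args[2:]
            # net-snmp requires authentication only (auth) when no level is given.
            level = args[1].lower() if len(args) > 1 else "auth"
            if level == "noauth":
                findings.append((lineno, "high",
                                 f"{directive}: SNMPv3 user with no authentication"))
            elif level != "priv":
                findings.append((lineno, "medium",
                                 f"{directive}: SNMPv3 user not encrypted, require priv"))
    return findings

if __name__ == "__main__":
    for lineno, severity, message in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {lineno}: [{severity}] {message}")
```

A configuration that follows the recommendation above produces no findings: it has no community directives, and every `rouser`/`rwuser` entry specifies `priv`.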

Refer to the Oracle Hardware Management Pack documentation for more information about these features. For security guidelines that are specific to Oracle Hardware Management Pack, refer to the Oracle Hardware Management Pack (HMP) Security Guide, which is part of the Oracle Hardware Management Pack documentation library. You can find the Oracle Hardware Management Pack documentation at:

http://www.oracle.com/goto/OHMP/docs