After the initial installation and configuration, use Oracle hardware and software security features to continue controlling hardware and tracking system assets.
Contact your IT Security Officer for additional security requirements that pertain to your system and specific environment.
You can use software to turn power on and off to some Oracle systems. The power distribution units (PDUs) for some system cabinets can be enabled and disabled remotely. Authorization for these commands is typically set up during system configuration and is usually limited to system administrators and service personnel.
Refer to your system or cabinet documentation for further information.
Use serial numbers to track inventory. Oracle embeds serial numbers in firmware on option cards and system motherboards. You can read these serial numbers through local area network (LAN) connections.
You can also use wireless radio frequency identification (RFID) readers to further simplify asset tracking. An Oracle white paper, How to Track Your Oracle Sun System Assets by Using RFID, is available at:
Security enhancements are introduced through new software releases and patches. Effective proactive patch management is a critical part of system security. For best security practices, update your system with the most recent software release and all necessary security patches.
Check regularly for software updates and security patches.
Always install the latest released version of the software or firmware.
Install any necessary security patches for your software.
Remember that devices such as network switches also contain firmware and might require patches and firmware updates.
After the networks are configured based on security principles, regular review and maintenance are needed. Follow these guidelines to secure local and remote access to your systems.
Limit remote configuration to specific IP addresses using SSH instead of Telnet. Telnet passes user names and passwords in clear text, potentially allowing everyone on the local area network (LAN) segment to see login credentials. Set a strong password for SSH.
Use version 3 of Simple Network Management Protocol (SNMP) to provide secure transmissions. Earlier versions of SNMP are not secure and transmit authentication data in unencrypted text.
Change the default SNMP community string to a strong community string if SNMP is necessary. Some products have PUBLIC set as the default SNMP community string. Attackers can query a community to draw a very complete network map and possibly modify management information base (MIB) values.
Always log out after using the system controller if it uses a browser interface.
Disable unnecessary network services, such as Transmission Control Protocol (TCP) or Hypertext Transfer Protocol (HTTP). Enable necessary network services and configure these services securely.
Create a banner message that appears at login to state that unauthorized access is prohibited. You can inform users of any important policies or rules. The banner can be used to warn users of special access restrictions for a given system, or to remind users of password policies and appropriate use.
Use access control lists to apply restrictions where appropriate.
Set time-outs for extended sessions and set privilege levels.
Use authentication, authorization, and accounting features for local and remote access to a switch.
If possible, use the RADIUS and TACACS+ security protocols:
RADIUS (Remote Authentication Dial In User Service) is a client/server protocol that secures networks against unauthorized access.
TACACS+ (Terminal Access Controller Access-Control System) is a protocol that permits a remote access server to communicate with an authentication server to determine if a user has access to the network.
Follow LDAP security measures when using LDAP to access the system.
Use the port mirroring capability of the switch for intrusion detection system (IDS) access.
Implement port security to limit access based on a MAC address. Disable auto trunking on all ports.
For more information about network security, refer to the Oracle ILOM Security Guide, which is part of the Oracle ILOM documentation library. You can find the Oracle ILOM documentation at:
http://www.oracle.com/goto/ILOM/docs
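The SNMP guidelines above can be checked mechanically. The following is an added example, not Oracle code or part of the original guide: it assumes the agent being reviewed is Net-SNMP and audits an snmpd.conf text for community-based (v1/v2c) access, default community strings, write access by community, and SNMPv3 users that do not require encryption. The sample configuration, user names, and addresses are constructed.

```python
# Constructed sample in Net-SNMP snmpd.conf syntax; names and addresses are made up.
SAMPLE_CONF = """\
# constructed example
rocommunity public default
rwcommunity Xk9-fleet-mgmt 192.0.2.10
rouser monitor auth
rwuser netadmin priv
"""

COMMUNITY = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
V3_USER = {"rouser", "rwuser"}
DEFAULT_STRINGS = {"public", "private"}


def audit_snmpd_conf(text):
    """Return (line_number, code, detail) findings for one snmpd.conf text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if len(tokens) < 2:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in COMMUNITY or directive in ("com2sec", "com2sec6"):
            # com2sec puts the community last; ro/rwcommunity put it first.
            community = args[-1] if directive.startswith("com2sec") else args[0]
            findings.append((lineno, "v1v2c-community", "community string is sent unencrypted"))
            if community.lower() in DEFAULT_STRINGS:
                findings.append((lineno, "default-community", community))
            if directive.startswith("rw"):
                findings.append((lineno, "community-write", "MIB values can be modified"))
        elif directive in V3_USER:
            if args[0] == "-s" and len(args) >= 3:   # optional security-model prefix
                args = args[2:]
            level = args[1].lower() if len(args) > 1 else "auth"  # Net-SNMP default
            if level != "priv":                      # authenticated but not encrypted
                findings.append((lineno, "v3-no-privacy", f"{args[0]} uses level '{level}'"))
    return findings


if __name__ == "__main__":
    for finding in audit_snmpd_conf(SAMPLE_CONF):
        print(*finding)
```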
Follow these guidelines to maximize data protection and security.
Back up important data using devices such as external hard drives or USB storage devices. Store the backed-up data in a second, off-site, secure location.
Use data encryption software to keep confidential information on hard drives secure.
When disposing of an old hard drive, physically destroy the drive or completely erase all the data on the drive. Information can still be recovered from a drive after files are deleted or the drive has been reformatted. Deleting the files or reformatting the drive removes only the address tables on the drive. Use disk wiping software to completely erase all data on a drive.
Inspect and maintain your log files on a regular schedule. Use these methods to secure log files:
Enable logging and send system logs to a dedicated secure log host.
Configure logging to include accurate time information, using Network Time Protocol (NTP) and timestamps.
Perform regularly scheduled scans of network device logs for unusual network activity or access.
Review logs for possible incidents and archive them in accordance with a security policy.
Periodically retire log files when they exceed a reasonable size. Maintain copies of the retired files for possible future reference or statistical analysis.
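A scheduled log scan of the kind described above can be combined with the earlier guideline to limit remote configuration to specific IP addresses. The following is an added example, not part of the original guide: it reads lines in the OpenSSH sshd syslog message format collected on the log host and reports successful logins from outside an allow-list and sources with repeated failed logins. The allow-list network, the threshold, and the log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumptions made for this example, not values from the guide.
ALLOWED_MGMT = [ipaddress.ip_network("192.0.2.0/28")]  # permitted admin sources
FAILED_THRESHOLD = 5                                   # failures per source

# Constructed lines in the OpenSSH sshd syslog message format.
SAMPLE_LOG = [
    "Mar  4 02:10:58 mgmt1 sshd[2201]: Accepted password for admin from 192.0.2.5 port 50022 ssh2",
    "Mar  4 02:14:31 mgmt1 sshd[2260]: Accepted password for admin from 203.0.113.40 port 41877 ssh2",
] + [
    f"Mar  4 02:11:{s:02d} mgmt1 sshd[22{s:02d}]: Failed password for invalid user "
    f"oper from 198.51.100.23 port {51000 + s} ssh2"
    for s in range(5)
]

EVENT = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def scan_auth_log(lines):
    """Return logins from outside the allow-list and sources with repeated failures."""
    outside, failures = [], Counter()
    for line in lines:
        match = EVENT.search(line)
        if not match:
            continue
        outcome, user, source = match.groups()
        try:
            addr = ipaddress.ip_address(source)
        except ValueError:      # hostname or malformed field: keep it visible
            addr = None
        if outcome == "Failed":
            failures[source] += 1
        elif addr is None or not any(addr in net for net in ALLOWED_MGMT):
            outside.append((user, source))
    bursts = {src: n for src, n in failures.items() if n >= FAILED_THRESHOLD}
    return {"outside_allowlist": outside, "failed_bursts": bursts}


if __name__ == "__main__":
    print(scan_auth_log(SAMPLE_LOG))
```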