Remote access attacks can damage a system and a network. Oracle Solaris provides defense in depth for network transmissions. Defense features include encryption and authentication checks for data transmission, login authentication, and the disabling of unnecessary remote services.
IP security (IPsec) protects network transmissions by authenticating the IP packets, by encrypting them, or by doing both. Because IPsec is implemented well below the application layer, Internet applications can take advantage of IPsec without requiring modifications to their code.
IPsec and its automatic key exchange protocol, IKE, use algorithms from the Cryptographic Framework. Additionally, the Cryptographic Framework provides a central keystore. When IKE is configured to use the metaslot, organizations have the option of storing the keys on disk, on an attached hardware keystore, or in a software keystore called softtoken.
IPsec and IKE require configuration, so they are installed but not enabled by default. When properly administered, IPsec is an effective tool for securing network traffic.
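The configuration the paragraph above refers to, as an added example that is not part of the original guide: a minimal ipsecconf(1M) policy that protects all traffic between two hosts with ESP while leaving the administrative SSH session unprotected so that a failed IKE negotiation cannot lock the administrator out, followed by the syntax check and the SMF services that load the policy and start IKEv2. The addresses 192.0.2.10 and 192.0.2.20 are placeholders, and the IKEv2 peer and key configuration in /etc/inet/ike/ikev2.config (Chapter 9) is assumed to exist already. The Solaris-specific commands run only when the script detects SunOS, so the policy file can be generated and reviewed elsewhere first.

```shell
#!/bin/sh
# Added example: bring up IPsec between two Oracle Solaris 11.2 hosts.
# 192.0.2.10 / 192.0.2.20 are placeholder addresses (assumption).
set -eu

STAGE=${STAGE:-${TMPDIR:-/tmp}/ipsecinit.conf.$$}
POLICY=/etc/inet/ipsecinit.conf

# Emit an ipsecconf(1M) policy file.  Every packet between the two hosts must
# be protected by ESP using AES with an HMAC-SHA-512 integrity check on one
# shared SA.  The SSH bypass rule comes first so that the session used to
# apply the policy survives even if IKE never negotiates an SA.
write_policy() {
    cat > "$1" <<'EOF'
# Keep the administrative SSH session reachable while IPsec is brought up.
{lport 22 dir both} bypass {}

# Protect all other traffic between the two hosts (ESP, shared SA).
{laddr 192.0.2.10 raddr 192.0.2.20} ipsec {encr_algs aes encr_auth_algs sha512 sa shared}
EOF
}

# Number of policy entries in a file (each entry starts with '{').
policy_rule_count() {
    grep -c '^{' "$1"
}

write_policy "$STAGE"

if [ "$(uname -s)" = SunOS ]; then
    # -c only checks syntax; it does not change the kernel policy.
    ipsecconf -c "$STAGE"
    cp "$STAGE" "$POLICY"
    # The policy service rereads ipsecinit.conf on refresh; IKEv2 then
    # negotiates the keys for the SA the policy demands.
    svcadm refresh svc:/network/ipsec/policy:default
    svcadm enable  svc:/network/ipsec/ike:ikev2
    # Show what is now enforced; expect the two entries written above.
    ipsecconf -l
fi
```

Check the negotiated SAs afterwards with ipseckey(1M) (`ipseckey dump`); if the shared SA never appears, the bypass rule above is what keeps the SSH session alive while the IKEv2 configuration is fixed.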
For more information, see the following:
Chapter 6, About IP Security Architecture, in Securing the Network in Oracle Solaris 11.2
Chapter 7, Configuring IPsec, in Securing the Network in Oracle Solaris 11.2
IPsec and FIPS 140 in Securing the Network in Oracle Solaris 11.2
Chapter 8, About Internet Key Exchange, in Securing the Network in Oracle Solaris 11.2
Chapter 9, Configuring IKEv2, in Securing the Network in Oracle Solaris 11.2
Selected man pages include ipsecconf(1M) and in.iked(1M).
By default, the Secure Shell feature of Oracle Solaris is the only active remote access mechanism on a newly installed system. All other network services are either disabled or in listen-only mode.
Secure Shell creates an encrypted communications channel between systems. Secure Shell can also be used as an on-demand virtual private network (VPN) that can forward X Window System traffic or can connect individual port numbers between a local system and remote systems over an authenticated and encrypted network link.
Thus, Secure Shell prevents a would-be intruder from reading an intercepted communication and, provided that the client verifies the server's host key, prevents an adversary from impersonating the remote system.
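The check and the hardening a practitioner would apply to the default described above, as an added example that is not part of the original guide: list what is online and listening to confirm that sshd is the only remote-access service, then force the sshd_config directives that matter most for an exposed host. The path /etc/ssh/sshd_config and the host names in the comments are assumptions. The functions are plain POSIX sh and awk; the svcs(1), netstat(1M) and svcadm(1M) calls run only on SunOS.

```shell
#!/bin/sh
# Added example: confirm sshd is the only listener on a fresh Oracle Solaris
# 11.2 system and tighten /etc/ssh/sshd_config (path is an assumption).
set -eu

SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}

# The value sshd actually uses for a keyword: the FIRST uncommented match
# wins in sshd_config, later duplicates are ignored.
effective_setting() {
    awk -v k="$2" 'tolower($1)==tolower(k) { print $2; exit }' "$1"
}

# Force a keyword to a value.  Every existing line for the keyword, commented
# or not, is removed first; simply appending "PermitRootLogin no" would be
# overridden by an earlier "PermitRootLogin yes" because of first-match-wins.
set_directive() {
    cfg=$1 key=$2 val=$3
    tmp=$cfg.tmp.$$
    awk -v k="$key" '{ f=$1; sub(/^#+/, "", f) } tolower(f)!=tolower(k)' "$cfg" > "$tmp"
    printf '%s %s\n' "$key" "$val" >> "$tmp"
    mv "$tmp" "$cfg"
}

harden_sshd_config() {
    set_directive "$1" PermitRootLogin no          # root is a role; log in as a user and assume it
    set_directive "$1" PasswordAuthentication no   # public keys only; no online password guessing
    set_directive "$1" PermitEmptyPasswords no
}

if [ "$(uname -s)" = SunOS ]; then
    # Which services are up, and which TCP ports are actually listening.
    # On a fresh install only ssh should be accepting remote connections.
    svcs -a | grep '^online' || true
    netstat -an -f inet -P tcp | grep LISTEN || true

    harden_sshd_config "$SSHD_CONFIG"
    svcadm restart svc:/network/ssh:default
fi

# The on-demand VPN use the text describes, from a client (placeholder names):
#   ssh -L 8443:intranet.example.com:443 admin@gateway.example.com
#   ssh -X admin@gateway.example.com      # X Window System traffic over the tunnel
```

Keep an existing session open while restarting sshd and test a fresh login from a second terminal before closing it: with PasswordAuthentication off, a user whose key is not yet installed on the server is locked out.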
For more information, see the following:
Chapter 1, Using Secure Shell, in Managing Secure Shell Access in Oracle Solaris 11.2
Secure Shell and FIPS 140 in Managing Secure Shell Access in Oracle Solaris 11.2
Selected man pages include ssh(1), sshd(1M), sshd_config(4), and ssh_config(4).
The Kerberos feature of Oracle Solaris enables single sign-on and secure transactions, even over heterogeneous networks, as long as the systems involved run the Kerberos service, whatever operating system they use.
Kerberos is based on the Kerberos V5 network authentication protocol that was developed at the Massachusetts Institute of Technology (MIT). The Kerberos service offers strong user authentication, as well as integrity and privacy. Using the Kerberos service, you can log in once and access other systems, execute commands, exchange data, and transfer files securely. Additionally, the service enables administrators to restrict access to services and systems.
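The client side of the single sign-on described above, as an added example that is not part of the original guide: a krb5.conf that names the realm and its KDC, pins the realm-to-domain mapping so that a spoofed DNS answer cannot redirect clients to a rogue KDC, and restricts the enctypes to AES, followed by the one kinit(1) that then serves every Kerberized service. The realm EXAMPLE.COM, the KDC kdc1.example.com, the admin principal kws/admin and the user alice are placeholders. realm_for_host reimplements the [domain_realm] lookup (longest matching suffix wins) so the mapping can be checked without a KDC; the kdcmgr(1M), kadmin(1M) and kinit(1) steps run only on SunOS.

```shell
#!/bin/sh
# Added example: configure an Oracle Solaris 11.2 Kerberos client and obtain
# a ticket.  EXAMPLE.COM, kdc1.example.com, kws/admin and alice are placeholders.
set -eu

REALM=${REALM:-EXAMPLE.COM}
KDC=${KDC:-kdc1.example.com}
KRB5_CONF=/etc/krb5/krb5.conf   # Solaris location; MIT Linux builds use /etc/krb5.conf
STAGE=${STAGE:-${TMPDIR:-/tmp}/krb5.conf.$$}

# Realms are upper case by convention; the DNS domain a realm covers is the
# same name in lower case, which is what the [domain_realm] section maps.
realm_to_domain() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Write a client krb5.conf.  DNS lookups for realm and KDC are disabled so
# the mapping below is authoritative; only AES enctypes are permitted so a
# downgrade to DES/RC4 keys is refused.
write_krb5_conf() {
    realm=$1 kdc=$2 out=$3
    domain=$(realm_to_domain "$realm")
    cat > "$out" <<EOF
[libdefaults]
        default_realm = $realm
        dns_lookup_kdc = false
        dns_lookup_realm = false
        forwardable = true
        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
        $realm = {
                kdc = $kdc
                admin_server = $kdc
        }

[domain_realm]
        .$domain = $realm
        $domain = $realm
EOF
}

# Realm a host name maps to under [domain_realm]: an exact entry or the
# longest matching ".suffix" entry, the lookup a client performs before it
# asks the TGS for a service ticket.  Prints nothing when no entry matches.
realm_for_host() {
    awk -v h="$2" '
        substr($0,1,1)=="[" { sect=$0; next }
        sect=="[domain_realm]" && NF==3 && $2=="=" {
            d=$1; n=length(d)
            if (d==h || (substr(d,1,1)=="." && length(h)>n && substr(h,length(h)-n+1)==d))
                if (n>best) { best=n; realm=$3 }
        }
        END { if (realm!="") print realm }' "$1"
}

write_krb5_conf "$REALM" "$KDC" "$STAGE"

if [ "$(uname -s)" = SunOS ]; then
    cp "$STAGE" "$KRB5_CONF"
    # Once, on the KDC itself: create the realm and its admin principal.
    #   kdcmgr -a kws/admin -r EXAMPLE.COM create master
    # Then add a user principal from any system that reaches admin_server:
    #   kadmin -p kws/admin -q 'addprinc alice'
    # Single sign-on: one password prompt yields a TGT that ssh (GSSAPI),
    # NFS and other Kerberized services accept until it expires.
    kinit alice
    klist
fi
```

The first check after kinit is `klist`: the TGT must show an AES enctype and the realm written above; a ticket with a different enctype means the principal still has keys for a weaker type and `kadmin -q 'cpw alice'` should be used to regenerate them.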
For more information, see the following:
Managing Kerberos and Other Authentication Services in Oracle Solaris 11.2
Selected man pages include kadmin(1M), kdcmgr(1M), kerberos(5), kinit(1), and krb5.conf(4).