Oracle® Solaris 11 Security Guidelines

Exit Print View

Updated: August 2014

Remote Access

Remote access attacks can damage a system and a network. Oracle Solaris provides defense in depth for network transmissions. Defense features include encryption and authentication checks for data transmission, login authentication, the disabling of unnecessary remote services.

IPsec and IKE

IP security (IPsec) protects network transmissions by authenticating the IP packets, by encrypting them, or by doing both. Because IPsec is implemented well below the application layer, Internet applications can take advantage of IPsec without requiring modifications to their code.

IPsec and its automatic key exchange protocol, IKE, use algorithms from the Cryptographic Framework. Additionally, the Cryptographic Framework provides a central keystore. When IKE is configured to use the metaslot, organizations have the option of storing the keys on disk, on an attached hardware keystore, or in a software keystore called softtoken.

IPsec and IKE require configuration, so are installed but not enabled by default. When properly administered, IPsec is an effective tool in securing network traffic.

Secure Shell

By default, the Secure Shell feature of Oracle Solaris is the only active remote access mechanism on a newly installed system. All other network services are either disabled or in listen-only mode.

Secure Shell creates an encrypted communications channel between systems. Secure Shell can also be used as an on-demand virtual private network (VPN) that can forward X Window system traffic or can connect individual port numbers between a local system and remote systems over an authenticated and encrypted network link.

Thus, Secure Shell prevents a would-be intruder from being able to read an intercepted communication and prevents an adversary from spoofing the system.

Kerberos Service

The Kerberos feature of the Oracle Solaris enables single sign-on and secure transactions, even over heterogeneous networks where systems run different operating systems and run the Kerberos service.

Kerberos is based on the Kerberos V5 network authentication protocol that was developed at the Massachusetts Institute of Technology (MIT). The Kerberos service offers strong user authentication, as well as integrity and privacy. Using the Kerberos service, you can log in once and access other systems, execute commands, exchange data, and transfer files securely. Additionally, the service enables administrators to restrict access to services and systems.