Transitioning From Oracle® Solaris 10 to Oracle Solaris 11.2


Updated: December 2014
 
 

Network Security Features

    The following network security features are supported:

  • Internet Key Exchange (IKE) – IKE Version 2 (IKEv2) provides automatic key management for IPsec using the latest version of the IKE protocol. IKEv2 and IPsec use cryptographic algorithms from the Cryptographic Framework feature of Oracle Solaris. IKEv2 includes more Diffie-Hellman groups and can also use Elliptic Curve Cryptography (ECC) groups. See Chapter 8, About Internet Key Exchange, in Securing the Network in Oracle Solaris 11.2.

  • IP Security Architecture (IPsec) – IPsec includes AES-CCM and AES-GCM modes and is capable of protecting network traffic for the Trusted Extensions feature of Oracle Solaris (Trusted Extensions). See Chapter 6, About IP Security Architecture, in Securing the Network in Oracle Solaris 11.2.

  • IP Filter Firewall – IP Filter Firewall, which is similar to the open source IP Filter feature, is compatible, manageable, and highly integrated with SMF. This feature enables selective access to ports, based on IP address.

  • Kerberos – Kerberos is capable of mutual authentication of clients and servers in this release. Also, support for initial authentication by using X.509 certificates with the PKINIT protocol has been introduced. See OpenSSL Support in Oracle Solaris in Managing Encryption and Certificates in Oracle Solaris 11.2.

  • OpenSSL 1.0.1 – Starting with Oracle Solaris 11.2, OpenSSL 1.0.1 is supported. This version of OpenSSL provides you with a choice between performance and FIPS-140 compliance. See https://blogs.oracle.com/observatory/entry/openssl_on_solaris_11_2.

  • Secure by Default – You use the Secure by Default feature to disable and protect several network services from attack, which minimizes network exposure. This feature was introduced in Oracle Solaris 10, but was turned off by default and had to be enabled during the OS installation or by running the netservices limited command. Starting with Oracle Solaris 11, this feature is enabled by default, and only SSH is enabled for remote access to the system. To enable remote access for other services, see the instructions in the man page for each specific network service.

  • SSH – Host and user authentication by using X.509 certificates is supported.
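
The Secure by Default item above states that only SSH is enabled for remote access. The following check is an added example, not part of the Oracle documentation: it reads `netstat -an` style text and lists TCP listeners that are reachable from the network on any port other than SSH. The function names, the sample output, and the assumed column layout (local address as `address.port` in the first column, state in the last) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a host against the Secure by Default expectation
# that SSH is the only service listening for remote connections.
# Requires a POSIX awk (for the -v option).

# remote_listeners [allowed_port]
# Reads netstat-style lines on stdin and prints the local address of every
# TCP socket in LISTEN state that is not bound to loopback and is not on the
# allowed port (default 22, SSH). Prints nothing when the host is compliant.
remote_listeners() {
    awk -v allow="${1:-22}" '
        $NF == "LISTEN" {
            la = $1
            # The port follows the last dot: "*.22", "127.0.0.1.25", "::1.25".
            i = length(la)
            while (i > 0 && substr(la, i, 1) != ".") i--
            if (i == 0) next
            addr = substr(la, 1, i - 1)
            port = substr(la, i + 1)
            # Loopback-only listeners are not reachable from the network.
            if (addr == "127.0.0.1" || addr == "::1" || addr == "localhost") next
            if (port == allow) next
            print la
        }'
}

# Constructed sample input (not captured from a real system).
sample_netstat() {
cat <<'EOF'
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 128000      0 LISTEN
127.0.0.1.25               *.*                0      0 128000      0 LISTEN
      *.111                *.*                0      0 128000      0 LISTEN
192.0.2.10.22        192.0.2.50.51514     64240      0 128872      0 ESTABLISHED
EOF
}

# Demonstration on the sample; on a live system, pipe in the real output,
# for example: netstat -an -f inet -P tcp | remote_listeners
sample_netstat | remote_listeners
```

Any line this prints is a service that was opened for remote access after installation and should be matched against an intended change.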