You can configure guest domains in a variety of ways to provide varying levels of guest domain isolation, hardware sharing, and domain connectivity. These factors contribute to the security level of the overall Oracle VM Server for SPARC configuration. For recommendations about deploying the Oracle VM Server for SPARC software in a secure manner, see Security in a Virtualized Environment and Defending Against Attacks.
You can apply some of the following general security principles:
Minimize the attack surface.
Minimize unintentional configuration errors by creating operational guidelines that enable you to regularly evaluate the security of the system. See Countermeasure: Creating Operational Guidelines.
Carefully plan the architecture of the virtual environment to maximize the isolation of the domains. See the countermeasures described for Threat: Errors in the Architecture of the Virtual Environment.
Carefully plan which resources to assign and whether they are to be shared. See Countermeasure: Carefully Assigning Hardware Resources and Countermeasure: Carefully Assigning Shared Resources.
Ensure that the logical domains are protected from manipulation by applying the countermeasures described for Threat: Manipulation of the Execution Environment and Countermeasure: Securing the Guest Domain OS.
Countermeasure: Using Role Separation and Application Isolation describes the importance of assigning functional roles to the various domains and ensuring that the control domain runs only the software that provides the infrastructure required to host guest domains. Applications that could run on other systems should run on guest domains designed for that purpose, not on the control domain.
Countermeasure: Configuring a Dedicated Management Network describes a more advanced network configuration that connects servers with SPs to a dedicated management network to shield the SP from network access.
Expose a guest domain to the network only when necessary. You can use virtual switches to limit a guest domain's network connectivity to only the appropriate networks.
Protect the core of the hypervisor as described by Countermeasure: Validating Firmware and Software Signatures and Countermeasure: Validating Kernel Modules.
Protect the control domain against denial-of-service attacks. See Countermeasure: Securing Console Access.
Ensure that the Logical Domains Manager cannot be run by unauthorized users. See Threat: Unauthorized Use of Configuration Utilities.
Ensure that the service domain cannot be accessed by unauthorized users or processes. See Threat: Manipulation of a Service Domain.
Protect an I/O domain or a service domain against denial-of-service attacks. See Threat: Experiencing a Denial-of-Service of an I/O Domain or a Service Domain.
Ensure that an I/O domain cannot be accessed by unauthorized users or processes. See Threat: Manipulation of an I/O Domain.
Disable unnecessary domain manager services. The Logical Domains Manager provides network services for domain access, monitoring, and migration. See Countermeasure: Hardening the Logical Domains Manager and Countermeasure: Securing the ILOM.
Provide the least privilege to perform an operation.
Isolate systems into security classes, which are groups of individual guest systems that share the same security requirements and privileges. By assigning only guest domains from a single security class to a single hardware platform, you create an isolation barrier, which prevents the domains from crossing into a different security class. See Countermeasure: Carefully Assigning Guests to Hardware Platforms.
Use rights to restrict the capability to manage domains with the ldm command. Only those users who must administer domains should be given this capability. Assign a role that uses the LDoms Management rights profile to users who require access to all of the ldm subcommands. Assign a role that uses the LDoms Review rights profile to users who only require access to the list-related ldm subcommands. See Using Rights Profiles and Roles in Oracle VM Server for SPARC 3.1 Administration Guide.
Use rights to restrict access to the console of only those domains that you, as the administrator of Oracle VM Server for SPARC, administer. Do not permit general access to all domains. See Controlling Access to a Domain Console by Using Rights in Oracle VM Server for SPARC 3.1 Administration Guide.
Monitor system activity.
Enable Oracle VM Server for SPARC auditing. See Enabling and Using Auditing in Oracle VM Server for SPARC 3.1 Administration Guide.
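As an added example (not code from the Oracle guide), the following POSIX shell script wraps the Solaris and ldm commands behind the rights-profile, console-access, auditing and virtual-switch points above in one reviewable plan. The role, user, domain and switch names (ldmadmin, ldmreview, alice, bob, ldg1, ldg2, primary-vsw0, mgmt-vsw0) are placeholders, the file name ldm-hardening.sh is assumed, and the vntsd authorization property and vs audit class are used as documented for Solaris and the Logical Domains Manager; the roleadd, usermod, svccfg, auditconfig and ldm add-vsw/add-vnet commands are the standard ones.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): least-privilege ldm administration,
# per-domain console access, auditing and network isolation as a reviewable plan.
# Role, user, domain and switch names are hypothetical placeholders.
# DRY_RUN=1 (the default) prints each command instead of executing it, so the
# whole plan can be checked before it is applied as root with DRY_RUN=0.
: "${DRY_RUN:=1}"

# Execute a command, or in dry-run mode print it with spaced arguments quoted.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        line=""
        for arg in "$@"; do
            case $arg in
                *[[:space:]]*) arg="'$arg'" ;;
            esac
            line="${line:+$line }$arg"
        done
        printf '%s\n' "$line"
    else
        "$@"
    fi
}

# Roles carrying the two rights profiles: LDoms Management (every ldm
# subcommand) and LDoms Review (the list-related subcommands only).
# Set each role's password with passwd before anyone assumes it.
create_ldm_roles() {
    run roleadd -P "LDoms Management" ldmadmin
    run roleadd -P "LDoms Review" ldmreview
}

# Give a user one role ($1 = user, $2 = role); ldm is then reachable only
# after 'su role', never from the user's own shell.
assign_role() {
    run usermod -R "$2" "$1"
}

# Console access: make vntsd honour authorizations, then grant the user
# solaris.vntsd.console-<domain> for exactly the listed domains. usermod -A
# sets the whole list, so merge it with anything 'auths <user>' already shows.
grant_console_access() {
    user=$1; shift
    auths=""
    for dom in "$@"; do
        auths="${auths:+$auths,}solaris.vntsd.console-$dom"
    done
    run svccfg -s vntsd setprop vntsd/authorization = true
    run svcadm refresh vntsd
    run usermod -A "$auths" "$user"
}

# Auditing: add the vs (virtualization software) class to the flags currently
# reported by 'auditconfig -getflags', passed in as $1 so they are not lost.
# Recorded ldm operations can later be read with: auditreduce -c vs | praudit
enable_ldm_auditing() {
    run auditconfig -setflags "${1:+$1,}vs"
}

# Network exposure: a guest gets a vnet only on the switch it actually needs
# ($1 = guest, $2 = virtual switch, $3 = vnet name, default vnet0).
isolate_guest_network() {
    guest=$1 vsw=$2 vnet=${3:-vnet0}
    run ldm add-vnet "$vnet" "$vsw" "$guest"
}

# The complete plan: separate management and review roles, console rights
# limited to two domains, auditing on, and ldg1 attached only to the
# production switch while the management switch stays unreachable from it.
plan() {
    create_ldm_roles
    assign_role alice ldmadmin
    assign_role bob ldmreview
    grant_console_access alice ldg1 ldg2
    enable_ldm_auditing lo
    run ldm add-vsw net-dev=net0 primary-vsw0 primary
    run ldm add-vsw net-dev=net1 mgmt-vsw0 primary
    isolate_guest_network ldg1 primary-vsw0
}

# 'sh ldm-hardening.sh plan' prints the plan; DRY_RUN=0 applies it.
if [ "${1:-}" = plan ]; then plan; fi
```

Running `sh ldm-hardening.sh plan` prints the eleven commands for review; `DRY_RUN=0 sh ldm-hardening.sh plan` as root executes them in the same order. Keeping the review role separate from the management role is what lets an operations team list domains without being able to change them, and granting per-domain console authorizations instead of solaris.vntsd.consoles keeps an administrator of one security class away from the consoles of another.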