Oracle® Solaris 11.3 Security and Hardening Guidelines

Updated: March 2018

Protecting the Network

At this point, you might have created users who can assume roles, and have created the roles.

From the following network tasks, perform the tasks that provide additional security according to your site requirements. These network tasks strengthen the IP, ARP, and TCP protocols.

Table 3  Configuring the Network Task Map

| Task | Description | For Instructions |
|------|-------------|------------------|
| Disable the network routing daemon. | Limits access to systems by would-be network sniffers. | |
| Prevent the dissemination of information about the network topology. | Prevents the broadcast of packets. Prevents responses to broadcast echo requests and multicast echo requests. | |
| For systems that are gateways to other domains, such as a firewall or a VPN node, turn on strict source and destination multihoming. | Prevents packets that do not have the address of the gateway in their header from moving beyond the gateway. | |
| Prevent Denial of Service (DoS) attacks by controlling the number of incomplete system connections. | Limits the allowable number of incomplete TCP connections for a TCP listener. | |
| Prevent DoS attacks by controlling the number of permitted incoming connections. | Specifies the default maximum number of pending TCP connections for a TCP listener. | |
| Return network parameters to their secure default values. | Increases security that was reduced by administrative actions. | |
| Add TCP wrappers to network services to limit applications to legitimate users. | Specifies systems that are allowed access to network services, such as FTP. | |
| Configure a firewall. | Uses the Packet Filter or IP Filter feature to provide a firewall. | |
| Configure encrypted and authenticated network connections. | Uses IPsec and IKE to protect network transmissions between nodes and networks that are jointly configured with IPsec and IKE. | |

How to Use TCP Wrappers

The following steps show three ways that TCP wrappers are used or can be used in Oracle Solaris.

Before You Begin

You must assume the root role to modify a program to use TCP wrappers.

  1. You do not need to protect the sendmail application with TCP wrappers. It is protected by default.
  2. To enable TCP wrappers for all inetd services, see How to Use TCP Wrappers to Control Access to TCP Services in Administering TCP/IP Networks, IPMP, and IP Tunnels in Oracle Solaris 11.3.
  3. Protect the FTP network service with TCP wrappers.
    1. Follow the instructions in the /usr/share/doc/proftpd/modules/mod_wrap.html module.

      Because this module is dynamic, you must load it to use TCP wrappers with FTP.

    2. Load the module by adding the following instructions to the proftpd.conf file:
      # pfedit /etc/proftpd.conf
      <IfModule mod_dso.c>
          LoadModule mod_wrap.c
      </IfModule>
    3. Restart the FTP service.
      # svcadm restart svc:/network/ftp
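
A check to run after step 3, added here as an example and not part of the Oracle procedure: it confirms that proftpd.conf contains an active (not commented-out) LoadModule mod_wrap.c line and at least one of mod_wrap's access-file directives (TCPAccessFiles, TCPUserAccessFiles, TCPGroupAccessFiles). The function names and the sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a proftpd.conf for TCP wrappers (mod_wrap) enablement.
# check_proftpd_wrap and the other function names are hypothetical helpers.

# Print only active lines: comments removed, leading whitespace and blanks dropped.
active_lines() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' "$1" | grep -v '^$'
}

# Returns: 0 = mod_wrap loaded and an access-file directive is present
#          1 = no active "LoadModule mod_wrap.c" line
#          2 = module loaded, but no TCP*AccessFiles directive found
#          3 = configuration file unreadable
check_proftpd_wrap() {
    conf=$1
    [ -r "$conf" ] || return 3
    active_lines "$conf" |
        grep -Eqi '^LoadModule[[:space:]]+mod_wrap\.c([[:space:]]|$)' || return 1
    active_lines "$conf" |
        grep -Eqi '^TCP(User|Group)?AccessFiles[[:space:]]+[^[:space:]]' || return 2
    return 0
}

# Constructed sample configurations (not from the page), written into directory $1.
write_samples() {
    printf '%s\n' '<IfModule mod_dso.c>' '    LoadModule mod_wrap.c' '</IfModule>' \
        'TCPAccessFiles /etc/hosts.allow /etc/hosts.deny' > "$1/ok.conf"
    printf '%s\n' '<IfModule mod_dso.c>' '    LoadModule mod_wrap.c' '</IfModule>' \
        > "$1/noacl.conf"
    printf '%s\n' '<IfModule mod_dso.c>' '    # LoadModule mod_wrap.c' '</IfModule>' \
        > "$1/off.conf"
}

# Run the check against each constructed sample and print its status code.
demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    for f in ok noacl off; do
        rc=0
        check_proftpd_wrap "$d/$f.conf" || rc=$?
        echo "$f.conf -> status $rc"
    done
    rm -rf "$d"
}
demo
```

On a live system, call check_proftpd_wrap /etc/proftpd.conf and inspect $? before restarting the FTP service.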