Network communications can be protected by features such as firewalls, TCP wrappers on networked applications, and encrypted and authenticated remote connections.
Packet filtering provides basic protection against network-based attacks. Oracle Solaris includes the OpenBSD Packet Filter, the IP Filter feature, and TCP wrappers.
The OpenBSD Packet Filter (PF) feature of Oracle Solaris is a network firewall that captures inbound packets and evaluates them for entry to and exit from the system. PF provides stateful packet inspection. It can match packets by IP address and port number as well as by the receiving network interface.
PF is based on OpenBSD Packet Filter version 5.5, which is enhanced to work with Oracle Solaris components, such as zones with exclusive IP instances. In Oracle Solaris 11.3, both PF and IP Filter are available for filtering packets.
For more information, see the following:
For an overview, see Chapter 4, OpenBSD Packet Filter Firewall in Oracle Solaris in Securing the Network in Oracle Solaris 11.3.
For examples of using PF, see Chapter 5, Configuring the Packet Filter Firewall in Securing the Network in Oracle Solaris 11.3 and the man pages.
The IP Filter feature of Oracle Solaris creates a firewall to ward off network-based attacks.
Specifically, IP Filter provides stateful packet filtering capabilities and can filter packets by IP address or network, port, protocol, network interface, and traffic direction. It also includes stateless packet filtering and the capability to create and manage address pools. IP Filter can also perform network address translation (NAT) and port address translation (PAT).
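The following toy filter illustrates the stateful inspection that both PF and IP Filter perform: a packet is first checked against the state table, and only unknown flows are evaluated against the rule list, where the last matching rule wins unless a rule is marked quick. It is an added example, not Oracle Solaris code; the interface name net0 and the addresses are constructed, and the rule syntax is a Python stand-in rather than pf.conf or ipf.conf syntax.

```python
# Toy stateful packet filter for the PF / IP Filter concepts above. Added example, not
# Oracle Solaris code; interface names and addresses are constructed for illustration.
import ipaddress
from collections import namedtuple
# Packet: direction "in"/"out", interface, protocol and the 5-tuple as seen on the wire.
Packet = namedtuple("Packet", "direction iface proto src sport dst dport")
Rule = namedtuple("Rule", "action direction iface proto src_net dport keep_state",
                  defaults=(0, False))  # dport 0 = any port; keep_state tracks the flow

def matches(rule, pkt):
    if (rule.direction, rule.iface, rule.proto) != (pkt.direction, pkt.iface, pkt.proto):
        return False
    if rule.dport not in (0, pkt.dport):
        return False
    return rule.src_net == "any" or \
        ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src_net)  # "any" or CIDR

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()  # (proto, src, sport, dst, dport), stored for both directions

    def evaluate(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.states:      # reply to a tracked connection passes without rule lookup
            return "pass"
        hits = [r for r in self.rules if matches(r, pkt)]
        winner = hits[-1] if hits else None   # last matching rule wins (no "quick" keyword)
        if winner is None or winner.action != "pass":
            return "block"          # no rule matched, or the winning rule blocks
        if winner.keep_state:       # remember the flow so its return traffic is passed
            self.states.add(key)
            self.states.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return "pass"

def demo():
    # Host 198.51.100.10 on net0: inbound is blocked except SSH from the 192.0.2.0/24 admin net.
    fw = StatefulFilter([
        Rule("block", "in", "net0", "tcp", "any"),                    # default: drop inbound
        Rule("pass", "out", "net0", "tcp", "any", keep_state=True),   # outbound, track replies
        Rule("pass", "in", "net0", "tcp", "192.0.2.0/24", 22, True),  # SSH from admin net
    ])
    pkts = [
        Packet("out", "net0", "tcp", "198.51.100.10", 40000, "203.0.113.5", 443),  # new HTTPS
        Packet("in", "net0", "tcp", "203.0.113.5", 443, "198.51.100.10", 40000),   # its reply
        Packet("in", "net0", "tcp", "203.0.113.5", 443, "198.51.100.10", 40001),   # unsolicited
        Packet("in", "net0", "tcp", "192.0.2.7", 5555, "198.51.100.10", 22),       # admin SSH
        Packet("in", "net0", "tcp", "203.0.113.9", 5555, "198.51.100.10", 22),     # other SSH
    ]
    return [fw.evaluate(p) for p in pkts]  # -> ['pass', 'pass', 'block', 'pass', 'block']
```

The third packet is the point of stateful inspection: it looks like a reply from the same web server, but no outbound connection created state for port 40001, so the default inbound block applies.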
For more information, see the following:
For an overview of IP Filter, see Chapter 6, IP Filter Firewall in Oracle Solaris in Securing the Network in Oracle Solaris 11.3.
For examples of using IP Filter, see Chapter 7, Configuring IP Filter Firewall in Securing the Network in Oracle Solaris 11.3 and the man pages.
For information and examples about the syntax of the IP Filter policy language, see the ipnat(4) man page.
Selected man pages include ipfilter(5), ipf(1M), ipnat(1M), svc.ipfd(1M), and ipf(4).
TCP wrappers provide access control for internet services. When various internet (inetd) services are enabled, the tcpd daemon checks the address of a host requesting a particular network service against an ACL. Requests are granted or denied accordingly. TCP wrappers also log host requests for network services in syslog, which is a useful monitoring function.
The Secure Shell and sendmail features of Oracle Solaris are configured to use TCP wrappers. Network services that have a one-to-one mapping to executable files, such as proftpd and rpcbind, are candidates for TCP wrappers.
TCP wrappers support a rich configuration policy language that enables organizations to specify security policy not only globally but on a per-service basis. Further, access to services can be permitted or restricted based on host name, IPv4 or IPv6 address, netgroup name, network, and even DNS domain.
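The decision procedure tcpd applies to a request, as an added example rather than Oracle Solaris code: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted. The evaluator below handles the hosts_access(4) patterns ALL, domain suffix, address prefix, net/mask, exact host and the EXCEPT operator for IPv4 only; the rules, host names and addresses are constructed.

```python
# Evaluator for the TCP wrappers hosts_access(4) decision procedure described above.
# Added example, not Oracle Solaris code; IPv4 patterns only; rules and hosts are constructed.
import ipaddress

def match_client(pattern, host, addr):
    """One client pattern against the requesting host name and IPv4 address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):        # domain suffix, e.g. .corp.example.com
        return host.endswith(pattern)
    if pattern.endswith("."):          # address prefix, e.g. 192.0.2.
        return addr.startswith(pattern)
    if "/" in pattern:                 # net/mask, e.g. 192.0.2.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (host, addr)     # exact host name or address

def match_list(spec, pred):
    """'a b' matches if any pattern does; 'a b EXCEPT c' additionally requires no match on c."""
    included, _, excluded = spec.partition(" EXCEPT ")
    hit = any(pred(p) for p in included.split())
    return hit and not any(pred(p) for p in excluded.split())

def rule_matches(rule, daemon, host, addr):
    """A hosts.allow/hosts.deny line: 'daemon_list : client_list [: shell_command]'."""
    fields = [f.strip() for f in rule.split(":")]
    if len(fields) < 2 or rule.lstrip().startswith("#"):
        return False
    return (match_list(fields[0], lambda p: p in ("ALL", daemon))
            and match_list(fields[1], lambda p: match_client(p, host, addr)))

def hosts_access(allow, deny, daemon, host, addr):
    """tcpd order: a hosts.allow match grants, then a hosts.deny match refuses, else grant."""
    if any(rule_matches(r, daemon, host, addr) for r in allow):
        return "granted"
    if any(rule_matches(r, daemon, host, addr) for r in deny):
        return "denied"
    return "granted"          # neither file matched: tcpd's default is to allow

def demo():
    """Mostly-closed policy: SSH only from the admin subnet or corp domain, mail from anywhere."""
    allow = ["sshd : 192.0.2. .corp.example.com EXCEPT guest.corp.example.com",
             "sendmail : ALL"]
    deny = ["ALL : ALL"]
    requests = [("sshd", "admin1.corp.example.com", "192.0.2.10"),
                ("sshd", "guest.corp.example.com", "203.0.113.4"),
                ("sshd", "relay.example.net", "198.51.100.20"),
                ("sendmail", "relay.example.net", "198.51.100.20"),
                ("in.ftpd", "admin1.corp.example.com", "192.0.2.10")]
    return [hosts_access(allow, deny, *r) for r in requests]  # -> granted, denied, denied, granted, denied
```

Because the default when neither file matches is to grant access, a policy that omits the trailing ALL : ALL line in hosts.deny leaves every wrapped service open to hosts not named in hosts.allow.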
For information about TCP wrappers, see the following:
For information and examples of the syntax of the access control language for TCP wrappers, see the hosts_access(4) man page.
Selected man pages include tcpd(1M) and inetd(1M).
Remote access attacks can damage a system and a network. Oracle Solaris provides defense in depth for network transmissions. Defense features include encryption and authentication checks for data transmission, login authentication, and the disabling of unnecessary remote services.
IP security (IPsec) protects network transmissions by authenticating the IP packets, by encrypting them, or by doing both. Because IPsec is implemented well below the application layer, Internet applications can take advantage of IPsec without requiring modifications to their code.
IPsec and its automatic key exchange protocol, IKE, use algorithms from the Cryptographic Framework. Additionally, the Cryptographic Framework provides a central keystore. When IKE is configured to use the metaslot, organizations have the option of storing the keys on disk, on an attached hardware keystore, or in a software keystore called softtoken. Oracle Solaris supports both the IKE Version 2 (IKEv2) protocol and the IKEv1 protocol.
IPsec and IKE require configuration, so they are installed but not enabled by default. When properly administered, IPsec is an effective tool for securing network traffic.
For more information, see the following:
Chapter 8, About IP Security Architecture in Securing the Network in Oracle Solaris 11.3
Chapter 9, Configuring IPsec in Securing the Network in Oracle Solaris 11.3
IPsec and FIPS 140-2 in Securing the Network in Oracle Solaris 11.3
Chapter 10, About Internet Key Exchange in Securing the Network in Oracle Solaris 11.3
Chapter 11, Configuring IKEv2 in Securing the Network in Oracle Solaris 11.3
Selected man pages include ipsecconf(1M) and in.iked(1M).
By default, the Secure Shell feature of Oracle Solaris is the only active remote access mechanism on a newly installed system. All other network services are either disabled or in listen-only mode.
The current Oracle Solaris release includes both the default sunssh implementation of Secure Shell and a new openssh implementation of Secure Shell that is built on OpenSSH 6.5p1 plus additional features.
Secure Shell creates an encrypted communications channel between systems. Secure Shell can also be used as an on-demand virtual private network (VPN) that can forward X Window system traffic or can connect individual port numbers between a local system and remote systems over an authenticated and encrypted network link.
Thus, Secure Shell prevents a would-be intruder from reading an intercepted communication and prevents an adversary from spoofing the system.
For more information, see the following:
Chapter 1, Using Secure Shell in Managing Secure Shell Access in Oracle Solaris 11.3
OpenSSH and FIPS 140-2 in Managing Secure Shell Access in Oracle Solaris 11.3
Selected man pages include ssh(1), sshd(1M), sshd_config(4), and ssh_config(4).
The Kerberos feature of Oracle Solaris enables single sign-on and secure transactions, even over heterogeneous networks where systems running different operating systems all run the Kerberos service. You can install Kerberos clients by using AI, so that the client is a Kerberized system at first boot.
Kerberos is based on the Kerberos V5 network authentication protocol that was developed at the Massachusetts Institute of Technology (MIT). The Kerberos service offers strong user authentication, as well as integrity and privacy. Using the Kerberos service, you can log in once and access other systems, execute commands, exchange data, and transfer files securely. Additionally, the service enables administrators to restrict access to services and systems.
For more information, see the following:
How to Configure Kerberos Clients Using AI in Installing Oracle Solaris 11.3 Systems
Managing Kerberos and Other Authentication Services in Oracle Solaris 11.3
Selected man pages include kadmin(1M), kdcmgr(1M), kerberos(5), kinit(1), and krb5.conf(4).