Securing the Network in Oracle® Solaris 11.3

Updated: March 2018

What's New in Network Security in Oracle Solaris 11.3

This section highlights, for existing customers, the important new network security features in this release.

  • The OpenBSD Packet Filter (PF) is a network firewall that captures incoming packets and evaluates them for entry to the system. PF is based on OpenBSD Packet Filter (PF) version 5.5, which is enhanced to work with Oracle Solaris components, such as zones with exclusive IP instances. For the policy-based routing option (PBR), see the route-to description in Packet Filter Rule Optional Actions.

    To log PF rules by using the log action, see Packet Filter Logging and Using Packet Filter Logging.

  • The SSL kernel proxy supports the TLS 1.0 and SSL 3.0 protocols, although the SSL 3.0 protocol is disabled by default.

  • IKE and IPsec can use the latest algorithm mechanisms from the Cryptographic Framework. In this release, Camellia is now available.

  • To aid in making the transition from IKEv1 to IKEv2, the IPsec administrator can specify the version of the IKE protocol that an IPsec policy rule must use. By specifying one IKE protocol on a system or a network of systems, an administrator can transition systems from IKEv1 to the newer IKEv2 protocol while maintaining backward compatibility with systems that cannot support IKEv2. See Specifying an IKE Version and Example 34, Configuring IPsec Policy to Use the IKEv2 Protocol Only.

  • The IPsec administrator can use the or pass {} instruction in an IPsec rule to specify that unencrypted packets that otherwise satisfy the rule can pass through rather than be dropped. This option enables a server to support IPsec clients as well as clients that are not yet configured with IPsec. For more information, see Example 35, Transitioning Client Systems to Use IPsec by Using the or pass Action on the Server and the ipsecconf(1M) man page.
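The two transition features above, an IKE version pinned per rule and the or pass action, can sit side by side in one IPsec policy file. The following fragment is an added illustration, not an example from this guide: the host and network addresses are constructed, the algorithm choices are arbitrary, and the ike_version keyword is assumed from the ipsecconf(1M) man page rather than quoted from this page.

```conf
# /etc/inet/ipsecinit.conf on the server (constructed illustration).
# 192.0.2.10 is the server; 198.51.100.0/24 is the client network (placeholders).

# Rule 1: all traffic on the application port must be protected, and only
# IKEv2 may negotiate the SAs, so a legacy IKEv1-only peer cannot reach it.
{laddr 192.0.2.10 lport 5000 dir both} ipsec {encr_algs aes encr_auth_algs sha256 sa shared ike_version 2}

# Rule 2: for the rest of the client network, clients that already run IPsec
# get protected traffic; clients not yet configured with IPsec pass in the
# clear (or pass) instead of being dropped, so the rollout can be gradual.
{laddr 192.0.2.10 raddr 198.51.100.0/24 dir both} ipsec {encr_algs aes encr_auth_algs sha256 sa shared} or pass {}
```

Run ipsecconf -c on the file to check its syntax before activating it, and watch for unprotected peers on the or pass rule so the transition can be closed once every client is configured.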

Note - The Cryptographic Framework feature of Oracle Solaris is validated for FIPS 140-2, Level 1. For IKE's use of FIPS 140-2 mode, see Figure 13, Table 13, IKEv2 and IKEv1 Implementation in Oracle Solaris. For hardware and software details, see Oracle FIPS 140-2 Software Validations (http://www.oracle.com/technetwork/topics/security/fips140-software-validations-1703049.html).