This section highlights information for existing customers about important new network security features in this release.
Packet Filter (PF) is a network firewall that captures incoming packets and evaluates them for entry to the system. PF is based on OpenBSD Packet Filter (PF), version 5.5, which is enhanced to work with Oracle Solaris components, such as zones with exclusive IP instances. For the policy-based routing option (PBR), see the route-to description in Packet Filter Rule Optional Actions.
To log PF rules by using the log action, see Packet Filter Logging and Using Packet Filter Logging.
The SSL kernel proxy supports the TLS 1.0 and SSL 3.0 protocols, although the SSL 3.0 protocol is disabled by default.
IKE and IPsec can use the latest algorithm mechanisms from the Cryptographic Framework. In this release, Camellia is now available.
To aid in making the transition from IKEv1 to IKEv2, the IPsec administrator can specify the version of the IKE protocol that an IPsec policy rule must use. By specifying one IKE protocol on a system or a network of systems, an administrator can transition systems from IKEv1 to the newer IKEv2 protocol while maintaining backward compatibility with systems that cannot support IKEv2. See Specifying an IKE Version and Example 33, Configuring IPsec Policy to Use the IKEv2 Protocol Only.
The IPsec administrator can use the or pass {} instruction in an IPsec rule to specify that unencrypted packets that otherwise satisfy the rule can pass through rather than be dropped. This option enables a server to support IPsec clients as well as clients that are not yet configured with IPsec. For more information, see Example 34, Transitioning Client Systems to Use IPsec by Using the or pass Action on the Server and the ipsecconf(1M) man page.
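As an added illustration (not from the original page or Example 34), the following constructed ipsecconf policy rule shows the or pass action on a server. The server address 192.0.2.10 and the port 443 are assumed values chosen for the example.

```text
# Constructed example: the server at 192.0.2.10 (assumed address) prefers
# IPsec ESP with AES and SHA-256 for HTTPS traffic. A client that has been
# configured with IPsec negotiates an SA and its traffic is protected; a
# client not yet configured with IPsec still matches the rule, and because
# of "or pass" its cleartext packets are passed instead of dropped.
{laddr 192.0.2.10 lport 443 ulp tcp dir both} ipsec {encr_algs aes encr_auth_algs sha256 sa shared} or pass
```

Because or pass admits unprotected traffic to the same port, it is a migration aid; once every client is configured, removing the or pass action restores the drop behavior for packets that do not satisfy the rule.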