Oracle Dual Port QDR InfiniBand Adapter M4 Security Guide

Updated: June 2016

Planning a Secure Environment

Use the following notes for the installation and configuration of a server and related equipment.

Hardware Security

Physical hardware can be secured fairly simply: limit access to the hardware and record serial numbers.

  • Restrict access

    • Install servers and related equipment in a locked, restricted access room.

    • If equipment is installed in a rack with a locking door, keep the door locked except when you have to service components in the rack.

    • Restrict access to USB consoles, which can provide more powerful access than SSH connections. Devices such as system controllers, power distribution units (PDUs), and network switches can have USB connections.

    • Restrict access to hot-plug or hot-swap devices in particular because they can be easily removed.

    • Store spare field-replaceable units (FRUs) and customer-replaceable units (CRUs) in a locked cabinet. Restrict access to the locked cabinet to authorized personnel.

    • Record serial numbers

      • Security-mark all significant items of computer hardware such as FRUs. Use special ultraviolet pens or embossed labels.

      • Keep a record of the serial numbers of all your hardware.

      • Keep hardware activation keys and licenses in a secure location that is easily accessible to the system manager in system emergencies. The printed documents might be your only proof of ownership.

Software Security

Most hardware and software security is implemented through software measures.

  • Refer to the documentation that came with your software to enable any security features available for the software.

  • Implement port security to limit access based upon MAC addresses. Disable auto-trunking on all ports.

  • Use a dedicated network for service processors to separate them from the general network.

  • You can boot a system securely over a wide area network (WAN) or a storage area network (SAN). For information about using WAN Boot or iSCSI Boot for secure booting, refer to the Oracle Solaris Installation Guide: Network-Based Installations book for your Oracle Solaris operating system release.

  • Change all default passwords when installing a new system. Most types of equipment use default passwords, such as changeme, that are widely known and would allow unauthorized access to the equipment.

  • Change every password on network switches, which might have multiple user accounts and passwords by default.

Oracle Solaris OS Guidelines

Refer to Oracle Solaris Security Guidelines documents for information on:

Oracle Linux OS Guidelines

Use Oracle Linux OS commands to restrict access to the software, harden the OS, use security features, and protect applications. Refer to the Oracle Linux Security Guide for Release 6 at http://docs.oracle.com/cd/E37670_01/E36387/html/index.html.

Network Switches

Different switches offer different levels of port security features. Refer to the switch documentation to learn how to do the following:

  • Use authentication, authorization, and accounting features for local and remote access to the switch.

  • Manage switches out-of-band (separated from data traffic). If out-of-band management is not feasible, then dedicate a separate VLAN number for in-band management.

  • Use the port mirroring capability of the network switch for intrusion detection system (IDS) access.

  • Maintain a switch configuration file off-line and limit access only to authorized administrators. The configuration file should contain descriptive comments for each setting.

  • Use these port security features if they are available on your switch:

    • MAC Locking involves tying a Media Access Control (MAC) address of one or more connected devices to a physical port on a switch. If you lock a switch port to a particular MAC address, superusers cannot create backdoors into your network with rogue access points.

    • MAC Lockout disables a specified MAC address from connecting to a switch.

    • MAC Learning uses the knowledge about each switch port’s direct connections so the network switch can set security based on current connections.

Oracle Firmware Security

Use the superuser account to set up and update the OpenBoot PROM (OBP) or other Oracle firmware. Ordinary user accounts allow users to view but not edit firmware. The Oracle Solaris OS firmware update process prevents unauthorized firmware modifications.

For information about setting OBP security variables, refer to the OpenBoot 4.x Command Reference Manual at http://download.oracle.com/docs/cd/E19455-01/816-1177-10/cfg-var.html#pgfId-17069.

Oracle ILOM Firmware

You can actively secure, manage, and monitor system components through Oracle Integrated Lights Out Manager (Oracle ILOM) management firmware, which is preinstalled on some SPARC servers.

Refer to Oracle ILOM documentation to understand more about setting up passwords, managing users, and applying security-related features, including Secure Shell (SSH), Secure Socket Layer (SSL), and RADIUS authentication: http://docs.oracle.com/cd/E37444_01/index.html

VLAN Security

If you set up a virtual local area network (VLAN), remember that VLANs share bandwidth on a network and require additional security measures.

  • Define virtual local area networks (VLANs) to separate sensitive clusters of systems from the rest of the network. This decreases the likelihood that users will gain access to information on these clients and servers.

  • Assign a unique native VLAN number to trunk ports.

  • Limit the VLANs that can be transported over a trunk to only those that are strictly required.

  • Disable VLAN Trunking Protocol (VTP), if possible. Otherwise, set the following for VTP: management domain, password and pruning. Then set VTP into transparent mode.

InfiniBand Security

InfiniBand (IB) security is a function of the IB fabric and the Subnet Manager (SM) running in the IB fabric. Keep all IB hosts attached to the IB fabric secure: an IB fabric is only as secure as the least secure IB host attached to it. An attacker with root access to a host can bring the whole IB fabric down. (Physical access is also important in this regard: an attacker able to connect his own host to an IB switch may be able to compromise the security of the IB fabric.)

When an Oracle Dual Port EDR InfiniBand Adapter or an Oracle Dual Port QDR InfiniBand Adapter M4 is used in a virtualized environment, pay special attention to the security of the physical domain because a compromised physical domain would lead to all virtual machines being exposed and vulnerable.

For more information about securing InfiniBand and supported switches, which also run the SM, see the InfiniBand Switch Security Guide for the applicable switch:

User Accounts

  • Set up RADIUS and TACACS+ access protocols if possible:

    • RADIUS (Remote Authentication Dial In User Service) is a client/server protocol that secures networks against unauthorized access.

    • TACACS+ (Terminal Access Controller Access-Control System) is a protocol that permits a remote access server to communicate with an authentication server to determine if a user has access to the network.

  • Limit use of the superuser account (root). It has special privileges which, if misused, can adversely affect security. Use other, lower-privileged user accounts whenever possible. This applies to the host operating system (Oracle Solaris, Linux) as well as to Oracle ILOM.

  • Use access control lists where appropriate.

  • Set time-outs for extended sessions.

  • Set privilege levels.

  • Create a system banner to remind the user that unauthorized access is prohibited.

System Logs

  • Enable logging and send logs to a dedicated secure log host.

  • Configure logging to include accurate time information, using NTP and timestamps.
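As an added example (not part of the Oracle guide), the following bash script applies the session time-out, login banner and remote-logging items above on an Oracle Linux host. The root directory argument and the log host name are assumptions: pass a scratch directory to preview the generated files, or / (as root) to apply them.

```bash
#!/bin/bash
# Added example: apply session time-out, login banner and remote
# logging settings on an Oracle Linux host. Every function takes the
# filesystem root to write under as its first argument (assumption:
# standard Oracle Linux, sshd and rsyslog file layout).
set -e

# Time out idle interactive shells after N seconds. TMOUT is made
# read-only so a user cannot simply unset it.
write_session_timeout() {
  local root="$1" seconds="$2"
  mkdir -p "$root/etc/profile.d"
  cat > "$root/etc/profile.d/tmout.sh" <<EOF
TMOUT=$seconds
readonly TMOUT
export TMOUT
EOF
}

# Banner shown on the console (/etc/issue) and before SSH login
# (/etc/issue.net, referenced by the sshd_config Banner directive).
write_login_banner() {
  local root="$1"
  mkdir -p "$root/etc/ssh"
  printf '%s\n' "Authorized use only. Unauthorized access is prohibited." \
    > "$root/etc/issue.net"
  cp "$root/etc/issue.net" "$root/etc/issue"
  echo "Banner /etc/issue.net" >> "$root/etc/ssh/sshd_config"
}

# Forward every message over TCP (@@) to the dedicated log host using
# rsyslog's built-in RSYSLOG_ForwardFormat, which carries
# high-precision timestamps; keep the same precision in local files.
write_remote_logging() {
  local root="$1" loghost="$2"
  mkdir -p "$root/etc/rsyslog.d"
  cat > "$root/etc/rsyslog.d/50-remote.conf" <<EOF
\$ActionFileDefaultTemplate RSYSLOG_FileFormat
*.* @@${loghost}:514;RSYSLOG_ForwardFormat
EOF
}

# Accurate timestamps need a time source: succeed only if chrony or
# ntpd has at least one server or pool configured.
ntp_configured() {
  local root="$1"
  grep -Eqs '^(server|pool) ' "$root/etc/chrony.conf" "$root/etc/ntp.conf"
}
```

After applying under /, restart rsyslog and sshd so the new settings take effect.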