1. Security Guide
  2. Security Features for Oracle Private Cloud Appliance

3 Security Features for Oracle Private Cloud Appliance

This section outlines the specific security mechanisms offered by the Oracle Private Cloud Appliance. Oracle Private Cloud Appliance offers a full suite of authentication, access control, and security audit features. This section provides guidance on how to enable and use these features.

Whenever possible and practical, choose and configure secure default settings. Use the following default settings in Oracle Private Cloud Appliance:

  • A minimal software installation to reduce attack surface.

  • Oracle secure settings developed and implemented using Oracle best practices.

  • A password policy that enforces a standard complexity for password formulation.

  • Failed log-in attempts cause a lockout after a set number of failed attempts.

  • All default operating system accounts are locked and blocked from logging in.

  • Limited ability to use the su command.

  • Password-protected boot loader installation.

  • All unnecessary system services are disabled, including the internet service daemon (inetd/xinetd).

  • Software firewall configured wherever practical.

  • Restrictive file permissions on key security-related configuration files and executable files.

  • SSH listen ports restricted to management and private networks.

  • SSH limited to v2 protocol.

  • Disabled insecure SSH authentication mechanisms.

  • Configured-specific cryptographic ciphers.

  • Unnecessary protocols and modules are disabled from the operating system kernel.

Remote network access is always a security concern. Manage the management network switch configuration file offline, and limit access to the configuration file to authorized administrators. Place descriptive comments in the configuration file for each setting. Consider keeping a static copy of the configuration file in a source code control system. Periodic reviews of the client access network are required to ensure that secure host and other settings remain intact and in effect. In addition, periodic reviews of the settings ensure that they remain intact and in effect.

These network security guidelines help to ensure the security of local and remote access to the Oracle Private Cloud Appliance system:

  • Create a login banner to state that unauthorized access is prohibited.

  • Use access control lists to apply restrictions where appropriate.

  • Set time-outs for extended sessions and set privilege levels.

  • Use authentication, authorization, and accounting (AAA) features for local and remote access to a switch.

  • Use the port mirroring capability of the switch for intrusion detection system (IDS) access.

  • Implement port security to limit access based upon a MAC address. Disable auto-trunking on all ports for any switch connected to Oracle Private Cloud Appliance.

  • Limit remote configuration to specific IP addresses using SSH.

  • Require users to use strong passwords by setting a standard complexity for password formulation and establishing password expiration policies.

  • Enable logging and send logs to a dedicated secure log host.

  • Configure logging to include accurate time information, using NTP and timestamps.

  • Review logs for possible incidents and archive them in accordance with the organization's security policy.