Preface
This book is one of an ongoing series of books collectively known as the Sun
BluePrints program. This book provides a compilation of best practices and
recommendations, previously published as Sun BluePrints OnLine articles, for
securing the Solaris Operating Environment (Solaris OE).
This book applies to Solaris OE Versions 2.51, 2.67, and 8.
About This Book
Securing computer systems against unauthorized access is one of the most
pressing issues facing today's datacenter administrators. Recent studies
suggest that the number of unauthorized accesses continues to rise, as do the
monetary losses associated with these security breaches.
As with many security decisions, a balance must be attained between system
manageability and security.
Many attacks have preventative solutions available; however, every day, hackers
compromise systems using well-known attack methods. By being aware of how these
attacks are performed, you can raise awareness within your organization of the
importance of building and maintaining secure systems. Many organizations make
the mistake of addressing security only during installation, then never revisit
it. Maintaining security is an ongoing process and is something that must be
reviewed and revisited periodically.
Sun BluePrints Program
The mission of the Sun BluePrints program is to empower Sun's customers with
the technical knowledge required to implement reliable, extensible, and secure
information systems within the datacenter using Sun products. This program
provides a framework to identify, develop, and distribute best practices
information that applies across Sun product lines. Experts in technical
subjects in various areas contribute to the program and focus on the scope and
usefulness of the information.
The Sun BluePrints program includes books, guides, and online articles. Through
these vehicles, Sun can provide guidance, installation and implementation
experiences, real-life scenarios, and late-breaking technical information. The
monthly electronic magazine, Sun BluePrints OnLine, is located on the Web
at http://www.sun.com/blueprints. To be notified about updates to the Sun
BluePrints program, please register at this site.
Who Should Read This Book
This book is primarily intended for the busy system administrator (SA) who
needs help handling nonsecure systems. Secondary audiences include individuals
who architect and implement systems--for example, architects, consultants, and
engineers.
Before You Read This Book
You should be familiar with the basic administration and maintenance functions
of the Solaris OE. You should also have an understanding of standard network
protocols and topologies.
Because this book is designed to be useful to people with varying degrees of
experience or knowledge of security, your experience and knowledge are the
determining factors of the path you choose through this book.
How This Book Is Organized
This book is organized into six parts that group security best practices and
recommendations as follows:
Part I--Solaris Operating Environment Security
Chapter 1: "Solaris Operating Environment Security," by Alex
Noordergraaf and Keith Watson describes the Solaris OE subsystems and the
security issues surrounding those subsystems. This chapter provides
recommendations on how to secure Solaris OE subsystems.
Chapter 2: "Network Settings for Security" by Keith Watson and Alex
Noordergraaf describes known attack methods so that administrators become
aware of the need to set or change network settings. The application of most of
these network security settings requires planning and testing and should be
applicable to most computing environments.
Chapter 3: "Minimization" by Alex Noordergraaf focuses on
practices and methodology (processes) that improve overall system security by
minimizing and automating Solaris OE installation.
Chapter 4: "Auditing" by Will Osser and Alex Noordergraaf was
derived from an auditing case study and includes a set of audit events and
classes usable on Solaris 8 OE.
Part II--Architecture Security
Chapter 5: "Building Secure N-Tier Environments" by Alex
Noordergraaf provides recommendations for architecting and securing N-Tier
environments.
Chapter 6: "How Hackers Do It: Tricks, Tools, and Techniques" by Alex
Noordergraaf describes the tricks, tools, and techniques that hackers use
to gain unauthorized access to Solaris OE systems.
Part IV--Tools for Security
Chapter 7: "Solaris Fingerprint Database" by Vasanthan Dasan, Alex
Noordergraaf, and Lou Ordorica provides an introduction to the Solaris
Fingerprint Database (sfpDB).
Part V--Hardware and Software Security
Chapter 8: "Securing the Sun Fire 15K System Controller" by Alex
Noordergraaf and Dina Kurktchi provides recommendations on how to enhance
the security of a Sun Fire 15K System Controller (SC).
Chapter 9: "Securing Sun Fire 15K Domains" by Alex Noordergraaf and
Dina Kurktchi documents all of the security modifications that can be
performed on a Sun Fire 15K domain without negatively affecting its
behavior.
Chapter 10: "Securing Sun Enterprise 10000 System Service Processors"
by Alex Noordergraaf describes a secure Sun Enterprise 10000
configuration that is fully Sun supported. It provides tips, instructions, and
guidance for creating a more secure Sun Enterprise 10000 system.
Chapter 11: "Sun Cluster 3.0 (12/01) Security with the Apache and iPlanet
Web and Messaging Agents" by Alex Noordergraaf, Mark Hashimoto, and
Richard Lau describes a supported procedure by which certain Sun Cluster
3.0 (12/01) software agents can be run on secured and hardened Solaris OE
systems.
Chapter 12: "Securing the Sun Fire Midframe System Controller" by
Alex Noordergraaf and Tony M. Benson provides recommendations on how to
securely deploy the Sun Fire System Controller (SC).
Part VI--Solaris Security Toolkit Documentation
Chapter 13: "Quick Start" by Alex Noordergraaf and Glenn Brunette
is for individuals who want to get started with the Solaris Security
Toolkit software as quickly as possible. Only the bare essentials in getting the
Solaris Security Toolkit software downloaded and installed are
addressed.
Chapter 14: "Installation, Configuration, and User Guide" by Alex
Noordergraaf and Glenn Brunette describes the advanced configuration and
user options available in version 0.3 of the Solaris Security Toolkit
software.
Chapter 15: "Internals" by Alex Noordergraaf and Glenn Brunette
describes all of the directories and scripts used by the Solaris Security
Toolkit software to harden and minimize Solaris OE systems.
Chapter 16: "Release Notes" by Alex Noordergraaf and Glenn
Brunette describes the changes made to the Solaris Security Toolkit since
the release of version 0.2 in November of 2000.
Ordering Sun Documents
The SunDocs program provides more than 250 manuals from Sun Microsystems,
Inc. If you live in the United States, Canada, Europe, or Japan, you can
purchase documentation sets or individual manuals through this program.
Accessing Sun Documentation Online
The docs.sun.com web site enables you to
access Sun technical documentation online. You can browse the archive or search
for a specific book title or subject.
Related Documentation
At the end of each chapter in this book is a "Related Resources" section, which
provides references to publications and web sites applicable to the information
in each chapter.
Sun Welcomes Your Comments
We are interested in improving our documentation and welcome your comments
and suggestions. You can email your comments to us at:
docfeedback@sun.com
Please include the part number (8xx-xxxx-xx) of your document in the subject
line of your email.
About the Authors
ALEX NOORDERGRAAF authored or worked with other authors on the chapters
in this book. In some cases, he was the primary author, and in other cases, he
was a co-author. Refer to "How This Book Is Organized" on page xxiii for the
names of authors for each chapter. The following provides biographical
information for all authors in alphabetical order by last name.
TONY M. BENSON has over twenty years of experience developing software
solutions in the areas of military, aerospace, and financial applications. As a
Staff Engineer in the Enterprise Server Products group of Sun Microsystems, he
is developing system management solutions for the Enterprise Server Product
line. Prior to his role in the Enterprise Server Products group, he developed
secure, distributed revenue collection systems for a worldwide base of
customers in the transit industry.
GLENN BRUNETTE has more than eight years of experience in the areas of
computer and network security. Glenn currently works within the Sun
Professional Services organization where he is the Lead Security Architect
for the Northeastern USA region. In this role, he works with many Fortune 500
companies to deliver tailored security solutions such as assessments,
architecture design and implementation, as well as policy and procedure review
and development. His customers have included major financial institutions, ISP,
New Media, and government organizations. In addition to billable services,
Glenn works with the Sun Professional Services Global Security Practice and
Enterprise Engineering group on the development and review of new security
methodologies, best practices, and tools.
VASANTHAN DASAN is an ES Principal Engineer, one of five high-ranked
engineers in Sun's Enterprise Services. Vasanthan joined Sun Microsystems in
1992 and is currently a Technology Strategist in the Support Services Global
Strategy Business Development group. He is responsible for architecting
application availability services and for providing technical expertise on
merger and acquisition activities.
Vasanthan was the Chief Architect for Support Services Engineering, responsible
for developing online support services for Sun's customer support engineers and
external customers. Prior to that, he worked on Solaris products such as
CacheFS, AutoClient, Solstice PC Products and JumpStart as part of the Solaris
engineering team. Vasanthan co-authored Hands-On Intranet,
published by Sun Microsystems Press and Prentice Hall PTR, and has written
numerous Sun whitepapers. He was largely responsible for Sun's early adoption of
the Web in 1994, and holds one of the industry's first Web patents, awarded for
the invention of web-based personal newspapers.
MARK HASHIMOTO has been with Sun Microsystems in Menlo Park, California
for the past three years. Currently, he is developing the user interface
components for the Sun Cluster Products group. Mark was also one of the
originators of the SunPlex Manager GUI tool. Mark holds a Master's degree in
Computer Science from the University of Arizona.
DINA KURKTCHI is a senior software engineer with 15 years of experience
in many areas from device drivers to databases. Her last four years have been
focused on secure software development tools, intrusion detection systems and
public key infrastructures. Currently, she works with the Enterprise Systems
Group at Sun Microsystems.
RICHARD LAU has three years of working experience. As part of the Sun
Cluster QA group of Sun Microsystems, his duties include Sun Cluster 2.2 patch
testing, testing new features, and performing tests for Sun Cluster 3.0
products.
ALEX NOORDERGRAAF has over 10 years of experience in the areas of computer
and network security. As the Security Architect of the Enterprise Server Products
(ESP) group at Sun Microsystems, he is responsible for the security of Sun
Servers. He is the driving force behind the very popular freeware Solaris
Security Toolkit. Prior to his role in ESP, he was a Senior Staff Engineer in
the Enterprise Engineering (EE) group at Sun Microsystems, where he developed,
documented, and published security best practices through the Sun BluePrints
program. Published topics include: Sun Fire Midframe 15K system, secure N-tier
environments. He coauthored JumpStart Technology:
Effective Use in the Solaris Operating Environment.
Prior to his role in EE, he was a Senior Security Architect with Sun
Professional Services where he worked with many Fortune 500 companies on
projects that included security assessment methodology and training curriculum
to be used worldwide by Sun Professional Services. His customers included major
telecommunication firms, financial institutions, ISPs, and ASPs. Before joining
Sun, Alex was an independent contractor specializing in network security. His
clients included BTG, Inc. and Thinking Machines Corporation.
LOU ORDORICA worked for several years as a system administrator at Sun
Microsystems. He went on to teach and write about system administration for Sun
employees and customers, and is currently providing online support to customers
using the Web.
WILL OSSER has over eight years of experience in the area of Computer and
Network Security. He has worked extensively with B-1 secure UNIX[R] systems in a
variety of roles including developing, sustaining, pre- and post-sales support,
as well as training. He has also worked as a security consultant designing
system and software architecture. Will is currently a software engineer working
for Sun Microsystems in the Solaris Secure Technology Group.
KEITH WATSON has spent nearly four years at Sun working in the area of
computer and network security. He is currently the product manager for core
Solaris security. Previously Keith was a member of the Global Enterprise
Security Service (GESS) team in Sun Professional Services. He is also a
co-developer of an enterprise network security auditing tool named the Sun
Enterprise Network Security Service (SENSS). Prior to joining Sun, Keith was part
of the Computer Operations, Audit, and Security Technologies (COAST) laboratory
(now part of the CERIAS research center at Purdue University).