Secure Shell

Secure Shell is a multi-platform replacement for the traditional rsh, rlogin, rcp, and telnet commands. This integration increases security within the enterprise by ensuring that interactive sessions with the Solaris OS are encrypted and strongly authenticated. Secure Shell allows for strong authentication of both the client and server machines as well as user IDs. It provides a secure method for system access, including a lightweight VPN.

Allows for enhanced security through encryption of sensitive sessions.

IPSec and IKE

IPSec is the encryption of IP traffic and a key technology for VPNs. Internet Key Exchange (IKE) automates key management for IPSec, replacing manual key assignment and refreshment on an IPv4 network. The Solaris 9 OS now ships with 128-bit encryption by default.

IPSec increases security between both servers and communication channels so that only authorized parties can communicate with them. IKE simplifies the set-up and management of large numbers of secure networks.

Kerberos v5 Server

Kerberos is a standards-based solution for secure single sign-on for both applications and operating systems. The Kerberos v5 server includes the principal administration system, the Key Distribution Center, and the principal database replication system. In the Solaris 9 OS, the Kerberos V Key Distribution Center and Kerberos-ready client software (including telnet, rlogin, rsh, and rcp) can be configured at install time and administered through a convenient graphical user interface.

Improved system security with single sign-on for applications and systems. Bundles functionality previously available in a separate product, Sun Enterprise Authentication Mechanism (SEAM) software. Because it is standards-based, it interoperates with MIT Kerberos and Microsoft's Active Directory, simplifying deployment across heterogeneous environments and increasing interoperability.

SunScreen 3.2 Firewall

Sun's highly scalable, feature-rich, enterprise-class firewall is included with the Solaris 9 OS. Some of the key features are:
- Stateful packet filter
- Configurable as a Stealth and Routing mode firewall
- Standalone IPSec/IKE
- Centralized management facility
- Failover functionality (HA)
- Proxy services for telnet, ftp, http and smtp with TrendMicro Anti-Virus scan
- Network Address Translation

The integrated firewall provides both host-based and network-based access control capabilities. There is no need to purchase an additional firewall product, resulting in cost savings.

Pluggable Authentication Modules (PAM) Enhancements

The PAM framework has been restructured into smaller, more modular shared object files; the PAM API itself has not changed. The framework is now better isolated from naming services: it has been enhanced so that customers can concentrate on developing their own solution without needing to manipulate many of the naming service and authentication details.

Customers and developers now have the flexibility to write their own Pluggable Authentication Modules to enhance and control logins to the Solaris OS. Examples of such enhancements are dictionary checking of passwords, password history, and similar controls.

Random Number Generator

The /dev/random device is now integrated into the Solaris OS and available to both kernel-level and traditional user-level applications. The implementation also hides from callers whether the random numbers come from a hardware-based or a software-based generator.

Since the strength of encryption and security depends on the quality of the random number generator, this feature significantly improves the randomness of the numbers generated, resulting in improved security.

Secure LDAP

The Solaris LDAP client has been enhanced to support SSL and DIGEST-MD5. Secure LDAP allows the naming of objects and secure access to the naming service. It provides a flexible attribute mapping schema, and is architected for complete password management support via the directory server.

Provides better security than previous releases. Passwords are no longer exchanged between systems in the clear.

System Minimization

Operating system components are now divided into finer-grained packages. Sensitive utilities such as telnet and FTP are installed as their own packages and can be easily removed without impacting the rest of the Solaris OS.

Provides greater flexibility in removing packages with security implications, resulting in easier implementation of a secure environment.

Extended File Attributes

Allows arbitrary data tags to be associated with files and system objects.

Enables new security and other functionality to be added to files.

TCP Wrappers

TCP Wrappers takes advantage of the client-server relationship used by most TCP/IP applications by inserting itself between the two parties. It stands in for the server while it applies its access control rules to the connecting client host, and only then hands the connection to the real service. The well-known TCP Wrappers application is fully integrated into the Solaris 9 Operating System.

It provides an extremely effective method for monitoring and filtering incoming network requests for network services such as systat, finger, FTP, Telnet, rlogin, rsh, and more.

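As an added example (not code from the page or from Solaris), the following POSIX sh script evaluates the hosts.allow/hosts.deny rule format that TCP Wrappers applies, so an administrator can check what a rule set will do before a service is exposed. It assumes a simplified rule grammar and uses constructed rule sets; in Solaris 9 the inetd integration itself is switched on with ENABLE_TCPWRAPPERS=YES in /etc/default/inetd.

```shell
#!/bin/sh
# Added example: evaluator for the tcp_wrappers hosts_access(5) rule format.
# Supported subset: "daemon_list : client_list", lists separated by commas or
# spaces, patterns ALL, an exact address, a dotted prefix such as 10.1.2., and
# "list EXCEPT list". Hostnames and netmasks are not resolved here, so clients
# are given as dotted-quad addresses.
# match_item PATTERN VALUE: succeeds if VALUE matches one pattern
match_item() {
  case "$1" in
    ALL) return 0 ;;
    *.)  case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;;
    *)   [ "$1" = "$2" ] && return 0; return 1 ;;
  esac
}
# match_list "LIST" VALUE: a match before EXCEPT wins unless one after it vetoes
match_list() {
  value=$2; matched=1; except=0
  oldifs=$IFS; IFS=' ,'; set -- $1; IFS=$oldifs
  for tok in "$@"; do
    [ "$tok" = EXCEPT ] && { except=1; continue; }
    if match_item "$tok" "$value"; then
      [ $except -eq 1 ] && return 1
      matched=0
    fi
  done
  return $matched
}
# rule_matches "RULE" DAEMON CLIENT: both list fields must match
rule_matches() {
  daemons=${1%%:*}; rest=${1#*:}; clients=${rest%%:*}
  match_list "$daemons" "$2" && match_list "$clients" "$3"
}
# rules_match "RULES" DAEMON CLIENT: first non-comment rule that matches wins
rules_match() {
  while IFS= read -r rule; do
    case "$rule" in ''|\#*) continue ;; esac
    rule_matches "$rule" "$2" "$3" && return 0
  done <<EOF
$1
EOF
  return 1
}
# Constructed samples standing in for /etc/hosts.allow and /etc/hosts.deny:
# telnet and ftp only from 10.1.2.0/24 jump hosts minus one, ssh from anywhere
HOSTS_ALLOW='in.telnetd, in.ftpd : 10.1.2. EXCEPT 10.1.2.99
sshd : ALL'
HOSTS_DENY='ALL : ALL'
# hosts_access DAEMON CLIENT: allow list first, then deny list, else allow
hosts_access() {
  rules_match "$HOSTS_ALLOW" "$1" "$2" && { echo allow; return 0; }
  rules_match "$HOSTS_DENY" "$1" "$2" && { echo deny; return 1; }
  echo allow
}
```

With the sample rules, `hosts_access in.telnetd 10.1.2.99` prints deny because the EXCEPT clause vetoes the prefix match and the catch-all deny rule then applies.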
Thread Safe BSM

The Basic Security Module (BSM) supports the creation of audit trails for kernel events in the Solaris 9 Operating System. The audit daemon, previously a single-threaded application, is now multithreaded in the Solaris 9 platform. The audit files can be used for billing, intrusion detection, or system usage reports. Solaris auditing is fully supported in both the C and Java programming languages, and works well with the Solaris Management Console.

Performance improvements over previous versions of Solaris software are expected to be significant, depending on exactly what is being audited.

Enhanced Buffer Overflow Exploit Protection (Disable Stack Execution)

The Solaris 9 Operating System reduces system vulnerabilities by preventing malicious code from executing on, and accessing other information on, the stack. It provides the ability to stop executable code that has been written onto the stack from being run, typically by way of the return address that is also stored on the stack.

Security is enhanced because a stack-based buffer overflow is much less likely to be usable to run code on the stack and gain root access.

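An added example (not from the page or from Solaris) of verifying that this protection is actually configured: a POSIX sh audit of an /etc/system file for the noexec_user_stack and noexec_user_stack_log tunables, which is the kind of check worth running on every build before trusting the feature. The two /etc/system files are constructed samples.

```shell
#!/bin/sh
# Added example: audit an /etc/system file for the stack execution tunables.
# Comment lines in /etc/system begin with '*'. noexec_user_stack=1 makes the
# kernel refuse to run code on a user stack; noexec_user_stack_log=1 makes
# each refused attempt appear in syslog, which is the detection signal worth
# keeping on. Edits to /etc/system take effect at the next reboot. The audit
# reports only what the file sets; kernel defaults for omitted tunables are
# not assumed.
# tunable_value FILE NAME: value of the last uncommented "set NAME=VALUE"
# line in FILE, or "unset" if there is none
tunable_value() {
  awk -v name="$2" '
    /^[ \t]*\*/ { next }
    $1 == "set" {
      kv = $0; sub(/^[ \t]*set[ \t]+/, "", kv)
      n = split(kv, f, /[ \t]*=[ \t]*/)
      sub(/[ \t]+$/, "", f[2])
      if (n == 2 && f[1] == name) val = f[2]
    }
    END { print (val == "" ? "unset" : val) }' "$1"
}
# stack_protection_status FILE: enforced+logged, enforced (log tunable not
# set to 1 in the file), or open
stack_protection_status() {
  exec_val=$(tunable_value "$1" noexec_user_stack)
  log_val=$(tunable_value "$1" noexec_user_stack_log)
  if [ "$exec_val" = 1 ] && [ "$log_val" = 1 ]; then echo enforced+logged
  elif [ "$exec_val" = 1 ]; then echo enforced
  else echo open; fi
}
# Constructed samples: a hardened file, and one where the setting is only a
# comment and so must not count
SYS_HARDENED=${TMPDIR:-/tmp}/system.hardened.$$
SYS_DEFAULT=${TMPDIR:-/tmp}/system.default.$$
cat > "$SYS_HARDENED" <<'EOF'
* sample /etc/system: refuse and log execution from user stacks
set noexec_user_stack = 1
set noexec_user_stack_log=1
EOF
cat > "$SYS_DEFAULT" <<'EOF'
* set noexec_user_stack=1   (commented out, so the file leaves the stack open)
EOF
stack_protection_status "$SYS_HARDENED"   # enforced+logged
stack_protection_status "$SYS_DEFAULT"    # open
```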
Extensible Password Encryption (Coming Soon)

Password encryption, normally supplied by 'crypt', can now be replaced by a user-supplied module.

This is important where government or industry regulations require strong encryption for password storage.

Role-based Access Control (RBAC)

RBAC enables assigning rights to perform specific operations. It separates system authority and controls the delegation of privileged operations to individual users. This allows individual, trusted users to assume a higher privilege for performing limited administration functions, and can be used to partition root privileges among a group of administrators.

Minimizes the chance that any user will go beyond their realm of expertise and inadvertently or intentionally make a change that results in a system failure or breach of security.

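As an added example (not code from the page or from Solaris), the following POSIX sh script shows how the partitioning of root privileges described above is expressed in the RBAC databases: it resolves a role's rights profiles, including nested ones, down to the commands and effective IDs the role is granted. The user_attr, prof_attr and exec_attr contents are constructed samples written to a scratch directory.

```shell
#!/bin/sh
# Added example: resolve the privileged commands a Solaris 9 RBAC role is
# granted by walking the same files the system uses: user_attr(4) for users
# and roles, prof_attr(4) for rights profiles (which can nest through a
# profiles= attribute) and exec_attr(4) for the commands and the IDs they
# run as. The three files below are constructed samples.
RBAC=${TMPDIR:-/tmp}/rbac_example.$$; mkdir -p "$RBAC"
cat > "$RBAC/user_attr" <<'EOF'
alice::::type=normal;roles=sysadm
sysadm::::type=role;profiles=Printer Management,Audit Review
EOF
cat > "$RBAC/prof_attr" <<'EOF'
Printer Management:::Manage printers:help=RtPrntAdmin.html
Audit Review:::Review audit trails:profiles=Audit Control;help=RtAuditReview.html
Audit Control:::Configure auditing:help=RtAuditCtrl.html
EOF
cat > "$RBAC/exec_attr" <<'EOF'
Printer Management:suser:cmd:::/usr/sbin/lpadmin:euid=lp
Audit Review:suser:cmd:::/usr/sbin/praudit:euid=0
Audit Control:suser:cmd:::/usr/sbin/audit:euid=0
EOF
# attr_value "k1=v1;k2=v2" KEY: print the value stored under KEY
attr_value() {
  printf '%s\n' "$1" | tr ';' '\n' | awk -F= -v k="$2" '$1 == k { print $2 }'
}
# attr field (5) of the user_attr entry for a user or role
user_attrs()  { awk -F: -v n="$1" '$1 == n { print $5 }' "$RBAC/user_attr"; }
roles_of()    { attr_value "$(user_attrs "$1")" roles; }
profiles_of() { attr_value "$(user_attrs "$1")" profiles; }
# expand_profiles "A,B": one profile per line, following profiles= nesting
# in prof_attr depth-first (a cycle between profiles would recurse forever)
expand_profiles() {
  oldifs=$IFS; IFS=','; set -- $1; IFS=$oldifs
  for p in "$@"; do
    printf '%s\n' "$p"
    nested=$(attr_value "$(awk -F: -v n="$p" '$1 == n { print $5 }' "$RBAC/prof_attr")" profiles)
    if [ -n "$nested" ]; then expand_profiles "$nested"; fi
  done
}
# role_commands ROLE: "path attrs" for every cmd entry reachable from ROLE
role_commands() {
  expand_profiles "$(profiles_of "$1")" | while IFS= read -r prof; do
    awk -F: -v n="$prof" '$1 == n && $3 == "cmd" {
      out = $6; if (length($7)) out = out " " $7; print out }' "$RBAC/exec_attr"
  done
}
```

For the sample data, `role_commands sysadm` lists lpadmin running as lp and the two audit commands running as uid 0, while alice herself holds no profiles and only reaches them by assuming the sysadm role.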
Generic Security Services Application Programming Interface (GSS-API)

GSS-API is a security framework that enables applications to protect the data they transmit.

Provides authentication, integrity, and confidentiality services to applications.

Smart Card Support

The Solaris Smart Card feature implements the Open Card Framework (OCF) 1.1 standard.

Security administrators can use this technology to protect a computer desktop or individual application by requiring users to authenticate themselves by means of a smart card.