Solaris Operating Environment Network Settings for Security: Updated for Solaris 9 Operating Environment
This article describes network settings available within the Solaris Operating Environment (Solaris OE) and recommends how to adjust network settings to strengthen the security posture of Solaris OE systems.
Various trade-offs must be made when enhancing Solaris OE security. A balance is needed between system manageability and security. Not all network security configurations mentioned in this article can be used in all environments. When changing a particular network setting adversely affects the default system operation, the side effects are described.
This article does not discuss high-level network security. High-level network security involves configuring inetd, NFS, NIS/NIS+, RPC, DNS, and other application-level services. That topic is addressed in the Sun BluePrints OnLine article, "Solaris Operating Environment Security: Updated for the Solaris 9 Operating Environment" published in July, 2002.
The information in this article is applicable to Solaris 2.5.1, 2.6, 7, 8 and 9 OE releases. Some evaluation is necessary prior to using the settings in this article with other Solaris OE releases.
Applying most of these network security settings requires planning and testing, but the settings should be applicable to most computing environments. Being aware of the known network attacks will hopefully provide the needed leverage to apply beneficial changes.
A free and publicly available security tool called the Solaris Security Toolkit (also known as JASS) can assist in configuring these network changes and other security-related processes. Many Sun customer sites use this toolkit to configure security on their Sun systems. Additional information about this toolkit can be found at: http://www.sun.com/security/jass/.
The ndd Command
Several of the network settings discussed in this article are configured using the ndd command. It is used to examine and set kernel module parameters, namely those of the Transmission Control Protocol/Internet Protocol (TCP/IP) drivers. Most kernel parameters accessible through ndd can be modified without rebooting the system. To see which parameters are available, use the following ndd commands:
# ndd /dev/arp \?
# ndd /dev/icmp \?
# ndd /dev/ip \?
# ndd /dev/tcp \?
# ndd /dev/udp \?
These commands list the parameters for the Address Resolution Protocol (ARP), Internet Control Message Protocol (ICMP), IP, TCP, and User Datagram Protocol (UDP) drivers. In this updated BluePrint OnLine article, the various drivers are listed in alphabetic order.
The Solaris 8 and 9 OE releases include support for the next version of the Internet Protocol suite (IPv6) and the Internet Protocol Security architecture (IPsec). These have additional drivers. A list of parameters for these drivers can be found with the following commands:
# ndd /dev/ip6 \?
# ndd /dev/icmp6 \?
# ndd /dev/tcp6 \?
# ndd /dev/udp6 \?
# ndd /dev/ipsecesp \?
# ndd /dev/ipsecah \?
The IPv6 parameters for the ICMP, IP, TCP, and UDP drivers are also listed in the standard (IPv4) parameter lists. This article does not discuss IPsec, but the parameters are listed here for completeness. Neither IPv6 nor IPsec is supported in any Solaris OE release earlier than Solaris 8 OE.
There are also network interface device drivers with parameters that can be adjusted using the ndd command. The following command will list the parameters for the hme (FastEthernet) device driver:
# ndd /dev/hme \?
The "\?" string is required to prevent the shell from interpreting the "?" as a wildcard character. Using "\?" will list all parameters for the driver and indicate whether each parameter is read only, write only, or read and write. The current parameter value or status information can be read by specifying the driver and parameter names.
This example shows the output of an ndd command examining the debugging status of the ARP driver. (The output "0" indicates that the option is disabled.)
# ndd /dev/arp arp_debug
0
ndd-specified parameter values are integers with "0" meaning disable, "1" meaning enable, or a large integer to set a time or size value. Setting parameters requires the "-set" option, the driver name, the parameter name, and the new value. For example, to enable debugging mode in the ARP driver use this ndd command:
# ndd -set /dev/arp arp_debug 1
Notes on Parameter Changes
Previously, only some ndd parameter documentation was available from Sun; this was a known problem. Since the release of the Solaris 8 OE, selected tunable TCP/IP parameters are documented in the Solaris Tunable Parameters Reference Manual, which is available on the docs.sun.com web site. Most of the parameter information for the Solaris 9 OE is also applicable to previous releases.
Network parameters set with the ndd command apply only to the currently running Solaris instance; parameter changes do not persist across system reboots. After a reboot, the default parameters are used again. To provide a simple method of setting the ndd network parameters mentioned in this article at Solaris boot time, a system init script has been created and is described in "Sample System nddconfig init Script."
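The following shell helpers are an added example, not code from the article or from the Solaris Security Toolkit. They show the two mechanics described above in boot-script form: reading the "\?" listing to find which parameters are settable, and applying a value only when the running value differs, so an nddconfig-style script can be re-run safely. The NDD variable and the stand-in command path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the article or the JASS toolkit): helpers for an
# nddconfig-style boot script. NDD can be overridden so the logic can be
# exercised with a stand-in command on a non-Solaris host (assumption).
NDD=${NDD:-/usr/sbin/ndd}

# Read "ndd <driver> \?" output on stdin and print the names of parameters
# that can be set (read and write, or write only). The "?" entry is skipped.
writable_params() {
    awk '$1 != "?" && /\((read and write|write only)\)/ { print $1 }'
}

# Apply one parameter change only when the running value differs.
# Returns 0 if the value is already set or was set now, 2 if the parameter
# could not be read (for example, unknown on this release), 1 if -set failed.
ndd_set_if_needed() {
    drv=$1 param=$2 want=$3
    if ! cur=$("$NDD" "$drv" "$param" 2>/dev/null); then
        echo "skip $drv $param: not readable on this system"
        return 2
    fi
    if [ "$cur" = "$want" ]; then
        echo "ok   $drv $param is already $want"
        return 0
    fi
    if "$NDD" -set "$drv" "$param" "$want"; then
        echo "set  $drv $param $cur -> $want"
    else
        echo "fail $drv $param: could not set to $want" >&2
        return 1
    fi
}

# Sample usage with the article's own example parameter (run as root on Solaris):
# ndd_set_if_needed /dev/arp arp_debug 1
```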
Setting driver parameters involves making trade-offs. Most parameters involve changing the default Solaris OE configuration. The default settings are optimal for most situations. Adjusting parameters might affect normal system operation, so Sun does not encourage parameter changes.
All ndd parameter changes suggested in this article include a discussion of trade-offs, where appropriate. Some settings change the expected operation of systems; these are noted. Most of these recommended parameter changes are being actively used on production systems at customer sites.
Sun sometimes renames parameters or adds parameters between releases of the Solaris OE. Most of the IPv4 parameters described in this article are used consistently across Solaris OE releases. Where there are exceptions, the text for the parameter specifically mentions the OE differences.
Ultimately, you must decide which settings are appropriate for a specific computing environment.