Securing Sun Fire 15K Domains
The Sun Fire™ 15K server is the largest Sun server ever sold and will be used in a wide variety of projects and deployments from server-consolidation projects in financial institutions to extremely sensitive data-storage applications at government agencies. These deployments of Sun Fire 15K servers require that systems be secured against unauthorized access and misuse by malicious individuals.
Sun Fire 15K domains introduce a new variable to Solaris™ Operating Environment (Solaris OE) systems with platform-specific software components (for example, daemons) and services. These platform-specific software components impact the processes and procedures which must be used to secure the Solaris OE configuration running on the Sun Fire 15K domains. To properly secure a Sun Fire 15K domain, you must understand the impact of these new software components and have access to a well-documented and well-supported configuration to identify which modifications are appropriate and which are not.
This Sun BluePrints™ OnLine article documents all of the security modifications that can be performed on a Sun Fire 15K domain without affecting its behavior. The configuration described in this article, which includes all of the permitted security modifications, may not be appropriate for Sun Fire 15K domains with applications that require these disabled services. While configurations that do not use all of the security modifications in this article are acceptable, you should carefully evaluate services that are not disabled to ensure that they are absolutely required and that they are carefully protected against misuse.
This article focuses on Sun Fire 15K domain-specific software. While the configuration documented by this article performs generic Solaris OE hardening tasks, references to Sun BluePrints OnLine articles that provide more detailed information are provided, when necessary.
In addition, the article provides information about simplifying the installation and deployment of hardened Sun Fire 15K domains by automating security modifications with the Solaris Security Toolkit software. A Sun Fire 15K domain-specific driver for use with the toolkit is being released in parallel with this article, enabling you to implement all of the Solaris OE modifications possible on a Sun Fire 15K domain.
This Sun BluePrints article is the second in a series of Sun BluePrints articles that will provide specific recommendations for enhancing the security of a Sun Fire 15K server. The first article in this series, "Securing the Sun Fire™ 15K System Controller," was published in November 2001. This article, as well as the Sun BluePrints OnLine articles it references, are available in electronic format from Sun BluePrints OnLine at http://www.sun.com/security/blueprints
The goal of this Sun BluePrints OnLine article is to provide a baseline security configuration for Sun Fire 15K domains by describing all of the possible security modifications. After reading about the Sun tested and Sun supported configuration presented in this article, you will understand how the configuration of a secured Sun Fire 15K domain differs from the secured configurations of other Sun servers.
A Solaris OE configuration hardened to the degree described in this article may not be appropriate for all environments. When installing and hardening a specific Solaris OE instance, you can perform fewer hardening operations than are recommended. For example, if your environment requires Network File System (NFS)-based services, you can leave them enabled. However, hardening beyond that which is presented in this article should not be performed and is neither recommended, nor supported.
Standard security rules apply to hardening Sun Fire 15K domains: That which is not specifically permitted is denied.