Securing the Sun Fire Midframe System Controller
This article provides recommendations on how to securely deploy the Sun Fire_ midframe system controller (SC). These recommendations apply to environments where security is a concern, particularly environments where the uptime requirements of the SC and/or the information on the Sun Fire server is critical to the organization.
Many issues are involved in securing the Sun Fire SC. The most significant is its use of insecure administrative protocols. In addition, it is sensitive to some types of network-based attacks such as Denial of Service (DoS) attacks.
The recommendations in this article include building a separate and private SC network, to which the insecure protocols required to manage an SC are restricted. A midframe service processor (MSP) is the secure gateway into the private SC network. A detailed, supported, and secured MSP configuration is described.
This article contains the following topics:
"Securing the System Controller"
"Building a Secure MSP"
"Backing Up, Restoring, and Updating the SC"
"Resetting a Platform Administrator's Lost Password"
"Verifying Hardening Results"
This Sun BluePrints OnLine article is updated for the Solaris_ 8 (2/02) Operating Environment, version 5.13.0 of the SC application, and version 23 of the SC Real Time Operating System (RTOS). The recommendations in this article should apply to all SC application 5.13 releases.
The main changes are in the SC:
The peek and poke commands available in the interactive SC power on self test (SCPOST) facility can now be disabled by a write-protect jumper on the SC board.
The Telnet service can be disabled. If it is enabled, then a session idle timeout can be set.
The showplatform and showdomain commands now indicate the syslog facility.
BugId 4417940, which affected the operation of setkeyswitch secure mode, was fixed.
Network ports 68, 111, and 1024 are disabled on the SC.
Support for SC failover is introduced.
Support for Simple Network Time Protocol (SNTP) is introduced to the SC.