New Approaches to Making Solaris More Secure
Rich Teer
When it comes to systems (or network) security, a little paranoia is a Good Thing. Some people like to secure their networks on a system-by-system basis, while others are content to install their OSes with the default settings, trusting their firewall to keep the Bad Guys at bay. Being the paranoid type, I prefer to use a multi-tiered approach to security. Judicious firewall and/or router settings help keep the Bad Guys out of the network (or at the very least, restrict what type of traffic they can employ), and tightening up the security on the individual hosts in the network will limit what damage they can do should they get past the outer defenses.
Setting up firewalls and routers is beyond the scope of this article, but I intend to show you how to tighten up the security of your Solaris boxes, using a couple of scripts I wrote to help automate the process. Before we go into the process of tightening up our systems, we need to get the foundation right.
Install the OS
The first step is to install the latest possible release of Solaris that your hardware will support. Later releases of Solaris are generally more secure and better performing (not to mention more feature-rich) than the earlier ones. For this article, I'll be using Solaris 7.
Until your system is secure, you should isolate it from any untrusted network. It should not be on any publicly accessible network until we're finished. If this precaution isn't taken, there's a chance that someone could break into it, possibly installing trojan horses, thereby rendering the whole exercise futile! To copy the scripts and their associated files to the target machine, you should attach a tape drive to the new system, and restore the files from a tape you created on a trusted machine. Or, you could use a trusted LAN to transfer the files.
A golden rule of system security is "the fewer services your system is running, the fewer potential vulnerabilities it has".