Planning Network Security

Starting with the Solaris 10 11/06 release, you have the option during an initial installation to change the network security settings so that all network services, except Secure Shell, are disabled or restricted to respond to local requests only. This option minimizes the potential vulnerabilities a remote attacker might try to exploit. In addition, this option provides a base for customers to enable only the services they require. This security option is only available during an initial installation, not during an upgrade. An upgrade maintains any set services that were previously set. If necessary, you can restrict network services after an upgrade by using the netservices command.

Depending on the installation program you are using, you can select to restrict network services or keep the services enabled by default:

For the Solaris interactive installation, you can select the option of enabling network services by default as in previous Solaris releases. Or, you can select the option to restrict network services. For a detailed description of hands-on installations, see Chapter 2, Installing With the Solaris Installation Program (Tasks), in Solaris 10 11/06 Installation Guide: Basic Installations.
For an automated JumpStart installation, you can set this security restriction by using a new keyword, service_profile in the sysidcfg file. For further information about this keyword, see service_profile Keyword in Solaris 10 11/06 Installation Guide: Network-Based Installations.

Restricted Security Specifics

If you choose to restrict network security, numerous services are fully disabled. Other services are still enabled, but these services are restricted to local connections only. The Secure Shell remains fully enabled.

For example, the following table lists network services that, for the Solaris 10 11/06 release, are restricted to local connections.

Table 3–3 Solaris 10 11/06 SMF Restricted Services


Service	FMRI	Property
rpcbind	`svc:/network/rpc/bind`	`config/local_only`
syslogd	`svc:/system/system-log`	`config/log_from_remote`
sendmail	`svc:/network/smtp:sendmail`	`config/local_only`
smcwebserver	`svc:/system/webconsole:console`	`options/tcp_listen`
WBEM	`svc:/application/management/wbem`	`options/tcp_listen`
X server	`svc:/application/x11/x11-server`	`options/tcp_listen`
dtlogin	`svc:/application/graphical-login/cde-login`	`dtlogin/args`
ToolTalk	`svc:/network/rpccde-ttdbserver:tcp`	`proto=ticotsord`
dtcm	`svc:/network/rpccde-calendar-manager`	`proto=ticits`
BSD print	`svc:/application/print/rfc1179:default`	`bind_addr=localhost`

Revising Security Settings After Installation

With the restricted network security feature, all of the affected services are controlled by the Service Management Framework (SMF). Any individual network service can be enabled after an initial installation by using the svcadm and svccfg commands.

The restricted network access is achieved by invoking the netservices command from the SMF upgrade file found in /var/svc/profile. The netservices command can be used to switch the service startup behavior.

To disable network services manually, run the following command:

# netservices limited

This command can be used on upgraded systems, where no changes are made by default. This command can also be used to re-establish the restricted state after enabling individual services.

Similarly, default services can be enabled as they were in previous Solaris releases by running the following command:

# netservices open

For further information about revising security settings, see How to Create an SMF Profile in System Administration Guide: Basic Administration. See also the following man pages.

netservices(1M)
svcadm(1M)
svccfg(1M) commands.