User's Manual

Solaris 9 Security CX-310-301
• Kerberos is not a transparent service in the way PAM is, where modules can be plugged in. To use
Kerberos, each service needs to be modified
• The KDC server is a single point of failure and could potentially stop all access to services
if it becomes unavailable
• Kerberos stores all of its encrypted passwords using a single key, so if the server is ever
compromised, ALL passwords must be changed
• The KDC server must be extremely secure and “locked down” because it is a high-priority
target for an attacker
• Kerberos stores its tickets in the /tmp directory, so it is not geared towards multi-user systems.
This leaves the tickets vulnerable to theft and to spoofing of services
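The last point can be checked on a running host. The script below is an added example, not part of the original manual: it audits ticket caches in /tmp, flagging symlinks, modes other than owner-only read/write, and owners that do not match the uid in the file name. It assumes the default cache naming krb5cc_<uid>, optionally followed by _<suffix>; the function name audit_ccaches is hypothetical.

```shell
#!/bin/sh
# Added example: audit Kerberos credential caches in a shared directory.
# Assumption: caches are files named krb5cc_<uid>[_suffix], the usual default.

# audit_ccaches [DIR]
# Prints one finding per line; returns 0 if clean, 1 if anything was flagged.
audit_ccaches() {
    dir=${1:-/tmp}
    rc=0
    for f in "$dir"/krb5cc_*; do
        # An unmatched glob stays literal; skip it, but keep dangling symlinks.
        [ -e "$f" ] || [ -L "$f" ] || continue

        # A symlink here can redirect ticket writes to a path chosen by someone else.
        if [ -L "$f" ]; then
            echo "SYMLINK $f"; rc=1; continue
        fi

        # ls -ln prints: mode links uid gid ... (numeric ids, no name lookups)
        set -- $(ls -lnd "$f")
        mode=$1 owner=$3

        # Only the owner should be able to read or write the cache (0600).
        case $mode in
            -rw-------*) ;;
            *) echo "MODE $f $mode"; rc=1 ;;
        esac

        # The uid embedded in the file name should match the file's owner.
        name=${f##*/}
        id=${name#krb5cc_}
        id=${id%%_*}
        case $id in
            ''|*[!0-9]*) ;;   # non-numeric suffix: no uid to compare
            *) [ "$id" = "$owner" ] || { echo "OWNER $f uid=$owner"; rc=1; } ;;
        esac
    done
    return $rc
}
```

Call it as `audit_ccaches /tmp` from cron or a host audit job and alert on a non-zero exit status.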
Host and Network Prevention
This section is concerned with securing access to the network or system. It describes some basic terms that
you need to be familiar with and shows how to manually restrict the services and functions that the system
is running. It also describes the Solaris Security Toolkit, which allows a system to be secured
automatically.
Fundamentals
This section describes some basic terms used in conjunction with network and host security.
Firewall
The term is derived from the firefighting technique of building a barrier to prevent a fire from spreading. A firewall is
a suite of programs that protects the assets of a private network from users and assets on other networks.
It is usually located at or near the gateway to a company, on the external interface (i.e. the one facing the
Internet). Firewalls are often dedicated appliance systems, like the Cisco PIX firewall, but can also be
software run on a workstation or server, like the Sun Microsystems SunScreen firewall. Examples of firewall
functionality include:
• Packet Filtering – inspects each packet and checks the source and destination addresses
for validity
• Stateful Application Filtering – inspects each packet and decides its validity based on
the actual content of the packet as well as the source and destination addresses. This type of
firewall is much more secure, but requires more resources to handle the processing overhead and is
more likely to affect network response times
• Proxy – where the real address of a host is hidden, or masked, from the outside world. The proxy
function forwards packets on to the “real” internal host