
Solaris: Network Settings for Security

Information Systems and Technology
University of Waterloo
29-Jun-2000

Synopsis

In the Sun BluePrints OnLine paper Solaris Operating Environment Network Settings for Security (December 1999), Keith Watson and Alex Noordergraaf give an in-depth discussion of network settings, exploits and configuration choices for Solaris. They provide an nddconfig shell script for integration into the Solaris boot sequence that hardens a number of network parameters to better protect your system from various attacks. We recommend that configuration.

Discussion

There are lots of nasty tricks to make life difficult for systems on the Internet. Watson and Noordergraaf's paper provides an in-depth analysis of many attacks and is well worth reading -- if you have the time. For those who are after a capsule summary, here are a few examples:

  • The ping(1) command is used to test network connectivity -- it sends a short message to a system which echoes it back to the sender. The "Ping of Death" attack requires that the target machine echo the ping back to everyone. Protecting against that attack on current Solaris systems is a simple ndd(1) configuration option.

  • A popular denial of service attack is to flood your system with "half-open" connections. While you can't eliminate the vulnerability, a simple ndd(1) configuration setting can reduce the risk.

You may recall that there was quite a fuss in the Spring of 2000 when several denial of service attacks were launched against several major web sites. The configuration settings Watson and Noordergraaf recommend go a long way towards helping Solaris systems survive such attacks.

Recommendation

The configuration supplied in the nddconfig shell script works well on the few systems where we've installed it. We would encourage all Solaris sites to install as per the instructions in the script:

  • Copy this script to /etc/init.d and name it 'nddconfig'.
  • Create a hard link to /etc/init.d/nddconfig in /etc/rc2.d named 'S70nddconfig'.
  • Run the script as nddconfig start to make the settings effective immediately.

Some sites may wish to tailor the settings for their local needs. We've carefully read the script and see no reason to do so.
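
The three installation steps above as a shell function, with a check that the rc2.d entry really is a hard link and that the boot script is not writable by group or other. This is an added example, not part of the nddconfig script or the BluePrints paper; the function names, the ROOT staging prefix and the 744 mode are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the nddconfig script or the BluePrints paper).
# ROOT is a hypothetical staging prefix; leave it empty on a live system.
# Mode 744 is an assumption: the script runs as root at boot, so only
# the owner should be able to modify it.

inode_of() { ls -i "$1" | awk '{print $1}'; }

# verify_nddconfig [ROOT]: 0 = ok, 1 = file missing,
# 2 = rc2.d entry is not a hard link, 3 = group/other can write
verify_nddconfig() {
    root=${1:-}
    initd="$root/etc/init.d/nddconfig"
    rclink="$root/etc/rc2.d/S70nddconfig"
    [ -f "$initd" ] && [ -f "$rclink" ] || return 1
    [ "$(inode_of "$initd")" = "$(inode_of "$rclink")" ] || return 2
    # Columns 6 and 9 of the ls -l mode string are the group/other write bits.
    [ "$(ls -l "$initd" | cut -c6,9)" = "--" ] || return 3
}

# install_nddconfig SRC [ROOT]
install_nddconfig() {
    src=$1
    root=${2:-}
    initd="$root/etc/init.d/nddconfig"
    rclink="$root/etc/rc2.d/S70nddconfig"
    [ -f "$src" ] || { echo "no such script: $src" >&2; return 1; }

    # Step 1: copy into /etc/init.d as 'nddconfig'.
    cp "$src" "$initd" || return 1
    chmod 744 "$initd" || return 1

    # Step 2: hard link in /etc/rc2.d, replacing any stale entry.
    rm -f "$rclink"
    ln "$initd" "$rclink" || return 1

    verify_nddconfig "$root" || return $?

    # Step 3: apply the settings now (live system only, i.e. empty ROOT).
    [ -n "$root" ] || "$initd" start
}
```

On a live system, run `install_nddconfig ./nddconfig` as root; `verify_nddconfig` can be re-run later to confirm the link and permissions have not drifted.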

Cautions and Beware

The script comes with a warning: "The settings included here are considered safe in terms of security. Some settings may not work in your environment." However, we have been running the configuration exactly as provided on personal Solaris 2.6 workstations for months with no ill effects. We've recently used the same configuration on two "back-room" secure Oracle servers and again we've seen no ill effects.

We are not aware of any problems at all! If you encounter any problems as a result of configuring your system as recommended, we'd like to hear about them, as would the authors of the original paper.

One caution: the script provided isn't a "magic bullet" -- it won't make your network services completely secure. It catches some problems, but no doubt the clever hackers will discover new ones in due course.

(ed) 29-June-2000; Reg Quinton, Information Systems and Technology