Securing Solaris

Installing only the Core packages in Solaris is recommended because minimizing the amount of software on the system minimizes the potential security holes. If you require a GUI on your Solaris platform, need additional functionality, or are new to Solaris, you might consider the End User installation, though it adds over 100 additional packages, exposing your system to far greater risk. I strongly discourage you from using anything but Core.

Partitioning Your Drive

During the initial installation, you will be asked to partition the hard drive. Here's a recommended approach:

  • / (root filesystem): everything else not listed below

  • swap: the greater of 256MB or double the amount of RAM

  • /var: 400MB

  • /var/opt/CPfw1-50: 15GB or a different drive entirely

  • /usr: 500MB (optional, if you want a separate read-only partition)

The /var/opt/CPfw1-50 partition is where FireWall-1 log files are typically stored. Thus you should put this on a separate partition or on a rather large partition on the disk.

Patching Your Installation

Once the system has rebooted after the installation, be sure to install the Recommended Patch Cluster from Sun. Also, FireWall-1 NG requires two additional patches that are not part of the cluster, specifically 108434-02 and 108435-02. You can download patches from http://sunsolve.sun.com.

Minimal Packages for SPARC Solaris 2.8

A core installation on Solaris 2.8 installs the following packages.

system  SUNWadmr    System & Network Administration Root
system  SUNWatfsr   AutoFS, (Root)
system  SUNWatfsu   AutoFS, (Usr)
system  SUNWauda    Audio Applications
system  SUNWaudd    Audio Drivers
system  SUNWauddx   Audio Drivers (64-bit)
system  SUNWcar     Core Architecture, (Root)
system  SUNWcarx    Core Architecture, (Root) (64-bit)
system  SUNWcg6     GX (cg6) Device Driver
system  SUNWcg6x    GX (cg6) Device Driver (64-bit)
system  SUNWcsd     Core Solaris Devices
system  SUNWcsl     Core Solaris, (Shared Libs)
system  SUNWcslx    Core Solaris Libraries (64-bit)
system  SUNWcsr     Core Solaris, (Root)
system  SUNWcsu     Core Solaris, (Usr)
system  SUNWcsxu    Core Solaris (Usr) (64-bit)
system  SUNWdfb     Dumb Frame Buffer Device Drivers
system  SUNWdtcor   Solaris Desktop /usr/dt filesystem anchor
system  SUNWeridx   Sun RIO 10/100 Mb Ethernet Drivers (64-bit)
system  SUNWesu     Extended System Utilities
system  SUNWfcip    Sun FCIP IP/ARP over FibreChannel Device Driver
system  SUNWfcipx   Sun FCIP IP/ARP over FibreChannel Dev Drvr (64-bit)
system  SUNWfcp     Sun FCP SCSI Device Driver
system  SUNWfcpx    Sun FCP SCSI Device Driver (64-bit)
system  SUNWfctl    Sun Fibre Channel Transport layer
system  SUNWfctlx   Sun Fibre Channel Transport layer (64-bit)
system  SUNWftpr    FTP Server, (Root)
system  SUNWftpu    FTP Server, (Usr)
system  SUNWged     Sun Gigabit Ethernet Adapter Driver
system  SUNWhmd     SunSwift SBus Adapter Drivers
system  SUNWhmdx    SunSwift SBus Adapter Drivers (64-bit)
system  SUNWi15cs   X11 ISO8859-15 Codeset Support
system  SUNWi1cs    X11 ISO8859-1 Codeset Support
system  SUNWkey     Keyboard configuration tables
system  SUNWkvm     Core Architecture, (Kvm)
system  SUNWkvmx    Core Architecture (Kvm) (64-bit)
system  SUNWlibms   Sun WorkShop Bundled shared libm
system  SUNWlmsx    Sun WorkShop Bundled 64-bit shared libm
system  SUNWloc     System Localization
system  SUNWlocx    System Localization (64-bit)
system  SUNWluxdx   Sun Enterprise Network Array sf Device Drvr (64-bit)
system  SUNWluxop   Sun Enterprise Network Array firmware and utilities
system  SUNWluxox   Sun Enterprise Network Array libraries (64-bit)
system  SUNWm64     M64 Graphics System Software/Device Driver
system  SUNWm64x    M64 Graphics System Software/Device Driver (64-bit)
system  SUNWmdi     Sun Multipath I/O Drivers
system  SUNWmdix    Sun Multipath I/O Drivers (64-bit)
system  SUNWnamos   Northern America OS Support
system  SUNWnamow   Northern America OW Support
system  SUNWnisr    Network Information System, (Root)
system  SUNWnisu    Network Information System, (Usr)
system  SUNWpcelx   3COM EtherLink III PCMCIA Ethernet Driver
system  SUNWpcmci   PCMCIA Card Services, (Root)
system  SUNWpcmcu   PCMCIA Card Services, (Usr)
system  SUNWpcmcx   PCMCIA Card Services (64-bit)
system  SUNWpcmem   PCMCIA memory card driver
system  SUNWpcser   PCMCIA serial card driver
system  SUNWpd      PCI Drivers
system  SUNWpdx     PCI Drivers (64-bit)
system  SUNWpl5u    Perl 5.005_03
system  SUNWpsdpr   PCMCIA ATA card driver
system  SUNWqfed    Sun Quad FastEthernet Adapter Driver
system  SUNWqfedx   Sun Quad FastEthernet Adapter Driver (64-bit)
system  SUNWrmodu   Realmode Modules, (Usr)
system  SUNWses     SCSI Enclosure Services Device Driver
system  SUNWsesx    SCSI Enclosure Services Device Driver (64-bit)
system  SUNWsndmr   Sendmail root
system  SUNWsndmu   Sendmail user
system  SUNWsolnm   Solaris Naming Enabler
system  SUNWssad    SPARCstorage Array Drivers
system  SUNWssadx   SPARCstorage Array Drivers (64-bit)
system  SUNWswmt    Install and Patch Utilities
system  SUNWtleux   Thai Language Environment user files (64-bit)
system  SUNWudf     Universal Disk Format 1.50, (Usr)
system  SUNWudfr    Universal Disk Format 1.50
system  SUNWudfrx   Universal Disk Format 1.50 (64-bit)
system  SUNWusb     USB Device Drivers
system  SUNWusbx    USB Device Drivers (64-bit)
system  SUNWwsr2    Solaris Product Registry & Web Start runtime support
system  SUNWxwdv    X Windows System Window Drivers
system  SUNWxwdvx   X Windows System Window Drivers (64-bit)
system  SUNWxwmod   OpenWindows kernel modules
system  SUNWxwmox   X Window System kernel modules (64-bit)

Of these 83 packages, the following 58 are not needed for FireWall-1 and can be removed with the pkgrm command. Don't worry about dependency errors, because you are also removing the dependencies. Note that on Sun Blade 100 and Sun Blade 1000 platforms, you should not remove the two USB-related packages (SUNWusb and SUNWusbx).

system  SUNWadmr    System & Network Administration Root
system  SUNWatfsr   AutoFS, (Root)
system  SUNWatfsu   AutoFS, (Usr)
system  SUNWauda    Audio Applications
system  SUNWaudd    Audio Drivers
system  SUNWauddx   Audio Drivers (64-bit)
system  SUNWcg6     GX (cg6) Device Driver
system  SUNWcg6x    GX (cg6) Device Driver (64-bit)
system  SUNWdfb     Dumb Frame Buffer Device Drivers
system  SUNWdtcor   Solaris Desktop /usr/dt filesystem anchor
system  SUNWfcip    Sun FCIP IP/ARP over FibreChannel Device Driver
system  SUNWfcipx   Sun FCIP IP/ARP over FibreChannel Dev Drvr (64-bit)
system  SUNWfcp     Sun FCP SCSI Device Driver
system  SUNWfcpx    Sun FCP SCSI Device Driver (64-bit)
system  SUNWfctl    Sun Fibre Channel Transport layer
system  SUNWfctlx   Sun Fibre Channel Transport layer (64-bit)
system  SUNWftpr    FTP Server, (Root)
system  SUNWftpu    FTP Server, (Usr)
system  SUNWi15cs   X11 ISO8859-15 Codeset Support
system  SUNWi1cs    X11 ISO8859-1 Codeset Support
system  SUNWkey     Keyboard configuration tables
system  SUNWluxdx   Sun Enterprise Network Array sf Device Drvr (64-bit)
system  SUNWluxop   Sun Enterprise Network Array firmware and utilities
system  SUNWluxox   Sun Enterprise Network Array libraries (64-bit)
system  SUNWm64     M64 Graphics System Software/Device Driver
system  SUNWm64x    M64 Graphics System Software/Device Driver (64-bit)
system  SUNWmdi     Sun Multipath I/O Drivers
system  SUNWmdix    Sun Multipath I/O Drivers (64-bit)
system  SUNWnamos   Northern America OS Support
system  SUNWnisr    Network Information System, (Root)
system  SUNWnisu    Network Information System, (Usr)
system  SUNWpcelx   3COM EtherLink III PCMCIA Ethernet Driver
system  SUNWpcmci   PCMCIA Card Services, (Root)
system  SUNWpcmcu   PCMCIA Card Services, (Usr)
system  SUNWpcmcx   PCMCIA Card Services (64-bit)
system  SUNWpcmem   PCMCIA memory card driver
system  SUNWpcser   PCMCIA serial card driver
system  SUNWpl5u    Perl 5.005_03
system  SUNWpsdpr   PCMCIA ATA card driver
system  SUNWrmodu   Realmode Modules, (Usr)
system  SUNWses     SCSI Enclosure Services Device Driver
system  SUNWsesx    SCSI Enclosure Services Device Driver (64-bit)
system  SUNWsndmr   Sendmail root
system  SUNWsndmu   Sendmail user
system  SUNWsolnm   Solaris Naming Enabler
system  SUNWssad    SPARCstorage Array Drivers
system  SUNWssadx   SPARCstorage Array Drivers (64-bit)
system  SUNWtleux   Thai Language Environment user files (64-bit)
system  SUNWudf     Universal Disk Format 1.50, (Usr)
system  SUNWudfr    Universal Disk Format 1.50
system  SUNWudfrx   Universal Disk Format 1.50 (64-bit)
system  SUNWusb     USB Device Drivers
system  SUNWusbx    USB Device Drivers (64-bit)
system  SUNWwsr2    Solaris Product Registry & Web Start runtime support
system  SUNWxwdv    X Windows System Window Drivers
system  SUNWxwdvx   X Windows System Window Drivers (64-bit)
system  SUNWxwmod   OpenWindows kernel modules
system  SUNWxwmox   X Window System kernel modules (64-bit)

FireWall-1 NG needs the following 5 packages on top of a Core installation. You may have others you want or need to add based on your requirements, but at a minimum, add these 5 packages.

system  SUNWlibC    Sun Workshop Compilers Bundled libC
system  SUNWlibCx   Sun WorkShop Bundled 64-bit libC
system  SUNWter     Terminal Information
system  SUNWadmc    System administration core libraries
system  SUNWadmfw   System & Network Administration Framework
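The package trimming above (remove the 58 unneeded Core packages, keep the USB drivers on Sun Blade 100/1000, then add the 5 packages FireWall-1 NG needs) is easier to audit when the removal list is computed from the live pkginfo output rather than typed by hand. The script below is an added example, not part of the original text; it works on a constructed pkginfo excerpt, assumes the `uname -i` platform string of a Sun Blade contains "Sun-Blade", and prints the pkgrm/pkgadd commands for review instead of running them (the install media path is a placeholder).

```shell
#!/bin/sh
# Added example (not from the original text): derive the pkgrm list for a
# Core install from pkginfo(1) output and the keep-list the appendix implies,
# honouring the Sun Blade exception, and list the required packages not yet
# installed. Commands are printed for review, never executed.

# Constructed excerpt of `pkginfo` output (category, pkginst, name).
PKGINFO='system  SUNWcsr     Core Solaris, (Root)
system  SUNWcsu     Core Solaris, (Usr)
system  SUNWftpr    FTP Server, (Root)
system  SUNWftpu    FTP Server, (Usr)
system  SUNWsndmr   Sendmail root
system  SUNWter     Terminal Information
system  SUNWusb     USB Device Drivers
system  SUNWusbx    USB Device Drivers (64-bit)'

# The 25 Core packages that survive the removal list in the appendix.
KEEP='SUNWcar SUNWcarx SUNWcsd SUNWcsl SUNWcslx SUNWcsr SUNWcsu SUNWcsxu
SUNWeridx SUNWesu SUNWged SUNWhmd SUNWhmdx SUNWkvm SUNWkvmx SUNWlibms SUNWlmsx
SUNWloc SUNWlocx SUNWnamow SUNWpd SUNWpdx SUNWqfed SUNWqfedx SUNWswmt'

# The 5 packages FireWall-1 NG needs on top of Core.
REQUIRED='SUNWlibC SUNWlibCx SUNWter SUNWadmc SUNWadmfw'

# Print the installed packages in $1 that are neither kept nor required.
# $2 is the platform string from `uname -i`; on Sun Blade 100/1000 (assumed
# to contain "Sun-Blade") the two USB packages are kept, as advised above.
removal_list() {
  keep="$KEEP $REQUIRED"
  case "$2" in *Sun-Blade*) keep="$keep SUNWusb SUNWusbx" ;; esac
  printf '%s\n' "$1" | awk -v keep="$keep" '
    BEGIN { n = split(keep, k); for (i = 1; i <= n; i++) keepset[k[i]] = 1 }
    $1 == "system" && !($2 in keepset) { print $2 }'
}

# Print the required packages that are absent from the pkginfo output $1.
missing_required() {
  printf '%s\n' "$1" | awk -v req="$REQUIRED" '
    { have[$2] = 1 }
    END { n = split(req, r); for (i = 1; i <= n; i++) if (!(r[i] in have)) print r[i] }'
}

# Emit a review script: one pkgrm per removable package, then the pkgadd list.
# <install-media> is a placeholder for the Solaris CD or image path.
plan() {
  removal_list "$1" "$2" | sed 's/^/pkgrm /'
  adds=$(missing_required "$1" | tr '\n' ' ')
  if [ -n "$adds" ]; then echo "pkgadd -d <install-media> $adds"; fi
}
```

On a real system, replace the constructed PKGINFO with `pkginfo` output and pass `uname -i` as the platform argument; review the printed plan before running any of it.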

The following are some optional packages you can install if desired. Keep in mind that extra software may introduce extra vulnerabilities that can be exploited.

system  SUNWbash    GNU Bourne-Again shell (bash)
system  SUNWbzip    The bzip compression utility
system  SUNWbzipx   The bzip compression library (64-bit)
system  SUNWgzip    The GNU Zip (gzip) compression utility
system  SUNWzip     The Info-Zip (zip) compression utility
system  SUNWdoc     Documentation Tools
system  SUNWman     On-Line Manual Pages
system  SUNWadmc    System administration core libraries
system  SUNWadmfw   System & Network Administration Framework
system  SUNWntpu    NTP, (Usr)
system  SUNWntpr    NTP, (Root)

# Truss and other troubleshooting tools
system  SUNWtoo     Programming Tools
system  SUNWtoox    Programming Tools (64-bit)

# Snoop sniffing utility (Snort is an optional sniffing utility
# included with the Sun Companion CDROM.)
system  SUNWfns     Federated Naming System
system  SUNWfnsx    Federated Naming System (64-bit)

# To support Secure Shell X Tunneling
system  SUNWxcu4    XCU4 Utilities
system  SUNWxcu4x   XCU4 Utilities (64-bit)
system  SUNWxwplt   X Window System platform software
system  SUNWxwplx   X Window System library software (64-bit)
system  SUNWxwrtl   X Window System & Graphics Runtime Library Links
system  SUNWxwrtx   X Window System Runtime Compat. Package (64-bit)

# To support compiling (not recommended)
system  SUNWsprot   Solaris Bundled tools
system  SUNWhea     SunOS Header Files
system  SUNWtoo     Programming Tools
system  SUNWtoox    Programming Tools (64-bit)
system  SUNWarc     Archive Libraries
system  SUNWarcx    Archive Libraries (64-bit)
system  SUNWbtool   CCS tools bundled with SunOS
system  SFWaconf    autoconf - GNU autoconf
system  SFWamake    automake - GNU automake
system  SFWgcc      gcc - GNU Compiler Collection

Removing Unnecessary Services

Many unnecessary services originate from inetd, which is configured with the file /etc/inetd.conf. You should comment out (i.e., add a comment character, #, at the beginning of the line) every service in this file except for the two lines for Telnet and FTP. If you install SSH on your firewall, you can probably eliminate these two as well.

Next, look at /etc/rc2.d and /etc/rc3.d, which also contain many unneeded services. Table A.1 lists the services that can be disabled. You can simply disable these services by renaming the file from S<whatever> to s<whatever>. This keeps the file in the directory in case you want to run it in the future but prevents Solaris from running the script at boot.

Table A.1. Startup files you can disable in Solaris

Startup File               Description
/etc/rc2.d/S73nfs.client   Used for NFS mounting a system.
/etc/rc2.d/S74autofs       Used for automounting.
/etc/rc2.d/S80lp           Used for printing.
/etc/rc2.d/S88sendmail     Used for listening for incoming mail. You can still send mail without running this.
/etc/rc2.d/S71rpc          Used for the RPC portmapper, which is highly insecure but required if CDE is running.
/etc/rc2.d/S99dtlogin      Used to start CDE.
/etc/rc3.d/S15nfs.server   Used if you want to be an NFS server.
/etc/rc3.d/S76snmpdx       SNMP daemon, not usually necessary.
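The two edits described above (commenting out every inetd.conf service except telnet and ftp, and renaming S<whatever> to s<whatever> in the rc directories) are mechanical enough to script. The block below is an added example, not from the original text; it runs against a copy of the files under an assumed staging directory $ROOT, with a constructed inetd.conf excerpt and empty stand-ins for a few Table A.1 scripts, so the result can be inspected before the same functions are pointed at the real /etc.

```shell
#!/bin/sh
# Added example (not from the original text): comment out every inetd.conf
# service except telnet and ftp, and disable an rc startup file by renaming
# S<name> to s<name>. Everything runs against a copy under $ROOT (an assumed
# staging directory) so it can be checked before touching the real /etc.
ROOT="${ROOT:-$(mktemp -d)}"
mkdir -p "$ROOT/etc/rc2.d" "$ROOT/etc/rc3.d"

# Constructed sample of /etc/inetd.conf (a few entries, not the full file).
cat > "$ROOT/etc/inetd.conf" <<'EOF'
# Internet services database
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
EOF
# Constructed empty stand-ins for three of the startup scripts in Table A.1.
for f in rc2.d/S73nfs.client rc2.d/S80lp rc3.d/S76snmpdx; do : > "$ROOT/etc/$f"; done

# Prefix "#" to every active service line whose first field is not telnet
# or ftp; existing comments and blank lines pass through unchanged.
harden_inetd() {
  awk '/^#/ || /^$/ { print; next }
       $1 == "telnet" || $1 == "ftp" { print; next }
       { print "#" $0 }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Rename S<name> to s<name>: the script stays on disk but rc no longer runs it.
# Refuses anything that is not an S (start) script.
disable_rc() {
  case "$2" in S*) ;; *) echo "not a start script: $2" >&2; return 1 ;; esac
  mv "$1/$2" "$1/s${2#S}"
}

# Count the service lines still active (neither commented out nor blank).
active_services() {
  grep -v '^#' "$1" | grep -c -v '^$'
}
```

Run `harden_inetd "$ROOT/etc/inetd.conf"` and `disable_rc "$ROOT/etc/rc2.d" S80lp`, then inspect the staged files; `active_services` should report only telnet and ftp remaining.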

Logging and Tweaking

Once you have eliminated as many services as possible, you should enable some logging. Most system logging occurs in /var/adm. You should add two additional log files to that directory: sulog and loginlog. The file /var/adm/sulog logs all su attempts, both successful and failed. This allows you to monitor anyone who attempts to gain root access on your system. The file /var/adm/loginlog logs consecutive failed login attempts. When a user attempts to log in five times, and all five attempts fail, it is logged. To enable this, use the following commands:

# touch /var/adm/loginlog /var/adm/sulog
# chmod 640 /var/adm/loginlog /var/adm/sulog

Tweaking involves some file administration. You first want to create the file /etc/issue. This file is an ASCII text banner that appears for all Telnet logins. You also want to create the file /etc/ftpusers. This file simply contains names of accounts that cannot FTP to the system. It is meant to restrict root and other common system accounts from using FTP.

Ensure that root cannot Telnet to the system. This forces users to log in to the system as themselves and then su to root. This is a system default, but always confirm it in the file /etc/default/login, where the CONSOLE line must be left uncommented.

In addition, eliminate the Telnet OS banner, and create a separate banner for FTP. (It is usually not wise to advertise the operating system.) For Telnet, you can do this by creating the file /etc/default/telnetd and adding the statement:

BANNER=""    # Eliminates the "SunOS 5.x" banner for Telnet

For FTP, you can do this by creating the file /etc/default/ftpd and adding the statement:

BANNER="WARNING: Authorized use only"    # Warning banner for ftp

To protect the operating system itself when FireWall-1 is not running, it is recommended that you install and use TCP Wrappers. TCP Wrappers does not encrypt, but it does log and control who can access your system. It is a binary that wraps itself around inetd services, such as Telnet or FTP. With TCP Wrappers, the system launches the wrapper for inetd connections, logs every attempt, and then verifies the attempt against an access control list. If the connection is permitted, TCP Wrappers hands the connection to the proper binary, such as Telnet. If the connection is rejected by the access control list, the connection is dropped. For more information on TCP Wrappers, visit ftp://ftp.porcupine.org/pub/security/index.html.