Securing Solaris

Installing only the Core packages in Solaris is recommended because minimizing the amount of software on the system minimizes the potential security holes. If you require a GUI on your Solaris platform, need additional functionality, or are new to Solaris, you might consider the End User installation, though it adds over 100 additional packages, exposing your system to far greater risk. I strongly discourage you from using anything but Core.

Partitioning Your Drive

During the initial installation, you will be asked to partition the hard drive. Here's a recommended approach:

  • / (root filesystem): everything else not listed below

  • swap: the greater of 256MB or double the amount of RAM

  • /var: 400MB

  • /var/opt/CPfw1-50: 15GB, or a different drive entirely

  • /usr: 500MB (optional, if you want a separate read-only partition)

The /var/opt/CPfw1-50 partition is where FireWall-1 log files are typically stored, so put it on its own partition or on a rather large partition of the disk; otherwise a burst of logging can fill the root filesystem.

Patching Your Installation

Once the system has rebooted after the installation, be sure to install the Recommended Patch Cluster from Sun. Also, FireWall-1 NG requires two additional patches that are not part of the cluster, specifically 108434-02 and 108435-02. You can download patches from http://sunsolve.sun.com.

Minimal Packages for SPARC Solaris 2.8

A core installation on Solaris 2.8 installs the following packages.

system  SUNWadmr    System & Network Administration Root
system  SUNWatfsr   AutoFS, (Root)
system  SUNWatfsu   AutoFS, (Usr)
system  SUNWauda    Audio Applications
system  SUNWaudd    Audio Drivers
system  SUNWauddx   Audio Drivers (64-bit)
system  SUNWcar     Core Architecture, (Root)
system  SUNWcarx    Core Architecture, (Root) (64-bit)
system  SUNWcg6     GX (cg6) Device Driver
system  SUNWcg6x    GX (cg6) Device Driver (64-bit)
system  SUNWcsd     Core Solaris Devices
system  SUNWcsl     Core Solaris, (Shared Libs)
system  SUNWcslx    Core Solaris Libraries (64-bit)
system  SUNWcsr     Core Solaris, (Root)
system  SUNWcsu     Core Solaris, (Usr)
system  SUNWcsxu    Core Solaris (Usr) (64-bit)
system  SUNWdfb     Dumb Frame Buffer Device Drivers
system  SUNWdtcor   Solaris Desktop /usr/dt filesystem anchor
system  SUNWeridx   Sun RIO 10/100 Mb Ethernet Drivers (64-bit)
system  SUNWesu     Extended System Utilities
system  SUNWfcip    Sun FCIP IP/ARP over FibreChannel Device Driver
system  SUNWfcipx   Sun FCIP IP/ARP over FibreChannel Dev Drvr (64-bit)
system  SUNWfcp     Sun FCP SCSI Device Driver
system  SUNWfcpx    Sun FCP SCSI Device Driver (64-bit)
system  SUNWfctl    Sun Fibre Channel Transport layer
system  SUNWfctlx   Sun Fibre Channel Transport layer (64-bit)
system  SUNWftpr    FTP Server, (Root)
system  SUNWftpu    FTP Server, (Usr)
system  SUNWged     Sun Gigabit Ethernet Adapter Driver
system  SUNWhmd     SunSwift SBus Adapter Drivers
system  SUNWhmdx    SunSwift SBus Adapter Drivers (64-bit)
system  SUNWi15cs   X11 ISO8859-15 Codeset Support
system  SUNWi1cs    X11 ISO8859-1 Codeset Support
system  SUNWkey     Keyboard configuration tables
system  SUNWkvm     Core Architecture, (Kvm)
system  SUNWkvmx    Core Architecture (Kvm) (64-bit)
system  SUNWlibms   Sun WorkShop Bundled shared libm
system  SUNWlmsx    Sun WorkShop Bundled 64-bit shared libm
system  SUNWloc     System Localization
system  SUNWlocx    System Localization (64-bit)
system  SUNWluxdx   Sun Enterprise Network Array sf Device Drvr (64-bit)
system  SUNWluxop   Sun Enterprise Network Array firmware and utilities
system  SUNWluxox   Sun Enterprise Network Array libraries (64-bit)
system  SUNWm64     M64 Graphics System Software/Device Driver
system  SUNWm64x    M64 Graphics System Software/Device Driver (64-bit)
system  SUNWmdi     Sun Multipath I/O Drivers
system  SUNWmdix    Sun Multipath I/O Drivers (64-bit)
system  SUNWnamos   Northern America OS Support
system  SUNWnamow   Northern America OW Support
system  SUNWnisr    Network Information System, (Root)
system  SUNWnisu    Network Information System, (Usr)
system  SUNWpcelx   3COM EtherLink III PCMCIA Ethernet Driver
system  SUNWpcmci   PCMCIA Card Services, (Root)
system  SUNWpcmcu   PCMCIA Card Services, (Usr)
system  SUNWpcmcx   PCMCIA Card Services (64-bit)
system  SUNWpcmem   PCMCIA memory card driver
system  SUNWpcser   PCMCIA serial card driver
system  SUNWpd      PCI Drivers
system  SUNWpdx     PCI Drivers (64-bit)
system  SUNWpl5u    Perl 5.005_03
system  SUNWpsdpr   PCMCIA ATA card driver
system  SUNWqfed    Sun Quad FastEthernet Adapter Driver
system  SUNWqfedx   Sun Quad FastEthernet Adapter Driver (64-bit)
system  SUNWrmodu   Realmode Modules, (Usr)
system  SUNWses     SCSI Enclosure Services Device Driver
system  SUNWsesx    SCSI Enclosure Services Device Driver (64-bit)
system  SUNWsndmr   Sendmail root
system  SUNWsndmu   Sendmail user
system  SUNWsolnm   Solaris Naming Enabler
system  SUNWssad    SPARCstorage Array Drivers
system  SUNWssadx   SPARCstorage Array Drivers (64-bit)
system  SUNWswmt    Install and Patch Utilities
system  SUNWtleux   Thai Language Environment user files (64-bit)
system  SUNWudf     Universal Disk Format 1.50, (Usr)
system  SUNWudfr    Universal Disk Format 1.50
system  SUNWudfrx   Universal Disk Format 1.50 (64-bit)
system  SUNWusb     USB Device Drivers
system  SUNWusbx    USB Device Drivers (64-bit)
system  SUNWwsr2    Solaris Product Registry & Web Start runtime support
system  SUNWxwdv    X Windows System Window Drivers
system  SUNWxwdvx   X Windows System Window Drivers (64-bit)
system  SUNWxwmod   OpenWindows kernel modules
system  SUNWxwmox   X Window System kernel modules (64-bit)

Of these 83 packages, the following 58 are not needed for FireWall-1 and can be removed with the pkgrm command. Don't worry about dependency errors, because you are removing the dependencies as well. Note that on Sun Blade 100 and Sun Blade 1000 platforms you should not remove the two USB-related packages (SUNWusb and SUNWusbx).

system  SUNWadmr    System & Network Administration Root
system  SUNWatfsr   AutoFS, (Root)
system  SUNWatfsu   AutoFS, (Usr)
system  SUNWauda    Audio Applications
system  SUNWaudd    Audio Drivers
system  SUNWauddx   Audio Drivers (64-bit)
system  SUNWcg6     GX (cg6) Device Driver
system  SUNWcg6x    GX (cg6) Device Driver (64-bit)
system  SUNWdfb     Dumb Frame Buffer Device Drivers
system  SUNWdtcor   Solaris Desktop /usr/dt filesystem anchor
system  SUNWfcip    Sun FCIP IP/ARP over FibreChannel Device Driver
system  SUNWfcipx   Sun FCIP IP/ARP over FibreChannel Dev Drvr (64-bit)
system  SUNWfcp     Sun FCP SCSI Device Driver
system  SUNWfcpx    Sun FCP SCSI Device Driver (64-bit)
system  SUNWfctl    Sun Fibre Channel Transport layer
system  SUNWfctlx   Sun Fibre Channel Transport layer (64-bit)
system  SUNWftpr    FTP Server, (Root)
system  SUNWftpu    FTP Server, (Usr)
system  SUNWi15cs   X11 ISO8859-15 Codeset Support
system  SUNWi1cs    X11 ISO8859-1 Codeset Support
system  SUNWkey     Keyboard configuration tables
system  SUNWluxdx   Sun Enterprise Network Array sf Device Drvr (64-bit)
system  SUNWluxop   Sun Enterprise Network Array firmware and utilities
system  SUNWluxox   Sun Enterprise Network Array libraries (64-bit)
system  SUNWm64     M64 Graphics System Software/Device Driver
system  SUNWm64x    M64 Graphics System Software/Device Driver (64-bit)
system  SUNWmdi     Sun Multipath I/O Drivers
system  SUNWmdix    Sun Multipath I/O Drivers (64-bit)
system  SUNWnamos   Northern America OS Support
system  SUNWnisr    Network Information System, (Root)
system  SUNWnisu    Network Information System, (Usr)
system  SUNWpcelx   3COM EtherLink III PCMCIA Ethernet Driver
system  SUNWpcmci   PCMCIA Card Services, (Root)
system  SUNWpcmcu   PCMCIA Card Services, (Usr)
system  SUNWpcmcx   PCMCIA Card Services (64-bit)
system  SUNWpcmem   PCMCIA memory card driver
system  SUNWpcser   PCMCIA serial card driver
system  SUNWpl5u    Perl 5.005_03
system  SUNWpsdpr   PCMCIA ATA card driver
system  SUNWrmodu   Realmode Modules, (Usr)
system  SUNWses     SCSI Enclosure Services Device Driver
system  SUNWsesx    SCSI Enclosure Services Device Driver (64-bit)
system  SUNWsndmr   Sendmail root
system  SUNWsndmu   Sendmail user
system  SUNWsolnm   Solaris Naming Enabler
system  SUNWssad    SPARCstorage Array Drivers
system  SUNWssadx   SPARCstorage Array Drivers (64-bit)
system  SUNWtleux   Thai Language Environment user files (64-bit)
system  SUNWudf     Universal Disk Format 1.50, (Usr)
system  SUNWudfr    Universal Disk Format 1.50
system  SUNWudfrx   Universal Disk Format 1.50 (64-bit)
system  SUNWusb     USB Device Drivers
system  SUNWusbx    USB Device Drivers (64-bit)
system  SUNWwsr2    Solaris Product Registry & Web Start runtime support
system  SUNWxwdv    X Windows System Window Drivers
system  SUNWxwdvx   X Windows System Window Drivers (64-bit)
system  SUNWxwmod   OpenWindows kernel modules
system  SUNWxwmox   X Window System kernel modules (64-bit)

FireWall-1 NG needs the following five packages on top of a Core installation. You may have others you want or need to add based on your requirements, but at a minimum add these five.

system  SUNWlibC    Sun Workshop Compilers Bundled libC
system  SUNWlibCx   Sun WorkShop Bundled 64-bit libC
system  SUNWter     Terminal Information
system  SUNWadmc    System administration core libraries
system  SUNWadmfw   System & Network Administration Framework

The following are some optional packages you can install if desired. Keep in mind that extra software may introduce extra vulnerabilities that can be exploited.

system  SUNWbash    GNU Bourne-Again shell (bash)
system  SUNWbzip    The bzip compression utility
system  SUNWbzipx   The bzip compression library (64-bit)
system  SUNWgzip    The GNU Zip (gzip) compression utility
system  SUNWzip     The Info-Zip (zip) compression utility
system  SUNWdoc     Documentation Tools
system  SUNWman     On-Line Manual Pages
system  SUNWadmc    System administration core libraries
system  SUNWadmfw   System & Network Administration Framework
system  SUNWntpu    NTP, (Usr)
system  SUNWntpr    NTP, (Root)
# Truss and other troubleshooting tools
system  SUNWtoo     Programming Tools
system  SUNWtoox    Programming Tools (64-bit)
# Snoop sniffing utility (Snort is an optional sniffing utility
# included with the Sun Companion CDROM.)
system  SUNWfns     Federated Naming System
system  SUNWfnsx    Federated Naming System (64-bit)
# To support Secure Shell X Tunneling
system  SUNWxcu4    XCU4 Utilities
system  SUNWxcu4x   XCU4 Utilities (64-bit)
system  SUNWxwplt   X Window System platform software
system  SUNWxwplx   X Window System library software (64-bit)
system  SUNWxwrtl   X Window System & Graphics Runtime Library Links
system  SUNWxwrtx   X Window System Runtime Compat. Package (64-bit)
# To support compiling (not recommended)
system  SUNWsprot   Solaris Bundled tools
system  SUNWhea     SunOS Header Files
system  SUNWtoo     Programming Tools
system  SUNWtoox    Programming Tools (64-bit)
system  SUNWarc     Archive Libraries
system  SUNWarcx    Archive Libraries (64-bit)
system  SUNWbtool   CCS tools bundled with SunOS
system  SFWaconf    autoconf - GNU autoconf
system  SFWamake    automake - GNU automake
system  SFWgcc      gcc - GNU Compiler Collection

Removing Unnecessary Services

Many unnecessary services originate from inetd, which is configured with the file /etc/inetd.conf. You should comment out (i.e., add a comment character, #, at the beginning of the line) every service in this file except for the two lines for Telnet and FTP. If you install SSH on your firewall, you can probably eliminate these two as well.

Next, look at /etc/rc2.d and /etc/rc3.d, which also contain many unneeded services. Table A.1 lists the services that can be disabled. You can simply disable these services by renaming the file from S<whatever> to s<whatever>. This keeps the file in the directory in case you want to run it in the future but prevents Solaris from starting the file.

Table A.1. Startup files you can disable in Solaris

Startup File                 Description
/etc/rc2.d/S73nfs.client     Used for NFS mounting a system.
/etc/rc2.d/S74autofs         Used for automounting.
/etc/rc2.d/S80lp             Used for printing.
/etc/rc2.d/S88sendmail       Used for listening for incoming mail. You can still send mail without running this.
/etc/rc2.d/S71rpc            Used for RPC Portmapper, which is highly insecure but required if CDE is running.
/etc/rc2.d/S99dtlogin        Used to start CDE.
/etc/rc3.d/S15nfs.server     Used if you want to be an NFS server.
/etc/rc3.d/S76snmpdx         SNMP daemon, not usually necessary.
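The two steps above (commenting out inetd.conf entries and renaming S-scripts to s-scripts) are easy to get wrong by hand on a machine with no console backup, so here is an added example, not from the book, that performs both against a staging copy first. The service names kept and the rc2.d names disabled are the ones from the text and Table A.1; the inetd.conf excerpt and the staging directory are constructed for the demonstration. Point the helpers at /etc/inetd.conf and /etc/rc2.d (as root) once the dry run looks right.

```shell
#!/bin/sh
# Added example (not from the book): helpers for the two hardening steps
# above, run here against a constructed staging copy rather than /etc.

# comment_inetd FILE SERVICE...
# Prefixes '#' to every active line of FILE whose service name (the first
# field, e.g. "finger") is not in the SERVICE list. Blank lines and lines
# that are already comments are copied unchanged.
comment_inetd() {
    inetd_file=$1; shift
    keep=" $* "
    out="$inetd_file.new"
    while IFS= read -r line; do
        case $line in
            ''|'#'*) printf '%s\n' "$line"; continue ;;
        esac
        set -f; set -- $line; set +f      # $1 = service name, no globbing
        case $keep in
            *" $1 "*) printf '%s\n' "$line" ;;
            *)        printf '#%s\n' "$line" ;;
        esac
    done < "$inetd_file" > "$out"
    mv "$out" "$inetd_file"
}

# active_services FILE: prints the service names still enabled in FILE.
active_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | awk '{print $1}'
}

# disable_rc RCDIR NAME...
# Renames RCDIR/S<nn><NAME> to RCDIR/s<nn><NAME>. The rc scripts only run
# files whose names start with a capital S, so the renamed copy stays on
# disk for later but never starts.
disable_rc() {
    rcdir=$1; shift
    for name in "$@"; do
        for script in "$rcdir"/S[0-9][0-9]"$name"; do
            [ -f "$script" ] || continue        # glob matched nothing
            base=${script##*/}
            mv "$script" "$rcdir/s${base#S}"
        done
    done
}

# --- demonstration on a constructed staging area (not the real /etc) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/inetd.conf" <<'EOF'
# constructed excerpt of /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
rlogin  stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
EOF
mkdir "$demo_dir/rc2.d"
for s in S71rpc S72inetsvc S73nfs.client S74autofs S80lp S88sendmail S99dtlogin; do
    : > "$demo_dir/rc2.d/$s"
done
comment_inetd "$demo_dir/inetd.conf" telnet ftp
disable_rc "$demo_dir/rc2.d" rpc nfs.client autofs lp sendmail dtlogin
echo "still active in inetd.conf:"; active_services "$demo_dir/inetd.conf"
echo "rc2.d after renaming (S72inetsvc untouched):"; ls "$demo_dir/rc2.d"
rm -r "$demo_dir"
```

After editing the real /etc/inetd.conf, send inetd a HUP (the book's `ps` and `kill` are not shown here) or reboot so the change takes effect; active_services on the real file is a quick way to confirm that only ftp and telnet remain.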

Logging and Tweaking

Once you have eliminated as many services as possible, you should enable some logging. Most system logging occurs in /var/adm. You should add two additional log files to that directory: sulog and loginlog. The file /var/adm/sulog logs all su attempts, both successful and failed, which lets you monitor anyone who tries to gain root access on your system. The file /var/adm/loginlog logs consecutive failed login attempts: when a user attempts to log in five times and all five attempts fail, it is logged. To enable this, use the following commands:

# touch /var/adm/loginlog /var/adm/sulog
# chmod 640 /var/adm/loginlog /var/adm/sulog
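Creating the two files is only useful if someone reads them, so here is an added example, not from the book, that summarizes both logs per account. The record layouts are the Solaris 8 ones as I know them (sulog: `SU MM/DD HH:MM +|- tty user-target`, with `+` for success and `-` for failure; loginlog: `user:tty:date`), and the sample lines are constructed, not captured from a real firewall. Note that the path of sulog is set by the SULOG entry in /etc/default/su and the failed-login threshold by RETRIES in /etc/default/login; the defaults match what the text describes.

```shell
#!/bin/sh
# Added example (not from the book): per-account summaries of
# /var/adm/sulog and /var/adm/loginlog. Sample records are constructed.

# failed_root_su SULOG
# Prints "user count" for every account that failed an su to root,
# most failures first (field 4 is +/-, field 6 is "user-target").
failed_root_su() {
    awk '$1 == "SU" && $4 == "-" && $6 ~ /-root$/ {
             sub(/-root$/, "", $6); n[$6]++
         }
         END { for (u in n) print u, n[u] }' "$1" | sort -k2,2nr -k1,1
}

# loginlog_users LOGINLOG
# Prints "user count" of failed-login records per account, most first.
# Records are colon separated: login name, tty, then the timestamp.
loginlog_users() {
    awk -F: 'NF >= 3 { n[$1]++ } END { for (u in n) print u, n[u] }' "$1" \
        | sort -k2,2nr -k1,1
}

# --- demonstration on constructed records ---
demo=$(mktemp -d)
cat > "$demo/sulog" <<'EOF'
SU 01/05 09:12 + pts/1 alice-root
SU 01/05 09:40 - pts/2 bob-root
SU 01/05 09:41 - pts/2 bob-root
SU 01/05 09:42 - pts/2 bob-root
SU 01/05 11:03 - pts/3 alice-root
SU 01/05 12:15 + pts/1 alice-operator
EOF
cat > "$demo/loginlog" <<'EOF'
bob:/dev/pts/2:Mon Jan  5 09:35:10 2004
bob:/dev/pts/2:Mon Jan  5 09:35:14 2004
EOF
echo "failed su to root (user count):"; failed_root_su "$demo/sulog"
echo "failed logins (user count):";     loginlog_users "$demo/loginlog"
rm -r "$demo"
```

Run the two functions against the real files from cron and mail the output; a user who appears in both lists on the same day is the first thing to look at.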

Tweaking involves some file administration. You first want to create the file /etc/issue. This file is an ASCII text banner that appears for all Telnet logins. You also want to create the file /etc/ftpusers. This file simply contains the names of accounts that cannot FTP to the system; it is meant to stop root and other common system accounts from using FTP.

Ensure that root cannot Telnet to the system. This forces users to log in as themselves and then su to root. This is the system default, but always confirm it in the file /etc/default/login, where the CONSOLE line must be left uncommented.

In addition, eliminate the Telnet OS banner, and create a separate banner for FTP. (It is usually not wise to advertise the operating system.) For Telnet, you can do this by creating the file /etc/default/telnetd and adding the statement:

BANNER=""    # Eliminates the "SunOS 5.x" banner for Telnet

For FTP, you can do this by creating the file /etc/default/ftpd and adding the statement:

BANNER="WARNING: Authorized use only"    # Warning banner for ftp

To protect the operating system itself when FireWall-1 is not running, it is recommended that you install and use TCP Wrappers. TCP Wrappers does not encrypt anything, but it does log and control who can access your system. It is a binary that wraps itself around inetd services such as Telnet or FTP: for each inetd connection the system launches the wrapper, which logs the attempt and then checks it against an access control list. If the connection is permitted, TCP Wrappers hands it to the proper binary, such as Telnet; if the access control list rejects it, the connection is dropped. For more information on TCP Wrappers, visit ftp://ftp.porcupine.org/pub/security/index.html.
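The access control list the paragraph refers to lives in /etc/hosts.allow and /etc/hosts.deny, and tcpd consults them in a fixed order: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted. Here is an added example, not from the book or from the TCP Wrappers distribution, that writes a staging copy of the three files involved and models that decision order so the lists can be checked before they go live. The rule syntax (daemon_list : client_list) is tcpd's, but the matcher below is a simplification that understands only ALL, exact names and trailing-dot network prefixes; the management network 192.168.1.0/24 is a constructed value.

```shell
#!/bin/sh
# Added example (not from the book): staging copies of hosts.allow,
# hosts.deny and a wrapped inetd.conf, plus a simplified model of tcpd's
# allow/deny decision. Addresses and file contents are constructed.

# write_wrapper_config DIR
# Writes the three files into DIR. In the wrapped inetd.conf lines inetd
# starts /usr/sbin/tcpd, which logs, checks the ACL and then runs the
# daemon named in the last field.
write_wrapper_config() {
    cat > "$1/hosts.allow" <<'EOF'
# constructed: only the management network may reach the wrapped daemons
in.telnetd, in.ftpd : 192.168.1.
EOF
    cat > "$1/hosts.deny" <<'EOF'
# constructed: everything else is refused (tcpd logs the refusal)
ALL : ALL
EOF
    cat > "$1/inetd.conf" <<'EOF'
# constructed: the two remaining services, now started through tcpd
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
EOF
}

# acl_match FILE DAEMON CLIENT
# Succeeds if any "daemons : clients" rule in FILE covers DAEMON for
# CLIENT. Client patterns: ALL, an exact address, or "a.b.c." prefix.
acl_match() {
    acl_file=$1; acl_daemon=$2; acl_client=$3
    [ -f "$acl_file" ] || return 1
    while IFS= read -r rule; do
        case $rule in ''|'#'*) continue ;; esac
        daemons=$(printf '%s' "${rule%%:*}" | tr ',' ' ')
        clients=${rule#*:}
        clients=$(printf '%s' "${clients%%:*}" | tr ',' ' ')
        dmatch=no; cmatch=no
        for pat in $daemons; do
            if [ "$pat" = ALL ] || [ "$pat" = "$acl_daemon" ]; then dmatch=yes; fi
        done
        for pat in $clients; do
            if [ "$pat" = ALL ] || [ "$pat" = "$acl_client" ]; then
                cmatch=yes
            else
                case $pat in
                    *.) case $acl_client in "$pat"*) cmatch=yes ;; esac ;;
                esac
            fi
        done
        if [ $dmatch = yes ] && [ $cmatch = yes ]; then return 0; fi
    done < "$acl_file"
    return 1
}

# tcpd_decide DIR DAEMON CLIENT
# Prints allow or deny in tcpd's order: hosts.allow, then hosts.deny,
# and access is granted when neither file matches.
tcpd_decide() {
    if acl_match "$1/hosts.allow" "$2" "$3"; then
        echo allow
    elif acl_match "$1/hosts.deny" "$2" "$3"; then
        echo deny
    else
        echo allow
    fi
}

# --- demonstration against the staging copy ---
stage=$(mktemp -d)
write_wrapper_config "$stage"
for probe in "in.telnetd 192.168.1.20" "in.telnetd 10.0.0.5" "in.fingerd 192.168.1.20"; do
    set -- $probe
    echo "$1 from $2: $(tcpd_decide "$stage" "$1" "$2")"
done
rm -r "$stage"
```

The last probe shows why the ALL : ALL line in hosts.deny matters: a daemon you forgot to list in hosts.allow is refused rather than silently reachable. Keep the real files mode 644 and owned by root, and check tcpd's syslog entries after the first connection to confirm logging is working.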

Essential Check Point FireWall-1 NG
Essential Check Point FireWall-1 NG: An Installation, Configuration, and Troubleshooting Guide
ISBN: 0321180615
Year: 2004
Pages: 143