Securing the Network in Oracle Solaris 11.1 (Oracle Solaris 11.1 Information Library)

2.  Tuning Your Network (Tasks)

Tuning the Network (Task Map)

Task: Disable the network routing daemon.
Description: Limits access to systems by would-be network sniffers.
For Instructions: How to Disable the Network Routing Daemon

Task: Prevent the dissemination of information about the network topology.
Description: Prevents the broadcast of packets.
For Instructions: How to Disable Broadcast Packet Forwarding

Task: Prevent the dissemination of information about the network topology.
Description: Prevents responses to broadcast echo requests and multicast echo requests.
For Instructions: How to Disable Responses to Echo Requests

Task: For systems that are gateways to other domains, such as a firewall or a VPN node, turn on strict source and destination multihoming.
Description: Prevents packets that do not have the address of the gateway in their header from moving beyond the gateway.
For Instructions: How to Set Strict Multihoming

Task: Prevent DoS attacks by controlling the number of incomplete system connections.
Description: Limits the allowable number of incomplete TCP connections for a TCP listener.
For Instructions: How to Set Maximum Number of Incomplete TCP Connections

Task: Prevent DoS attacks by controlling the number of permitted incoming connections.
Description: Specifies the default maximum number of pending TCP connections for a TCP listener.
For Instructions: How to Set Maximum Number of Pending TCP Connections

Task: Generate strong random numbers for initial TCP connections.
Description: Complies with the sequence number generation value specified by RFC 6528.
For Instructions: How to Specify a Strong Random Number for Initial TCP Connection

Task: Prevent ICMP redirection.
Description: Removes indicators of the network topology.
For Instructions: How to Prevent ICMP Redirects

Task: Return network parameters to their secure default values.
Description: Increases security that was reduced by administrative actions.
For Instructions: How to Reset Network Parameters to Secure Values

How to Disable the Network Routing Daemon

Use this procedure to prevent dynamic network routing after installation on a system for which you specified a default router. If you did not specify a default router, configure routing manually first and then perform this procedure.


Note - Many network configuration procedures require that the routing daemon be disabled. Therefore, you might have disabled this daemon as part of a larger configuration procedure.


Before You Begin

You must become an administrator who is assigned the Network Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  1. Verify that the routing daemon is running.
    # svcs -x svc:/network/routing/route:default
    svc:/network/routing/route:default (in.routed network routing daemon)
     State: online since April 10, 2011 05:15:35 AM PDT
       See: in.routed(1M)
       See: /var/svc/log/network-routing-route:default.log
    Impact: None.

    If the service is not running, you can stop here.

  2. Disable the routing daemon.
    # routeadm -d ipv4-forwarding -d ipv6-forwarding
    # routeadm -d ipv4-routing -d ipv6-routing
    # routeadm -u
  3. Verify that the routing daemon is disabled.
    # svcs -x routing/route:default
    svc:/network/routing/route:default (in.routed network routing daemon)
     State: disabled since April 11, 2011 10:10:10 AM PDT
    Reason: Disabled by an administrator.
       See: http://support.oracle.com/msg/SMF-8000-05
       See: in.routed(1M)
    Impact: This service is not running.

See Also

routeadm(1M) man page

How to Disable Broadcast Packet Forwarding

By default, Oracle Solaris forwards broadcast packets. If your site security policy requires you to reduce the possibility of broadcast flooding, change the default by using this procedure.


Note - When you disable the _forward_directed_broadcasts network property, you are disabling broadcast pings.


Before You Begin

You must become an administrator who is assigned the Network Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  1. Set the broadcast packet forwarding property to 0 for IP packets.
    # ipadm set-prop -p _forward_directed_broadcasts=0 ip
  2. Verify the current value.
    # ipadm show-prop -p _forward_directed_broadcasts ip
    PROTO  PROPERTY                     PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ip    _forward_directed_broadcasts  rw   0         --           0         0,1

See Also

ipadm(1M) man page

How to Disable Responses to Echo Requests

Use this procedure to prevent the dissemination of information about the network topology.

Before You Begin

You must become an administrator who is assigned the Network Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  1. Set the response to broadcast echo requests property to 0 for IP packets, then verify the current value.
    # ipadm set-prop -p _respond_to_echo_broadcast=0 ip
    
    # ipadm show-prop -p _respond_to_echo_broadcast ip
    PROTO  PROPERTY                  PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ip    _respond_to_echo_broadcast rw   0         --           1         0,1
  2. Set the response to multicast echo requests property to 0 for IP packets, then verify the current value.
    # ipadm set-prop -p _respond_to_echo_multicast=0 ipv4
    # ipadm set-prop -p _respond_to_echo_multicast=0 ipv6
    
    # ipadm show-prop -p _respond_to_echo_multicast ipv4
    PROTO  PROPERTY                  PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ipv4  _respond_to_echo_multicast rw   0         --           1         0,1
    # ipadm show-prop -p _respond_to_echo_multicast ipv6
    PROTO  PROPERTY                  PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ipv6  _respond_to_echo_multicast rw   0         --           1         0,1

See Also

For more information, see _respond_to_echo_broadcast and _respond_to_echo_multicast (ipv4 or ipv6) in Oracle Solaris 11.1 Tunable Parameters Reference Manual and the ipadm(1M) man page.

How to Set Strict Multihoming

For systems that are gateways to other domains, such as a firewall or a VPN node, use this procedure to turn on strict multihoming. The hostmodel property controls the send and receive behavior for IP packets on a multihomed system.

Before You Begin

You must become an administrator who is assigned the Network Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  1. Set the hostmodel property to strong for IP packets.
    # ipadm set-prop -p hostmodel=strong ipv4
    # ipadm set-prop -p hostmodel=strong ipv6
  2. Verify the current value and note the possible values.
    # ipadm show-prop -p hostmodel ip
    PROTO  PROPERTY    PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ipv6   hostmodel   rw   strong    strong       weak      strong,src-priority,weak
    ipv4   hostmodel   rw   strong    strong       weak      strong,src-priority,weak

See Also

For more information, see hostmodel (ipv4 or ipv6) in Oracle Solaris 11.1 Tunable Parameters Reference Manual and the ipadm(1M) man page.

For more information about the use of strict multihoming, see How to Protect a VPN With IPsec in Tunnel Mode.

How to Set Maximum Number of Incomplete TCP Connections

Use this procedure to prevent denial of service (DoS) attacks by controlling the number of pending connections that are incomplete.

Before You Begin

You must become an administrator who is assigned the Network Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  1. Set the maximum number of incomplete incoming connections.
    # ipadm set-prop -p _conn_req_max_q0=4096 tcp
  2. Verify the current value.
    # ipadm show-prop -p _conn_req_max_q0 tcp
    PROTO  PROPERTY         PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    tcp   _conn_req_max_q0  rw   4096      --           128       1-4294967295

See Also

For more information, see _conn_req_max_q0 in Oracle Solaris 11.1 Tunable Parameters Reference Manual and the ipadm(1M) man page.

How to Set Maximum Number of Pending TCP Connections

Use this procedure to prevent DoS attacks by controlling the number of permitted incoming connections.

Before You Begin

You must become an administrator who is assigned the Network Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  1. Set the maximum number of incoming connections.
    # ipadm set-prop -p _conn_req_max_q=1024 tcp
  2. Verify the current value.
    # ipadm show-prop -p _conn_req_max_q tcp
    PROTO  PROPERTY         PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    tcp   _conn_req_max_q   rw   1024      --           128       1-4294967295

See Also

For more information, see _conn_req_max_q in Oracle Solaris 11.1 Tunable Parameters Reference Manual and the ipadm(1M) man page.

How to Specify a Strong Random Number for Initial TCP Connection

This procedure sets the TCP initial sequence number generation parameter to comply with RFC 6528.

Before You Begin

You must become an administrator who is assigned the solaris.admin.edit/etc.default/inetinit authorization. By default, the root role has this authorization. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  1. Change the default value for the TCP_STRONG_ISS variable. In the file, the line that begins with # is the commented-out previous setting, not a shell prompt.
    # pfedit /etc/default/inetinit
    # TCP_STRONG_ISS=1
    TCP_STRONG_ISS=2
  2. Reboot the system.
    # /usr/sbin/reboot

How to Prevent ICMP Redirects

Routers use ICMP redirect messages to inform hosts of more direct routes to a destination. An illicit ICMP redirect message could result in a man-in-the-middle attack.

Before You Begin

You must become an administrator who is assigned the Network Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  1. Set the ignore redirect property to 1 for IP packets, then verify the current value.

    ICMP redirect messages modify the host's route table and are unauthenticated. Additionally, the processing of redirected packets increases CPU demands on systems.

    # ipadm set-prop -p _ignore_redirect=1 ipv4
    # ipadm set-prop -p _ignore_redirect=1 ipv6
    # ipadm show-prop -p _ignore_redirect ipv4
    PROTO  PROPERTY         PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ipv4  _ignore_redirect  rw   1         1            0         0,1
    # ipadm show-prop -p _ignore_redirect ipv6
    PROTO  PROPERTY         PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ipv6  _ignore_redirect  rw   1         1            0         0,1
  2. Prevent sending ICMP redirect messages.

    These messages include information from the route table that could reveal part of the network topology.

    # ipadm set-prop -p _send_redirects=0 ipv4
    # ipadm set-prop -p _send_redirects=0 ipv6
    # ipadm show-prop -p _send_redirects ipv4
    PROTO PROPERTY          PERM CURRENT  PERSISTENT   DEFAULT  POSSIBLE
    ipv4  _send_redirects   rw   0        0            1        0,1
    
    # ipadm show-prop -p _send_redirects ipv6
    PROTO  PROPERTY        PERM CURRENT   PERSISTENT   DEFAULT  POSSIBLE
    ipv6  _send_redirects  rw   0         0            1        0,1

    For more information, see _send_redirects (ipv4 or ipv6) in Oracle Solaris 11.1 Tunable Parameters Reference Manual and the ipadm(1M) man page.

How to Reset Network Parameters to Secure Values

Many network parameters that are secure by default are tunable, and might have been changed from the default. If site conditions permit, return the following tunable parameters to their default values.

Before You Begin

You must become an administrator who is assigned the Network Management rights profile. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  1. Set the source packet forwarding property to 0 for IP packets, then verify the current value.

    The default value prevents DoS attacks from spoofed packets.

    # ipadm set-prop -p _forward_src_routed=0 ipv4
    # ipadm set-prop -p _forward_src_routed=0 ipv6
    # ipadm show-prop -p _forward_src_routed ipv4
    PROTO  PROPERTY             PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ipv4  _forward_src_routed   rw   0         --           0         0,1
    # ipadm show-prop -p _forward_src_routed ipv6
    PROTO  PROPERTY             PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ipv6  _forward_src_routed   rw   0         --           0         0,1

    For more information, see forwarding (ipv4 or ipv6) in Oracle Solaris 11.1 Tunable Parameters Reference Manual.

  2. Set the netmask response property to 0 for IP packets, then verify the current value.

    The default value prevents the dissemination of information about the network topology.

    # ipadm set-prop -p _respond_to_address_mask_broadcast=0 ip
    # ipadm show-prop -p _respond_to_address_mask_broadcast ip
    PROTO PROPERTY                           PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ip    _respond_to_address_mask_broadcast rw   0         --           0         0,1
  3. Set the timestamp response property to 0 for IP packets, then verify the current value.

    The default value removes additional CPU demands on systems and prevents the dissemination of information about the network.

    # ipadm set-prop -p _respond_to_timestamp=0 ip
    # ipadm show-prop -p _respond_to_timestamp ip
    PROTO  PROPERTY                        PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ip    _respond_to_timestamp            rw   0         --           0         0,1
  4. Set the broadcast timestamp response property to 0 for IP packets, then verify the current value.

    The default value removes additional CPU demands on systems and prevents dissemination of information about the network.

    # ipadm set-prop -p _respond_to_timestamp_broadcast=0 ip
    # ipadm show-prop -p _respond_to_timestamp_broadcast ip
    PROTO  PROPERTY                        PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ip    _respond_to_timestamp_broadcast  rw   0         --           0         0,1
  5. Prevent IP source routing.

    The default value prevents packets from bypassing network security measures. Source-routed packets allow the source of the packet to suggest a path different from the path configured on the router.


    Note - This parameter might be set to 1 for diagnostic purposes. After diagnosis is complete, return the value to 0.


    # ipadm set-prop -p _rev_src_routes=0 tcp
    # ipadm show-prop -p _rev_src_routes tcp
    PROTO PROPERTY          PERM CURRENT  PERSISTENT  DEFAULT  POSSIBLE
    tcp   _rev_src_routes   rw   0        --          0        0,1

    For more information, see _rev_src_routes in Oracle Solaris 11.1 Tunable Parameters Reference Manual.

See Also

ipadm(1M) man page
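The procedures in this chapter set or restore eighteen ipadm tunables across the ip, ipv4, ipv6 and tcp protocols. As an added compliance check that is not part of the Oracle documentation, the following POSIX shell script compares a host's current values with the values those procedures set and reports every deviation. It assumes that ipadm show-prop -c -o PROTO,PROPERTY,CURRENT prints header-less proto:property:value lines; the sample input is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added audit script, not from the Oracle documentation: compares a host's
# current tunables with the values the procedures in this chapter set.
# Assumption: ipadm show-prop -c -o PROTO,PROPERTY,CURRENT <proto> prints
# header-less proto:property:value lines. Usage on a Solaris host:
#   for p in ip ipv4 ipv6 tcp; do ipadm show-prop -c -o PROTO,PROPERTY,CURRENT $p; done | audit_props

# proto:property:value as set (or restored) by this chapter's procedures.
SECURE_VALUES='ip:_forward_directed_broadcasts:0 ip:_respond_to_echo_broadcast:0
ipv4:_respond_to_echo_multicast:0 ipv6:_respond_to_echo_multicast:0
ipv4:hostmodel:strong ipv6:hostmodel:strong
tcp:_conn_req_max_q0:4096 tcp:_conn_req_max_q:1024
ipv4:_ignore_redirect:1 ipv6:_ignore_redirect:1
ipv4:_send_redirects:0 ipv6:_send_redirects:0
ipv4:_forward_src_routed:0 ipv6:_forward_src_routed:0
ip:_respond_to_address_mask_broadcast:0 ip:_respond_to_timestamp:0
ip:_respond_to_timestamp_broadcast:0 tcp:_rev_src_routes:0'

# audit_props: read ipadm output on stdin (any proto:property:value tokens per
# line) and print "proto property current expected" per deviating tunable;
# a missing one shows as <unset>. Exit status = number of deviations (0 = OK).
audit_props() {
  awk -v want_list="$(printf '%s' "$SECURE_VALUES" | tr '\n' ' ')" '
    BEGIN { n = split(want_list, tok, " ") }
    { for (f = 1; f <= NF; f++) if (split($f, p, ":") == 3) have[p[1] ":" p[2]] = p[3] }
    END {
      bad = 0
      for (i = 1; i <= n; i++) {
        split(tok[i], p, ":"); key = p[1] ":" p[2]
        cur = (key in have) ? have[key] : "<unset>"
        if (cur != p[3]) { print p[1], p[2], cur, p[3]; bad++ }
      }
      exit bad
    }'
}

# Constructed sample of a partly tuned host (not captured from a real system);
# tcp:_rev_src_routes is omitted to exercise the missing-property case.
SAMPLE_IPADM_OUTPUT='ip:_forward_directed_broadcasts:0 ip:_respond_to_echo_broadcast:1
ipv4:_respond_to_echo_multicast:1 ipv6:_respond_to_echo_multicast:0
ipv4:hostmodel:weak ipv6:hostmodel:strong
tcp:_conn_req_max_q0:128 tcp:_conn_req_max_q:1024
ipv4:_ignore_redirect:0 ipv6:_ignore_redirect:1
ipv4:_send_redirects:1 ipv6:_send_redirects:0
ipv4:_forward_src_routed:0 ipv6:_forward_src_routed:0
ip:_respond_to_address_mask_broadcast:0 ip:_respond_to_timestamp:0
ip:_respond_to_timestamp_broadcast:0'

# audit_sample: run the audit over the constructed sample (7 deviations).
audit_sample() { printf '%s\n' "$SAMPLE_IPADM_OUTPUT" | audit_props; }
```

A non-zero exit status makes the check usable from cron or a configuration-management run; the printed lines name the ipadm property and the value to restore.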