Re: Security for SUN-Cluster 3.0/2.2 with OPS (8.1.7)

From: Alex Noordergraaf (Alex.Noordergraaf@sun.com)
Date: 10/29/01


Message-ID: <3BDD8327.25C0FF40@sun.com>
Date: Mon, 29 Oct 2001 11:26:15 -0500
From: Alex Noordergraaf <Alex.Noordergraaf@sun.com>
To: Markus.Fleischmann@ConSors.de
Subject: Re: Security for SUN-Cluster 3.0/2.2 with OPS (8.1.7)

Markus.Fleischmann@ConSors.de wrote:
>
> Hello,
>
> we, at our company, use two Sun Clusters (one 3.0, the other 2.2) with OPS
> (8.1.7) running on both
> and like to make them (at least more) secure. Now the question is, if there
> are any restrictions (f.e. with
> respect to the communication between the two Cluster nodes) which prevent
> the usage of the
> Solaris Security Toolkit (formerly known as JASS) to secure the whole
> thing?
> Has anybody made experiences with securing a Sun Cluster and can tell me
> which ports, services,
> etc. can be deactivated without any problems?

There are two parts to your question - which may or may not be important
to you:

a) what SunCluster configurations are supported by Sun?

b) what security modifications can I made if I don't care about support?

There are no secured configurations of SC2.2 or SC3.0 available today
which are supported. I can say that this is going to change - but can't
give any specifics yet as legal doesn't let us talk about futures.

That being said I'm not going to go into details on securing SC2.2 or
SC3.0 except to say that both products will break if hardened with the
default JASS 'secure.driver'. Please don't run JASS (or any other
hardening tool) on a SunCluster without understanding your support
issues and being willing/able to deal with the problems that come up as
a result of the hardening.

-Alex

>
> Thanks in advance,
>
> Markus

-- 
Alex Noordergraaf                  (voice) 781.442.3447
Enterprise Eng. Security Architect (email) alex.noordergraaf@sun.com
BluePrints Security articles       http://sun.com/security/blueprints