
Need security products for Solaris...

denmarkw asked
Medium Priority
Last Modified: 2020-04-13
I am looking at a couple of security products. But I'll need to
evaluate them first. I downloaded some information on the
Sun Security Manager 4.4 from the Sun internet site.
But when I called Sun Express, they told me that they can't
ship outside the U.S. I know we can purchase the "export controlled"
version, but it means we might have to settle for 40-bit encryption.
They also told me that this product has no evaluation copy.
It's really a family of about 4 products, but they are expensive.

I also found a security product by Entrust Technologies from
Canada, but I need to contact them about an evaluation copy.
What advice can you give me regarding third party security products
for Sun? We want to ensure security on the following network
DESKTOP,LAN,WAN,Database Application

Thanks in advance for your help!

Denmark W.




Please state the Solaris version and your primary goal. You can easily port source code from GNU sites like Sunsite and make it available for Solaris. The first ones I will suggest are shadow (salted encryption for passwords), public key encryption, secure telnet, and please be specific about DATABASES and LAN. About Desktop ?? What do you need for desktop? So far the only thing I can think of for desktop is screensavers like Xoclock with password locking ... please give me an idea ... It seems all very interesting ...

Good Luck ...

Please state exactly what you require. From your question I am perceiving that you are expecting security products for the LAN, DESKTOP etc., but your question is still unclear to me. I would appreciate it if that question were elaborated further. You can reach me at srini75@hotmail.com.


As an MIT student, I may not be very impartial, but I find
kerberos to be a good security product. It is freely available
outside the US, and uses 56-bit DES encryption. Certain databases
also support it for authentication and encryption.

You may want to state what country you are in. Many telesales people don't realize it, but Canada counts as domestic for the purposes of the munitions restrictions on greater than 40-bit encryption codes. (Yeah, yeah, there's plenty of annexing Canada jokes, but remember that this year a US border town petitioned and was granted to be redefined as a Canadian town rather than a US town on the basis of various fishing rights treaties, so unbeknownst to most, Canada annexed a small piece of the US this year, and without bloodshed except for the fish.)

Even so, good security products rarely require encryption, since it's usually a matter of detecting intrusion and mitigating the damage; the encryption libraries are usually just there to provide a better means of checksumming. Tripwire and a good alternate boot scenario (diskless or off a backup boot disk) is usually good enough for most sites, and free stuff like tripwire is easier to run without fancy encryption libraries. Running Crack is a good thing to do, but make sure you have a policy about what to do with the users whose passwords you can crack.

The problem I have with kerberos is the presumption of one user per machine. Although this is a good assumption from the point of view of usage patterns by actual users, enforcing it effectively disables most of the convenience of maintaining a large number of machines from a central computer. What I find is that kerberos sites actively disable the ability to rsh, rexec, telnet, ftp or rdist to the workstation, forcing administration to be done at the actual terminal like a PC, and soon all the workstations get out of sync with each other because the administrators take an as-needed approach to everything, since they can't take a mass distribution approach. The result is unadministered or loosely administered machines, which I feel is worse than not running kerberos. Besides, most wire sniffing concerns that require encryption are going away as we deploy more and more switches instead of hubs.

Conversely, I don't like commercial security apps because security is about identifying and controlling the software on your system, not about adding more without understanding where your security holes may be in the first place. There are some products that are terribly useful but you should play with the basics of identifying how your current access points work and how your logging systems work.

I'm against the as-many-group-entries-as-users paradigm from a logistics point of view and from a redundant function point of view. People do the multiple group entries because of a poor understanding of how permissions work, so they make the groups work like users to simplify their thought processes. This is similar to the old "name your NIS domain the same as your FQDN domain" nonsense back in the '80s. You'll get more security by reading chapter 2 of "Essential System Administration" and thinking long and hard about how group permissions can benefit you rather than make it difficult to administer and as ridiculous as your passwd file. Remember, take the advice of Linux administrators with a grain of salt; they usually have relatively small installations, and are often already pre-hacked.

There are trade-offs with everything you do for security. Do shadow passwords and you'll need a distribution scenario other than NIS; do NIS+ and you need to create a private public key for each machine for the triple DES encryption; shut down rdist and you need another way of getting configuration changes to everything.

I'm also against consultants, unless it's me and at a high rate, because it's more important for the administrator who'll be there in the long run to understand his system than it is for a quick housecleaning. One year I got the reputation of a miracle worker because some very expensive supercomputers had their IP addresses hard-wired into the rc.boot file by a consultant, such that once a very expensive move from one facility to another was done, they could not boot up to change the IP address because it was trying to do mounts as if they were still on the old subnets, even in single user boots (the people doing the move were getting ready to call it a massive loss and send it all back to the other city when I showed them the magic of diskless boots); if you don't know what your consultant is doing then he shouldn't be there, unless of course you're prepared to call the consultant in again, which is what the consultant wants.
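The Tripwire-style check this post recommends (record a checksum baseline, compare it later) as an added example; it is not code from the thread and not Tripwire's own code. It assumes GNU coreutils sha256sum and comm and a POSIX shell; the "passwd" and "ls" files in the usage comment are constructed sample data, not real system files.

```shell
#!/bin/sh
# Added example (not from the thread, not Tripwire's code): a minimal baseline-and-verify
# integrity check. Assumes GNU coreutils sha256sum, comm and a POSIX shell. As the post says,
# the cryptographic part is only a strong checksum; the protection comes from keeping the
# manifest somewhere an intruder on the box cannot rewrite (read-only media, the alternate
# boot disk) and running the comparison from a trusted boot.

# make_baseline TREE MANIFEST: record a checksum for every regular file under TREE
# (give TREE as an absolute path so the manifest can be checked from any directory).
make_baseline() {
  find "$1" -type f -exec sha256sum {} + | LC_ALL=C sort -k2 > "$2"
}

# verify_baseline TREE MANIFEST: report files that changed, vanished or appeared since the
# baseline. Returns 0 only when the tree matches the manifest exactly.
verify_baseline() {
  tree=$1; manifest=$2; status=0
  # Changed or missing files: sha256sum -c prints "FAILED" lines and exits non-zero for either.
  sha256sum --quiet -c "$manifest" 2>&1 || status=1
  # Added files are invisible to a checksum list, so diff the path sets explicitly.
  old=$(mktemp); new=$(mktemp)
  sed 's/^[0-9a-f]*  //' "$manifest" | LC_ALL=C sort > "$old"
  find "$tree" -type f | LC_ALL=C sort > "$new"
  added=$(comm -13 "$old" "$new")
  rm -f "$old" "$new"
  if [ -n "$added" ]; then
    printf '%s\n' "$added" | sed 's/^/ADDED: /'
    status=1
  fi
  return $status
}

# Usage with constructed sample files (a fake "passwd" and a fake "ls" binary):
#   t=$(mktemp -d); m=$(mktemp)
#   printf 'root:x:0:0\n' > "$t/passwd"; printf 'bin\n' > "$t/ls"
#   make_baseline "$t" "$m"
#   printf 'evil\n' >> "$t/ls"        # simulate a tampered binary
#   verify_baseline "$t" "$m"        # prints ".../ls: FAILED" and returns 1
```

The manifest is only as trustworthy as the place it is stored and the sha256sum binary used to check it, which is why the post pairs the checker with an alternate boot: verify from a known-good system, not from the possibly compromised one.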

obkb: To refute your kerberos arguments, kerberos *does not*
make any assumptions about the number of users per machine.
While sites you are familiar with may have disabled telnet,
rsh, rexec, ftp, etc., this is not required. In fact, kerberos
support for all of these applications is included with the
standard kerberos distributions from MIT and Cygnus. At MIT,
for example, I regularly telnet into a machine that has about 100
other users, and each user has their own kerberos tickets, and
can securely use services without any fear of eavesdropping or
attacks from any of the other users. Also, as a side note, the
standard ssh source includes support for kerberos.

On a switched network, you still have to trust the switch, all
the lines, and all of the machines, because if someone can
compromise one of the machines by obtaining a user's password,
he can potentially compromise all of the machines that that
user can log in to, just by sniffing the local line. So even on
a switched network, you should use encryption.


We are running Solaris 2.5.1 on an E3000 and Sparc 4/5s over an Ethernet LAN. We also have
2 NT 4.0 servers and a Novell 3.12 server.
We are implementing a private WAN over our countrywide branch network using our telephone/Internet service provider.
Our 8 branches have a Sparc 4 or 5 running Solaris 2.5.1 on Ethernet LANs.
Our application is client/server. On the server side (Solaris 2.5.1) we have Informix OWS 7.2.UC2 and MicroFocus Cobol 4.0. On the client side we have Win95b and APS-generated DLLs.
Our telephone service provider is saying that the PVC will be secure, but I don't think that is absolutely true.
We want to protect our clients' data from outsiders, primarily.
We are located in Belize, Central America.
What security & encryption functions can I enable from Solaris, for example Kerberos & DES? I recall trying to set up DES encryption on a Sparc20 a few years ago, but it got messy and I could not access the root account again. I had to reinstall the machine.
How can I find out what security & encryption tools are installed or available on the Solaris OS?
I'm having some problems with Unix groups: even with group permissions set, users in the same group cannot overwrite files from other users in the same group. This is needed because the group is for developers who frequently recompile executables, etc.
The only way that a user can overwrite another user's file in the same group is if the permissions are set to 777. I tried setting the umask to 000, but that only results in 666.
It's really weird why the permissions don't appear to be working the way they should.

I also would appreciate some comments or suggestions about this problem.

Thanks in advance for your help!
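The group permission behaviour described in the follow-up above (umask 000 yielding 666, group members unable to overwrite each other's files), worked through as an added example that is not part of the thread. It assumes a POSIX shell with ls -l style mode strings and a mktemp that accepts -d; the scratch files and the "proj" directory are constructed for the demonstration. The two facts it demonstrates: a plain file is created with mode 0666 & ~umask and never gets execute bits from umask alone, so 666 under umask 000 is the expected result; and on System V derived systems such as Solaris a new file takes the creator's primary group unless the parent directory carries the setgid bit, so group write bits on files are useless when each developer's files land in a different group.

```shell
#!/bin/sh
# Added example, not from the thread. What umask actually controls, and why "group
# permissions" only help once new files really belong to the shared group.
# Assumes a POSIX shell, ls -l style mode strings and mktemp -d.

# Expected mode of a new plain file / directory for a given umask (octal string such as 022).
# Plain files start from 0666, directories (and linker output) from 0777; umask only clears bits.
file_mode_for_umask() { printf '%04o\n' $(( 0666 & ~0$1 )); }
dir_mode_for_umask()  { printf '%04o\n' $(( 0777 & ~0$1 )); }

# Symbolic mode string of a path, e.g. -rw-rw-r--
mode_of() { ls -ld "$1" | cut -c1-10; }

# demo_umask UMASK: create a file and a directory under that umask in a scratch directory
# and return their mode strings, e.g. "-rw-rw-r-- drwxrwxr-x" for 002.
demo_umask() {
  scratch=$(mktemp -d)
  ( umask "$1"; : > "$scratch/f"; mkdir "$scratch/d" )
  f=$(mode_of "$scratch/f"); d=$(mode_of "$scratch/d")
  rm -rf "$scratch"
  echo "$f $d"
}

# make_shared_dir DIR: a shared build directory. Mode 2775 = setgid + group-writable:
# files created inside inherit DIR's group (System V semantics, as on Solaris), and with
# umask 002 in each developer's profile they come out 664, so the group can write them.
# Replacing a file (unlink + create, which linkers do) needs write on DIR, which 2775 grants.
make_shared_dir() {
  mkdir -p "$1" && chmod 2775 "$1" && mode_of "$1"
}

# can_write MODE WHO: pure permission arithmetic for the write bit, MODE numeric (e.g. 664),
# WHO one of owner|group|other. Shows why 664 suffices: 777 is not needed to overwrite.
can_write() {
  case $2 in
    owner) bit=0200 ;;
    group) bit=0020 ;;
    other) bit=0002 ;;
    *) return 2 ;;
  esac
  [ $(( 0$1 & bit )) -ne 0 ]
}

# Usage: after `chgrp developers proj && make_shared_dir proj` (chgrp needs the real group),
# each developer sets `umask 002`; check a result with `mode_of proj/a.out`.
```

The asker's 777 workaround works only because it also sets group write; 664 on files plus 2775 on the directory gives the same effect without handing out execute and world-write bits. The remaining step is making sure every developer's files actually carry the developers group, which is what the setgid bit on the directory does.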
