Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x
OL-16000-07
Chapter 2 Managing BTS Users and Commands Using EMS
Solaris OS Security and BTShard Package
The following UNIX accounts are to be LOCKED but not removed from the system: lp, uucp, nuucp,
nobody, listen, and any other Cisco support accounts not used in the normal course of field
operation. Services managed by root are the only accounts allowed to utilize one of these identities.
This is the default behavior.
Modifications to the Solaris kernel parameters were made to close potential breaches in the OS.
These security precautions are most often geared toward “denial of service” attacks, which
degrade the performance of a system and, as a result, prevent the critical applications from
delivering the service they are designed to provide.
The TCP protocol uses random initial sequence numbers.
All failed login attempts are logged.
The following users are not allowed direct FTP access to the machine: root, daemon, bin, sys, adm,
nobody, and noaccess.
A root user cannot telnet directly to the machine. Direct root user access is granted to the console
only. A user who wants to access the root account must use the su command from a nonprivileged
account.
The break key (<STOP> <A>) on the keyboard is disabled.
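The account controls listed above can be verified from the files that carry them. The following Python audit is an added example, not part of this guide or of the BTS hardening package; the four file bodies are constructed samples, and it assumes the standard Solaris conventions that a locked password field starts with *LK* (set by passwd -l, whereas NP means "no password" and is not a lock), that /etc/ftpd/ftpusers lists users denied FTP login, that CONSOLE= in /etc/default/login restricts where root may log in, and that KEYBOARD_ABORT= in /etc/default/kbd controls the STOP-A break key.

```python
"""Audit constructed Solaris configuration snapshots against the account
controls described above. Added example; file contents are constructed
samples, not captured from a BTS host."""

MUST_BE_LOCKED = {"lp", "uucp", "nuucp", "nobody", "listen"}
NO_FTP = {"root", "daemon", "bin", "sys", "adm", "nobody", "noaccess"}

# Constructed /etc/shadow: nuucp carries "NP" (no password), which is not a lock.
SHADOW = """\
root:$5$salt$hashhashhash:15000::::::
daemon:NP:6445::::::
lp:*LK*:6445::::::
uucp:*LK*:6445::::::
nuucp:NP:6445::::::
nobody:*LK*:6445::::::
listen:*LK*:6445::::::
optiuser:$5$salt$hashhashhash:15000::::::
"""
# Constructed /etc/ftpd/ftpusers: "nobody" has been left out.
FTPUSERS = "root\ndaemon\nbin\nsys\nadm\nnoaccess\n"
LOGIN_DEFAULTS = "# /etc/default/login\nCONSOLE=/dev/console\nPASSREQ=YES\n"
KBD_DEFAULTS = "# /etc/default/kbd\nKEYBOARD_ABORT=enable\n"


def parse_shadow(text):
    """Map user name -> password field (second colon-separated field)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            entries[fields[0]] = fields[1]
    return entries


def is_locked(pw_field):
    """True only for the explicit lock marker; NP or an empty field is not a lock."""
    return pw_field.startswith("*LK*")


def parse_defaults(text):
    """Parse KEY=VALUE lines of an /etc/default/* file, skipping comments."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def audit_accounts(shadow_text, ftpusers_text, login_text, kbd_text):
    """Return a list of policy deviations; an empty list means compliant."""
    findings = []
    shadow = parse_shadow(shadow_text)
    for user in sorted(MUST_BE_LOCKED):
        if user not in shadow:
            findings.append(f"{user}: account absent (policy is lock, not remove)")
        elif not is_locked(shadow[user]):
            findings.append(f"{user}: not locked (password field {shadow[user]!r})")
    denied = {l.strip() for l in ftpusers_text.splitlines()
              if l.strip() and not l.startswith("#")}
    for user in sorted(NO_FTP - denied):
        findings.append(f"{user}: missing from ftpusers, direct FTP access not blocked")
    if parse_defaults(login_text).get("CONSOLE") != "/dev/console":
        findings.append("CONSOLE not set to /dev/console; root may log in off-console")
    if parse_defaults(kbd_text).get("KEYBOARD_ABORT", "").lower() != "disable":
        findings.append("KEYBOARD_ABORT not 'disable'; STOP-A break key still active")
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(SHADOW, FTPUSERS, LOGIN_DEFAULTS, KBD_DEFAULTS):
        print(finding)
```

Run against the constructed samples, the audit reports three deviations: nuucp is unlocked (NP rather than *LK*), nobody is absent from the FTP denial list, and the break key is still enabled. The "absent" check matters because the policy is to lock these accounts, not delete them; a deleted account can be silently recreated by a package install with a fresh password.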
IP_FORWARD_DIRECTED_BROADCASTS—This option determines whether to forward
broadcast packets directed to a specific net or subnet, if that net or subnet is directly connected to
the machine. If the system is acting as a router, this option can be exploited to generate a great deal
of broadcast network traffic. Turning this option off helps prevent broadcast traffic attacks. The
Solaris default value is 1 (True). For example:
ip_forward_directed_broadcasts=0
IP_FORWARD_SRC_ROUTED—This option determines whether to forward packets that are
source routed. These packets define the path the packet should take instead of allowing network
routers to define the path. The Solaris default value is 1 (True). For example:
ip_forward_src_routed=0
IP_IGNORE_REDIRECT—This option determines whether to ignore ICMP redirect packets, which define
new routes. If the system is acting as a router, an attacker may send redirect messages to alter routing
tables as part of a sophisticated attack (a man-in-the-middle attack) or a simple denial of service. The
Solaris default value is 0 (False). For example:
ip_ignore_redirect=1
IP_IRE_FLUSH_INTERVAL—This option determines how long a specific route is kept, even if it is
currently in use. Address Resolution Protocol (ARP) attacks may be effective with the default
interval; shortening the interval may reduce the effectiveness of such attacks. The default interval is
1200000 milliseconds (20 minutes). For example:
ip_ire_flush_interval=60000
IP_RESPOND_TO_ADDRESS_MASK_BROADCAST—This option determines whether to
respond to ICMP netmask requests, typically sent by diskless clients when booting. An attacker may
use the netmask information for determining network topology or the broadcast address for the
subnet. The default value is 0 (False). For example:
ip_respond_to_address_mask_broadcast=0
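The five tunables above form a small baseline that can be checked against a running system. The following Python checker is an added example, not part of this guide or of the BTS hardening package: its BASELINE table holds the Solaris default and hardened value for each parameter as documented above, CURRENT_SNAPSHOT is a constructed sample in the same param=value form (not output from a real host), and the remediation commands use the standard Solaris `ndd -set /dev/ip <param> <value>` form. It goes slightly beyond the text in treating any ip_ire_flush_interval at or below 60000 ms as compliant, since the point of that parameter is a shorter interval rather than one exact value.

```python
"""Compare a snapshot of Solaris /dev/ip tunables with the hardened values
listed above and produce the ndd commands that would correct each gap.
Added example; the snapshot below is constructed, not from a real host."""

# param -> (solaris_default, hardened_value, rule)
# rule "eq": must equal the hardened value; "max": must not exceed it.
BASELINE = {
    "ip_forward_directed_broadcasts": (1, 0, "eq"),
    "ip_forward_src_routed": (1, 0, "eq"),
    "ip_ignore_redirect": (0, 1, "eq"),
    "ip_ire_flush_interval": (1200000, 60000, "max"),
    "ip_respond_to_address_mask_broadcast": (0, 0, "eq"),
}

# Constructed snapshot: three parameters are still at their Solaris defaults.
CURRENT_SNAPSHOT = """\
ip_forward_directed_broadcasts=1
ip_forward_src_routed=0
ip_ignore_redirect=0
ip_ire_flush_interval=1200000
ip_respond_to_address_mask_broadcast=0
"""


def parse_settings(text):
    """Parse param=value lines into a dict of ints; ignore blanks and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        param, _, value = line.partition("=")
        settings[param.strip()] = int(value.strip())
    return settings


def compliant(value, hardened, rule):
    """Apply the per-parameter comparison rule."""
    return value == hardened if rule == "eq" else value <= hardened


def audit_ip_tunables(current, baseline=BASELINE):
    """Return (issues, remediation_commands, unknown_params).

    A parameter missing from the snapshot is treated as unverified and gets a
    remediation command; values equal to the Solaris default are flagged as
    such so the report distinguishes "never hardened" from "changed to a
    wrong value"."""
    issues, commands = [], []
    for param, (default, hardened, rule) in baseline.items():
        if param not in current:
            issues.append(f"{param}: absent from snapshot")
            commands.append(f"ndd -set /dev/ip {param} {hardened}")
            continue
        value = current[param]
        if not compliant(value, hardened, rule):
            note = " (Solaris default)" if value == default else ""
            issues.append(f"{param}={value}{note}, expected {hardened}")
            commands.append(f"ndd -set /dev/ip {param} {hardened}")
    unknown = sorted(set(current) - set(baseline))
    return issues, commands, unknown


if __name__ == "__main__":
    issues, commands, unknown = audit_ip_tunables(parse_settings(CURRENT_SNAPSHOT))
    for issue in issues:
        print("ISSUE:", issue)
    for command in commands:
        print("FIX:  ", command)
    for param in unknown:
        print("NOTE: parameter not in baseline:", param)
```

On the constructed snapshot the checker flags ip_forward_directed_broadcasts, ip_ignore_redirect and ip_ire_flush_interval, all still at the Solaris default, and emits one ndd -set command for each. Values set with ndd take effect immediately but do not survive a reboot, so a finding of "Solaris default" on a host that was hardened earlier usually means the settings are not being reapplied at boot.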