The boundary protection system (firewall) must be configured to only allow encrypted protocols to ensure that passwords are transmitted via encryption.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-48233	SOL-11.1-050270	SV-61105r2_rule		Medium

Description
Proper configuration of the firewall will only allow encrypted, authenticated protocols such as SSHv2. Stateful packet filtering and logging must also be enabled.

STIG	Date
Solaris 11 X86 Security Technical Implementation Guide	2019-12-18

Details

Check Text ( C-50665r2_chk )
Ensure that either the IP Filter or Packet Filter Firewall is installed correctly. Determine the OS version you are currently securing. # uname –v For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter. The IP Filter Management profile is required for IP Filter. Check that the IP Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed. # svcs ipfilter If ipfilter is not listed with a state of online, this is a finding. The IP Filter Management profile is required. Check that the filters are configured properly. # ipfstat -io If the output of this command does not include these lines: block out log all keep state keep frags pass in log quick proto tcp from any to any port = ssh keep state block in log all block in log from any to 255.255.255.255/32 block in log from any to 127.0.0.1/32 This is a finding. Even if the lines above are included in the output, it is possible that other lines can contradict the firewall settings. Review the firewall rules and ensure that they conform to organizational and mission requirements. If the firewall rules are not configured to organizational standards, this is a finding. For Solaris 11.3 or newer that use Packet Filter the Network Firewall Management rights profile is required. Check that the Packet Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed. # svcs firewall:default If firewall is not listed with a state of "online", this is a finding. The Network Firewall Management rights profile is required. Check that the filters are configured properly. # pfctl -s rules If the output of this command does not include these lines: pass in log (to pflog0) quick on any proto tcp from any to any port = 22 flags S/SA block drop log (to pflog0) all This is a finding.

Check Text ( C-50665r2_chk )

Ensure that either the IP Filter or Packet Filter Firewall is installed correctly.

Determine the OS version you are currently securing.
# uname –v

For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter.
The IP Filter Management profile is required for IP Filter.

Check that the IP Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.

# svcs ipfilter

If ipfilter is not listed with a state of online, this is a finding.

The IP Filter Management profile is required.

Check that the filters are configured properly.

# ipfstat -io

If the output of this command does not include these lines:

block out log all keep state keep frags
pass in log quick proto tcp from any to any port = ssh keep state
block in log all
block in log from any to 255.255.255.255/32
block in log from any to 127.0.0.1/32

This is a finding.

Even if the lines above are included in the output, it is possible that other lines can contradict the firewall settings. Review the firewall rules and ensure that they conform to organizational and mission requirements. If the firewall rules are not configured to organizational standards, this is a finding.

For Solaris 11.3 or newer that use Packet Filter the Network Firewall Management rights profile is required.

Check that the Packet Filter firewall is enabled and configured so that only encrypted SSH sessions are allowed.
# svcs firewall:default

If firewall is not listed with a state of "online", this is a finding.

The Network Firewall Management rights profile is required.
Check that the filters are configured properly.
# pfctl -s rules

If the output of this command does not include these lines:
pass in log (to pflog0) quick on any proto tcp from any to any port = 22 flags S/SA
block drop log (to pflog0) all

This is a finding.

Fix Text (F-51841r2_fix)
The root role is required. For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter configure and enable the IP Filters policy. # pfedit /etc/ipf/ipf.conf. Add these lines to the file: # Allow SSH (note you cannot restrict to SSHv2 here. This can # only be done in /etc/ssh/sshd_config.) pass in log quick proto tcp from any to any port = 22 keep state # Do not allow all outbound traffic, keep state, and log block out log all keep state keep frags # Block and log everything else that comes in block in log all block in log from any to 255.255.255.255 block in log from any to 127.0.0.1/32 Enable ipfilter. # svcadm enable ipfilter Notify ipfilter to use the new configuration file. # ipf -Fa -f /etc/ipf/ipf.conf For Solaris 11.3 or newer that use Packet Filter configure and enable the Packet Filter’s policy. # pfedit /etc/firewall/pf.conf. Add these lines to the file: # Allow SSH (note you cannot restrict to SSHv2 here. This can # only be done in /etc/ssh/sshd_config.) pass in log quick on any proto tcp to port ssh # Block and log all traffic on all interfaces in either direction from # anywhere to anywhere block log all Enable Packet Filter. # svcadm enable firewall:default Note: This is an extremely strict firewall policy disabling all network traffic except incoming SSH (port 22) connections. Operational requirements may dictate the addition of other protocols such as DNS, NTP, HTTP, and HTTPS to be allowed.

Fix Text (F-51841r2_fix)

The root role is required.

For Solaris 11, 11.1, 11.2, and 11.3 that use IP Filter configure and enable the IP Filters policy.

# pfedit /etc/ipf/ipf.conf.

Add these lines to the file:

# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick proto tcp from any to any port = 22 keep state
# Do not allow all outbound traffic, keep state, and log
block out log all keep state keep frags
# Block and log everything else that comes in
block in log all
block in log from any to 255.255.255.255
block in log from any to 127.0.0.1/32

Enable ipfilter.

# svcadm enable ipfilter

Notify ipfilter to use the new configuration file.

# ipf -Fa -f /etc/ipf/ipf.conf

For Solaris 11.3 or newer that use Packet Filter configure and enable the Packet Filter’s policy.
# pfedit /etc/firewall/pf.conf.

Add these lines to the file:

# Allow SSH (note you cannot restrict to SSHv2 here. This can
# only be done in /etc/ssh/sshd_config.)
pass in log quick on any proto tcp to port ssh
# Block and log all traffic on all interfaces in either direction from
# anywhere to anywhere
block log all

Enable Packet Filter.
# svcadm enable firewall:default

Note: This is an extremely strict firewall policy disabling all network traffic except incoming SSH (port 22) connections. Operational requirements may dictate the addition of other protocols such as DNS, NTP, HTTP, and HTTPS to be allowed.