HP-UX Bastille Version B.3.3 User Guide

A Install-Time Security (ITS) using HP-UX Bastille
Install-Time Security (ITS) adds a security step to the installation or update process. This additional
step allows the HP-UX Bastille security lock-down engine to run during system installation with
one of four configurations ranging from default security to DMZ. ITS includes the following
bundles:
Sec00Tools (recommended software bundle)
Sec10Host (optional software bundle)
Sec20MngDMZ (optional software bundle)
Sec30DMZ (optional software bundle)
A.1 Choosing security levels
At cold install or update time, you can choose one of the security levels listed in Table A-1. Each
level provides incrementally higher security.
Table A-1 Security levels

| Security level | Description | Configuration file name [1] |
|---|---|---|
| Sec00Tools [2] | The Install Time Security infrastructure. No security changes. | Not applicable |
| Sec10Host [3] | Host-based lock down with firewall pre-enablement. Some common clear-text services are turned off, excluding Telnet and FTP. | HOST.config |
| Sec20MngDMZ [3] | Lock down that allows secure management. IPFilter firewall blocks incoming connections except common, relatively safe, management protocols. | MANDMZ.config |
| Sec30DMZ [3] | Network-DMZ lock down. IPFilter blocks all incoming connections except HP-UX Secure Shell. | DMZ.config |

[1] Configuration files are installed in /etc/opt/sec_mgmt/bastille/configs/defaults.
[2] Sec00Tools is installed by default.
[3] Sec10Host, Sec20MngDMZ, and Sec30DMZ are selectable.
NOTE: When you select either the Sec20MngDMZ or Sec30DMZ security level, IPFilter restricts
inbound network connections. For more information on how to add inbound ports to your
/etc/opt/ipf.customerrules file, see the HP-UX IPFilter (Version A.03.05.09 and later)
Administrator's Guide and the HP-UX System Administrator's Guide.
Using one of these security levels applies a default security profile, simplifying the lock-down
process. The following tables list the services and protocols affected by each security level.