HP-UX 11i v2 Installation and Update Guide, December 2005
Choosing an Installation Method
Security Considerations
Configuring Sec20MngDMZ or Sec30DMZ for Use with Serviceguard
Serviceguard uses dynamic ports. To enable operation, the range of ports
that Serviceguard may use must be opened. Opening the port range is not
consistent with the security goals of Sec20MngDMZ (MANDMZ.config) and
Sec30DMZ (DMZ.config), since multiple services (including other RPC-like
applications) may also listen on this same port range. The firewall,
however, will still provide security benefits consistent with the
Serviceguard security deployment model as described in the Securing
Serviceguard document at:
http://docs.hp.com/en/5874/securingserviceguard.pdf
Before you open the Serviceguard port range, make sure you review the
required IPFilter-SG rules, which are documented in the HP-UX IPFilter
Version A.03.05.09 Administrator's Guide at:
http://docs.hp.com/en/B9901-90021/B9901-90021.pdf
Configuring HP-UX Bastille Sec10Host
When the Serviceguard security patch of 2004 is installed, Serviceguard
is not compatible with the Sec10Host security deployment assumptions.
Specifically, the Sec10Host configuration disables the identd daemon,
but Serviceguard with the security patch requires the identd daemon to
be running for authentication purposes consistent with the
Serviceguard security deployment model described above.
To configure HP-UX Bastille Sec10Host, follow the steps below:
1. Edit the HP-UX Bastille /etc/opt/sec_mgmt/bastille/config
   configuration file by changing the answer to the question:

      Should Bastille ensure inetd's ident service does not run
      on this system?

2. Change the answer from Y to N as follows:

      SecureInetd.deactivate_ident="N"
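
The edit in steps 1 and 2 as a small shell check, added here as an example and not taken from the HP guide: it reads the ident answer from a Bastille config file and changes it from Y to N only when needed, keeping a backup copy. The function names, return codes and the .bak suffix are assumptions; the key name and value format are the ones shown above.

```shell
#!/bin/sh
# Added example (not from the HP guide): check and correct the ident answer
# in a Bastille config file. Function names, return codes and the .bak
# suffix are assumptions; the key and "Y"/"N" format are as shown above.
KEY_RE='SecureInetd\.deactivate_ident'

# Print the current answer (Y or N). Returns 1 if the key is missing or
# its value is not a quoted Y or N.
ident_answer() {
    val=$(sed -n "s/^${KEY_RE}=\"\([YN]\)\"[[:space:]]*\$/\1/p" "$1" | tail -n 1)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Change the answer from Y to N, leaving every other line untouched.
# Returns 0 = changed, 1 = already N (file not modified),
#         2 = key not found, 3 = backup, rewrite or verification failed.
allow_ident() {
    cfg=$1
    cur=$(ident_answer "$cfg") || return 2
    [ "$cur" = "Y" ] || return 1
    cp -p "$cfg" "$cfg.bak" || return 3
    sed "s/^\(${KEY_RE}=\)\"Y\"/\1\"N\"/" "$cfg.bak" > "$cfg" || return 3
    [ "$(ident_answer "$cfg")" = "N" ] || return 3
}

# Run the change against a constructed sample config (not a real Bastille
# file; Example.other_item is a placeholder key).
demo() {
    tmp=${TMPDIR:-/tmp}/ident_demo.$$
    mkdir "$tmp" || return 1
    printf '%s\n' 'Example.other_item="Y"' \
        'SecureInetd.deactivate_ident="Y"' > "$tmp/config"
    rc=0
    allow_ident "$tmp/config" || rc=$?
    echo "rc=$rc answer=$(ident_answer "$tmp/config")"
    rm -rf "$tmp"
}

# With a path argument, operate on that file; with none, define functions only.
if [ "$#" -gt 0 ]; then
    allow_ident "$1"
    exit $?
fi
```

A return code of 1 means the file already allowed ident and was left unmodified, so the check can be repeated on every cluster node without side effects.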