Foreigner regional registration office in Goa yet to start OCI facility despite getting powers – Think India Foundation

A passage to Goa: a generation and more later…

Source : http://permalink.gmane.org/gmane.culture.region.india.goa/82375

This is a translation of an article
"Passagem para a India" that was
published on the magazine section of O
Expresso of December 8, 2001. It was
translated by Gabriel Figueiredo
gdefigueiredo  yahoo.com.au, and
reproduced here with his permission. It
tells the story from a Portuguese
perspective ...

---
Commencing at 0:00 hours of December 18, 1961, the invasion
of Goa, Damão and Diu lasted 36 hours. The disproportion was
excessive, with the Indian forces being 13 times larger than
the Portuguese garrison. The "total sacrifice" requested by
Salazar would have been a tragedy. This was the understanding
of General Vassalo e Silva, the last governor of a 451-year
history, when he surrendered. Carlos Azaredo was one of the
military personnel who took part in the events. 40 years
later, the general was the guide of O Expresso in a visit to
the last years of India Portuguesa.
---

Carlos Azaredo disembarked for the first time in Goa, on
September 17, 1954. An ensign of the Cavalry, 23 years old,
he volunteered to defend the so-called "Estado da India
Portuguesa" (State of Portuguese India), against a quite
probable invasion by the powerful Union of India. "We left
Lisbon on board the 'Serpa Pino'; I was the only Cavalry
officer on board".

Born in a family with a firm monarchical tradition in the
district of Baião, he joined the Escola do Exército
(Military School) in 1948, against the wishes of his father
who would have liked his first-born to study Engineering.

He then joined the Escola Prática de Cavalaria (Cavalry
Training School) at Torres Novas, and the Regimento de
Cavalaria No 6 (Cavalry Regiment no 6) at Porto, "my first
regiment". The journey by ship is slow and uneventful. "We
passed the Suez Canal and the British were still in Aden". He
disembarked at Mormugão, the most important port of Goa
conquered by Afonso de Albuquerque on 25 November 1510.

The neighbouring immense Union of India is a volcano of
nationalistic fervour. Independent of England since 1947,
even before independence its principal leaders had already
proclaimed the integration of the territories of the Estado
Português da India: Goa, Damão and Diu.

Mahatma Gandhi, the father of the great Indian nation, would
be the first to declare that Goa could not remain separate.
This would be a political fixation of the prime minister
Pandit Jawaharlal Nehru, who in 1950, formally reclaimed the
territories administered by Portugal, proposing the opening
of negotiations.

          The government presided by Oliveira Salazar
          refuses, with the argument that Goa and other
          territories form part of the whole nation [of
          Portugal]. In Goa, Damão and Diu, the
          manifestations of civil disobedience or in favour
          of right to autonomy have prison, deportation or
          censorship as a reply. Many Goans, be they
          Catholics or Hindus, are compelled to exile.

In the dialogue of the deaf, a new tactic is followed: that
of pressure, through economic blockades and recourse to the
famous "satyagrahis", who peacefully invade Portuguese
territories. Literally signifying the "force of truth", the
"satyagrahis" were created by Gandhi and played a decisive
role in its strategy of non-violent resistance.

Successive waves of these "satyagrahis" fringed by military
personnel invade the Portuguese enclaves of Dadrá and
Nagar-Aveli, near Damão, in 1954. The first one falls on the
22nd July, the second one eleven days after.

In the confrontations in Dadrá, two Portuguese police
officers are killed. "Died for the Motherland", according to
the inscription on a headstone, which is still maintained in
a garden of one of the forts in Damão. Ready to defend the
dear jewel of the empire, Salazar responds with diplomatic
and military plans. On the day immediately following its
admission to the United Nations, Portugal appeals to
International Tribunal of Justice (in The Hague) against the
annexation of the two enclaves. And he strengthens the
defence of India (Portuguesa), resorting to volunteers.

Responsive to the vehement appeal to defend the Motherland,
the ensign Azaredo volunteers. In all, three more army
battalions arrive in Goa. The governor, General Benard
Guedes, has 12,000 troops at his disposal in the three
territories.

          Goa was not totally unknown to young Azaredo -- at
          least at the level of attachment and family
          connections. Born in 4th October 1930, at Marco de
          Canavezes, Carlos Manuel de Azaredo Pinto Melo e
          Leme belongs to the Távora family through maternal
          links, the same family that the Marquês de Pombal
          had taken on as a love rival. Francisco de Assis
          Távora, the last marquês with that title, was the
          45th viceroy of India (1750/54). No wonder, then,
          that the family had become one of the largest
          proprietors of the colony. Once numerous, rich and
          influential, the Noronha e Távora that Azaredo met
          in Goa are no longer what they were. D. Augusto is
          the head of the family. "He was the first cousin of
          my grandfather. He married a Goan and stayed on to
          take care of the family property -- each time
          smaller, it is said".

D. Augusto, the 90 year-old cousin, is not at home. A major
stroke forced him to be hospitalised. A metallic plaque with
the inscription: D. Augusto de Noronha e Távora, better
known as "Lobé", marks the residence in an ordinary building
in a chaotic road in Panaji.

The general is received by one of his daughters, Margarida.
On a wall is a family tree, starting from D. Lourenço Carlos
Bernardo de Noronha and his link with D. Veridiana Amália
Henriques da Cunha Lobato de Faria. "Our cousins from Porto
sent it to us", explains Margarida. On a table, an ashtray of
the Futebol Clube do Porto, the latter of which Lobé was a
relentless supporter. "The last time I saw him was during
President Mario Soares' visit, in 1992; he was at the
reception of the hotel, wearing a cap of FCPorto".

The last of the Távoras in Goa was in room no. 10 of the
hospital at Bambolim. With tubes and a drip, D. Augusto is
not aware of his circumstances, let alone recognise cousin
Carlos. A nurse even tries to get old Lobé out of his
torpor, but without success. In the silence of the room, one
feels it is torpor of death. The general takes his leave with
a gentle caressing of the hand and an inaudible goodbye.

Having arrived in Goa, the ensign is given the command of a
detachment at Perném, near the river Tiracol, which borders
the Union of India. His mission is to control the northern
frontier, with a platoon of thirty personnel -- 27 privates
and 3 sergeants. "We set up in conical canvas tents, where we
spent the whole of the monsoon".

          The most identifiable frontier post is Tiracol, at
          the northern margin of the river, protected by a
          fort built in 1746. In August 1954, some time
          before the arrival of Azaredo, the satyagrahis had
          taken possession of the fort and hoisted the Indian
          tricolour until it was regained by a police force.
          The subsequent peace reduces the border control to
          little more than a routine job. "In my time,
          nothing happened. We would go out of Perném, catch
          a customs launch and come down the river Tiracol
          until the fort. It was a very beautiful trip".

The Tiracol fort, made of laterite blocks, has been
transformed into a pleasant hotel, which welcomes above all
tourists from Goa. The bridge is quite far, which
necessitates taking a "ferry-boat" near Querim, which takes
10 minutes to make the journey between the two riverbanks.

The view towards the Querim beach, to the south, is
fantastic. The interior of the small fortress is very well
preserved. The façade of the Jesuit chapel, of 1822, is
whitewashed and preserves statues of the three saints: the
martyr Sebastian, the inevitable Francis Xavier and Anthony
of Lisboa, the patron saint. The old fort of Terekhol (as is
written in Konkani, the language most prevalent in Goa), a
leading lookout facing the state of Maharashtra, is one of
the best examples of the Portuguese military architecture.

The commission in Perném lasts six months. A commission at
Maulinguem follows, in the northeastern frontier, as a
shooting-range officer. "I was there for three months. At the
time, I made a report in which it was stated that 60% of the
ammunition was unused". The rifles were Lee-Enfield, five
shots, British-made, 1917 model. "The humidity would
penetrate the cartridge-belts and the rifle-barrels had to be
unblocked with a rod".

For someone who had volunteered for a possible war, the
inactivity is disappointing. "As nothing was happening, I
requested a passage to the home country". Minister Santos
Costa rejects the request. "The dispatch only stated 'when an
ensign of the Cavalry volunteers, it is for everything. Bear
with it!' And bear it I did, what a panacea!"

The rest of the commission is spent at the Mapuça squadron,
at an old school converted to quarters. He shares a house in
the centre of the city with another officer.

          "Each one had a batman and the cook was common --
          but all were Africans. At this time there were
          soldiers from Landim (a place on the banks of the
          Zambesi), in Mozambique (of the Vátua tribe of the
          famous Gunguhnana) stationed in Goa". The preferred
          entertainment is to go to the cinema at night, to
          watch Indian films. "I was always attacked by huge
          bugs. When I reached home, I used to undress, enter
          the house naked and leave the infested clothes at
          the door to be washed. Thus was the life at Mapuça".

Mapusa is today the third city of the State of Goa -- next to
Panaji and Margão. The market is very lively and there are
abundant cinema halls. A marble slab records that it was the
general Craveiro Lopes who, in 1933, inaugurated the Liceu
Municipal D. Francisco d'Almeida.

The school became quarters and is now converted back into a
school. It is called St. Mary School, very old and run by
Carmelite nuns. The sentry boxes no longer exist. "The
sentries were Landins. Perfect statues, they were the best
soldiers that I've seen".

The school is closed -- it is the Diwali holidays, or the
festival of lights, which mark the Hindu New Year. At the
door, various cars of a driving school were parked, having a
Brahmanic cross (which inspired the Nazi swastika) on their
logo.

In September 1955, Prime Minister Nehru orders to put an end
to the movements of the satyagrahis. The decision is taken
after the excursion of 15th August, the anniversary of Indian
independence. On this bloodstained day, three thousand
pacifists penetrated into Goa, Damão and Diu.

          "The Portuguese police and military forces opened
          fire against the satyagrahi without warning and in
          various places," writes P.N. Khera (in "Operation
          Vijay. The liberation of Goa and Other Portuguese
          Colonies in India"). Estimate: 22 dead and 225
          wounded. Non-violence is put on hold, which forces
          New Delhi to change the strategy. On one side,
          Nehru tightens the economic siege of Goa, now
          totally dependent on imports. On the other hand, he
          abandons the pacifism preached by Gandhi and
          progresses to a military solution.

In February 1956, after 18 months of a volunteer commission
in Goa, Carlos Azaredo returns to Portugal. Already a
lieutenant, he gets married and seriously dedicates himself
to horsemanship.

At the turn of the decade, the anti-colonialistic wave is
growing bigger and is on the verge of reaching the Portuguese
territories in Africa: Angola and Guiné, as also Mozambique.
Lisbon re-evaluates the political situation. Priority is given to
Africa -- not least because it is known with certainty
that Goa is militarily indefensible, as Salazar would
otherwise have already known.

          The verdict of the international Tribunal at The
          Hague is known in April 1960. It is an ambiguous
          pronouncement, which permits Lisbon and Delhi to
          claim victory. On one side, Portuguese sovereignty
          on the enclaves of Dadrá and Nagar Aveli is
          recognised; on the other hand, India has the right
          to obstruct the passage of foreigners through its
          territory.

At the end of the year, the under-secretary of the Army
Staff makes a survey visit to India (Portuguesa). Pragmatic
and realistic, the Lt-Col Costa Gomes proposes a drastic
reduction in the military grouping. Salazar agrees. In a few
months the garrison changes from 12,000 men to around 3,500.
The navy, which had come to consist of two ships, is now
reduced to the ageing "Afonso de Albuquerque", retaining the
three small customs launches to attend to the three
territories and to the island of Angediva. As to the Air
Force, it continued to be non-existent.

In January 1961, quite unexpectedly, Azaredo and India cross
each other for a second time. Promoted to a captain, he
returns to Goa for a new commission -- no longer as a
volunteer. "At this stage, I was already married, so that I
took along my wife Lúcia and our three children -- a boy and
two girls".

This time, he travels on board the "Timor". The route is the
same, but the differences are clear. "At Port Said, the
statue of Ferdinand Lesseps, the constructor of the Suez
Canal, had been knocked down; the British military were no
longer at Aden".

One of the rare officers with Goan experience, Azaredo stays
in the capital, in charge of the Police of the Estado da
India. The headquarters are at the centre of Panjim, in the
Largo das Sete Janelas. The commander is also a captain of
the Cavalry, Joaquim Pinto Brás. "I started off as a
provisional second commander; then, I went on to command the
sections of Procedures, Traffic, Municipal Police, Military
Training and Foreign Service -- I hope I haven't forgotten any
other."

          The effective forces are around five hundred police
          personnel, European and Goan. The eastern and
          southern frontier "was my responsibility. I had to
          visit and inspect the posts -- which, at this time,
          were dedicated mainly to combat terrorism". The
          so-called subversive war is at its peak: between
          1955 and 1959, the Army Staff records 179 assaults,
          152 sabotages and a hundred other unsuccessful
          attempts -- that would result in the deaths of 30
          Portuguese and 73 Indians.

The Goa State Police headquarters are situated in the very
same headquarters in Panaji. The Portuguese coat-of-arms had
been erased from the door, maintaining only the inscription
containing the date of its construction: 1832. The exterior
-- painted in a bold yellow -- was the target of a
restoration project, subsidised by the Fundação Oriente.

The receptionist is a woman-police officer, in brown uniform
and wearing a black beret pulled backwards, to allow a
"bindi", the red mark that the Hindus wear between the
eyebrows, to be visible. At the front stands only one sentry,
with a moustache, a rifle and bayonet. Cars and jeeps, police
and civilians come and go.

The old alarm bell, made of the same bronze that was used for
the cannons, reminds that the empire was built on a very odd
association of clergymen and the military. Polished but
silent, there were times when it sounded furiously, against
fire or attacks by Moslems and Maharajas.

          The interior parade is practically unaltered. The
          same mango trees, gigantic and majestic. The
          unmistakable crows, bluish-black and with a nasal
          caw. Even the lawn, used for education and
          training, seems to preserve the same football goal
          posts of 40 years ago. The only difference is a
          roof to protect vehicles from sun and rain, and the
          slender King Ashoka pillar.

Contrary to the headquarters, the ample square in front is
unrecognisable. Starting with the name, which has changed
from Sete Janelas to Azad Maidan (field of independence). The
huge statue of Vasco da Gama, in bronze, has been removed to
the museum at Old Goa. In its place a monument -- in an ugly
combination of blue, white, black and gold -- has been
erected, containing the mortal remains of Tristão de
Braganza Cunha. Died in 1958, he was the founder of the Goa
Congress Committee, the first of the various Goan
nationalistic organisations, among which the radical Azad
Gomantak Dal was prominent.

In a corner of the square there is another memorial in honour
of "the martyrs in the fight for liberty and colonialism in
India". Dated 1973, it was financed by the Goan Freedom
Fighters Association, which records the name of 67 combatants
inscribed on stone -- in English and in Hindi, the official
national language. Some were native Goans, others natives of
other parts of India -- Maharashtra, Madhya Pradesh, Punjab
and even Bangladesh. Between the two monuments, school
students make use of the grounds to practice cricket, the
chief sport of India and Goa.

          The Azaredo family settles in a house close to the
          headquarters. "I never knew the name of the road".
          The landlord is a rich Goan merchant, of the shop
          Velho e Filhos, who supplies the troops and other
          clients with wine and dried cod (bacalhau). They
          rent the first floor, at the rear of the Medical
          School Hospital (Hospital Escolar). "Sometimes we
          witnessed macabre sights: the Muslim cadavers being
          washed in the mortuary before being buried facing
          Mecca". It is a house with a large veranda and
          windows with carepas -- fish scales instead of
          glass. The next-door tenant is a friendly doctor
          whose surname is Almeida, who studied in Lisbon and
          who, with eleven children, always has his house
          full.

The road continues not to have a visible name, but has lost
its former tranquillity and charm -- there is so much noise
and fumes from buses, cars and "rickshaws". The house,
however, is quite the same.

At the entrance on the ground floor, was the glazed tile
inscribed with the name of the very same landlord: "Velho".
The descendants of the old Velho now live there, who receive
the general with open arms, a cup of tea and a plate of
homemade cakes.

Cheerfully, Loretta Dias Velho makes it a point to show
everything to the unexpected visitor: dining room, bedrooms,
kitchen and the bathroom. As in all Christian homes in Goa,
there is no shortage of religious motifs, including the
statue of Our Lady of Fátima and a photograph of Pope John
Paul II. A china plate from Alcobaça guarantees that "with
three letters only one can write the word Mum".  Built in
1952, the house always had military tenants -- Portuguese
first, Indian later. "We only managed to get it back in
1991". Azaredo states "after the invasion, they attacked it
and threw practically everything out of the window. I was
left with nothing".

          In the adjoining apartment Dr. Almeida continues
          living. Romualdo António de Jesus Almeida will
          complete ninety years. Bed-ridden, he receives his
          former neighbour with a happy smile. All his eleven
          children "still live". Three are triplets, but
          memory fails and he can only mention two: Mário
          and Arnaldo. On a wall proudly hangs the diploma of
          Medicine. Dated 1936.

On the 30th July, the Panjim Police takes another prisoner,
Ravindra Kelecar, one of the many "Freedom Fighters". "I was
the last Goan to be imprisoned by the Portuguese". Ravindra
would have been one of the very rare Hindus of his generation
to attend the Liceu Nacional Afonso de Albuquerque.

"There was a sort of 'apartheid' between the Portuguese and
the Hindus", he reveals. Reason why these "never had a good
impression" of the other.

The course of his life is marked by an unforgettable date: 18
June 1948, when Ram Manohar Lohia, the Indian socialist
leader, went to Margão to hold a rally. "Some six or seven
hundred people gathered to listen to him. One could never
imagine that it would be possible to gather so many people".

The police ended up obstructing the session, but the message
got through: "Without struggle, Goans will never be able to
liberate their country". Ravindra took the message to heart.

          The non-violence theorised by Gandhi and practiced
          by the "satyagrahis" wasn't the only tactic used.
          "I went about with bombs, revolvers and all",
          recollects Ravindra. When requested to divulge the
          exact details, he stops with an enigmatic "they
          were unimportant things, dictated by youth and
          enthusiasm." Things he does not repent, even
          because, he highlights "I did not kill anyone."

Ravindra Kelecar, 76 years old, receives us in his house,
near Mardol. Member of the Brahmin caste, he is a respected
intellectual. He dresses up in a Hindu suit made of fine
cotton, white, reaching to his feet; the few hairs, left long
and white, are pushed backwards; his small and vivid eyes
peer behind thick lenses.

He offers us hot tea, whilst apologising for his Portuguese
-- which is surprisingly excellent. Ravindra and Azaredo do
not recognise each other -- in spite of the former being held
prisoner in the headquarters of the latter.

The Goan remembers that, at the time of his detention, "the
Police commandant was Pinto Brás". Insisted by the
Portuguese, he remembers, however, that he was "well
treated". "The problem", he adds, "was that I was never
questioned, nor tried, let alone being condemned".

Isolated in a cell, the family used to visit him on
Saturdays. "One day, they did not allow me to receive any
visits. I wrote to Pinto Brás in protest, who sent a reply
that he did not know why I was imprisoned -- and there I was
for three months! Four hours later, a corporal set me free".
An unusual ending to an arbitrary imprisonment.

Since 1962, he devoted himself to winning autonomy for Goa. A
battle that lasted five years and which "was worth being
imprisoned another 26 times". Disappointed and retired from
politics, he wrote his memoirs, which unfortunately have not
been translated into English. In his final years, he
discovered Fernando Pessoa and his "Livro de Desassossego"
(Book of Restlessness), "one of the saddest and profound
books in the literary world."

The monsoon of 1961, which unleashes itself between May and
September, is not quite placid. A typhoon sweeps the whole
southern coast, between Margão and Canacona. General Vassalo
e Silva is the head of the government of Goa, since 1958.

Doing justice to his qualifications as an engineer, the
governor devotes himself to rebuilding the poor local
residences. He calls Azaredo to the Palácio do Idalcão
(Adil Khan Palace), which serves as the seat of government.

"He requested me to make an inventory of the damage. I don't
know how he remembered me -- it is a mystery -- I visited the
whole of the affected region", advised by an engineering
officer, experienced in construction and works. "I handed in
the report in December. It gave a survey of the damage and
the material required: bricks, beams, tiles, galvanised sheets".

The collaboration between the Governor-General and the
Captain becomes closer. The former appreciates the initiative
of the latter, his earnestness and promptness. Azaredo, in
his turn, values the seriousness of the General, and his
passion for Goa and the Goans. At the Idalcão, near river
Mandovi, a friendship that would last a lifetime is born.

The Idalcão is older than the Portuguese conquest. The
former palace of the Adil Khan, the Muslim ruler defeated by
Albuquerque, was converted into an official residence of the
Viceroys in 1759.

The palace continues to be the seat of power [at the time
this article was published]. The Chief Minister -- a sort of
a Prime Minister of Goa -- works there. Manohar Parrikar
belongs to the Bharatiya Janata Party (BJP), the same party
that governs in New Delhi and which many accuse of being
Hindu fundamentalist. In Goa, it is in its second year in
power, thanks to a conglomerate parliamentary coalition.

The age-old building is in need of complete restoration --
externally and internally. The noble old hall is a pallid
shadow of what it was. The portraits of the Governors and
Viceroys have gone to the Museum. In their place,
photographs, oils or pictures of high Indian dignitaries
hang: the famous Maharaja Shivaji, the ex-Prime Minister
Indira Gandhi, her son Rajiv, and others.

Of the long table, the plush carpets, the rich candlesticks
and porcelain -- there is no sign of them. The skylight,
which formerly used to light up the ample hall, no longer
allows a single ray of sunlight to pass through. The "maples"
of the waiting room are dirty and worn out with overuse; on
the white walls, hang a clock (ahead by 10 minutes) and paper
calendar.

Outside, on the other side of the road, is the Flagstaff of
Sovereignty. The Portuguese flag used to flutter at its
summit for centuries. Now, it is the Indian tricolour, first
hoisted on the 19th December 1961 that flutters.

In the first days of October, New Delhi is the platform for a
seminar on the Portuguese colonies. The surgeon P. D.
Gaitonde, an influential Goan politician who was imprisoned
in Portugal, initiated the idea.

Nehru is the host for liberation movement of Angola,
Mozambique, Guiné and Cabo Verde, also of Goa. The Indian
leader inquires what sort of assistance is most required:
Diplomatic? Financial? Military? The reply is unanimous:
terminate colonialism in his own country, by liberating Goa,
Damão and Diu. Nehru commits himself: "I don't doubt that
Goa will be free shortly". Without losing time, Nehru
requests J. N. Chauduri for a scrutiny of the military
situation in Goa.

At about the same time, the military commandant of Goa
returns to Panjim. The brigadier António Leitão had been
on a two-month holiday in Portugal, and made use of it to try
to obtain reinforcements: armament and ammunition,
transporters, communication equipment.

The same (request) was being made, unsuccessfully, by Vassalo
e Silva himself. Most of the armament has been superseded,
even obsolete. There are those who don't have anything better
than the Kropatcheq rifle, dating prior to the First World
War!

"If it wasn't so tense, the situation would have been quite
comic", accepts Azaredo. "The police vehicles were no longer
armoured at the bottom. Rotten, the iron sheets would be
replaced with thick planks of wood used to transport bacalhau
(dried cod)".

As if this wasn't enough, the military presence was
continuing to thin out. First, to assist Luanda (capital of
Angola), where a rebellion would break out in February, with
Salazar decreeing "To Angola and in force!"; then to Timor,
where problems also arose.

          The brigadier presents himself dolefully to the
          Ministry of Defence. Since April -- following the
          failed coup d'etat of General Botelho Moniz -- the
          minister is Salazar himself, who adds this to his
          Presidential duties. "But the Toninho da Calçada
          (Salazar's nickname?) did not receive him. To
          Salazar, there was no war in India, to which there
          was no need for reinforcements".

With a wave of the hand, there is only one solution to the
military command: improve on the Plano Sentinela (Sentry
Plan). It is a plan of resistance to any foreseen aggression.

The strategy progresses to concentrate forces in the
peninsula of Mormugão, and there, to defend at all costs.

"It was a totally unrealistic and unachievable plan, which
was quite incomplete", verifies Azaredo. "It was based on
exchange of ground with time. But, for this purpose, portable
communication equipment was necessary". There was none available.

In the meanwhile, the "Freedom Fighters" continue to do their
bit. "To the contrary to what is being said, the most evolved
guerilla warfare which our Armed Forces encountered was in
Goa. I know what I'm talking about, because I also fought in
Angola and in Guiné. In 1961 alone, until December, around
80 policemen died". Azaredo however, advises: "The major part
of the terrorists of Azad Gomantak Dal were not Goans. Many
had fought in the British Army, under General Montgomery,
against the Germans. And the majority of the satyagrahis were
not peasants and poor rural people, hungry in search for
something to eat".

The Eastern frontier is the easiest for penetration.

Delimited by the range of the Western Ghats, it is zone of
high contours, and the means available to the police are ill
suited to the terrain. During the monarchy, horses had taken
care of such situations. Why not make use of the experience?

"In November, we went to Pakistan to buy horses". A group of
officers, accompanied by a veterinary doctor, journey to
Lahore, Rawalpindi, and Peshawar. The idea is to purchase
thirty mounts, to equip a platoon in Valpoi. "The British had
selected a fantastic pure-blooded breed. We even made a
purchase, but it was too late!".

On the 17th of November, an incident takes place on the
island of Angediva, South of Goa. The Portuguese garrison
opens fire on the passenger ship "Sabarmati". An enchanting
place, which had received the ships of Vasco da Gama on his
first voyage to India, Angediva would come into history as
the famous "isle of love" sung by Camões in "Os Lusiadas".

Now the luxuriant isle has been transformed into an eager
pretext for military intervention. As one reads in the
introduction to the Indian Military report, "the tension
exploded" at Angediva "and India decided to liberate the
territories by force".

New Delhi orders the Army Staff to finalise the plan of
attack. The liberation of Goa from colonialism is a trump
card capable of alleviating pressure on Nehru, who had
serious problems on his hands with China in Tibet and
Pakistan in Kashmir. The military option is particularly
cherished by the Defence Minister, Krishna Menon, a radical
who is preparing to contest elections in his constituency.

"Operation Vijay" is the code name given to the plan of
liberation of Goa, Damão and Diu. Of the Army, the 17th
Division and the 50th Paratroop Brigade are mobilised, among
others. The naval resources include the aircraft carrier
"Vikrant", three frigates, two cruisers, many other torpedo
boats and a submarine.

We are certainly unaware of the air support used, but it is
known that the aircraft carrier had 21 aircraft consisting of
fighters (Hunter, Vampire, Mystere) and bombers (Liberators
and Canberra). The foreseen strategy of New Delhi is that the
combat should last, at a maximum, three days -- meanwhile
Lisbon would ask Vassalo e Silva to resist for a minimum of
eight days.

The Commander-in-Chief of "Operation Vijay" is Major-General
Chaudhuri, whereas another General K. P. Kandeth directs
operations in Goa. The command of the Air Force is given to a
Goan, Vice-Marshal Pinto do Rosário. Another Goan is Francis
Rodrigues, 28 years old, who had attended the Military
Academy North of Delhi, and accompanied the operation,
although he did not participate in it.

A gentleman of a remarkable background, Rodrigues would
attain generalship, having held the post of Chief of Staff of
the Army between 1990 and 1993 - the highest post in the
Indian military hierarchy. Originating from a Catholic family
"that provided five priests but only one general", he never
learnt Portuguese. The family, like many others had retreated
to Bombay. "My father was a journalist, who wrote some
articles against the Portuguese and was denied entry into
Goa. At this time, I was only nine years old". The general
only came to settle in Goa when he retired, aged 60.

The ex-Chief of Staff of the Indian Army receives us at his
residence, in Alto de Porvorim. The two generals, both
retired, greet each other with courtesy and respect. The
Portuguese is from the Cavalry, the Indian from the Artillery.

The dialogue is in English. Azaredo, always a gentleman, has
words of praise for the behaviour of Indian Armed Forces
during the invasion. Rodrigues prefers to speak of liberation
and, surprised by the praise, gives a hearty laugh, with a
mixture of satisfaction and pride. "Really, the Indian Army
is a good Army".

A conceited Francis Rodrigues prefers to talk of himself and
his achievements, not forgetting his meetings with Pope John
Paul II and Colin Powell. At leave-taking, a photograph is
taken of the enemies of forty years ago.

          December arrives with only one doubt: the date of
          the invasion. The preparations are dramatic. On the
          12th, women and children (of the military
          personnel) are evacuated. The operation is not
          approved by Lisbon, being against the national
          interest, but Vassalo e Silva does not forgo the
          need to look after the safety of the families of
          his men. Having a capacity of carrying 105
          passengers, the ship "India" departs Mormugão with
          650.

Having declared a state of emergency, on the 14th the
Governor-General receives a radio message from Salazar. It is
a text intended for the History of the Empire. "I advise and
expect", writes Salazar, a "total sacrifice", "the only way
by which we can maintain the height of our traditions and
provide the greatest service to the future of the Nation".

The dictator does not want the least doubt to exist: "I do
not foresee the possibility of any truce, nor Portuguese
prisoners, as there will not be any ships surrendered, since
I feel that there can only be victorious soldiers and sailors
or those killed in battle".

The message largely surpasses the previous command dispatch
of the governor, according to which resistance should be
"conducted until all ammunition and provisions are
exhausted". With the end in sight, Salazar demands
destruction and prepares for a turn of the page.

Orders are received from the Ministry for Overseas Affairs to
transfer the relics of St. Francis Xavier to Lisbon. Another
message recommends the destruction of the varied non-military
heritage, including the palace. Vassalo refuses to comply
with either of the orders, which Azaredo attributes "to the
criminal unscrupulousness and the insanity of Salazar, who
preferred the politics of a country in flames -- as had
happened months before, in São João Baptista de Ajudá.
"No! I cannot destroy the evidence of our greatness in the
Orient", he told me, when he ordered me to remove the petrol
containers which were near the Idalcão", says Azaredo.

On the 17th December, the territories of Goa, Damão and Diu
are surrounded by the members of the Indian armed forces. The
imbalance, of men and resources, is shocking.

A comparison made by Col. Carlos Morais ("A Queda da India
Portuguesa- Crónica da Invasão e do Cativeiro" - "The fall
of Portuguese India -- A Chronicle of the Invasion and
Captivity") is eloquent: on the Indian side, "a total of
45,000 men plus 25,000 reservists, using combat vehicles of
the latest model, artillery, air-transported troops,
amphibious units, technical support, modern aviation, etc";
on the Portuguese side, "around 3,500 men ill-equipped with
arms and ammunition, without armoured cars or anti-tank
weapons, no air support, and practically without any
artillery".

Knowing the great advantage and confident in the efficiency
of his aircraft, Vice-Marshal Pinto do Rosário bets he
would have a drink of Portuguese beer in the main market of
Panjim on the day following the attack. The bet is partially
won, as P. N. Khera notes "When they reached the market, all
the shops were closed and there wasn't a single bottle of
beer available".

In the morning, Azaredo is called to the governor, who
nominates him as the coordinating officer of the Security
Forces (Inspection Guards and Police). The rest of the day is
spent at the headquarters.

"I slept in a semblance of emergency mode. All of us slept.
We were on alert since the 11th or 12th". Early in the night,
a TAP plane lands at the airport in Dabolim, having come from
Karachi. It was expected that it would bring an urgent order
of the required grenades "Instalaza", destined to reinforce
the poorly equipped anti-tank artillery. The boxes are opened
anxiously, but no one can believe the incredible sight:
sausages, instead of grenades, sent by Lisbon in the spirit
of campaigning "The Soldier's Christmas"!

The invasion begins in the first minutes of the 18th. From
the North, South and East, it is quickly announced by All
India Radio.

"It must have been around 6:30am when I presented myself at
the Palace". Soon after, the telecommunications centre, at
Bambolim, is the target of aerial bombardment. "As there were
no transmissions, the governor sent me there to find out what
was happening. I went in a black Volkswagen. The centre and
the generators had been attacked with bombs and rockets. They
killed an ensign -- I even saw him, with brains spilling out
of his head". Goa would be cut off from the exterior --
neither Lisbon, nor Damão, nor Diu.

With the invasion in progress, it is up to the
Commander-in-Chief1 to activate the "Plano Sentinela" (Sentry
Plan). A few minutes pass after 8:00am when the Governor
abandons the capital and heads towards the naval shipyards,
in the Mormugão peninsula.

"Having been dispensed with, I went to take command of the
troops forming the second line of defence". The formation
goes from the isle of São Jacinto to Issoroim, cutting
across the isthmus of the peninsula, selected as the last
bastion of resistance.

"It was 10:30am when I arrived there. In all, I would have
around 500 men under my command -- troops that were coming
from other positions, in retreat. We dug some trenches
rapidly, which we strengthened with coconut trunks". The
weapons are a little more than ridiculous: two light Lewis
machine guns and ancient rifles. Ahead, the first line was
composed of forces from the light Infantry Company 3.

Now and then, due to lack of communications equipment,
Azaredo goes by car to the Commander-in-Chief1, "some two
kilometres behind". During one of these incursions, when he
had reached a high position, he witnesses the combat between
"Afonso de Albuquerque" and the Indian Navy -- three frigates
and two torpedo boats.

"Our vessel was in anchorage at Dona Paula, the other side of
River Zuari. By around midday, on being targeted, it left its
moorings and manoeuvred with the intention of taking to the
high seas. The enemy artillery was using anti-personnel
shrapnel bombs. One could distinctly hear the explosions
and see the clouds they left. One of them exploded directly
above the ship", killing a cabin boy and seriously injuring
the commander Cunha Aragão. The ship then "swerved 180
degrees and ran aground by the bows on Bambolim beach. I saw
the crew set fire to it and disembarking directly on to the
beach". The official version, maintained for years, would
exalt the heroic stand of "Afonso de Albuquerque" -- to the
extent of stating that it was sunk. "All tales! I state with
the authority of one who directly witnessed the hostilities".

At 15:00, there is a new setback. The small garrison, which
would remain in Panjim, gives itself up without further ado.
Having attained the other side of River Mandovi, "the enemy
placed various battle tanks with their cannons pointing to
the city, whilst the air force was circling overhead,
threateningly. On the other hand, we did not have a
single piece of artillery. The older officers got together
and decided to surrender". Vassalo came to know later -- "He
was furious".

          Night falls, with the end of the war virtually
          planned out. Worn out, Capt. Azaredo cannot
          reconcile himself to sleep. "I thought countless
          times that, for many of us, it would be the last
          night". Remembering his wife and three children,
          somewhere on the way to Lisbon, he cannot hold back
          tears of sadness. Then he retreats into prayer.
          "In the peace of the night, I raised my thoughts to
          the Creator and prepared my soul for a death."

At 4:30am of the 19th, the lines of defence are inspected by
the Governor. "He confirmed our weakest positions. Even then,
he gave me a friendly pat on my shoulder: "Azaredo,
everything is alright".

He does not talk of surrendering and proceeds in the
direction of the first line. The destruction of many
strategic bridges is incapable of holding up the unstoppable
advance of the enemy. The centres of resistance are falling
and dwindle to little more than the fort at Aguada, the
island of Angediva and the post at Doromarogo.

The general Headquarters, set up at the shipyards, is almost
constantly receiving discouraging news: defeats, casualties,
surrenders, running out of ammunition, desertions. The
Patriarch for the Indies, D. José Vieira Alvernaz, insists
with the Governor to prevent the massacre of military and
civilian personnel, and makes a desperate appeal to
surrender. Vassalo e Silva evaluates the military panel.

Situated at Mormugão, he is literally surrounded by land,
sea and air. With neither resources nor men, a
counter-offensive would be absolutely suicidal. A simple
resistance would give an opportunity for a useless carnage.

Surrender appears to be inevitable. Colonel Carlos Morais, in
his book, records the historic moment: 12:15 of the 19th
December. The commanders present are informed of the
decision, which is transmitted at 14:00, in writing, to the
Indian commander: "I request your Excellency for a cease-fire
between our forces, as of this moment".

At 15:00, Azaredo is called to the command post. "Profoundly
dejected, the Governor ordered me to assemble the troops at
the headquarters at Alparqueiros", the entrance to the city
of Vasco da Gama, "because there was a truce to hold talks".

Returning to his position, "I handed over command of the S.
Jacinto sector to Lt Máximo, sat in my Volkswagen to go to
Issoroim to inform Lt Melo Gomes of the order to retreat". On
his return to S. Jacinto, he is taken by surprise on the road
by an enemy patrol, commanded by an officer, who orders him
to stop. Alone and being unable to resist, he gives himself up.

"A Sergeant took possession of my pistol, a 9mm Parabellum, and
the officer sat in the car, with me driving and two armed
soldiers behind". On arriving at Alparqueiros, already under
control of Indian troops, Azaredo gets out of the car in
which his captor disappears. "The first thing I saw on
entering the Headquarters was a mound of weapons on the
ground, on which the Portuguese (soldiers) were placing as
soon as they were taken prisoner". The formal surrender of
Vassalo e Silva is received at 18:00 by Brig K.S. Dhillon, of
the 6th Brigade of the Sikh Infantry.

In all, 4668 prisoners are taken, including military and
civilian personnel, Portuguese, Africans and Indians (Goans)
-- numbers as given in the "Operation Vijay" report; 3412 in
Goa, 853 in Damão, 403 in Diu. Concentrated in Goa, they are
divided into four camps: Navelim (subsequently closed, so bad
it was), Aguada, Pondá and Alparqueiros. This is the
largest, with almost 2,000 detainees, among whom is Vassalo e
Silva.

It is here that the now ex-Governor receives, on the 20th, a
visit from the enemy commander, General Chaudhury. "He came
by helicopter -- it was the first time that I saw one, I
believe it was an Alouette 1". Azaredo is in the General's
room. "He had asked to borrow a washed shirt -- the only one
I had slipped into my canvas bag. He wanted to present
himself properly. As he was broader than me, the shirt was a
bit tight for him". The General does not speak English, and
requests the captain to be the interpreter.

          Chaudhury makes it a point to enter alone into the
          cell. "Vassalo wanted to stand up to compliment the
          Indian, but the latter rested his hand on his
          shoulder and did not let him. He pulled up a chair
          and sat down". The Portuguese refuses the preferential
          treatment offered to him and gives thanks for the
          courtesy shown for the well-being of his wife.

"Then, Chaudhury congratulated the ex-Governor for the action
of the Portuguese troops in the 'valiant skirmishes' engaged
in Mapuça, Bicholim, Damão and Diu, where they reacted very
well". At the end, the victor puts himself at the disposal of
the vanquished "for whatever that was necessary. He gave a
cordial hand-grip and withdrew".

Azaredo stays at Alparqueiros and Vassalo is thereafter
transferred to Pondá. While they are at the same camp, they
have long conversations. "The general would call me now and
then. He was a profoundly drained man. He used to say that
an officer is not the master of his men's lives, to the
extent of sending them to their deaths unnecessarily. He
would never accept the destruction of Goa, which was also
built by the Goans".

In the prison, Azaredo is in the same room with four other
captains. For a mattress, he has "a bit of corrugated
cardboard, on top of the cement floor". Having only one
uniform, "I always had it washed and stretched. I would make
it a point to present myself every day, at the review,
orderly and strict. And I had my shoes polished -- even when,
at the end, they did not even have a sole". The rest of the
day "I used to go about in my underwear". The food is
insufficient: "I even lost a good number of kilos".

Of the prison wardens, he has no particular reason to
complain. "Apart from the first days, they were absolutely
correct with me". The daily routine is the same: reading,
chess, mail ("in spite of being censored"), physical
exercises, volleyball or basketball games. He has less than a
hundred men under him -- "what remained of three squadrons of
the Cavalry". Every day, they carry out a session of "falling
to order", even without weapons, lasting five to ten minutes,
"to maintain discipline and order".

          They have an unexpected company of a langur monkey.
          "It was caught by an ensign at Bicholim, who gave
          it to me. It was silver and had a white chest. It
          was called Krishna, after one of the Hindu gods. I
          took him to Lisbon with me and later on to
          Cabinda". One of his jobs consists of editing the
          reports of the last operations. The order comes
          from Vassalo e Silva, transmitted to him by the
          Jesuit priest Joaquim Ferreira da Silva.

Alparqueiros is situated in a small peninsula at the mouth of
the Zuari, squeezed between the naval shipyards, the city of
Vasco da Gama and the Mormugão dock, from where rich iron
ore is exported -- the main raw material of Goa. Belonging to
the Navy, the headquarters has gained in strategic scope and
importance. There is only one entrance, and it is strictly
off-limits to foreigners -- though, one notes, poorly
resourced, with just one guard. It is only from the dirty
fishermen's beach to the west that it is possible to have a
view, and that too only partially, of the former "Quartel do
Batalhão de Infantaria de Vasco da Gama". As at all military
bases, the
authorisation to visit the former prisoner-of-war camp was
not granted in time.

The hard life at the camp is made more pleasant by visits --
Goan friends, acquaintances, or simply anonymous persons. "In
the early days, there were hundreds, even thousands, who
displayed all their kindness and love". Surprised, the
military authorities limit the visits to twice a week and
then restrict them to the Red Cross only.

          Adélia Costa is one of the rare persons authorised
          to visit Alparqueiros. She is the Director of the
          Psychiatric Hospital Abade Faria. Graduated in
          Lisbon, she would be the first woman in Portugal to
          specialise in Neurology. "When I started to work,
          it used to be called the Mental Hospital. It was a
          horrible thing, they used to beat up the patients
          and all. I encountered various Goan political
          prisoners, with orders from the Police to be
          interned! I stopped all this, with total support
          from Vassalo e Silva".

As Azaredo's neighbour, she went apprehensively to wish the
captain's family goodbye when they were evacuated. It was a
time when she still had illusions. "I cannot forget my
father, an optimist who would never believe that India would
invade Goa". At the dawn of the 18th, Adélia woke up with
the first explosions and an unexpected visit.

"It was four or five in the morning when Carlos knocked at
the door. In full uniform, he had come to wish me goodbye.
'If I die, I would like you to hand these over to my wife,'
he said, when he thrust two parcels into my hands -- a book
and a transistor radio, I think". It was a very emotional
moment.

The doctor only remembers the officer saying "this is our
work -- we only really work when there is war". And the war
had started. Without losing time, the Director rushed to the
hospital, to protect her patients. She only calmed down after
having covered the roof with white bed-sheets, painted with
large red crosses.

The doctor and the captain meet on Christmas Day. "It was the
first time I could go to Alparqueiros. There was a huge
crowd! The people of Goa, poor as they were, were giving what
they could: cigarettes, biscuits, tea, medicines, money". The
great solidarity is followed by prohibition of visits. "As
only the Red Cross was allowed into the camps, I signed up
immediately".

          Adélia Costa continues to live in Goa. At Panaji,
          she much prefers to spend weekends with her
          brothers and nephews in the enormous manor of
          "Quadros and Costa". It is there that she tells us
          of the unforgettable days, sitting on a comfortable
          wooden chair, between an aromatic coffee and a
          tasty coconut cake baked by her sister. Time seems
          to have come to a standstill at the old manor at
          Loutolim. From the huge columns to the magnificent
          couch, crossing to the astonishing Indo-Portuguese
          prayer-room, they all evoke a rich but distant past.

With respect to repatriation, Adélia's parents convinced her
to go to Lisbon. "I made use of it, and in five months I
specialised in Psychiatry". The doctor did not rest easy
whilst she was away from her parents, who were left alone. "I
returned on 22nd February 1963". Going back to work at
the hospital was out of the question. "I started a consulting
room where I still practice". She also left the Red Cross.
Instead of a Portuguese passport, she now carries an Indian
one. "This is my country, and this is where I want to live,"
she explains. "It does not stop me from visiting Lisbon".

On the 17th January, a group of prisoners attempts an escape,
foiled by an unspeakable rumour. Furious, the
2nd Camp Commander, Capt. Naik, calls for an emergency
assembly for a special counting of the prisoners, to ensure
that there were no other escapes.

"When I went slowly past Naik, on the way to the assembly, he
ordered me: "Run! Run!" I grumbled and sent him to hell". In
Portuguese or English, he doesn't know for certain -- the
truth is that the Sikh officer did not like it. "He ordered
five privates to beat me up. When one was pointing a gun at
me, the others started to hit me, some with the butts of
their rifles".

          Fallen on to the ground, he only remembers waking
          up the next morning, full of contusions. "I admit
          that perhaps I deserved the thrashing, but at least
          I had the rare pleasure of sending him to hell!"
          The incident remained in the annals of the camp.
          Many salute to the courage of the brave Capt.
          Azaredo, who does not hesitate to disclose: "It is
          true that Naik was punished -- that only goes in
          favour of the Indian Army, which always respected
          the articles of the Geneva Convention".

The captivity lasts for six months, "thanks to the stupid
stubbornness of Lisbon". The negotiations drag on, not least
because Salazar orders the detention of 12,00 Indians in
Mozambique, who become a bargaining counter.

Finally, on the 6th of May, repatriation begins: an aerial
bridge until Karachi, and then on one of three ships sent by
the Government. "I left the camp on the 12th May, on board a
French plane, with my canvas bag and my monkey".

On reaching Pakistan, he embarks on board the "Patria",
where he receives a shirt, a vest and a pair of trousers,
"for which later they requested payment or their return".

          The dictatorship, which had not shown any haste in
          liberating the prisoners, also did not show any
          satisfaction in welcoming them. "We arrived at the
          shallows of Tejo at 16:00. We anchored and we were
          only allowed to enter at 2:00 in the morning. In
          the meanwhile, they filled up the ship with
          Military Police pointing machine-pistols at us".

Astounded, the ex-prisoners cannot understand the
justification. "They told us that it was to defend us from
the ire of the populace, who wanted to lynch us for our
cowardice."

At Rocha do Conde de Óbidos, however, there is neither
violence nor recrimination. There are only hugs and tears,
from family members and friends, who fill up the dock to
welcome the ex-prisoners -- the same men whom the regime's
press had lamented for not being heroes killed in combat.

A settlement of accounts is inevitable. As a scapegoat for
the loss of the imperial jewel, the behaviour of the military
garrison is analysed in light of a mere Disciplinary
Regulation. Instead of tribunals, lawyers and judges, the
case is handed over to generals and bureaucrats, without
having any rights to defence.

          The verdict is known in March 1963. The sanctions
          are severe: 10 officers are expelled from the Armed
          forces, starting with Vassalo e Silva; compulsory
          retirement for five; half a year's suspension from
          military service for nine. There is no appeal. The
          heavy hand of punishment almost makes other
          officers ignore possible citations and promotions,
          some being posthumous.

Azaredo has never forgotten the humiliation and the
arbitrariness of it all. "All this increased a feeling in me
of profound revolt against Salazar and against his narrow and
anti-national politics" and that leads him to participate in
the coup of 25th April.

In September 1974, Carlos Azaredo comes across Goa again,
this time to preside over the commission to review the "case
of India". In his direct and fearless manner, he proposes the
annulment, pure and simple, of all the punishment imposed and
the reintegration of the military personnel. "It was the only
form of applying justice rapidly". The proposal is approved
by the democratic agencies in power. The legal decree is
published on 19th December 1974 -- exactly 13 years after the
end of the Portuguese State of India.

For the original story in Portuguese and photographs, please
visit:
http://semanal.expresso.pt/revista/artigos/interior.asp?edicao=1519&id_artigo=ES44188

Translator's Notes:

1. The military terms used are approximate as they are
unfamiliar to the translator. Any corrections are welcome.

 

Juniper Hardening Procedure

DOWNLOAD – Juniper device hardening

Introduction

Rationale

An out-of-box firewall implementation is not fully secure and needs to be hardened. This document details the various aspects of Juniper firewall security and standards implemented for securing Juniper firewalls.

Purpose

This document defines a baseline security standard for Juniper Firewall implementations by firewall administrators.

Scope

These security standards cover the Juniper Firewall Screen OS implementation.

However, for some setups, this minimum requirement and some features of these standards may not be practical for implementation. For exceptions, the system administrators must document the reasons for not complying fully with these standards and request an exemption from the Security department.

Audience

Firewall administrators bear the primary responsibility of implementing these standards. During their reviews and inspections, auditors must use this document to verify standards compliance.

Business managers can read the rationale behind each of the points in the standards to gain an understanding of the importance of applying it to their environments.

Implementation

The Juniper Firewall administrators must use these standards to build the installation and operational procedures.

Juniper Firewall Security Overview

This section gives a very brief overview of various aspects of Juniper Firewall security. The hardening details for each aspect are present in the subsequent sections of the document.

The Juniper Firewall operating security environment consists of various aspects:

  • Device & ScreenOS initial setup

  • Device Configuration

  • Device Management

  • User management

  • Services

  • System access

  • System logging and monitoring

  • Policy logging and monitoring

Device and ScreenOS Setup

The security of a Juniper ScreenOS firewall starts with a secure setup. The factors that influence this include using the correct ScreenOS version.

Properly Identify Device for Physical Tampering

The outside packaging must not show damage or evidence that unauthorized persons have opened it. If the cardboard shows damage that would allow the device to be unpacked or exchanged, this may be evidence of tampering.

Each packed box arrives with custom tape to indicate that Juniper or an authorized manufacturer packaged the device. The tape is unique, with the word “Juniper” printed repeatedly along its length. If the tape is not present, this may be evidence of tampering.

The internal packaging must not show damage or evidence of tampering. The plastic bag should not have a large hole, and the label that seals the plastic bag should not be detached or missing. Any damage to the bag or the seal may be evidence of tampering.

Verify correct version of hardware and software

To verify that the product received is the correct version of hardware and software, run the following command from the CLI:

get system

The output of this command includes two key items, hardware version and software version. The hardware and software versions must match the common criteria security target to be in full compliance with the common criteria evaluated configuration.

The firewalls come with pre-installed Screen OS software. However, the Screen OS software versions installed on the devices might vary depending on the manufacturing time of the security appliances.

Upgrading a Juniper Firewall

The correct Screen OS software image needs to be loaded on to the security appliance.

Before the ScreenOS software image can be loaded, configure the manage interface through which the image is downloaded from the TFTP server to the security appliance. The following commands configure the zone and IP address of the manage interface.

set interface interface-name zone trust

set interface interface-name ip ip-address

Note: interface-name should be the name of the actual interface connected to the PC serving as the TFTP server; through this interface the security appliance communicates with the TFTP server. For the 5-series devices, interface trust (bound to the security zone trust by default) can be used. For the Juniper NetScreen-204 and 208, use interface ethernet1. For the Juniper NetScreen-500, interface ethernet1/1 in the security zone trust can be used in place of interface-name. High-end appliances including the Juniper NetScreen-ISG2000 and ISG1000 can use ethernet1/1. The Juniper NetScreen-5200 and NetScreen-5400 can use interface ethernet2/1.

The ip-address should be a valid IP address, which can be in the same subnet as the TFTP server or in a different one.

Once configured, use the following command to download the ScreenOS image from the TFTP server to the security appliance:

save software from tftp tftp-server-ip screenos-image to flash

where tftp-server-ip is the IP address of the PC serving as the TFTP server on which the ScreenOS software images reside, and screenos-image is the relative path to the ScreenOS software image file, including the file name itself.

For example, if the ScreenOS image for the Juniper NetScreen-5GT device is “ns5gt.5.4.0r4.0” and resides on the TFTP server (with IP address 10.155.95.253) under the directory /tftpboot/screenos-image/5.4/, the command is:

save software from tftp 10.155.95.253 /tftpboot/screenos-image/5.4/ns5gt.5.4.0r4.0 to flash

The download takes a few minutes. When it completes, the security appliance returns to the CLI prompt and requires a reboot. Issue the command reset and answer the prompts as shown below to finish loading the image onto the security appliance and restore the factory default configuration.

reset

Configuration modified, save? [y]/n n

System reset, are you sure? y/[n] y

The security appliance will return to the login prompt. At this time, the security appliance has been completely loaded with the proper Screen OS software version.

Screen OS Upgrades

Update the firewalls’ ScreenOS with the vendor-recommended updates on a quarterly basis.

Device Configuration

Restore default settings

Restore the firewall to the factory default operation mode and configuration before putting the appliance into a different operation mode, including Transparent Authenticated mode (a.k.a. Transparent VPN mode) or NAT/Route Authenticated mode (a.k.a. NAT/Route VPN mode), or before performing any configuration for specific testing.

Use the commands unset all and reset, with the following answers, to restore the default operation mode and configuration of the appliance.

unset all

Erase all system config, are you sure y/ [n]? Y

reset

Configuration modified, save? [y]/n n

System reset, are you sure? y/[n] y

Set accurate date and time

Use the following command to ensure that the date and time stamps on audit messages are accurate:

set clock mm/dd/yyyy hh:mm

Setting the Operation Mode

To determine which operation mode the Juniper firewall is in, use the following command.

get system

“System in NAT/Route mode” indicates that it is operating in NAT/Route mode.

“System in transparent mode” indicates that it is operating in transparent mode.

All security appliances are, by default, configured in NAT/Route mode without VPN.

To ensure that a security appliance is in a mode compliant with the Common Criteria EAL4 evaluated configuration, follow one of the following three sets of steps depending on the desired configuration:

  • Unauthenticated NAT/Route Mode

  • Authenticated NAT/Route Mode, using either a Route-Based VPN or a Policy-Based VPN

  • Authenticated Transparent Mode

Authenticated NAT/Route Mode

Configure the firewall in authenticated NAT/Route Mode using either a Route-based VPN or Policy-based VPN. You can configure both Route-based VPN and Policy-based VPN in authenticated NAT/Route mode.

Only Manual Key is supported in the Evaluated Configuration, i.e. AutoKey cannot be used. Take care in selecting Manual Key values such that they follow the same rules as administrative passwords. Distribute the manual keys using a secure method to ensure that they are not publicly accessible.

Route-Based VPN

Configure the respective security appliance with a Route-based VPN in authenticated NAT/Route mode.

Policy-Based VPN

Configure the respective security appliance with a Policy-based VPN in authenticated NAT/Route mode.

Firewall Naming Convention

Branch Firewalls: (Naming convention not set)

Data Center Firewalls: (Naming convention not set)

Configuring Screen Options

Security appliances must enable screening against all types of Denial of Service (DoS) attacks and attack signatures on every security zone, to prevent these attacks from reaching the network.

To view the default screening options for a particular security zone, issue the following command.

get zone zone-name screen

By default, the following screening options are enabled for the Untrust/V1-Untrust security zone (and the interfaces in the Untrust/V1-Untrust zone) in Screen OS 5.0:

Tear-drop Attack Protection on

SYN Flood Protection (200) on

Alarm Threshold: alarm-threshold

Queue Size: Q-size

Timeout Value: 20

Source Threshold: src-threshold

Destination Threshold: dst-threshold

Drop unknown MAC (transparent mode only): off

Ping-of-Death Protection on

Source Route IP Option Filter on

Land Attack Protection on

Alarm-threshold, Q-size, src-threshold, and dst-threshold are platform dependent as specified in the table below.

For the Trust/V1-Trust and DMZ/V1-DMZ zones (and the interfaces in Trust and DMZ zone), no screen options are enabled by default.

Screen function only generate alarm without dropping packet: OFF

To disable all the default screening options for the zone Untrust/V1-Untrust, the following commands are used:

unset zone untrust screen tear-drop

unset zone untrust screen syn-flood

unset zone untrust screen ping-death

unset zone untrust screen ip-filter-src

unset zone untrust screen land

The following displays when the security zone has no screening options enabled:

“Screen function only generate alarm without dropping packet: OFF”

The following CLI commands enable all screens on a per-zone basis (each is applied to all interfaces within that zone):

set zone zone-name screen block-frag

set zone zone-name screen component-block

set zone zone-name screen fin-no-ack

set zone zone-name screen icmp-flood

set zone zone-name screen icmp-fragment

set zone zone-name screen icmp-large

set zone zone-name screen ip-bad-option

set zone zone-name screen ip-filter-src

set zone zone-name screen ip-loose-src-route

set zone zone-name screen ip-record-route

set zone zone-name screen ip-security-opt

set zone zone-name screen ip-spoofing

set zone zone-name screen ip-stream-opt

set zone zone-name screen ip-strict-src-route

set zone zone-name screen ip-sweep

set zone zone-name screen ip-timestamp-opt

set zone zone-name screen land

set zone zone-name screen limit-session

set zone zone-name screen mal-url code-red

set zone zone-name screen ping-death

set zone zone-name screen port-scan

set zone zone-name screen syn-ack-ack-proxy

set zone zone-name screen syn-fin

set zone zone-name screen syn-flood

set zone zone-name screen syn-frag

set zone zone-name screen tcp-no-flag

set zone zone-name screen tear-drop

set zone zone-name screen udp-flood

set zone zone-name screen unknown-protocol

set zone zone-name screen winnuke

The above commands must be run for both the internal and external zones (i.e. Trust and Untrust) to protect the internal and external networks. When the security appliance runs in NAT/Route mode, run the above commands for the security zones Trust and Untrust.

When the security appliance runs in “Transparent” mode, (including Transparent Authenticated mode), run the above commands for security zones V1-Trust and V1-Untrust.

You must run the same commands (as above) for each additional security zone.

When the security appliance operates in NAT/Route mode (including NAT/Route Unauthenticated and NAT/Route Authenticated mode), enable dropping of packets that have no source IP address, or that have a non-routable source IP address, by using the following command.

set zone zone-name screen ip-spoofing drop-no-rpf-route

“zone-name” is the name of the security zone, such as Trust or Untrust.

For instance, when the security appliance is in NAT/Route mode, issue the following commands to enable this packet-dropping capability for the security zones Trust and Untrust.

set zone trust screen ip-spoofing drop-no-rpf-route

set zone untrust screen ip-spoofing drop-no-rpf-route

Execute the same command (as above) for any other Layer-3 security zones that are used. When changing the HTTP blocking option, the change applies only to sessions newly created after the blocking option is set.
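An audit of the screen options described above, as an added example that is not part of the original standard: it reads `set zone ... screen ...` lines (in the quoted form a configuration dump prints or the bare form typed at the CLI, honouring later `unset` lines), and reports per zone which of the required screens, and in NAT/Route mode the `ip-spoofing drop-no-rpf-route` option, are still missing. The configuration excerpt is constructed for the example.

```python
import re

# Screen options this standard requires on every security zone (the
# "set zone zone-name screen ..." list above).
REQUIRED_SCREENS = [
    "block-frag", "component-block", "fin-no-ack", "icmp-flood",
    "icmp-fragment", "icmp-large", "ip-bad-option", "ip-filter-src",
    "ip-loose-src-route", "ip-record-route", "ip-security-opt", "ip-spoofing",
    "ip-stream-opt", "ip-strict-src-route", "ip-sweep", "ip-timestamp-opt",
    "land", "limit-session", "mal-url code-red", "ping-death", "port-scan",
    "syn-ack-ack-proxy", "syn-fin", "syn-flood", "syn-frag", "tcp-no-flag",
    "tear-drop", "udp-flood", "unknown-protocol", "winnuke",
]

# Layer-3 zones must additionally drop packets with no reverse route.
RPF_OPTION = "ip-spoofing drop-no-rpf-route"

# Zones to audit for each operation mode named in the standard.
ZONES_BY_MODE = {
    "NAT/Route": ["trust", "untrust"],
    "transparent": ["v1-trust", "v1-untrust"],
}

# Matches both the quoted zone name a configuration dump prints and the bare
# name typed at the CLI; 'unset' lines remove the option again.
SCREEN_LINE = re.compile(r'^(set|unset) zone "?([\w-]+)"? screen (.+?)\s*$')


def parse_screens(config_text):
    """Return {zone: set of enabled screen options}, applying set/unset in order."""
    screens = {}
    for raw in config_text.splitlines():
        m = SCREEN_LINE.match(raw.strip())
        if not m:
            continue  # not a screen line (e.g. 'set clock ...')
        verb, zone, option = m.group(1), m.group(2).lower(), m.group(3)
        zone_opts = screens.setdefault(zone, set())
        if verb == "set":
            zone_opts.add(option)
        else:
            zone_opts.discard(option)
    return screens


def audit(config_text, mode):
    """For each zone the mode requires, list the screen options still missing."""
    present = parse_screens(config_text)
    required = list(REQUIRED_SCREENS)
    if mode == "NAT/Route":
        required.append(RPF_OPTION)
    report = {}
    for zone in ZONES_BY_MODE[mode]:
        have = present.get(zone, set())
        report[zone] = sorted(opt for opt in required if opt not in have)
    return report


def _screen_lines(zone, options):
    return "\n".join(f'set zone "{zone}" screen {opt}' for opt in options)


# Constructed configuration excerpt for this example (not a real device dump):
# Trust has everything except winnuke; Untrust still carries only the Screen OS
# 5.0 defaults listed above, and an operator has switched one of them off.
SAMPLE_CONFIG = "\n".join([
    "set clock timezone 0",
    _screen_lines("Trust", [o for o in REQUIRED_SCREENS if o != "winnuke"]),
    f'set zone "Trust" screen {RPF_OPTION}',
    _screen_lines("Untrust", ["tear-drop", "syn-flood", "ping-death",
                              "ip-filter-src", "land"]),
    'unset zone "Untrust" screen land',
])

if __name__ == "__main__":
    for zone, missing in audit(SAMPLE_CONFIG, "NAT/Route").items():
        print(f"{zone}: {len(missing)} missing -> {', '.join(missing) or 'none'}")
```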

Configuring IP Spoofing Protection

Configure IP spoofing protection with the screen option “ip-spoofing”, as described above in the section “Configuring Screen Options”. This includes intrazone configurations where VPN traffic is on the same zone as the decrypted traffic. However, depending on the configuration implemented (especially interzone), the following additional steps are required to be adequately protected against IP spoofing attacks.

The following guidance for Authenticated NAT/Route mode and Authenticated Transparent mode should supplement the guidance provided in the previous section “Setting a Policy to Permit Traffic”.

“IP-Spoofing” Screen is bypassed – a set of addresses and policies need to be defined to allow only traffic permitted, excluding spoofed IP addresses.

When operating in Authenticated NAT/Route mode or Authenticated Transparent mode, the “IP-spoofing” screen option is “bypassed”. Therefore, define a set of addresses and policies to allow traffic, excluding spoofed IP addresses.

Device Management

This section provides details on securing the management aspects of the firewall device.

Securing Administrator Traffic On Device

Four steps are required to secure the device administrator traffic:

  1. Define the permitted IP addresses for administrator clients (Manager-IP address)

  2. Define interface-specific options

    1. Define Manage IP address for interfaces

    2. Turn off unnecessary management services

  3. Change port numbers for administrator services

Disable Internal Commands

The firewall administrator must disable internal commands. The usage of internal commands applies only for troubleshooting and debugging purposes.

To disable internal commands, you must run the following command:

set common-criteria no-internal-commands

To use internal commands (e.g. ‘debug flow basic’, ‘get dbuf stream’ and ‘debug ids sat’) for troubleshooting and debugging purposes, use the following command:

unset common-criteria no-internal-commands

Note: The internal command ‘debug ids sat’ applies only to ISG-1000, ISG-2000, NS-5200 and NS-5400.

Disable Telnet for Device Management

The use of Telnet is discouraged on the Juniper firewalls. Use SSH version 2.0 for managing the Juniper firewall. To do this:

  • Disable Telnet on the management interface

  • Enable SSH

Control Unauthorized Hardware Resets

To disable recovery via login, use the following command:

unset admin device-reset

To disable recovery via pinhole, use the following command:

unset admin hw-reset

When these are disabled, a firewall administrator needs to re-enable the respective reset in order to perform any activity that requires rebooting the firewall.

Restricting Remote Access

Management access must be limited to the locally connected console port as opposed to the factory default settings.

To limit management access to the console port, the interface that is by default in the V1-Trust or Trust security zone needs to have management access turned off.

All other interfaces have management access turned off by default.

To disable management on the interface, issue the following CLI command:

unset interface interface-name manage

User Management

Security appliance administrators must choose login names and passwords that are at least eight characters long and employ as many types of characters as possible. Mixing lower case and upper case is required to ensure proper protection. In addition, easily guessable usernames and passwords are not secure.

Security appliances ship with a default username and password of “netscreen”. Change the default as soon as possible to prevent unauthorized access.

The recommended time between password changes is no longer than 30 days to mitigate the effects of a compromised administrator identity.

Setting/Changing Password Length Restrictions

To ensure that passwords of eight characters or more are always used, you must first set the following command:

set admin password restrict length password-length

where password-length is a decimal value greater than or equal to 8 and less than or equal to 31. The value must also comply with the password policy.

Setting/Changing Administrator Name and Password

The following CLI commands, in order, are required to set a new administrator name and password:

set admin name name-string

set admin password password-string

where name-string and password-string are replaced with the actual login name and password of the administrator.

Policy Management

Remove Permissive Default Policy

The firewall might have a default policy that allows traffic to traverse the device from the interface in the Trust zone to the interface in the Untrust zone. Delete this default policy to avoid inadvertently allowing information to traverse the device. Use the CLI command:

unset policy id 1

Log Denied Traffic

By default, the security appliance drops any traffic that does not match a “permit” policy. Therefore, add a policy to the end of the policy list to log denied traffic, which matches no other policy:

set policy id pol-id from src-zone to dst-zone any any any deny log count

where pol-id is the policy ID, and src-zone and dst-zone are, respectively, the source zone from which the traffic comes and the destination zone at which the traffic arrives.

For every security zone that has a network interface assigned to it, add the above policies to the end of the policy tables to ensure that dropped traffic is logged.

set policy id pol-id from trust to untrust any any any deny log count

set policy id pol-id from untrust to trust any any any deny log count

set policy id pol-id from trust to dmz any any any deny log count

set policy id pol-id from dmz to trust any any any deny log count

Setting a Policy To Permit Traffic

Two important steps to take when creating a security policy:

  • Enable counting and logging to maintain audit log information for traffic passing through the device.

  • Be specific, to ensure that permitted traffic is intentional and not part of a generic policy.

Use specific source IP address (src-addr), destination IP address (dst-addr), source zone (src-zone), destination zone (dst-zone), protocol, and service (servicename) if feasible. One example where it may not make sense to be specific is for traffic destined for an external network for general web access.

After creating and configuring the source and destination addresses, configure the policy with counting and logging using the following command:

set policy id id-num from src-zone to dst-zone src-addr dst-addr servicename action log count

where id-num is the decimal number representing the policy ID, and action is either permit, to allow the specified service to pass from the source address across the security appliance to the destination address, or deny, to block the service from passing through the security appliance.

Ordering Policies

The order of policies is important, as policies match in order beginning with the first one in the policy list and moving through the list. The first matching policy applies to network traffic to determine the action taken. By default, a newly created policy appears at the bottom of a policy list.

There is an option that allows you to position a policy at the top of the list instead. In the CLI, add the keyword top to the set policy command. For example:

set policy id 6 top from trust to untrust trust-HostA untr-NetworkB http permit log

The newly created policy can also be positioned at any location in the policy list by adding the keyword before, followed by the ID of an existing policy, to the set policy CLI command.

For example:

set policy id 4 before 98 from untrust to trust untr-NetworkB trust-HostA ftp permit log

If global policies are used, note that a zone-specific policy such as the one above still executes prior to any global policy. A global deny policy can also be used; it must be added at the end of the global policy list:

set policy global id pol-id any any any deny log count
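A small model of the first-match evaluation described in “Ordering Policies” and “Log Denied Traffic”, as an added example that is not part of the original standard: it accepts the `set policy` command forms shown above (including `top`, `before` and `global`), evaluates a packet against zone policies, then global policies, then the implicit unlogged deny, and flags policies that an earlier policy for the same zone pair makes unreachable. The command list and packets are constructed for the example.

```python
import re
from dataclasses import dataclass

# Accepts the command forms used in this standard; other syntax is rejected.
POLICY_RE = re.compile(
    r"^set policy (?P<global>global )?id (?P<id>\d+)"
    r"(?: (?P<top>top)| before (?P<before>\d+))?"
    r"(?: from (?P<sz>\S+) to (?P<dz>\S+))?"
    r" (?P<src>\S+) (?P<dst>\S+) (?P<svc>\S+) (?P<action>permit|deny)"
    r"(?P<flags>(?: (?:log|count))*)$"
)


@dataclass
class Policy:
    pid: int
    src_zone: str  # "global" for a global policy
    dst_zone: str
    src: str
    dst: str
    service: str
    action: str
    log: bool

    def covers(self, pkt):
        """'any' matches everything; otherwise the address-book/service name must match."""
        if self.src_zone != "global" and (self.src_zone, self.dst_zone) != (
                pkt["src_zone"], pkt["dst_zone"]):
            return False
        return all(rule == "any" or rule == pkt[key] for rule, key in
                   ((self.src, "src"), (self.dst, "dst"), (self.service, "service")))


class PolicyTable:
    def __init__(self):
        self.zone = []  # zone-to-zone policies, in evaluation order
        self.glob = []  # global policies, evaluated after every zone policy

    def add(self, cmd):
        m = POLICY_RE.match(cmd.strip())
        if not m:
            raise ValueError(f"unrecognised policy command: {cmd}")
        pol = Policy(int(m["id"]), m["sz"] or "global", m["dz"] or "global",
                     m["src"], m["dst"], m["svc"], m["action"],
                     "log" in m["flags"].split())
        table = self.glob if m["global"] else self.zone
        if m["top"]:
            table.insert(0, pol)
        elif m["before"]:
            idx = next((i for i, p in enumerate(table) if p.pid == int(m["before"])), None)
            if idx is None:
                raise ValueError(f"policy id {m['before']} not found")
            table.insert(idx, pol)
        else:
            table.append(pol)  # default: bottom of the list
        return pol

    def evaluate(self, pkt):
        """(policy id, action, logged) of the first match, else the implicit unlogged deny."""
        for pol in self.zone + self.glob:
            if pol.covers(pkt):
                return pol.pid, pol.action, pol.log
        return None, "deny", False

    def shadowed(self):
        """Ids of zone policies that can never match: an earlier policy for the
        same zone pair already covers every packet they would see."""
        def wider(a, b):
            return a == "any" or a == b
        out = []
        for i, later in enumerate(self.zone):
            for earlier in self.zone[:i]:
                if ((earlier.src_zone, earlier.dst_zone) == (later.src_zone, later.dst_zone)
                        and wider(earlier.src, later.src) and wider(earlier.dst, later.dst)
                        and wider(earlier.service, later.service)):
                    out.append(later.pid)
                    break
        return out


def packet(src_zone, dst_zone, src, dst, service):
    return {"src_zone": src_zone, "dst_zone": dst_zone, "src": src, "dst": dst,
            "service": service}


# Constructed command sequence: the deny-log catch-all for untrust->trust is
# created first, later policies are placed with 'top' and 'before', and
# policy 30 is appended behind the catch-all, where it can never match.
SAMPLE_CLI = [
    "set policy id 98 from untrust to trust any any any deny log count",
    "set policy id 10 from trust to untrust trust-HostA any http permit log count",
    "set policy id 6 top from trust to untrust trust-HostA untr-NetworkB http permit log",
    "set policy id 4 before 98 from untrust to trust untr-NetworkB trust-HostA ftp permit log",
    "set policy id 30 from untrust to trust any any ftp permit log",
    "set policy id 20 from trust to untrust any any any deny log count",
]


def build(commands, with_global_deny=True):
    table = PolicyTable()
    for cmd in commands:
        table.add(cmd)
    if with_global_deny:
        table.add("set policy global id 200 any any any deny log count")
    return table


if __name__ == "__main__":
    t = build(SAMPLE_CLI)
    print("order:", [p.pid for p in t.zone], "shadowed:", t.shadowed())
    print(t.evaluate(packet("untrust", "trust", "untr-NetworkB", "trust-HostA", "ftp")))
```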

System Logging and Monitoring

Configuring Syslog

You should configure a syslog server as a backup for security audit information and for long-term audit log storage. This helps prevent loss of security audit information.

The specific commands required to set up a syslog server are:

set syslog config ip-address facilities local0 local0

set syslog config ip-address port 514

set syslog config ip-address log traffic

set syslog enable

set log module system level level-name destination syslog

where ip-address is the actual IP address of the syslog server and level-name is the severity level of the log.

Note: You must enter the set log command once for each message level.

The options for level-name are listed below:

emergency

alert

critical

error

warning

notification

information

debugging

Events to be Logged

The system logs contain historic firewall events and usage information, used for debugging system malfunctions and forensic investigations. Hence, log all critical information. Configure syslog to log the following on each firewall:

  • Each login and logoff

  • Firewall start-up and shutdown

  • Complete session

  • User and group account administration

  • Hardware failures

Log Retention and Archival

A complete audit trail of a process is often required for a security investigation or for troubleshooting. Hence, retain the firewall logs locally for a defined number of days. Enough storage space must be allotted to handle this. In addition, very strict access control must be implemented on the stored logs.

The log files must be archived offline. Appropriately protect the archived logs so that unauthorized users do not access them.

Protection of Log Files

If a malicious user manages to modify the log files and remove traces of an attack, no investigation can be conclusive. In addition, logs must be kept for extended periods to provide an audit trail. Hence, protect log files against tampering and store them securely.

Session Activity Logs for Privileged Users

Privileged users have total control over the firewall. Log every activity performed on the firewall by these users.

Periodic Monitoring

To maintain the security level of the Juniper firewalls, monitor them on a regular basis. Perform the monitoring tasks listed below on a periodic basis.

Configuring Audit Loss Mitigation

There are cases where more auditable events can occur than the security appliance is able to write to a syslog server. The security appliance must stop further auditable events from occurring until the audit trail is able to handle more traffic. An authorized administrator must enable the following command:

set log audit-loss-mitigation

Logging Permitted Packets

To log permitted packets passing through the device, enable the logging option on all authenticated and/or unauthenticated traffic policies.

In this document, all permit policies include the keyword log, to create traffic log entries for permitted traffic.

Permitted-traffic log entries are created upon completion of the application session.

You can use the following command to view the overall traffic logs, or specific policy’s traffic log:

get log traffic

get log traffic policy id

Logging Dropped Packets

To log dropped packets that terminate on any of the device interfaces, you must enable the following command:

set firewall log-self

To log authenticated dropped packets, you must add the log keyword to the first policy associated with a VPN tunnel. Packets that do not match any of the policies associated with the tunnel are “dropped”. The log entries for these dropped packets are linked with the highest-priority policy (first in the ‘get policy all’ list) associated with the tunnel and the traffic flow direction.

Firewall Management Idle Timeout

Command Line Interface

Protect management via the console port by setting an idle timeout. By default, console and Telnet sessions time out after 10 minutes of inactivity. Never set the timeout value to zero.

To verify, execute the command:

get console

Web User Interface (WebUI)

The WebUI timeout, like the console timeout, defaults to 10 minutes. When changing the WebUI timeout, specify the number of minutes (between 1 and 999) of idle time before the browser session is closed. Select the “Enable Web Management Idle Timeout” check box. Do not clear it.

Security Manager

Edit Device > Device Admin > Web Management

Permitted IP Addresses

Configure Juniper Networks devices to accept management requests only from trusted sources. Define a list of permitted IP addresses. Each permitted IP address includes a mask parameter specified as a dotted-decimal value, so entries can be hosts or subnets. NOTE: You are limited to six entries.

CLI

set admin manager-ip address [mask]

WebUI

Configuration >Admin > Permitted IPs

Security Manager

Edit Device > Device Admin > Permitted IPs > Add

Daily Monitoring Tasks

  • Three or more consecutive failed login attempts

  • Syslog events with levels – critical, alert or emergency

  • Unauthorized addition and deletion to user accounts and groups

  • Changes / Unauthorized changes made

  • Unauthorized access attempts

Weekly Monitoring Tasks

  • Correct operation of syslog daemon

  • All resource (CPU, memory) usage exceeding pre-defined thresholds (based on capacity planning figures)

Monthly Monitoring Tasks

  • Firewall patch levels

  • Firewall reboots

  • Disk space usage

  • Account group membership changes

  • Verification of backups

Bi Yearly Monitoring Tasks

  • Perform Physical audit

The Juniper Firewall administrators must perform these monitoring tasks. Report any discrepancy from normal operation to the appropriate department.
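A detector for two of the daily monitoring tasks above (three or more consecutive failed login attempts, and events at level critical, alert or emergency), as an added example that is not part of the original standard. The line layout `<date> <time> <firewall-name> <level>: <message>` and the log lines are constructed for the example and are not a real Screen OS syslog format; only the severity names follow the standard's level-name list.

```python
import re

# Severity names exactly as the standard lists them for level-name, most severe first.
LEVELS = ["emergency", "alert", "critical", "error", "warning",
          "notification", "information", "debugging"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed line layout used by this example (not a real Screen OS syslog format):
#   <date> <time> <firewall-name> <level>: <message>
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) ([a-z]+): (.*)$")
FAILED_LOGIN = re.compile(r"login failed", re.IGNORECASE)
SUCCESS_LOGIN = re.compile(r"logged in", re.IGNORECASE)


def parse_line(line):
    """Split one log line into its fields; return None for lines we cannot trust."""
    m = LINE_RE.match(line.strip())
    if not m or m.group(3) not in RANK:
        return None
    return {"time": m.group(1), "host": m.group(2), "level": m.group(3), "msg": m.group(4)}


def daily_review(lines, fail_threshold=3, escalate_at="critical"):
    """Apply the daily monitoring checks from the standard to a batch of syslog lines.

    Returns a list of (kind, firewall, detail) findings:
      'failed-logins' - fail_threshold consecutive failed logins on one firewall
      'severity'      - an event at escalate_at or more severe
      'unparsed'      - a line the parser rejected (a broken syslog feed is itself
                        one of the weekly checks, so these are worth a look)
    """
    findings = []
    streak = {}  # firewall -> consecutive failed logins since the last success
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            findings.append(("unparsed", None, line))
            continue
        # Lower rank means more severe, so escalate at or below the threshold rank.
        if RANK[ev["level"]] <= RANK[escalate_at]:
            findings.append(("severity", ev["host"], f'{ev["level"]}: {ev["msg"]}'))
        if FAILED_LOGIN.search(ev["msg"]):
            streak[ev["host"]] = streak.get(ev["host"], 0) + 1
            if streak[ev["host"]] == fail_threshold:
                findings.append(("failed-logins", ev["host"],
                                 f"{fail_threshold} consecutive failed logins"))
        elif SUCCESS_LOGIN.search(ev["msg"]):
            streak[ev["host"]] = 0  # a successful login ends the run
    return findings


# Constructed sample log: three straight failures on fw-branch-01, failures on
# fw-dc-01 broken up by a successful login, one critical event, and a line
# the parser cannot read.
SAMPLE_LOG = """\
2024-03-04 08:00:01 fw-branch-01 information: admin 'ops' logged in from 10.1.1.20
2024-03-04 08:05:10 fw-branch-01 warning: login failed for user 'netscreen' from 198.51.100.7
2024-03-04 08:05:12 fw-branch-01 warning: login failed for user 'netscreen' from 198.51.100.7
2024-03-04 08:05:13 fw-dc-01 warning: login failed for user 'root' from 203.0.113.9
2024-03-04 08:05:15 fw-branch-01 warning: login failed for user 'netscreen' from 198.51.100.7
2024-03-04 08:05:20 fw-dc-01 information: admin 'ops' logged in from 10.1.1.20
2024-03-04 08:05:25 fw-dc-01 warning: login failed for user 'root' from 203.0.113.9
2024-03-04 08:10:00 fw-dc-01 critical: NSRP failover, vsd group 0 became master
2024-03-04 08:10:05 fw-dc-01 error: syslog connection to 10.1.1.50 reset
this line is not in the expected format
"""

if __name__ == "__main__":
    for kind, host, detail in daily_review(SAMPLE_LOG.splitlines()):
        print(f"{kind:14} {host or '-':14} {detail}")
```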

Firewall Protection

Disaster Recovery Plan (DRP)

In order to provide protection against system failures, there has to be a tested and approved DRP. This should include the backup policy and contingency arrangements.

The DRP for each Juniper Firewall must be ready by the time the firewall enters the production environment.

There must be a planned and bi-yearly Disaster Recovery Drill to ensure that the DRP is maintained and updated.

Physical Security of Juniper Firewall installation

Physical security deals with all the security aspects of the premises where the firewalls are installed.

  • Secure the physical location of the Juniper firewalls to guarantee operational continuity, protection against natural and fabricated disasters, and prevent loss of Information Assets.

  • The Juniper firewalls must have uninterrupted and clean power supply, and operating conditions as recommended by the hardware vendors.

Fault Tolerance

To ensure that failure of one firewall does not halt operations, each Juniper Firewall must use NSRP / HA for redundancy.

Backup

Ensure that, in case of data failure, manipulation or data loss, system operations can be restored to the previous working state as quickly as possible.

  • Back up the data on each firewall using the standard operating procedures, so that in case of failure, data recovery conforms to the SLA with the Business.

  • Proper media labeling and protection should be implemented to ensure that media is not accidentally or deliberately overwritten.

  • Verify the backup regularly by doing random restoration checks.

  • The storage and retention of the computer media must be as per the manufacturer’s recommendations.

  • On expiry, the media should be disposed of securely, ensuring that no data extraction is possible.

Separation of test and Production environment

The test and development environment is usually set up with loose security controls. To keep these weaker controls from affecting production, separate the Juniper production firewalls from the test and development setup.

Irrespective of the settings and controls applied on test and development firewalls, the production firewalls must be hardened as per the Juniper Firewall security standards.

Do not create test user accounts on the Production firewalls.

There should be a secure connection from the test firewalls to the production firewalls.

Do not use data passing from production to the test environment without desensitizing it.

Change Management

The Juniper firewalls must also adhere to the Change Management (CM) policy. The system administrators must ensure that every change goes through the appropriate CM process.

Service Level Agreements for Screen OS and hardware support

For continuity of operation, protect the firewalls from extended downtimes due to Screen OS malfunctioning or hardware failure.

Each Juniper Firewall must have an SLA for Screen OS support (patches, troubleshooting, etc.) from an authorized Juniper Firewall vendor. Ensure that the firewall hardware is also supported by an SLA with the respective product vendors.

Protection of firewalls not kept in the Data Center

Not all Juniper firewalls are located in the Data Center. Many are deployed at remote sites or housed in other locations with less protection, such as labs or outstations. Hence, the respective teams must ensure that such firewalls have adequate access control and physical protection implemented.

Documentation

The system administration and operations team must have complete documentation of the Juniper Firewall setup. This must include (but is not limited to):

  • Installation procedure

  • Security settings

  • Operating procedures

  • Firewall configurations for each firewall

  • Details of users for each firewall, with access rights

  • Disaster Recovery Procedures for each firewall

  • Regularly update the documentation.

The security appliance will return to the login prompt. At this time, the security appliance
has been completely loaded with the proper Screen OS software version.
Screen OS Upgrades
Update the firewalls’ Screen OS with the vendor recommended updates as part of quarterly.
DEVICE CONFIGURATION
Restore default settings
Restore the firewall to the default manufacturing operation mode and configurations before
putting the appliance in a different operation modes including Transparent Authenticated
mode (a.k.a. Transparent VPN mode) or NAT/Route Authenticated mode (a.k.a. NAT/Route
VPN mode) or before performing any configurations for any specific testing.
Use the commands unset all and reset along with the following answers to restored the
default operation mode and configurations for the appliance.
unset all
Erase all system config, are you sure y/ [n]? Y
reset
Configuration modified, save? [y]/n n
Physical and Environmental Security – Juniper Hardening Procedure
Page 4 of 21System reset, are you sure? y/[n] y
Set accurate date and time
Enable the following command to ensure that the date and time stamps used on audit
messages are accurate:
set clock mm/dd/yyyy hh:mm
Setting the Operation Mode
To determine which operation mode the juniper firewall is, use the following command.
get system
“System in NAT/Route mode” indicates it is operating in NAT/Route mode
“System in transparent mode” indicates it is operating in transparent mode.
All security appliances are, by default, configured in NAT/Route mode without VPN.
To ensure that a security appliance is in a mode compliant with the Common Criteria EAL4
evaluated configuration, follow one of the following three sets of steps depending on the
desired configuration:
Unauthenticated NAT/Route Mode
Authenticated NAT/Route Mode
Route-Based VPN
Policy-Based VPN
Authenticated Transparent Mode
Authenticated NAT/Route Mode
Configure the firewall in authenticated NAT/Route Mode using either a Route-based VPN or
Policy-based VPN. You can configure both Route-based VPN and Policy-based VPN in
authenticated NAT/Route mode.
Only Manual Key is supported in the Evaluated Configuration, i.e. AutoKey cannot be used.
Take care in selecting Manual Key values such that they follow the same rules as
administrative passwords. Distribute the manual keys using a secure method to ensure that
they are not publicly accessible.
Route-Based VPN
Configure the respective security appliance with a Route-based VPN in authenticated
NAT/Route mode.
Policy-Based VPN
Physical and Environmental Security – Juniper Hardening Procedure
Page 5 of 21Configure the respective security appliance with a Policy-based VPN in authenticated
NAT/Route mode.
Firewall Naming Convention
Branch Firewalls: (Naming convention not set)
Data Center Firewalls: (Naming convention not set)
Configuring Screen Options
Security appliances must prevent all types of Denial of Service (DoS) and attack signatures
on every security zone to prevent these types of attacks from occurring on the network.
To view the default screening options for a particular security zone, issue the following
command.
get zone zone-name screen
By default, the screening options enabled for the Untrust/V1-Untrust security zone (and
the interfaces in Untrust/V1-Untrust zone) in Screen OS 5.0:
Tear-drop Attack Protection on
SYN Flood Protection (200) on
Alarm Threshold: alarm-threshold
Queue Size: Q-size
Timeout Value: 20
Source Threshold: src-threshold
Destination Threshold: dst-threshold
Drop unknown MAC (transparent mode only): off
Ping-of-Death Protection on
Source Route IP Option Filter on
Land Attack Protection on
Alarm-threshold, Q-size, src-threshold, and dst-threshold are platform dependent, as
specified in the table below.
For the Trust/V1-Trust and DMZ/V1-DMZ zones (and the interfaces in Trust and DMZ
zone), no screen options are enabled by default.
Screen function only generate alarm without dropping packet: OFF
To disable all the default screening options for zone Untrust/V1-Untrust, use the following
commands:
unset zone untrust screen tear-drop
unset zone untrust screen syn-flood
unset zone untrust screen ping-death
unset zone untrust screen ip-filter-src
unset zone untrust screen land
The following displays when the security zone has no screening options enabled:
“Screen function only generate alarm without dropping packet: OFF”
The following CLI command enables all screens on a per-zone basis (and is applied to all
interfaces within that zone):
set zone zone-name screen block-frag
set zone zone-name screen component-block
set zone zone-name screen fin-no-ack
set zone zone-name screen icmp-flood
set zone zone-name screen icmp-fragment
set zone zone-name screen icmp-large
set zone zone-name screen ip-bad-option
set zone zone-name screen ip-filter-src
set zone zone-name screen ip-loose-src-route
set zone zone-name screen ip-record-route
set zone zone-name screen ip-security-opt
set zone zone-name screen ip-spoofing
set zone zone-name screen ip-stream-opt
set zone zone-name screen ip-strict-src-route
set zone zone-name screen ip-sweep
set zone zone-name screen ip-timestamp-opt
set zone zone-name screen land
set zone zone-name screen limit-session
set zone zone-name screen mal-url code-red
set zone zone-name screen ping-death
set zone zone-name screen port-scan
set zone zone-name screen syn-ack-ack-proxy
set zone zone-name screen syn-fin
set zone zone-name screen syn-flood
set zone zone-name screen syn-frag
set zone zone-name screen tcp-no-flag
set zone zone-name screen tear-drop
set zone zone-name screen udp-flood
set zone zone-name screen unknown-protocol
set zone zone-name screen winnuke
The above commands must be run for both the internal and external zones (i.e. Trust and
Untrust) to protect the internal and external networks. When the security appliance runs in
NAT/Route mode, run the above commands for the security zones Trust and Untrust.
When the security appliance runs in Transparent mode (including Transparent
Authenticated mode), run the above commands for the security zones V1-Trust and
V1-Untrust.
You must run the same commands (as above) for each additional security zone.
When the security appliance operates in NAT/Route mode (including NAT/Route
Unauthenticated and NAT/Route Authenticated mode), enable dropping of packets that have no
source IP address, or that have a non-routable source IP address, by using the following
command:
set zone zone-name screen ip-spoofing drop-no-rpf-route
“zone-name” is the name of the security zone, such as Trust or Untrust.
For instance, when the security appliance is in NAT/Route mode, to enable this drop behaviour
for the Trust and Untrust security zones, issue the following commands:
set zone trust screen ip-spoofing drop-no-rpf-route
set zone untrust screen ip-spoofing drop-no-rpf-route
Ensure that the same command is executed for any other Layer-3 security zones that are used.
When changing the HTTP blocking option, the change applies only to sessions created after the
blocking option is set.
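The screen options and the drop-no-rpf-route setting above are things an auditor should verify on every zone rather than take on trust. The Python script below is an added example (it is not part of this procedure and not Juniper code): it parses the set/unset zone screen lines of a saved configuration, applies them in order, and reports per zone which of the 30 required screen options are missing and whether the RPF drop is enabled. The sample configuration is constructed, and the handling of quoted zone names is an assumption about the saved-config format.

```python
"""Screen-option compliance check for a saved ScreenOS configuration.

Added example, not part of the hardening procedure. It reads the
'set zone ... screen ...' and 'unset zone ... screen ...' lines of a saved
configuration, applies them in order, and reports per zone which required
screen options are missing and whether 'ip-spoofing drop-no-rpf-route' is
enabled. The sample configuration at the bottom is constructed.
"""
import re

# The 30 per-zone screen options the procedure enables with
# "set zone zone-name screen ...".
REQUIRED_SCREENS = frozenset("""
block-frag component-block fin-no-ack icmp-flood icmp-fragment icmp-large
ip-bad-option ip-filter-src ip-loose-src-route ip-record-route ip-security-opt
ip-spoofing ip-stream-opt ip-strict-src-route ip-sweep ip-timestamp-opt land
limit-session mal-url ping-death port-scan syn-ack-ack-proxy syn-fin syn-flood
syn-frag tcp-no-flag tear-drop udp-flood unknown-protocol winnuke
""".split())

# Matches e.g.  set zone "Untrust" screen syn-flood alarm-threshold 1024
#               unset zone untrust screen tear-drop
# Zone names may be quoted in saved configs (assumption); sub-options and
# thresholds land in 'rest'.
SCREEN_LINE = re.compile(
    r'^(?P<verb>set|unset) zone "?(?P<zone>[^"\s]+)"? screen '
    r'(?P<opt>[\w-]+)(?P<rest>.*)$')


def parse_screens(config_text):
    """Return {zone_lower: {option: set(sub-options)}} after applying set/unset in order."""
    zones = {}
    for raw in config_text.splitlines():
        m = SCREEN_LINE.match(raw.strip())
        if not m:
            continue
        opts = zones.setdefault(m.group("zone").lower(), {})
        opt, args = m.group("opt"), set(m.group("rest").split())
        if m.group("verb") == "set":
            opts.setdefault(opt, set()).update(args)
        elif opt in opts:
            if args:                      # unset of one sub-option, e.g. drop-no-rpf-route
                opts[opt].difference_update(args)
            else:                         # unset of the whole screen option
                del opts[opt]
    return zones


def audit_zone(zones, zone, layer3=True):
    """Missing screen options for one zone and, for Layer-3 zones, the RPF drop flag."""
    opts = zones.get(zone.lower(), {})
    return {
        "missing": sorted(REQUIRED_SCREENS - set(opts)),
        "rpf_drop": ("drop-no-rpf-route" in opts.get("ip-spoofing", set())) if layer3 else None,
    }


def audit_config(config_text, zone_names=("Trust", "Untrust"), layer3=True):
    """Audit several zones at once; returns {zone: result}."""
    zones = parse_screens(config_text)
    return {z: audit_zone(zones, z, layer3) for z in zone_names}


# Constructed sample: Untrust is fully screened; Trust is only partly done and
# one option was switched off again after being enabled.
SAMPLE_CONFIG = "\n".join(
    [f'set zone "Untrust" screen {opt}' for opt in sorted(REQUIRED_SCREENS)]
    + ['set zone "Untrust" screen ip-spoofing drop-no-rpf-route',
       'set zone "Untrust" screen syn-flood alarm-threshold 1024',
       'set zone "Trust" screen ip-spoofing',
       'set zone "Trust" screen syn-flood',
       'set zone "Trust" screen udp-flood',
       'unset zone "Trust" screen udp-flood'])

if __name__ == "__main__":
    for zone, result in audit_config(SAMPLE_CONFIG).items():
        print(zone, "rpf_drop:", result["rpf_drop"], "missing:", result["missing"])
```

Run it against the text of `get config` saved from the device; pass `layer3=False` for V1-Trust/V1-Untrust in Transparent mode, where the RPF check does not apply.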
Configuring IP Spoofing Protection
Configure IP spoofing protection with the screen option “ip-spoofing” as described above in the
section “Configuring Screen Options”. This includes intrazone configurations where VPN
traffic is in the same zone as the decrypted traffic. However, depending on the configuration
implemented (especially interzone), the following additional steps are required to be
adequately protected against IP spoofing attacks.
The following guidance for Authenticated NAT/Route mode and Authenticated Transparent
mode supplements the guidance provided in the section “Setting a Policy to Permit Traffic”.
When operating in Authenticated NAT/Route mode or Authenticated Transparent mode, the
“IP-spoofing” screen option is bypassed. Therefore, define a set of addresses and policies
that allow only the permitted traffic, excluding spoofed IP addresses.
DEVICE MANAGEMENT
This section provides details on securing the management aspects of the firewall device.
Securing Administrator Traffic On Device
Four steps are required to secure the device administrator traffic:
a) Define the permitted IP address for the client administrator (Manager-IP address)
b) Define interface-specific options
   i) Define the Manage IP address for interfaces
   ii) Turn off unnecessary management services
c) Change port numbers for administrator services
Disable Internal Commands
The firewall administrator must disable internal commands. The usage of internal commands
applies only for troubleshooting and debugging purposes.
To disable internal commands, you must run the following command:
set common-criteria no-internal-commands
To use internal commands (i.e. ‘debug flow basic’, ‘get dbuf stream’ and ‘debug ids sat’)
for troubleshooting and debugging purposes, use the following command:
unset common-criteria no-internal-commands
Note: The internal command ‘debug ids sat’ applies to the ISG-1000, ISG-2000, NS-5200 and
NS-5400.
Disable Telnet for Device Management
The use of Telnet is discouraged on the Juniper firewalls. Use SSH version 2.0 for managing the
Juniper firewall. To do this:
• Disable Telnet on the management interface
• Enable SSH
Control Unauthorized Hardware Resets
To disable recovery via login, use the following command:
unset admin device-reset
To disable recovery via pinhole, use the following command:
unset admin hw-reset
When disabled, a firewall administrator needs to re-enable the respective reset in order to
perform any activity which requires rebooting the firewall.
Restricting Remote Access
Management access must be limited to the locally connected console port as opposed to the
factory default settings.
To limit management access to the console port, the interface that is by default in the
V1-Trust or Trust security zone needs to have management access turned off.
All other interfaces have management access turned off by default.
To disable management on the interface, issue the following CLI command:
unset interface interface-name manage
USER MANAGEMENT
Security appliance administrators must choose login names and passwords that are at least
eight characters long and employ as many types of characters as possible. Mixing lower case
and upper case is required to ensure proper protection. In addition, easily guessable
usernames and passwords are not secure.
Security appliances ship with a default username and password of “netscreen”. Change the
default as soon as possible to prevent unauthorized access.
The recommended time between password changes is no longer than 30 days to mitigate
the effects of a compromised administrator identity.
Setting/Changing Password Length Restrictions
To ensure that passwords of eight characters or more are always used, you must first set the
following command:
set admin password restrict length password-length
where password-length is a decimal value greater than or equal to 8 and less than or equal
to 31. The chosen length should also follow the password policy.
Setting/Changing Administrator Name and Password
The following CLI commands, in order, are required to set a new administrator name and
password:
set admin name name-string
set admin password password-string
where name-string and password-string are replaced with the actual login name and
password of the administrator.
POLICY MANAGEMENT
Remove Permissive Default Policy
The firewall might have a default policy that allows traffic to traverse the device from the
interface in the Trust zone to the interface in the Untrust zone. Delete this default policy to
avoid inadvertently allowing information to traverse the device. Use the CLI command:
unset policy id 1
Log Denied Traffic
By default, the security appliance drops any traffic that does not match any “permit” policy.
Therefore, add a policy to the end of the policy list to log denied traffic that matches no
other policy:
set policy id pol-id from src-zone to dst-zone any any any deny log count
…where pol-id is the policy ID, and src-zone and dst-zone are, respectively, the source zone
from which the traffic comes and the destination zone to which the traffic arrives.
For every security zone that has a network interface assigned to it, add the above policies to
the end of the policy tables to ensure that dropped traffic is logged.
set policy id pol-id from trust to untrust any any any deny log count
set policy id pol-id from untrust to trust any any any deny log count
set policy id pol-id from trust to dmz any any any deny log count
set policy id pol-id from dmz to trust any any any deny log count

Setting a Policy To Permit Traffic
Two important steps to take when creating a security policy:
• Enable counting and logging to maintain audit log information for traffic passing
through the device.
• Be specific, to ensure traffic permitted is intentional and not part of a generic
policy.
Use specific source IP address (src-addr), destination IP address (dst-addr), source zone
(src-zone), destination zone (dst-zone), protocol, and service (servicename) if feasible. One
example where it may not make sense to be specific is for traffic destined for an external
network for general web access.
After creating and configuring the source and destination addresses, configure the policy
with counting and logging using the following command:
set policy id id-num from src-zone to dst-zone src-addr dst-addr servicename action log count
…where “id-num” is the decimal number representing the policy ID, and “action” can be
permit, to allow the specified service to pass from the source address across the security
appliance to the destination address, or deny, to block the service from passing through the
security appliance.
Ordering Policies
The order of policies is important, as policies match in order beginning with the first one in
the policy list and moving through the list. The first matching policy applies to network
traffic to determine the action taken. By default, a newly created policy appears at the
bottom of a policy list.
There is an option that allows you to position a policy at the top of the list instead. In the CLI,
add the keyword top to the set policy command. For example:
set policy id 6 top from trust to untrust trust-HostA untr-NetworkB http permit log
The newly created policy can also be positioned at any location in the policy list by adding the
keyword before to the set policy CLI command. For example:
set policy id 4 before 98 from untrust to trust untr-NetworkB trust-HostA ftp permit log
If global policies are used, the zone-pair deny policy above (which executes prior to any global
policy) can be replaced by a global deny policy, which must be added at the end of the global
policy list:
set policy global id pol-id any any any deny log count
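Policy order, the presence of log and count on every policy, and a final catch-all deny are easy to get wrong once policies have been added over time with top and before. The Python script below is an added example, not code from this procedure or from Juniper: it replays set policy and unset policy lines (honouring the top and before placement keywords), audits the resulting tables for the items this section requires, and shows which policy a given flow would match first. The sample policy lines are constructed, and the grammar is simplified (names containing spaces, which real configs quote, are not handled).

```python
"""Policy-table audit for a saved ScreenOS configuration.

Added example, not part of the hardening procedure. It replays the
'set policy' / 'unset policy' lines of a configuration (honouring 'top' and
'before <id>'), then checks: no permissive any/any/any permit left over from
the factory default, 'log' and 'count' on every policy, and a catch-all deny
at the end of each zone pair or of the global list. first_match() shows which
policy a flow would hit first. The sample policy lines are constructed.
"""
import re
from dataclasses import dataclass

# Addresses/services with spaces in their names (quoted in real configs) are
# not handled by this simplified grammar.
POLICY_RE = re.compile(
    r"^set policy (?P<glob>global )?id (?P<id>\d+)"
    r"(?: (?P<pos>top|before (?P<ref>\d+)))?"
    r"(?: from (?P<sz>\S+) to (?P<dz>\S+))?"
    r" (?P<src>\S+) (?P<dst>\S+) (?P<svc>\S+) (?P<action>permit|deny|reject|tunnel)"
    r"(?P<flags>(?: (?:log|count))*)$")
UNSET_RE = re.compile(r"^unset policy id (?P<id>\d+)$")
GLOBAL = ("global", "global")


@dataclass
class Policy:
    pid: int
    src: str
    dst: str
    service: str
    action: str
    log: bool
    count: bool


def build_policy_tables(config_text):
    """Apply the lines in order; return {(src_zone, dst_zone): [Policy, ...]} in lookup order."""
    tables = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # allow trailing comments in the sample
        m = UNSET_RE.match(line)
        if m:
            pid = int(m.group("id"))
            for plist in tables.values():
                plist[:] = [p for p in plist if p.pid != pid]
            continue
        m = POLICY_RE.match(line)
        if not m or (not m.group("glob") and not m.group("sz")):
            continue
        ctx = GLOBAL if m.group("glob") else (m.group("sz").lower(), m.group("dz").lower())
        flags = m.group("flags").split()
        pol = Policy(int(m.group("id")), m.group("src"), m.group("dst"), m.group("svc"),
                     m.group("action"), "log" in flags, "count" in flags)
        plist = tables.setdefault(ctx, [])
        if m.group("pos") == "top":
            plist.insert(0, pol)
        elif m.group("ref"):
            ref = int(m.group("ref"))
            idx = next((i for i, p in enumerate(plist) if p.pid == ref), len(plist))
            plist.insert(idx, pol)
        else:
            plist.append(pol)               # default: bottom of the list
    return tables


def _is_catchall_deny(p):
    return (p.action == "deny" and (p.src, p.dst, p.service) == ("any", "any", "any")
            and p.log and p.count)


def audit_policies(tables):
    """Return a list of human-readable findings (empty list = compliant)."""
    findings = []
    glob = tables.get(GLOBAL, [])
    glob_catchall = bool(glob) and _is_catchall_deny(glob[-1])
    for (sz, dz), plist in tables.items():
        for p in plist:
            if p.action == "permit" and (p.src, p.dst, p.service) == ("any", "any", "any"):
                findings.append(f"policy {p.pid} ({sz}->{dz}): permits any/any/any")
            if not (p.log and p.count):
                findings.append(f"policy {p.pid} ({sz}->{dz}): missing log/count")
        if (sz, dz) == GLOBAL:
            if not glob_catchall:
                findings.append("global: list does not end with 'deny any any any log count'")
        elif not glob_catchall and not (plist and _is_catchall_deny(plist[-1])):
            findings.append(f"{sz}->{dz}: no final 'deny any any any log count' policy")
    return findings


def first_match(tables, sz, dz, src, dst, svc):
    """First policy hit for a flow: zone-pair list first, then the global list (exact name or 'any')."""
    for p in tables.get((sz.lower(), dz.lower()), []) + tables.get(GLOBAL, []):
        if all(want in ("any", have) for want, have in ((p.src, src), (p.dst, dst), (p.service, svc))):
            return p
    return None


# Constructed sample, following the commands used in this section.
SAMPLE_POLICIES = """
set policy id 1 from trust to untrust any any any permit          # factory default, no log
unset policy id 1                                                 # removed as the procedure requires
set policy id 2 from trust to untrust trust-HostA untr-NetworkB ftp permit log count
set policy id 3 from trust to untrust any any any deny log count
set policy id 6 top from trust to untrust trust-HostA untr-NetworkB http permit log
set policy id 4 before 3 from trust to untrust trust-HostB untr-NetworkB ssh permit log count
set policy id 10 from untrust to trust any any any deny log count
set policy global id 99 any any any deny log count
"""

if __name__ == "__main__":
    tables = build_policy_tables(SAMPLE_POLICIES)
    print([p.pid for p in tables[("trust", "untrust")]])   # lookup order after top/before
    for finding in audit_policies(tables):
        print("FINDING:", finding)
```

In the sample, policy 6 was placed at the top with log but without count, and the audit reports exactly that; the global deny 99 satisfies the catch-all requirement for zone pairs that have no deny of their own.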
SYSTEM LOGGING AND MONITORING
Configuring Syslog
You should configure a syslog server as a backup for security audit information and for
long-term audit log storage. This helps prevent a loss of security audit information.
The specific commands required to set up a syslog server are:
set syslog config ip-address facilities local0 local0
set syslog config ip-address port 514
set syslog config ip-address log traffic
set syslog enable
set log module system level level-name destination syslog
where ip-address is the actual IP address of the syslog server and level-name is the
severity level of the log.
Note: You must enter the set log command once for each message level.
The options for level-name are listed below:
emergency
alert
critical
error
warning
notification
information
debugging
Events to be Logged
The system logs contain historic firewall events and usage information, used for debugging
system malfunctions and forensic investigations. Hence, log all critical information.
Configure syslog to log the following on each firewall:
• Each login and logoff
• Firewall start-up and shutdown
• Complete session
• User and group account administration
• Hardware failures
Log Retention and Archival
It is often necessary to obtain a complete audit trail of a process for security
investigation or troubleshooting. Hence, retain the firewall logs locally for a defined
number of days. Enough storage space should be allotted to handle this. In addition,
very strict access control must be implemented on the stored logs.
The log files must be archived offline. Protect the archived logs appropriately so that
unauthorized users cannot access them.
Protection of Log Files
If a malicious user manages to modify the log files and remove traces of an attack, no
investigation can be conclusive. In addition, logs must be kept for extended periods to maintain
the audit trail. Hence, protect log files against tampering and store them securely.
Session Activity Logs for Privileged Users
Privileged users have total control over the firewall. Log every activity performed on the
firewall by these users.
Periodic Monitoring
To maintain the security levels on the Juniper firewalls, monitor them on a regular basis,
performing the tasks listed in the Daily, Weekly, Monthly and Bi-Yearly Monitoring Tasks sections.
CONFIGURING AUDIT LOSS MITIGATION
There are cases where more auditable events can occur than the security appliance is able
to write to a syslog server. The security appliance must stop further auditable events from
occurring until the audit trail is able to handle more traffic. An authorized administrator must
enable this behaviour with the following command:
set log audit-loss-mitigation
Logging Permitted Packets
To log permitted packets passing through the device, enable the logging option on all
authenticated and/or unauthenticated traffic policies.
In this document, all permit policies include the keyword log, to create traffic log entries
for permitted traffic.
Log entries for permitted traffic are created upon completion of the application session.
You can use the following command to view the overall traffic logs, or specific policy’s traffic
log:
get log traffic
get log traffic policy id
Logging Dropped Packets
To log dropped packets destined for (terminating on) any of the device interfaces, you must
enable the following command:
set firewall log-self
To log authenticated dropped packets, you must add the log keyword to the first policy
associated with a VPN tunnel. Packets that do not match any of the policies associated with
the tunnel are “dropped”. The log entries for these dropped packets are linked with the highest
priority policy (first in the ‘get policy all’ list) associated with the tunnel and the traffic flow
direction.
Firewall Management Idle Timeout
Command Line Interface
Protect management via the console port by setting an idle timeout. By default,
console and Telnet sessions time out after 10 minutes of inactivity. It is recommended never to
set the timeout value to zero.
To verify execute the command:
get console
Web User Interface (WebUI)
The WebUI timeout, like the console timeout, defaults to 10 minutes. When changing the
WebUI timeout, specify a number of minutes (between 1 and 999) of idle time before
closing the browser. Enable the option “Enable Web Management Idle Timeout” check
box. Do not disable it.
Security Manager
Edit Device > Device Admin > Web Management
Permitted IP Addresses
Configure Juniper Networks devices to accept management requests only from trusted
sources. Define a list of permitted IP addresses. Permitted IP addresses include a mask
parameter specified as a dotted-decimal value. Permitted IP addresses can be hosts or
subnets. NOTE: You are limited to six entries.
CLI
set admin manager-ip address [mask]
WebUI
Configuration >Admin > Permitted IPs
Security Manager
Edit Device > Device Admin > Permitted IPs > Add
Daily Monitoring Tasks
• Three or more consecutive failed login attempts
• Syslog events with levels – critical, alert or emergency
• Unauthorized addition and deletion to user accounts and groups
• Changes / Unauthorized changes made
• Unauthorized access attempts
Weekly Monitoring Tasks
• Correct operation of syslog daemon
• All resource (CPU, memory) usage exceeding pre-defined thresholds (based on
capacity planning figures)
Monthly Monitoring Tasks
• Firewall patch levels
• Firewall reboots
• Disk space usage
• Account group membership changes
• Verification of backups
Bi-Yearly Monitoring Tasks
• Perform physical audit
The Juniper Firewall administrators must perform these monitoring tasks. Report any
discrepancy from normal operation to the appropriate department.
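Several of the daily items above (repeated failed logins, critical/alert/emergency events, account changes) can be picked out of the syslog feed automatically instead of being read by eye. The Python script below is an added example, not part of this procedure or of ScreenOS: it triages a batch of syslog lines and returns those three kinds of findings, treating three consecutive failures from one source as the threshold and letting a successful login reset the count. The sample lines are constructed and only loosely modelled on the device_id=... [vsys]system-level-id: message shape; the message IDs and texts are illustrative, not real ScreenOS IDs.

```python
"""Daily-monitoring triage over ScreenOS-style syslog lines.

Added example, not part of the hardening procedure. It picks out the items in
the daily monitoring list: events at critical, alert or emergency level,
three or more consecutive failed admin logins from one source, and admin
account additions/deletions. The sample lines are constructed and only
loosely modelled on the 'device_id=... [vsys]system-<level>-<id>:' message
format; the message IDs and texts are illustrative, not real ScreenOS IDs.
"""
import re
from collections import Counter

LEVEL_RANK = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
              "warning": 4, "notification": 5, "information": 6, "debugging": 7}

MSG_RE = re.compile(r"device_id=(?P<dev>\S+)\s+\[(?P<vsys>[^\]]*)\]"
                    r"(?P<cat>[a-z]+)-(?P<level>[a-z]+)-(?P<id>\d+):\s*(?P<text>.*)$")
FAILED_LOGIN_RE = re.compile(
    r'Admin user "(?P<user>[^"]+)" login attempt .*? from (?P<ip>\d+(?:\.\d+){3})\S* failed', re.I)
SUCCESS_LOGIN_RE = re.compile(
    r'Admin user "(?P<user>[^"]+)" logged in .*? from (?P<ip>\d+(?:\.\d+){3})', re.I)
ACCOUNT_CHANGE_RE = re.compile(r'Admin user "[^"]+" has been (?:added|deleted|modified)', re.I)


def triage(lines, fail_threshold=3):
    """Return the daily-monitoring findings for an iterable of syslog lines."""
    severe, repeated_failures, account_changes = [], [], []
    streak = Counter()          # (device, user, source ip) -> consecutive failed logins
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue
        dev, level, text = m.group("dev"), m.group("level"), m.group("text")
        if LEVEL_RANK.get(level, 99) <= LEVEL_RANK["critical"]:
            severe.append((dev, level, m.group("id"), text))
        f = FAILED_LOGIN_RE.search(text)
        if f:
            key = (dev, f.group("user"), f.group("ip"))
            streak[key] += 1
            if streak[key] == fail_threshold:       # report once, when the threshold is reached
                repeated_failures.append(key)
            continue
        s = SUCCESS_LOGIN_RE.search(text)
        if s:                                       # a successful login ends the streak
            streak[(dev, s.group("user"), s.group("ip"))] = 0
        if ACCOUNT_CHANGE_RE.search(text):
            account_changes.append((dev, text))
    return {"severe": severe, "repeated_failed_logins": repeated_failures,
            "account_changes": account_changes}


# Constructed sample log (illustrative message IDs and texts).
SAMPLE_LOG = [
    'Jan  3 10:00:01 fw-edge01 NetScreen device_id=fw-edge01 [Root]system-warning-00001: '
    'Admin user "netscreen" login attempt for Web(http) management (port 80) from 10.1.1.50:41212 failed',
    'Jan  3 10:00:05 fw-edge01 NetScreen device_id=fw-edge01 [Root]system-warning-00001: '
    'Admin user "netscreen" login attempt for Web(http) management (port 80) from 10.1.1.50:41213 failed',
    'Jan  3 10:00:09 fw-edge01 NetScreen device_id=fw-edge01 [Root]system-warning-00001: '
    'Admin user "netscreen" login attempt for Web(http) management (port 80) from 10.1.1.50:41214 failed',
    'Jan  3 10:02:00 fw-edge01 NetScreen device_id=fw-edge01 [Root]system-warning-00001: '
    'Admin user "ops1" login attempt for SSH management (port 22) from 10.1.1.7:50122 failed',
    'Jan  3 10:02:20 fw-edge01 NetScreen device_id=fw-edge01 [Root]system-notification-00002: '
    'Admin user "ops1" logged in for SSH management (port 22) from 10.1.1.7:50123',
    'Jan  3 10:05:00 fw-edge01 NetScreen device_id=fw-edge01 [Root]system-critical-00003: '
    'Power supply 1 failure detected',
    'Jan  3 10:06:00 fw-edge01 NetScreen device_id=fw-edge01 [Root]system-notification-00004: '
    'Admin user "audit2" has been added by admin "ops1" from 10.1.1.7',
]

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind, items)
```

The regular expressions are the part to adapt to the real message texts of the deployed ScreenOS version; the streak logic and severity ranking do not depend on them.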
FIREWALL PROTECTION
Disaster Recovery Plan (DRP)
In order to provide protection against system failures, there has to be a tested and approved
DRP. This should include the backup policy and contingency arrangements.
The DRP for each Juniper Firewall must be ready at the time the firewall is in production
environment.
There must be a planned and bi-yearly Disaster Recovery Drill to ensure that the DRP is
maintained and updated.
Physical Security of Juniper Firewall installation
Physical security deals with all the security aspects of the premises where the actual
firewalls are installed.
• Secure the physical location of the Juniper firewalls to guarantee operational continuity,
protection against natural and man-made disasters, and prevent loss of Information
Assets.
• The Juniper firewalls must have an uninterrupted and clean power supply, and operating
conditions as recommended by the hardware vendors.
Fault Tolerance
To ensure that failure of one firewall does not halt operations, each Juniper Firewall must use
NSRP / HA for redundancy.
Backup
Ensure that, in case of data failure, manipulation or data loss, system operations can be
restored to the previous working state at the earliest.
• Back up the data on each firewall using the standard operations procedures, so that in
case of failure, data recovery conforms to the SLA with the Business.
• Proper media labeling and protection should be implemented to ensure that media is not
accidentally or deliberately overwritten.
• Verify the backup regularly by doing random restoration checks.
• The storage and retention of the computer media must be as per the manufacturer’s
recommendations.
• On expiry, the media should be disposed securely, ensuring no data extraction is
possible
Separation of test and Production environment
The test and development environment is usually set up with loose security controls. In
order to avoid this, separate the Juniper Production firewalls from the test and development
setup.
Irrespective of the settings and controls applied on test and development firewalls, the
production firewalls must be hardened as per the Juniper Firewall security standards.
Do not create test user accounts on the Production firewalls.
There should be a secure connection from the test to the Production firewalls.
Do not use data passing from production to the test environment without desensitizing it.
Change Management
The Juniper firewalls must also adhere to the Change Management (CM) policy. The system
administrators must ensure that every change goes through the appropriate CM process.
Service Level Agreements for Screen OS and hardware support
For continuity of operation, protect the firewalls from extended downtimes due to Screen OS
malfunctioning or hardware failure.
Each Juniper Firewall must have an SLA for Screen OS support (patches, troubleshooting etc.)
from an authorized Juniper Firewall vendor. Ensure that the firewalls are also supported
by an SLA with the respective product vendors.
Protection of firewalls not kept in the Data Center
Not all Juniper firewalls are located at the Data Center. Many of them are deployed at remote
sites or housed in other locations with less protection, such as the Lab or Outstations. Hence,
the respective teams must ensure that such firewalls have adequate access control and
physical protection implemented.
Documentation
The system administration and operations team must have complete documentation of the
Juniper Firewall setup. This must include (but is not limited to):
• Installation procedure
• Security settings
• Operating procedures
• Firewall configurations for each firewall
• Details of users for each firewall, with access rights
• Disaster Recovery Procedures for each firewall
• Regularly update the documentation.

Hardening Procedure for Solaris Systems

Procedure Statement

The hardening policies are defined as follows:

  • Database server hardening procedure
  • Web server hardening procedure
  • Application server hardening procedure
  • Utility server hardening procedure

In every case, four security components are involved:

  • JASS
  • BSM
  • RSA
  • Tripwire

In those cases where Solaris Containers are implemented, the same security mechanisms are utilized with the virtualized instances of the operating system.

Table of Contents

Procedure Statement
Table of Contents
JASS Implementation
  Driver
BSM Implementation
  Audit Configuration
RSA Implementation
Tripwire Implementation
Solaris Containers (Virtualization)
Bibliography
Revision References
Appendix A: Examples
  Scripts
  Password
  Audit

JASS Implementation:

The Solaris Security Toolkit, formerly known as the JumpStart Architecture and Security Scripts (JASS) toolkit, provides a flexible and extensible mechanism to harden and audit Solaris Operating Systems (OSs). The Solaris Security Toolkit simplifies and automates the process of securing Solaris Operating Systems and is based on proven security best practices and practical customer site experience gathered over many years. This toolkit can be used to secure SPARC-based and x86/x64-based systems.

Driver

JASS provides a set of templates to customize the security profiles. The one utilized is secure.driver.

No scripts are customized (user.init), but some of the scripts in the hardening.driver file are disabled or enabled to fit the requirements of the environment.

Below is the template being used, with a brief annotation of which scripts are intentionally disabled or enabled.

JASS_SCRIPTS="
disable-ab2.fin
disable-apache.fin
disable-apache2.fin
disable-appserv.fin
disable-asppp.fin
disable-autoinst.fin
disable-automount.fin
disable-dhcpd.fin
disable-directory.fin
disable-dmi.fin
disable-dtlogin.fin
disable-face-log.fin
disable-ipv6.fin
disable-IIim.fin
disable-kdc.fin
disable-keyboard-abort.fin ### This script was intentionally enabled.
disable-keyserv-uid-nobody.fin
disable-ldap-client.fin
disable-lp.fin
disable-mipagent.fin
disable-named.fin
disable-nfs-client.fin
disable-nfs-server.fin
disable-nscd-caching.fin
# disable-picld.fin
disable-ppp.fin
disable-preserve.fin
disable-power-mgmt.fin
disable-remote-root-login.fin
disable-rhosts.fin
disable-routing.fin
disable-rpc.fin
disable-samba.fin
disable-sendmail.fin
disable-slp.fin
disable-sma.fin
disable-smcwebserver.fin
disable-snmp.fin
disable-spc.fin
disable-ssh-root-login.fin
disable-syslogd-listen.fin
disable-system-accounts.fin
disable-uucp.fin
disable-vold.fin
disable-wbem.fin
disable-xfs.fin
disable-xserver-listen.fin
enable-account-lockout.fin
enable-coreadm.fin
# enable-ftpaccess.fin ### This script was intentionally disabled.
enable-ftp-syslog.fin
enable-inetd-syslog.fin
# enable-ipfilter.fin ### This script was intentionally disabled.
enable-password-history.fin
enable-priv-nfs-ports.fin
# enable-process-accounting.fin ### This script was intentionally disabled.
enable-rfc1948.fin
enable-stack-protection.fin
enable-tcpwrappers.fin
install-at-allow.fin
install-ftpusers.fin
install-loginlog.fin
install-md5.fin
install-nddconfig.fin
install-newaliases.fin
install-sadmind-options.fin
install-security-mode.fin
install-shells.fin
install-sulog.fin
print-rhosts.fin ### This script was intentionally enabled.
remove-unneeded-accounts.fin
set-banner-dtlogin.fin
set-banner-ftpd.fin
set-banner-sendmail.fin
set-banner-sshd.fin
set-banner-telnetd.fin
set-flexible-crypt.fin
set-ftpd-umask.fin
set-login-retries.fin
set-power-restrictions.fin
set-rmmount-nosuid.fin
set-root-group.fin
set-strict-password-checks.fin
set-sys-suspend-restrictions.fin
set-system-umask.fin
set-tmpfs-limit.fin
set-user-password-reqs.fin
set-user-umask.fin
update-at-deny.fin
update-cron-allow.fin
update-cron-deny.fin
update-cron-log-size.fin
update-inetd-conf.fin
enable-bsm.fin ### This script was intentionally enabled.
install-fix-modes.fin
install-strong-permissions.fin ### This script was intentionally enabled.
# enable-bart.fin ### This script was intentionally disabled.
# print-sgid-files
# print-suid-files
# print-unowned-objects
# print-world-writable-objects
"

The scripts which are commented out will not be executed.

Brief description of some notable scripts:

enable-account-lockout.fin: Enables account lockout.

enable-coreadm.fin: Enables the core file (coreadm) environment.

enable-ftpaccess.fin: We leave FTP access disabled; it is also blocked in IPFilter.

enable-ftp-syslog.fin: Also traces FTP activity in syslog.

enable-inetd-syslog.fin: This script configures the Internet Services Daemon (inetd) to log all incoming connections.

enable-ipfilter.fin: Enables the IPFilter environment (with no active rules by default).

enable-password-history.fin: Enables password history.

enable-priv-nfs-ports.fin: Allows NFS to accept connections from privileged ports only (below port 1024).

enable-process-accounting.fin: We do not enable process accounting, as it is not useful in our environment.

enable-rfc1948.fin: This script creates or modifies the /etc/default/inetinit file to enable support for RFC 1948, which defines unique-per-connection sequence number generation. For more information, refer to http://RF.Cx/rfc1948.html.

enable-stack-protection.fin: Enables stack protection and logging.

enable-tcpwrappers.fin: Creates hosts.allow and hosts.deny files to wrap all TCP connections.
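Because a leading "#" is all that separates a script that runs from one that does not, it is worth checking a driver mechanically before rolling it out. The Python script below is an added example (not part of this procedure and not part of the Solaris Security Toolkit): it extracts the JASS_SCRIPTS list from a driver file, separates active scripts from commented-out ones, keeps the trailing "###" annotations, and compares the active set with a site baseline. The driver fragment and the SITE_REQUIRED baseline are constructed; the script names come from the list above.

```python
"""Parse the JASS_SCRIPTS list of a Solaris Security Toolkit driver.

Added example, not part of the hardening procedure or of the toolkit. Given
the text of a driver file, it returns which finish scripts are active, which
are commented out (and therefore will not run), and any trailing '###'
annotations, then compares the active set with a required list. The driver
fragment below is constructed; the script names are taken from the driver
listing in the procedure.
"""
import re
from collections import Counter

JASS_SCRIPTS_RE = re.compile(r'JASS_SCRIPTS="(?P<body>.*?)"', re.S)


def parse_jass_scripts(driver_text):
    """Return (active, disabled, notes) from the JASS_SCRIPTS="..." assignment."""
    m = JASS_SCRIPTS_RE.search(driver_text)
    if not m:
        raise ValueError("no JASS_SCRIPTS assignment found")
    active, disabled, notes = [], [], {}
    for raw in m.group("body").splitlines():
        entry, _, note = raw.partition("###")       # '###' starts a free-text annotation
        entry = entry.strip()
        if not entry:
            continue
        commented = entry.startswith("#")           # leading '#' disables the script
        name = entry.lstrip("#").strip()
        if not name:
            continue
        (disabled if commented else active).append(name)
        if note.strip():
            notes[name] = note.strip()
    return active, disabled, notes


def duplicates(names):
    """Scripts listed more than once (they would run twice)."""
    return sorted(n for n, c in Counter(names).items() if c > 1)


def missing_required(active, required):
    """Required scripts that are not active in this driver."""
    return sorted(set(required) - set(active))


# Constructed driver fragment; real drivers also source driver.init/driver.run.
SAMPLE_DRIVER = '''
JASS_SCRIPTS="
    disable-rhosts.fin
    disable-keyboard-abort.fin ### This script was intentionally enabled.
    # enable-ftpaccess.fin ### This script was intentionally disabled.
    enable-bsm.fin
    # print-suid-files
    disable-rhosts.fin
"
'''

# Assumed site baseline for the check; the hardening procedure does not define one.
SITE_REQUIRED = ["enable-bsm.fin", "enable-tcpwrappers.fin", "disable-rhosts.fin"]

if __name__ == "__main__":
    active, disabled, notes = parse_jass_scripts(SAMPLE_DRIVER)
    print("active:", active)
    print("disabled:", disabled)
    print("notes:", notes)
    print("duplicates:", duplicates(active))
    print("missing:", missing_required(active, SITE_REQUIRED))
```

Point it at the secure.driver (or hardening.driver) actually installed under the toolkit's Drivers directory and compare the result with the annotated list above; a script that should be disabled but is active, or vice versa, shows up immediately.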

BSM Implementation

Audit Configuration

The Basic Security Module (BSM) provides two security features. The first feature is an auditing mechanism, which includes tools to assist with the analysis of the auditing data. The second feature is a device-allocation mechanism, which provides the required object-reuse characteristics for removable devices or assignable devices.

The auditing mechanism helps you detect potential security breaches by revealing suspicious or abnormal patterns of system usage. The auditing mechanism also provides a means to trace suspect actions back to a particular user, thus serving as a deterrent. If users know that their activities are likely to be audited, they might be less likely to attempt malicious activities.

The audit subsystem is configured to log the audit activity locally and in a remote Syslog server.

Audit Control file:

dir:/var/audit
flags:lo,ex
minfree:20
naflags:lo,ex
plugin: name=audit_syslog.so;p_flags=lo,ex

Audit Startup file:

/usr/sbin/auditconfig -setpolicy +cnt
/usr/sbin/auditconfig -setpolicy +zonename
/usr/sbin/auditconfig -setpolicy +argv
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf

Entry in /etc/syslog.conf:

audit.notice;auth.debug @dc5sfsecsyslog01
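The three fragments above have to agree with each other for the remote copy of the audit trail to exist: the lo and ex classes in flags and naflags, the same classes in the plugin's p_flags, and a syslog.conf line that sends the audit facility off the box. The Python script below is an added example (not part of this procedure) that parses an audit_control file and a syslog.conf and reports any of those conditions that do not hold. Both sample configurations are constructed; the good one mirrors the settings above with a placeholder log host.

```python
"""Check a Solaris BSM audit_control file and syslog.conf against the audit
configuration described above.

Added example, not part of the hardening procedure. It parses audit_control
(key:value lines), verifies that the login/logout (lo) and exec (ex) classes
are audited for attributable and non-attributable events, that minfree and
the audit_syslog.so plugin are set, and that syslog.conf forwards the audit
facility to a remote host. The two sample configurations are constructed.
"""
import re

REQUIRED_CLASSES = {"lo", "ex"}
MIN_FREE_PERCENT = 20       # the procedure's minfree value


def parse_audit_control(text):
    """audit_control as {key: [values]}; a key such as 'dir' may repeat."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def audit_classes(spec):
    """'lo,ex,-fw' -> {'lo','ex','fw'}: '+'/'-' select success/failure only;
    a leading '^' removes a class and is therefore not counted as enabled."""
    return {c.lstrip("+-") for c in spec.split(",") if c and not c.startswith("^")}


def check_audit_config(audit_control_text, syslog_conf_text):
    """Return a list of findings; an empty list means the configuration matches."""
    conf = parse_audit_control(audit_control_text)
    findings = []
    if "dir" not in conf:
        findings.append("dir: no local audit trail directory configured")
    for key in ("flags", "naflags"):
        missing = REQUIRED_CLASSES - audit_classes(conf.get(key, [""])[0])
        if missing:
            findings.append(f"{key}: missing audit classes {sorted(missing)}")
    minfree = conf.get("minfree", ["0"])[0]
    if not minfree.isdigit() or int(minfree) < MIN_FREE_PERCENT:
        findings.append(f"minfree: should be at least {MIN_FREE_PERCENT}")
    plugins = [p for p in conf.get("plugin", []) if "audit_syslog.so" in p]
    if not plugins:
        findings.append("plugin: audit_syslog.so not configured, no remote copy of the trail")
    else:
        m = re.search(r"p_flags=([^;\s]+)", plugins[0])
        if REQUIRED_CLASSES - (audit_classes(m.group(1)) if m else set()):
            findings.append("plugin: p_flags does not cover lo,ex")
    if not re.search(r"^\s*audit\.\w+\S*\s+@\S+", syslog_conf_text, re.M):
        findings.append("syslog.conf: audit facility is not forwarded to a remote host")
    return findings


# Constructed samples: the first mirrors the settings above (with a
# placeholder log host), the second is deliberately weak.
GOOD_AUDIT_CONTROL = """dir:/var/audit
flags:lo,ex
minfree:20
naflags:lo,ex
plugin: name=audit_syslog.so;p_flags=lo,ex
"""
GOOD_SYSLOG_CONF = "audit.notice;auth.debug @loghost.example\n"

WEAK_AUDIT_CONTROL = """dir:/var/audit
flags:lo
minfree:5
naflags:lo,ex
"""
WEAK_SYSLOG_CONF = "audit.notice /var/adm/auditlog\n"

if __name__ == "__main__":
    print(check_audit_config(GOOD_AUDIT_CONTROL, GOOD_SYSLOG_CONF))
    print(check_audit_config(WEAK_AUDIT_CONTROL, WEAK_SYSLOG_CONF))
```

On a real host the two inputs are the contents of /etc/security/audit_control and /etc/syslog.conf; the weak sample shows the typical drift (ex dropped from flags, minfree lowered, plugin removed, audit records kept only locally).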

RSA Implementation

Authentication on the Solaris box is provided only by RSA. The steps to implement RSA are as follows:

  • Get latest sdconf.rec file

  • Download the latest RSA Agent software

  • Copy sdconf.rec file under /var/ace

  • Unzip RSA Agent software

  • Run the script install.sh (from the tar file) > Accept > Enter

Tripwire Implementation

Tripwire is a browser-based configuration audit and control tool which monitors file servers. It baselines the files using a set of rules that specify which directories and files should be monitored. The data collected as a result of running the rules becomes the benchmark against which future checks are measured.

The steps to install TWeagent (Tripwire Enterprise Agent (INTEL) 7.1.0) on a Solaris box are as follows:

  • Copy the files from tomcat:/backup (SPARC or x86) to the proper servers

  • Log into the server and uncompress the file

  • Install the package

  • Start the agent

Solaris Containers

A zone is a single instance of the Solaris Operating System, in which processes are isolated from the rest of the system.

There are two types of zones: global zone and non-global zone. Every Solaris system contains a global zone. The global zone is the only zone from which a non-global zone can be configured, installed, managed, or uninstalled. Only the global zone is bootable from the system hardware.

A non-global zone can be thought of as a box. To enforce basic process isolation, a process can see only those processes that exist in the same zone. Basic communication between zones is accomplished by giving each zone at least one logical network interface. An application running in one zone cannot observe the network traffic of another zone. This isolation is maintained even though the respective streams of packets travel through the same physical interface.

Each zone is given a portion of the file system hierarchy. Because each zone is confined to its subtree of the file system hierarchy, a workload running in a particular zone cannot access the on-disk data of another workload running in a different zone.

There are two types of non-global zone root file system models: sparse and whole root. The whole root zone model provides the maximum configurability. All of the required and any selected optional Solaris packages are installed into the private file systems of the zone. In the sparse root zone model, only a subset of the root packages is installed.

We run most applications in non-global zones except the databases. Zones are hardened to ensure high-level security. The practices are:

  1. Whole root zones (non-global) with shared network interface

     We will apply the hardening methods to the zones accordingly:

     1. JASS: global zone 0, zone1, zone2
     2. RSA: global zone 0, zone1, zone2
     3. BSM: global zone 0

  2. Whole root zones (non-global) with exclusive network interface

     We will apply the hardening methods to the zones accordingly:

     1. JASS: global zone 0, zone1, zone2
     2. RSA: global zone 0, zone1, zone2
     3. BSM: global zone 0

  3. Sparse root zones (non-global) with shared network interface

     We will apply the hardening methods to the zones accordingly:

     1. JASS: global zone 0, zone1, zone2
     2. RSA: global zone 0, zone1, zone2
     3. BSM: global zone 0

  4. Sparse root zones (non-global) with exclusive network interface

     We will apply the hardening methods to the zones accordingly:

     1. JASS: global zone 0, zone1, zone2
     2. RSA: global zone 0, zone1, zone2
     3. BSM: global zone 0

  • Example of a zone configuration file from a sparse zone with shared network.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE zone PUBLIC "-//Sun Microsystems Inc//DTD Zones//EN" "file:///usr/share/lib/xml/dtd/zonecfg.dtd.1">
<!--
    DO NOT EDIT THIS FILE. Use zonecfg(1M) instead.
-->
<zone name="dc5sfapp01a" zonepath="/zones/dc5sfapp01a" autoboot="true">
  <inherited-pkg-dir directory="/lib"/>
  <inherited-pkg-dir directory="/platform"/>
  <inherited-pkg-dir directory="/sbin"/>
  <inherited-pkg-dir directory="/usr"/>
  <inherited-pkg-dir directory="/usr/sfw"/>
  <inherited-pkg-dir directory="/export/home/apache-ant-1.6.1"/>
  <inherited-pkg-dir directory="/export/home/jdk1.6.0_13"/>
  <network address="10.5.30.14" physical="nge0"/>
</zone>

  • Example of a zone configuration file from a whole root zone with shared network.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE zone PUBLIC "-//Sun Microsystems Inc//DTD Zones//EN" "file:///usr/share/lib/xml/dtd/zonecfg.dtd.1">
<!--
    DO NOT EDIT THIS FILE. Use zonecfg(1M) instead.
-->
<zone name="dc5sfsmnsageapp01" zonepath="/zones/dc5sfsmnsageapp01" autoboot="true">
  <network address="10.5.35.14" physical="nge0"/>
</zone>

  • Example of a zone configuration file from a whole root zone with a dedicated (exclusive-IP) network interface. Note that with ip-type="exclusive" the address is left empty in zonecfg and is configured inside the zone.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE zone PUBLIC "-//Sun Microsystems Inc//DTD Zones//EN" "file:///usr/share/lib/xml/dtd/zonecfg.dtd.1">
<!--
    DO NOT EDIT THIS FILE. Use zonecfg(1M) instead.
-->
<zone name="dc5sfsmnsageweb01" zonepath="/zones/dc5sfsmnsageweb01" autoboot="true" ip-type="exclusive">
  <network address="" physical="nge2"/>
</zone>
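A small audit of zone index files like the three above, as an added example (not code from the original document or from Solaris): it classifies each zone as sparse or whole root and as shared or exclusive IP, then applies the checks a reviewer would want before the hardening methods are assigned. The sample configurations are constructed from the examples above; the /zones path convention and the "standard four" inherited directories are assumptions.

```python
"""Audit Solaris zone index files (the zonecfg XML shown above).

Added example, not part of the original document or of Solaris. It classifies
a zone as sparse or whole root (<inherited-pkg-dir> present or not) and as
shared or exclusive IP (ip-type attribute, default shared), then runs the
checks a reviewer would want before the hardening table above is applied.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Directories a default sparse root zone inherits read-only from the global zone.
STANDARD_INHERITED = ("/lib", "/platform", "/sbin", "/usr")

# Constructed samples, shaped like the three examples in the text.
_HEADER = ('<?xml version="1.0" encoding="UTF-8"?>\n'
           '<!DOCTYPE zone PUBLIC "-//Sun Microsystems Inc//DTD Zones//EN" '
           '"file:///usr/share/lib/xml/dtd/zonecfg.dtd.1">\n'
           '<!-- DO NOT EDIT THIS FILE. Use zonecfg(1M) instead. -->\n')
SPARSE_SHARED = _HEADER + """<zone name="dc5sfapp01a" zonepath="/zones/dc5sfapp01a" autoboot="true">
  <inherited-pkg-dir directory="/lib"/>
  <inherited-pkg-dir directory="/platform"/>
  <inherited-pkg-dir directory="/sbin"/>
  <inherited-pkg-dir directory="/usr"/>
  <inherited-pkg-dir directory="/usr/sfw"/>
  <inherited-pkg-dir directory="/export/home/apache-ant-1.6.1"/>
  <inherited-pkg-dir directory="/export/home/jdk1.6.0_13"/>
  <network address="10.5.30.14" physical="nge0"/>
</zone>
"""
WHOLE_SHARED = _HEADER + """<zone name="dc5sfsmnsageapp01" zonepath="/zones/dc5sfsmnsageapp01" autoboot="true">
  <network address="10.5.35.14" physical="nge0"/>
</zone>
"""
WHOLE_EXCLUSIVE = _HEADER + """<zone name="dc5sfsmnsageweb01" zonepath="/zones/dc5sfsmnsageweb01" autoboot="true" ip-type="exclusive">
  <network address="" physical="nge2"/>
</zone>
"""


def _is_standard(path):
    return any(path == d or path.startswith(d + "/") for d in STANDARD_INHERITED)


def classify_zone(xml_text):
    """Parse one zone index file and return its security-relevant attributes."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("root element is <%s>, not <zone>" % root.tag)
    inherited = [e.get("directory", "") for e in root.findall("inherited-pkg-dir")]
    return {
        "name": root.get("name"),
        "zonepath": root.get("zonepath", ""),
        "autoboot": root.get("autoboot") == "true",
        "root_model": "sparse" if inherited else "whole",
        "inherited": inherited,
        "ip_type": root.get("ip-type", "shared"),  # zonecfg default is shared
        "networks": [(n.get("address", ""), n.get("physical", ""))
                     for n in root.findall("network")],
    }


def audit_zone(info):
    """Return the findings for one classified zone; an empty list means it passes."""
    findings = []
    if not info["autoboot"]:
        findings.append("autoboot is not true; the zone stays down after the global zone reboots")
    if not info["zonepath"].startswith("/zones/"):  # assumed site convention
        findings.append("zonepath %r is outside /zones" % info["zonepath"])
    # Inherited directories are read-only inside the zone; anything beyond the
    # standard four is a deliberate choice that should be documented.
    extra = sorted(d for d in info["inherited"] if not _is_standard(d))
    if extra:
        findings.append("non-standard inherited directories: " + ", ".join(extra))
    if not info["networks"]:
        findings.append("no network interface configured")
    for addr, nic in info["networks"]:
        if not nic:
            findings.append("network entry without a physical interface")
        if info["ip_type"] == "shared":
            try:
                ipaddress.ip_address(addr.split("/")[0])
            except ValueError:
                findings.append("shared-IP zone has no valid address on %s" % (nic or "?"))
        elif addr:  # with ip-type=exclusive the address is configured inside the zone
            findings.append("exclusive-IP zone sets address %r in zonecfg" % addr)
    return findings


def audit_all(configs):
    """Map zone name -> (root model, ip type, findings) for a list of XML texts."""
    result = {}
    for text in configs:
        info = classify_zone(text)
        result[info["name"]] = (info["root_model"], info["ip_type"], audit_zone(info))
    return result


if __name__ == "__main__":
    for name, (model, ip_type, found) in audit_all([SPARSE_SHARED, WHOLE_SHARED, WHOLE_EXCLUSIVE]).items():
        print(name, model, ip_type, found or "OK")
```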


Appendix A: Examples

Scripts

/opt/SUNWjass/Finish # ls -lrt
total 834
-r--r--r-- 1 root root 697 Jul 26 2005 disable-ab2.fin
-r--r--r-- 1 root root 892 Jul 26 2005 disable-IIim.fin
-r--r--r-- 1 root root 1103 Jul 26 2005 disable-directory.fin
-r--r--r-- 1 root root 1560 Jul 26 2005 disable-dhcpd.fin
-r--r--r-- 1 root root 888 Jul 26 2005 disable-automount.fin
-r--r--r-- 1 root root 1023 Jul 26 2005 disable-asppp.fin
-r--r--r-- 1 root root 566 Jul 26 2005 disable-appserv.fin
-r--r--r-- 1 root root 532 Jul 26 2005 disable-apache2.fin
-r--r--r-- 1 root root 1159 Jul 26 2005 disable-apache.fin
-r--r--r-- 1 root root 644 Jul 26 2005 disable-named.fin
-r--r--r-- 1 root root 1013 Jul 26 2005 disable-mipagent.fin
-r--r--r-- 1 root root 999 Jul 26 2005 disable-ldap-client.fin
-r--r--r-- 1 root root 2460 Jul 26 2005 disable-keyserv-uid-nobody.fin
-r--r--r-- 1 root root 1850 Jul 26 2005 disable-kdc.fin
-r--r--r-- 1 root root 797 Jul 26 2005 disable-ipv6.fin
-r--r--r-- 1 root root 935 Jul 26 2005 disable-face-log.fin
-r--r--r-- 1 root root 1869 Jul 26 2005 disable-routing.fin
-r--r--r-- 1 root root 1454 Jul 26 2005 disable-rhosts.fin
-r--r--r-- 1 root root 1361 Jul 26 2005 disable-preserve.fin
-r--r--r-- 1 root root 1070 Jul 26 2005 disable-ppp.fin
-r--r--r-- 1 root root 2229 Jul 26 2005 disable-power-mgmt.fin
-r--r--r-- 1 root root 847 Jul 26 2005 disable-picld.fin
-r--r--r-- 1 root root 1865 Jul 26 2005 disable-nscd-caching.fin
-r--r--r-- 1 root root 984 Jul 26 2005 disable-nfs-server.fin
-r--r--r-- 1 root root 825 Jul 26 2005 disable-spc.fin
-r--r--r-- 1 root root 949 Jul 26 2005 disable-slp.fin
-r--r--r-- 1 root root 1854 Jul 26 2005 enable-password-history.fin
-r--r--r-- 1 root root 2823 Jul 26 2005 enable-inetd-syslog.fin
-r--r--r-- 1 root root 1352 Jul 26 2005 enable-ftpaccess.fin
-r--r--r-- 1 root root 1124 Jul 26 2005 enable-ftp-syslog.fin
-r--r--r-- 1 root root 2166 Jul 26 2005 enable-bart.fin
-r--r--r-- 1 root root 2639 Jul 26 2005 enable-account-lockout.fin
-r--r--r-- 1 root root 1165 Jul 26 2005 enable-32bit-kernel.fin
-r--r--r-- 1 root root 434 Jul 26 2005 disable-xfs.fin
-r--r--r-- 1 root root 2253 Jul 26 2005 install-ftpusers.fin
-r--r--r-- 1 root root 4418 Jul 26 2005 install-fix-modes.fin
-r--r--r-- 1 root root 1570 Jul 26 2005 install-at-allow.fin
-r--r--r-- 1 root root 1290 Jul 26 2005 install-Sun_ONE-WS.fin
-r--r--r-- 1 root root 2104 Jul 26 2005 enable-tcpwrappers.fin
-r--r--r-- 1 root root 1572 Jul 26 2005 enable-priv-nfs-ports.fin
-r--r--r-- 1 root root 1374 Jul 26 2005 install-shells.fin
-r--r--r-- 1 root root 1965 Jul 26 2005 install-sadmind-options.fin
-r--r--r-- 1 root root 1959 Jul 26 2005 install-recommended-patches.fin
-r--r--r-- 1 root root 1911 Jul 26 2005 install-openssh.fin
-r--r--r-- 1 root root 1040 Jul 26 2005 install-newaliases.fin
-r--r--r-- 1 root root 3073 Jul 26 2005 install-md5.fin
-r--r--r-- 1 root root 1330 Jul 26 2005 print-unowned-objects.fin
-r--r--r-- 1 root root 1188 Jul 26 2005 print-suid-files.fin
-r--r--r-- 1 root root 1188 Jul 26 2005 print-sgid-files.fin
-r--r--r-- 1 root root 3942 Jul 26 2005 minimize-Sun_ONE-WS.fin
-r--r--r-- 1 root root 570 Jul 26 2005 install-templates.fin
-r--r--r-- 1 root root 2329 Jul 26 2005 set-banner-dtlogin.fin
-r--r--r-- 1 root root 1122 Jul 26 2005 remove-unneeded-accounts.fin
-r--r--r-- 1 root root 1564 Jul 26 2005 print-world-writable-objects.fin
-r--r--r-- 1 root root 1877 Jul 26 2005 set-term-type.fin
-r--r--r-- 1 root root 1699 Jul 26 2005 set-system-umask.fin
-r--r--r-- 1 root root 4421 Jul 26 2005 set-strict-password-checks.fin
-r--r--r-- 1 root root 1086 Jul 26 2005 set-root-group.fin
-r--r--r-- 1 root root 2266 Jul 26 2005 set-rmmount-nosuid.fin
-r--r--r-- 1 root root 1380 Jul 26 2005 set-login-retries.fin
-r--r--r-- 1 root root 2087 Jul 26 2005 update-cron-deny.fin
-r--r--r-- 1 root root 1740 Jul 26 2005 update-cron-allow.fin
-r--r--r-- 1 root root 1225 Jul 26 2005 suncluster3x-set-nsswitch-conf.fin
-r--r--r-- 1 root root 2084 Jul 26 2005 set-tmpfs-limit.fin
-r--r--r-- 1 root root 2048 Aug 22 2008 disable-dtlogin.fin
-r--r--r-- 1 root root 1286 Aug 22 2008 disable-dmi.fin
-r--r--r-- 1 root root 1155 Aug 22 2008 disable-autoinst.fin
-r--r--r-- 1 root root 678 Aug 22 2008 disable-serial-login.fin
-r--r--r-- 1 root root 6428 Aug 22 2008 disable-sendmail.fin
-r--r--r-- 1 root root 1102 Aug 22 2008 disable-samba.fin
-r--r--r-- 1 root root 1636 Aug 22 2008 disable-rpc.fin
-r--r--r-- 1 root root 1174 Aug 22 2008 disable-remote-root-login.fin
-r--r--r-- 1 root root 451 Aug 22 2008 disable-nis-client.fin
-r--r--r-- 1 root root 1369 Aug 22 2008 disable-nfs-client.fin
-r--r--r-- 1 root root 1018 Aug 22 2008 disable-mesg.fin
-r--r--r-- 1 root root 2149 Aug 22 2008 disable-lp.fin
-r--r--r-- 1 root root 1400 Aug 22 2008 disable-keyboard-abort.fin
-r--r--r-- 1 root root 1948 Aug 22 2008 enable-ssh-root-login.fin
-r--r--r-- 1 root root 1774 Aug 22 2008 enable-sar.fin
-r--r--r-- 1 root root 1555 Aug 22 2008 enable-rfc1948.fin
-r--r--r-- 1 root root 3804 Aug 22 2008 enable-process-accounting.fin
-r--r--r-- 1 root root 2031 Aug 22 2008 enable-password-changes.fin
-r--r--r-- 1 root root 690 Aug 22 2008 enable-ldmd.fin
-r--r--r-- 1 root root 3805 Aug 22 2008 enable-ipfilter.fin
-r--r--r-- 1 root root 1122 Aug 22 2008 enable-ftp-debuglog.fin
-r--r--r-- 1 root root 1217 Aug 22 2008 enable-cronlog.fin
-r--r--r-- 1 root root 3368 Aug 22 2008 enable-coreadm.fin
-r--r--r-- 1 root root 6862 Aug 22 2008 enable-bsm.fin
-r--r--r-- 1 root root 2118 Aug 22 2008 disable-xserver-listen.fin
-r--r--r-- 1 root root 4306 Aug 22 2008 disable-xdmcp.fin
-r--r--r-- 1 root root 997 Aug 22 2008 disable-wbem.fin
-r--r--r-- 1 root root 1461 Aug 22 2008 disable-vold.fin
-r--r--r-- 1 root root 1608 Aug 22 2008 disable-uucp.fin
-r--r--r-- 1 root root 3851 Aug 22 2008 disable-system-accounts.fin
-r--r--r-- 1 root root 2986 Aug 22 2008 disable-syslogd-listen.fin
-r--r--r-- 1 root root 1938 Aug 22 2008 disable-ssh-root-login.fin
-r--r--r-- 1 root root 1324 Aug 22 2008 disable-snmp.fin
-r--r--r-- 1 root root 535 Aug 22 2008 disable-smcwebserver.fin
-r--r--r-- 1 root root 1237 Aug 22 2008 disable-sma.fin
-r--r--r-- 1 root root 1292 Aug 22 2008 install-loginlog.fin
-r--r--r-- 1 root root 2084 Aug 22 2008 install-local-syslog.fin
-r--r--r-- 1 root root 2563 Aug 22 2008 install-ldm.fin
-r--r--r-- 1 root root 2904 Aug 22 2008 install-jass.fin
-r--r--r-- 1 root root 1527 Aug 22 2008 install-connlog.fin
-r--r--r-- 1 root root 1573 Aug 22 2008 install-authlog.fin
-r--r--r-- 1 root root 3095 Aug 22 2008 enable-xscreensaver.fin
-r--r--r-- 1 root root 3773 Aug 22 2008 enable-stack-protection.fin
-r--r--r-- 1 root root 1080 Aug 22 2008 print-rhosts.fin
-r--r--r-- 1 root root 765 Aug 22 2008 print-package-files.fin
-r--r--r-- 1 root root 2281 Aug 22 2008 print-jumpstart-environment.fin
-r--r--r-- 1 root root 3758 Aug 22 2008 print-jass-environment.fin
-r--r--r-- 1 root root 1151 Aug 22 2008 install-sulog.fin
-r--r--r-- 1 root root 1384 Aug 22 2008 install-strong-permissions.fin
-r--r--r-- 1 root root 1897 Aug 22 2008 install-security-mode.fin
-r--r--r-- 1 root root 1347 Aug 22 2008 install-nddconfig.fin
-r--r--r-- 1 root root 2089 Aug 22 2008 set-power-restrictions.fin
-r--r--r-- 1 root root 1642 Aug 22 2008 set-oem-banner.fin
-r--r--r-- 1 root root 768 Aug 22 2008 set-lp-open.fin
-r--r--r-- 1 root root 2774 Aug 22 2008 set-lp-localonly.fin
-r--r--r-- 1 root root 1202 Aug 22 2008 set-log-file-permissions.fin
-r--r--r-- 1 root root 3144 Aug 22 2008 set-grub-password.fin
-r--r--r-- 1 root root 4738 Aug 22 2008 set-greeter-warning.fin
-r--r--r-- 1 root root 2803 Aug 22 2008 set-ftpd-umask.fin
-r--r--r-- 1 root root 4147 Aug 22 2008 set-flexible-crypt.fin
-r--r--r-- 1 root root 3437 Aug 22 2008 set-failed-logins.fin
-r--r--r-- 1 root root 1664 Aug 22 2008 set-dtlogin-open.fin
-r--r--r-- 1 root root 2642 Aug 22 2008 set-dtlogin-localonly.fin
-r--r--r-- 1 root root 961 Aug 22 2008 set-calendar-open.fin
-r--r--r-- 1 root root 1810 Aug 22 2008 set-calendar-localonly.fin
-r--r--r-- 1 root root 1307 Aug 22 2008 set-banner-telnetd.fin
-r--r--r-- 1 root root 1829 Aug 22 2008 set-banner-sshd.fin
-r--r--r-- 1 root root 2027 Aug 22 2008 set-banner-sendmail.fin
-r--r--r-- 1 root root 4350 Aug 22 2008 set-banner-ftpd.fin
-r--r--r-- 1 root root 6560 Aug 22 2008 s15k-static-arp.fin
-r--r--r-- 1 root root 3460 Aug 22 2008 s15k-sms-secure-failover.fin
-r--r--r-- 1 root root 1329 Aug 22 2008 s15k-sms-override.fin
-r--r--r-- 1 root root 2010 Aug 22 2008 s15k-exclude-domains.fin
-r--r--r-- 1 root root 10195 Aug 22 2008 update-inetd-conf.fin
-r--r--r-- 1 root root 4944 Aug 22 2008 update-cron-log-size.fin
-r--r--r-- 1 root root 1909 Aug 22 2008 update-at-deny.fin
-r--r--r-- 1 root root 663 Aug 22 2008 set-wbem-open.fin
-r--r--r-- 1 root root 1323 Aug 22 2008 set-wbem-localonly.fin
-r--r--r-- 1 root root 3352 Aug 22 2008 set-user-umask.fin
-r--r--r-- 1 root root 3049 Aug 22 2008 set-user-password-reqs.fin
-r--r--r-- 1 root root 974 Aug 22 2008 set-ttdb-open.fin
-r--r--r-- 1 root root 1635 Aug 22 2008 set-ttdb-localonly.fin
-r--r--r-- 1 root root 1558 Aug 22 2008 set-sys-suspend-restrictions.fin
-r--r--r-- 1 root root 2584 Aug 22 2008 set-ssh-config.fin
-r--r--r-- 1 root root 672 Aug 22 2008 set-smcwebserver-open.fin
-r--r--r-- 1 root root 910 Aug 22 2008 set-smcwebserver-localonly.fin
-r--r--r-- 1 root root 909 Aug 22 2008 set-rpc-open.fin
-r--r--r-- 1 root root 2060 Aug 22 2008 set-rpc-localonly.fin
-r--r--r-- 1 root root 1673 Aug 22 2008 set-root-password.fin
-r--r--r-- 1 root root 4734 Aug 22 2008 set-root-home-dir.fin

Password

/opt/SUNWjass/Finish # pwd
/opt/SUNWjass/Finish # cat set-user-password-reqs.fin
#!/bin/sh
#
# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)set-user-password-reqs.fin 3.10 06/10/30 SMI"
#
# This script installs some basic password requirements for users. Note
# that this affects local password policy only.
#
# The helper functions (logMessage, create_a_file, backup_file, change_owner,
# change_default_perms) and the JASS_* variables are provided by the JASS
# driver environment that sources this finish script.

logMessage "Installing user password requirements."
echo ""

PASSWD=${JASS_ROOT_DIR}etc/default/passwd

if [ ! -f ${PASSWD} ]; then
    create_a_file -m 0444 -o root:sys ${PASSWD}
    echo ""
fi

changeToBeMade="0"

# Determine the values to be used. If values are
# already in place, then use them. Otherwise, use the
# defaults that are included below.

minWeeks=`nawk -F= '$1==keyword { print $2 }' keyword="MINWEEKS" ${PASSWD}`

if [ ! -z "${JASS_AGING_MINWEEKS}" ]; then
    if [ "${JASS_AGING_MINWEEKS}" != "${minWeeks}" ]; then
        changeToBeMade="1"
        if [ -z "${minWeeks}" ]; then
            minWeeks="NONE"
        fi
        logMessage "Changing MINWEEKS setting from ${minWeeks} to ${JASS_AGING_MINWEEKS}."
    fi
    minWeeks="${JASS_AGING_MINWEEKS}"
fi

maxWeeks=`nawk -F= '$1==keyword { print $2 }' keyword="MAXWEEKS" ${PASSWD}`

if [ ! -z "${JASS_AGING_MAXWEEKS}" ]; then
    if [ "${JASS_AGING_MAXWEEKS}" != "${maxWeeks}" ]; then
        changeToBeMade="1"
        if [ -z "${maxWeeks}" ]; then
            maxWeeks="NONE"
        fi
        logMessage "Changing MAXWEEKS setting from ${maxWeeks} to ${JASS_AGING_MAXWEEKS}."
    fi
    maxWeeks="${JASS_AGING_MAXWEEKS}"
fi

warnWeeks=`nawk -F= '$1==keyword { print $2 }' keyword="WARNWEEKS" ${PASSWD}`

if [ ! -z "${JASS_AGING_WARNWEEKS}" ]; then
    if [ "${JASS_AGING_WARNWEEKS}" != "${warnWeeks}" ]; then
        changeToBeMade="1"
        if [ -z "${warnWeeks}" ]; then
            warnWeeks="NONE"
        fi
        logMessage "Changing WARNWEEKS setting from ${warnWeeks} to ${JASS_AGING_WARNWEEKS}."
    fi
    warnWeeks="${JASS_AGING_WARNWEEKS}"
fi

passLength=`nawk -F= '$1==keyword { print $2 }' keyword="PASSLENGTH" ${PASSWD}`

if [ ! -z "${JASS_PASS_LENGTH}" ]; then
    if [ "${JASS_PASS_LENGTH}" != "${passLength}" ]; then
        changeToBeMade="1"
        if [ -z "${passLength}" ]; then
            passLength="NONE"
        fi
        logMessage "Changing PASSLENGTH setting from ${passLength} to ${JASS_PASS_LENGTH}."
    fi
    passLength="${JASS_PASS_LENGTH}"
fi

if [ "${changeToBeMade}" = "1" ]; then
    echo ""
    backup_file ${PASSWD}

    # Remove the old entries and insert the new ones.
    cat ${PASSWD}.${JASS_SUFFIX} |\
        egrep -v '^MINWEEKS=|^MAXWEEKS=|^WARNWEEKS=|^PASSLENGTH=' > ${PASSWD}

    if [ ! -z "${JASS_AGING_MINWEEKS}" ]; then
        echo "MINWEEKS=${minWeeks}" >> ${PASSWD}
    fi

    if [ ! -z "${JASS_AGING_MAXWEEKS}" ]; then
        echo "MAXWEEKS=${maxWeeks}" >> ${PASSWD}
    fi

    if [ ! -z "${JASS_AGING_WARNWEEKS}" ]; then
        echo "WARNWEEKS=${warnWeeks}" >> ${PASSWD}
    fi

    if [ ! -z "${JASS_PASS_LENGTH}" ]; then
        echo "PASSLENGTH=${passLength}" >> ${PASSWD}
    fi

    change_owner root:sys ${PASSWD}
    change_default_perms ${PASSWD}
fi
[ ?0 dc5sfshrapp01 root 1 !542 0 22:47:39 ]
/opt/SUNWjass/Finish #
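What the finish script above does to /etc/default/passwd, as an added Python model (not JASS code): it re-implements the script's merge logic so the rewrite can be previewed offline, and adds a policy check over the result. The sample file, the JASS_* values and the policy thresholds are constructed for illustration; note that a key whose JASS_* variable is unset is stripped and not re-added, exactly as the egrep/echo sequence in the script behaves.

```python
"""Model of set-user-password-reqs.fin plus a policy check for /etc/default/passwd.

Added example, not JASS code. apply_password_reqs() mirrors the finish script
above; check_policy() compares the effective settings with a minimum policy.
The sample file, JASS_* values and thresholds below are constructed.
"""

KEYS = ("MINWEEKS", "MAXWEEKS", "WARNWEEKS", "PASSLENGTH")
# JASS variable that drives each key, as in the script.
JASS_VAR = {"MINWEEKS": "JASS_AGING_MINWEEKS", "MAXWEEKS": "JASS_AGING_MAXWEEKS",
            "WARNWEEKS": "JASS_AGING_WARNWEEKS", "PASSLENGTH": "JASS_PASS_LENGTH"}

# Constructed /etc/default/passwd before hardening (aging keys left empty).
SAMPLE_BEFORE = """# constructed sample of /etc/default/passwd
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
WARNWEEKS=2
"""
# Constructed driver settings; JASS_AGING_WARNWEEKS is deliberately left unset.
JASS_ENV = {"JASS_AGING_MINWEEKS": "1", "JASS_AGING_MAXWEEKS": "8",
            "JASS_PASS_LENGTH": "8"}
# Constructed minimum policy for check_policy (not JASS defaults).
POLICY = {"PASSLENGTH": 8, "MINWEEKS": 1, "WARNWEEKS": 2, "MAXWEEKS": 13}


def parse_defaults(text):
    """KEY=value lines -> dict. Comment lines never match, as with nawk's $1==keyword."""
    values = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values


def apply_password_reqs(text, jass_env):
    """Return (new_text, log) as the finish script would rewrite the file.

    Like the script, nothing is written unless some JASS_* value is set and
    differs from the file. When a change is made, all four keys are stripped
    and only those with a JASS_* value are appended, so a key whose JASS_*
    variable is unset disappears even if the file had it before.
    """
    current = parse_defaults(text)
    log, change = [], False
    for key in KEYS:
        wanted = jass_env.get(JASS_VAR[key], "")
        if wanted and wanted != current.get(key, ""):
            change = True
            log.append("Changing %s setting from %s to %s."
                       % (key, current.get(key) or "NONE", wanted))
    if not change:
        return text, log
    kept = [ln for ln in text.splitlines()
            if not any(ln.startswith(k + "=") for k in KEYS)]  # egrep -v '^KEY='
    for key in KEYS:
        wanted = jass_env.get(JASS_VAR[key], "")
        if wanted:
            kept.append("%s=%s" % (key, wanted))
    return "\n".join(kept) + "\n", log


def check_policy(text, policy=POLICY):
    """Return the sorted deviations of a /etc/default/passwd text from policy."""
    values = parse_defaults(text)
    problems = []
    for key, bound in policy.items():
        raw = values.get(key)
        if raw is None:
            problems.append("%s is not set" % key)
            continue
        try:
            n = int(raw)
        except ValueError:  # empty or garbage value: the key enforces nothing
            problems.append("%s has non-numeric value %r" % (key, raw))
            continue
        if key == "MAXWEEKS":
            if n <= 0 or n > bound:  # no forced change, or one later than policy
                problems.append("MAXWEEKS=%d does not force a change within %d weeks" % (n, bound))
        elif n < bound:
            problems.append("%s=%d is below %d" % (key, n, bound))
    return sorted(problems)


if __name__ == "__main__":
    after, log = apply_password_reqs(SAMPLE_BEFORE, JASS_ENV)
    print("\n".join(log))
    print(after)
    print("before:", check_policy(SAMPLE_BEFORE))
    print("after: ", check_policy(after))
```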

 

Third party assessment document


Type            :             Vendor Assessment
Short Name Question / Description Answer / Value
Name Enter the name
TPA: Project Name Whirlpool project name requesting third party or service provider connection *
TPA: Project Owner Whirlpool project owner requesting third party or service provider connection *
TPA: Business Area Whirlpool business area or process supported by the third party or service provider *
TPA: Service Provider Name Service provider company name *
TPA: Service Provider Contact Service provider or third party contact *
TPA: Target Implementation Date Target implementation date *
TPA: CISO Vendor Chief Information Security Officer (CISO) or equivalent *
TPA: User Directory Choose the user directory used to manage security and provisioning of access on your internal network *
TPA: OS and database List the operating system and database used to manage Whirlpool data Select any number *
Mainframe
Unix
AS400
Windows
Oracle
DB2/UDB
MS SQL
Other
TPA: Datacenter location List the location of the datacenter that hosts Whirlpool data *
Short Name Question / Description Answer / Value Comments
WVA: Organizational Security and Privacy 1 Has a complete and current Information Security policy been established? Yes *
WVA: Organizational Security and Privacy 2 Are retention and destruction requirements documented and followed  for different classifications of data? Yes *
WVA: Organizational Security and Privacy 3 Are  documented guidelines  followed to review relevant laws and regulations; including but not limited to, privacy protection, international privacy law, or data security and their impact to the organizations IS controls? Yes *
WVA: Organizational Security and Privacy 4 Have documented incident management procedures been established to ensure a timely, effective and orderly response to security incidents including coordination with key partners and customers? Yes *
WVA: Organizational Security and Privacy 5 Are documented policies followed for enforcing segregation of duties? Yes *
What types of audits are performed? 2
WVA: Organizational Security and Privacy 6 Are audits performed to ensure compliance of systems with organizational security policies and standards? Yes, external audits are performed on a periodic basis. * SAS-70 , SOX Audit
WVA: Organizational Security and Privacy 7 How often are documented audits/reviews performed of Third Party’s security controls for compliance with service and delivery levels in the agreement? Semi-annually *
WVA: Employment Security 1 Do employees sign a confidentiality (non-disclosure) agreement as part of the initial terms and conditions of employment? Yes *
WVA: Employment Security 2 Are verification (background) investigations conducted on applicants for permanent employment, including third party contractors, vendors, and consultants? Yes for all applicants and is required by contract by any third party vendors *
WVA: Employment Security 3 Are documented guidelines followed for providing security awareness training (SAT) to all personnel? Yes, training is required at least annually *
WVA: Business Continuity 1 Are controls in place  to ensure that back-ups of business information are completed on a regular basis? Yes, full back-ups are performed weekly *
WVA: Business Continuity 2 Are controls in place to ensure that backed-up information, records of the back-up copies, and documented restore procedures be stored in a remote location? Yes, back-up are retained off-site at a distance greater than 15 miles *
WVA: Business Continuity 3 Do policies and procedures exists in to ensure that controls applied to media at the main site are extended to the back-up site? Yes, controls are in place are greater than the main site *
WVA: Physical Security 1 Have controls been established to ensure that physical access to areas with confidential information, and information systems be controlled and restricted to authorized persons only? Yes, documented approval required with physical access controlled by an electronic card key *
WVA: Physical Security 2 Are documented guidelines followed for granting access to visitors? Yes, sign in and data center manager approval required *
When are the audits performed? 2
WVA: Physical Security 3 How often are reviews of access rights to secure areas are conducted? Access rights  are reviewed semi-annually * After Every 6 month(dec and july)
WVA: Physical Security 4 Are controls in place to address the possibility of damage from fire in secure areas? Yes, fire detection in place  with automated fire suppression system in place *
WVA: Physical Security 5 Have controls been established to ensure uninterruptible power supplies (UPS) are put in place to protect critical equipment from power failures? Yes, equipment protected by UPS and generator back-up *
WVA: Software Development 1 Are documented guidelines followed to separate development, test and production (operational) environments? Yes *
WVA: Software Development 2 Are all security requirements identified and justified during the requirements phase of projects? Yes *
WVA: Software Development 3 Are formal procedures and management responsibilities defined and documented to require satisfactory control of all changes to equipment, software or procedures including formal approval, recording, and communication of changes? Yes *
WVA: Software Development 4 Do documented guidelines require static code testing, vulnerability scanning, and web application scanning of applications before migration to production N/A *
WVA: Software Development 5 Do technical compliance checks include static code tests, vulnerability scans, and web application scans for existing systems and applications? Yes, all three types of testing are deployed at every release *
WVA: Software Development 6 Have controls been established to protect the storing of confidential data on local devices ? Yes, local encryption required *
WVA: Security Operations 1 How often are security logs reviewed? Security logs  contain user ID, failed log-ins, and other security events and are reviewed weekly *
WVA: Security Operations 2 Are documented guidelines followed to ensure access controls of mobile devices  (Laptops, PDA’s Etc.) ? Yes, encryption required *
WVA: Security Operations 3 Have all critical systems with real-time clocks had their time set and synchronized with a common Network Time Protocol (NTP) service? Yes *
WVA: Security Operations 4 Are cryptographic systems and techniques used for storage of information that is considered confidential? Yes, for all confidential data *
WVA: Security Operations 5 Have controls been established to ensure the handling of compromised keys? Yes, compromised key is revoked *
WVA: Security Operations 6 How often are security or vulnerability patches applied? Patches are applied more frequently than monthly *
WVA: Security Operations 7 Have controls been established to ensure installation and regular update of anti-virus  software to protect computers on a precautionary or routine basis? Yes, virus definitions are updated daily *
WVA: Security Operations 8 Do the media handling procedures ensure the safe and secure storage of media containing confidential information? Yes *
WVA: Security Operations 9 Do the media handling procedures ensure the safe and secure disposal of electronic media containing confidential information? Yes, media is disposed in a way that renders the data irretrievable *
WVA: Security Operations 10 Do the media handling procedures ensure the safe and secure disposal of paper documents containing confidential information? Yes, media is disposed in a way that renders the document irretrievable *
WVA: Security Operations 11 Is access to the modify job schedules limited to authorized personnel? Yes *
WVA: Security Operations 12 Have mechanisms been implemented to protect electronically published information (web sites, ftp, etc)? Yes, PGP or other enhanced encryption *
WVA: Security Operations 13 Have mechanisms been implemented to protect information on media in transit between organizations (i.e. backup tapes)? Yes, secure package handling controls *
WVA: Security Operations 14 Are the domains with different security needs separated by secure gateways? Yes, DMZ’s exist for internal and external network *
WVA: Security Operations 15 Are documented guidelines followed for the secure exchange of confidential information to prevent  the unauthorized disclosure and misuse? Yes, documented and encryption is always required *
WVA: Security Operations 16 Are documented guidelines followed to safeguard the confidentiality and integrity of data passing over wireless networks? Yes, WEP encryption *
WVA: Security Operations 17 Have mechanisms been implemented to protect confidential information contained in electronic mail (Email) between organizations? Yes, SSL/TLS is required *
WVA: Password Controls 1 Does the authentication method to gain access to the network utilize passwords? Passwords are used *
WVA: Password Controls 2 What is the minimum password length available to end-users? Requires at least 6 characters *
WVA: Password Controls 3 How often are end-users forced to change their passwords? Quarterly *
WVA: Password Controls 4 What are the minimum password complexity requirements being enforced for end-users? Mixed case alphabetic, numeric, and plus special characters *
WVA: Password Controls 5 Are end-users restricted from using previous passwords (password history)? No password re-use restrictions *
WVA: Password Controls 6 Are users forced to change their password during first login? Users are forced to change passwords on first login *
WVA: Password Controls 7 Are passwords hidden during authentication? Passwords characters are masked *
WVA: Password Controls 8 Is a complete & current mechanism in place to report & reset lost or compromised passwords? Secure self service password reset mechanism *
WVA: Infrastructure Access 1 When authentication fails, is the user informed of which portion of the authentication process failed? Message indicates which portion of the authentication process failed *
WVA: Infrastructure Access 2 Are authentication credentials securely communicated across the network? Authentication credentials are securely encrypted using  industry standards *
WVA: Infrastructure Access 3 Are accounts locked after several failed login attempts? Locked after 3 or more failed attempts *
WVA: Infrastructure Access 4 How long before the system automatically re-enables the account after an account lock out? Auto unlock after 30 minutes or more *
WVA: Infrastructure Access 5 How often are accounts reviewed for deactivation (due to inactivity, termination, etc)? Recurring =<6 months *
WVA: Infrastructure Access 6 Have control requirements been established for requesting, establishing, and issuing user accounts? Yes *
WVA: Infrastructure Access 7 How often is a review of  accounts and related privileges conducted? Accounts with access to confidential data are reviewed =<6 months *
WVA: Infrastructure Access 8 Are controls in place to ensure all user activities on IT systems are uniquely identifiable? Yes, all user accounts have unique IDs and are not shared *
WVA: Infrastructure Access 9 Are access rights immediately adjusted for users who have changed jobs? Yes, as requested by management *
WVA: Infrastructure Access 10 Is a documented termination procedure followed which includes the removal of access rights? Yes, process is documented and access is removed within one business day of termination and immediately for emergency termination. *
WVA: Application Password Controls 1 Does the application that houses Whirlpool information conform to the exact access and password controls for your infrastructure? Yes *
WVA: Application Password Controls 2 Does the authentication method to gain access to the application utilize passwords? Passwords are used *
WVA: Application Password Controls 3 What is the minimum password length available to end-users? Requires at least 6 characters *
WVA: Application Password Controls 4 How often are end-users forced to change their passwords for the application? Quarterly *
WVA: Application Password Controls 5 What are the minimum application password complexity requirements being enforced for end-users? Mixed case alphabetic, numeric, and plus special characters *
WVA: Application Password Controls 6 Are end-users restricted from using previous application passwords (password history)? No password re-use restrictions *
WVA: Application Password Controls 7 Are users forced to change their application password during first login? Users are forced to change passwords on first login *
WVA: Application Password Controls 8 Are passwords hidden during authentication? Passwords characters are masked *
WVA: Application Password Controls 9 Is a complete & current mechanism in place to report & reset lost or compromised application passwords? Secure self service password reset mechanism *
WVA: Application Access Controls 1 When the application authentication fails, is the user informed of which portion of the authentication process failed? Message indicates which portion of the authentication process failed *
WVA: Application Access Controls 2 Are application authentication credentials securely communicated across the network? Authentication credentials are securely encrypted using  industry standards *
WVA: Application Access Controls 3 Are application accounts locked after several failed login attempts? Locked after 3 or more failed attempts *
WVA: Application Access Controls 4 How long before the system automatically re-enables the application account after an account lock out? No auto unlock, manual administrator unlock only *
WVA: Application Access Controls 5 How often are application accounts reviewed for deactivation (due to inactivity, termination, etc)? Recurring =<6 months *
WVA: Application Access Controls 6 Have application control requirements been established for requesting, establishing, and issuing user accounts? Yes *
WVA: Application Access Controls 7 How often is a review of  application accounts and related privileges conducted? Accounts with access to confidential data are reviewed =<6 months *
WVA: Application Access Controls 8 Are controls in place to ensure all user activities in the application  are uniquely identifiable? Yes, all user accounts have unique IDs and are not shared *
WVA: Application Access Controls 9 Are application access rights immediately adjusted for users who have changed jobs? Yes, as requested by management *
WVA: Application Access Controls 10 Is a documented termination procedure followed which includes the removal of application access rights? Yes, process is documented and access is removed within one business day of termination and immediately for emergency termination. *
WVA: Vendor Portal Access and Password Control 1 Do you provide access to a web based portal? Yes *
Does is conform with Infrastructure or Application password controls? 2
WVA: Vendor Portal Access and Password Control 2 Does the web portal access and password controls conform to either the infrastructure or application password and access controls? Yes * Yes
WVA: Vendor Portal Access and Password Control 3 Does the authentication method to gain access to the  portal utilize passwords? Passwords are used *
WVA: Vendor Portal Access and Password Control 4 What is the minimum password length available to end-users? Requires at least 6 characters *
WVA: Vendor Portal Access and Password Control 5 How often are end-users forced to change their passwords for the portal ? Quarterly *
WVA: Vendor Portal Access and Password Control 6 What are the minimum portal password complexity requirements being enforced for end-users? Mixed case alphabetic, numeric, and plus special characters *
WVA: Vendor Portal Access and Password Control 7 Are end-users restricted from using previous portal passwords (password history)? No password re-use restrictions *
WVA: Vendor Portal Access and Password Control 8 Are users forced to change their portal password during first login? Users are forced to change passwords on first login *
WVA: Vendor Portal Access and Password Control 9 Are passwords hidden during authentication? Password characters are masked *
WVA: Vendor Portal Access and Password Control 10 Is a complete & current mechanism in place to report & reset lost or compromised portal passwords? Secure self service password reset mechanism *
WVA: Vendor Portal Access and Password Control 11 When the portal authentication fails, is the user informed of which portion of the authentication process failed? Message indicates which portion of the authentication process failed *
WVA: Vendor Portal Access and Password Control 12 Are portal authentication credentials securely communicated across the network? Authentication credentials are securely encrypted using industry standards *
WVA: Vendor Portal Access and Password Control 13 Are portal accounts locked after several failed login attempts? Locked after 3 or more failed attempts *
WVA: Vendor Portal Access and Password Control 14 How long before the system automatically re-enables the portal account after an account lock out? Auto unlock after 30 minutes or more *
WVA: Vendor Portal Access and Password Control 15 How often are portal accounts reviewed for deactivation (due to inactivity, termination, etc)? Recurring =<6 months *
WVA: Vendor Portal Access and Password Control 16 Have portal control requirements been established for requesting, establishing, and issuing user accounts? Yes *
WVA: Vendor Portal Access and Password Control 17 How often is a review of portal accounts and related privileges conducted? Accounts with access to confidential data are reviewed =<6 months *
WVA: Vendor Portal Access and Password Control 18 Are controls in place to ensure all user activities in the portal are uniquely identifiable? Yes, all user accounts have unique IDs and are not shared *
WVA: Vendor Portal Access and Password Control 19 Are portal access rights immediately adjusted for users who have changed jobs? Yes, as requested by management *
WVA: Vendor Portal Access and Password Control 20 Is a documented termination procedure followed which includes the removal of portal access rights? Yes, process is documented and access is removed within one business day of termination and immediately for emergency termination. *
Short Name Question / Description Answer / Value
Vendor Access to Whirlpool Data Types What type of Whirlpool data does the vendor have access to? Select at least 1 *
Employee Compensation
Country Specific Personal ID (e.g. social security number[US], social insurance number[Canada])
Employee Health Information
Employee Criminal Information
Employee Contact Information
Employee Benefits Information
Employee Performance/Talent Ratings
Employee Emergency Contact Information
Employee Demographic Information
Credit Card Information
X Consumer Contact Information
Customer Service Center Call History
Prospective Customer Information
Consumer Demographic Information
Pre-release Financial Information
Business Development Information
Board and Executive Committee Materials
Restructuring Information
Corporate Strategy
Regional Trade Sensitive Information
Aggregate Corporate Forecast and Planning Information
Historical Earnings Information
Capital Plan and Spend Information
Treasury Information
Tax Information
Internal Audit Information
Supply Chain Cost Information
IS Security Incident Information
IS Vulnerability Information
Application Code and Documentation
System Performance Information
Detailed System Information
Vendor Access to Whirlpool Data What type of access does the vendor have to Whirlpool data? Select at least 1 *
X Systemic
Ad hoc or Limited
Read Only Access
Whirlpool Corporation Page 1 of 1 Confidential
No, back-up copies are stored onsite
Yes, DMZ’s exist for internal and external network
Users are not forced to change passwords on first login
Users are forced to change passwords on first login
Manual reset password process via Helpdesk with no user identification mechanism
Manual reset password process via Helpdesk with a mechanism to positively ID user
Ad hoc reviews and updates
Accounts are reviewed on an ad hoc basis