Release Notes for Cisco Broadband Access Center for Cable 4.1

Release Notes for Cisco Broadband Access Center 4.1.0.1
OL-24085-01
    Caveats
Note
Complying with these recommended hardening guidelines does not guarantee the elimination of all 
security threats. However, implementing these recommended guidelines will achieve a higher level of 
security and help manage unforeseen risks.
We recommend that you complete the following activities to harden your systems:

• Ensure that all Sun Microsystems-recommended OS and Security patches have been applied. Contact Sun Microsystems Support to download the recommended patches and check for any applicable updates.

• Disable all unused network services. At a minimum, run the following Solaris command:

    netservices limited

• Use the latest version of the Solaris Security Toolkit to assist with system hardening.

• Disable unused daemons and services, especially services that use network resources; for example:

    svcadm disable svc:/network/smtp:sendmail
    svcadm disable svc:/network/finger:default

• Uninstall all unused applications.

• Apply the highest level of password protection to all network applications and services. Ensure that you change the default passwords.

• Use HTTPS to access the Cisco BAC administrator user interface and disable the HTTP access. HTTP access to the administrator user interface (using port 8100) is enabled by default on the RDU. Currently, there is no way to disable the HTTP service using standard Cisco BAC administrative methods. You can, however, disable HTTP access using the Tomcat server.xml file, which is located at BPR_HOME/rdu/tomcat/conf.

  To do this:

  a. Comment out the HTTP/8100 connector directive in the Tomcat server.xml file. For example:

    <!-- <Connector port="8100" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" redirectPort="9453" acceptCount="100"
    connectionTimeout="20000" disableUploadTimeout="true" /> -->

  b. Reload the Tomcat process to make your changes take effect. For example:

    /etc/init.d/bprAgent restart tomcat
    Process [tomcat] has been restarted.

• If SNMP is not being used to manage the Cisco BAC components, then shut down the SNMP service. The SNMP service is enabled by default on the RDU and DPEs. This SNMP service uses UDP port 8001. You can disable this service for the RDU or a DPE using the snmpAgentCfgUtil.sh stop command from BPR_HOME/snmp/bin. For example:

    ./snmpAgentCfgUtil.sh stop
    Process [snmpAgent] has stopped.
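
To confirm that commenting out the HTTP/8100 connector actually left no plaintext listener in the configuration, the following added example (not part of the Cisco release notes) parses server.xml and reports every active connector that is not marked scheme="https". The sample file contents, the HTTPS connector on 9453 and the script name are constructed for illustration, and running Python against the file or a copy of it is an assumption.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed server.xml fragment modeled on the connector shown above.
# The HTTPS connector on 9453 is an assumption taken from redirectPort.
SAMPLE_BEFORE = """<Server>
  <Service name="Catalina">
    <Connector port="8100" maxHttpHeaderSize="8192"
               enableLookups="false" redirectPort="9453" />
    <Connector port="9453" scheme="https" secure="true" />
  </Service>
</Server>"""

# Same file after step a: the HTTP/8100 connector is inside an XML comment.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    '<Connector port="8100"', '<!-- <Connector port="8100"'
).replace('redirectPort="9453" />', 'redirectPort="9453" /> -->')


def plaintext_connectors(server_xml_text):
    """Return sorted (port, protocol) pairs for active non-HTTPS Connectors.

    ElementTree discards XML comments while parsing, so a correctly
    commented-out connector is not reported. An unterminated comment makes
    the file malformed and raises ParseError, which is also a finding.
    """
    root = ET.fromstring(server_xml_text)
    found = []
    for conn in root.iter("Connector"):
        if conn.get("scheme", "http").lower() != "https":
            found.append((conn.get("port", ""), conn.get("protocol", "HTTP/1.1")))
    return sorted(found)


def http_disabled(server_xml_text, port="8100"):
    """True when no active plaintext Connector is configured on the port."""
    return all(p != port for p, _ in plaintext_connectors(server_xml_text))


if __name__ == "__main__":
    # Usage: python check_connectors.py BPR_HOME/rdu/tomcat/conf/server.xml
    with open(sys.argv[1], encoding="utf-8") as fh:
        leftovers = plaintext_connectors(fh.read())
    for port, proto in leftovers:
        print(f"active plaintext connector: port {port} ({proto})")
    sys.exit(1 if leftovers else 0)
```

A clean result describes the file only; the listener on port 8100 goes away once Tomcat has been restarted as in step b.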
Caveats
For information on the complete list of Cisco BAC bugs, see the BAC4101_BugList.html file in the /docs 
subdirectory of the Cisco BAC CD-ROM, or at the Cisco BAC software download site on