Secretary Janet Napolitano delivered a special Cybersecurity webcast this past Tuesday that I thought would be a good opportunity to share some advancements in using complementary layers of protection for Internet services.
The Internet services environment is just as important for Cybersecurity as your personal computing environment, and I often talk about how information assurance may be improved by following some of our recommendations to limit your exposure to attacks by deploying strong countermeasures. When describing our Cybersecurity capabilities, I like it when we demonstrate how effective protection can be constructed with a little ingenuity and assembled from readily available components. You may have heard me talking about the use of Mandatory Access Control (MAC) when describing systems that are deployed within the U.S. Federal Government, but I need to explain more frequently that MAC has additional benefits for commercial use in the enterprise for Internet services. Our contributions to National Cybersecurity Awareness Month emphasize the mandates that everyone, including those who deploy Internet services, must follow - all of the time - for operating safely online.
Recently, I challenged two of our senior researchers to demonstrate how they enforce MAC with virtualization to confine Internet services with simple security configurations using Solaris. The following information comes from John Weeks and John Totah, showing MAC enforcement that they configured for some interesting security restrictions they have been testing for commercial use. They also layered the MAC protection with what you would ordinarily expect from using all of the other Solaris security features combined with virtualization, e.g., zones, and Internet community sponsored configuration guidelines such as the Center for Internet Security (CIS) benchmarks.
Introduction
Thanks Bill! - We think the use of MAC is a good way to prevent certain kinds of attacks and is also effective for isolating the remote administration for out-of-band management. Traditional implementations for the "zones of trust" concept often relied on the use of network firewall configurations for isolating Internet services from other network resources in an enterprise. We realized a long time ago that network firewall architectures by themselves are insufficient for securing Internet infrastructure for services and applications. We understand that we must also apply many of the critical security controls that are now defined in the Consensus Audit Guidelines (CAG), including operating system confinement techniques. We must also enforce more protection so that the communication endpoints for applications also restrict an attacker from gaining administrative access to other parts of the enterprise. The security failures that we must prevent include improper access control, and the failure to prevent an attacker from manipulating configuration files and manipulating other parts of the environment. The idea of attack resistant architectures is not new, but we want to show a few interesting ways to use Solaris with Trusted Extensions (labeling) enabled as a security container for Internet services.
Too often, we define MAC in terms of labeling to enforce a Multi-Level Security (MLS) policy, and sometimes we unfortunately overlook the value that MAC can bring to a virtualized environment. In addition to filesystem MAC security, Solaris provides trusted networking to enforce MAC policy for labeled network communications. The trusted networking can be used to restrict network connections to one-way inbound connections and also to isolate the administrative network access used to manage the Internet services, such as configuring an application server. The use of MAC for labeled network restrictions is slightly different from only using host-based firewalls: a label is associated with each communication endpoint, the kernel compares the labels for equality, and only if the label comparison succeeds are the firewall rules applied.
The basic MAC concept to start with is that labels are associated with all IP addresses that the Solaris host is authorized to communicate with. Obviously, this includes the IP addresses that are configured for the Solaris physical NIC adapters, and also the virtual NICs that are plumbed up within the Solaris host, as well as any virtualized guest operating systems' virtual NICs. In addition to the labels associated with all the IP addresses, Solaris may be configured to start labeled Solaris zones when Trusted Extensions is enabled. The labeled zones may start processes, including Internet services for applications, that are also associated with the same label as the labeled zone. It is important to understand that if a process inside a labeled zone attempts to initiate a network connection to an IP address of a different label, the connection will not be permitted, based on MAC enforcement by the kernel. However, the interesting MAC enforcement that we have been using with Solaris is based on the configuration of an address for a NIC that uses a different label than the application process that starts in a labeled zone and listens for connections using a construct called a Multi-Level Port (MLP).
The first example is a Sun Glassfish security container using two labeled zones which must be defined with different labels for Solaris to start. The first labeled zone is where we are running a reverse proxy server to control incoming connections destined for the second labeled zone where we have the Glassfish instance running. We restrict remote administration from another network that is specifically designated for out-of-band management. In each of the zones, we use MAC to enforce incoming connections only and we therefore have robust control over the processes that execute in the confined labeled zones.
The second example replaces the Sun Glassfish security container with a Microsoft Internet Information Services (IIS) security container using Sun VirtualBox running Windows Server 2008 with the "Core" installation option. The notable difference between the two examples is that the Glassfish security container uses a Java Virtual Machine (VM) to execute in the restricted labeled zone, while the Microsoft IIS security container uses Sun VirtualBox to execute in a restricted labeled zone.
The Experiment
To test the use of MAC to restrict connection initiation from Internet hosted services to an enterprise network computing environment, we built an example configuration in our lab to demonstrate what could be accomplished using off-the-web components without modification to their source code. We decided to try a simple configuration that would easily show the basic concepts described above. We were pleasantly surprised to find out how easy it was to construct the prototype to show Bill some of the unique value of MAC to benefit customers that are outside our typical U.S. Federal Government deployments. We start with a simplified system configuration with one NIC connected to the Internet, and another NIC for remote administration allowing connections from an out-of-band management network.
Our first test example uses the MAC capabilities of Solaris, the Sun GlassFish Application Server, and the Sun Java System Web Proxy Server running on an Ultra 27 Workstation. We configured a virtual DMZ security container in a dedicated labeled zone where the Sun Java System Web Proxy Server instance is running to control incoming connections destined for web services in other zones.
What's unique about the MAC configuration of the virtual DMZ zone is that the label of the Internet NIC is different from the label of the virtual DMZ labeled zone itself. This means that the MAC policy will allow the Proxy to accept incoming connections, but will not allow the Proxy, or any other process that may run in the virtual DMZ labeled zone, to initiate any outbound connections to applications with listeners using the NIC IP address or through the NIC to any network endpoints.
We also use Solaris IP Filter with traditional host-based firewall rules for the physical NICs as a typical defense-in-depth measure.
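To make the ordering of the two controls concrete, here is a small Python model of the network MAC decision described above: labels on every endpoint address, equality comparison in the kernel, an MLP that lets a labeled zone accept inbound connections from a differently labeled NIC, and IP Filter rules consulted only after the MAC check passes. It is an added illustration, not Solaris code or the authors' configuration; the zone names, labels, addresses and interface names are constructed.

```python
# Simplified model of the Trusted Extensions network MAC decision described
# on this page (added example, not Solaris code). Labels are compared for
# equality only; a Multi-Level Port (MLP) lets a labeled zone accept inbound
# connections from endpoints of a different label; firewall rules run only
# after the MAC check passes. Names, labels and addresses are constructed.

# Label assigned to every address the host may talk to (tnrhdb analogue).
ENDPOINT_LABELS = {
    "203.0.113.10": "INET",   # Internet-facing NIC address
    "203.0.113.77": "INET",   # an Internet client
    "10.9.0.5": "MGMT",       # out-of-band management NIC address
    "10.9.0.100": "MGMT",     # administrator workstation
}

# Labeled zones, each with the ports it exposes as MLPs.
ZONES = {
    "dmz": {"label": "DMZ", "mlp": {80}},                # reverse proxy zone
    "webapp": {"label": "WEBAPP", "mlp": {8080, 4848}},  # GlassFish zone
}

# Host-based IP Filter rules, checked only after MAC passes (default block).
FIREWALL = [
    {"iface": "inet0", "dir": "in", "port": 80, "action": "pass"},
    {"iface": "mgmt0", "dir": "in", "port": 4848, "action": "pass"},
    {"iface": "mgmt0", "dir": "in", "port": 22, "action": "pass"},
]

def mac_check(zone, direction, port, remote_ip):
    """Kernel label comparison: returns (allowed, reason)."""
    z = ZONES[zone]
    remote_label = ENDPOINT_LABELS.get(remote_ip)
    if remote_label is None:
        return False, "remote address has no label"
    if remote_label == z["label"]:
        return True, "labels equal"
    if direction == "in" and port in z["mlp"]:
        return True, "multi-level port accepts other labels"
    return False, f"label {remote_label} != zone label {z['label']}"

def firewall_check(iface, direction, port):
    """IP Filter analogue: first matching rule decides, otherwise block."""
    for r in FIREWALL:
        if (r["iface"], r["dir"], r["port"]) == (iface, direction, port):
            return r["action"] == "pass"
    return False  # default deny

def decide(zone, direction, iface, port, remote_ip):
    """MAC first; firewall rules are consulted only if MAC allows."""
    ok, reason = mac_check(zone, direction, port, remote_ip)
    if not ok:
        return "MAC-DENY: " + reason
    return "PASS" if firewall_check(iface, direction, port) else "FW-BLOCK"
```

Note that the outbound case from the DMZ zone to the Internet is refused by the label comparison before any firewall rule is examined, which is the one-way property the text describes.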
Virtual DMZ/Proxy Security Benefits:
* Contained within a labeled zone
* Configuration prevents any outbound Internet connections
* Remote administration is isolated to strictly allow incoming connections from the out-of-band management network
We then configured a virtual WEBAPP security container in the second labeled zone where the Glassfish instance is running and accepting connections from the reverse proxy server running in the virtual DMZ security container. The next step was to configure a dedicated NIC for the WEBAPP zone that allows access to the GlassFish Application Server Administrative port 4848 from the out-of-band management network.
The resulting configuration allows Internet web browser access through the virtual DMZ labeled zone to the WEBAPP labeled zone, and GlassFish Administrative access from the out-of-band management network. You will notice that the administration of the GlassFish running instance is not accessible from the same network that GlassFish is listening on for the application service, nor is the Glassfish administration accessible from within the WEBAPP labeled zone where GlassFish is running. After having success with the DMZ and WEBAPP configuration, we decided to apply the same concepts and methods to Microsoft IIS. We created a new IIS labeled zone and used VirtualBox to run a Windows image as a guest operating system.
1. Used VBox NAT to redirect listener ports (8090, 8091)
2. Prevented Windows/IIS from initiating any connections to network endpoints outside of the WEBAPP labeled zone
3. Remotely administered Windows via the VRDP port
4. Remotely administered IIS using IIS Manager via port 8172 from the admin network
As you can see, we utilize MAC network isolation within the system, but all external network interfaces are configured as single-level. This means that you could drop such a configuration into an existing enterprise without the need to support labeled networking using the Commercial Internet Protocol Security Option (CIPSO) anywhere in the enterprise.
Other Common Methods to Secure the System
* Follow the National Institute of Standards and Technology (NIST) guidelines to continually manage risks to the enterprise.
* Follow basic concepts that are described in the Immutable Service Containers project.
* Reduce the effective privileges of web components using Solaris Role Based Access Control (RBAC).
* Use Process Rights Management with roles to manage all web services as a role that can't assume the root role.
* Loopback-mount critical system configuration files (e.g., etc/sshd_config) from the global zone into the labeled zone, making them immutable from within the labeled zones.
* Instrument host-based introspection using Solaris Dynamic Tracing (DTrace) and analyze security events with Solaris Auditing.
* Instrument network deep packet inspection using Packet CAPture (PCAP) library interfaces and high performance techniques.
Conclusions
It's nice to see how MAC can be used for protecting Internet services and we look forward to any questions about how much we can effectively improve information assurance using readily available security components. We will be happy to post more of the internal details as a follow up for those who would like to have a better understanding of how MAC protection can help you.
The additional MAC functionality of the OpenSolaris.org Flexible Mandatory Access Control (FMAC) project is extremely effective for imposing even tighter (fine-grained) security controls, and we also welcome your inquiries to see how future FMAC concepts can be beneficial for commercial use.
For the purpose of our initial tests, we omitted a database and the technical controls that we would apply there. However, if anyone is interested, it may be interesting for us to demonstrate the methods and techniques for improving database security. In addition, we can show how e-mail server environments, naming services and other collaboration systems can be protected with MAC to prevent other types of attacks that may be launched to target the Internet services environment.
We are also looking forward to seeing Homeland Security Secretary Janet Napolitano this week to learn more about our real world challenges and urgency for significant improvements.
Thanks again Bill for giving us the challenge and posting our findings that should help to protect Internet services using MAC for commercial use.