Glenn Brunette's Security Weblog


Immutable Service Containers Updates

Tuesday Jul 07, 2009

In my last post, I discussed the Immutable Service Container project and announced the availability of an ISC Construction Kit to automate the creation of OpenSolaris-based ISCs.

Today, I wanted to provide a few updates. Specifically, I would like to announce:

  • a new Immutable Service Container presentation (ODP, PDF) that provides a technical overview of the ISC approach, design goals, and the OpenSolaris implementation available today.
  • an updated Private Virtual Network architecture page highlighting additional network topologies that implement different network isolation strategies. These are a few of the models that are being considered for future ISC Construction Kit updates.
  • an updated Autonomic security architecture page that provides a number of use cases showing ISCs as an essential building block for these kinds of architectures.

Additional architectural content is in development and, as always, I am very interested in your feedback and ideas.

Take care!


Comments:

Wow, Glenn. You figured out how to mount things read-only in a zone, and you renamed Mandatory Access Controls (MAC). Very impressive. You're a security god.

Posted by 69.253.170.95 on July 09, 2009 at 08:42 AM EDT #

Love the sarcasm, keep it coming! ;-) Actually, if you look further into this project, you will find that it is a whole lot more than read-only mounts. It focuses on building images that pre-integrate a majority of security features/capabilities from the OS, including hardening, auditing, packet filtering/NAT, zones, encrypted LOFI (for swap/scratch), and more, all for the singular purpose of secure service delivery. Further, I continue to work with our engineering teams to identify new capabilities and will be integrating those as they are made available in an OpenSolaris release. Further, I am looking at how to expand this notion to other virtualization platforms, including VirtualBox. So, while I appreciate your comment, I have to say that you are completely off base with your conclusion.

Posted by Glenn Brunette on July 09, 2009 at 08:58 AM EDT #
