Today, I am very happy to announce the availability of a new Solaris 10 Security Deep Dive training. This version has been updated for Solaris 10 10/2009 (also known as Update 8). From a security perspective, there have only been a few updates since my last posted version, but it is always good to be current. Items added in this new version include: ZFS user and group quotas, ZFS pre-defined ACL sets, NTPv4, and nss_ldap shadowAccount support. In addition, there was a bit of cleanup throughout and a new example was added for Trusted Extensions.
As usual, I have made this content available in both OpenDocument Format (ODF) and PDF. If you are using Microsoft Office, you can use the Sun MS Office ODF Plugin to read the source document.
For those of you who have downloaded one of the previous versions, thank you! There have been nearly 8,000 downloads of this presentation so far! If you have not had a chance, I would encourage you to download and check out a copy today. It is really amazing how many new and updated security features and capabilities there are in Solaris 10. If you have been away from Solaris (even Solaris 10) for a while, I am sure you will be shocked with what you can do today! As always, feedback is greatly appreciated!
Just in time for the OpenSolaris Developer Conference, we were able to publish new Immutable Service Containers images directly to
the Amazon Web ServicesElastic Compute Cloud (EC2) environment. Previously, I talked about creating ISCs using our security enhanced OpenSolaris 2009.06 AMIs. Today, I am happy to announce that we have taken the next logical step by making available AMIs that fully incorporate the ISC changes. If you want to try out this configuration, simply provision an Immutable Service Containers AMI on EC2. We have made AMIs available in both the U.S. (ami-48c32021) and European (ami-78567d0c) regions. As always, we would love to get your feedback on these images and what you would like to see next!
Just wanted to let everyone know of a new Immutable Service Containers technical presentation (ODF, PDF) that has been posted. This version was delivered last week in Dresden, Germany at the OpenSolaris Developer Conference. This presentation has all of the latest and greatest information particularly on the OpenSolaris ISC Construction Kit. As always, I would love to hear your comments and feedback!
Back in June, we released the very first security hardened virtual machine images for the Amazon Web ServicesElastic Compute Cloud (EC2) environment. These original images were based upon the OpenSolaris 2008.11 release and were configured in accordance with the guidelines published by Sun the Center for Internet Security.
Since its initial release, we have provided an update to offer this image in the European Region. In August, we took another step forward with the release of a security-enhanced image based upon the OpenSolaris 2009.06 release. This image went beyond just the simple hardening of its predecessor to add functionality such as encrypted swap, non-executable stacks and auditing that was enabled by default. With such a strong foundation, it should have been no surprise that it was likely to be used as a foundation for layered functionality. Just this month, for example, we announced the release of an image pre-configured with Drupal (v6.10) along with Apache (v2.2), MySQL (v5.0), and PHP (v5.2).
In parallel, the Immutable Service Containers project was announced back in June. This project was focused on the creation of secure execution environments for services. One of the key deliverables from this project has been the OpenSolaris ISC Construction Kit (Preview) that transforms an OpenSolaris 2009.06 system into an ISC configuration. Interestingly, several of the functional elements used today as part of the security-enhanced AMIs actually got their start as part of the ISC Construction Kit.
This brings us to today. For the first time, we have been able to create ISCs in the Cloud on Amazon EC2! Using the OpenSolaris ISC Construction Kit and the security-enhanced OpenSolaris 2009.06 AMI, we have deployed an ISC that exposes a representative service (in this case, a web server).
HELLO WORLD!
The nice thing about this is that the installation process was essentially the same as the one we used to create our pre-configured OVF image. There were two settings that needed to be adjusted in order for the ISC Construction Kit to properly work on EC2:
export ISC_SVCS_DOCK="fs network zone encrypted_scratch"
export ISC_DOCK_NET_IF_NAME="xnf0"
These two parameters had to be set before running the iscadm.ksh command. The first parameter simply removes steps that have already been completed in the base AMI (or are not needed for EC2). The second parameter changes the network interface name from e1000g0 (default) to xnf0 which is needed on EC2. That's all there was to it!
If you are interested in ISCs and how you can use them in your environment, I would love to hear from you! Also, just in case you missed it, I had the pleasure of joining Hal Stern to discuss ISCs on a recent Innovating@Sun podcast. Check it out and send us your feedback! Thanks in advance!
Over the last few months, I have had a numberofpostings that have talked about security enhanced virtual machine images that we have made available on Amazon Web Services. The goal behind this work was to look at how we could improve baseline security in both virtualized and Cloud Computing computing environments by pre-integrating industry accepted recommended security settings. Organizations leveraging our work would have fewer security steps to undertake as our images were configured to be compliant with the recommendations published by the Center for Internet Security as part of their Solaris Benchmark (adapted for OpenSolaris).
So with this goal in mind, we developed security-enhanced versions of the OpenSolaris 2008.11 and 2009.06 operating systems. The latter went beyond the Center for Internet Security recommendations by also adding support for encrypted swap (as well as enabling auditing and non-executable stacks by default - something that was not done for the 2008.11 version). The next logical step was to validate these images using representative applications and services to illustrate the practiality of having security capabilities pre-integrated into a golden image from which application specific versions can be created.
Building upon the lessons we have learned in the development of the security-enhanced operating system images, today, I am very happy to announce that we have taken a step forward. Using the OpenSolaris 2008.11 image as our foundation, the OpenSolaris on EC2 team with some guidance from Scott Mattoon (all around Drupal Guru!) has installed and pre-configured Drupal (v6.10) along with Apache (v2.2), MySQL (v5.0), and PHP (v5.2). You can read all of the details on the announcement.
There are two things that should be noted about this image. First, no security-relevant changes were necessary to successfully install, configure and test Drupal on this security-enhanced image. While this should likely not come as a surprise, it is an important validation that at least for some (many?) classes of applications, a security tuned golden image can be used as a foundation. This is good news for organizations who are interested in the having a common security baseline for their operating systems. The second thing to note is that MySQL was modified on this image to not listen on the network for connections. This means that the image is compliant with our original security objectives in that it is only exposing required services (e.g., Apache, SSH) and no others by default.
As with all of the others, this is a publicly available AMI (AMI ID: ami-d9ee0eb0) so give it a try and let us know how we can improve it!
Want to give it a spin? Check out the release announcement for more details. The AMI identifier is ami-e56e8f8c! Please send us your feedback!
As always, this work would not have been possible without the extensive support of the OpenSolaris on EC2 team. You are the greatest! Thank you so much for all of your help and support in making these images a reality!
Today, I wanted to provide a few updates. Specifically, I would like to announce:
a new Immutable Service Container presentation (ODP, PDF) that provides a technical overview of the ISC approach, design goals, and the OpenSolaris implementation available today.
an updated Private Virtual Network architecture page highlighting additional network topologies that implement different network isolation strategies. These are a few of the models that are being considered for future ISC Construction Kit updates.
an updated Autonomic security architecture page that provides a number of use cases showing ISCs as an essential building block for these kinds of architectures.
Additional architectural content is in development and as always I am very interested in your feedback and ideas.
While the need for security and integrity is well-recognized, it is less often
well-implemented. Security assessments and industry reports regularly show
how sporadic and inconsistent security configurations become for organizations
both large and small. Published recommended security practices and settings
remain unused in many environments and existing, once secured, deployments
suffer from atrophy due to neglect.
Why is this? There is no one answer. Some organizations are simply unaware of
the security recommendations, tools, and techniques available to them. Others
lack the necessary skill and experience to implement the guidance and maintain
secured configurations. It is not uncommon for these organizations to feel
overwhelmed by the sheer number of recommendations, settings and options. Still
others may feel that security is not an issue in their environment. The list goes
on and on, yet the need for security and integrity has never been more important.
Interestingly, the evolution and convergence of technology is
cultivating new ideas and solutions to help organizations better protect their
services and data. One such idea is being demonstrated by the Immutable Service Container
(ISC) project. Immutable Service Containers are an architectural deployment pattern
used to describe a platform for highly secure service delivery. Building upon concepts
and functionality enabled by operating systems, hypervisors, virtualization, and
networking, ISCs provide a secured container into which a service or set of
services is deployed. Each ISC embodies at its core the key principles inherent
in the Sun Systemic
Security framework including: self-preservation, defense in depth, least
privilege, compartmentalization and proportionality. Further, ISC design borrows
from Cloud Computing principles such as service abstraction, micro-virtualization,
automation, and "fail in place".
By designing service delivery platforms using the Immutable Service Containers mode,
a number of significant security benefits:
For application owners:
ISCs help to protect applications and services from tampering
ISCs provide a consistent set of security interfaces and resources for applications
and services to use
For system administrators:
ISCs isolate services from one another to avoid contamination
ISCs separate service delivery from security enforcement/monitoring
ISCs can be (mostly) pre-configured by security experts
For IT managers:
ISCs creation can be automated, pre-integrating security functionality making them
faster and easier to build and deploy
ISCs leverage industry accepted security practices making them easier to audit and
support
It is expected that Immutable Service Containers will form the most basic
architectural building block for more complex,
highly
dynamic and autonomic
architectures. The goal of the ISC project is to more fully describe the architecture
and attributes of ISCs, their inherent benefits, their construction as well as to
document practical examples using various software applications.
While the notion of ISCs is not based upon any one product or technology, an
instantiation has been recently developed using
OpenSolaris 2009.06. This instantiation offers a pre-integrated configuration
leveraging OpenSolaris security recommended practices and settings. With ISCs,
you are not starting from a blank slate, but rather you can now build upon the
security expertise of others. Let's look at the OpenSolaris-based ISC more closely.
In an ISC configuration, the global zone is treated as a system controller and
exposed services are deployed (only) into their own non-global zones. From a
networking perspective, however, the entire environment is viewed as a single
entity (one IP address) where the global zone acts as a security monitoring and
arbitration point for all of the services running in non-global zones.
As a foundation, this highly optimized environment is pre-configured with:
Non-Global Zone. Exposed services are deployed in a non-global zone. There they can take advantage of the core security benefits enabled by OpenSolaris non-global zones such as restricted access to the kernel, memory, devices, etc. For more information on non-global zone security capabilities, see the Sun BluePrint titled "Understanding the Security Capabilities of Solaris Zones Software". Using a fresh ISC, you can simply install your service into the provided non
-global zone as you normally would.
Further in the ISC model, each non-global zone has its own encrypted scratch space (w/its own ephemeral key), its own persistent storage location, as well as a pre-configured auditing and networking configuration that matches that of the global zone. You do not need to use the
encrypted scratch space or persistent storage, but it is there if you want to take advantage of it. Obviously, additional resource controls (CPU, memory, etc.) can be added as necessary. These are not pre-configured due to the variability of service payloads.
Solaris Auditing. A default audit policy is implemented in the global zone and all non-global zones that tracks login and logout events, administrative events as well as all commands (and command line arguments) executed on the system. The audit configuration and audit trail are kept in the global zone where they cannot be accessed by any of the non-global zones. The audit trail is also pre-configure
d to be delivered by SYSLOG (by default this information is captured in /var/log/auditlog).
Private Virtual Network. A private virtual network is configured by default for all of the non-global zones. This network isolates each non-global zone to its own virtual NIC. By default, the global and non-global zones can freely initiate external communications, although this can be restricted if needed. A non-global zone is not permitted to accept connections, by default. Non-global zone service
s can be exposed through the global zone IP address by adjusting the IP Filter and IP NAT policies (below).
Solaris IP NAT. Each non-global zone is pre-configured to have a private address assigned to its virtual NIC. To allow the non
-global zone to communicate with external systems and networks, an IP NAT policy is implemented. Outgoing connections are masked using the
IP address of the global zone. Incoming connections are redirected based upon the port used to communicate. Beyond simple hardening of the non-global zone (a state which can be altered from within the non-global zone itself), this mechanism ensures that the global zone can control which services are exposed by the non-global zone and on which ports.
Solaris IP Filter. A default packet filtering policy is implemented in the global zone allowing only DHCP (for the exposed network interface) and SSH (to the global zone). Additional rules are available (but disabled) to allow access to non-global zones on an as-needed basis. Further, rules are implemented to deny external access to any non-global zone that has changed its pre-assigned (private) IP address. Packet filtering is pre-configured to log packets to SYSLOG (by default this information is captured in /var/log/ipflog).
So what does all of this really mean? Using the ISC model, you can deploy your services in a micro-virtualized environment that offers protection against kernel-based root kits (and some forms of user-land root kits), offers flexible file system immutability (based upon read-only file systems mounted into the non-global zone), can take advantage of process least privilege and resource controls, and is operated in
a hardened environment where there is a packet filtering, NAT and auditing policy that is effectively out of the reach of the deployed service. This means that should a service be compromised in a non-global zone, it will not be able to impact the integrity or validity of the auditing, packet filtering, and NAT configuration or logs. While you may not be able to stop every form of attack, having reliable audit trails can significantly help to determine the extent of the breach and facilitate recovery.
The following diagram puts all of the pieces together:
Additional private virtual networking models are also being considered. All in all, the ISC model offers a very compelling deployment model. The accessiblity and attractiveness of this model is further enhanced by the availability of an ISC construction kit that allows you to take an OpenSolaris 2009.06 system and convert it to the ISC model with a single command. Sound interesting? Give it a try, come join the project and be sure to send along your feedback
!
It has sure been a busy month and really it has just begun. Today, I am happy to announce the availability of my Solaris 10 Security Deep Dive presentation, updated for the just released Solaris 10 05/2009 (Update 7). From a security perspective, there have only been a few updates since my last posted version, for Solaris 10 10/2008 (Update 6), but it is always good to be current. Of particular interest is a new slide focused on IPsec and IKE. As usual, I have made this content available in both OpenDocument Format (ODF) and PDF. If you are using Microsoft Office, you can use the Sun MS Office ODF Plugin to read the source document.
For those of you who have downloaded one of the previous versions, thank you! There have been nearly 5,000 downloads of this presentation so far! If you have not had a chance, I would encourage you to download and check out a copy today. It is really amazing how many new and updated security features and capabilities there are in Solaris 10. If you have been away from Solaris (even Solaris 10) for a while, I am sure you will be shocked with what you can do today! As always, feedback is greatly appreciated!
Just a few days ago, I announced the availability of a security hardened OpenSolaris AMI for Amazon EC2. Well, the
OpenSolaris on EC2 team has taken the next step by making this image available to our colleagues using the EC2 European Region! This publicly available AMI (AMI ID: ami-d7a189a3) is available today, and just as with the U.S. version, it does not require registration. There is nothing to get in the way of your using them today! Go give it a spin and let us know what you think! Check out the announcement for all of the details.
It is that time again! Work is kicking up over at the Center for Internet Security to update the Solaris 10 security benchmark. As I have previously covered, Sun has been working hand-in-hand with the Center for Internet Security for more than six years to develop best-in-class security hardening guidance for the Solaris operating system.
In recent years, the NSA and DISA have jumped in contributing their time and expertise towards the development of a unified set of Solaris security hardening guidance and best practices. Now is the time for the next step. Over the last several months, these groups have been working to comb through and integrate the recommendations found in the DISA UNIX STIG (Security Technical Implementation Guide) and associated checklist as it relates to Solaris. With this work now complete, an effort has been launched to develop a new draft CIS Solaris 10 Benchmark with these additions.
In addition to this effort, a secondary effort will soon be undertaken to update the Solaris 10 Benchmark for the latest release of the Solaris 10 05/2009 (Update 7). Currently, the Solaris 10 Benchmark supports Solaris 10 11/08 (Update 4). There are not that many things added to Solaris 10 since Solaris 10 11/08 that impact the hardening guide, but there are some items that will impact the Solaris Security Appendix that was published with the last version of the Benchmark.
The reason for my post today, however, is to say that the time is right if you are interested in Solaris, security, and want to get involved! We are always looking for people with a passion to help develop and improve the recommendations and settings in the Solaris 10 Benchmark. Want to learn more? Contact CIS!
As we come to the close of yet another week, I am reminded that this week was different. Unlike most weeks, I was actually off from work, recovering from surgery, and yet at the same time, several of my projects were living lives of their own at CommunityOne West and Java One. Since I could not be there in person to talk about this work, I figured the next best thing was to take a few moments to highlight them here and offer an open invitation to publicly discuss them on their project pages.
There were three Cloud Computing security projects that were discussed and demonstrated this week:
Summary: Sun and the Center for Internet Security have been working together for over six years to promote enterprise-class security best practices for the Solaris OS. Building upon their latest success, the Solaris 10 Security Benchmark, they have adapted its security guidance to the OpenSolaris platform and today are announcing the availability of a virtual machine image pre-configured with these settings.
Key Points: Sun is the first commercial vendor to publish and make freely available a hardened virtual machine image - secured using industry accepted best practices. Images will be made available for both Amazon EC2 and Sun Cloud.
Summary: Security is a key concern for customers everywhere, and the Cloud is no exception. Customers who are concerned about the confidentiality of their information should encrypt their data before sending it to the Cloud. This utility simplifies the process of encrypting files and storing them in the Cloud (as well as decrypting them after they have been retrieved).
Key Points: The tools leverage strong, industry standard encryption (AES 256-bit) but are configurable to accommodate other algorithms and key sizes. The tools can leverage the cryptographic acceleration capabilities of systems configured with Sun's UltraSPARC T2 (Niagara 2) processor enabling ~7x speed improvement over software encryption. The tools support multiple client platforms and multiple cloud providers today including Sun Cloud and Amazon S3.
Summary: Customers often encrypt their backups before sending them off-site for storage, so why should the Cloud be any different. This utility integrates with the OpenSolaris ZFS automatic snapshot service to automatically encrypt the content before storing it into the Cloud. This way, backup data is always stored in an encrypted form in the Cloud and the decryption keys never leave your organization. Recovery is as easy as downloading and decrypting the snapshots (using the Cloud Safety Box tool, for example) and reverting to those snapshots using standard ZFS methods.
Key Points: The tool leverages strong, industry standard encryption (AES 256-bit) but is configurable to accommodate other algorithms and key sizes. The tool can leverage the cryptographic acceleration capabilities of systems configured with Sun's UltraSPARC T2 (Niagara 2) processor enabling ~7x speed improvement over software encryption. The tool supports multiple cloud providers today including Sun Cloud and Amazon S3.
Each of these projects were also highlighted during the Cloud Computing keynote delivered by Lew Tucker (VP/CTO, Cloud Computing) as shown in the replay, starting about 2:18 seconds into this video:
In addition, the Cloud Safety Box and ZFS Encrypted Backups projects were demonstrated at the Sun Cloud demonstrations pods and were featured prominently on both the Sun Cloud Computing landing page as well as on Project Kenai. Click the snapshots below for larger versions:
If you have not already, please give these projects a look and send me feedback! Cloud Computing security is in its infancy in many ways, and these projects are just a start down a long and winding road. I remain convinced as ever that Cloud Computing will have a role to play in raising the information security bar for everyone, but we still have work to do! As a teaser, I would say that this is just the beginning and we have quite a number of other tricks still up our sleeves! So stay tuned and send along your ideas and feedback!
Perhaps I am a bit sensitive to the topic of security, but I could not let a "first" go by without comment. Back in 1999 and 2000, Sun was _the_ first commercial operating system vendor to publish not only detailed security guidance but also a tool that allowed organizations to harden the security configuration of their systems in accordance with Sun's best practices and their own policies. That tool, known as the Solaris Security Toolkit, continued to be enhanced and evolve for nearly a decade supporting new versions of the Solaris OS and adding new capabilities such as auditing. Recently, it has taken its next step forward as an OpenSolaris project. Best of luck to Jason (the new project leader)!
But, this was not the _first_ that compelled me to write today. Yes, there has been another!
Building upon this solid foundation, this week, Sun and the Center for Internet Security are proud to announce a new _first_. We have collaborated to adapt the security recommendations published in the Solaris 10 Benchmark to the OpenSolaris operating system. This alone may be an interesting _first_, but we have gone farther. We have adapted the recommendations to meet the needs of virtual machine images running in Cloud Computing environments. All of our findings and recommendations are freely available and can be found at the Sun OpenSolaris AMI Hardening Wiki. But that is not all!
We have worked with the Sun's OpenSolaris on EC2 team to develop the _first_ vendor-provided machine image that has been hardened based upon industry-accepted and vendor supported security recommendations. As a further commitment to our "Secure by Default" strategy, we have made this AMI publicly available (AMI ID: ami-35ac4a5c) so that anyone can quickly and easily make use of it without having to apply the security hardening steps manually. Interested? Learn more about this AMI from the OpenSolaris on EC2 announcement. Of course, this will also be available for the Sun Cloud too!
Special thanks to Blake Frantz (CIS), Lew Tucker (Sun), Sujeet Vasudevan (Sun), and Divyen Patel (Sun) - without whom this new _first_ would not have been possible!
It must be that time of year again. At Sun's Customer Engineering Conference this year, I unveiled the latest update to my Solaris 10 Security Deep Dive Presentation. This version has been updated based upon Solaris 10 10/08 (Update 6) which means it is in sync with the most recently shipping version of Solaris 10. This version is in OpenDocument Format. Should you want a PDF version, you can use this copy.
The last update that I had posted was downloaded more than 2,000 times. That is a great number for such a specialized and technical topic. With all of these downloads, however, I have yet to hear from you! Please be sure to send along your feedback! I am particularly interested in things like:
Does the content meet your needs? How can it be improved?
What are your security requirements not met today by Solaris 10? What is your wish list?
Is their content where you would like more detailed information (e.g., a BluePrint)?
As I said in my last Solaris 10 Security Update... If you have not taken a look into what Solaris 10 can offer recently, you really must give it a look! Also, be on the look out for a posting very soon on a project called Immutable Service Containers. With that as a teaser, I will sign off for today...
Take care!
Just a quick heads-up note to say that the official Sun location for the Solaris 10 security recommendations
documents has changed. While you can still get to the content from the OpenSolaris Security Community Library page, the new location is on sun.com.
The recommendations documents have been bundled into an archive so that they can be more easily downloaded in a single step. The individual documents are still available and can be downloaded at:
