Jim Laurent's Weblog

Each year the Defense Information Systems Agency hosts a customer conference all their customers.  DISA is responsible for hosting, designing and operating DoD datacenters, networks and critical command and control programs. The DISA customer conference is attended each year by 3000-4000 IT professionals throughout the US DoD and other countries. This year's conference is in sunny Orlando and Sun Federal will again be attending to demonstrate some of our advanced technologies for desktop virtualization, security, identity management and more. Here's a preview of what you will see when you visit our booth (or in case you can't come to the conference).  The Sun team at the booth will be happy to answer any questions you have about this or any of Sun's products and services.  Among the things you need to know about Sun is that we are the largest commercial contributor to the open source software communities. Come visit us May 5-8 at booth # 331.

Sun Ray Ultra-Thin Client Technology

This innovative solution to current desktop cost and management issues can significantly reduce costs while increasing user flexibility, mobility and security.  Weighing less than a pound and with no moving parts Sun Ray is ecologically better than a PC.  It last longer, uses less energy, makes less noise and fills fewer landfills. The Sun Ray DTU can be used to display a Solaris, Windows, Linux or mainframe desktop environment.  Sun Rays have been deployed by the thousands at Sun, US Navy, Verizon and as part of the DoDIIS Trusted Workstation program among many other customers.

Trusted, multi-level Operating System 

Do you need to share confidential data while knowing exactly who has access? Sun's award winning open source Solaris 10 operating system with Trusted Extensions provides a robust, scalable security solution for customers with multiple levels or compartments of data access.  Sun, HP, IBM and Dell platforms (Sparc or X64) are fully supported.  Dell, Fujitsu and IBM are OEMs for Solaris on their platforms. Solaris 10 is Common Criteria evaluated.

Screenshot: Solaris 10 displaying MS Windows and Red Hat 5 in windows of different classifications on the same screen.

 

Identity management implementing the DoD 2875 process

The 2875 demonstration was created to show the feasibility of using the Sun Java Systems Identity Manager Suite to manage the SYSTEM AUTHORIZATION ACCESS REQUEST (SAAR) process. This process is used through out the Federal Government as a method for end users requesting access to systems. Sun IDM automates, audits and simplifies the process.

Sun Modular DataCenter

The Sun Modular Datacenter is a low cost, quick deploying solution for those who are running out of data center space and need additional computing power quickly with lower real estate, power and cooling costs.  Although the actual Modular Datacenter truck will not be here, we will have a scale model for you to enjoy.

Photo: The Sun Modular Datacenter on tour at the Pentagon in April with a small contingent of the Sun Federal Sales and Marketing team. 

Windows/Linux interoperability

Sun is a full OEM for MS Windows and Red Hat operating systems.  We sell and support both OSes on our market leading Intel and AMD based servers.  As a licensee of MS technologies, Solaris interoperates well with your existing desktop infrastructure. 

Capacity based computing

Sun is one of the winners in the DISA Capacity Computing contract awarded in 2006.  Using this contract, DISA purchases Solaris computing cycles as a managed service based upon actual metered utilization. Sun provides systems and capacity management in DISA datacenters while speeding procurement cycles, reducing capital expenditures and consolidating applications. Ask us about how this contract can work for you.

Partners joining Sun in our booth include:

Mitel is a leading provider of communications solutions for a range of organizations.  Their integration of Sun's Ultra-thin client with a VOIP telephone handset can significantly reduce desktop device costs while increasing flexibility, security and user mobility.  This intelligent phone ties your phone session and you desktop computing session to your identity and smart card for increased convenience.

BlueSpace - sponsored by Sterling Computers. BlueSpace is an enterprise software company based in Austin, Texas, that provides electronic messaging and mail software as well as multi-level secure (MLS) middleware to enable MLS applications. TransMail Trusted Edition is a version of TransMail specifically designed for the defense and intelligence communities. It integrates with Solaris 10 with Trusted Extensions to provide label security support, while providing the user with a single, multi-level inbox. TransMail Trusted Edition is the first commercial-off-the-shelf (COTS) end user, multi-level secure application.

Dynamic Systems is an information technology infrastructure expert and Sun Microsystems Value Added Reseller.  Dynamic Systems holds the SSTEW contract which offers extended warranty, maintenance, education, and professional services for all Sun Microsystems® products. The extended warranty and maintenance covered in this contract includes flexible and comprehensive hardware and software support ranging from basic to mission-critical service.This 8(a) set aside Blanket Purchase Agreement that offers time and money saving options through order consolidation and volume discounts. SSTEW is an Enterprise Software Agreement (ESA) under the DoD Enterprise Software Initiative (ESI).

We're looking forward to seeing you in Orlando. 

The Sun Modular Data Center (aka Project Blackbox) is on a nationwide tour.  It spent part of last week in the Washington D. C area.  It had stops in northwest DC, two days at the Pentagon and Sun's Annapolis Junction office (near Ft. Meade and the National Security Agency).  This week it's traveling to Ft. Monmouth.

Check out the tour schedule to see if it's coming to a world-wide location near you.  It also won an award at the Federal Office System Exhibition for Best in show (category: Other, I guess there was no specific category for large transportable data centers ;>)

They don't like you taking pictures of the Pentagon.  Because I respect guards with large caliber weapons, these photos are taken with my back to the Pentagon south wall.  The truck (with its operational data center, chiller and generator) were parked in the south parking lot within a couple hundred feet of the building.  We had quite a few visitors over two days including a 3-star general.  At least once we saw the SecDef drive by, and I heard on the news that the President was in the building that day being briefed by the Joint Chiefs of Staff.  He didn't stop by to say "Hi," however.

We received some powerful feedback including comments such as, "I could have used about 30 of these at the beginning of the war and save a lot of money." 

A small contingent of the Sun Federal Sales and Marketing team was there to provide tours and information (as well as collect any orders!)  To date, Sun has shipped a number of Modular Data Centers including two to the Stanford Linear Accelerator and one near Moscow. 

If you are interested in deploying data center capacity quickly, at a low cost and in an energy efficient manner, contact us at 703-204-4100.   It's only 20 feet long, 8 feet wide and can accommodate 240 rack units of your favorite Sun or other vendor's equipment.  It can be located nearly anywhere.

 

The spiky things in the background are the recently dedicated US Air Force memorial.

 

The Sun Federal Sales and Marketing team 

 

A view of the back doors during a tour 

 

Last week I attended:

3rd Annual DoD Open Conference
Sponsored by AFEI in McLean VA.  December 11-12th
Sun Attendees:  Jim Laurent, Tom Syster, Bill Vass (Keynote speaker) Paul Tatum
Agenda:  http://www.afei.org/brochure/8a03/index.cfm

This is an annual conference attended by government, industry and consultants (Mitre/IDA) to discuss open source technology, open systems and open development methodologies.  Approximately 100 people in attendance.  The President and COO of Sun Federal Bill Vass was one of the keynote speakers.

It's clear from attending this conference again (this is my third time) that there is no avoiding the use of open source tools in the Federal Government.  Whether it is something as simple as glassfish and openssh or more advanced technologies like the UltraSPARC T1 and T2 processors, open source is everywhere in the DoD.

Nick Guertin, Directory Open Arch. PEO IWS Navy

Discussed the Navy's open architecture designed to achieve modularity, interoperability, standards compliance.
Discussed business issues and licensing issues around open source

Mark Tolliver, President of Palamida SW.  (formerly of Sun Micro)

Palamdia delivers auditing and compliance software that compares your software build to existing DB of open source projects providing you with an audit of which OSS you are using, there versions etc.

His experience in code analysis indicates that most projects consist of 30-50% open source components.  Many of these are often found to be below rev and have security vulnerabilities.  Most projects have 50% to 300% MORE OSS than they think they do.

Primary message:  Control your SW supply chain through:
    Policy
    Education
    Transparency
    Compliance (his SW can help, of course)

Mentioned Solaris/OpenSolaris

Bill Vass discussed the value of OSS and Sun's use of it.

OSS is unstoppable because of:
    Security benefits
    Cost
    No vendor lockin

Bill reviewed Sun's strong position in the open source communities and our benefits derived from open sourcing Solaris, Glassfish, OpenOffice etc.  Handed out complete JES CD kits to all attending.  (Sun was a platinum sponsor for the conference.)

He then lead a panel for Q and A including Dewey Houck of Boeing and Bob Gourley, former CIO of DIA.  Intelligence agencies a big proponent of open source.  There was active participation from the audience.

I received feedback from several people during the breaks at the Sun table that they didn't know Sun was so active and aggressive in the OSS community.

Terry Bollinger ASD/NII discussed open Source Governance including:

Evaluation of OSS
    Creating policy
    Auditing
    Education
    Monitoring

Don Adams of Tibco discussed their Open AJAX toolkit known as Bossie.

Eric Pugh of OpenSource Connections discussed the use of the "Agile Methodology" and open source development for thePathFinder program, NGIC and GCGS-A.   www.agilemanifesto.org

Chris Runge of Red Hat provided two case studies of how open source technologies allowed something to happen that was "impossible otherwise."

NSA dev of SE Linux being incorporated into productions OSes such as RHAT and Suse.  First MLS OS that is part of the standard OS distribution

Real-time Linux enhancements working with IBM, and DDG-1000 (aka DDX program) in the Navy.
RHEL 4 + Real time kernel + IBM RT Java + Blade servers

Coming Soon:  Red Hat MRG = RHEL 5.1 = Messaging toolkit + Real time + Grid technologies
Important in financial/trading communities

Nick Weatherby of the Open Source Software Initiative discussed how industry is trying to facilitate OSS adoption by working with Government.

Created Government Technology Task Force to help accelerate and clear out obstancles in standards, procurement, legal issues.  Working with DISA, DoNavy, Army, AF, OSD, JFCOM, DHS, Justice, etc

Example:  FIPS 140-2 validation of the Open SSH libraries

working on IAVA security validation and Common Criteria process for Open Source

Ball Aerospace rep provided a case study of how they took a GeoSpatial toolkit developed for the government through the process of putting it on a public open source project.  Goal was to increase adoption of their framework thereby increasing their bus. oppty for consulting services.
Obstacles included ITAR approvals, Legal, internal politics, ownership issues.

Ed Beck of CSC in NJ

discussed how they used open source modules to reduce costs and increase speed in their deployment of an AEGIS missile update for Display console and systems management tools
Display console now 60% open source based
Sys. Mgt. tools now 40% OSS based

#1 issue was licensing.  DoD is very sensitive about the fact that using the GPL license might mean giving away technology to the bad guys.  Tools used included tcl/tk, Flex/Bison, XPM, Mozilla, etc

BG Gen. Nick Justice of the US Army

discussed value and benefit of OSS in the DoD including acceleration of mission apps, lower cost, increased security etc.  Mentioned Red Hat several times.  FBPC2 is a huge RH deployment.  Future Combat System (FCS) is apparently also going to RHEL.

General Justice is a very engaging and entertaining speaker.  By all means, if you get a chance to here him speak, do it.  He is one of the few high level military people who runs Linux on is laptop.

Andre Boisvert of Pentaho SW (formerly at Oracle, IBM and SAS institute)

Discussed how he had worked at various proprietary, closed source companies and has invested money in 3 new ventures using only open source.
OSS provides:
    Better Code
    Faster innovation
    Self policing of quality, security

Pentaho provides OSS business intelligence including ETL, OLAP etc
Zenoss provides OSS Systems management based on Python
Compiere for OSS ERP SW
Described OSS as a "disruptive force in the SW industry."

KS Shanker of IBM Federal

discussed the security aspects of open source and how he took the linux community through the Common Criteria eval process even though they didn't think it mattered originally.

David Wheeler of Institute for Defense Analysis discussed the security aspects of OSS
Vendor lockin = a security problem.
Open design is a fundamental in creating a secure systems
"Would the Trojan Horse have worked if it had been made of glass?"

Not ALL OSS is secure:
    Developers need to have security skills
    Needs to be widely used and reviewed
    Problems must be fixed on demand when found.

When I asked him when IBM was going to release its huge software portfolio (Tivoli, z-OS, ClearCase, AIX, WebSphere) to the open source community, he responded by pointing out that Websphere has incorporated Apache as its web server.  That sound to me like taking from the OSS community rather than giving.

Booz Allen Hamilton rep discussed the use of an Open Source Security Test Methodology.

If you've never heard of our Sun Ray thin client technology, you are missing the opportunity to save some real money while increasing your data security. You can read more about Sun Ray thin clients in my previous blog entry.  You don't have to believe me, however, see for yourself how the Navy's Integrated Warfare Systems Laboratory deployed 270 Sun Rays.

Some of the benefits they experienced include:

• Improved performance over previous X terminal solution
• Exceeded capabilities of existing, aging solution
• Provided a solution that complied with security requirements
• Reduced client deployment time by 80%
• Simplified maintenance, updating only four servers instead of hundreds of desktops
• Reduced cost per client by 50% to approximately $500 with a savings of about $500 per client

Why should you care?

Saves you money.  Enough said! 

 

Recently Scott McNealy spoke to the Sun OS Ambassadors at our semi-annual conference in Menlo Park CA.  He told us that he is frequently asked by customers:

• Why Sun is doing this whole "open source" thing and giving away software for free?
• How can Sun expect to make any money with free software?
• How is this good for customers?
  

He gave us his five reasons.

1. Free means low barrier to entry.  Stated another way, "College students and developers don't pay for software anyway, we want to make sure that the software they're using is Sun's, so why not give it to them." By providing our core OS, developer tools and web infrastructure tools to students, companies and independent developers at no charge, we gain mind share among those people who "join things rather than buy things."  When they move into the enterprise, they will start buying products and support from those companies with which they are familiar.
   
2. Open source as a research and development multiplier.  Sun can multiply our $2 billion in R&D funds by leveraging the R&D of the open source communities.  Open sourcing of Java, OpenOffice, Solaris and other technologies allows us to take advantage of the HUGE R&D budgets of IBM, ATT, Nokia and others.  Not to mention the plentiful resources in the emerging markets in China, India and South America.
   
3. Security. Whitfield Diffie has said, "the secret to strong security: less reliance on secrets."  As an anecdotal example, Java is the single largest platform in the world installed on billions of devices (much more widely deployed than MS Windows).  Yet you would be hard pressed to name a Java virus.  This is due in part to its open, community driven development model.
4. Partnering and proliferation of our technology.  Having the Sparc processor technology easily licensed, for example, has allowed our partner Fujitsu to design their own implementation of the Sparc V9 chip architecture.  As a result, our new M-series servers are available from both Sun and Fujitsu providing a dual-source option for customers.  Products from both companies run Solaris and our other software products.  Since open sourcing the UltraSparc T1 chip design, at least two other implementations have been designed for embedded devices further opening new markets to Sun's intellectual property.
   
5. Low barriers to exit.  By conforming to open document formats and web standards we can ensure our customers that they won't have that "locked-in feeling" they get when they choose Microsoft, Oracle, BEA, z/OS or other proprietary product families.  The cost to exit these proprietary technologies dwarfs the acquisition costs.  Sun can help reduce customers' cost to exit by using open standards and open source implementations.  This also provides customers with more choice.  In the case of ODF, for example, customers can now choose office automation packages from Adobe, Sun, IBM, Google or the free OpenOffice suite rather than having the data held hostage by proprietary MS Office formats. They can choose to run these suites on Windows, MacOS, Solaris, BSD or any of the Linux variants.
   

Why should you care?

To summarize, Sun's strategy of making our products free and open is designed to make the entire planet familiar with Sun's products.  We then have the opportunity to offer support, services, training and systems for their enterprise computing needs. This helps customers by providing them more choices at lower cost and allowing them to move from one vendor to another more easily.

You might remember my earlier blog entry about DoD security guidelines for Solaris.  As a result of Sun Federal's recent contract award from DISA for Capacity Computing services, I've been working to implement the DISA Security Technical Implementation Guidelines (STIGs) using the Solaris Security Toolkit (Wow, what a mouthful).

I started with some customization work that was done by the DISA GCCS program office.  I modified and updated it to meet most of the current STIG requirements.  I've heard many horror stories about how long it takes to secure a system properly and obtain "Authority To Connect" to a DoD network.

 I'm happy to say that the profile I've built runs in about 2 minutes on my Acer Ferrari 3400 laptop.

 First, some background!

What is the Solaris Security Toolkit?

The SST is a toolkit produced and supported by Sun to simplify and automate the process of securing a Solaris system.  The current version 4.2 support Solaris 8, 9 and 10.  It includes audit and undo modes in addition to the hardening mode.  If you plan to use it, make sure that you also apply the latest patch 122608 from sunsolve.sun.com.  It is very customizable for your site requirements.  I have been trying to get the DISA Field Security Office to adopt and customize the SST for over two years but have not yet succeeded.

What are the STIGs?

These are security guidelines provided by the DISA Field Security Office to DoD users for securing Solaris and other Unix/Linux platforms.  Most of the recommendations make sense but there are a few silly ones.  There is a detailed book as well as a checklist and somewhat automated set of Security Readiness Review (SRR) scripts to check the work that you've done.  The scripts are NOT perfect and sometime provide false findings.  More on that later.

What were your results?

I downloaded and ran the latest DISA SRR scripts from March 2007 before applying the SST and afterward. I also ran the little script below to finish up the final few operations. During the "Manual Review" portion, I answered "Not a finding" for all the questions.  This means that the differences listed here are those detected by the automated portion of the SRR. 

Before
Finding Counts:
CAT I = 5/123, CAT II = 53/340, CAT III = 11/57, CAT IV = 1/5

After:
Finding Counts:
CAT I = 4/123, CAT II = 13/340, CAT III = 4/57, CAT IV = 0/5

Some of the remaining findings are false positives or out of the scope of the toolkit.  Some examples include:

Finding	Category (1 is highest)	Explanation
Recommended patches not installed	2	They are but the script doesn't appear to  detect them properly
Core Dumps not disabled	3	They are but the script doesn't detect properly
inetd disabled	2	It's enabled but the script looks in inetd.conf which is no longer used in Solaris 10
Various Sendmail configuration file issues	1 and 2	Sendmail is disabled with svcadm
IP forwarding should be disabled	2	Script looks for /etc/notrouter which is no longer used.  Solaris 10 uses routeadm.

 Great, I want it now, what do I do?

1. Install Solaris
2. Install the latest recommended patches for Solaris (SunSolve access required)
3. Download and install the Solaris Security toolkit
4. Download and install the SST patch 122608. (SunSolve access required)
   
5. Download this tarball containing the customized files and User Guide (please read the User Guide)
   
6. cd /opt/SUNWjass
7. tar xvf <path to tar file>
   
8. Execute: time /opt/SUNWjass/bin/jass-execute -d /opt/SUNWjass/Drivers/GCCS.secure.driver -o <output file>
9. Reboot your system
10. Run the SRR scripts
    

Caveats

• I have NOT tested this in a production DoD site or run it with a DISA security officer observing.  I have only tested it on my laptop using Solaris 10 11/06.
  
• Use this profile at your own risk.  I am providing it for your convenience and provide no warranty.
• The SST profile cannot automate everything or install anti-virus software as required.
• I have an additional script that does some final items. (see below)
  

Benefits of the Solaris Security toolkit

• Because it is automated, it can produce repeatable, predictable results
• Because is supports Solaris 8, 9 and 10, (on both Sparc and X64/86 platforms) it can be used throughout your enterprise
• Because it is provided, supported and updated by Sun, it can be depended upon to "do the right thing" as Solaris is updated.
• It can be used in the global or non-global zones of Solaris 10.
• It is easily customized for your particular site requirements.
• It has an "undo" feature
• Speed and accuracy.  The toolkit can complete in a few minutes what would normally take hours of error prone text editing.
• Simple.  A single command does all the work.
  

Feedback

I'm interested in your feedback on how it worked for you, where my errors are and what additional capabilities you have given it.  Add a comment below. 

A quick script to do a little more.

Because of a lack of knowledge of the tool and lack of time, this script completes the last few operations

# This script attempts to complete the processes not done by the JASS toolkit
# items here are those documented in the User's guide
# They are here because I have not yet implemented them as part
# of th STIG toolkit
# 12/21/06 jlaurent

# tighten permissions on the Man pages
echo "Current man page permissions"
ls -ld /usr/share/man
ls -ld /usr/share/info
ls -ld /usr/share/infopa
ls -ld /usr/sfw/share/man
echo "Setting man page perms to 644"

find /usr/share/man -type f -exec chmod 644 `{}` \;
find /usr/share/info -type f -exec chmod 644 `{}` \;
find /usr/share/infopa -type f -exec chmod 644 `{}` \;
find /usr/sfw/share/man -type f -exec chmod 644 `{}` \;
echo "New man page permissions"
ls -ld /usr/share/man
ls -ld /usr/share/info
ls -ld /usr/share/infopa
ls -ld /usr/sfw/share/man

#same for various other files and directories
echo "Current /var/audit permissions "
ls -ld /var/audit
echo "Setting /var/audit perms to 700"
chmod 700 /var/audit
echo "New /var/audit permissions "
ls -ld /var/audit

#same for various other files and directories
echo "Current /etc/ftpd/ftpusers permissions"
ls -ld /etc/ftpd/ftpusers
echo "Setting /etc/ftpd/ftpusers perms to 640"
chmod 640 /etc/ftpd/ftpusers
echo "New /etc/ftpd/ftpusers "
ls -ld /etc/ftpd/ftpusers

echo "Current permissions for at.deny, at.allow, cron.deny, cron.allow"
ls -l /etc/cron.d/at.deny /etc/cron.d/at.allow /etc/cron.d/cron.deny /etc/cron.d/cron.allow
echo "Set permissions at.deny, at.allow, cron.deny, cron.allow for to 600"
chmod 600 /etc/cron.d/at.deny /etc/cron.d/at.allow /etc/cron.d/cron.deny /etc/cron.d/cron.allow
echo "New permissions for at.deny, at.allow, cron.deny, cron.allow"
ls -l /etc/cron.d/at.deny /etc/cron.d/at.allow /etc/cron.d/cron.deny /etc/cron.d/cron.allow

echo "Current traceroute permissions "
ls -l /usr/sbin/traceroute
echo "Setting traceroute perms to 4700"
chmod 4700 /usr/sbin/traceroute
echo "New traceroute permissions "
ls -l /usr/sbin/traceroute

echo "Current /etc/inet/inetd.conf permissions "
ls -l /etc/inet/inetd.conf
echo "Setting /etc/inet/inetd.conf perms to 440"
chmod 440 /etc/inet/inetd.conf
echo "New /etc/inet/inetd.conf permissions "
ls -l /etc/inet/inetd.conf

echo "Current /etc/syslog.conf permissions "
ls -l /etc/syslog.conf
echo "Setting /etc/syslog.conf perms to 640"
chmod 640 /etc/syslog.conf
echo "New /etc/syslog.conf permissions "
ls -l /etc/syslog.conf

echo "Current /var/crash permissions "
ls -ld /var/crash
echo "Setting /var/crash perms to 700"
chmod 700 /var/crash
echo "New /var/crash permissions "
ls -ld /var/crash

# changing root umask to 077 in /root/.profile and /root/.cshrc
echo "Changing root umask to 077 in /root/.profile and /root/.cshrc"
cat /root/.profile |sed "s/umask .../umask 077/g" > /root/.profile.tmp
mv /root/.profile.tmp /root/.profile
cat /root/.cshrc |sed "s/umask .../umask 077/g" > /root/.cshrc.tmp
mv  /root/.cshrc.tmp /root/.cshrc

echo "Please review the umask for .profile"
grep umask /root/.profile
echo "Please review the umask for .cshrc"
grep umask /root/.cshrc


# disable core dumps
echo "Original core configuration"
coreadm

echo "Disabling core dumps"
coreadm -d global
echo "New core configuration"
coreadm

Why should you care?

 Securing a computer for use on the DoD networks can be a difficult and time-consuming task.  These tools will help you deliver you mission faster, more reliably and securely.

 

Red Hat and IBM recently announced the completion of an EAL4+ CC evaluation.  Those who follow my blog religiously (I know that you're out there), know that I have discussed the Common Criteria several times before here and here.  What most don't know is that there are a wide range of features that can result in a completed CC evaluation.

RH and IBM indeed have the same certification tests done on paper that Sun plans to achieve for the Open Source Solaris 10 with Trusted Extensions; however, WHAT they tested and WHAT customers can use and be in compliance with the test parameters is NOT AT ALL on par with what we are doing in Solaris 10 with Trusted Extensions.

The most important part of a CC Evaluation is the "Security Target."  The ST defines what will and what will NOT be considered part of the evaluation.  Red Hat and IBM's Security Target eliminates a number of key features and significantly reduces the functions available to the user.

The evaluation doesn't tell the whole story at all. Each evaluation must be looked at very closely to see exactly what was tested and what was claimed.

• Red Hat's LSPP security policy file can be hundreds or thousands of lines long and thus potential prone to more error. Solaris Trusted Extensions uses a series of small, easily verified files and enforcement of the policy always take place, even with administrative processes.
• Solaris Trusted Extensions include the Solaris Management Console GUI for configuration.
  
• Sun's Solaris with Trusted Extensions can be deployed very rapidly using existing applications in a matter of minutes. This keeps the security policy simple and easy to verify and the protection provided is automatic regardless of the application being deployed.
• RHEL 5 with it's LSPP security policy has some serious, practical deployment issues that customers need to be aware of including:
• The GUI and X-Windows components are excluded from the security target.  This is a server and command line offering ONLY.
  
• No multi-level GUI. Solaris with Trusted Extensions provides both Trusted Java Desktop System (GNOME-based) and Trusted CDE
• No multi-level file sharing. Solaris with Trusted Extensions provides multi-level NFS file sharing
• No easy interoperability with other non-labeled OSs, such as MS Windows, Mac OS X, etc. Solaris with Trusted Extensions works in multi-platform environments without issue - we do not require communication only with other 'trusted' OSs.
• No guarantee of application compatibility for non-Label-aware applications. Solaris with Trusted Extensions will run all existing applications, even allowing them to run in a 'multi-level' manner without modification to the code.
• Hot Pluggable storage devices (USB and Firewire) are excluded from the evaluation.  Solaris Trusted Extensions includes these devices in our evaluation.
• Network Printers are excluded.  Solaris Trusted Extensions supports the labeling of network printers.
  
• No use of LDAP as a naming service for centralized management of user identities. Solaris Trusted Extensions supports industry standard LDAP protocols for centrally managing user id and security policy information.
• The RHEL evaluation only applies to IBM hardware.  Sun's certifications include a variety of AMD-64 and Sparc-based plaforms. 
• The RHEL evaluation only supports the ext3 and selinuxfs file systems.  Sun's evaluation for Solaris Trusted Extensions supports UFS, ZFS, PCFS. NFS, lofs, hsfs.  In addition, Solaris allows you to use QFS and VXFS as well although these were not part of the evaluated platform.
  

Sun has achieved CAPP & RBACPP @ EAL 4+ for Solaris 10 3/05 and is about to announce Solaris 10 11/06 has repeated this achievement and we will have our LSPP certification by the end of the CY 07.

For other comparisons, please review these useful links:

Comparing the Multilevel Security Policies of Solaris Trusted Extensions and Red Hat Enterprise Linux
http://www.sun.com/bigadmin/features/hub_articles/mls_trusted_exts.jsp

Sun Solaris Security Web Site :
www.sun.com/solaris/security/

Comparative Study of Containment Technology : a Thesis from Sweden :
http://opensolaris.org/os/community/security/news/20070601-thesis-bs-eriksson-palmroos.pdf

Glenn Faden's Blog : Chief Architect of Solaris Trusted Extensions (and Trusted Solaris 8):
http://blogs.sun.com/gfaden/

Thanks to Mark Thacker and Jane Medefesser for input to this article 

Why should you care?

Sun believes that when you deploy a OS in a secure, multi-level environment, that you will want all the features, third party software and support to be the same as a standard environment.  We believe that Solaris 10 with Trusted Extensions provides a  richer, more capable, easier to use platform for our security minded customers.  It is a deployment platform developed in an open source methodology, that supports a wide variety of Sparc, Intel and AMD based platforms and is freely available.

 

At Sun for the last 7 years, we've known that using Sun Ray ultra thin clients saves customers money while increasing security. We have over 25000 of them deployed and everyone from the CEO on down uses them. Our global mobility configuration allows me to move my running desktop session from my house to my office in McLean VA, to Broomfield, CO to Bejing China by simply taking my smart card with me.  Trust me, the first time you see this work, in appears to be no less that magical.

The US Intelligence community saves a huge amount of money every year using Sun Ray thin clients along with our Trusted Solaris operating system to replace multiple workstations with a single display.  That program, known as the DoDIIS Trusted Workstation has deployed thousands of Sun Rays.

 "In the Defense Intelligence Community, we have been using the Sun Ray environment for the last three years now," noted Dr. Ryan Durante, the DTW Program Manager at the Air Force Research Laboratory. "The dual head capability, combined with the security of fiber to the desktop, sets Sun's newest offering apart from anything else on the market. We expect to save $5.6 Million over the next two years by migrating to the SunRay 2FS."

Most recently Verizon has installed over 5000 Sun Rays in their call centers and find it reduces their power bill, management costs while making them more "green."  According to the article in Network World:

Verizon has seen a 60% to 70% drop in desktop problems and a 30% decline in electrical use at each center.Generally, Verizon had four dedicated tech staff members per 1,000 seats to handle desktop trouble tickets. With the Sun Rays, that’s been cut to one staffer.

How does the Sun Ray help the environment?

• Lower power and cooling usage. 4-7 watts vs. over 100 for the typical PC.
• Reduced waste.  A Sun Ray has no disk drive, DVD drive or fans.  When discarded it has a significantly smaller circuit board, enclosure and power supply than a typical PC.  Our basic Sun Ray 2 weighs less than one pound.
  
• Improve real estate usage.  At Sun we have reduced our real estate significantly because of the "hot-desking" feature of the Sun Ray thin client.  We can allocate 2-3 mobile workers to one cube.  This reduces waste, power, cooling and other factors.
• Improved resource utilization.  Processors can be shared among users.  No longer is a 3 Ghz processor locked up in a box in the cube next to you while that person is out of the office or on vacation.  In this shared environment, many users can be allocated to a small number of processors. 
  

 The Sun Ray thin client also helps to control costs in a number of ways:

• No patching required.
• No local software installation on each device.
  
• No reason to replace it every three years.  We have Sun Ray devices over 7 years old.  Think of it as a VT100 terminal on steroids.
• Reduced system administration costs through centralized management.
• Upgrades for hardware  (CPU, Memory, Disk) and Software (Word processing, mail, etc) occur in a centralized location rather than on the desktop.  A single a central Sun Ray server provides additional power to all of its users.
• Reduced cost to move an employee.  Simply pull out your smart card and switch to any cubicle available.
• Reduced data loss and backup issues.  All data is kept in centrally managed and backed up data centers by professionals.
  

The Sun Ray can also increase your security posture for a variety of reasons:

• No hard disk drive, floppy or CD-RW device to be stolen, lost or to extract data
• USB ports can be disabled to prevent the injection of viruses or removal of data via flash memory drives
• No operating system means that it's virus free and doesn't require constant monitoring, securing and patching
• Smart Card authentication provides two factor security.
  

These are just a few of the benefits of the Sun Ray thin clients.  DISA management has stated that they plan to move to a thin client architecture when they move their HQ from VA to Ft. Meade, MD.

Thin implementations have also taken hold in the United States. One of its advocates is CDR W. Stevenson Bowman, who is the officer in charge of the San Diego detachment of SPAWAR, the Space and Naval Warfare Systems Center in Norfolk, Va. Bowman was involved with a thin-client implementation at the data center of the Defense Information Systems Agency (DISA) in San Diego, where they were able to eliminate their help desk completely.

"The whole idea was to get rid of all the thick clients and the cost associated with them," Bowman said. They moved from Wintel PCs to Solaris running on a Citrix server. The agency first went from seven to two support personnel, then eliminated them completely.

 Whether you are a Solaris, Linux or even Microsoft Windows shop we have many more success stories of Sun Ray deployments around the world.

If you would like to know how to take advantage of Sun's thin client computing computing technologies, call our Sun Federal headquarters at 703 204 4100.
 

Recently, the US DoD introduced an updated version of their "Security Technical Implementation Guide" Checklist (aka STIG) for Unix platforms.  They added a requirement for Anti-Virus software to be installed and rated it as a Category I (highest) requirement.  Within the DoD, you must follow this checklist in order to get "Authority to Connect" to the network.  It is EXTREMELY difficult to get a waiver to ignore a Category I finding.

To quote the most recent (March 2007) checklist:

GEN006640 – Virus Protection Software

Check for the existence of the Mcafee command line scan tool to be executed weekly in the cron file.  The Mcafee command line scanner is available for most Unix/Linux operating systems.  Additional tools specific for each operating system are also available and will have to be manually reviewed if they are installed.  In addition, the defintions file should not be older than 14 days.

 I have been researching the offerings of  major (and minor) AV vendors.  Please feel free to make corrections or additions to this list via the "Comments" feature of blogs.sun.com

• TrendMicro
• No host-based anti-virus software for Solaris (either platform)
  
• Symantec
• No host-based anti-virus software for Solaris (either platform)
  
• McAfee
• Command Line anti-virus for Solaris 10 (Sparc) and plans for X64 platform
• F-Prot
• Has anti-virus for Solaris on Sparc and X64 platforms.  F-Prot is based in Iceland. I'm not sure if the DoD can use their software.
• CA
• Web site claims support for Sun Solaris 8 and greater.  Unclear on Sparc/X64 platforms.
• Central Command
• Reports supporting Sun Solaris 9 or SunOS 5.9 on Sparc only
• Avast
• Reports having anti-virus scanner for Solaris 8-10 on Sparc and X64 platforms.  Based in Prague, Czech Republic.
  
• Clam AV Open source project.  Now owned by SourceFire.
  
• Has binary build for Solaris on Sparc and X64 platforms at blastwave.org
• CyberSoft
• VFind has support for Solaris 2.5.1, 2.6, 7, 8, 9 and 10 on Sparc and X64. Based in Conshohocken, PA.

I have also perused their virus databases in an attempt to prove with data what I know in my heart, ie. there are really no damaging Solaris viruses.

• McAfee
• Two "malware" findings.  Each rated as low threat. One requires that telnet port be open which most enterprises close
• Symantec
• 11 Total findings, most of which are vulnerabilities rather than viruses.  These vulnerabilities can all be dealt with via existing Solaris patches.
  
• Trend Micro
  
• 13 finding, most of which were vulnerabilities and DoS warnings some of which were over 7 years old.
• F-Prot
• Lists only 2 Unix viruses that affect Apache on BSD and Linux platforms dated from 2002.
  

 
A similar search of the McAfee "malware" database for Windows XP returned 5300 results.

Apparently this requirement is derived from the NISPOM as evidenced by this email from a customer:

The NISPOM, referenced in the DSS scenario below is the _National Industrial Security Program Operation Manual_ (DoD 5220.22M - Feb 28, 2006)
 
Chapter 8 of the NISPOM deals with Information System (IS) Security.
 
    8-103. The information Systems Security Manager (ISSM) shall:
 
    8-103.f.(5) Implement security features for the detection of malicious code, viruses, and intruders (hackers), as appropriate.
 
    8-305 Malicious Code. Policies and procedures to detect and deter incidents caused by malicious code, such as viruses or unauthorized modification to software shall be implemented.  All files must be checked for viruses before being introduced to an IS and checked for other malicious code as feasible. The use of personal or public domain software is strongly discouraged. Each installation of such software must be approved by the ISSM. 

In my mind, the key portion of this excerpt would be the phrase, "as appropriate."  While it is certainly "appropriate" to install anti-virus software on a MS Windows platform, I can't see where it would be appropriate for a Solaris platform.

 I am doing all of this work in an attempt to get the DISA Field Security Office to eliminate the requirement or at best, reduce its severity.  If you are also running into this issue, please email me or add a comment to my blog.  At this time, I understand that DISA is planning to lower the rating of this finding to Category II.  I don't know when this change might occur.

Solaris has a number of features that can help secure your system without anti-virus software including:

• Signed binaries
• Basic Audit and Reporting Tool (BART)
  
• No stack execution
• Mandatory Access Control (when Trusted Extensions are enabled)
• Solaris Containers
  

A white paper on Solaris security is available.  The Solaris Security Toolkit supports the hardening of Solaris 10.

Why you should care.

Solaris is known for its security.  Placing a requirement for anti-virus software on Solaris is preventing some customers from deploying it because of the paperwork required to get a waiver.  In particular, requiring Solaris users to install software that specifically searches for malware that primarily attacks a competitive platform (Windows) would appear to put Sun at a competitive disadvantage.

Some time ago, I blogged about what the Common Criteria process is all about and how the government (in particular my customer in the US DoD) uses it.  At that time I said:

What's wrong with the current Common Criteria process?

Although the current process is somewhat better than the old NSA process, it still leaves something to be desired.  I have heard it stated in public forums by DoD employees that the CC process does not meet all Government's goals.   Current problems include:

• It still take a long time (about 1 1/2 years) resulting in delays in purchasing state of the art products.
• The process is not designed to actually detect software bugs or vulnerabilities in an OS
• The rules for adoption of the OS are interpreted in a wide variety of ways across organizations.
• It is not flexible in handling OS updates and patches

Apparently, I was not alone.  Recently an article was published in the Government Computer News in which Symantec agrees with me stating:

  “I would say our [DOD] customers are not satisfied with Common Criteria,” said Wesley Higaki, Symantec's director of product certifications, in an interview with GCN. “People on the ground are finding that Common Criteria doesn't help them make their products more secure. It doesn't help them pass accreditation. It's just a procurement hurdle at this point.”

Recently I have been asked if Sun could have our Lights Out Management (LOM) devices CC evaluated because they accept a user name and password.  This feature makes them IA-enabled according to DoD Directive 8500.2.  Nearly every server, tape array and disk array that Sun sells has a LOM interface to facilitate remote management and problem diagnosis.  This requirement could generate a huge cost in dollars and time for Sun while delaying innovation and product development.  In the end it would not create a better product because the market already demands that our products provide a high level of security.

I have heard it said at Sun that, "No CC evaluation has ever changed a line of code."  Although I can't prove this because I have not been directly involved, I certainly believe that CC evaluations are primarily documentation efforts.

If you also see this as a problem, feel free to add your comments here.
 

 

As an OS Ambassador at Sun who works very closely with the US DoD, I'm frequently asked how one secures Solaris for use in the DoD. The definitive source for this information is the DISA Field Security office "Security Technical Implementation Guide" (aka STIG). DISA owns and operates the data centers and neworks for the US DoD. Security checklists and about 500 pages of documentation are included. 

They can be downloaded at: http://iase.disa.mil/stigs/stig/index.html

In addition, DISA provides "Security Readiness Review" scripts which audit your system and report discrepancies.  They were last updated in January 2007 and include S10 support.  The SRRs are available at: http://iase.disa.mil/stigs/SRR/index.html

Some DoD organizations have created a Solaris Security Toolkit profile which accomplishes about 90% of what the STIGs require. The SST is Sun's supported "security lockdown tool" that is a free download and easily customizable. It typically executes in about 4 minutes drastically reducing the time required to secure a system and providing automated, reproducible  results.  The SST also include "undo" and "audit"  functions. The SST can significantly reduce the time that it take you to reach "Authority to Operate" status on a DoD network.

The DISA STIGs require a wide variety of changes to the Solaris OS including:

• Solaris auditing enabled with specific items being audited.
• Basic Auditing and Reporting Tool enabled
• root home directory changed to /root
• McAfee antivirus installed (yes, even though it really only checks for Windows viruses)
  
• Massive permissions and umask changes
• TCPwrappers enabled
  
• certain services must be disabled (FTP, Telnet etc)
• Certain commands must be disabled (snooop, rsh, rexec etc)
  
• Password history, lockout and construction settings
• Banner page changes
• PROM password settings
  
• etc.
  

Other documents that might be of interest for security conscious customers include:

• Center for Internet Security Benchmark for Solaris 10
• Glenn Brunette's security blog
  
• Sun Blueprints on Security
  
• The Open Solaris Security community features code, discussions, presentations and white papers
  
• Glenn Faden's Trusted Solaris Blog
  

Why should you care?

 The US DoD takes computer security very seriously.  Their STIG documents provide a detailed definition of all the activities required to secure a Sun Solaris system.  Utilization of their tools and method can result in a highly secure data center operation.

The Solaris Security Toolkit can simply this process and make to predictable, repeatable and faster than a manual process.

For the highest level of security (equivalent to the old NSA B1 level) Solaris 10 11/06 includes the capability to at Trusted Extensions to your environment. Solaris Trusted Extensions provide full label aware services to meet the most stringent multi-level OS requirements.

 

Over the past 10-15 years, my customer, Defense Information Systems Agency (DISA) has used Solaris as a core component for its Global Command and Control System (GCCS).  GCCS is a mission critical system supporting our warfighters worldwide. To quote their web site:

GCCS-J is the principal foundation for dominant battlespace awareness, providing an integrated, near real-time picture of the battlespace necessary to conduct joint and multinational operations.

DISA chose Solaris as their deployment platform in the early 90s (Solaris 2.3 time frame) because of its open standards compliance, security, wide application availability and stability.  A recent article in Federal Computer Week indicates that Sun's relationship with DISA will continue for years to come.

DISA, according to the agency’s budget documents, plans to buy more than 120 high-powered Sun servers for GCCS-J in the next three years, including Sun Fire 1280, V890, V480, V280 and V240 servers powered by UltraSPARC processors.

As in 1992, Solaris 10 still excels in the same areas.  It is an open source OS, that runs on a wide variety of hardware platforms and provides a stable, secure platform for a wide variety of third party applications.

In addition to developing and deploying the GCCS, DISA owns and operates the DoD networks, Data Centers and other programs that use Sun hardware and software including:

• Global Combat Support System (GCSS)
• Public Key Infrastructure (PKI)
• Service for the Processor Environment
• PAWS
  
• Wide Area Workflow (WAWF)
• And many other mission critical DoD systems
  

Special note

Before you wise guys out there comment that the equipment listed is old and should be retired, I'd like to point out that:

1. Government procurement documents are notoriously out of date due to the multi-year planning process they follow.
2. GCCS is currently upgrading from Solaris 2.5.1 to Solaris 8 but moving to Solaris 10 over the next year.
3. We also now have AMD (and soon Intel) based servers with which to attack the Dell components as well
   

Why should you care?

The US DoD trusts Sun products to deploy its most mission critical programs.  Sun has a long relationship with a wide variety of customer who need the utmost in security, availability and choice in their computing solutions.  Only Solaris can scale from a portable laptop computer to a 144 processor super-server with 1 TB of RAM while providing a single administrative view.

I've updated my blog entry on Common Criteria evaluations with the answers to some of the FAQ that I get inside of Sun and that were posted in the comments section.  Also corrected some rather embarrassing spelling and typing errors!  Why doesn't this blog editor have spell check?

Last week the Defense Information Systems Agency award a multi-year contract to Sun Federal for "Utility Computing."  As the technical lead on the proposal I am very familiar with the requirements of the RFP and Sun's solution.

What DISA wanted.

DISA operates 18 data centers for the US DoD. Their customers include the military services as well as agencies such as DFAS, DLA, NGIA, TransCOM etc.  Typically DISA or the customer would buy a suite of HW, strap some system adminstrators to the side and send it off to one of their hosting sites.  This required voluminous paperwork, time delays, and capital expenditures.  After 3-4 years, they had to do it all over again.

The purpose of the DISA RFP was to streamline the procurement process by issuing a single contract for Solaris computing capacity provided by the vendor on DISA floor.  Sun retains ownership of the equipment, meters usage and bills DISA based on utilization. DISA provides the floor space, power cooling and operations staff as well as the customer applications.  As workload increases or decreases, Sun adds or removes capacity without additional procurement activities or "surplusing" of equipment.  Sun is an active participant in the monitoring and capacity management of the Solaris based workload.

Now that the easy part is done (winning the award), Sun's next step is to actually put our technologies to work in partnership with DISA.

What's cool about it

This is an all Sun solution where we are the prime contractor and vendor. Sun's offering to DISA makes use of a wide variety of Sun products and services including:

• The Solaris 10 operating system where Sun's unique Containers technology will allow virtualization of DISA workload resulting in high utilization and reduced management costs.
• Sun's comprehensive N1 suite of management, deployment, measurement and monitoring tools to ensure responsive performance and deployment of new workloads.
• Sun Spectrum Platinum 7 x 24 on-site maintenance for around the clock hardware and software support.
• Sun'sVariable Cost Infrastructure service is a true "Utility Computing" service which includes capacity management, architectural oversight, application sizing and utilization based billing.
• Sun's complete range of Sparc and AMD based servers including low power UltraSparc T1 as well as industry standard AMD systems.
• Sun Cluster software for highly available applications providing automatic application failover and horizontal scaling.

Why you should care

This is one of a variety of options for Utility computing from Sun that make us easier to do business with, more responsive and a better partner with the Federal Government.

If you are interested in Sun's products and services, call 800-786-0404.  Our Government telesales team there can answer your questions, provide a GSA quote or connect you with your local Sun Sales team.