Glenn Brunette's Security Weblog

So what's new?

Thursday Aug 07, 2008

Previously, I promised to do an update since it had been such a long time between postings. Well, wait no longer. Honestly, the last six months or so were fairly light on security work for me. I have continued to work with customers around the world helping them to apply Sun and partner technologies to their business challenges, but my team has continued to deliver on the Sun Systemic Security vision and we have recently started exploring adaptive security architectures. In fact, Joel was published and featured on the cover of the ISSA Journal for his article titled Adaptive Security and Security Architecture (an abridged version was also posted here). You can follow us on this journey at http://blogs.sun.com/adaptive_security.

So if not security, what have I been up to?

Before answering, when you hear the words "High Performance Computing" or HPC, what is the first picture that pops into your head? Does your mind drift immediately towards the hallowed halls of government and research laboratories? Do you think of Top 500 lists or of supercomputers named Ranger? Do you think about exploring the mysteries of weather patterns, "seeing" back into space and time or even keeping tabs on the behaviors of sub-atomic particles? If so, you are not alone, but that is certainly not all there is to HPC.

Today, there is no shortage of computing problems being tackled using high performance computers, interconnects, storage and data visualization, but we need to widen our views, remove our blinders, and begin to see HPC as it exists everywhere.

  • structural analysis, computational fluid dynamics, crash and safety simulations
  • fraud analysis and detection, anti-money laundering, credit derivatives pricing and hedging
  • reservoir simulation and visualization, seismic processing
  • media rendering and transcoding
  • DNA sequencing, molecular modeling and bio-simulation

Customers employing these processes share common traits. They are all trying to drive better business results, more quickly and efficiently. They have huge data volumes and often short windows in which to derive actionable results. They are trying to reduce their time to market, speed up their ability to make key business decisions and thereby maximize their value to their customers and shareholders. Customers such as these are using IT as a strategic weapon.

Sounds cool, right? I thought so! For the last six months or so, I have taken on an additional role of leading a global, virtual team across our Global Systems Engineering organization to focus on these "non-traditional" or "commercial" HPC environments. What is truly fascinating is that this is all just the tip of the iceberg. Wired Magazine noted recently that "The quest for knowledge used to begin with grand theories. Now it begins with massive amounts of data." While perhaps an oversimplification, the idea is dead on. We have collected massive amounts of data and more is collected every day. Just as often, new ways are being developed to analyze this data. This is where HPC meets main street. Problems with HPC-like characteristics are all around us, and only recently have we been given the (commodity) processing power, storage capacity and network bandwidth to employ HPC-like solutions more broadly: from government to industry, from large corporations to small startups, from the data center to the home.

It has been a very cool ride and collectively the GSE HPC Tiger Team (as it is known) delivered remarkable results including millions of dollars in wins, training and education for thousands of people, and the capture of key requirements, use cases and design patterns. With this group solidly running on all cylinders, it is time for me to turn my focus back to security (although HPC will never be rid of me!). In the coming months, you will hear more about our work on adaptive security including some really interesting practical applications you can start trying today. Is that enough of a teaser?

Until next time, take care!

Glenn


2008 SIA Award: Sun Systemic Security

Wednesday Aug 06, 2008

I was a little hesitant to write about this as I did not want it to come across as self-promotion, but in the end I felt that it was important for me to say something on behalf of my team. In July 2008, my team and I were awarded with one of the highest honors that Sun can bestow on its technical professionals - the Sun Innovation Award (formerly known as the Chairman's Award for Innovation) for our contributions to the Sun Systemic Security framework. Collectively, these achievements enabled Sun to improve its products to better comply with our customers' security policies and requirements, develop new architectures and best practices that solve key customer security challenges, and position Sun as an architectural and security thought leader across industry and government.

For those unfamiliar with this award, here is a brief summary:

Sun's Innovation Award recognizes those individuals and teams who have made a significant contribution to Sun through innovation. Innovation is a starting point for the Sun Strategy and is key to helping differentiate Sun and attract communities to Sun. Product, process, and project innovations have increased Sun's ability to grow, make money, build our communities, enlist champions, and accelerate our business. The purpose is to reinforce and recognize exceptional performance related to a key pillar of Sun's strategy and one of our key values: Innovation.

The award ceremony was on July 16, 2008 at the Sun Leadership Conference held in San Jose, CA. The award was presented to the team by both Greg Papadopoulos and Jonathan Schwartz.

Pictured (left to right): Greg Papadopoulos, Rafat Alvi, Bart Blanquart, Glenn Brunette, Joel Weise, and Jonathan Schwartz

I would like to publicly congratulate my team on winning this award and thank them for all of their hard work, focus, and dedication. Through all of the ups and downs, you never failed to deliver innovative and highly impactful work that has helped customers and partners around the world and teams across this fine company. I could not be more proud of you all. This is a team award and it belongs to each and every one of you, and while we have been able to accomplish quite a lot, I have no doubt there are greater things yet to come. Thank you! Now get back to work! :-)

On behalf of the team, I think that it is important to thank both Jim Baty and Hal Stern for their coaching, leadership, and unwavering support over the years. They have helped to build and sustain an environment where we all can be challenged, where innovation can flourish, and where we can make a difference for Sun and our customers. You have both been invaluable to our success - thank you!


NEW: Solaris 10 Security Deep Dive Presentation

Tuesday Aug 05, 2008

Way back when, I posted an update to the original Solaris 10 Security Deep Dive presentation that included support for Solaris 10 Update 3 (11/06). Well, it has been entirely too long since the last update, so I am happy to say that the wait has ended! A new version of the talk is ready for download! This has been quite a journey and a lot has changed in Solaris since it was first released back in 2005. If you have not taken a look into what Solaris can offer recently, I am sure you will be in for a pleasant surprise. Give it a look, and as always feedback is appreciated! Take care!

Glenn

NEW: Solaris Package Companion v0.8.1 / Testing Tool v0.1

Monday Aug 04, 2008

On the heels of the v0.8 release, Clive King was able to find a new bug introduced as a result of my attempting to make the code a little more in line with Korn Shell conventions. Clive, thank you for reporting the details! I have published an updated version as v0.8.1. As always, you can get all of the details at the OpenSolaris Solaris Package Companion Project Page.

As is my tradition when a bug is found, I try to publish a little something extra as a mea culpa. This time is no different. In addition to version 0.8.1 of the Solaris Package Companion, I have also published a testing tool for the same.

The testing tool, called spc-test-v0.1.ksh, is also available from the project page. This tool can test multiple versions of the tool against multiple repositories, which is pretty cool when checking for regressions. There are currently 48 tests, although tests can be easily added or removed as needed. It can optionally display the results to the screen, but by default it records them in a directory where a basic consistency check is performed to detect differences in output (for the same repository) resulting from the use of different versions of the tool. This is not intended to be an all-encompassing test suite or even a piece of production code, but rather a basic sanity check to make sure the key functions are working as expected.

Thanks again, Clive!

Keep the suggestions, reports and fixes coming!

Glenn

NEW: Solaris Package Companion v0.8

Friday Aug 01, 2008

Wow, has time passed since my last posting. I promise to do a quick update soon as a lot has been happening over the last six months! In the meantime, I wanted to tell you all about a new version of the Solaris Package Companion (version 0.8) that is now available.

For those not familiar with the tool, here is a brief overview:

   The Solaris Package Companion is a small Korn shell script that allows you to ask
   quite a number of interesting questions about the relationships between Solaris 
   metaclusters, clusters and packages as well as their respective dependencies. Very
   often, answers to these kinds of questions are essential for the construction of 
   minimized systems as well as more generally for OS golden images.

   The goal of the Solaris Package Companion, or SPC for short, is to do all of the 
   hard work so you don't have to. SPC will create a cache of important facts by mining
   information from the various packaging files and directories to allow you to quickly 
   and easily obtain answers to a variety of questions such as:

     * What clusters or packages are contained in a given metacluster?
     * What packages are contained in a given cluster?
     * What metacluster or cluster contains a given package?
     * On what other packages does a given package or cluster depend?
     * Which packages depend on a given package?
     * … and so on…

New to this release is a tree view display method that allows you to list the contents of metaclusters and clusters in a more eye-friendly tree-view. Thanks to Fredrich Maney for contributing the idea and code! Here are a few examples from the project page showing what this looks like:

To see what packages are included in a cluster, just use the "-t" option:

$ ./spc-v0.8.ksh -v -r ./myrepository -t SUNWCssh
   [C] SUNWCssh                  Secure Shell
      [P] SUNWsshcu                 SSH Common, (Usr)
      [P] SUNWsshdr                 SSH Server, (Root)
      [P] SUNWsshdu                 SSH Server, (Usr)
      [P] SUNWsshr                  SSH Client and utilities, (Root)
      [P] SUNWsshu                  SSH Client and utilities, (Usr)

To see what packages and clusters are included in a metacluster, just use the "-T" option:

$ ./spc-v0.8.ksh -v -r ./myrepository -T SUNWCmreq | head -10
[M] SUNWCmreq                 Minimal Core System Support
   [C] SUNWCfca                  Sun ISP Fibre Channel Device Drivers
      [P] SUNWqlc                   Qlogic ISP 2200/2202 Fibre Channel Device Driver
      [P] SUNWemlxs                 Emulex-Sun LightPulse Fibre Channel Adapter (FCA) driver (root)
   [C] SUNWCfct                  Sun Fibre Channel Transport Software
      [P] SUNWfcsm                  FCSM driver
      [P] SUNWfctl                  Sun Fibre Channel Transport layer
      [P] SUNWfcp                   Sun FCP SCSI Device Driver
      [P] SUNWfcip                  Sun FCIP IP/ARP over FibreChannel Device Driver
   [C] SUNWCfmd                  Fault Management Daemon and Utilities
[…]

I would also like to thank Peter Pickford for sharing a fix for a bug that resulted in the tool not properly recording all dependencies under certain circumstances. Thank you! While I was at it, I also took a little time to clean up the code a bit.

You can find more information, examples and the source code on the project page.

Keep the suggestions, reports and fixes coming!

Glenn

HEADSUP: Solaris 10 Security Best Practices

Thursday Jan 31, 2008

Just a quick heads-up note to say that the official Sun location for the Solaris 10 security recommendations documents has changed. While you can still get to the content from the OpenSolaris Security Community Library page, the new location is on sun.com.

The recommendations documents have been bundled into an archive so that they can be more easily downloaded in a single step. The individual documents are still available and can be downloaded at:

World's Youngest Sun Ray on Solaris Nevada User

Tuesday Jan 08, 2008

Well, I can hardly believe that three years have passed since the birth of my second son. In keeping with past tradition, today he received his first Sun Ray. Just as his brother before him, he received a Sun Ray 150. Having used his brother's Sun Ray for quite some time, he took to it with ease and had fun playing on some of the typical kids' sites. I am sure he will pick things up in no time with his big brother at his side to help him along.


This bet on early access to technology has certainly paid off (not that I had any doubt!). My eldest is very at home with technology and the Internet, whether on a Sun Ray, an Ubuntu desktop or even his Wii. He recently even asked if he could watch me next time I "fix" (read: upgrade) the computers so that he could learn how to do it. With Indiana, he may very well be able to do the upgrade next time! Even in school, where they are forced to use Microsoft products, he adapts very well, switching from MS Paint to gPaint, IE to Firefox, and so on. I am sure his little brother will follow in his technological footsteps.

A few things have changed over the years since we started down this winding road... The original Ultra 10 was upgraded some time ago to an Ultra 20. Solaris 10 gave way to Solaris Nevada (and everything that comes with it), the Sun Ray Server Software was also brought up to date, and more memory was added. Time passes and all things must change. In this case, certainly for the better!

With each new Solaris and SRSS upgrade, the experience becomes easier to install, configure and use. My hat's off to both engineering teams, who do a remarkable job. I can't wait until we get Indiana and Sun Ray linked up! Special thanks this round to Kent Peacock and P.S.M. Swamiji, who helped me work out one last kink in getting rid of some very, very outdated Sun Ray firmware on my last remaining DTUs! Now everything from the DTU firmware, to the Sun Ray software, to the operating system, etc. is running the very latest and greatest - at least until Nevada build 81 comes out!

Happy birthday, little one!


Top 5 Solaris 10 Security Features You Should Be Using

Monday Jan 07, 2008

Inspired by Solaris 10 winning a spot on the InfoWorld 2008 Technology of the Year Award list, I decided to write up a list of my own. I hope you forgive this little bit of cheerleading, but I just could not help myself...

The Top 5 Solaris 10 Security Features You Should Be Using!

This list is intended to highlight five security controls found in the Solaris 10 OS that will offer the most direct and immediate value to you and your organization. I stopped the list at five to simply provide a representative list, but you can see from this deep dive presentation that Solaris has a lot more to offer. At any rate, let's get on with the list... (drum roll please)...

5. Auditing.

Yes, Solaris has had its auditing facility in place since Solaris 2.3, but I can't even begin to count how often I talk with people who do not know that it exists. Solaris Auditing is a great facility to figure out what is happening on your systems. As a kernel-based facility, it can see and record everything that is happening - which is absolutely critical for organizations concerned with compliance. Martin has published a nice audit configuration to address the security requirements for the payment card industry. We also have a whitepaper that discusses how Solaris as a whole stacks up in this area, but I digress... Moving on.

4. Privileges.

You are likely using privileges without even knowing it, and that is a good thing. Solaris has implemented the principle of least privilege across many of the default set-uid binaries and system services. By default, many services are granted only those privileges they need (or simply drop those that they do not need). That said, why stop there? This Sun BluePrint describes how to integrate privileges into third-party or even your own applications. Further, for those doing software development, this paper talks about how to integrate privileges directly into your code to bracket your use of privileges - further limiting when your code will run with privileges. Don't know what privileges you need? Check out our privilege debugger - it will show you the way. By running with only those privileges that you need, your window of exposure is significantly reduced - and we can all agree that is a good thing.

3. Role-based Access Control.

Need to limit access to administrative functions? Do you occasionally need to perform privileged operations? Role-based Access Control, or RBAC, is the answer. Originally integrated in Solaris 8, RBAC has become increasingly more integrated with the rest of the operating system. For example, if you want to allow your operators to restart but not change system services, RBAC can help. Bart has developed a very nice tour of RBAC for those new to the technology. For those wanting something a little more advanced, you can use RBAC to implement a two-person (or four-eyes) access control scenario. Regardless of whether you just want to delegate root access or you want to implement a sophisticated access control policy, RBAC can scale to meet your needs.

2. Zones.

You knew I would be getting to zones, right? Zones are IMHO one of the most significant security features in the Solaris 10 OS. Kernel and most user-land forms of rootkits are essentially rendered ineffective when running your applications in a sparse-root non-global zone. Zones operate with fewer privileges than their global zone counterpart - making privilege-oriented attacks far more difficult to achieve. More than that, the core OS binaries, libraries and kernel modules are all effectively immutable in the default configuration since they are provided using read-only loopback mounts from the global zone. What does this mean? Simply put, you can't change them. This is a huge win for security, for change control, for IT governance - you name it. You can give applications access to do their work in a safe environment without risking changes to the underlying OS. That said, if you need to make changes, Solaris is flexible enough to accommodate. You can add devices, file systems, network interfaces, even privileges to zones. You can enforce various resource controls on zones to prevent them from using an unfair share of Solaris resources. What's more - you can personalize your zone with its own hardening configuration, naming and authentication services, audit policy, and much more. You can even do some very interesting things with cooperating zones. Zones offer such compelling security capabilities that they (along with auditing, privileges and RBAC) serve as a cornerstone of Solaris Trusted Extensions, Sun's multi-level operating system that implements mandatory access control.

1. Network Secure by Default.

Last, but certainly not least on this list is Secure by Default, or SBD. SBD was introduced in Solaris 10 11/06 as a means of significantly reducing the network-visible attack surface of the Solaris OS - particularly for out-of-the-box configurations. Huh? It means that when SBD is selected at installation time, the only Solaris OS service that will be exposed on the network is Secure Shell (rather than a traditionally long list of services that may or may not be used in your deployed environment). SBD can be selected at install time (for initial installs) or post-installation (for upgrades and when you just want to enable it later). It will either turn off services that were deemed non-critical or set required services to a local-only state where they will respond only to requests coming from the local machine itself. This allows you to start from a more secure default configuration and enable only those services that you actually need. SBD can be configured in the global zone or in any number of non-global zones (since they can have their own configurations). For those wanting a bit more in terms of customization (which services to disable, enable, set local-only, etc.), you may want to consider using the Solaris Security Toolkit, where you can set policies against which the system configuration can be assessed or set. Regardless of which tool you choose, you can now more easily lock down your Solaris 10 deployments.

I hope you enjoyed this look at the Top 5 Solaris 10 Security Features You Should Be Using. If you want to learn more about what capabilities Solaris 10 has to offer, you have a wealth of options to help you get up to speed:

Until next time...

Glenn

UPDATED: Solaris - Now With More Fuzz

Friday Jan 04, 2008

Every six months or so, I try to do a run of my fuzz tests against the Solaris OS. The first test was conducted a year ago with build 42 followed by a test during our summer break on build 68 of Nevada. It should come as no shock then that I conducted another test during the winter break on build 80.

The tools and methodology are the same (although there are still some kinks to be worked out to make it fully automated), but for those who have not read my earlier post, I will summarize. The tests were conducted on a fresh installation of Nevada build 80 built with the SUNWXCall (Entire + OEM) installation cluster. A sparse-root, non-global zone (called "fuzz") was created for the tests and the software was loaded into the zone. Next, the names of all of the ELF binaries were collected using the make-exec-list script, run from within the non-global zone. Next, the make-fuzz-tests script was run to generate the 36 different fuzz files to be used as input for each binary tested. Lastly, the test was kicked off using the exec-fuzz-tests script. The script pretty much runs unattended except when I need to kill off runaway processes. I still need to add some code to kill off anything started at the end of each test so you do not end up with tons of extra processes running and consuming memory.
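To make the three-step flow concrete (generate fuzz files, feed each one to a binary, classify the outcome), here is a small stdin fuzz driver written as an added illustration for this post. It is not Glenn's make-fuzz-tests or exec-fuzz-tests scripts and does not know Solaris: it assumes only a POSIX system where a negative subprocess return code means "killed by a signal" (the core-dump case), and it handles the runaway-process problem mentioned above by enforcing a wall-clock limit per run and killing the child when it expires. The input generators are constructed for the example.

```python
"""Minimal stdin fuzz driver (added example, not the author's scripts).

make_fuzz_inputs() builds a few deliberately malformed inputs, run_one()
feeds one of them to a program under a time limit, and fuzz() summarises
which inputs made the program exit normally, die from a signal (the
"core dumping" failures the post describes) or hang until it was killed.
"""
import random
import subprocess
import sys

# Interpreter used for the self-test target in __main__; constructed choice.
PYTHON = sys.executable


def make_fuzz_inputs(count=12, max_len=4096, seed=1):
    """Constructed fuzz inputs: raw random bytes, long runs of a single
    byte (NUL, 0xff, newline, '%'), and printable junk full of format and
    shell metacharacters. Deterministic for a given seed so a failing case
    can be regenerated and replayed."""
    rng = random.Random(seed)
    inputs = []
    for i in range(count):
        n = rng.randint(1, max_len)
        if i % 3 == 0:
            data = bytes(rng.getrandbits(8) for _ in range(n))
        elif i % 3 == 1:
            data = bytes([rng.choice(b"\x00\xff\n%")]) * n
        else:
            data = bytes(rng.choice(b"%s$`|;&()<>\\\"'\n") for _ in range(n))
        inputs.append(data)
    return inputs


def run_one(argv, data, timeout=2.0):
    """Run argv with data on stdin and classify the result as one of
    ('ok', exit_status), ('crash', signal_number) or ('timeout', None)."""
    try:
        proc = subprocess.run(argv, input=data, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        # subprocess.run kills and reaps the child before raising, so a
        # runaway never survives past its own test.
        return ("timeout", None)
    if proc.returncode < 0:
        # POSIX convention: -N means the child was terminated by signal N.
        return ("crash", -proc.returncode)
    return ("ok", proc.returncode)


def fuzz(argv, inputs, timeout=2.0):
    """Run every input against argv; return {'ok'|'crash'|'timeout': [index...]}
    so the offending inputs can be written out and replayed later."""
    summary = {"ok": [], "crash": [], "timeout": []}
    for idx, data in enumerate(inputs):
        kind, _ = run_one(argv, data, timeout)
        summary[kind].append(idx)
    return summary


if __name__ == "__main__":
    # Harmless constructed target: a program that just drains stdin.
    target = [PYTHON, "-c", "import sys; sys.stdin.buffer.read()"]
    print(fuzz(target, make_fuzz_inputs()))
```

Each failing index maps back to a deterministic input, so a crash found overnight can be reproduced the next morning with the same seed; on a real run you would point `fuzz()` at each ELF binary from the executable list in turn and write the crashing inputs out beside the bug report.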

At any rate, the test run completed and I have posted my results in Bugster and the bugs are also available in the OpenSolaris Bug Database Search using the keyword fuzz. The programs impacted can be viewed using this query.

While I tend to do this kind of work for fun as a holiday distraction, it does have real benefit. Programs that fail during a fuzz test (usually core dumping although a runaway or two have also been found) fail due to unvalidated input that leads to a buffer overflow or arithmetic exception of some kind. Input validation is not to be taken lightly and should be performed by every program and service. In fact, on the CERT Top 10 Secure Coding Practices list, validate input is item #1 and with good reason.

Take care,

Glenn

Redshift, Cell Phones and Sun

Friday Jan 04, 2008

On Monday, December 24th, 2007, Jonathan said:

Christmas Day is a day of massively high load for Sun's customers across the world. This year will undoubtedly set a pile of new records. Millions upon millions of network enabled gifts will be given in December, and a huge chunk will be unwrapped and turned on tomorrow. Digital still and video cameras will start pumping content to photo/video sharing services. Mobile phones will need to be provisioned, and will start downloading and sharing content (on a global basis, the network load from New Year's Eve MMS messages goes beyond staggering). Set top boxes, networked picture frames, video game consoles, navigation devices, stuffed animals, sports equipment and automobiles - will all come on-line tomorrow. On the same day. And everyone will (and should) expect flawless service.

and he hit the nail right on the head. Today (thanks to the Associated Press), comes this story: Congestion causes text message slowdown which reads (in part):

Analysts said last month that Americans may have spent more in 2007 for the first time on their cell phones than on land lines and pay phones. And people are using their cell phones in growing ways — for text messages, video messages, e-mail and Web access.

So, we have more people using more phones for more services... I guess you could say that there were more than a few who were underserved on New Year's Eve.

In fact, so many people tried to send text messages on New Year's Eve that networks got jam-packed and many of the missives arrived hours later — or not at all.

Every day more and more devices are being connected to the network. The more content being shared, combined with increasing levels of participation and new capabilities, only serves to increase its intrinsic value. The greater its value, the more people will want to participate. Every day opens up new opportunity for everyone, especially Sun - whose singular vision "the network is the computer" is even more true today than when it was coined. As the network is flooded with all of these new consumers and devices, will your service be able to keep up? If you have any doubts, give us a ring; I am sure we can help. After all, we have helped many people already and are helping more every day.

Happy new year everyone!

NEW: Hack-Fu - Deconstructing the Security Capabilities of the Solaris 10 OS

Tuesday Nov 13, 2007

For the Sun CEC 2007 conference this year, I revamped my original Practical Solaris 10 Security presentation that I had mentioned here. The new version of the presentation is titled Hack-Fu - Deconstructing the Security Capabilities of the Solaris 10 OS.

While the title is a little more "catchy", the real change is that the presentation was enhanced to provide a more complete practical demonstration of Solaris 10 security capabilities. The presentation is structured from the viewpoint of a potential attacker examining the system from the network. As each new capability is discussed, barriers are lifted -- one by one -- until the attacker is given root access inside a Solaris 10 non-global zone.

While I have not had a chance to record the talk putting audio to the slides, you can still follow along as many of the examples in the presentation are based upon Sun BluePrints and HOWTOs that have already been published such as:

and a few others. I am always tuning and tweaking these presentations to address new features, improve their clarity, and make the examples more realistic. So, be sure to give it a look and send along your feedback. Also, don't forget to check out the OpenSolaris Security Community Presentations Library for other presentations featuring Solaris 10 and OpenSolaris content!

Take care,

Glenn

NEW: Solaris Package Companion v0.7

Friday Nov 02, 2007

This one must have slipped my mind. Please accept my apologies. Back in September (2007), I published an updated version of the Solaris Package Companion. For those not familiar with the tool, here is a brief overview:

   The Solaris Package Companion is a small Korn shell script that allows you to ask
   quite a number of interesting questions about the relationships between Solaris 
   metaclusters, clusters and packages as well as their respective dependencies. Very
   often, answers to these kinds of questions are essential for the construction of 
   minimized systems as well as more generally for OS golden images.

   The goal of the Solaris Package Companion, or SPC for short, is to do all of the 
   hard work so you don't have to. SPC will create a cache of important facts by mining
   information from the various packaging files and directories to allow you to quickly 
   and easily obtain answers to a variety of questions such as:

     * What clusters or packages are contained in a given metacluster?
     * What packages are contained in a given cluster?
     * What metacluster or cluster contains a given package?
     * On what other packages does a given package or cluster depend?
     * Which packages depend on a given package?
     * … and so on…

New to this release is the tag before the item description to inform the user of the type of object being displayed: [P] indicates a package, while [C] is a cluster and [M] is a metacluster. Another new feature is the ability to fold packages back into their respective clusters (where possible). This can be helpful when trying to create a complete list of items for a standard OE image or JumpStart configuration. Essentially, this will report the cluster name in which the package is found. This can be accomplished using the -F (folding) option. The new -Z option will display the list of packages that depend on a specific cluster. There is also a new experimental option, -f, that will allow you to map a file to a package or cluster (with the -F option). Right now this works reliably only for local files. Finally, special thanks to Dave Comay for reporting a bug - that has been fixed in this version too!
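The two SPC behaviours described on this page, the [M]/[C]/[P] tree view shown in the v0.8 post above and the folding of a package back into its cluster from this v0.7 release, both come down to one relationship table: which metacluster lists which clusters, and which cluster lists which packages. The following is an added toy model of that table written for this post; it is not Glenn's Korn shell script and reads no real repository. It assumes the entry layout of a Solaris .clustertoc file (CLUSTER= or METACLUSTER=, DESCR=, repeated SUNW_CSRMEMBER= lines, terminated by END); the sample entries and the package descriptions are constructed, the latter standing in for what a real run would take from each package's pkginfo file.

```python
"""Toy model of SPC's metacluster/cluster/package queries (added example,
not the Solaris Package Companion itself). Parses a constructed
.clustertoc-style text and answers "what is in X?" (tree view) and
"what contains X?" (folding)."""

# Constructed sample in .clustertoc layout: one metacluster, two clusters.
CLUSTERTOC = """\
METACLUSTER=SUNWCmini
DESCR=Constructed Minimal System
SUNW_CSRMEMBER=SUNWCssh
SUNW_CSRMEMBER=SUNWCfct
END
CLUSTER=SUNWCssh
DESCR=Secure Shell
SUNW_CSRMEMBER=SUNWsshcu
SUNW_CSRMEMBER=SUNWsshdr
SUNW_CSRMEMBER=SUNWsshu
END
CLUSTER=SUNWCfct
DESCR=Sun Fibre Channel Transport Software
SUNW_CSRMEMBER=SUNWfctl
SUNW_CSRMEMBER=SUNWfcp
END
"""

# Constructed stand-in for each package's pkginfo NAME field.
PKG_DESCR = {
    "SUNWsshcu": "SSH Common, (Usr)",
    "SUNWsshdr": "SSH Server, (Root)",
    "SUNWsshu": "SSH Client and utilities, (Usr)",
    "SUNWfctl": "Sun Fibre Channel Transport layer",
    "SUNWfcp": "Sun FCP SCSI Device Driver",
}


def parse_clustertoc(text):
    """Return {name: (kind, descr, [members])} where kind is 'M' or 'C'."""
    entries, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "END":
            if cur is not None:
                entries[cur["name"]] = (cur["kind"], cur["descr"], cur["members"])
            cur = None
            continue
        key, _, val = line.partition("=")
        if key in ("METACLUSTER", "CLUSTER"):
            cur = {"kind": key[0], "name": val, "descr": "", "members": []}
        elif cur is None:
            raise ValueError("field outside an entry: " + line)
        elif key == "DESCR":
            cur["descr"] = val
        elif key == "SUNW_CSRMEMBER":
            cur["members"].append(val)
        # other fields (VENDOR=, HIDDEN=, ...) are ignored by this model
    return entries


def tree(entries, name, depth=0):
    """Render the indented [M]/[C]/[P] view the post shows for -t and -T.
    Anything not defined as a cluster or metacluster is treated as a package."""
    indent = "   " * depth
    if name in entries:
        kind, descr, members = entries[name]
        lines = ["%s[%s] %-26s %s" % (indent, kind, name, descr)]
        for member in members:
            lines.extend(tree(entries, member, depth + 1))
        return lines
    return ["%s[P] %-26s %s" % (indent, name, PKG_DESCR.get(name, "(unknown package)"))]


def containing(entries, item):
    """Folding (-F style): the clusters or metaclusters that list item."""
    return sorted(n for n, (_, _, members) in entries.items() if item in members)


if __name__ == "__main__":
    entries = parse_clustertoc(CLUSTERTOC)
    print("\n".join(tree(entries, "SUNWCmini")))
    print("SUNWsshdr folds into:", containing(entries, "SUNWsshdr"))
```

Running it prints the same shape of output as the `-T SUNWCmreq` example above, with SUNWsshdr folding back to SUNWCssh; the model deliberately stops at containment and does not read the per-package `depend` files that the real tool mines for its dependency questions.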

You can find more information, examples and the source code on the project page.

NEW: Solaris 10 Set-ID and World Writable Overview

Friday Nov 02, 2007

Various organizations have often asked for more detail regarding the set-uid, set-gid and world writable programs that are shipped by default in the Solaris OS. Well, the wait is over (at least for Solaris 10 8/07)!

Today, I am happy to announce the public release of an overview document that describes these file system objects in detail. This document is still a draft and still needs to answer a few questions, but I believe that it is far enough along to open up the discussion and begin getting feedback from all of you! If you are interested and want a copy of the document, you can find it here. Looking forward to your comments!

From the document:

While there are often many files delivered by operating systems and other software products, organizations are often most concerned with those programs and services that have or run with special privilege. Unfortunately, there is at times a lack of information regarding what these programs do and why their privileges are necessary. The goal of this document is to provide additional information on four special classes of objects delivered by the Solaris OS: Set-UID Files, Set-GID Files, and World Writable Directories and Files. With this information, organizations will be able to better understand the privileged programs, directories and files that exist on their systems.

If you would like to make recommendations or even implement an improvement (such as one of the RFEs listed in the document), please consider joining the OpenSolaris Security Community!
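The four classes the document covers can be enumerated on a running system with find, and the result compared against the document's list for your release. The script below is an added example written for this post; it is not part of the overview document or of Sun's tooling. It assumes a POSIX find, sort and comm (on Solaris 10, add -local to the find commands to keep them off NFS mounts), and the tree it builds for the demonstration is a constructed fixture, not real Solaris files.

```shell
#!/bin/sh
# Added example, not part of the Solaris overview document: enumerate the four
# object classes the document covers (set-uid files, set-gid files, world
# writable files, world writable directories) and report anything not in a
# known-good baseline.  Assumes a POSIX find/sort/comm; on Solaris 10 add
# -local to the find commands to keep them off NFS mounts.

# audit_special_perms ROOT
# Prints one line per object under ROOT, prefixed with its class tag.
# "-perm -mode" matches when every bit in mode is set, so -perm -0002 means
# "writable by other" regardless of the remaining bits.
audit_special_perms() {
    root="$1"
    find "$root" -type f -perm -4000 -print | sed 's/^/SUID /'
    find "$root" -type f -perm -2000 -print | sed 's/^/SGID /'
    find "$root" -type f -perm -0002 -print | sed 's/^/WWFILE /'
    # A world writable directory with the sticky bit (1777, like /tmp) lets
    # users create entries but not rename or delete each other's; without the
    # sticky bit anyone can do both, so only the non-sticky ones are reported.
    find "$root" -type d -perm -0002 ! -perm -1000 -print | sed 's/^/WWDIR /'
}

# audit_new_entries ROOT BASELINE
# Prints audit lines that do not appear in BASELINE, a file in the same
# "TAG path" format (for example, the list transcribed from the overview
# document for the release you run).
audit_new_entries() {
    root="$1"; baseline="$2"
    tmp=$(mktemp) || return 1
    audit_special_perms "$root" | sort > "$tmp"
    sort "$baseline" | comm -23 "$tmp" -
    rm -f "$tmp"
}

# make_fixture ROOT
# Builds a small constructed tree (not real Solaris files) so the audit can be
# demonstrated without scanning the live system.  Modes are set explicitly so
# the caller's umask does not change what gets reported.
make_fixture() {
    root="$1"
    mkdir -p "$root/usr/bin" "$root/tmp" "$root/var/spool"
    chmod 0755 "$root/usr" "$root/usr/bin" "$root/var"
    : > "$root/usr/bin/passwd_like"; chmod 4555 "$root/usr/bin/passwd_like" # set-uid
    : > "$root/usr/bin/mail_like";   chmod 2555 "$root/usr/bin/mail_like"   # set-gid
    : > "$root/usr/bin/ls_like";     chmod 0555 "$root/usr/bin/ls_like"     # nothing special
    : > "$root/var/spool/log_like";  chmod 0666 "$root/var/spool/log_like"  # world writable file
    chmod 1777 "$root/tmp"        # world writable but sticky: not reported
    chmod 0777 "$root/var/spool"  # world writable, no sticky bit: reported
}

if [ "$#" -ge 1 ]; then
    audit_special_perms "$1"
else
    # No root given: run against the constructed fixture, then clean up.
    demo=$(mktemp -d) || exit 1
    make_fixture "$demo"
    audit_special_perms "$demo"
    rm -rf "$demo"
fi
```

Run it with a root directory (for example, the script's own name followed by /) to scan a live system; with no argument it audits the constructed fixture, which yields exactly four lines, one per class, and nothing for the sticky /tmp or the ordinary 0555 binary. Because audit_new_entries takes a baseline in the same "TAG path" format, the overview document's list can be transcribed into that file once, and anything that appears after patching or adding software stands out on its own line.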

Glenn


NEW: Solaris 10 Security Best Practices

Friday Nov 02, 2007

It is with great pleasure that I can (albeit belatedly) announce the arrival of the latest security guidance from both Sun and the Center for Internet Security. Working together, in concert with representatives from academia, industry and government, we have published security guidance for Solaris 10 11/06 and 8/07. This content represents the best and most complete form of Solaris security guidance ever produced.

Not only are the recommendations based upon industry consensus but they are also supported by Sun. What is even better is that this material was completed with support and feedback from both the National Security Agency and the Defense Information Systems Agency. I would like to especially thank both organizations for their significant contributions to this material! This iteration brings us (Sun, CIS, NSA and DISA) closer than ever toward a single, consistent set of security recommendations for the Solaris OS.

The Benchmark itself has been restructured. Today, it comes in the form of two documents: (1) the core hardening Benchmark itself and (2) an extended appendix covering additional Solaris security controls with examples and references for more information. Further, the Benchmark itself has been significantly reorganized to improve its correctness and flow. Thanks to Carole, our editor!

Some new elements to the Benchmark include headers for each item that tell you whether a given recommendation is a Solaris 10 default value, which platforms it applies to and even what configuration settings you need to implement the recommendation using the Solaris Security Toolkit. Overall the document is a tremendous step forward toward bringing the world the best available insight into how to harden and more generally secure their Solaris systems. There have also been quite a few updates to account for changes and enhancements in Solaris. The Solaris Security Appendix document is completely new and provides an overview of the security capabilities of the Solaris OS with many examples and references for more information, including step-by-step BluePrints and HOWTOs. If you are responsible for managing or securing a Solaris 10 system, these documents are for you!

You can find a copy of these documents at both the CIS web site as well as on OpenSolaris.org (CIS Solaris Benchmark, Solaris Security Appendix). As always, feedback and ideas for future revisions are encouraged! If you are interested in participating in future versions of these documents, please consider joining the CIS Unix Benchmark Team. Contact Dave for more information!

Glenn


Sun SPARC Enterprise T5x20s: A Security Geek's Point of View

Tuesday Oct 09, 2007

What an exciting day! Today, Sun officially launched the Sun SPARC Enterprise T5120 and T5220 rack-mount systems along with the Sun Blade T6320 blade server, the first systems designed for the UltraSPARC T2 processor. From the point of view of a security geek, there is a lot to be happy about. The UltraSPARC T2 has eight (8) cryptographic processing units, each of which supports ten (10) different cryptographic algorithms, plus a hardware-based random number generator. Lawrence has done a fantastic job of talking about these capabilities and their performance if you are interested. It is simply mind blowing.

So, what else is new? Well, we now have actual servers that can leverage the computing power of these chips. This means that companies can now begin to rethink how they have deployed cryptography in their environments. In particular, it is now much more practical to deploy cryptographic services widely across an enterprise environment, because the work is offloaded to the cryptographic processing units rather than consuming general-purpose CPU cycles. For example, why not ensure that all of your internal web, directory and mail services are configured to use encryption? (Hint: you should be doing this already, but now you can do it without sacrificing the performance of your CPUs!) Net-net: strong security + excellent performance + eco-friendly is a win-win for everyone.

In addition to enabling the wider use of cryptographic services, I would also encourage any organization to consider how the performance and power benefits of these systems can be applied to their existing environments and workloads. In particular, when used in concert with Sun's Logical Domains (LDoms) technology, organizations can get the benefits of performance, virtualization and security together in one system. Did I mention that today we are also announcing version 1.0.1 of our LDoms technology? Honglin has all the details. Of particular interest to us security geeks is the support for minimized and hardened logical domains! Combine that with the security isolation capabilities of the LDoms hypervisor, a boat-load of crypto performance, and a rock-solid, secure, and scalable operating system, and you just can't go wrong.

Talk about "zero cost security"! Taken as a whole, you get all of the performance (did I mention the 64 threads?), power and virtualization benefits with security just baked into the design! What's not to like? At least from where this security geek is standing, the view is simply unbeatable. See it all for yourself!

Glenn
