This was a great weekend for WiFi on OpenSolaris (and thus future releases of Solaris and Solaris Express) [build 64]. Not only did we get a driver for the Intel Centrino 3945 chipset but, more importantly (well, at least in the eyes of a security geek like me), we got support for WPA-PSK. I've been working with the project team on this for quite some time now, not as a core developer but mostly giving design advice and doing code review, and I'm really glad to see it integrated. I'm really pleased with the architecture and the implementation.

Yeah, I know lots of other operating systems had this already, and now we do too! Combined with NWAM, which integrated its first deliverables into build 62, we are really going somewhere with usability and security for Solaris on laptops.

Now I can put WPA-PSK on my home router again instead of relying on WEP, not broadcasting my SSID, and MAC address restrictions. Meanwhile the project team are now off developing WPA Enterprise support; I expect to work with them a little as they design and implement that support.

- Darren


I attended InfoSec Europe at Olympia in London earlier this week. I find this show generally a little too "PC" biased sometimes, so I wasn't expecting to get too much out of it. I spent most of the time looking around for encrypted storage solutions and products. Last year I found an excellent hardware-only encrypting disk drive that is approved for UK government use.

This year I found a device by a company called SafeBoot. Initially I almost discounted this device because I was expecting it to be Windows only. The device is a small USB flash drive with a fingerprint reader to access the data, I think it is their phantom product that I saw. While the device can only be configured from Windows the lock/unlock functionality works on any system. We tried it out under the MacOS X laptop we had with us (this ensures there are no drivers needed for this) and it works just fine. What was even nicer is that a simple software eject under MacOS caused the drive to relock again. So I fully expect this to work just the same under Solaris. Under MacOS X the encrypted part of the device that you need your fingerprint to unlock appears as a removable drive that doesn't have the media in it - until you swipe your fingerprint.

Pretty cool little device. I don't have one at the moment to try it out, but it looks promising. I can even see some uses for this in a primarily Solaris-based solution, so you might see this or something like it in the future...

Apparently the device can also allow the crypto functionality to be used by the host OS, but only Windows. I wonder if I can get them to write (or collaborate with us to do so) a driver for the OpenSolaris cryptographic framework.

- Darren


Product: Sun Fire X2100 M2 Server, Sun Fire X2200 M2 Server

A security vulnerability in the Sun Fire X2100M2 and Sun Fire X2200M2 implementation of IPMI may allow an unprivileged ipmitool(1m) user to gain unauthorized administrative privileges and then be able to reset or power off a local or remote Sun Fire X2100M2 or Sun Fire X2200M2 server.

Avoidance: Upgrade
State: Resolved
First released: 07-Mar-2007

26 Apr 2007 SLOTD: why buy a firewall?
posted by alecm in General
OK - so I was at a very interesting customer today, and conversation swung around to "defense-in-depth" and that bastion of IT security, the firewall.[1]

We were in the midst of some on-the-fly rearchitecture discussion (read: "if we replumb it all in a more elegant fashion, what needs to be fixed or added in order to make it safe?") and it turned out that an extra firewall to demarcate a line between some public and private machines, would make matters a lot more secure.

"It'll cost a lot, this new firewall", says their long-haired sysadmin.

"Why", says I?

"Firewall license" says he, and names a largeish four-figure number. Eek. That's more than the hardware!

So one of the things I've never understood - and I've told him this - is why the "Cult Of Firewall" is such that only a "dedicated box or appliance" running "genuine firewall software" for which $$$$$$ are paid, is what people go running towards whenever firewalls are mentioned.

Sure, in an enterprise context where people bandy words like "five nines" (ie: 99.999% uptime) - or "extreme(ly) high availability", or where you need "management consoles" - then do buy an enterprise solution where you might be able to sue the vendor if it blows up.

But if you are a small-to-medium organisation with your own in-house pet geeks, then why not take advantage of general-purpose functionality of general-purpose operating systems and deploy Solaris, Linux or *BSD as a firewall? Consider your choice carefully, minimise it to the utmost, but it'd be a lot cheaper and often perfectly adequate and more than adequately performant.

I started at Sun in 1992 and if I had had more business sense back then, and if I had had more money, then I would have cottoned on to the number of SparcStation2's that I was buying, to act as "routers" for our intranet. This observation might have led me to invest in Cisco and its dedicated routers, and made me a tidy profit. Oh well.

But the thing about IT security is that "what goes around, comes around". Maybe it's time for the comeback of the general-purpose operating system, in tiny tasks, on more-than-adequately-powerful hardware?

- alec

--
[1] yes, this is an intentional pun. :-)


Product: Sun Java System Application Server Standard Edition 7 2004Q2, Sun Java System Application Server Platform Edition 8.1 2005Q1, Sun Java System Web Proxy Server 4.0, Sun Java System Web Server 6.1, Sun Java System Application Server Enterprise Edition 7 2004Q2, Sun Java System Application Server Enterprise Edition 8.1 2005Q1, Sun ONE Web Server 6.0, Sun Java System Web Proxy Server 3.6

Sun Java System Application Server, Sun Java System Proxy Server and Sun Java System Web Server are vulnerable to an RSA(1) Signature Verification vulnerability which may allow remote unprivileged users to construct certificates with forged signatures that go undetected and are accepted as valid.

This issue is also described in the following documents:

CERT VU#845620 at http://www.kb.cert.org/vuls/id/845620

CVE-2006-4339 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339

Avoidance: Patch, Upgrade
State: Workaround
First released: 03-Nov-2006

A bit of an experiment for you today - Last night I fired up iMovie and talked into my webcam about Web2.0 and the future challenges of security, and edited the results into a short video. The results are included below, and more context - including links to the referred-to paper from 1997 - is available in the original blog posting.

I hope to do one of these videos - filming colleagues, asking questions - about every other week, and perhaps weekly once we get some experience.

- alec

ps: when we were setting up the security community blog, I made a point of saying that it "shouldn't and won't be filled with pictures of cats - the postings will stay on topic"; please note that the cat in the video therefore is an incidental cat, rather than the focus of the commentary. :-)


This is a really quick one - keep an eye on Darren's blog; he's posted the first installment in a series which will discuss the relative configurations and merits of "sudo" versus RBAC in Solaris, and is attracting the attentions of Powerbroker users, and perhaps others who are intrigued at the notion of delegating small parts of root privilege to ordinary users.

The number of times I've dealt with customer queries about that sort of thing, I feel that I'll soon be citing his blog like holy writ.

-alec


Product: Mozilla v1.7, Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System

Multiple security vulnerabilities in the Layout Engine in Mozilla 1.7 may allow a remote user who is able to create pages that are viewed with the Mozilla browser to crash the application or execute arbitrary code with the privileges of the user running Mozilla. The ability of a remote user to cause the Mozilla application to crash is a type of Denial of Service (DoS).

These issues are described in the following documents:

http://www.mozilla.org/security/announce/2006/mfsa2006-68.html

CVE-2006-6497 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6497

CERT VU# 606260 at http://www.kb.cert.org/vuls/id/606260

Avoidance: Patch
State: Resolved
First released: 18-Apr-2007

Before Solaris 10 11/06, a standard out-of-the-box build of Solaris had all services associated with installed packages enabled by default; thus, many applications bound listeners to a system's IP addresses, and a port scan using tools such as nmap revealed a large number of open sockets to connect to.

The usual (and supported) way to address this situation was to harden the system using the Solaris Security Toolkit, which among many other capabilities, would disable the listeners for services which were not required for a system to perform its business function and be managed. In addition, in many cases some per-service configurations could be set, or host-based firewalling could be configured, to prohibit connections to services other than on the interfaces on which they were supposed to listen.

The 11/06 (aka "Update 3") release of Solaris 10 extends the functionality of SMF to include definitions of interfaces which are required to be listened on; thus, on a system for which this profile is configured, only the Solaris Secure Shell binds a listener to a non-loopback address; a port scan shows that only 22/tcp is listening. Full details on the service definition modifications can be found in Scott Rotondo's presentation here.

It is also worth noting that, while "Secure By Default" is actually the default install profile in OpenSolaris and Solaris Express, it is not the default profile for Solaris 10 11/06 (although it can be selected either manually or by a JumpStart profile variable); this is down to the reasoning that if a customer were to use LiveUpgrade or similar to move from an earlier release of Solaris 10 to 11/06, we wouldn't want to unexpectedly remove service listeners.

As Scott's presentation shows, the netservices(1M) command allows the default profile to be changed anyway, and where specific Security Toolkit profiles have been deployed, these continue to work from both a hardening-mode and audit-mode perspective provided patch 122608-3 (or later) is installed.

-Dave
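The observation above ("a port scan shows that only 22/tcp is listening") can be checked from the host itself rather than with nmap. The following is an added example, not code from Dave's post, the Solaris Security Toolkit or netservices(1M): a small Python audit that parses a Solaris `netstat -an -P tcp` listing and reports TCP listeners bound to anything other than loopback. The two listings embedded in it are constructed, and the column layout they assume (local address as `host.port`, state in the last column) is an assumption to verify against a real system.

```python
"""Audit a Solaris `netstat -an -P tcp` listing for non-loopback TCP listeners."""
from typing import List, Tuple

# Constructed sample listings, shaped like Solaris 10 `netstat -an -P tcp`
# (assumed column layout; verify against a real host before relying on it).
# Local addresses are "host.port"; "*" means bound to every address.
SAMPLE_OPEN = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
127.0.0.1.32771            *.*                0      0 49152      0 LISTEN
127.0.0.1.25               *.*                0      0 49152      0 LISTEN
192.168.1.10.22      192.168.1.20.51234  49640      0 49640      0 ESTABLISHED
      *.111                *.*                0      0 49152      0 LISTEN
"""

# What a "Secure By Default" style host should look like: sshd on every
# address, everything else confined to loopback.
SAMPLE_HARDENED = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
127.0.0.1.32771            *.*                0      0 49152      0 LISTEN
"""


def parse_listeners(netstat_text: str) -> List[Tuple[str, int]]:
    """Return (host, port) for every socket reported in LISTEN state."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows have seven columns; the last one is the TCP state.
        if len(fields) != 7 or fields[-1] != "LISTEN":
            continue
        # The port is everything after the final dot of the local address.
        host, _, port = fields[0].rpartition(".")
        listeners.append((host, int(port)))
    return listeners


def is_loopback(host: str) -> bool:
    """Loopback-only bindings are invisible to a scan from another host."""
    return host.startswith("127.") or host == "::1"


def non_loopback_ports(netstat_text: str) -> List[int]:
    """Ports that a remote port scan (nmap and friends) would see as open."""
    return sorted({port for host, port in parse_listeners(netstat_text)
                   if not is_loopback(host)})


def secure_by_default_ok(netstat_text: str, allowed=(22,)) -> bool:
    """True when only the allowed ports (sshd on 22/tcp by default) are exposed."""
    return set(non_loopback_ports(netstat_text)) <= set(allowed)


if __name__ == "__main__":
    for name, text in (("open", SAMPLE_OPEN), ("hardened", SAMPLE_HARDENED)):
        verdict = "OK" if secure_by_default_ok(text) else "EXPOSED"
        print(f"{name}: non-loopback listeners {non_loopback_ports(text)} -> {verdict}")
```

To use it on a real host, replace the sample strings with the output of `netstat -an -P tcp`; the port 111 (rpcbind) listener in the constructed "open" sample is the kind of thing that should disappear after switching the profile with netservices(1M).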


Historically, Trusted Solaris was a completely separate environment from "regular" Solaris. The Solaris 10 11/06 production release finally broke the mould, when Trusted Extensions integrated into the main Solaris release. Granted, the packages which need to be installed on the top of an unlabelled Solaris 10 install still need to be installed using an extra install tool, but you'll nonetheless find them on the regular distribution media under the Solaris_10/ExtraValue/CoBundled directory, right alongside the SunVTS hardware validation test suite.

Configuring everything once the packages are in place is a more interesting proposition, but there's a good recipe here (for laptops).

We make no bones about the fact that Trusted Solaris began life as an engineering project for the US Government, first went live 17 years ago, and has seen little use in the commercial world (with one or two notable exceptions) by its nature as a separate product with military heritage ever since - however, now that it's no longer a separate product, we believe that the time is right for commercial adoption.

To this effect, we've been looking at some of the areas in the commercial world where its capabilities have a natural fit. So far, the partial list looks like:

  • Grid segregation: Where a multi-tenant grid within an organisation or consortium is required, such that data associated with one set of users is very rigorously segregated from data associated with another set of users. Have a label per tenant organisation, and run Grid Engine within the zones associated with the labels. Academia may find this interesting, as may some areas of Financial Services (eg where Chinese walls have to be maintained).
  • Datacentre Base Services consolidation: Trusted Extensions makes the perfect multi-client-organisation NTP server (see http://blogs.sun.com/davew/entry/tempus_fugit_addendum) - apply "labels" as "zones" :-). Given the way that both DNS and NTP work (in terms of "client fails gracefully to next nominated server if previous is unavailable"), clustering wouldn't be a concern - or DNS could be load-balanced in the network. Co-location service providers would find this interesting, especially where separation of services between customers is required to be rigorous.
  • Laptop security: Consider the well-known issues of open-access wireless for folk working "out in the world" who nonetheless need to communicate with the office. Walk into your nearest Starbucks, connect to the untrusted wireless at PUBLIC, establish a VPN over the top of that at CONFIDENTIAL (or whatever label you want your corporate intranet to be treated as), job done. I gather Glenn Faden already works this way; Darren also suggested the elegant further finessing of making the PUBLIC zone whole-root so that the VPN packages could be removed from it :-). Such a solution would likely find interest with "everybody who carries sensitive data on a laptop and uses third-party networks".
  • Segregation of CCTV server feeds and archives: We have a solution in trials for using our servers as an aggregation and analysis point for good-sized numbers of IP-based CCTV feeds. I think Trusted Extensions could have a valuable part to play in terms of segregating feeds associated with multiple businesses from each other, and tightly controlling which users are allowed to see feeds from which cameras.
So, that's my short list as it stands today - Glenn Faden has prototypes already for safe web browsing (which is ideal for the laptop case above), and is working on multilevel mail.

Update:

If we extend this a little further, we have:

Any organisation where leakage of internal data is an issue could benefit from having a simple, two-label system of "Public" dominated by "Internal", where "Public" is the Internet connection and "Internal" is the Intranet. If all users are (as is the default) denied permission to downgrade data, then it becomes much less likely that internal data will leak. Giving users the ability to upgrade data by default still allows external data to be brought internal. This works well even when organisations do not differentiate between classifications of internal materials, and the Safe Browsing mechanism comes into its own when web sites on the intranet need to make pointers to materials in the wider world. Press Officer and Auditor roles could also be created, which would potentially be the only roles allowed to downgrade data as part of the external release process.

In educational establishments, denying the ability to upgrade and downgrade data means that while a number of websites can readily be viewed (assuming filtering software is already in place on the Internet link), data can't readily be plagiarised using cut and paste from external sources into essays, etc. Also, if Public and Internal zones are installed as whole-root rather than sparse-root zones, careful use of pkgrm can subsequently deny access to internal tools (such as IM) in an external context, so cyber-bullying could be more readily tracked; bullies wouldn't be able to create anonymous / pseudonymous external accounts "on the fly" from which to abuse their victims.

As well as co-location facilities, law firms may wish to extend their "duty of care" capability, in terms of ensuring segregation of client data, by having a compartmented label per client.
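The policy decisions in this update (Public dominated by Internal, upgrade allowed by default, downgrade reserved for a Press Officer role, both denied for students, one compartment per client) and the PUBLIC/CONFIDENTIAL laptop case in the list above all rest on the same label-dominance rule. As an added illustration that is not code from this post or from Trusted Extensions, here it is in Python. The label encoding (a numeric classification plus a compartment set), the role names and the per-client compartments are assumptions chosen for the example.

```python
"""Label dominance and upgrade/downgrade decisions for a simple labelled system."""
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class Label:
    """A sensitivity label (assumed encoding): classification number plus compartments."""
    classification: int
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Self dominates other if it is at least as classified and holds every compartment other holds."""
        return (self.classification >= other.classification
                and self.compartments >= other.compartments)


# The two-label corporate case from the post: Internal dominates Public.
PUBLIC = Label(0)
INTERNAL = Label(1)
# The law-firm case: one compartment per client; the two are incomparable.
CLIENT_A = Label(1, frozenset({"client_a"}))
CLIENT_B = Label(1, frozenset({"client_b"}))


@dataclass(frozen=True)
class Role:
    """What a user acting in this role may do across labels (assumed role names)."""
    name: str
    can_upgrade: bool = True      # post's default: raising data is allowed
    can_downgrade: bool = False   # post's default: lowering data is denied


DEFAULT_USER = Role("user")
PRESS_OFFICER = Role("press_officer", can_downgrade=True)
STUDENT = Role("student", can_upgrade=False)


def flow_allowed(src: Label, dst: Label, role: Role) -> bool:
    """May data labelled src be moved (copied, pasted, released) into a zone labelled dst?"""
    if src == dst:
        return True                    # same label: always fine
    if dst.dominates(src):
        return role.can_upgrade        # raising sensitivity (bringing external data in)
    if src.dominates(dst):
        return role.can_downgrade      # lowering sensitivity: the leak path
    return False                       # incomparable labels: never, whatever the role


def explain(src: Label, dst: Label, role: Role) -> str:
    """Human-readable verdict, handy when reviewing a proposed policy."""
    verdict = "ALLOW" if flow_allowed(src, dst, role) else "DENY"
    return f"{verdict}: {role.name} moving {src} -> {dst}"


if __name__ == "__main__":
    print(explain(PUBLIC, INTERNAL, DEFAULT_USER))    # web page into the intranet
    print(explain(INTERNAL, PUBLIC, DEFAULT_USER))    # internal document outwards
    print(explain(INTERNAL, PUBLIC, PRESS_OFFICER))   # sanctioned external release
    print(explain(PUBLIC, INTERNAL, STUDENT))         # cut-and-paste into an essay
    print(explain(CLIENT_A, CLIENT_B, PRESS_OFFICER)) # across client compartments
```

The incomparable-label branch is the one that matters for the CCTV and law-firm cases: two compartments at the same classification dominate neither way, so no role, not even one that may downgrade, can move data between clients.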

If you have some more ideas, please add them in a comment :-)

-Dave


One of the great, obvious, simple ideas which went into Solaris 10 was the Reduced Networking Cluster; after fragmenting and massaging the core Solaris packages a bit, it became possible to offer a clean, minimal, even spartan installation of Solaris, a lightweight foundation upon which software could be added as and when only necessary, leading to a very tiny and yet supported machine configuration.

A colleague recently asked me for more information about the Reduced Networking Cluster, and frankly I was stumped, and then Glenn Brunette piped up that he'd written all about it back in 2004:-

The topic for this article is the Solaris 10 Reduced Networking Software Group (also commonly known as the Solaris 10 Reduced Networking Meta Cluster). This software group is new and joins the five existing software groups available in Solaris today: Core, End User, Developer, Entire and Entire + OEM software groups. The Reduced Networking Software Group is positioned as a subset of Core and represents the smallest amount of Solaris that can or should be installed and have a working and supported system. Note that for support reasons, it is not advised to remove packages installed by the Reduced Networking Software Group.

To install the Reduced Networking Software Group, simply select it from the list when doing a graphical installation. If you are using JumpStart, then you should use the cluster keyword with the new value SUNWCrnet. The following is a sample JumpStart profile that uses the Reduced Networking Software Group. This profile was also used to build the system used as an example in this article.

[...]

Yes, it's true - the size of this installation is just a little over 150-Mbytes. Note that this size is based on the build of Solaris 10 that I was using and will certainly change before Solaris 10 is finalized, but I did want to mention it as an example of how small a Solaris installation can be.

...etc; it's quite a long article but worthwhile, since it's one of the sadly few documents which look at this feature from an architectural perspective.

So, folks, if you are into Minimized Solaris Configurations, you want to start with "SUNWCrnet". Less really is more, and it costs you nothing. :-)

-Alec


Today's link comes straight from Robin Wilton:

UK's first 'bandwidth theft' arrests

Yesterday's radio news carried this BBC story about two arrests in Worcestershire for theft of network access. Two individuals, in separate incidents, were apparently seen using laptops in parked cars, and subsequently cautioned for the offence of 'dishonestly obtaining electronic communication services with intent to avoid payment'.

I know there are some householders who see this as a 'victimless' activity, and who are happy to leave their wireless access points open for others to access. In some cases I'm sure it is a harmless and indeed neighbourly thing to do... but it's worth reflecting for a moment on some of the other possibilities this opens up.

At the root of it is the fact that this is a form of identity theft.

(continues)...

It strikes me that this is only a step away from prosecuting people for running kismet or even just scanning for local hotspots; of course the law is rarely so starkly black and white ("you scanned for a wireless network to attach to, you're going down...") but it would not surprise me for someone to try and whamp this up to be the next great threat to society...

Databases of registered MAC addresses, anyone?


Product: Sun Java Web Console 2.2.3, Solaris 10 Operating System, Sun Java Web Console 2.2.5, Sun Java Web Console 2.2.4, Sun Java Web Console 2.2.2

A security vulnerability in the Sun Java Web Console may allow a local or remote unprivileged user to access privileged data or crash the Java Web Console service, leading to a Denial of Service (DoS) condition.

Sun acknowledges with thanks, Frank Dick of N.RUNS AG (http://www.nruns.com/) for bringing this issue to our attention.

For additional information regarding this issue, see the following:

N.RUNS AG security bulletin at http://www.nruns.com/security_advisory_sun_java_format_string.php

CVE-2007-1681 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1681

Avoidance: Patch, Upgrade
State: Resolved
First released: 17-Apr-2007

Product: Solaris 9 Operating System, Solaris 8 Operating System

Root users logging into the GNOME desktop cannot lock the screen via XScreenSaver.

For more information on this issue, please see: http://www.jwz.org/xscreensaver/faq.html#root-lock

Avoidance: Patch
State: Resolved
First released: 23-Sep-2003

Product: Mozilla v1.7, Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System

A security vulnerability related to untimely "garbage collection" in Mozilla 1.7 for Solaris 8, 9 and 10 may result in the deletion of a temporary object that was in active use. This may allow a remote unprivileged user to run arbitrary code with the privileges of the user running Mozilla or create a Denial of Service (DoS) condition.

This issue is described in the following documents:

http://www.mozilla.org/security/announce/mfsa2006-50.html

CVE-2006-3805 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3805

CERT VU# 876420 at http://www.kb.cert.org/vuls/id/876420

Avoidance: Patch
State: Resolved
First released: 30-Mar-2007