Solaris 10 Security Technical Overview Mark Thacker Product Manager Sun Microsystems, Inc.


Copyright 2006, Sun Microsystems, Inc. # 2

Reduce Application Privileges

• Process Rights Management
  > Eliminates need to run applications as superuser
  > Reduces customer exposure to security attacks
  > Compatible with existing applications
  > Always turned on


Example: Apache Web Server

• Binding to Port 80 normally requires 'root' on Unix

• Solaris Service Manager controls Apache2
  > Start as 'webservd' (not 'root')
  > Run with only net_privaddr, proc_fork, proc_exec

• Potential risk exposure dramatically reduced

• Solaris How To Guide
  > “Preventing Web Page Hijacking Using Solaris Security”
  > www.sun.com/solaris/teachme/
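
The Apache setup on this slide, written out as a Service Manager (SMF) manifest fragment. This is an added example, not taken from the slides or from Sun's How To guide; it assumes the stock Solaris 10 `webservd` account and the `/lib/svc/method/http-apache2` method script, and the timeout value is illustrative.

```xml
<!-- Added illustration, not from the slides. Fragment of an SMF service
     manifest for svc:/network/http:apache2. The timeout is illustrative. -->

<!-- Before: no method_context, so the start method inherits root and the
     full privilege set from the restarter. -->
<exec_method type='method' name='start'
    exec='/lib/svc/method/http-apache2 start'
    timeout_seconds='60' />

<!-- After: start as webservd with exactly the three privileges named on
     the slide. proc_fork and proc_exec are part of the default "basic"
     set; net_privaddr is the single addition, and it is what permits
     binding to ports below 1024 without root. limit_privileges caps what
     the process or any child can ever hold. -->
<exec_method type='method' name='start'
    exec='/lib/svc/method/http-apache2 start'
    timeout_seconds='60'>
  <method_context>
    <method_credential user='webservd' group='webservd'
        privileges='net_privaddr,proc_fork,proc_exec'
        limit_privileges='net_privaddr,proc_fork,proc_exec' />
  </method_context>
</exec_method>
```

Because the daemon no longer starts as root, its log and run directories must be writable by `webservd`. Running `ppriv` against a live httpd process shows the privilege sets actually in effect.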


User Rights Management

• Decompose superuser

• Central management

• Rights in profiles

• Profiles to roles

• Roles to users


Access Control & Network Security

Goal : Protect and limit access to network resources

Solution : Solaris 10 built-in security features


Network Protection

• IP Filter firewall
  > Sun supported stateful firewall
  > Allows selective access to ports based on IP
  > Compatible/manageable like open source IPF

• TCP Wrappers
  > Limit access to TCP/UDP service by domain name
  > Allow selective access for partners, suppliers


Cryptographic Framework

• Standards-based framework

• Same API, software or hardware

• Extensible framework

• 'Unbreakable' cryptographic strength


Remote Access

• Solaris Secure Shell
  > Standards-based encrypted remote access

• Kerberos Single Sign On
  > Standards-based enterprise single sign on
  > Optional encryption of NFSv3 and NFSv4 file shares

• IPSec/IKE
  > Transparently encrypted communications
  > Works with existing applications – no modifications
  > Works with hardware acceleration


Password Management

• Password Complexity Checks

• Password History (0 – 26 passwords)

• Banned Password List (Dictionary)

• Additional controls through LDAP


Solaris System Auditing

• Audits all system events

• Records who did what to what, when and how

• New ability to send data to XML parsers

• Often used by Audit and Compliance Officers


Container Security

[Diagram: Server / OS / Application stack under Global Zone administration]

• File, network, process and resource isolation

• 8192 Containers Possible


Basic Audit and Reporting Tool (BART)

• How do you know you haven't been hacked ?

• Use 'bart'
  > Generate checksums; compared periodically

• Solaris Fingerprint Database

• Validate your system today
  > sunsolve.sun.com


Solaris Secure Execution

• Solaris 10 : Most digitally signed OS on the planet

• Manually verify systems today

• Future update will verify integrity at load time

• Prevents unauthorized applications and patches

• Helps meet auditing requirements


Minimization & Hardening

• Why minimize?
  > Reduce risk by removing unneeded software

• Why harden?
  > Reduce exposure by turning off unneeded services
  > Favor secure connections and behaviors

• Solaris 10 provides the tools needed for both


Reduced Network Metacluster

• Small install of Solaris with no network services
  > Nothing listening to network to be attacked!

• Basic building block - Turn on only what you want

• Used during manual or Jumpstart install of Solaris


Reduced Network Metacluster

Meta Cluster          Size (MB)   # Pkgs
Reduced Networking    191         92
Core                  219         139
End User              2100        604
Developer             2900        844
Entire                3000        908
Entire + OEM          3000        988


Limited Network Profile - Hardening

• Enhanced Limited Networking Profile

• Turns off many services or sets them to 'local only'

• Uses Solaris Service Manager for per-service config

• Full desktop, Email, Web browsing

• Only Solaris Secure Shell listening to the network


More Options for Securing Solaris

• Solaris Security Toolkit v 4.2

• Hardening
  > Sets secure system parameters
  > Allows undo of previously applied hardening

• Minimize during install
  > Uses repeatable profiles
  > Jumpstart integration

• Download today : www.sun.com/blueprints


What is Solaris Trusted Extensions?

• Labeled Security for Solaris 10

• An integrated feature for Solaris 10 11/06

• Mandatory Access Control based on labels

Benefits :

• Isolate data based on its sensitivity

• Regulate network data flow more easily

• Comply with data privacy legislation more easily


Trusted Extensions NEW!

• Adds labeled security to Solaris 10

• Multi-level networking, printing

• Multi-level Interfaces

• Leverages User & Process RM

• Uses Containers

• Runs all Solaris applications

• High level of certification


Trusted Extensions Architecture

[Diagram: side-by-side layer stacks for Trusted Solaris 8 and Trusted Extensions (Solaris 10 11/06, Solaris 10 kernel). Layers shown: Labeled Networking, Labeled Desktop, Label-Aware Services; TCP/IP, Process Containment [Containers], Privileges; Modified TCP/IP, Process Containment [Trusted Labels], Trusted Privileges.]


MAC, Labels, Containers

• Labels have relationships; Containers are labeled

• Mandatory Access Control enforced in kernel

• Patented method for secure file access

[Diagram: Server / OS with labels Internal, Partner, Public]


Controlling The Flow of Data


Trusted Java Desktop System Details NEW!

• Workplace switcher

• Task switcher

• Trusted stripe and Trusted Path menu


Independent Validation

3rd Party Certifications

[Chart: operating systems placed by Common Criteria evaluation level. Levels shown: EAL4+ (B1) (CAPP, RBACPP, LSPP); EAL4+ (C2) (CAPP & RBACPP); EAL4 or EAL4+ (C2) (CAPP); EAL3 or EAL3+. Products shown: Trusted Solaris 8, SuSE, HP-UX, IBM AIX, Windows 2003, Solaris 8, SGI Irix, Red Hat, Solaris 9, Solaris 10*, Solaris 10 w/Trusted Extensions*.]

Based on data from http://www.commoncriteriaportal.org/

* Solaris 10 3/05 and 11/06 are currently in evaluation


Trusted Extensions vs Trusted Solaris 8

                   Trusted Extensions        Trusted Solaris 8
Name Service       Files, LDAP               Files, NIS+
Encoding File      -same-                    -same-
Network Labels     CIPSO                     CIPSO, TSOL, TSIX
File Systems       Any                       UFS
Backups            Any                       Tar & CPIO
Flexible Labels    Yes                       Strict
Label API          Yes                       Yes
Integrated w/OS    Yes                       Separate
License Fee        Free – part of Solaris    $1K - $90K
