Fast Track to the Solaris 10 OS Adoption: Security
General Information
- When is the official release of the Solaris 10 OS?
- I am new to the Solaris 10 OS world. Could you elaborate on security features and what are the potential migration issues?
- What are the major differences between the Solaris 10 OS and the Solaris 9 OS as far as "out-of-the-box" security?
- What security features are included in the Solaris 10 OS to avoid classic "buffer overflows" and inappropriate "root" or system access?
- Has it been determined which versions of Sendmail and/or BIND will be included with the Solaris 10 OS?
- What is Sun's involvement in the various security standards bodies?
- Anything new in Solaris Volume Manager (previously Solstice Disk Suite)? Is this product still growing in function, or is it coasting along waiting to be replaced by something in the wings?
- Is any work being done to slim down BSM's footprint? It's a bit heavy on a uni-processor Netra, for example.
- Will security be the same across all architectures supported by the Solaris OS?
- Does CDE still exist in the Solaris 10 OS?
- In light of the security features added to the Solaris 10 OS, will any security features be added to the Solaris 8 OS?
- Is PAM still available on the Solaris 10 OS?
- When will Sun stop supporting the Solaris 8 OS?
- What tends to be cheaper to use in a total enterprise infrastructure: security policies addressed with appliances outside of the server or security policies only within the server? If I need another product to address security outside of the server, can this also be adequate for server security?
- What additional RBAC features are in the Solaris 10 OS vs. the Solaris 8 OS?
- Can you discuss more on the Solaris Containers technology?
- Can you expand a little on smartcard authentication? Any views to building smartcard readers into Sun desktops, for example?
- Does the Solaris 10 OS support C libraries and SSH?
- Is an IDS system included with the Solaris 10 OS?
- Will any of the improved security features of the Solaris 10 OS be rolled back to the Solaris 9 OS? I'm thinking specifically about the improvements to Native LDAP authentication with the Sun One Directory and Kerberos.
- I have never seen the Solaris OS in action. Does Sun have a store where I can go to see it?
- SunScreen software was provided with the Solaris 9 OS; is it available in the Solaris 10 OS? Rumor has it that firewall features are moving into kernel space and SunScreen will be dropped. I'm interested primarily in host-based firewalls (protecting an individual host, not a network).
- Will there be a trusted version of the Solaris 10 OS?
- Have all of the Solaris 10 OS security features and tools been fixed now? That is, are there no more changes coming? I know there will still be at least one beta coming through the Solaris Express program, but I see that the Security Administration Guide has a January 2005 date on it.
- Has the Solaris 10 OS been through Common Criteria? What about EAL? (or what is the latest version that has?)
- What security features if any are integrated in ZFS with the Solaris 10 OS?
Q: When is the official release of the Solaris 10 OS?
A: January 31st is the release date, but if you want to try it now, you can go to http://www.sun.com/software/solaris/solaris-express/
Q: I am new to the Solaris 10 OS world. Could you elaborate on security features and what are the potential migration issues?
A: Many new features are included in the Solaris 10 OS, including a new crypto framework, breakthrough process and user rights management, strong password encryption, new minimization routines, and the incredible Solaris Containers, for process and security-breach containment. Please see the full Solaris 10 OS Security Net Talk, available at www.sun.com/nettalk/
Q: What are the major differences between the Solaris 10 OS and the Solaris 9 OS as far as "out-of-the-box" security?
A: There are many differences, which we discussed in the NetTalk last month. You might want to take a look at www.sun.com/nettalk/ and see the security presentation.
Q: What security features are included in the Solaris 10 OS to avoid classic "buffer overflows" and inappropriate "root" or system access?
A: With the Solaris 10 OS, you will have access to Process Rights Management, which is a more sophisticated approach to assigning security privileges, eliminating the need for "root" system access. Learn more at sun.com/software/solaris/10/ds/security.jsp
Q: Has it been determined which versions of Sendmail and/or BIND will be included with the Solaris 10 OS?
A: Sendmail 8.13, and both BIND 9.2 and 8.4.2.
Q: What is Sun's involvement in the various security standards bodies?
A: Sun is extremely involved in everything from W3C, IETF, TCG, WSI, and many other security bodies. Normally we are very active, as an editor, chair, or heavy contributor.
Q: Anything new in Solaris Volume Manager (previously Solstice Disk Suite)? Is this product still growing in function, or is it coasting along waiting to be replaced by something in the wings?
A: Solaris Volume Manager (SVM) is being adopted rapidly by our customers. They see it as an excellent replacement for competing third-party products such as VxVM. We will continue working on adding new features to SVM. It is NOT being replaced, nor is it being stalled. The latest SVM features are: Cluster Volume Manager functionality; support for simultaneous disk access from multiple Sun Cluster nodes; compatibility with Oracle 9i Real Application Clusters (RAC) and Oracle 10g; improved manageability of Solaris Volume Manager, which now includes import/export of "disksets," which allows customers to use the Solaris Volume Manager to create a single disk volume from multiple physical disks. This feature makes it simple to move the disks between host systems.
Q: Is any work being done to slim down BSM's footprint? It's a bit heavy on a uni-processor Netra, for example.
A: In the Solaris 9 OS, we added multi-threaded performance for the BSM audit system as well as a "system files" filter (or option) that automatically excludes read and open access to system-owned read-only style files. These are mostly considered unnecessary log entries by most customers. Also, the Solaris 9 OS introduced the XML output capability so that customers can parse it to their specific needs. The Solaris 10 OS carries these traits forward.
Q: Will security be the same across all architectures supported by the Solaris OS?
A: Yes, it will be exactly the same.
Q: Does CDE still exist in the Solaris 10 OS?
A: Yes, but with the Solaris 10 OS you'll have the choice to use CDE or Java Desktop System 3.
Q: In light of the security features added to the Solaris 10 OS, will any security features be added to the Solaris 8 OS?
A: We have not committed to any backporting of those features into the Solaris 8 OS or before, and we probably will not.
Q: Is PAM still available on the Solaris 10 OS?
A: Yes, it is available in the Solaris 10 OS.
Q: When will Sun stop supporting the Solaris 8 OS?
A: End of support for a given release is five years after end of ship. The Solaris 8 OS is still shipping, and per the Solaris lifecycle model (see http://sun.com/solaris/fcc/lifecycle.html), we'll announce the end of ship dates for the Solaris 8 OS sometime after the Solaris 10 OS is released.
Q: What tends to be cheaper to use in a total enterprise infrastructure: security policies addressed with appliances outside of the server or security policies only within the server? If I need another product to address security outside of the server, can this also be adequate for server security?
A: Actually, security policy in general applies to any sort of device, from external SSL accelerators to routers, to telephones. Sun sees customers at all ends of the spectrum, and we encourage customers to deploy a "defense-in-depth" policy to security. That is, even though a customer may use something like a firewall appliance to connect to the Internet, they should still evaluate the possible need to have a firewall on every host or every server to protect from internal attacks. Indeed, encryption inside of an enterprise (through built-in IPsec/IKE) is becoming necessary within data centers due to regulatory requirements. All customers need to find the balance based on their changing business requirements.
Q: What additional RBAC features are in the Solaris 10 OS vs. the Solaris 8 OS?
A: We've integrated RBAC with the new privilege system (Process Rights Management) so that you can associate privileges with each user's shell (and thus the processes the user runs). This allows even more granular controls over the rights given to processes associated with a partially privileged user.
Q: Can you discuss more on the Solaris Containers technology?
A: The Solaris 10 OS delivers the next step in the Solaris Containers roadmap. Solaris Containers technology was first available in the Solaris 9 OS, and the Solaris 10 OS builds on this functionality. Solaris Containers has been enhanced and extended to include additional tools to further isolate applications from each other while running on the same instance of the Solaris OS. They bring advanced security and application fault isolation as well as additions to the resource management features introduced in the Solaris 9 OS.
The key thing is that, in the Solaris 10 OS, Solaris Containers focuses on application/workload management. It delivers tools to "shrink wrap" your application in its own environment that has the right attributes, like CPU and memory quantity and/or IP address, and users. This way it's easier to deploy an application on a shared system. For more information, please check out the Expert Exchange transcript on Solaris Containers.
Q: Can you expand a little on smartcard authentication? Any views to building smartcard readers into Sun desktops, for example?
A: The Sun Blade workstations have included smartcard readers for a number of years. Similarly, we include readers in the Sun Ray appliances, so, yes, we believe that smartcards are an important way for users to authenticate and carry keys around as they move. We also include a smartcard framework in the Solaris 8 OS that allows applications a "currently" low-level API to interface to these smartcard readers and smartcards (it's at a level similar to PC/SC if you know this interface). In the Solaris 10 OS, we've also included a way to use the PC/SC Lite API.
Q: Does the Solaris 10 OS support C libraries and SSH?
A: Yes to both questions.
Q: Is an IDS system included with the Solaris 10 OS?
A: We have Snort on the Companion CD today for the Solaris 9 OS, and it will also be available for the Solaris 10 OS. (For earlier Solaris OS releases, it's publicly available outside of Sun.)
Q: Will any of the improved security features of the Solaris 10 OS be rolled back to the Solaris 9 OS? I'm thinking specifically about the improvements to Native LDAP authentication with the Sun One Directory and Kerberos.
A: As with all enhancements to the Solaris 10 OS, we evaluate the possibilities of providing these to prior versions. The Kerberos authentication for Native LDAP is not as likely to be available to prior releases because we have utilized the new Cryptographic Framework, which is only in the Solaris 10 OS. Third parties such as PADL (www.padl.com) may provide another solution.
Q: I have never seen the Solaris OS in action. Does Sun have a store where I can go to see it?
A: Sun normally does not sell its software through retail outlets. However, we do have a number of large sales offices, and I would encourage you to locate a reseller of Solaris at www.sun.com.
Q: SunScreen software was provided with the Solaris 9 OS; is it available in the Solaris 10 OS? Rumor has it that firewall features are moving into kernel space and SunScreen will be dropped. I'm interested primarily in host-based firewalls (protecting an individual host, not a network).
A: That's right in line with our strategy, which is to provide firewalling capabilities to secure the system intrinsically in the OS; that's the reason we had SunScreen software included in the first place, rather than to provide perimeter firewalling. With the introduction of technologies such as IP Filter directly into the OS, we no longer need SunScreen software to be in the box to secure the host. For customers who still want SunScreen software, it will remain a component of the Solaris 9 OS, which we intend to continue shipping until the next release after the Solaris 10 OS comes out (that is, for at least the next two-and-a-half years).
Q: Will there be a trusted version of the Solaris 10 OS?
A: Not as a separate product. If you need the highest degree of security, and/or features not yet included in the Solaris 10 OS, those features will be available as an add-on product.
Q: Have all of the Solaris 10 OS security features and tools been fixed now? That is, are there no more changes coming? I know there will still be at least one beta coming through the Solaris Express program, but I see that the Security Administration Guide has a January 2005 date on it.
A: As with everything, this is work in progress, and that's what the Beta or Solaris Express program is in place for. After the release date of the Solaris 10 OS, many more new features will be included in it, but what we are currently developing will be there on January 31, 2005.
Q: Has the Solaris 10 OS been through Common Criteria? What about EAL? (or what is the latest version that has?)
A: We have a Common Criteria target for the Solaris 10 OS of Role Based Access Control Protection Profile (RBACPP) and Controlled Access Protection Profile (CAPP) at EAL 4+. This target will include the networking, graphical interface/administration, and LDAP authentication capabilities. At this time, we are still in the early process of picking an evaluation lab and will have a goal of having the certification completed some 6-8 months after release of the Solaris 10 OS.
Q: What security features if any are integrated in ZFS with the Solaris 10 OS?
A: ZFS provides Cutting-Edge Data Security and Integrity. ZFS is a copy-on-write file system, and thus the on-disk structure of ZFS is always consistent. If the system is shut down in an unclean manner, upon reboot there is no recovery needed to make ZFS consistent. With ZFS, all data is protected by 64-bit checksums resulting in 99.9999999999999999999 percent error detection and correction. When any data is read, the checksum is verified to ensure that the data which the application wrote is what it gets back. If a checksum error is detected in a mirrored pool, the correct data will be read from the other side of the mirror, and the corrupt data will be repaired. We are making ZFS extensible and so, in the future, additional capabilities will be added such as encryption.
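The checksum-verified read and mirror repair described in this answer, modeled as an added example (not Sun's code and not part of the original FAQ). The `MirroredPool` class, the in-memory mirror sides, and the truncated SHA-256 used as a 64-bit checksum are all assumptions chosen for illustration; this is not ZFS's on-disk format or its checksum algorithm.

```python
import hashlib


def checksum64(data: bytes) -> bytes:
    # Stand-in 64-bit checksum (SHA-256 truncated to 8 bytes); not ZFS's own algorithm.
    return hashlib.sha256(data).digest()[:8]


class MirroredPool:
    """Toy mirror (hypothetical model): each side maps block id -> bytes."""

    def __init__(self, sides: int = 2):
        self.sides = [dict() for _ in range(sides)]
        self.checksums = {}  # block id -> checksum recorded at write time
        self.repairs = []    # (block id, side index) pairs healed during reads

    def write(self, block_id: int, data: bytes) -> None:
        # Record the checksum of what the application wrote, then mirror the data.
        self.checksums[block_id] = checksum64(data)
        for side in self.sides:
            side[block_id] = data

    def read(self, block_id: int) -> bytes:
        expected = self.checksums[block_id]
        bad = []
        for index, side in enumerate(self.sides):
            data = side.get(block_id, b"")
            if checksum64(data) == expected:
                # Good copy found: rewrite the sides that failed verification before it.
                for bad_index in bad:
                    self.sides[bad_index][block_id] = data
                    self.repairs.append((block_id, bad_index))
                return data
            bad.append(index)
        # Every copy failed verification: report the error instead of returning bad data.
        raise IOError(f"block {block_id}: no copy matches its checksum")


def demo():
    pool = MirroredPool()
    pool.write(7, b"payroll record 0007")      # constructed sample data
    pool.sides[0][7] = b"payroll record 0O07"  # simulate silent corruption on side 0
    data = pool.read(7)
    return data, pool.repairs, pool.sides[0][7]


if __name__ == "__main__":
    print(demo())
```

When every side fails verification the model raises an error rather than returning data, which is the case a mirror cannot repair.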