Sun Microsystems, Inc.
Home > Next >

      • General Information


      • Documentation & Training


      • Performance Issues


      • Installation & Configuration


      • Compatibility Issues


      • Functionality & Usability Issues

Fast Track to the Solaris 10 OS Adoption: Security

Performance Issues

Please click on a question below or download a pdf version.

  1. How much security protection can the Solaris 10 OS offer against virus and worm denial-of-service attacks, even with the Zones feature?
  2. You said that the Solaris 10 OS provides many security/FW/IDS features, but does it not load the system performance with all these features?
  3. Is there an estimated stateful throughput when using the IP filtering features of the Solaris 10 OS?
  4. In the Solaris 9 OS, if the default password encryption scheme was changed from DES to blowfish or MD5, certain utilities (like SunMC and Diagnostic Reporter) would break. Is this still true in the Solaris 10 OS?
  5. Are the security capabilities of the Solaris 10 OS x86 as robust as on the other platforms?
  6. Are there any major changes to the audit framework?
  7. I was curious about how the Solaris 10 OS will log security events. Will there be detail provided, especially in the process and user rights arena so we will know when user ABC tries to access something they don't have rights to?
  8. Will there be a "logging shell" for root, i.e., a log of all commands executed as root, similar to sudo?

Q: How much security protection can the Solaris 10 OS offer against virus and worm denial-of-service attacks, even with the Zones feature?

A: Zones uses the Process Rights Management feature of the Solaris 10 OS to restrict the capabilities of privileged processes running in a zone. So even if a root process is compromised, the actions it can perform can are limited to affecting the content of the zone, rather than the rest of the machine.

Back to top

Q: You said that the Solaris 10 OS provides many security/FW/IDS features, but does it not load the system performance with all these features?

A: As with any feature of the OS, the load imposed depends on the architecture. For example, Process Rights Management is "on" by default in the Solaris 10 OS, so no real penalty is imposed for using it. Same thing with User Rights Management, which is known as Role Based Access Control in the Solaris 8 and 9 Operating Systems. In fact, with Solaris 8 and 9 OS, customers are already "using" RBAC even if they don't know it. Again, no real penalty. IP Filter can impose a performance overhead depending on the nature of the rule set.

Back to top

Q: Is there an estimated stateful throughput when using the IP filtering features of the Solaris 10 OS?

A: No particular estimate since the IP filter is always "on," though if it doesn't have any rules configured, there is no performance penalty. However, absolute worse case is a 15 percent throughput hit in a corner case. Basically, I would anticipate a very small, if noticeable performance hit when using stateful rules in IP Filter.

Back to top

Q: In the Solaris 9 OS, if the default password encryption scheme was changed from DES to blowfish or MD5, certain utilities (like SunMC and Diagnostic Reporter) would break. Is this still true in the Solaris 10 OS?

A: There are still some utilities, including some third party that just plain assume all UNIX passwords to be in 40-bit crypt format. We are working on these as we can.

Back to top

Q: Are the security capabilities of the Solaris 10 OS x86 as robust as on the other platforms?

A: Yes. Equally robust on all platforms.

Back to top

Q: Are there any major changes to the audit framework?

A: We've included more information in the records, such as the zoneid where the request originated. We've also taken steps to allow the audit daemon to use syslog to remove log audit records and to produce the audit trail in a more parsable format using XML.

Back to top

Q: I was curious about how the Solaris 10 OS will log security events. Will there be detail provided, especially in the process and user rights arena so we will know when user ABC tries to access something they don't have rights to?

A: Solaris OS includes a feature called "Solaris BSM Audit," which allows you to audit all access to files without changes being required to the applications. This provides the information you're asking about, including the zone information where the request originated and the user id. You can set this up to just audit failures or all accesses.

Back to top

Q: Will there be a "logging shell" for root, i.e., a log of all commands executed as root, similar to sudo?

A: The Solaris OS already has capabilities for providing limited access to privileged commands, called Role-Based Access Control (RBAC). RBAC has been in since version 8 in 2000. We have had configurable auditing for longer than that. Although we think RBAC is a more complete solution, we do also include sudo on the Solaris OS companion CD.

Back to top Next >
 
Company Info  |   Contact  |   Terms of Use  |   Privacy  |   Trademarks  |   Copyright 1994-2005 Sun Microsystems, Inc.