SecuritySolaris 10 provides advanced features that allow you to secure your systems and consolidate services with peace of mind. HighlightsThe Solaris 10 Operating System, the most secure OS on the planet, provides security features previously only found in Sun's military-grade Trusted Solaris OS. User and Process Rights Management work in conjunction with Solaris Containers to let you securely host thousands of applications and multiple customers on the same system. Security administrators can minimize and harden Solaris even better than before to implement a secure foundation for deploying services. Solaris Trusted Extensions is a standard part of Solaris and allows customers who have specific regulatory or information protection requirements to take advantage of labeling features previously only available in highly specialized operating systems or appliances.
File Integrity and Secure ExecutionSystem administrators can detect possible attacks on their systems by monitoring for changes to file information. In the Solaris 10 OS, binaries are digitally signed, so administrators can track changes easily, and all patches or enhancements are embedded with digital signatures, eliminating the false positives associated with upgrading or patching file integrity-checking software. The Solaris 10 OS also introduces the Basic Audit and Reporting Tool (BART), a file integrity-checking application for data files and customer applications. The BART utility allows a customer to create snapshots of their own data, applications and critical system files and periodically scan for changes to these files. Additionally, the Solaris Fingerprint Database project, hosted by Sun on the SunSolve Web site, provides digital fingerprints for all files shipped in the Solaris OS, spanning many previous generations of the operating system. The Solaris Fingerprint Database offers free online verification utilities that allow you to check the integrity of Solaris files on any existing system to ensure that no hacker has modified critical system files. Used individually or together, these file integrity tools provide powerful, flexible ways to monitor for changes to your operating system platform. User and Process Rights ManagementIn traditional UNIX platform-based operating systems, applications and users often need administrative access to perform their jobs. However, most implementations offer just one level of higher privilege: root or superuser. This means that any user or application given root access has the ability to make major changes to the operating system—and is typically the target of hacking attempts. The Solaris 10 OS offers unique User Rights Management (also known as role-based access control, or RBAC) and Process Rights Management (also known as privileges). Together, User and Process Rights Management technologies reduce risks by granting users and applications only the minimum capabilities needed to perform their duties. Unlike other solutions on the market, no application changes are required to take advantage of these security enhancements. Solaris also offers protection against 'buffer overflow' attacks as well as an extensive audit trail that can be exported into common XML format for further analysis.
Network Service ProtectionThe Solaris 10 OS ships with Solaris IP Filter firewall software preinstalled. This integrated firewall can reduce the number of network services that are exposed to attack and provides protection against maliciously crafted networking packets. Starting in Solaris 10 8/07, the IP Filter firewall can also filter traffic flowing between Solaris Containers when it is configured in the Global Zone. In addition, TCP Wrappers are integrated into the Solaris 10 OS, limiting access to service-based allowed domains. Solaris also provides protection against attack through it's Secure By Default networking configuration. When configured in this manner, a Solaris 10 system retains a usable GUI interface, can browse the Web, send Email and do other outbound communications. Only the Solaris Secure Shell encrypted remote access method is allowed for inbound communication. Cryptographic Services and Encrypted CommunicationFor high-performance, system-wide cryptographic routines, the Solaris Cryptographic Framework adds a standards-based, common API that provides a single point of administration and uniform access to both software and hardware-accelerated, cryptographic functions. The pluggable Solaris Cryptographic Framework can balance loads across accelerators, increasing encrypted network traffic throughput, and it is available to applications written to use Public Key Cryptography Standards (PKCS) #11, Sun Java Enterprise System, NSS, OpenSSL, and Java Cryptographic Extension software. Starting with Solaris 10 8/07, the Solaris Key Management Framework is introduced to assist in managing digital certificates. The Key Management framework provides a single set of administrative commands for digital certificate creation requests, manipulation and loading across the most common formats. Solaris also provides protection against theft of sensitive material by encrypting communications using the IPsec/IKE and Solaris Secure Shell protocols. Solaris IPsec/IKE complies with industry standards to provide encryption of data between two or more systems over the network without any application modification at all. The Solaris Secure Shell protocol is a specific set of utilities that have been modified to allow for encrypted remote access and file transfer between two systems. Flexible Enterprise AuthenticationThe Solaris 10 OS delivers a number of flexible authentication features. At the foundation of Solaris is support for Pluggable Authentication Mechanism (PAM), which make it possible to add authentication services to Solaris dynamically. Sun and third-party vendors provide many PAM modules and customers can create their own to meet specific security needs. The Solaris Kerberos Service delivers Kerberos-enabled remote applications such as rsh, rcp, telnet, Solaris Secure Shell, and NFS file sharing. Kerberos-based protocols allow for enterprise single sign-on (SSO), authorization and encrypted communication. Lightweight Directory Access Protocol (LDAP) client-side authentication and interoperability enhancements enable enterprise-wide, secure, standards-based authentication to your servers and applications. All Solaris User and Process Rights management information can also be stored centrally in through the LDAP-based directory server, allowing for centralized management of users and security role definitions. Local passwords have strong password encryption options, including MD5 and Blowfish, as well as account lockout, password history and complexity checking, and a banned passwords list. By providing strong password encryption, systems are less subject to successful password cracking should a password file ever be lost or stolen. Repeatable Security Hardening and MonitoringNew features in the Solaris 10 OS make it easier than ever to minimize and harden a system. The Reduced Networking Metacluster install option creates a minimized Solaris OS image, ready for administrators to add functionality and services in direct support of their system's purpose. As mentioned previously, Solaris 10 now includes a Secure By Default networking configuration that disables many unused network services, while configuring all other services for local system-only communications. The freely available Solaris Security Toolkit assists in the process of installing and maintaining a minimized and hardened operating system security configuration. The Toolkit also includes an audit mechanism to compare a running system configuration against a site-specified hardening profile. In this way, the Toolkit can be used to both verify and enforce compliance with an organization's OS security standards. Mandatory Access Control and LabelingIf your system requirements include privacy, increased accountability, and reduced risk of security violations, then Solaris Trusted Extensions is for you. As a standard part of Solaris, true multi-level security is available for the first time in a commercial-grade operating system, that runs all your existing applications and is supported on over hundreds of x64/x86 and SPARC platforms. Mandatory Access Control is enforced in Trusted Extensions by the use of User and Process Rights Management as well as Solaris Containers, which have an information sensitive label applied to them. Customers can quickly configure new labels, which protect files, networks, applications and users against inappropriate access, without writing complex, error prone security policy files. Common Criteria CertificationSolaris 10 11/06 is currently in evaluation at EAL4+, one of the highest level of Common Criteria Certification, with three Protection Profiles: Labeled Security Protection Profile (LSPP), Controlled Access Protection Profile (CAPP) and Role-Based Access Control Protection Profile (RBACPP). The CAPP & RBACPP certification is estimated to be completed in August 2007 with the LSPP following in Winter 2007. In addition, Solaris 10 3/05 has completed evaluation at EAL4+ with CAPP and RBACPP. Training
|
|
Related |
|||||||
|