Wednesday Dec 02, 2009

NEW: OpenSolaris VPC Gateway Tool v0.1

On August 26th, 2009, Amazon Web Services launched their new Virtual Private Cloud (VPC) service. According to Amazon, this service:
[...] is a secure and seamless bridge between a company’s existing IT infrastructure and the AWS cloud. Amazon VPC enables enterprises to connect their existing infrastructure to a set of isolated AWS compute resources via a Virtual Private Network (VPN) connection, and to extend their existing management capabilities such as security services, firewalls, and intrusion detection systems to include their AWS resources. Amazon VPC integrates today with Amazon EC2, and will integrate with other AWS services in the future.

Sounds pretty cool, right? Well, I thought so. Back then, this announcement peaked by interest and I wanted to dive in and give it a try. Unfortunately, the VPC documentation leans more heavily toward configurations where a Cisco or Juniper device acts as my Customer Gateway to the VPC. That is certainly a problem as I do not have access to either of those kinds of devices. That got me to thinking...

Wouldn't be cool if we could just use OpenSolaris as a VPC Customer Gateway?

Even more interesting would be if I could create and access a VPC from OpenSolaris running inside of VirtualBox on my MacBook Pro! That way, I could have an on-demand virtual data center in the Cloud that I could access from anywhere!

It was from this concept, that I reached out to Dan McDonald and Dileep Kumar. Forming this virtual team, we applied our respective skills to this challenge. As things started to heat up, we pulled in Sebastien Roy and Sowmini Varadhan who provided invaluable support and architectural guidance without which we would still be in troubleshooting hell. (Thank you guys!)

So, where do things stand? (Drum roll, please!)

As it turns out... Yes, we were able to configure OpenSolaris (without any new development required!) to act as a Customer Gateway as part of an AWS VPC configuration. Our initial configuration used a dedicated system with an Internet routable, static IP address per the AWS VPC guidelines. So, question #1 is answered - yes, you can use OpenSolaris as a VPC Customer Gateway! W00t!

With this completed, I was still left wondering about by second question - getting this all to work from OpenSolaris running in VirtualBox on my laptop (or other non-dedicated system). As it turns out, it can be made to work as well - which is pretty cool, but since it is not supported by AWS at this time, it is not a configuration that I would recommend or support. That said, it is pretty cool to see this working (if even only in a "playground" sense).

Would you like to give this a try? Do you have VPC access but do not have a Cisco or Juniper device at your disposal? Well, fear not! Use OpenSolaris FTW!

Today, we are happy to announce the availability of the OpenSolaris VPC Gateway tool (version 0.1). As we stepped through getting everything to work, it was clear that nearly every aspect of the VPC configuration and creation process could be automated - so we automated it! The OpenSolaris VPC Gateway tool requires just a small bit of configuration after which you can quickly and easily establish a basic VPC configuration (with one subnet and one instance). You can customize the tool to make things more complex, but this is left as an exercise to the reader.

The OpenSolaris VPC Gateway tool is publicly available from the Kenai repository complete with installation, configuration and usage documentation.

Note that this is still preview-quality software with all of the necessary caveats that go along with it, but I would encourage those interested in OpenSolaris, VPCs, and especially in both to give it a try and send us your feedback! Thanks in advance and take care!

P.S. Looking for a good default instance to create? Try an OpenSolaris 2009.06 Immutable Service Container!

Technorati Tag:

Monday Nov 30, 2009

UPDATE: OpenSolaris ISC Construction Kit v1.3

I have been writing about the Immutable Service Container project for quite some time. Since this project was publicly launched earlier this year, we have produced a number of updates, several presentations and podcasts, as well as images that people could use on Amazon EC2 or with VirtualBox. All of these updates had a singular goal - to highlight what is possible when we refactor our existing strategies and processes to pre-integrate greater security capabilities by default into our operating system configurations. While our original goal was to focus on Cloud Computing and virtual machine image security, these concepts really apply more universally. Whether used in a traditional data center or the Cloud, there are significant benefits that can be realized when we begin to put all of the pieces into place. Certainly, I mean more than just patching or hardening, but looking at virtual machine security more comprehensively.

With this as a backdrop, I am very happy to announce the availability of version 1.3 of the OpenSolaris Immutable Service Container Construction Kit! Prior to this update, the Kit was able to automate the creation of a configuration that included:

  • built upon the OpenSolaris 2009.06 release
  • (optional) loose minimization support to help those building and sharing images
  • security hardening of the operating system - based upon the OpenSolaris Security Hardening project
  • non-executable stack functionality enabled (on systems supporting this functionality)
  • encrypted swap enabled
  • encrypted scratch space enabled - default size is 100 Mbytes (customize as needed)
  • kernel-level auditing enabled - default policy audits login/logouts, administrative events, and all commands executed on the system, audit syslog plugin configured (/var/log/auditlog)
  • stateful packet filtering enabled - packet filtering syslog plugin configured (/var/log/ipflog), in-bound network access denied by default (except SSH), out-bound network access permitted by default (customize as needed)
  • a single non-global zone installed (although others can be installed as needed):
    • gzip compressed non-global zone root file system
    • building upon default non-global zone security capabilities
    • unique VNIC limiting visibility of unintended network traffic
    • encrypted scratch space
    • stateful packet filtering and NAT to restrict network-access
    • in-bound network access denied by default (customize for your service)
    • out-bound network access permitted by default (customize as needed)
    • DNS and auditing configurations inherited from the global zone

The v1.3 update goes beyond this foundation to incorporate new capabilities including:

  • configurable virtual network architecture. Non-global zones can be installed into the same or different virtual networks. This capability is required in order to begin constructing ISC configurations that implement more advanced network compartmentalization configurations. Administrators can define to which network a non-global zone should be attached using the -N option to the iscadm.ksh tool.
  • anti-spoofing protection. Each of the non-global zones are configured to leverage the MAC and IP address anti-spoofing protections enabled by Crossbow 1.3 (builds 126 and newer).
  • default resource controls. Non-global zones are configured to have a maximum lightweight process resource control installed (default: 300). This setting helps to mitigate against the effects of certain denial of service attacks. The actual limit can be adjusted using the ISC_MAX_LWPS parameter.
  • default file system quotas. Non-global zone root file systems are configured to have a specific ZFS quota (default: 1G) and reservation (default: 512M). Since ISC nodes (non-global zones) share a common ZFS data set, it is important to have this restriction to prevent one node from exhausting capacity being used by other nodes. The default values can be changed using the ISC_QUOTA and ISC_RESERVATION parameters.
  • site variable override. A new file (isc/etc/site.conf) is used to store any variables that are specific to a site or implementation. This file is not delivered by default and therefore will not be overwritten upon update (preserving any site-specific parameters). This file is intended to be used to store local (site specific) variables such as those listed above.
In addition to these new features and capabilities, several bugs were squashed and the code was generally cleaned up to make it easier to read and extend in future updates. This update was tested using OpenSolaris 2009.06 as well as OpenSolaris 2010.03 (build 127).

It is worth noting that the OpenSolaris ISC Construction Kit uses a modular architecture. Let's say you did not want all of the functionality described above - you just want to harden an OpenSolaris global zone. Well, that can be easily done using the following steps:

$ env ISC_SVCS_DOCK="lockdown" pfexec isc/bin/iscadm.ksh -d

Similarly, if you just wanted just to try out encrypted scratch space and encrypted swap, you could use the command:

$ env ISC_SVCS_DOCK="encrypted_scratch encrypted_swap" pfexec isc/bin/iscadm.ksh -d

The goal of the Kit is to provide a fast, automated, and easy way to implement strong security protections for your systems and virtual machines, but we also recognize that requirements do differ so customization must be a core part of the software architecture.

As always, we would love to hear from you! Let's us know what works and what doesn't! What would you like to see in a future update? Is there anything that you would like to see changed? Here is your chance - speak up!

Take care!

Technorati Tag:

Wednesday Nov 04, 2009

Update: Recent Cloud Security Happenings

I have to say that it has been a very busy couple of weeks. That said, I am happy to say that there is a lot to show for everyone's effort however. We have been able to publish quite a lot of new and updated content, and I figured that it might be a good time to shine a spotlight on some of the more interesting items. Without further ado...

Going forward, we are going to try and bring together all of the Cloud Computing security content on our brand new Sun.COM Cloud Security home page. Be sure to check it out regularly!

More is coming, don't miss it!

Technorati Tag:

Monday Nov 02, 2009

Immutable Service Containers @ Amazon EC2

Just in time for the OpenSolaris Developer Conference, we were able to publish new Immutable Service Containers images directly to the Amazon Web Services Elastic Compute Cloud (EC2) environment. Previously, I talked about creating ISCs using our security enhanced OpenSolaris 2009.06 AMIs. Today, I am happy to announce that we have taken the next logical step by making available AMIs that fully incorporate the ISC changes. If you want to try out this configuration, simply provision an Immutable Service Containers AMI on EC2. We have made AMIs available in both the U.S. (ami-48c32021) and European (ami-78567d0c) regions. As always, we would love to get your feedback on these images and what you would like to see next!

Take care!

Technorati Tag:

Immutable Service Containers @ OSDevCon

Just wanted to let everyone know of a new Immutable Service Containers technical presentation (ODF, PDF) that has been posted. This version was delivered last week in Dresden, Germany at the OpenSolaris Developer Conference. This presentation has all of the latest and greatest information particularly on the OpenSolaris ISC Construction Kit. As always, I would love to hear your comments and feedback!

Take care!

Technorati Tag:

Friday Sep 11, 2009

Immutable Service Containers on Amazon EC2

Back in June, we released the very first security hardened virtual machine images for the Amazon Web Services Elastic Compute Cloud (EC2) environment. These original images were based upon the OpenSolaris 2008.11 release and were configured in accordance with the guidelines published by Sun the Center for Internet Security. Since its initial release, we have provided an update to offer this image in the European Region. In August, we took another step forward with the release of a security-enhanced image based upon the OpenSolaris 2009.06 release. This image went beyond just the simple hardening of its predecessor to add functionality such as encrypted swap, non-executable stacks and auditing that was enabled by default. With such a strong foundation, it should have been no surprise that it was likely to be used as a foundation for layered functionality. Just this month, for example, we announced the release of an image pre-configured with Drupal (v6.10) along with Apache (v2.2), MySQL (v5.0), and PHP (v5.2).

In parallel, the Immutable Service Containers project was announced back in June. This project was focused on the creation of secure execution environments for services. One of the key deliverables from this project has been the OpenSolaris ISC Construction Kit (Preview) that transforms an OpenSolaris 2009.06 system into an ISC configuration. Interestingly, several of the functional elements used today as part of the security-enhanced AMIs actually got their start as part of the ISC Construction Kit.

This brings us to today. For the first time, we have been able to create ISCs in the Cloud on Amazon EC2! Using the OpenSolaris ISC Construction Kit and the security-enhanced OpenSolaris 2009.06 AMI, we have deployed an ISC that exposes a representative service (in this case, a web server).

HELLO WORLD!

The nice thing about this is that the installation process was essentially the same as the one we used to create our pre-configured OVF image. There were two settings that needed to be adjusted in order for the ISC Construction Kit to properly work on EC2:

export ISC_SVCS_DOCK="fs network zone encrypted_scratch"
export ISC_DOCK_NET_IF_NAME="xnf0"

These two parameters had to be set before running the iscadm.ksh command. The first parameter simply removes steps that have already been completed in the base AMI (or are not needed for EC2). The second parameter changes the network interface name from e1000g0 (default) to xnf0 which is needed on EC2. That's all there was to it!

If you are interested in ISCs and how you can use them in your environment, I would love to hear from you! Also, just in case you missed it, I had the pleasure of joining Hal Stern to discuss ISCs on a recent Innovating@Sun podcast. Check it out and send us your feedback! Thanks in advance!

Take care!

Technorati Tag:

Thursday Sep 03, 2009

Cloud Security Summit on September 30!

First things first. I want to offer a big "Thank you" to the 1,000 or so people who joined my webinar earlier this week on the topic of Cloud Computing Security. I was completely amazed by the turnout and sincerely hope that the talk was both entertaining and thought provoking! I also wanted to thank Subra Kumaraswamy, Joel Weise, and Luc Wijns for their herculean efforts answering the fast streaming list of questions from the audience! Clearly, this is a lot of interest out there for Cloud Computing and security! For those who were not able to join the live event, the presentation and replay are both now available. If you have a chance to check them out, please be sure to send along your feedback! We definitely want to hear from you!

On the heels of this event, I did want to let you know about another web-based event to be held on September 30, 2009. At this event, Simon Gallagher (a Senior Technical Architect @ ioko) and I will join forces to talk about Cloud Security. The title of our talk will be "Decision Tree: Key questions to ask your Cloud Service Provider". Our focus, as your might guess, is on the key issues and questions that must be addressed before moving to the Cloud. Our goal is to leave you with practical ideas and actual questions that you may want to consider when deciding if/when/and how to move services and data into the Cloud. The announcement includes all of the details.

This event is actually a part of a BrightTalk Cloud Security Summit that will feature talks from several other Cloud Computing vendors, consumers and industry groups such as the Cloud Security Alliance. Should be an information-packed day! Hope to see you (virtually) there!

Take care!

Technorati Tag:

Wednesday Sep 02, 2009

NEW: Security Enhanced OpenSolaris Drupal Stack on EC2

Over the last few months, I have had a number of postings that have talked about security enhanced virtual machine images that we have made available on Amazon Web Services. The goal behind this work was to look at how we could improve baseline security in both virtualized and Cloud Computing computing environments by pre-integrating industry accepted recommended security settings. Organizations leveraging our work would have fewer security steps to undertake as our images were configured to be compliant with the recommendations published by the Center for Internet Security as part of their Solaris Benchmark (adapted for OpenSolaris).

So with this goal in mind, we developed security-enhanced versions of the OpenSolaris 2008.11 and 2009.06 operating systems. The latter went beyond the Center for Internet Security recommendations by also adding support for encrypted swap (as well as enabling auditing and non-executable stacks by default - something that was not done for the 2008.11 version). The next logical step was to validate these images using representative applications and services to illustrate the practiality of having security capabilities pre-integrated into a golden image from which application specific versions can be created.

Building upon the lessons we have learned in the development of the security-enhanced operating system images, today, I am very happy to announce that we have taken a step forward. Using the OpenSolaris 2008.11 image as our foundation, the OpenSolaris on EC2 team with some guidance from Scott Mattoon (all around Drupal Guru!) has installed and pre-configured Drupal (v6.10) along with Apache (v2.2), MySQL (v5.0), and PHP (v5.2). You can read all of the details on the announcement.

There are two things that should be noted about this image. First, no security-relevant changes were necessary to successfully install, configure and test Drupal on this security-enhanced image. While this should likely not come as a surprise, it is an important validation that at least for some (many?) classes of applications, a security tuned golden image can be used as a foundation. This is good news for organizations who are interested in the having a common security baseline for their operating systems. The second thing to note is that MySQL was modified on this image to not listen on the network for connections. This means that the image is compliant with our original security objectives in that it is only exposing required services (e.g., Apache, SSH) and no others by default.

As with all of the others, this is a publicly available AMI (AMI ID: ami-d9ee0eb0) so give it a try and let us know how we can improve it!

Take care!

Technorati Tag:

Monday Aug 31, 2009

Cloud Security Webinar on Tuesday!

Things have definitely been a bit crazy around here lately. In just the last two weeks, we have posted new security enhanced OpenSolaris 2009.06 images to Amazon EC2, published a podcast on Immutable Service Containers, and have updated the OpenSolaris ISC Construction Kit to improve its efficiency, make it easier to customize, and add (preliminary) ZFS crypto support! Not only that, but we continue to work on integrating ISC concepts into the OpenSolaris Just Enough OS (JeOS) project as well as a VirtualBox-based Immutable Service Container implementation strategy.

With all of the things going on, I neglected to mention that I will be delivering a Cloud Computing security webinar this Tuesday! The focus of the talk will be primarily aimed toward the Infrastructure as a Service (IaaS) security space and our goal is to cut through some of the hype and get to some specifics that you can use to improve the security of your Cloud-based implementations. Spoiler alert: the nice thing is that many of the techniques will benefit traditional and virtual implementations as well! Interested? Here is the invitation? Hope to "see" you there!

Safety First: Protecting Your Services in the Cloud

Join us for a free webinar in which we'll explore one of the leading impediments to the widespread adoption of Cloud Computing -- security concerns. Given all of the hyped up claims and gross generalizations flowing across the Net, it's no wonder people are worried.

Cloud Computing and security both are multi-faceted areas, and it's high time we stopped thinking of them as a single entity. If you want to take a serious look at Cloud Computing, then it is time to inject a little sanity and context into the security discussion.

Join us for this free webinar to learn how to begin using Cloud Computing -- securely.

In this webinar, we will discuss:

  • Key questions to ask your cloud provider
  • Security issues to consider before moving to the cloud
  • Steps you can take today to protect yourself in the cloud
Event: Safety First: Protecting Your Services in the Cloud
Date: Tuesday, September 1, 2009
Time: 10:00 am PDT / 1:00 pm EDT / 19.00 CET

Speaker: Glenn Brunette, Distinguished Engineer and Chief Security Architect at Sun Microsystems

For over 15 years, Glenn has designed and delivered security architectures and solutions supporting a wide array of global customers. Currently, he has focused his efforts on improving security for cloud computing and other highly dynamic and scalable architectures.

  • Bring your questions to the live Q&A.
  • Even if you can't make the live event, sign up anyway so we can send you the replay information.

Take care!

Technorati Tag:

Tuesday Aug 25, 2009

NEW: Immutable Service Container Podcast

Things have certainly been busy around here lately! Over the last two months, we have announced the Immutable Service Container project, published an OpenSolaris-based ISC Construction Kit (Preview) and a corresponding pre-configured OVF image, shared a number of network architecture and autonomic security models leveraging the ISC concept, and even published an ISC Technical Overview presentation. Well, as it turns out, we are not done yet!

A few weeks back, I received an invitation from Marianne Salciccia to record an Innovation@Sun interview with Hal Stern (Distinguished Engineer and VP, Global Systems Engineering) where we would talk about Immutable Service Containers. I am happy to say that as of yesterday, the podcast is live!

Hal and I had a great chat where we discussed topics such as:

  • micro-virtualization: how adding a thin management layer between the hypervisor and the service lends reliability to security enforcement and monitoring controls
  • how "immutable" Immutable Service Containers are
  • how ISCs implement defense in depth measures
  • current implementations with Solaris and OpenSolaris
  • what's next for ISCs, including building core concepts into projects such as OpenSolaris on EC2, OpenSolaris Just Enough OS (JeOS); potential VirtualBox implementations; and integration of autonomic security techniques

If these topics sound interesting, please give the podcast a listen and let us know what you think! Work continues on the ISC architectural strategies and implementation models, so this is a great time to share your ideas, concerns, and requirements.

Hope to hear from you soon! Take care!

Technorati Tag:

Friday Aug 14, 2009

NEW: Security Enhanced OpenSolaris 2009.06 on Amazon EC2

It is with great pleasure that I can announce the availability of security enhanced OpenSolaris 2009.06 on Amazon EC2! This release builds upon the work previously completed for the hardened OpenSolaris 2008.11 images as well as recent advances from the Immutable Service Container project. The end result is a OpenSolaris 2009.06 virtual machine image that is hardened, leverages a non-executable stack, encrypted swap as well as auditing enabled and pre-configured to record administrative events, logins, logouts, and all command executions. Just as with the OpenSolaris 2008.11 images, the hardening configuration of these new images complies with the recommendations published by Sun, the Center for Internet Security as well as the U.S. National Security Agency. This really cool thing is that they are all have the exact same guidance! I wonder how that happened?

Want to give it a spin? Check out the release announcement for more details. The AMI identifier is ami-e56e8f8c! Please send us your feedback!

As always, this work would not have been possible without the extensive support of the OpenSolaris on EC2 team. You are the greatest! Thank you so much for all of your help and support in making these images a reality!

Technorati Tag:

Thursday Jul 09, 2009

Encrypted ZFS using Amazon EBS and OpenSolaris 2009.06

Recently, I had the pleasure of exchanging e-mail with István Soós who had contacted our OpenSolaris on EC2 team asking how he could use OpenSolaris along with Amazon's Elastic Compute Cloud (EC2) and Elastic Block Stores (EBS) to create a subversion-based source code control system. Sounds simple, right? Well, István threw us a curve ball. He wanted the revision control system to run on OpenSolaris and be stored on an encrypted, mirrored ZFS file system backed by EBS. Now, you have to admit, that is pretty cool!

This is the point in the story where István met. After going over the requirements, it appeared as though the encrypted scratch space work that had been done for the Immutable Service Container project was a near fit except that persistence was needed. So, I provided István with links to this work which of course linked to Darren's original article on ZFS encryption using LOFI. Just a day later, István replied that his environment was up and running! Talk about speed and agility in the Cloud Computing world!

I would definitely encourage you to check out all of the details on István's blog. I especially want to thank István for sharing this great article that I hope will encourage others to try new things and keep pushing the OpenSolaris envelope forward!

Take care!

Technorati Tag:

Tuesday Jul 07, 2009

Immutable Service Containers Updates

In my last post, I discussed the Immutable Service Container project and announced the availability of an ISC Construction Kit to automate the creation of OpenSolaris-based ISCs.

Today, I wanted to provide a few updates. Specifically, I would like to announce:

  • a new Immutable Service Container presentation (ODP, PDF) that provides a technical overview of the ISC approach, design goals, and the OpenSolaris implementation available today.
  • an updated Private Virtual Network architecture page highlighting additional network topologies that implement different network isolation strategies. These are a few of the models that are being considered for future ISC Construction Kit updates.
  • an updated Autonomic security architecture page that provides a number of use cases showing ISCs as an essential building block for these kinds of architectures.

Additional architectural content is in development and as always I am very interested in your feedback and ideas.

Take care!

Technorati Tag:

Wednesday Jul 01, 2009

NEW: OpenSolaris Immutable Service Containers

While the need for security and integrity is well-recognized, it is less often well-implemented. Security assessments and industry reports regularly show how sporadic and inconsistent security configurations become for organizations both large and small. Published recommended security practices and settings remain unused in many environments and existing, once secured, deployments suffer from atrophy due to neglect.

Why is this? There is no one answer. Some organizations are simply unaware of the security recommendations, tools, and techniques available to them. Others lack the necessary skill and experience to implement the guidance and maintain secured configurations. It is not uncommon for these organizations to feel overwhelmed by the sheer number of recommendations, settings and options. Still others may feel that security is not an issue in their environment. The list goes on and on, yet the need for security and integrity has never been more important.

Interestingly, the evolution and convergence of technology is cultivating new ideas and solutions to help organizations better protect their services and data. One such idea is being demonstrated by the Immutable Service Container (ISC) project. Immutable Service Containers are an architectural deployment pattern used to describe a platform for highly secure service delivery. Building upon concepts and functionality enabled by operating systems, hypervisors, virtualization, and networking, ISCs provide a secured container into which a service or set of services is deployed. Each ISC embodies at its core the key principles inherent in the Sun Systemic Security framework including: self-preservation, defense in depth, least privilege, compartmentalization and proportionality. Further, ISC design borrows from Cloud Computing principles such as service abstraction, micro-virtualization, automation, and "fail in place".

By designing service delivery platforms using the Immutable Service Containers mode, a number of significant security benefits:

  • For application owners:
    • ISCs help to protect applications and services from tampering
    • ISCs provide a consistent set of security interfaces and resources for applications and services to use
  • For system administrators:
    • ISCs isolate services from one another to avoid contamination
    • ISCs separate service delivery from security enforcement/monitoring
    • ISCs can be (mostly) pre-configured by security experts
  • For IT managers:
    • ISCs creation can be automated, pre-integrating security functionality making them faster and easier to build and deploy
    • ISCs leverage industry accepted security practices making them easier to audit and support

It is expected that Immutable Service Containers will form the most basic architectural building block for more complex, highly dynamic and autonomic architectures. The goal of the ISC project is to more fully describe the architecture and attributes of ISCs, their inherent benefits, their construction as well as to document practical examples using various software applications.

While the notion of ISCs is not based upon any one product or technology, an instantiation has been recently developed using OpenSolaris 2009.06. This instantiation offers a pre-integrated configuration leveraging OpenSolaris security recommended practices and settings. With ISCs, you are not starting from a blank slate, but rather you can now build upon the security expertise of others. Let's look at the OpenSolaris-based ISC more closely.

In an ISC configuration, the global zone is treated as a system controller and exposed services are deployed (only) into their own non-global zones. From a networking perspective, however, the entire environment is viewed as a single entity (one IP address) where the global zone acts as a security monitoring and arbitration point for all of the services running in non-global zones.

As a foundation, this highly optimized environment is pre-configured with:

Further, the default OpenSolaris ISC uses:

  • Non-Global Zone. Exposed services are deployed in a non-global zone. There they can take advantage of the core security benefits enabled by OpenSolaris non-global zones such as restricted access to the kernel, memory, devices, etc. For more information on non-global zone security capabilities, see the Sun BluePrint titled "Understanding the Security Capabilities of Solaris Zones Software". Using a fresh ISC, you can simply install your service into the provided non -global zone as you normally would.

    Further in the ISC model, each non-global zone has its own encrypted scratch space (w/its own ephemeral key), its own persistent storage location, as well as a pre-configured auditing and networking configuration that matches that of the global zone. You do not need to use the encrypted scratch space or persistent storage, but it is there if you want to take advantage of it. Obviously, additional resource controls (CPU, memory, etc.) can be added as necessary. These are not pre-configured due to the variability of service payloads.

  • Solaris Auditing. A default audit policy is implemented in the global zone and all non-global zones that tracks login and logout events, administrative events as well as all commands (and command line arguments) executed on the system. The audit configuration and audit trail are kept in the global zone where they cannot be accessed by any of the non-global zones. The audit trail is also pre-configure d to be delivered by SYSLOG (by default this information is captured in /var/log/auditlog).
  • Private Virtual Network. A private virtual network is configured by default for all of the non-global zones. This network isolates each non-global zone to its own virtual NIC. By default, the global and non-global zones can freely initiate external communications, although this can be restricted if needed. A non-global zone is not permitted to accept connections, by default. Non-global zone service s can be exposed through the global zone IP address by adjusting the IP Filter and IP NAT policies (below).
  • Solaris IP NAT. Each non-global zone is pre-configured to have a private address assigned to its virtual NIC. To allow the non -global zone to communicate with external systems and networks, an IP NAT policy is implemented. Outgoing connections are masked using the IP address of the global zone. Incoming connections are redirected based upon the port used to communicate. Beyond simple hardening of the non-global zone (a state which can be altered from within the non-global zone itself), this mechanism ensures that the global zone can control which services are exposed by the non-global zone and on which ports.
  • Solaris IP Filter. A default packet filtering policy is implemented in the global zone allowing only DHCP (for the exposed network interface) and SSH (to the global zone). Additional rules are available (but disabled) to allow access to non-global zones on an as-needed basis. Further, rules are implemented to deny external access to any non-global zone that has changed its pre-assigned (private) IP address. Packet filtering is pre-configured to log packets to SYSLOG (by default this information is captured in /var/log/ipflog).

So what does all of this really mean? Using the ISC model, you can deploy your services in a micro-virtualized environment that offers protection against kernel-based root kits (and some forms of user-land root kits), offers flexible file system immutability (based upon read-only file systems mounted into the non-global zone), can take advantage of process least privilege and resource controls, and is operated in a hardened environment where there is a packet filtering, NAT and auditing policy that is effectively out of the reach of the deployed service. This means that should a service be compromised in a non-global zone, it will not be able to impact the integrity or validity of the auditing, packet filtering, and NAT configuration or logs. While you may not be able to stop every form of attack, having reliable audit trails can significantly help to determine the extent of the breach and facilitate recovery.

The following diagram puts all of the pieces together:

Additional private virtual networking models are also being considered. All in all, the ISC model offers a very compelling deployment model. The accessiblity and attractiveness of this model is further enhanced by the availability of an ISC construction kit that allows you to take an OpenSolaris 2009.06 system and convert it to the ISC model with a single command. Sound interesting? Give it a try, come join the project and be sure to send along your feedback !

Technorati Tag:

Thursday Jun 11, 2009

UPDATE: Free Security Hardened Virtual Machine Image

Just a few days ago, I announced the availability of a security hardened OpenSolaris AMI for Amazon EC2. Well, the OpenSolaris on EC2 team has taken the next step by making this image available to our colleagues using the EC2 European Region! This publicly available AMI (AMI ID: ami-d7a189a3) is available today, and just as with the U.S. version, it does not require registration. There is nothing to get in the way of your using them today! Go give it a spin and let us know what you think! Check out the announcement for all of the details.

Technorati Tag:

About

gbrunett

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today