Monday Nov 30, 2009

UPDATE: OpenSolaris ISC Construction Kit v1.3

I have been writing about the Immutable Service Container project for quite some time. Since this project was publicly launched earlier this year, we have produced a number of updates, several presentations and podcasts, as well as images that people could use on Amazon EC2 or with VirtualBox. All of these updates had a singular goal - to highlight what is possible when we refactor our existing strategies and processes to pre-integrate greater security capabilities by default into our operating system configurations. While our original goal was to focus on Cloud Computing and virtual machine image security, these concepts really apply more universally. Whether used in a traditional data center or the Cloud, there are significant benefits that can be realized when we begin to put all of the pieces into place. Certainly, I mean more than just patching or hardening, but looking at virtual machine security more comprehensively.

With this as a backdrop, I am very happy to announce the availability of version 1.3 of the OpenSolaris Immutable Service Container Construction Kit! Prior to this update, the Kit was able to automate the creation of a configuration that included:

  • built upon the OpenSolaris 2009.06 release
  • (optional) loose minimization support to help those building and sharing images
  • security hardening of the operating system - based upon the OpenSolaris Security Hardening project
  • non-executable stack functionality enabled (on systems supporting this functionality)
  • encrypted swap enabled
  • encrypted scratch space enabled - default size is 100 Mbytes (customize as needed)
  • kernel-level auditing enabled - default policy audits login/logouts, administrative events, and all commands executed on the system, audit syslog plugin configured (/var/log/auditlog)
  • stateful packet filtering enabled - packet filtering syslog plugin configured (/var/log/ipflog), in-bound network access denied by default (except SSH), out-bound network access permitted by default (customize as needed)
  • a single non-global zone installed (although others can be installed as needed):
    • gzip compressed non-global zone root file system
    • building upon default non-global zone security capabilities
    • unique VNIC limiting visibility of unintended network traffic
    • encrypted scratch space
    • stateful packet filtering and NAT to restrict network-access
    • in-bound network access denied by default (customize for your service)
    • out-bound network access permitted by default (customize as needed)
    • DNS and auditing configurations inherited from the global zone

The v1.3 update goes beyond this foundation to incorporate new capabilities including:

  • configurable virtual network architecture. Non-global zones can be installed into the same or different virtual networks. This capability is required in order to begin constructing ISC configurations that implement more advanced network compartmentalization configurations. Administrators can define to which network a non-global zone should be attached using the -N option to the iscadm.ksh tool.
  • anti-spoofing protection. Each of the non-global zones are configured to leverage the MAC and IP address anti-spoofing protections enabled by Crossbow 1.3 (builds 126 and newer).
  • default resource controls. Non-global zones are configured to have a maximum lightweight process resource control installed (default: 300). This setting helps to mitigate against the effects of certain denial of service attacks. The actual limit can be adjusted using the ISC_MAX_LWPS parameter.
  • default file system quotas. Non-global zone root file systems are configured to have a specific ZFS quota (default: 1G) and reservation (default: 512M). Since ISC nodes (non-global zones) share a common ZFS data set, it is important to have this restriction to prevent one node from exhausting capacity being used by other nodes. The default values can be changed using the ISC_QUOTA and ISC_RESERVATION parameters.
  • site variable override. A new file (isc/etc/site.conf) is used to store any variables that are specific to a site or implementation. This file is not delivered by default and therefore will not be overwritten upon update (preserving any site-specific parameters). This file is intended to be used to store local (site specific) variables such as those listed above.
In addition to these new features and capabilities, several bugs were squashed and the code was generally cleaned up to make it easier to read and extend in future updates. This update was tested using OpenSolaris 2009.06 as well as OpenSolaris 2010.03 (build 127).

It is worth noting that the OpenSolaris ISC Construction Kit uses a modular architecture. Let's say you did not want all of the functionality described above - you just want to harden an OpenSolaris global zone. Well, that can be easily done using the following steps:

$ env ISC_SVCS_DOCK="lockdown" pfexec isc/bin/iscadm.ksh -d

Similarly, if you just wanted just to try out encrypted scratch space and encrypted swap, you could use the command:

$ env ISC_SVCS_DOCK="encrypted_scratch encrypted_swap" pfexec isc/bin/iscadm.ksh -d

The goal of the Kit is to provide a fast, automated, and easy way to implement strong security protections for your systems and virtual machines, but we also recognize that requirements do differ so customization must be a core part of the software architecture.

As always, we would love to hear from you! Let's us know what works and what doesn't! What would you like to see in a future update? Is there anything that you would like to see changed? Here is your chance - speak up!

Take care!

Technorati Tag:

Wednesday Nov 04, 2009

Update: Recent Cloud Security Happenings

I have to say that it has been a very busy couple of weeks. That said, I am happy to say that there is a lot to show for everyone's effort however. We have been able to publish quite a lot of new and updated content, and I figured that it might be a good time to shine a spotlight on some of the more interesting items. Without further ado...

Going forward, we are going to try and bring together all of the Cloud Computing security content on our brand new Sun.COM Cloud Security home page. Be sure to check it out regularly!

More is coming, don't miss it!

Technorati Tag:

Tuesday Aug 25, 2009

NEW: Immutable Service Container Podcast

Things have certainly been busy around here lately! Over the last two months, we have announced the Immutable Service Container project, published an OpenSolaris-based ISC Construction Kit (Preview) and a corresponding pre-configured OVF image, shared a number of network architecture and autonomic security models leveraging the ISC concept, and even published an ISC Technical Overview presentation. Well, as it turns out, we are not done yet!

A few weeks back, I received an invitation from Marianne Salciccia to record an Innovation@Sun interview with Hal Stern (Distinguished Engineer and VP, Global Systems Engineering) where we would talk about Immutable Service Containers. I am happy to say that as of yesterday, the podcast is live!

Hal and I had a great chat where we discussed topics such as:

  • micro-virtualization: how adding a thin management layer between the hypervisor and the service lends reliability to security enforcement and monitoring controls
  • how "immutable" Immutable Service Containers are
  • how ISCs implement defense in depth measures
  • current implementations with Solaris and OpenSolaris
  • what's next for ISCs, including building core concepts into projects such as OpenSolaris on EC2, OpenSolaris Just Enough OS (JeOS); potential VirtualBox implementations; and integration of autonomic security techniques

If these topics sound interesting, please give the podcast a listen and let us know what you think! Work continues on the ISC architectural strategies and implementation models, so this is a great time to share your ideas, concerns, and requirements.

Hope to hear from you soon! Take care!

Technorati Tag:

Tuesday Oct 09, 2007

Sun SPARC Enterprise T5x20s: A Security Geeks Point of View

What an exciting day! Today, Sun has officially launches the Sun SPARC Enterprise T5120 and T5220 rack-mount systems along with the Sun Blade T6320 blade server, the first to be designed for the UltraSPARC T2 processor. From the point of view of a security geek, there is a lot to be happy about. The UltraSPARC T2 has support for eight (8) cryptographic processing units, each of which supports ten (10) different cryptographic algorithms and a hardware-based random number generator. Lawrence has done a fantastic job of talking about these capabilities and performance if you are interested. It is simply mind blowing.

So, what else is new? Well, we now have actual servers that can leverage the computing power of these chips. This means that companies can now begin to rethink about how they have deployed cryptography in their environments. In particular, it is now much more practical to deploy cryptographic services more widely across an enterprise environment due to the performance gains achieved by offloading the work to the cryptographic processing units. For example, why not ensure that all of your internal web, directory and mail services are fitted for encryption? (Hint: you should be doing this already, but now you can do it while not sacrificing the performance of your CPUs!) Net-net: strong security + excellent performance + eco-friendly is a win-win for everyone.

In addition to enabling the wider use of cryptographic services, I would also encourage any organization to consider how the performance and power benefits of these systems can be applied to their existing environments and workloads. In particular, when used in concert with Sun's Logical Domains (LDoms) technology, organizations can get the benefits of performance, virtualization and security together in one system. Did I mention that today we are also announcing version 1.0.1 of our LDoms technology? Honglin has all the details. Of particular interest to us security geeks is the support for minimized and hardened logical domains! Combine that with the security isolation capabilities of the LDoms hypervisor, a boat-load of crypto performance, and a rock-solid, security, and scalable operating system - you just can't go wrong.

Talk about "zero cost security"! Taken as a whole, you get all of the performance (did I mention the 64 threads?), power and virtualization benefits with security just baked into the design! What's not to like? At least from where this security geek is standing, the view is simply unbeatable. See it all for yourself!


Technorati Tag:




« April 2014