Monday Apr 15, 2013

FAQ: Is Solaris 11 "approved for use" in the US DoD?

Because of my work with the US DoD and the Defense Information Systems Agency (DISA), I get asked this question all the time, by Oracle employees as well as customers.

  • Is Oracle XYZ server or operating system on the DISA approved products list?

MYTH

There is a single organization in the Government/DoD that approves products for use.

REALITY

Although DISA has a Unified Capabilities Certification Office (UCCO), I asked them the question directly and their response was: "Although there is a Category Holder for Servers on the UC APL webpage, Servers do not fall into the scope of the UCR nor do they fall into an existing product category.  This product can be purchased without a UC APL listing; however site certification and accreditation for IA must be met in the field."

Each customer or funded program goes through its own approval and accreditation process.  There is no single approver.  A program or agency has an assigned DAA (Designated Approving Authority) who is responsible for the security posture of the entire program.  This includes reviewing the policies, people, products and procedures (4P) that are put in place.  This person signs his name on the line asserting that all reasonable actions have been taken to make the system secure in line with the job that it does.  This may include items like electro-magnetic shielding, encryption and firewalls as well as operating systems, password rules and auditing.  An accounting system gets a different amount of scrutiny than an intelligence gathering or combat system.

I can tell you from personal experience that Solaris 10 and 11 with Zones and Oracle VM for SPARC (aka LDOMs) are currently deployed in the US DoD.

Why you should care.

Many government contractors or employees believe that they can't use a product unless it's on some approved list.  In most cases products can be used if sufficient rigor is applied and the DAA can be convinced that the system is secure.  Solaris 10 and 11 provide a wide variety of security features that make this easier today than ever before.


Friday May 11, 2012

Solaris and IPv6

I work with my federal government and US DoD customers, and I'm frequently asked whether Oracle product X is IPv6:

  • Enabled
  • Compliant
  • Certified
  • DoD Certified

This is because the Federal Acquisition Regulations require that the government purchase IPv6 compliant products. 

Unless the agency Chief Information Officer waives the requirement, when acquiring information technology using Internet Protocol, the requirements documents must include reference to the appropriate technical capabilities defined in the USGv6 Profile (NIST Special Publication 500-267) and the corresponding declarations of conformance defined in the USGv6 Test Program.  

Let's examine each of these adjectives one by one.

  • Enabled is clearly the lowest bar to hurdle.  A vendor could implement one or two RFCs in the IPv6 spectrum and claim that they are "enabled."
  • Compliant is a little more of a problem.  Compliant with what?  There are many different RFCs related to supporting IPv6.  Are you compliant if you support DHCPv6 but not IKEv2?  Are you compliant if your device is a web server but doesn't support DHCPv6 because it's not applicable?  It appears from the statement above that the FARs require that the CIO of an organization determine WHICH capabilities from the USGv6 profile are required by a particular product. The USGv6 profile ONLY lists requirements for hosts, routers and network protection devices.
  • Certified.  By whom? Against what list of RFCs?  How recently and on what versions?  If a version changes from 5.1 to 5.2, is it still certified?
  • DoD Certified.  This would be handy if the DoD, in fact, had an IPv6 certification program.  It did at one time through the Joint Interoperability Test Command (JITC), but apparently they determined that attempting to test every OS and device that the DoD might buy was a Sisyphean task. To quote their web page, "DoD no longer requires a stand-alone IPv6 certification." Several years ago Sun paid them a large amount of money and loaned them two servers and a person in order to receive our certification for Solaris 10.

At the DISA mission partner conference this week, I attended a presentation by the DoD IPv6 Transition Office.  The slides are available online.  I asked the speaker if there is an "accepted" way of advertising IPv6 compliance and received no answer.  He has promised to get back to me, however. 

Oracle is a very large company with an extensive product line encompassing storage, servers, thin clients, databases, middleware and applications.  I have found no single resource documenting the IPv6 status of every product.  I can tell you, however, that Solaris 10 and Solaris 11 have successfully completed the USGv6 testing by the UNH Interoperability IPv6 test facility and the results are posted at their site.

As for Oracle Linux, it is fully compatible with Red Hat Linux 5 and 6, which have already been tested by UNH as well.

Note:  I intended to provide additional references on USGv6 profiles and "Suppliers Declaration of Conformance" but the NIST web page seems to be in disrepair and the pages are not available. 

Tuesday Apr 24, 2012

Oracle at the DISA Partnership conference, May 7-10

Join the Oracle hardware and software team in booth 1323 at the DISA Partnership Conference, May 7-10 in Tampa, FL.  A wide variety of Oracle technology and staff will be available to answer your questions and offer solutions to your information processing problems.

Oracle's President Mark Hurd will deliver a keynote address. 

On display will be:

Come see us across from the DISA pavilion.

Friday Nov 13, 2009

Sun System configurator available

Ever wanted to build your own custom configuration for Sun servers?  Find that the Sun store provides a limited set of preconfigured systems?  Try the Sun Desktop system Configurator. It allows you to build supported configurations of Sun servers, disk, tape, desktop systems and racks.  With a completed configuration you can export to a CSV file that opens in OpenOffice or Excel with standard list pricing.  You can then send this configuration to your favorite Sun reseller for a discounted pricing quote.

It is a Java Web Start application that supports multiple OS platforms running Java 1.6.  Click on the link and the application will start on your desktop.

Monday Nov 02, 2009

Meet up at the Government Open Source Conference

I'll be joining a number of government customers and some of my colleagues from Sun at the Government Open Source Conference (GOSCON) this Thursday.  Join me, Dr. Harry Foxwell (published author of "Pro OpenSolaris") and Bill Vass (Sun Federal President and COO) at the Reagan Building in downtown Washington, D.C. on November 5th.

Sun is a leader in open source development communities and we have a wide variety of very popular projects including MySQL, Glassfish, Java, OpenSolaris, OpenOffice and more.

See you there.

Wednesday Jul 22, 2009

Open Source and the US Government

Sun has long been an advocate in the use of Open source software in the government (both US and abroad).  In fact, Sun Federal President and COO Bill Vass has created a series of blog entries about why the government can benefit from open source.  These reasons include:

Now, Sun and a broad array of industry giants have created the Open Source for America Consortium. In addition to Sun, founding members include Oracle, Google, Red Hat, Gnome foundation, Mozilla, Collabnet and others.  The board of advisors includes a number of industry and government luminaries that I've had the pleasure of working with in the past including:

  • Dawn Meyeriecks (formerly of DISA as well as AOL)
  • Marv Langston (former DoD Deputy CIO)
  • Bill Vass
  • Art Money (former DoD CIO)
  • Simon Phipps (Sun's Chief Open Source Officer)

From the OSA web site:

The mission of OSA is to educate decision makers in the U.S. Federal government about the advantages of using free and open source software; to encourage the Federal agencies to give equal priority to procuring free and open source software in all of their procurement decisions; and generally provide an effective voice to the U.S. Federal government on behalf of the open source software community, private industry, academia, and other non-profits. The mission incorporates three goals: (1) to effectuate changes in U.S. Federal government policies and practices so that all the government may more fully benefit from and utilize free and open source software; (2) to help coordinate these communities to collaborate with the Federal government on technology requirements; and (3) to raise awareness and create understanding among federal government leaders in the executive and legislative branches about the values and implications of open source software. OSA may also participate in standards development and other activities that may support its open source mission.

While some consider the "open source" movement to be a religion or political agenda designed to socialize software or kill proprietary vendors, what it really boils down to is simply developing software outside the company firewall so that you can take advantage of the strengths of the community.  To quote Bill Joy (former Sun co-founder), "Innovation often happens elsewhere."

Sun offers a wide variety of supported, enterprise class open source projects including MySQL, OpenSolaris, OpenSSO, Glassfish and more.  Download some open source Sun software today and you too can start experiencing the benefits of open source.

Federal Government customers can contact Sun's sales office in McLean VA by calling 703 204 4100.


Tuesday Apr 14, 2009

Sun at the DISA Customer Conference in Anaheim CA

Once again Sun will be showing a variety of our products and services at the DISA customer conference, this year being held in Anaheim, CA. Come see us in booth #924.

Sun's systems and blades based on Intel's new Nehalem processors

Find the fastest, most cost effective and energy efficient Intel processors that can run Solaris 10, OpenSolaris, VMware, MS Windows, Red Hat and SUSE platforms.

Sun ATCA Blade chassis

As a leader in open systems design, it makes sense that Sun would offer a blade chassis compliant with the Advanced Telecommunications Computing Architecture.  Sun offers Intel, AMD and SPARC chip designs in a single blade chassis.

Here's a photo of the traveling exhibit that we will be bringing.  Learn more about Sun's ATCA products as well as our competitive Blade 6000 products, which now feature the new Intel Nehalem family of processors.

Thin Clients

Our Sun Ray thin client technology allows you to save money, "be green" and reduce operating costs whether you are running a Solaris, Linux or Windows environment. Read about the many customers who have deployed thin clients, successfully replacing existing PC environments.

Identity Management and SOA software

Sun's Identity Management and SOA solutions allow customers to get a handle on their users, data and programs, making them more agile, responsive and secure while helping them comply with government regulations.

This popular, open source database can cost as little as 10% of what traditional vendors charge, reducing your cost while extending your reach to the internet. Download and try MySQL today.  It installs in less than 15 minutes on all the popular OS platforms.

Sun 7000 Unified Storage System

Sun's newest, network attached storage system, the 7000 series provides high performance, low cost storage with the advantages of solid state disk and detailed analytic tools.

OpenSolaris

Experience the next generation of Solaris technology by downloading OpenSolaris or Solaris 10 today for Sparc, Intel or AMD based platforms.

Dynamic Systems

Dynamic Systems Inc is a Sun partner with the capability of providing all of Sun's products and services via GSA contract, Enterprise Software Initiative contract or their BPA with DISA known as SSTEW.

CopperEye

CopperEye is a leading provider of enterprise data management solutions that eliminate the economic, technical and operational barriers to storing and accessing massive volumes of data.

And more....

Ask any of our booth personnel (including me) for any information about these or any other Sun products or services in which you are interested.

Friday Oct 31, 2008

Trip Report: DoD Open Conference sponsored by AFEI

Yesterday I attended the DoD Open Technologies conference sponsored by the Association For Enterprise Integration. The presentation slides have been posted. It was a well attended event at the Reagan building in Washington DC.  The keynote address was provided by Sun Federal's president and COO Bill Vass.  Bill pointed out how, during his time working at OSD (before he came to Sun), the intelligence agencies were beginning to adopt open source software for a number of reasons:

  • More secure
  • Higher quality
  • Lower procurement barriers
  • Faster deployment
  • Lower cost to exit
  • Allows government participation and customization

He also pointed out that software (whether open source or proprietary) is developed in Russia, India and China. He left no doubt that the government is using and should continue to use Open Source software throughout their IT programs.  Feel free to review all of Bill's slides.

Mark Tolliver (formerly of Sun) of Palamida software discussed the importance of software component analysis (SCA).  SCA is the process of auditing your software to determine:

  • What OSS components you are using
  • What licenses apply
  • What vulnerabilities might exist

In one example, he used his company's tools to scan a piece of ISV software and found that 65% of it consisted of OSS software.  His experience shows that the industry average is now up to 50%.  This causes a number of issues because licensing issues and vulnerabilities in OSS software become YOUR issues when you deliver a product to your customer.  If you are not fully aware of all of the components, you may be passing on vulnerabilities from older versions of software that have already been fixed in the community.  SCA is important because you can't secure what you don't know that you have.

His recommendations to the government included:

  • Require vendor to document OSS code contents
  • Audit code acquired
  • Create a strategy for application security
  • Enforce ongoing training for engineers on how to get the code, vet the code and integrate the OSS code
  • Document the use of all code for future generations of maintainers
  • Use automated scanning tools (his product, of course)
    • Static Analysis
    • Dynamic Analysis
    • Compositional analysis
    • Anti-virus
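As an added illustration of the audit Tolliver describes (here and in the Palamida notes further down), and not code from the conference or from Palamida's product: a small Python check over a component inventory that reports the OSS components in use, which licenses need legal review, and which components sit below the version in which the community fixed a known problem. Every component name, version, license and advisory in it is a constructed sample value.

```python
"""Minimal software component analysis (SCA) over a build inventory.

Answers the three questions the conference talk lists: which OSS
components are in use, which licenses apply (and need review), and
which components are stale, i.e. older than a version that already
carries a community fix.  All data below is constructed for the
example; none of it describes a real project.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    spdx: str          # license identifier reported by the scan


@dataclass(frozen=True)
class Advisory:
    name: str
    fixed_in: str      # first version that contains the fix
    summary: str


# Constructed inventory, as a build manifest or binary scan might report it.
SAMPLE_INVENTORY = [
    Component("libfoo", "1.2.3", "MIT"),
    Component("barlib", "0.9", "GPL-2.0"),
    Component("bazparse", "2.0.1", "Apache-2.0"),
    Component("quxcrypto", "3.10", "BSD-3-Clause"),
]

# Constructed advisories: fixes that an older bundled copy would lack.
SAMPLE_ADVISORIES = [
    Advisory("libfoo", "1.2.4", "constructed: buffer handling fix"),
    Advisory("quxcrypto", "3.9", "constructed: padding check fix"),
    Advisory("bazparse", "2.1.0", "constructed: entity expansion limit"),
]

# Licenses whose redistribution terms the legal team must look at
# before the code ships to a customer (the GPL point raised later).
COPYLEFT = {"GPL-2.0", "GPL-3.0", "AGPL-3.0", "LGPL-2.1", "LGPL-3.0"}


def parse_version(version: str) -> tuple:
    """Split '3.10' into (3, 10) so versions compare numerically.

    Comparing as strings would rank '3.10' below '3.9' and hide a
    component that is actually newer than the fix.  Non-numeric parts
    such as 'rc1' sort before any number.
    """
    parts = re.split(r"[.\-]", version)
    return tuple(int(p) if p.isdigit() else -1 for p in parts)


def is_below(version: str, fixed_in: str) -> bool:
    """True when the bundled version predates the fixed version."""
    return parse_version(version) < parse_version(fixed_in)


def audit(inventory, advisories) -> dict:
    """Return components in use, licenses to review, and stale components.

    Each stale entry is (name, bundled version, fixed version, summary).
    """
    advisories_by_name = {}
    for adv in advisories:
        advisories_by_name.setdefault(adv.name, []).append(adv)

    stale = []
    for comp in inventory:
        for adv in advisories_by_name.get(comp.name, []):
            if is_below(comp.version, adv.fixed_in):
                stale.append((comp.name, comp.version, adv.fixed_in, adv.summary))

    return {
        "components": sorted(f"{c.name}-{c.version}" for c in inventory),
        "license_review": sorted(c.name for c in inventory if c.spdx in COPYLEFT),
        "stale": sorted(stale),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY, SAMPLE_ADVISORIES)
    print("OSS components:", ", ".join(report["components"]))
    print("Licenses needing review:", ", ".join(report["license_review"]))
    for name, have, fixed, why in report["stale"]:
        print(f"STALE {name} {have} < {fixed}: {why}")
```

Note that quxcrypto 3.10 is correctly reported as newer than the 3.9 fix; a string comparison would have flagged it as stale.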

John Garing, CIO of the Defense Information Systems Agency (DISA), described how Hitler had trouble invading Russia because of differences in the rail gauge standards between the two countries.  He drew parallels between this and his current personal problem in the DoD, where they have contracted with two different collaboration solutions (to provide competition).  A person chatting in one community can't "see" or interact with a person in the other community.  To summarize, open standards and open interfaces are key to getting services faster to the warfighter.

A panel of government and industry discussed a variety of topics related to open source.

Dan Risacher of OSD/NII reported that a new OSD guidance memo was expected to be released soon.  Dan is a big advocate of open source in the government.

Bdale Garbee of HP is an open source participant in the industry and suggested that government needs to go further to allow both government employees and system integrators to participate and contribute to OSS projects without running afoul of government property rights, employer policies or patent issues.  They also discussed the issues surrounding license and ITAR export control.

The afternoon panel discussed how tactical approaches to open source are being carried out.

Stu Lewin of BAE systems described their detailed creation of a governance board, processes, documentation and training to ensure that the OSS brought into BAE projects is properly vetted, licensed, documented and maintained.

Allan Hardy of Lockheed Martin described how they audit OSS use and perform risk mitigation.  He noted that OSS touches every stage of the software life cycle from proposal through design, test, documentation and support.  He credited a strong process as well as ongoing training of engineers to a successful use of OSS.

Colin Roufer is a lawyer at Boeing and discussed the legal issues surrounding OSS. Important points include:

  • There is no negotiation of a license such as the GPL.  Get over it
  • The GPL does NOT require that you give the source to everyone in the world, only to those who receive the binary
  • The recipients of GPL code are bound by the same requirement to pass source code and license down to second level recipients

Peter Vescuso of Black Duck software described a case study of a small company who provided OSS to Broadcom.  The Broadcom chip was in turn built into a Linksys router. Linksys was in turn bought by Cisco.  At this point, Cisco did not know that there was OSS content and was not properly conveying that information to its customers.  OSS management requires a cross-function team including:

  • legal
  • purchasing
  • export control
  • QA
  • Configuration management
  • engineering

Summary

Open source is good for the government.  It can lower costs, improve quality and reduce time to mission accomplishment.  Sun Microsystems is the largest contributor of open source software in the industry.  You can take advantage of OpenSolaris, MySQL, NetBeans, OpenStorage and many other products today at low cost.

Please join our OpenStorage launch on November 10th to learn more.

Thursday Apr 24, 2008

Sun at the DISA Customer Conference

Each year the Defense Information Systems Agency hosts a customer conference for all their customers.  DISA is responsible for hosting, designing and operating DoD datacenters, networks and critical command and control programs. The DISA customer conference is attended each year by 3000-4000 IT professionals from throughout the US DoD and other countries. This year's conference is in sunny Orlando and Sun Federal will again be attending to demonstrate some of our advanced technologies for desktop virtualization, security, identity management and more. Here's a preview of what you will see when you visit our booth (or in case you can't come to the conference).  The Sun team at the booth will be happy to answer any questions you have about this or any of Sun's products and services.  Among the things you need to know about Sun is that we are the largest commercial contributor to the open source software communities. Come visit us May 5-8 at booth # 331.

Sun Ray Ultra-Thin Client Technology

This innovative solution to current desktop cost and management issues can significantly reduce costs while increasing user flexibility, mobility and security.  Weighing less than a pound and with no moving parts, Sun Ray is ecologically better than a PC.  It lasts longer, uses less energy, makes less noise and fills fewer landfills. The Sun Ray DTU can be used to display a Solaris, Windows, Linux or mainframe desktop environment.

Trusted, multi-level Operating System 

Do you need to share confidential data while knowing exactly who has access? Sun's award winning open source Solaris 10 operating system with Trusted Extensions provides a robust, scalable security solution for customers with multiple levels or compartments of data access.  Sun, HP, IBM and Dell platforms (Sparc or X64) are fully supported.  Dell, Fujitsu and IBM are OEMs for Solaris on their platforms. Solaris 10 is Common Criteria evaluated.

Screenshot: Solaris 10 displaying MS Windows and Red Hat 5 in windows of different classifications on the same screen.

Identity management implementing the DoD 2875 process

The 2875 demonstration was created to show the feasibility of using the Sun Java System Identity Manager Suite to manage the SYSTEM AUTHORIZATION ACCESS REQUEST (SAAR) process. This process is used throughout the Federal Government as a method for end users requesting access to systems. Sun IDM automates, audits and simplifies the process.


Sun Modular DataCenter

The Sun Modular Datacenter is a low cost, quick deploying solution for those who are running out of data center space and need additional computing power quickly with lower real estate, power and cooling costs.  Although the actual Modular Datacenter truck will not be here, we will have a scale model for you to enjoy.

Photo: The Sun Modular Datacenter on tour at the Pentagon in April with a small contingent of the Sun Federal Sales and Marketing team. 


Windows/Linux interoperability

Sun is a full OEM for MS Windows and Red Hat operating systems.  We sell and support both OSes on our market leading Intel and AMD based servers.  As a licensee of MS technologies, Solaris interoperates well with your existing desktop infrastructure. 

Capacity based computing

Sun is one of the winners in the DISA Capacity Computing contract awarded in 2006.  Using this contract, DISA purchases Solaris computing cycles as a managed service based upon actual metered utilization. Sun provides systems and capacity management in DISA datacenters while speeding procurement cycles, reducing capital expenditures and consolidating applications. Ask us about how this contract can work for you.

Partners joining Sun in our booth include:

Mitel is a leading provider of communications solutions for a range of organizations.  Their integration of Sun's ultra-thin client with a VOIP telephone handset can significantly reduce desktop device costs while increasing flexibility, security and user mobility.  This intelligent phone ties your phone session and your desktop computing session to your identity and smart card for increased convenience.

BlueSpace - sponsored by Sterling Computers. BlueSpace is an enterprise software company based in Austin, Texas, that provides electronic messaging and mail software as well as multi-level secure (MLS) middleware to enable MLS applications. TransMail Trusted Edition is a version of TransMail specifically designed for the defense and intelligence communities. It integrates with Solaris 10 with Trusted Extensions to provide label security support, while providing the user with a single, multi-level inbox. TransMail Trusted Edition is the first commercial-off-the-shelf (COTS) end user, multi-level secure application.

Dynamic Systems is an information technology infrastructure expert and Sun Microsystems Value Added Reseller.  Dynamic Systems holds the SSTEW contract, which offers extended warranty, maintenance, education, and professional services for all Sun Microsystems® products. The extended warranty and maintenance covered in this contract includes flexible and comprehensive hardware and software support ranging from basic to mission-critical service. This 8(a) set-aside Blanket Purchase Agreement offers time and money saving options through order consolidation and volume discounts. SSTEW is an Enterprise Software Agreement (ESA) under the DoD Enterprise Software Initiative (ESI).

We're looking forward to seeing you in Orlando. 

Thursday Apr 03, 2008

Sun Modular Data Center (Project Blackbox) visits the Pentagon and the US DoD (with photos)

The Sun Modular Data Center (aka Project Blackbox) is on a nationwide tour.  It spent part of last week in the Washington, D.C. area.  It had stops in northwest DC, two days at the Pentagon and Sun's Annapolis Junction office (near Ft. Meade and the National Security Agency).  This week it's traveling to Ft. Monmouth.

Check out the tour schedule to see if it's coming to a world-wide location near you.  It also won an award at the Federal Office System Exhibition for Best in show (category: Other, I guess there was no specific category for large transportable data centers ;>)

They don't like you taking pictures of the Pentagon.  Because I respect guards with large caliber weapons, these photos were taken with my back to the Pentagon south wall.  The truck (with its operational data center, chiller and generator) was parked in the south parking lot within a couple hundred feet of the building.  We had quite a few visitors over two days including a 3-star general.  At least once we saw the SecDef drive by, and I heard on the news that the President was in the building that day being briefed by the Joint Chiefs of Staff.  He didn't stop by to say "Hi," however.

We received some powerful feedback including comments such as, "I could have used about 30 of these at the beginning of the war and saved a lot of money."

A small contingent of the Sun Federal Sales and Marketing team was there to provide tours and information (as well as collect any orders!)  To date, Sun has shipped a number of Modular Data Centers including two to the Stanford Linear Accelerator and one near Moscow. 

If you are interested in deploying data center capacity quickly, at a low cost and in an energy efficient manner, contact us at 703-204-4100.   It's only 20 feet long, 8 feet wide and can accommodate 240 rack units of your favorite Sun or other vendor's equipment.  It can be located nearly anywhere.

Photo: The spiky things in the background are the recently dedicated US Air Force memorial.

Photo: The Sun Federal Sales and Marketing team.

Photo: A view of the back doors during a tour.

Wednesday Dec 19, 2007

Trip Report: DoD Open Conference sponsored by AFEI

Last week I attended:

3rd Annual DoD Open Conference
Sponsored by AFEI in McLean VA.  December 11-12th
Sun Attendees:  Jim Laurent, Tom Syster, Bill Vass (Keynote speaker) Paul Tatum
Agenda:  http://www.afei.org/brochure/8a03/index.cfm

This is an annual conference attended by government, industry and consultants (Mitre/IDA) to discuss open source technology, open systems and open development methodologies.  Approximately 100 people in attendance.  The President and COO of Sun Federal Bill Vass was one of the keynote speakers.

It's clear from attending this conference again (this is my third time) that there is no avoiding the use of open source tools in the Federal Government.  Whether it is something as simple as GlassFish and OpenSSH or more advanced technologies like the UltraSPARC T1 and T2 processors, open source is everywhere in the DoD.

Nick Guertin, Director, Open Architecture, PEO IWS, Navy

Discussed the Navy's open architecture designed to achieve modularity, interoperability, standards compliance.
Discussed business issues and licensing issues around open source

Mark Tolliver, President of Palamida SW.  (formerly of Sun Micro)

Palamida delivers auditing and compliance software that compares your software build to an existing DB of open source projects, providing you with an audit of which OSS you are using, their versions etc.

His experience in code analysis indicates that most projects consist of 30-50% open source components.  Many of these are often found to be below rev and have security vulnerabilities.  Most projects have 50% to 300% MORE OSS than they think they do.

Primary message:  Control your SW supply chain through:
    Policy
    Education
    Transparency
    Compliance (his SW can help, of course)

Mentioned Solaris/OpenSolaris


Bill Vass discussed the value of OSS and Sun's use of it.

OSS is unstoppable because of:
    Security benefits
    Cost
    No vendor lockin

Bill reviewed Sun's strong position in the open source communities and our benefits derived from open sourcing Solaris, Glassfish, OpenOffice etc.  Handed out complete JES CD kits to all attending.  (Sun was a platinum sponsor for the conference.)

He then led a panel for Q and A including Dewey Houck of Boeing and Bob Gourley, former CIO of DIA.  Intelligence agencies are big proponents of open source.  There was active participation from the audience.

I received feedback from several people during the breaks at the Sun table that they didn't know Sun was so active and aggressive in the OSS community.


Terry Bollinger ASD/NII discussed open Source Governance including:

Evaluation of OSS
    Creating policy
    Auditing
    Education
    Monitoring

Don Adams of Tibco discussed their Open AJAX toolkit known as Bossie.

Eric Pugh of OpenSource Connections discussed the use of the "Agile Methodology" and open source development for the PathFinder program, NGIC and GCGS-A.   www.agilemanifesto.org

Chris Runge of Red Hat provided two case studies of how open source technologies allowed something to happen that was "impossible otherwise."

NSA development of SELinux being incorporated into production OSes such as RHAT and SUSE.  First MLS OS that is part of the standard OS distribution.

Real-time Linux enhancements working with IBM, and DDG-1000 (aka DDX program) in the Navy.
RHEL 4 + Real time kernel + IBM RT Java + Blade servers

Coming Soon:  Red Hat MRG = RHEL 5.1 = Messaging toolkit + Real time + Grid technologies
Important in financial/trading communities

Nick Weatherby of the Open Source Software Initiative discussed how industry is trying to facilitate OSS adoption by working with Government.

Created a Government Technology Task Force to help accelerate and clear out obstacles in standards, procurement and legal issues.  Working with DISA, DoNavy, Army, AF, OSD, JFCOM, DHS, Justice, etc.

Example:  FIPS 140-2 validation of the Open SSH libraries

working on IAVA security validation and Common Criteria process for Open Source

Ball Aerospace rep provided a case study of how they took a GeoSpatial toolkit developed for the government through the process of putting it on a public open source project.  Goal was to increase adoption of their framework, thereby increasing their business opportunity for consulting services.
Obstacles included ITAR approvals, Legal, internal politics, ownership issues.

Ed Beck of CSC in NJ

discussed how they used open source modules to reduce costs and increase speed in their deployment of an AEGIS missile update for Display console and systems management tools
Display console now 60% open source based
Sys. Mgt. tools now 40% OSS based

#1 issue was licensing.  DoD is very sensitive about the fact that using the GPL license might mean giving away technology to the bad guys.  Tools used included tcl/tk, Flex/Bison, XPM, Mozilla, etc

Brig. Gen. Nick Justice of the US Army

discussed the value and benefit of OSS in the DoD including acceleration of mission apps, lower cost, increased security etc.  Mentioned Red Hat several times.  FBCB2 is a huge RH deployment.  Future Combat System (FCS) is apparently also going to RHEL.

General Justice is a very engaging and entertaining speaker.  By all means, if you get a chance to hear him speak, do it.  He is one of the few high level military people who runs Linux on his laptop.

Andre Boisvert of Pentaho SW (formerly at Oracle, IBM and SAS institute)

Discussed how he had worked at various proprietary, closed source companies and has invested money in 3 new ventures using only open source.
OSS provides:
    Better Code
    Faster innovation
    Self policing of quality, security
Pentaho provides OSS business intelligence including ETL, OLAP etc
Zenoss provides OSS Systems management based on Python
Compiere for OSS ERP SW
Described OSS as a "disruptive force in the SW industry."

KS Shanker of IBM Federal

discussed the security aspects of open source and how he took the Linux community through the Common Criteria eval process even though they didn't think it mattered originally.

David Wheeler of Institute for Defense Analysis discussed the security aspects of OSS
Vendor lockin = a security problem.
Open design is fundamental to creating secure systems.
"Would the Trojan Horse have worked if it had been made of glass?"

Not ALL OSS is secure:
    Developers need to have security skills
    Needs to be widely used and reviewed
    Problems must be fixed on demand when found.

When I asked him when IBM was going to release its huge software portfolio (Tivoli, z/OS, ClearCase, AIX, WebSphere) to the open source community, he responded by pointing out that WebSphere has incorporated Apache as its web server.  That sounds to me like taking from the OSS community rather than giving.

Booz Allen Hamilton rep discussed the use of an Open Source Security Test Methodology.

Tuesday Nov 27, 2007

U.S. Navy saves money with Sun Ray thin clients

If you've never heard of our Sun Ray thin client technology, you are missing the opportunity to save some real money while increasing your data security. You can read more about Sun Ray thin clients in my previous blog entry.  You don't have to believe me, however, see for yourself how the Navy's Integrated Warfare Systems Laboratory deployed 270 Sun Rays.

Some of the benefits they experienced include:

  • Improved performance over previous X terminal solution
  • Exceeded capabilities of existing, aging solution
  • Provided a solution that complied with security requirements
  • Reduced client deployment time by 80%
  • Simplified maintenance, updating only four servers instead of hundreds of desktops
  • Reduced cost per client by 50% to approximately $500 with a savings of about $500 per client

Why should you care?

Saves you money.  Enough said! 

Wednesday Oct 03, 2007

Scott McNealy's five reasons that free, open source software is good for Sun and our customers

Recently Scott McNealy spoke to the Sun OS Ambassadors at our semi-annual conference in Menlo Park CA.  He told us that he is frequently asked by customers:

  • Why is Sun doing this whole "open source" thing and giving away software for free?
  • How can Sun expect to make any money with free software?
  • How is this good for customers?

He gave us his five reasons.

  1. Free means low barrier to entry.  Stated another way, "College students and developers don't pay for software anyway, we want to make sure that the software they're using is Sun's, so why not give it to them." By providing our core OS, developer tools and web infrastructure tools to students, companies and independent developers at no charge, we gain mind share among those people who "join things rather than buy things."  When they move into the enterprise, they will start buying products and support from those companies with which they are familiar.
  2. Open source as a research and development multiplier.  Sun can multiply our $2 billion in R&D funds by leveraging the R&D of the open source communities.  Open sourcing Java, OpenOffice, Solaris and other technologies allows us to take advantage of the HUGE R&D budgets of IBM, AT&T, Nokia and others, not to mention the plentiful resources in the emerging markets of China, India and South America.
  3. Security. Whitfield Diffie has said, "the secret to strong security: less reliance on secrets."  As an anecdotal example, Java is the single largest platform in the world installed on billions of devices (much more widely deployed than MS Windows).  Yet you would be hard pressed to name a Java virus.  This is due in part to its open, community driven development model.
  4. Partnering and proliferation of our technology.  Having the Sparc processor technology easily licensed, for example, has allowed our partner Fujitsu to design their own implementation of the Sparc V9 chip architecture.  As a result, our new M-series servers are available from both Sun and Fujitsu providing a dual-source option for customers.  Products from both companies run Solaris and our other software products.  Since open sourcing the UltraSparc T1 chip design, at least two other implementations have been designed for embedded devices further opening new markets to Sun's intellectual property.
  5. Low barriers to exit.  By conforming to open document formats and web standards we can assure our customers that they won't have that "locked-in feeling" they get when they choose Microsoft, Oracle, BEA, z/OS or other proprietary product families.  The cost to exit these proprietary technologies dwarfs the acquisition costs.  Sun can help reduce customers' cost to exit by using open standards and open source implementations.  This also provides customers with more choice.  In the case of ODF, for example, customers can now choose office automation packages from Adobe, Sun, IBM, Google or the free OpenOffice suite rather than having their data held hostage by proprietary MS Office formats.  They can choose to run these suites on Windows, MacOS, Solaris, BSD or any of the Linux variants.

Why should you care?

To summarize, Sun's strategy of making our products free and open is designed to make the entire planet familiar with Sun's products.  We then have the opportunity to offer support, services, training and systems for their enterprise computing needs. This helps customers by providing them more choices at lower cost and allowing them to move from one vendor to another more easily.


Monday Jul 30, 2007

Using the Solaris Security toolkit to implement DISA security guidelines

Update: 8/16/12  This is a very old blog entry. However, I've had several requests to update the link for my Security Toolkit profile for Solaris 10.  Caveat.  This is based on a very old version of the DISA STIG and older versions of Solaris.  I do not warrant that this will make your system STIG compliant with the current STIG but it can be a baseline for your own customizations.  The Toolkit itself must be downloaded from My Oracle Support. (document ID 1004565.1)

Download my SST profile from 2007

You might remember my earlier blog entry about DoD security guidelines for Solaris.  As a result of Sun Federal's recent contract award from DISA for Capacity Computing services, I've been working to implement the DISA Security Technical Implementation Guides (STIGs) using the Solaris Security Toolkit (wow, what a mouthful).

I started with some customization work that was done by the DISA GCCS program office.  I modified and updated it to meet most of the current STIG requirements.  I've heard many horror stories about how long it takes to secure a system properly and obtain "Authority To Connect" to a DoD network.

I'm happy to say that the profile I've built runs in about 2 minutes on my Acer Ferrari 3400 laptop.

First, some background!

What is the Solaris Security Toolkit?

The SST is a toolkit produced and supported by Sun to simplify and automate the process of securing a Solaris system.  The current version, 4.2, supports Solaris 8, 9 and 10.  It includes audit and undo modes in addition to the hardening mode.  If you plan to use it, make sure that you also apply the latest patch, 122608, from sunsolve.sun.com.  It is very customizable for your site requirements.  I have been trying to get the DISA Field Security Office to adopt and customize the SST for over two years but have not yet succeeded.

What are the STIGs?

These are security guidelines provided by the DISA Field Security Office to DoD users for securing Solaris and other Unix/Linux platforms.  Most of the recommendations make sense but there are a few silly ones.  There is a detailed book as well as a checklist and a somewhat automated set of Security Readiness Review (SRR) scripts to check the work that you've done.  The scripts are NOT perfect and sometimes produce false findings.  More on that later.

What were your results?

I downloaded and ran the latest DISA SRR scripts from March 2007 before applying the SST and afterward. I also ran the little script below to finish up the final few operations. During the "Manual Review" portion, I answered "Not a finding" for all the questions.  This means that the differences listed here are those detected by the automated portion of the SRR. 

Before:
Finding Counts:
CAT I = 5/123, CAT II = 53/340, CAT III = 11/57, CAT IV = 1/5

After:
Finding Counts:
CAT I = 4/123, CAT II = 13/340, CAT III = 4/57, CAT IV = 0/5

Some of the remaining findings are false positives or out of the scope of the toolkit.  Some examples include:

Finding                                     Category (1 is highest)   Explanation
Recommended patches not installed           2                         They are installed, but the script doesn't appear to detect them properly
Core dumps not disabled                     3                         They are disabled, but the script doesn't detect it properly
inetd disabled                              2                         It's enabled, but the script looks in inetd.conf, which is no longer used in Solaris 10
Various Sendmail configuration file issues  1 and 2                   Sendmail is disabled with svcadm
IP forwarding should be disabled            2                         The script looks for /etc/notrouter, which is no longer used; Solaris 10 uses routeadm

Great, I want it now, what do I do?

  1. Install Solaris
  2. Install the latest recommended patches for Solaris (SunSolve access required)
  3. Download and install the Solaris Security toolkit
  4. Download and install the SST patch 122608. (SunSolve access required)
  5. Download this tarball containing the customized files and User Guide (please read the User Guide)
  6. cd /opt/SUNWjass
  7. tar xvf <path to tar file>
  8. Execute: time /opt/SUNWjass/bin/jass-execute -d /opt/SUNWjass/Drivers/GCCS.secure.driver -o <output file>
  9. Reboot your system
  10. Run the SRR scripts

Caveats

  • I have NOT tested this in a production DoD site or run it with a DISA security officer observing.  I have only tested it on my laptop using Solaris 10 11/06.
  • Use this profile at your own risk.  I am providing it for your convenience and provide no warranty.
  • The SST profile cannot automate everything or install anti-virus software as required.
  • I have an additional script that does some final items. (see below)

Benefits of the Solaris Security toolkit

  • Because it is automated, it can produce repeatable, predictable results
  • Because it supports Solaris 8, 9 and 10 (on both Sparc and X64/86 platforms), it can be used throughout your enterprise
  • Because it is provided, supported and updated by Sun, it can be depended upon to "do the right thing" as Solaris is updated.
  • It can be used in the global or non-global zones of Solaris 10.
  • It is easily customized for your particular site requirements.
  • It has an "undo" feature
  • Speed and accuracy.  The toolkit can complete in a few minutes what would normally take hours of error prone text editing.
  • Simple.  A single command does all the work.

Feedback

I'm interested in your feedback on how it worked for you, where my errors are and what additional capabilities you have given it.  Add a comment below. 

A quick script to do a little more.

Because of my limited knowledge of the tool and a lack of time, this script completes the last few operations that the toolkit profile does not yet cover.

#!/bin/sh
# This script attempts to complete the processes not done by the JASS toolkit.
# The items here are those documented in the User's Guide.
# They are here because I have not yet implemented them as part
# of the STIG toolkit profile.
# 12/21/06 jlaurent

# tighten permissions on the man pages
echo "Current man page permissions"
ls -ld /usr/share/man
ls -ld /usr/share/info
ls -ld /usr/share/infopa
ls -ld /usr/sfw/share/man
echo "Setting man page perms to 644"

# find -exec takes a bare {} placeholder and a single escaped semicolon
find /usr/share/man -type f -exec chmod 644 {} \;
find /usr/share/info -type f -exec chmod 644 {} \;
find /usr/share/infopa -type f -exec chmod 644 {} \;
find /usr/sfw/share/man -type f -exec chmod 644 {} \;
echo "New man page permissions"
ls -ld /usr/share/man
ls -ld /usr/share/info
ls -ld /usr/share/infopa
ls -ld /usr/sfw/share/man

# same for various other files and directories
echo "Current /var/audit permissions "
ls -ld /var/audit
echo "Setting /var/audit perms to 700"
chmod 700 /var/audit
echo "New /var/audit permissions "
ls -ld /var/audit

echo "Current /etc/ftpd/ftpusers permissions"
ls -ld /etc/ftpd/ftpusers
echo "Setting /etc/ftpd/ftpusers perms to 640"
chmod 640 /etc/ftpd/ftpusers
echo "New /etc/ftpd/ftpusers permissions"
ls -ld /etc/ftpd/ftpusers

echo "Current permissions for at.deny, at.allow, cron.deny, cron.allow"
ls -l /etc/cron.d/at.deny /etc/cron.d/at.allow /etc/cron.d/cron.deny /etc/cron.d/cron.allow
echo "Setting permissions for at.deny, at.allow, cron.deny, cron.allow to 600"
chmod 600 /etc/cron.d/at.deny /etc/cron.d/at.allow /etc/cron.d/cron.deny /etc/cron.d/cron.allow
echo "New permissions for at.deny, at.allow, cron.deny, cron.allow"
ls -l /etc/cron.d/at.deny /etc/cron.d/at.allow /etc/cron.d/cron.deny /etc/cron.d/cron.allow

# 4700 keeps the setuid bit but limits execution to root
echo "Current traceroute permissions "
ls -l /usr/sbin/traceroute
echo "Setting traceroute perms to 4700"
chmod 4700 /usr/sbin/traceroute
echo "New traceroute permissions "
ls -l /usr/sbin/traceroute

echo "Current /etc/inet/inetd.conf permissions "
ls -l /etc/inet/inetd.conf
echo "Setting /etc/inet/inetd.conf perms to 440"
chmod 440 /etc/inet/inetd.conf
echo "New /etc/inet/inetd.conf permissions "
ls -l /etc/inet/inetd.conf

echo "Current /etc/syslog.conf permissions "
ls -l /etc/syslog.conf
echo "Setting /etc/syslog.conf perms to 640"
chmod 640 /etc/syslog.conf
echo "New /etc/syslog.conf permissions "
ls -l /etc/syslog.conf

echo "Current /var/crash permissions "
ls -ld /var/crash
echo "Setting /var/crash perms to 700"
chmod 700 /var/crash
echo "New /var/crash permissions "
ls -ld /var/crash

# changing root umask to 077 in /root/.profile and /root/.cshrc
# (sed only rewrites an existing "umask NNN" line; if a file has no
# umask line, nothing is added, which the grep below will reveal)
echo "Changing root umask to 077 in /root/.profile and /root/.cshrc"
sed "s/umask .../umask 077/g" /root/.profile > /root/.profile.tmp
mv /root/.profile.tmp /root/.profile
sed "s/umask .../umask 077/g" /root/.cshrc > /root/.cshrc.tmp
mv /root/.cshrc.tmp /root/.cshrc

echo "Please review the umask for .profile"
grep umask /root/.profile
echo "Please review the umask for .cshrc"
grep umask /root/.cshrc


# disable global core dumps (per-process core dumps are a separate coreadm option)
echo "Original core configuration"
coreadm

echo "Disabling core dumps"
coreadm -d global
echo "New core configuration"
coreadm
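The script above sets modes unconditionally, and the SRR scripts only report on them, so there is no single table that both checks and fixes.  As an added example, not part of the original post or of the Solaris Security Toolkit, the following POSIX sh routines audit a table of expected modes (the paths and modes are the ones the script above sets) and chmod only the entries that deviate.  It assumes a stat(1) that accepts GNU -c or BSD -f format strings; Solaris 10 ships no stat(1), so get_mode would have to parse ls -l output there.  The sandbox tree it builds under mktemp is constructed for the demonstration, so the demo never touches the live /etc or /var.

```shell
#!/bin/sh
# Added example, not from the original post or the Solaris Security Toolkit:
# audit a table of expected file modes and fix only the deviations, so one
# table serves both as an SRR-style check and as the remediation step.
# Assumes stat(1) with GNU -c or BSD -f formatting (Solaris 10 has no stat;
# there get_mode would have to parse ls -l output instead).

# Expected modes taken from the script above, one "path mode" pair per line.
EXPECTED_MODES="/var/audit 700
/etc/syslog.conf 640
/etc/inet/inetd.conf 440
/var/crash 700"

# get_mode PATH: print the octal permission bits of PATH, or "missing".
get_mode() {
    if [ ! -e "$1" ]; then
        echo missing
    elif stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"        # GNU coreutils
    else
        stat -f '%Lp' "$1"       # BSD / macOS
    fi
}

# audit_modes ROOT: check every table entry below ROOT (ROOT is "" for a
# live system). Each deviation goes to stderr as "FINDING ..."; the number
# of findings is printed on stdout; the exit status is always 0.
audit_modes() {
    findings=0
    while read -r path want; do
        [ -n "$path" ] || continue
        have=$(get_mode "$1$path")
        if [ "$have" != "$want" ]; then
            echo "FINDING $path expected=$want actual=$have" >&2
            findings=$((findings + 1))
        fi
    done <<EOF
$EXPECTED_MODES
EOF
    echo "$findings"
}

# fix_modes ROOT: chmod only the entries that deviate, reporting each change.
fix_modes() {
    while read -r path want; do
        [ -n "$path" ] || continue
        target="$1$path"
        if [ ! -e "$target" ]; then
            echo "SKIP $path (missing)" >&2
            continue
        fi
        have=$(get_mode "$target")
        if [ "$have" != "$want" ]; then
            chmod "$want" "$target" && echo "FIXED $path $have -> $want" >&2
        fi
    done <<EOF
$EXPECTED_MODES
EOF
    return 0
}

# make_sandbox: build a constructed tree with deliberately lax modes so the
# demo never touches the real /etc or /var. Prints the sandbox root.
make_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/var/audit" "$sb/var/crash" "$sb/etc/inet"
    touch "$sb/etc/syslog.conf" "$sb/etc/inet/inetd.conf"
    chmod 755 "$sb/var/audit" "$sb/var/crash"
    chmod 644 "$sb/etc/syslog.conf" "$sb/etc/inet/inetd.conf"
    echo "$sb"
}

# Demo: audit, fix, re-audit the sandbox (expected counts: 4, then 0).
sandbox=$(make_sandbox)
echo "findings before fix: $(audit_modes "$sandbox")"
fix_modes "$sandbox"
echo "findings after fix:  $(audit_modes "$sandbox")"
rm -rf "$sandbox"
```

On a live system, source the file as root and call audit_modes "" to see the findings first, then fix_modes ""; the empty ROOT argument makes the table paths absolute, and extending EXPECTED_MODES with the cron, ftpusers and traceroute entries from the script above is a one-line change each.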


Why should you care?

Securing a computer for use on the DoD networks can be a difficult and time-consuming task.  These tools will help you deliver your mission faster, more reliably and more securely.

Monday Jun 25, 2007

Solaris Trusted Extensions vs. Red Hat EL 5 and the Common Criteria

Red Hat and IBM recently announced the completion of an EAL4+ CC evaluation.  Those who follow my blog religiously (I know that you're out there), know that I have discussed the Common Criteria several times before here and here.  What most don't know is that there are a wide range of features that can result in a completed CC evaluation.

On paper, RH and IBM have indeed completed the same certification that Sun plans to achieve for the open source Solaris 10 with Trusted Extensions; however, WHAT they tested, and WHAT customers can actually use while staying within the evaluated configuration, is NOT AT ALL on par with what we are doing in Solaris 10 with Trusted Extensions.

The most important part of a CC Evaluation is the "Security Target."  The ST defines what will and what will NOT be considered part of the evaluation.  Red Hat and IBM's Security Target eliminates a number of key features and significantly reduces the functions available to the user.

The evaluation doesn't tell the whole story at all. Each evaluation must be looked at very closely to see exactly what was tested and what was claimed.

  • Red Hat's LSPP security policy file can be hundreds or thousands of lines long and is therefore potentially more error prone.  Solaris Trusted Extensions uses a series of small, easily verified files, and enforcement of the policy always takes place, even for administrative processes.
  • Solaris Trusted Extensions include the Solaris Management Console GUI for configuration.
  • Sun's Solaris with Trusted Extensions can be deployed very rapidly using existing applications in a matter of minutes. This keeps the security policy simple and easy to verify and the protection provided is automatic regardless of the application being deployed.
  • RHEL 5 with its LSPP security policy has some serious, practical deployment issues that customers need to be aware of, including:
    • The GUI and X-Windows components are excluded from the security target.  This is a server and command line offering ONLY.
    • No multi-level GUI. Solaris with Trusted Extensions provides both Trusted Java Desktop System (GNOME-based) and Trusted CDE
    • No multi-level file sharing. Solaris with Trusted Extensions provides multi-level NFS file sharing
    • No easy interoperability with other non-labeled OSs, such as MS Windows, Mac OS X, etc. Solaris with Trusted Extensions works in multi-platform environments without issue - we do not require communication only with other 'trusted' OSs.
    • No guarantee of application compatibility for non-Label-aware applications. Solaris with Trusted Extensions will run all existing applications, even allowing them to run in a 'multi-level' manner without modification to the code.
    • Hot Pluggable storage devices (USB and Firewire) are excluded from the evaluation.  Solaris Trusted Extensions includes these devices in our evaluation.
    • Network Printers are excluded.  Solaris Trusted Extensions supports the labeling of network printers.
    • No use of LDAP as a naming service for centralized management of user identities. Solaris Trusted Extensions supports industry standard LDAP protocols for centrally managing user id and security policy information.
    • The RHEL evaluation only applies to IBM hardware.  Sun's certifications include a variety of AMD-64 and Sparc-based platforms.
    • The RHEL evaluation only supports the ext3 and selinuxfs file systems.  Sun's evaluation for Solaris Trusted Extensions supports UFS, ZFS, PCFS, NFS, lofs and hsfs.  In addition, Solaris allows you to use QFS and VxFS as well, although these were not part of the evaluated platform.

Sun has achieved CAPP & RBACPP at EAL 4+ for Solaris 10 3/05, is about to announce that Solaris 10 11/06 has repeated this achievement, and will have our LSPP certification by the end of CY07.

For other comparisons, please review these useful links:

Comparing the Multilevel Security Policies of Solaris Trusted Extensions and Red Hat Enterprise Linux
http://www.sun.com/bigadmin/features/hub_articles/mls_trusted_exts.jsp

Sun Solaris Security Web Site :
www.sun.com/solaris/security/

Comparative Study of Containment Technology : a Thesis from Sweden :
http://opensolaris.org/os/community/security/news/20070601-thesis-bs-eriksson-palmroos.pdf

Glenn Faden's Blog : Chief Architect of Solaris Trusted Extensions (and Trusted Solaris 8):
http://blogs.sun.com/gfaden/

Thanks to Mark Thacker and Jane Medefesser for input to this article 

Why should you care?

Sun believes that when you deploy an OS in a secure, multi-level environment, you will want all the features, third-party software and support to be the same as in a standard environment.  We believe that Solaris 10 with Trusted Extensions provides a richer, more capable, easier to use platform for our security-minded customers.  It is a deployment platform developed with an open source methodology that supports a wide variety of Sparc, Intel and AMD based platforms and is freely available.
Tuesday May 15, 2007

Sun Ray thin client saves customers big bucks and makes them "Green."

At Sun for the last 7 years, we've known that using Sun Ray ultra thin clients saves customers money while increasing security.  We have over 25000 of them deployed and everyone from the CEO on down uses them.  Our global mobility configuration allows me to move my running desktop session from my house to my office in McLean, VA, to Broomfield, CO, to Beijing, China by simply taking my smart card with me.  Trust me, the first time you see this work, it appears to be nothing less than magical.

Most recently, Verizon has installed over 5000 Sun Rays in their call centers and found that it reduces their power bill and management costs while making them more "green."  According to the article in Network World:

Verizon has seen a 60% to 70% drop in desktop problems and a 30% decline in electrical use at each center. Generally, Verizon had four dedicated tech staff members per 1,000 seats to handle desktop trouble tickets. With the Sun Rays, that's been cut to one staffer.

How does the Sun Ray help the environment?

  • Lower power and cooling usage. 4-7 watts vs. over 100 for the typical PC.
  • Reduced waste.  A Sun Ray has no disk drive, DVD drive or fans.  When discarded it has a significantly smaller circuit board, enclosure and power supply than a typical PC.  Our basic Sun Ray 2 weighs less than one pound.
  • Improved real estate usage.  At Sun we have reduced our real estate significantly because of the "hot-desking" feature of the Sun Ray thin client.  We can allocate 2-3 mobile workers to one cube.  This reduces waste, power, cooling and other factors.
  • Improved resource utilization.  Processors can be shared among users.  No longer is a 3 Ghz processor locked up in a box in the cube next to you while that person is out of the office or on vacation.  In this shared environment, many users can be allocated to a small number of processors. 

 The Sun Ray thin client also helps to control costs in a number of ways:

  • No patching required.
  • No local software installation on each device.
  • No reason to replace it every three years.  We have Sun Ray devices over 7 years old.  Think of it as a VT100 terminal on steroids.
  • Reduced system administration costs through centralized management.
  • Upgrades for hardware (CPU, memory, disk) and software (word processing, mail, etc.) occur in a centralized location rather than on the desktop.  A single central Sun Ray server provides additional power to all of its users.
  • Reduced cost to move an employee.  Simply pull out your smart card and switch to any cubicle available.
  • Reduced data loss and backup issues.  All data is kept in centrally managed and backed up data centers by professionals.

The Sun Ray can also increase your security posture for a variety of reasons:

  • No hard disk drive, floppy or CD-RW device to be stolen, lost or to extract data
  • USB ports can be disabled to prevent the injection of viruses or removal of data via flash memory drives
  • No operating system means that it's virus free and doesn't require constant monitoring, securing and patching
  • Smart Card authentication provides two factor security.

These are just a few of the benefits of the Sun Ray thin clients.  DISA management has stated that they plan to move to a thin client architecture when they move their HQ from VA to Ft. Meade, MD.

Thin implementations have also taken hold in the United States. One of its advocates is CDR W. Stevenson Bowman, who is the officer in charge of the San Diego detachment of SPAWAR, the Space and Naval Warfare Systems Center in Norfolk, Va. Bowman was involved with a thin-client implementation at the data center of the Defense Information Systems Agency (DISA) in San Diego, where they were able to eliminate their help desk completely.

"The whole idea was to get rid of all the thick clients and the cost associated with them," Bowman said. They moved from Wintel PCs to Solaris running on a Citrix server. The agency first went from seven to two support personnel, then eliminated them completely.

 Whether you are a Solaris, Linux or even Microsoft Windows shop we have many more success stories of Sun Ray deployments around the world.

If you would like to know how to take advantage of Sun's thin client computing technologies, call our Sun Federal headquarters at 703 204 4100.

Monday May 14, 2007

Anti virus software for Solaris? What are they thinking?

Recently, the US DoD introduced an updated version of their "Security Technical Implementation Guide" Checklist (aka STIG) for Unix platforms.  They added a requirement for Anti-Virus software to be installed and rated it as a Category I (highest) requirement.  Within the DoD, you must follow this checklist in order to get "Authority to Connect" to the network.  It is EXTREMELY difficult to get a waiver to ignore a Category I finding.

To quote the most recent (March 2007) checklist:

GEN006640 – Virus Protection Software

Check for the existence of the Mcafee command line scan tool to be executed weekly in the cron file.  The Mcafee command line scanner is available for most Unix/Linux operating systems.  Additional tools specific for each operating system are also available and will have to be manually reviewed if they are installed.  In addition, the definitions file should not be older than 14 days.

I have been researching the offerings of major (and minor) AV vendors.  Please feel free to make corrections or additions to this list via the "Comments" feature of blogs.sun.com.

  • TrendMicro
    • No host-based anti-virus software for Solaris (either platform)
  • Symantec
    • No host-based anti-virus software for Solaris (either platform)
  • McAfee
    • Command Line anti-virus for Solaris 10 (Sparc) and plans for X64 platform
  • F-Prot
    • Has anti-virus for Solaris on Sparc and X64 platforms.  F-Prot is based in Iceland. I'm not sure if the DoD can use their software.
  • CA
    • Web site claims support for Sun Solaris 8 and greater.  Unclear on Sparc/X64 platforms.
  • Central Command
    • Reports supporting Sun Solaris 9 or SunOS 5.9 on Sparc only
  • Avast
    • Reports having anti-virus scanner for Solaris 8-10 on Sparc and X64 platforms.  Based in Prague, Czech Republic.
  • Clam AV Open source project.  Now owned by SourceFire.
    • Has binary build for Solaris on Sparc and X64 platforms at blastwave.org
  • CyberSoft
    • VFind has support for Solaris 2.5.1, 2.6, 7, 8, 9 and 10 on Sparc and X64. Based in Conshohocken, PA.

I have also perused their virus databases in an attempt to prove with data what I know in my heart, i.e. there are really no damaging Solaris viruses.

  • McAfee
    • Two "malware" findings.  Each rated as low threat. One requires that telnet port be open which most enterprises close
  • Symantec
    • 11 Total findings, most of which are vulnerabilities rather than viruses.  These vulnerabilities can all be dealt with via existing Solaris patches.
  • Trend Micro
    • 13 findings, most of which were vulnerabilities and DoS warnings, some of which were over 7 years old.
  • F-Prot
    • Lists only 2 Unix viruses that affect Apache on BSD and Linux platforms dated from 2002.

A similar search of the McAfee "malware" database for Windows XP returned 5300 results.

Apparently this requirement is derived from the NISPOM as evidenced by this email from a customer:

The NISPOM, referenced in the DSS scenario below is the _National Industrial Security Program Operation Manual_ (DoD 5220.22M - Feb 28, 2006)
 
Chapter 8 of the NISPOM deals with Information System (IS) Security.
 
    8-103. The information Systems Security Manager (ISSM) shall:
 
    8-103.f.(5) Implement security features for the detection of malicious code, viruses, and intruders (hackers), as appropriate.
 
    8-305 Malicious Code. Policies and procedures to detect and deter incidents caused by malicious code, such as viruses or unauthorized modification to software shall be implemented.  All files must be checked for viruses before being introduced to an IS and checked for other malicious code as feasible. The use of personal or public domain software is strongly discouraged. Each installation of such software must be approved by the ISSM. 

In my mind, the key portion of this excerpt would be the phrase, "as appropriate."  While it is certainly "appropriate" to install anti-virus software on a MS Windows platform, I can't see where it would be appropriate for a Solaris platform.

I am doing all of this work in an attempt to get the DISA Field Security Office to eliminate the requirement or, at least, reduce its severity.  If you are also running into this issue, please email me or add a comment to my blog.  At this time, I understand that DISA is planning to lower the rating of this finding to Category II.  I don't know when this change might occur.

Solaris has a number of features that can help secure your system without anti-virus software including:

  • Signed binaries
  • Basic Audit and Reporting Tool (BART)
  • No stack execution
  • Mandatory Access Control (when Trusted Extensions are enabled)
  • Solaris Containers
A white paper on Solaris security is available.  The Solaris Security Toolkit supports the hardening of Solaris 10.
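BART's create/compare cycle is what lets a Solaris administrator detect unexpected file changes without depending on a virus signature database.  As an added example, not from the original post and not BART itself, the following POSIX sh script builds a manifest of SHA-256 hashes for every file under a directory and reports added, removed and modified files against a baseline.  It assumes one of sha256sum (GNU), digest -a sha256 (Solaris) or shasum -a 256 (BSD/macOS) is on PATH and that file paths contain no whitespace; the demo tree and its contents are constructed for the demonstration.  A real BART manifest also records mode, owner, size and timestamps, which this one omits.

```shell
#!/bin/sh
# Added example, not from the original post and not BART itself: a minimal
# create/compare file-integrity manifest in the spirit of BART, showing how
# unexpected changes are detected without an anti-virus signature database.
# Assumes sha256sum (GNU), digest -a sha256 (Solaris) or shasum -a 256
# (BSD/macOS) is on PATH, and that paths contain no whitespace.

# hash_file FILE: print the SHA-256 of FILE using whichever tool is available.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v digest >/dev/null 2>&1; then
        digest -a sha256 "$1"
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# create_manifest ROOT: one "path sha256" line per regular file under ROOT,
# with paths relative to ROOT and sorted so two manifests are comparable.
create_manifest() {
    (
        cd "$1" || exit 1
        find . -type f | sort | while read -r f; do
            printf '%s %s\n' "$f" "$(hash_file "$f")"
        done
    )
}

# compare_manifests BASELINE CURRENT: print "added|removed|modified path"
# for every difference, sorted. Prints nothing when the tree is unchanged.
# Each line is tagged with its origin first, so the same file may be passed
# twice and an empty baseline is handled correctly.
compare_manifests() {
    { sed 's/^/old /' "$1"; sed 's/^/new /' "$2"; } | awk '
        $1 == "old" { old[$2] = $3; next }          # baseline manifest
        { new[$2] = $3 }                             # current manifest
        END {
            for (p in old) if (!(p in new)) print "removed " p
            for (p in new) {
                if (!(p in old)) print "added " p
                else if (new[p] != old[p]) print "modified " p
            }
        }' | sort
}

# Demo on a constructed tree: take a baseline, then tamper with it.
demo_tree=$(mktemp -d)
mkdir -p "$demo_tree/etc/inet"
printf 'sshd: 10.0.0.0/8\n'      > "$demo_tree/etc/hosts.allow"
printf 'inetd.conf sample\n'     > "$demo_tree/etc/inet/inetd.conf"
printf 'syslog.conf sample\n'    > "$demo_tree/etc/syslog.conf"
create_manifest "$demo_tree" > "$demo_tree.baseline"

printf 'sshd: ALL\n' >> "$demo_tree/etc/hosts.allow"   # modified
rm "$demo_tree/etc/inet/inetd.conf"                   # removed
printf 'dropped in\n' > "$demo_tree/etc/rogue"        # added
create_manifest "$demo_tree" > "$demo_tree.current"

echo "Changes since baseline:"
compare_manifests "$demo_tree.baseline" "$demo_tree.current"
rm -rf "$demo_tree" "$demo_tree.baseline" "$demo_tree.current"
```

For real use, keep the baseline manifest on read-only media or on another host, since an intruder who can alter files can also alter a manifest stored beside them; that is the same reason BART manifests are normally kept off the audited system.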

Why you should care.

Solaris is known for its security.  Placing a requirement for anti-virus software on Solaris is preventing some customers from deploying it because of the paperwork required to get a waiver.  In particular, requiring Solaris users to install software that specifically searches for malware that primarily attacks a competitive platform (Windows) would appear to put Sun at a competitive disadvantage.

Friday May 04, 2007

Why is Common Criteria bad for government?

Some time ago, I blogged about what the Common Criteria process is all about and how the government (in particular my customer in the US DoD) uses it.  At that time I said:

What's wrong with the current Common Criteria process?

Although the current process is somewhat better than the old NSA process, it still leaves something to be desired.  I have heard it stated in public forums by DoD employees that the CC process does not meet all Government's goals.   Current problems include:

  • It still takes a long time (about 1 1/2 years), resulting in delays in purchasing state-of-the-art products.
  • The process is not designed to actually detect software bugs or vulnerabilities in an OS
  • The rules for adoption of the OS are interpreted in a wide variety of ways across organizations.
  • It is not flexible in handling OS updates and patches

Apparently, I was not alone.  Recently an article was published in the Government Computer News in which Symantec agrees with me stating:

  “I would say our [DOD] customers are not satisfied with Common Criteria,” said Wesley Higaki, Symantec's director of product certifications, in an interview with GCN. “People on the ground are finding that Common Criteria doesn't help them make their products more secure. It doesn't help them pass accreditation. It's just a procurement hurdle at this point.”

Recently I have been asked if Sun could have our Lights Out Management (LOM) devices CC evaluated because they accept a user name and password.  This feature makes them IA-enabled according to DoD Directive 8500.2.  Nearly every server, tape array and disk array that Sun sells has a LOM interface to facilitate remote management and problem diagnosis.  This requirement could generate a huge cost in dollars and time for Sun while delaying innovation and product development.  In the end it would not create a better product because the market already demands that our products provide a high level of security.

I have heard it said at Sun that, "No CC evaluation has ever changed a line of code."  Although I can't prove this because I have not been directly involved, I certainly believe that CC evaluations are primarily documentation efforts.

If you also see this as a problem, feel free to add your comments here.
Wednesday Mar 07, 2007

FAQ: Securing Solaris for use in the US DoD

As an OS Ambassador at Sun who works very closely with the US DoD, I'm frequently asked how one secures Solaris for use in the DoD. The definitive source for this information is the DISA Field Security Office "Security Technical Implementation Guide" (aka STIG). DISA owns and operates the data centers and networks for the US DoD. Security checklists and about 500 pages of documentation are included.

They can be downloaded at: http://iase.disa.mil/stigs/stig/index.html

In addition, DISA provides "Security Readiness Review" scripts which audit your system and report discrepancies.  They were last updated in January 2007 and include S10 support.  The SRRs are available at: http://iase.disa.mil/stigs/SRR/index.html

Some DoD organizations have created a Solaris Security Toolkit profile which accomplishes about 90% of what the STIGs require. The SST is Sun's supported "security lockdown tool" that is a free download and easily customizable. It typically executes in about 4 minutes, drastically reducing the time required to secure a system and providing automated, reproducible results.  The SST also includes "undo" and "audit" functions. The SST can significantly reduce the time that it takes you to reach "Authority to Operate" status on a DoD network.

The DISA STIGs require a wide variety of changes to the Solaris OS including:

  • Solaris auditing enabled with specific items being audited.
  • Basic Auditing and Reporting Tool enabled
  • root home directory changed to /root
  • McAfee antivirus installed (yes, even though it really only checks for Windows viruses)
  • Massive permissions and umask changes
  • TCPwrappers enabled
  • Certain services must be disabled (FTP, Telnet, etc.)
  • Certain commands must be disabled (snoop, rsh, rexec, etc.)
  • Password history, lockout and construction settings
  • Banner page changes
  • PROM password settings
  • etc.
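The SRR scripts mentioned above audit a live system; as an added illustration of what such a check looks like (this is my own example, not a DISA SRR script, the STIG, or Sun's SST), the following POSIX shell script audits the password-construction, history, lockout and umask keys that the STIG list above refers to. It reads constructed sample copies of /etc/default/passwd and /etc/default/login rather than the live files. The key names (PASSLENGTH, HISTORY, MINDIFF, MINDIGIT, MINUPPER, NAMECHECK, RETRIES, UMASK) are real Solaris 10 keys; the threshold values are illustrative assumptions and not the STIG's required numbers.

```shell
#!/bin/sh
# Added example (not from DISA, Sun or the original post): an SRR-style
# audit of Solaris 10 password and login policy keys. It reads sample files
# constructed below, not the live /etc/default/passwd and /etc/default/login.
# Key names are real Solaris 10 keys; the thresholds are assumptions.

# get_key FILE KEY: print the value of the last uncommented KEY=value line
get_key() {
    sed -n "s/^[[:space:]]*$2=\([^[:space:]#]*\).*/\1/p" "$1" | sed '$!d'
}

# check_min FILE KEY MIN: finding if KEY is unset or numerically below MIN
check_min() {
    val=$(get_key "$1" "$2")
    if [ -z "$val" ]; then
        echo "FINDING: $2 not set (expected >= $3)"; return 1
    elif [ "$val" -lt "$3" ]; then
        echo "FINDING: $2=$val is below the required minimum $3"; return 1
    fi
    return 0
}

# check_eq FILE KEY WANT: finding if KEY is not exactly WANT
check_eq() {
    val=$(get_key "$1" "$2")
    if [ "$val" != "$3" ]; then
        echo "FINDING: $2=${val:-<unset>} (expected $3)"; return 1
    fi
    return 0
}

# audit_passwd_defaults FILE: construction and history checks; returns count
audit_passwd_defaults() {
    n=0
    check_min "$1" PASSLENGTH 8  || n=$((n+1))  # minimum length
    check_min "$1" HISTORY 5     || n=$((n+1))  # old passwords remembered
    check_min "$1" MINDIFF 3     || n=$((n+1))  # chars differing from old
    check_min "$1" MINDIGIT 1    || n=$((n+1))  # complexity
    check_min "$1" MINUPPER 1    || n=$((n+1))
    check_eq  "$1" NAMECHECK YES || n=$((n+1))  # password may not equal login
    return "$n"
}

# audit_login_defaults FILE: lockout threshold and default umask; returns count
audit_login_defaults() {
    n=0
    val=$(get_key "$1" RETRIES)
    if [ -z "$val" ] || [ "$val" -gt 3 ]; then
        echo "FINDING: RETRIES=${val:-<unset>} (expected <= 3)"; n=$((n+1))
    fi
    check_eq "$1" UMASK 077 || n=$((n+1))
    return "$n"
}

# Constructed sample files (not copied from any real host)
SAMPLE_DIR=$(mktemp -d 2>/dev/null || echo "/tmp/stig_demo.$$")
mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/passwd.default" <<'EOF'
# constructed sample resembling an unhardened /etc/default/passwd
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
EOF
cat > "$SAMPLE_DIR/passwd.hardened" <<'EOF'
# constructed sample of a hardened /etc/default/passwd
PASSLENGTH=8
HISTORY=10
MINDIFF=3
MINDIGIT=1
MINUPPER=1
NAMECHECK=YES
EOF
cat > "$SAMPLE_DIR/login.default" <<'EOF'
# constructed sample resembling an unhardened /etc/default/login
UMASK=022
EOF
cat > "$SAMPLE_DIR/login.hardened" <<'EOF'
# constructed sample of a hardened /etc/default/login
RETRIES=3
UMASK=077
EOF

# Usage: report on each sample; the return value is the finding count
for f in passwd.default passwd.hardened; do
    echo "== $SAMPLE_DIR/$f"
    audit_passwd_defaults "$SAMPLE_DIR/$f" && echo "no findings" || echo "$? finding(s)"
done
for f in login.default login.hardened; do
    echo "== $SAMPLE_DIR/$f"
    audit_login_defaults "$SAMPLE_DIR/$f" && echo "no findings" || echo "$? finding(s)"
done
```

Each audit function returns the number of findings so that it can be used as a pass/fail gate in a larger script, which is how the SRR scripts are typically run before an accreditation review: a non-zero count means the file still needs work.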

Other documents that might be of interest for security conscious customers include:

Why should you care?

The US DoD takes computer security very seriously.  Their STIG documents provide a detailed definition of all the activities required to secure a Sun Solaris system.  Utilization of their tools and methods can result in a highly secure data center operation.

The Solaris Security Toolkit can simplify this process and make it predictable, repeatable and faster than a manual process.

For the highest level of security (equivalent to the old NSA B1 level) Solaris 10 11/06 includes the capability to add Trusted Extensions to your environment. Solaris Trusted Extensions provide full label-aware services to meet the most stringent multi-level OS requirements.


 



Friday Feb 23, 2007

Sun in America's Global Command and Control System

Over the past 10-15 years, my customer, Defense Information Systems Agency (DISA) has used Solaris as a core component for its Global Command and Control System (GCCS).  GCCS is a mission critical system supporting our warfighters worldwide. To quote their web site:

GCCS-J is the principal foundation for dominant battlespace awareness, providing an integrated, near real-time picture of the battlespace necessary to conduct joint and multinational operations.

DISA chose Solaris as their deployment platform in the early 90s (Solaris 2.3 time frame) because of its open standards compliance, security, wide application availability and stability.  A recent article in Federal Computer Week indicates that Sun's relationship with DISA will continue for years to come.

DISA, according to the agency’s budget documents, plans to buy more than 120 high-powered Sun servers for GCCS-J in the next three years, including Sun Fire 1280, V890, V480, V280 and V240 servers powered by UltraSPARC processors.

As in 1992, Solaris 10 still excels in the same areas.  It is an open source OS that runs on a wide variety of hardware platforms and provides a stable, secure platform for a wide variety of third party applications.

In addition to developing and deploying the GCCS, DISA owns and operates the DoD networks, Data Centers and other programs that use Sun hardware and software including:

Special note

Before you wise guys out there comment that the equipment listed is old and should be retired, I'd like to point out that:

  1. Government procurement documents are notoriously out of date due to the multi-year planning process they follow.
  2. GCCS is currently upgrading from Solaris 2.5.1 to Solaris 8 but moving to Solaris 10 over the next year.
  3. We also now have AMD (and soon Intel) based servers with which to attack the Dell components as well

Why should you care?

The US DoD trusts Sun products to deploy its most mission critical programs.  Sun has a long relationship with a wide variety of customers who need the utmost in security, availability and choice in their computing solutions.  Only Solaris can scale from a portable laptop computer to a 144 processor super-server with 1 TB of RAM while providing a single administrative view.


Wednesday Dec 20, 2006

Updates to: Solaris 10 has achieved Common Criteria evaluation!

I've updated my blog entry on Common Criteria evaluations with the answers to some of the FAQ that I get inside of Sun and that were posted in the comments section.  Also corrected some rather embarrassing spelling and typing errors!  Why doesn't this blog editor have spell check?

Monday Oct 09, 2006

DISA awards contract to Sun Federal

Last week the Defense Information Systems Agency awarded a multi-year contract to Sun Federal for "Utility Computing."  As the technical lead on the proposal I am very familiar with the requirements of the RFP and Sun's solution.

What DISA wanted.

DISA operates 18 data centers for the US DoD. Their customers include the military services as well as agencies such as DFAS, DLA, NGIA, TransCOM etc.  Typically DISA or the customer would buy a suite of HW, strap some system administrators to the side and send it off to one of their hosting sites.  This required voluminous paperwork, time delays, and capital expenditures.  After 3-4 years, they had to do it all over again.

The purpose of the DISA RFP was to streamline the procurement process by issuing a single contract for Solaris computing capacity provided by the vendor on DISA floor.  Sun retains ownership of the equipment, meters usage and bills DISA based on utilization. DISA provides the floor space, power, cooling and operations staff as well as the customer applications.  As workload increases or decreases, Sun adds or removes capacity without additional procurement activities or "surplusing" of equipment.  Sun is an active participant in the monitoring and capacity management of the Solaris based workload.

Now that the easy part is done (winning the award), Sun's next step is to actually put our technologies to work in partnership with DISA.

What's cool about it

This is an all Sun solution where we are the prime contractor and vendor. Sun's offering to DISA makes use of a wide variety of Sun products and services including:
  • The Solaris 10 operating system where Sun's unique Containers technology will allow virtualization of DISA workload resulting in high utilization and reduced management costs.
  • Sun's comprehensive N1 suite of management, deployment, measurement and monitoring tools to ensure responsive performance and deployment of new workloads.
  • Sun Spectrum Platinum 7 x 24 on-site maintenance for around the clock hardware and software support.
  • Sun's Variable Cost Infrastructure service is a true "Utility Computing" service which includes capacity management, architectural oversight, application sizing and utilization based billing.
  • Sun's complete range of Sparc and AMD based servers including low power UltraSparc T1 as well as industry standard AMD systems.
  • Sun Cluster software for highly available applications providing automatic application failover and horizontal scaling.

Why you should care

This is one of a variety of options for Utility computing from Sun that make us easier to do business with, more responsive and a better partner with the Federal Government.

If you are interested in Sun's products and services, call 800-786-0404.  Our Government telesales team there can answer your questions, provide a GSA quote or connect you with your local Sun Sales team.



About

Jim Laurent is an Oracle Sales consultant based in Reston, Virginia. He supports US DoD customers as part of the North American Public Sector hardware organization. With over 17 years experience at Sun and Oracle, he specializes in Solaris and server technologies. Prior to Oracle, Jim worked 11 years for Gould Computer Systems (later known as Encore).
