Friday May 11, 2012

Solaris and IPv6

I work with my federal government and US DoD customers, and I'm frequently asked whether Oracle product X is IPv6:

  • Enabled
  • Compliant
  • Certified
  • DoD Certified

This is because the Federal Acquisition Regulations require that the government purchase IPv6 compliant products. 

Unless the agency Chief Information Officer waives the requirement, when acquiring information technology using Internet Protocol, the requirements documents must include reference to the appropriate technical capabilities defined in the USGv6 Profile (NIST Special Publication 500-267) and the corresponding declarations of conformance defined in the USGv6 Test Program.  

 Let's examine each of these adjectives one by one.

  • Enabled is clearly the lowest bar to hurdle.  A vendor could implement one or two RFCs in the IPv6 spectrum and claim that they are "enabled."
  • Compliant is a little more of a problem.  Compliant with what?  There are many different RFCs related to supporting IPv6.  Are you compliant if you support DHCPv6 but not IKEv2?  Are you compliant if your device is a web server but doesn't support DHCPv6 because it's not applicable?  It appears from the statement above that the FARs require that the CIO of an organization determine WHICH capabilities from the USGv6 profile are required by a particular product. The USGv6 profile ONLY lists requirements for hosts, routers and network protection devices.
  • Certified.  By whom? Against what list of RFCs?  How recently and on what versions?  If a version changes from 5.1 to 5.2, is it still certified?
  • DoD Certified.  This would be handy if the DoD, in fact, had an IPv6 certification program.  It did at one time through the Joint Interoperability Test Command (JITC), but apparently they determined that attempting to test every OS and device that the DoD might buy was a Sisyphean task. To quote their web page, "DoD no longer requires a stand-alone IPv6 certification." Several years ago Sun paid them a large amount of money and loaned two servers and a person in order to receive our certification for Solaris 10.

At the DISA mission partner conference this week, I attended a presentation by the DoD IPv6 Transition Office.  The slides are available online.  I asked the speaker if there is an "accepted" way of advertising IPv6 compliance and received no answer.  He has promised to get back to me, however. 

Oracle is a very large company with an extensive product line encompassing storage, servers, thin clients, databases, middleware and applications.  I have found no single resource documenting the IPv6 status of every product.  I can tell you, however, that Solaris 10 and Solaris 11 have successfully completed the USGv6 testing by the UNH Interoperability IPv6 test facility and the results are posted at their site.

As for Oracle Linux, it is fully compatible with Red Hat Linux 5 and 6, which have already been tested by UNH as well.

Note:  I intended to provide additional references on USGv6 profiles and "Suppliers Declaration of Conformance" but the NIST web page seems to be in disrepair and the pages are not available. 

Tuesday Apr 14, 2009

Sun at the DISA Customer Conference in Anaheim CA

Once again Sun will be showing a variety of our products and services at the DISA customer conference, this year being held in Anaheim, CA. Come see us in booth #924.

Sun's systems and blades based on Intel's new Nehalem processors

Find the fastest, most cost effective and energy efficient Intel processors that can run Solaris 10, OpenSolaris, VMware, MS Windows, Red Hat and SUSE platforms.

Sun ATCA Blade chassis

As a leader in open systems design, it makes sense that Sun would offer a blade chassis compliant with the Advanced Telecommunications Computing Architecture.  Sun offers Intel, AMD and SPARC chip designs in a single blade chassis.

Here's a photo of the traveling exhibit that we will be bringing.  Learn more about Sun's ATCA products as well as our competitive Blade 6000 products, which now feature the new Intel Nehalem family of processors.

Thin Clients

Our Sun Ray thin client technology allows you to save money, "be green" and reduce operating costs whether you are running a Solaris, Linux or Windows environment. Read about the many customers who have deployed thin clients successfully, replacing existing PC environments.

Identity Management and SOA software

Sun's Identity Management and SOA solutions allow customers to get a handle on their users, data and programs, making them more agile, responsive and secure while helping them comply with government regulations.

This popular, open source database can cost as much as 10% of the traditional vendors, reducing your cost while extending your reach to the internet. Download and try MySQL today.  It installs in less than 15 minutes on all the popular OS platforms.

Sun 7000 Unified Storage System

Sun's newest network attached storage system, the 7000 series, provides high performance, low cost storage with the advantages of solid state disk and detailed analytic tools.

OpenSolaris

Experience the next generation of Solaris technology by downloading OpenSolaris or Solaris 10 today for SPARC, Intel or AMD based platforms.

Dynamic Systems

Dynamic Systems Inc is a Sun partner with the capability of providing all of Sun's products and services via GSA contract, Enterprise Software Initiative contract or their BPA with DISA known as SSTEW.

CopperEye

CopperEye is a leading provider of enterprise data management solutions that eliminate the economic, technical and operational barriers to storing and accessing massive volumes of data.

And more....

Ask any of our booth personnel (including me) for any information about these or any other Sun products or services in which you are interested.

Wednesday Mar 07, 2007

FAQ: Securing Solaris for use in the US DoD

As an OS Ambassador at Sun who works very closely with the US DoD, I'm frequently asked how one secures Solaris for use in the DoD. The definitive source for this information is the DISA Field Security office "Security Technical Implementation Guide" (aka STIG). DISA owns and operates the data centers and networks for the US DoD. Security checklists and about 500 pages of documentation are included.

They can be downloaded at: http://iase.disa.mil/stigs/stig/index.html

In addition, DISA provides "Security Readiness Review" scripts which audit your system and report discrepancies.  They were last updated in January 2007 and include S10 support.  The SRRs are available at: http://iase.disa.mil/stigs/SRR/index.html

Some DoD organizations have created a Solaris Security Toolkit profile which accomplishes about 90% of what the STIGs require. The SST is Sun's supported "security lockdown tool" that is a free download and easily customizable. It typically executes in about 4 minutes, drastically reducing the time required to secure a system and providing automated, reproducible results.  The SST also includes "undo" and "audit" functions. The SST can significantly reduce the time that it takes you to reach "Authority to Operate" status on a DoD network.

The DISA STIGs require a wide variety of changes to the Solaris OS including:

  • Solaris auditing enabled with specific items being audited.
  • Basic Auditing and Reporting Tool enabled
  • root home directory changed to /root
  • McAfee antivirus installed (yes, even though it really only checks for Windows viruses)
  • Massive permissions and umask changes
  • TCP Wrappers enabled
  • Certain services must be disabled (FTP, Telnet, etc.)
  • Certain commands must be disabled (snoop, rsh, rexec, etc.)
  • Password history, lockout and construction settings
  • Banner page changes
  • PROM password settings
  • etc.
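
As an added illustration of the kind of discrepancy report an audit pass produces for three items in this list (banned network services, root's home directory, password history), here is a small shell sketch. It is not DISA's SRR script or an SST profile; the service FMRIs are the Solaris 10 names, the sample inputs are constructed, and because the STIG's required values are not given on this page it checks only that password history is enabled.

```shell
#!/bin/sh
# Added example, not a DISA SRR script. All sample inputs are constructed.

# Constructed sample of `svcs -H -o state,fmri` output.
SAMPLE_SVCS='disabled svc:/network/ftp:default
online svc:/network/telnet:default
disabled svc:/network/shell:default
online svc:/network/ssh:default'

# Constructed sample /etc/passwd lines.
SAMPLE_PASSWD='root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:'

# Constructed sample /etc/default/passwd content.
SAMPLE_PWDEFAULT='MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
#HISTORY=0'

# Print FMRIs of FTP, Telnet, rsh (shell) and rexec services not "disabled".
banned_services_enabled() {
    printf '%s\n' "$1" | awk '
        $2 ~ /^svc:\/network\/(ftp|telnet|shell|rexec)(:|$)/ && $1 != "disabled" { print $2 }'
}

# Print root's home directory if it is anything other than /root.
root_home_discrepancy() {
    printf '%s\n' "$1" | awk -F: '$1 == "root" && $6 != "/root" { print $6 }'
}

# Succeed only if an uncommented HISTORY=<n> with n > 0 is present.
# Assumption: only "enabled" is checked, not a specific required count.
password_history_set() {
    printf '%s\n' "$1" | awk -F= '
        /^[ \t]*#/ { next }
        $1 == "HISTORY" && $2 + 0 > 0 { found = 1 }
        END { exit found ? 0 : 1 }'
}

audit() {
    for s in $(banned_services_enabled "$SAMPLE_SVCS"); do
        echo "FINDING: $s is not disabled"
    done
    h=$(root_home_discrepancy "$SAMPLE_PASSWD")
    [ -z "$h" ] || echo "FINDING: root home is $h, expected /root"
    password_history_set "$SAMPLE_PWDEFAULT" || echo "FINDING: password HISTORY not set"
    return 0
}
audit
```

On a live Solaris 10 system the same functions can be fed `svcs -H -o state,fmri` output and the contents of `/etc/passwd` and `/etc/default/passwd` in place of the samples.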

Other documents that might be of interest for security conscious customers include:

Why should you care?

The US DoD takes computer security very seriously.  Their STIG documents provide a detailed definition of all the activities required to secure a Sun Solaris system.  Utilization of their tools and methods can result in a highly secure data center operation.

The Solaris Security Toolkit can simplify this process and make it predictable, repeatable and faster than a manual process.

For the highest level of security (equivalent to the old NSA B1 level), Solaris 10 11/06 includes the capability to add Trusted Extensions to your environment. Solaris Trusted Extensions provide full label-aware services to meet the most stringent multi-level OS requirements.


 



About

Jim Laurent is an Oracle Sales consultant based in Reston, Virginia. He supports US DoD customers as part of the North American Public Sector hardware organization. With over 17 years experience at Sun and Oracle, he specializes in Solaris and server technologies. Prior to Oracle, Jim worked 11 years for Gould Computer Systems (later known as Encore).
