New Sun BluePrint entitled Security Advantages of the Solaris Zones Software
By user9159837 on Dec 11, 2008
Check out my new Sun BluePrint (pdf) entitled Security Advantages of the Solaris Zones Software. It provides a hands-on introduction to the Solaris Zones architecture and discusses in detail some of the security advantages of OS virtualization in the context of Solaris zones.
Schuba, Christoph. Security Advantages of the Solaris Zones Software. Sun BluePrints Online, Part No 820-7136-10. December 2008.
The table of contents:
Chapter 1. Introduction
Chapter 2. Solaris Zones Architecture
- Branded Zones
- Labeled Zones
- Zones and Networking
- Shared-IP Zones
- Exclusive-IP Zones
- Zone Identity, CPU Visibility, and Packaging
- Zones and Devices
Chapter 3. Getting Started with Zones
- Zones Administration
- Creating, Installing, and Booting a Zone for Apache HTTP Server
Chapter 4. The Security Advantages of OS Virtualization
- Isolation and Encapsulation
- Offering Replicated or Redundant Services Using Zones
- Hardening a Web-Facing Web Server Using Solaris Zones
- A Reduced Set of Privileges for Non-Global Zones
- Benefits of Exclusive IP Stack Instances
- Monitoring Events in Zones
- Auditing Events in Non-Global Zones
Chapter 5. For More Information
- About the Author
- Ordering Sun Documents
- Accessing Sun Documentation Online
And the abstract for the article:
Virtualization is emerging as an important tool as organizations look to consolidate redundant and aging infrastructure and create a more agile and cost-effective datacenter. Indeed, virtualization technologies can help organizations quickly recover from disasters, reduce time to market for new services, and better utilize existing infrastructure to reduce space, power, and cooling requirements. It can help increase service levels while delivering security that once required the use of individual servers.
In particular, operating system (OS) level virtualization allows multiple applications to share the same operating system instance while providing separate security domains for each application. In an OS virtualized environment, the kernel provides multiple isolated user space instances. In the Solaris™ Operating System (Solaris OS) and OpenSolaris™ operating system, such instances are called Solaris Zones. A zone is a virtual operating system abstraction that provides a protected environment in which applications run isolated from other applications on the system. Zones look and feel to users and administrators like separate operating system instances. Fine-grained resource management limits the amount of resources applications within zones are allowed to consume. Such application containment provides a variety of security advantages.
• Damage caused by an application isolated in a zone remains contained within that zone, as if the application ran on a dedicated machine. In other words, applications are protected from each other to provide software fault isolation.
• Applications that execute in zones have little ability to interact with privileged system processes or resources, as a limited set of privileges are available to them.
• Different Internet Protocol Security (IPSec), packet filtering, and virtual LAN (VLAN) access policies can be employed for applications in different zones on the same machine using exclusive Internet Protocol (IP) stack instances.
• Zones are the primary mechanism used to implement data separation in Solaris Trusted Extensions, an advanced security feature that implements labels to protect data and applications based on their sensitivity level, not just on who owns or runs them.
• Virtual machine-based introspection is enabled from the administrative global zone, the place where the kernel runs, and from where the system is controlled and configured.
This Sun BluePrints™ article explains zone technology and provides detailed examples for configuration and exploration.