August 16, 2001
Chat Title: Trusted Solaris
This is a moderated chat.
LizA: Welcome to Solaris Live! Our guests today are Martin Hack, Product Manager, Solaris Core Security, and Glenn Faden, architect and technical contributor in the Trusted Solaris group. In addition to his Product Manager duties, Martin oversees the Trusted Solaris Operating Environment. He has 10 years of experience in the computer and network security fields and is a key contributor to Sun's overall security strategy. Martin also determines the future directions for security features in the standard Solaris Operating Environment. Glenn has worked as an architect and technical contributor in the Trusted Solaris group at Sun for over 12 years. His emphasis has been on user interfaces and window systems. He designed the multilevel versions of OpenWindows and the Common Desktop Environment, and the trusted administration tools used in Trusted Solaris. Recently, he has been focused on role-based access control (RBAC) and remote administration. Martin and Glenn, let me start by asking you to explain what the difference is between Trusted Solaris and regular Solaris.
martinh: Trusted Solaris 8 is based on Solaris 8. The main differences are role-based access control and mandatory access control with security labels. Both are enforced by the operating system... basically these are security extensions regular Solaris doesn't have in this form. Glenn, do you want to add something?
glenn: The RBAC implementation in Trusted Solaris is compatible with the Solaris 8 version, but adds support for CDE actions as well as commands, and supports privileges and labels as security attributes.
LizA: Can I use Trusted Solaris for my web server?
martinh: You certainly can. Actually it's an application where we highly recommend the use of Trusted Solaris. If it's set up the right way, you can mitigate the risk of web page defacing and things like that dramatically.
glenn: The multilevel security features of Trusted Solaris support multiple web servers at different labels, while sharing the same port number.
Dave Parrish: What is the status of the Common Criteria EAL4 evaluations of Trusted Solaris?
martinh: Dave, actually we are in the final stages of receiving our certification. Trusted Solaris 8 will be evaluated against EAL4 LSPP, RBACPP, and of course CAPP. We expect to ship this version by mid October.
dhp: What is the benefit of using Trusted Solaris over a hardened standard Solaris?
martinh: dhp, whenever you have a need to separate data and information on a host level, you might want to consider Trusted Solaris, since it's offering multi-level security features a regular UNIX® OE simply doesn't have.
Joe Kotran: In addition to web servers, what other uses is Trusted Solaris good for without introducing too much administrative burden? What uses are not good for Trusted Solaris?
martinh: Joe, yes it's true that Trusted Solaris (CMW) used to be quite burdensome to administer; however, with Trusted Solaris 8 we tried to get closer to the regular Solaris "look and feel", e.g. you can do 90% of the tasks via the Solaris Management Console, so you can pretty much use it in every environment where you anticipate a higher need for security.
Bob Giannaris: We need to support a large encodings file (~1000 subcompartments). What sort of performance hit can I expect if I'm using multi-bit encodings?
glenn: Bob, large numbers of compartments can be generated in a label encodings file by using multiple bits per compartment. There is no additional overhead for normal operations. However, the GUIs used for administration may be a bit slower. A bug in the window manager that affected performance when long labels were rendered has recently been fixed. This fix will be available in the next release.
rosado: Is Trusted Solaris compatible with Sun Cluster 3.0? If not, is there a plan for support?
martinh: Rosado, that's one of the very few applications that's currently not running with Trusted Solaris 8. We are currently investigating this, but no roadmap yet.
nivas: What are the drawbacks associated with using Trusted Solaris, if any?
martinh: Nivas, you do have some additional administration to perform; that's mostly in the initial configuration. Once you're up and running, it's pretty much like a regular Solaris box. However, you do have to understand the basic concepts of RBAC, MAC and security labels.
James White: A script that has been added to the
glenn: James, the environment that you are using to manually start the service affects the results. I suggest you send this question to the support forum, at http://supportforum.sun.com, with explicit information about the role and profile you are using to do this.
kschafer: Does Trusted Solaris add extra mechanisms to authenticate communications between multiple hosts on the same network?
glenn: kschafer, no, there are no additional authentication mechanisms. However, all the mechanisms in Solaris, including IPsec, are supported in Trusted Solaris.
Cliff Frost: Hi Martin & Glenn, regarding comparisons of Trusted Solaris and hardened Solaris, don't you think the use of privileges to prevent unauthorized entry and reduction of the power of root is important as well?
martinh: Hi Cliff! Most definitely. I'm glad you brought that up. We have a saying here: "No ROOT no cry" and that's what you'll get with Trusted Solaris and the least privilege principle.
Catone: What additional tools are included with Trusted Solaris for managing and auditing RBAC and MAC on a system? Anything to allow regular audits by a separate group to maintain the "separation of duties" necessary in banking situations, especially tools that can create readable/customizable reports?
glenn: Catone, auditing and MAC labels can be configured in the Trusted Solaris version of the Solaris Management Console. Auditing reports have to be run manually using
Dave Parrish: Are there any export restrictions on Trusted Solaris?
martinh: Dave, just as with regular Solaris, the only countries we can't export it to are the T7.
lars: Is Trusted Solaris 8 available on the Sun Blade platform? If not, when do you plan on this being available?
martinh: Lars, Trusted Solaris 8 4/01 will support Sun Blade. It will be available by mid October.
Dave Parrish: What are the main differences between the standard Xsun X11 server and the trusted X11 server in Trusted Solaris?
glenn: Dave Parrish, the Trusted Solaris version of the X server uses trusted networking to determine the label and uid of each client. It then enforces MAC and DAC policies on each X resource, including windows, pixmaps, properties, colormaps, etc. It also interprets fine-grained privileges for overriding the policies so that the window manager and the session manager can perform in a multi-level fashion.
nivas: Based on the answer to the Sun Cluster question, am I correct in assuming that not all applications that are supported by the Solaris 8 operating environment are automatically supported by Trusted Solaris 8.0? If so, is the full suite of VERITAS products currently supported?
martinh: nivas, basically Trusted Solaris supports all the 5,000+ apps that run on regular Solaris, unless the application causes dramatic changes to the kernel or the file system. VERITAS has its own file system, so it won't work.
Linda: Is there a significant difference in system admin training between Trusted Solaris 2.5.1 and 8?
martinh: Linda, actually we do have quite a few changes between Trusted Solaris 2.5.1 and Trusted Solaris 8. From my own experience I'd say that Trusted Solaris 8 is much easier to maintain, so there are definitely differences in the class.
Dave Parrish: Glenn, does that also mean that IPsec implemented in Trusted Solaris allows for encryption?
glenn: Dave Parrish, yes, IPsec supports encryption but requires manual key exchange.
J.R. Swartz: Earlier, there was a posting about large encodings files. We are using a semi-large encodings file (100 compartments). We don't see a performance hit at the 100 mark. However, strangely enough, we have seen a bug where at a specific number of compartments in a string (41 compartments) the window label fails to show the class level and associated compartments.
glenn: J.R. Swartz, there was a problem with label clipping in
fatcat: Is there any prospect of putting the IPsec package through FIPS 140-1 approval so it can be implemented within DOD uses?
martinh: fatcat, as a matter of fact, we are currently investigating the evaluation process around IPsec and FIPS 140-1. However, evaluations are usually a lengthy process, as you might know, but we do investigate the issue around IPsec and FIPS evaluation.
Cliff Frost: I noticed that the Printer Manager is one of the very few applications that is not part of SMC. Do you have plans to incorporate it as well?
glenn: Cliff, Trusted Solaris uses the same Printer Manager as Solaris. More tools are being planned for future versions of the Solaris Management Console.
jchia: We are in the middle of a Trusted Solaris admin class today. One of our labs is to configure two Trusted Solaris hosts to communicate with each other. It just happened that one was running 2.5.1 and one was running 8. As a result, 8 was able to telnet into 2.5.1, but 2.5.1 was refused the connection by 8. Is this a known problem?
Cliff Frost: Hi Martin and Glenn, I can help with the training question. There is a significant change in the database and administration formats as well as the advent of multiple nameservices, the Solaris Management Console administrative GUI, and the loss of Information Labels. In the end, 8 is much easier to maintain than the 2.5.1 version.
James White: In response to the differences that you listed between the X server on regular Solaris and on Trusted Solaris, would it be safe to say that if a process that had previously led to the start-up of an X session does not work with the same process on Trusted Solaris, that it is probably relevant to the MAC and DAC policies?
glenn: James, you may need to apply one or more window privileges to get the application to work. I suggest you post a question on the support forum providing more detail.
J.R. Swartz: We would be interested in hearing about support for the Sun Blade as well.
martinh: Hi JR, yes we'll support Sun Blade in our upcoming Trusted Solaris 8 4/01 version.
Cliff Frost: I really like the ability of the Solaris Management Console to manage multiple nameservice environments. Do you have plans to support LDAP?
martinh: Cliff, with Trusted Solaris 8 you'll get the same support for LDAP that regular Solaris 8 offers. If you need a full-blown LDAP/CMS I can recommend the iPlanet Directory in combination with their certificate management system.
James White: I am currently trying to troubleshoot an issue and have been trying to manipulate processes, either through Solaris Management Console GUI or
glenn: James, processes are protected by MAC and DAC. If you put all the
fatcat: Has work on Trusted Solaris 9 begun? If so, when do you expect to release a beta version?
martinh: fatcat, sorry we can't talk about future versions unless there's an NDA in place.
J.R. Swartz: Not a question, but rather a statement: we are in the middle of migrating 300+ legacy DEC MLS+ systems to Trusted Solaris v8. MLS+ had so many problems and was forever unstable. We appreciate the stable Trusted Solaris v8 networking! Things are going great for us.
martinh: JR, this is great news! Looks like a lot more people are beginning to understand the value of Trusted Solaris.
nivas: Is there a web page that lists Trusted Solaris 8.0 supported applications, and possibly a road map for products expected to be supported in the near future?
glenn: nivas, there is no such list because almost everything that runs on Solaris also runs on Trusted Solaris. In the upcoming release we have added support for the Solstice SunScreen firewall, Sun Ray server, and Solaris Resource Manager. There are often special installation and administration procedures required, since there is no superuser in Trusted Solaris. However, two technologies that don't currently work are
fatcat: Are you or anyone within this chat aware of some ADA programming tools for Trusted Solaris?
martinh: fatcat, it should be the same tools that are available for regular Solaris. (I assume you're referring to the American Disability Act.)
Linda: Training: We have current systems running Trusted Solaris 2.5.1, but they will be upgraded to 8 in about 6 months. Training is in about 3 months: is it better to request on-site training in Trusted Solaris 2.5.1 or 8? Also, I've already had training in 2.5.1; is it necessary to take another class in Trusted Solaris 8?
martinh: Linda, most people do like on-site training because they can use their experience on their own system. You should have at least a few people who are familiar with the new features of Trusted Solaris 8.
TNELAB2: To answer nivas's question, we have a web site with Trusted Solaris 8 apps: http://www.tinfosol.com.
nivas: Is Trusted Solaris compatible with the Sun Fire products? How and where can I find whether specific non-Sun hardware products (disk arrays, for example) are compatible with Trusted Solaris? Thanks for your time, Martin and Glenn.
martinh: nivas, yes the upcoming version will also support the new Sun Fire platforms. As a general rule, for hardware support for Trusted Solaris, everything that's supported by the equivalent Solaris release is supported; e.g. Solaris 4/01 supports Sun Fire, so Trusted Solaris 8 4/01 will support the same hardware.
Cliff Frost: I know that the VERITAS products don't work so well on Trusted Solaris. Doesn't Solstice DiskSuite, or is it now Logical Volume Manager, provide the functionality that VERITAS provides? I know a lot of enterprise systems that would require some sort of multiple disk management software.
glenn: Cliff, yes, Solaris Logical Volume Manager provides equivalent functionality and works with Trusted Solaris.
J.R. Swartz: Martin/Glenn, we are using NIS+ at present and have seen several instances where users with valid accounts log into the system and are defaulted to UNCLASS, almost as if the system could not grab their NIS map information. It has only happened about 6 times over the past month. Have you seen this behavior?
glenn: J.R. Swartz, we haven't seen the problem with NIS+, and we use a Trusted Solaris NIS+ nameserver for our department.
Dave Parrish: Do you have any plans to add additional Trusted Solaris classes from Sun Ed that address higher-level, more technical issues?
martinh: Dave, there's always the possibility to schedule an on-site class that fits each customer's individual needs, and those can be very technical.
J.R. Swartz: Will transcripts of this chat session be made available?
LizA: J.R., yes, the transcript will be available at http://soldc.sun.com/developer/chat. Thanks for asking!
fatcat: Will the Trusted Solaris 8 4/01 release have improved Intel support with increased device drivers?
martinh: fatcat, yes it'll be the same drivers that have been issued with Solaris 8 4/01 x86.
Cliff Frost: To answer Linda's question, I teach both on-site and in the classroom, and on-site definitely is a plus if the equipment is available and a reasonable representation of the live environment is possible, particularly regarding networking and security policy settings with the
James White: In response to a previous question, you stated "next release". When would that happen to be? Thanks.
martinh: James, the next update of Trusted Solaris 8 is going to be released by mid October. The next "version", which would be Trusted Solaris 9, is TBD.
nivas: Have you been seeing an increase in non-banking, non-government sectors starting to adopt Trusted Solaris?
martinh: nivas, we are getting tremendous feedback in the healthcare and service provider market, basically in sectors with a higher need for security.
LizA: Glenn and Martin, this has been a great chat... lots of questions answered. Do either of you have final thoughts for our audience?
glenn: I have written an article entitled "Authorization Infrastructure in Solaris" which will be posted August 22 on the Solaris Developer Connection at http://soldc.sun.com/articles/ais.html. It describes how to write applications which use authorization in Solaris and Trusted Solaris.
martinh: Thanks everyone, I really enjoyed this. It was great "chatting" with you! It shows me that a lot of people are interested in this topic and that motivates us even more...
LizA: Thanks to all of you... Martin and Glenn for being our guests, and also to all of you who joined us today. Solaris Live! returns Thursday 20 September, 9:30 A.M. PDT, when our guest is Bil Lewis, author of "Multithreaded Programming with Pthreads". Join us then!