Secure Systems Data Management


description

Security Presentation given by Glenn Brunette (Oracle CTO for ESG) in the Conshohocken PA, Reston VA, New York and New Jersey Solaris 11 Technology Forum events.

Transcript of Secure Systems Data Management

Page 1: Secure Systems Data Management

Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Secure Systems and Data Management

Glenn Brunette

CTO, Enterprise Systems Group

Oracle Solaris 11

Page 2: Secure Systems Data Management

Agenda

• Secure And Scalable Data Management

• Oracle Solaris ZFS

• What’s New in Oracle Solaris 11

• Related Storage Technologies

• Advanced Systems Protection

• Oracle Solaris Security Features

Page 3: Secure Systems Data Management

Administrative Challenges

Page 4: Secure Systems Data Management

Administrative Challenges

• Reduce costs and risks

– Manage data efficiently and securely

• Increase availability

– Eliminate data corruption

• Increase your asset protection

– Protect assets and prevent attacks

Page 5: Secure Systems Data Management

Agenda

• Secure And Scalable Data Management

• Oracle Solaris ZFS

• What’s New in Oracle Solaris 11

• Related Storage Technologies

• Advanced Systems Protection

• Oracle Solaris Security Features

Page 6: Secure Systems Data Management

ZFS: Next Generation File System

Oracle Solaris ZFS supports enterprise application deployments through a focus on these infrastructure qualities:

• Scalability

• Virtualization

• Efficiency

• Reliability

• Compatibility

• Security

Page 7: Secure Systems Data Management

ZFS: Next Generation File System (Scalability)

• Immense capacity (128-bit)

  – ZFS capacity: 256 quadrillion ZB (1 ZB = 1 billion TB)

  – Exceeds the quantum limit of Earth-based storage.

• Dynamic metadata

  – No limits on files, directory entries, snapshots, etc.

  – No tuning parameters to enable expansion.

  – Parallel, constant-time directory operations.

• Pooled design: continuous future growth

Page 8: Secure Systems Data Management

ZFS: Next Generation File System (Virtualization)

• Pooled storage design:

  – No partitions to manage.

  – Integrated volume management.

  – Grow/shrink automatically.

  – All bandwidth always available, all pool storage shared.

• Parallel multi-protocol access to the same data.

• Seamlessly absorbs new storage technology

  – Hybrid storage pools maximise SSD investment.

• Essential infrastructure for thin provisioning

Page 9: Secure Systems Data Management

ZFS: Next Generation File System (Reliability/Availability/Serviceability)

• A primary design goal of ZFS: end-to-end data integrity.

  – Copy-on-write design: data is never overwritten in place.

  – Snapshots: continuous incremental data protection.

  – Checksum-protected throughout the data path.

  – “Self-healing”: damaged data is replaced from a good copy on a mirror.

  – Multiple levels of RAID protection to meet modern capacities.

• ZFS multiple boot environments underpin install and upgrade.
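The slide lists the integrity mechanisms without showing how they fit together. The following is an added illustration written for this transcript, not ZFS source code or anything from the deck: a toy pool in which every block pointer carries the SHA-256 checksum of the block it references (so the check is made by the parent, not by the disk), data blocks are never overwritten in place, a snapshot is nothing more than a retained root pointer, and a two-way mirror repairs a copy that fails its checksum from the copy that passes. The class names, addresses and block contents are all constructed for the example.

```python
"""Toy model of ZFS end-to-end integrity: checksums live in the parent block
pointer, writes are copy-on-write, snapshots retain old root pointers, and a
mirror self-heals. Constructed example, not ZFS code."""
import hashlib
import json


def checksum(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Vdev:
    """One disk. Every write goes to a fresh address (copy-on-write)."""

    def __init__(self):
        self.blocks = {}
        self.next_addr = 0

    def write(self, data: bytes) -> int:
        addr = self.next_addr
        self.blocks[addr] = data
        self.next_addr += 1
        return addr

    def read(self, addr: int) -> bytes:
        return self.blocks[addr]

    def corrupt(self, addr: int, data: bytes) -> None:
        """Simulate bit rot or a misdirected write that the disk itself never notices."""
        self.blocks[addr] = data


class Mirror:
    """Two-way mirror: a logical block lives at the same address on every side."""

    def __init__(self, sides: int = 2):
        self.sides = [Vdev() for _ in range(sides)]
        self.repairs = 0

    def write(self, data: bytes) -> int:
        addrs = {side.write(data) for side in self.sides}
        assert len(addrs) == 1, "mirror sides drifted out of step"
        return addrs.pop()

    def read(self, addr: int, expected: str) -> bytes:
        """Return the copy whose checksum matches the parent's pointer and
        overwrite any copy that does not. Because the checksum comes from the
        parent, a block that is internally consistent but wrong is still caught."""
        good, bad = None, []
        for side in self.sides:
            data = side.read(addr)
            if checksum(data) == expected:
                good = data if good is None else good
            else:
                bad.append(side)
        if good is None:
            raise IOError("unrecoverable: no copy of block %d matches its checksum" % addr)
        for side in bad:
            side.blocks[addr] = good  # self-heal the damaged copy
            self.repairs += 1
        return good


class Pool:
    """A pool holding one directory block; the uberblock points at the live root."""

    def __init__(self):
        self.mirror = Mirror()
        self.uber = None  # (address, checksum) of the current root block
        self._commit({})

    def _commit(self, tree: dict) -> None:
        root = json.dumps(tree, sort_keys=True).encode()
        self.uber = (self.mirror.write(root), checksum(root))  # new root; old root stays on disk

    def _tree_at(self, root_ptr) -> dict:
        addr, csum = root_ptr
        return json.loads(self.mirror.read(addr, csum))

    def put(self, name: str, data: bytes) -> None:
        tree = self._tree_at(self.uber)
        tree[name] = [self.mirror.write(data), checksum(data)]  # block pointer = (addr, checksum)
        self._commit(tree)

    def get(self, name: str, snapshot=None) -> bytes:
        addr, csum = self._tree_at(self.uber if snapshot is None else snapshot)[name]
        return self.mirror.read(addr, csum)

    def snapshot(self):
        """A snapshot is just the root pointer; copy-on-write keeps its blocks alive."""
        return self.uber

    def diff(self, snap_a, snap_b) -> dict:
        """What `zfs diff` reports between two snapshots: compare block pointers."""
        ta, tb = self._tree_at(snap_a), self._tree_at(snap_b)
        out = {}
        for name in sorted(set(ta) | set(tb)):
            if name not in ta:
                out[name] = "added"
            elif name not in tb:
                out[name] = "removed"
            elif ta[name] != tb[name]:
                out[name] = "modified"
        return out


if __name__ == "__main__":
    pool = Pool()
    pool.put("payroll", b"version 1")
    before = pool.snapshot()
    pool.put("payroll", b"version 2")
    addr = pool._tree_at(pool.uber)["payroll"][0]
    pool.mirror.sides[0].corrupt(addr, b"version 2 ")  # one side silently rots
    print(pool.get("payroll"), "repairs:", pool.mirror.repairs)
    print(pool.get("payroll", before))
    print(pool.diff(before, pool.snapshot()))
```

The point to take from the model is where the checksum is kept: a disk-level checksum stored next to the block would pass for a block that was written intact to the wrong address, whereas a checksum held in the parent pointer fails that block and triggers repair from the other side. When both copies fail, the read is refused rather than returning silently wrong data.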

Page 10: Secure Systems Data Management

ZFS: Next Generation File System (Compatibility)

• Endian-neutral: seamlessly move physical storage between SPARC and x64 platforms.

• Tightly integrated block and file protocols: CIFS, NFS, iSCSI, FC, …

• Standards compliance

  – Support for POSIX and existing and emerging standards.

Page 11: Secure Systems Data Management

Agenda

• Secure And Scalable Data Management

• Oracle Solaris ZFS

• What’s New in Oracle Solaris 11

• Related Storage Technologies

• Advanced Systems Protection

• Oracle Solaris Security Features

Page 12: Secure Systems Data Management

ZFS: New in Oracle Solaris 11 (the default, and only, root file system)

• ZFS Dataset Encryption

  – On-disk, block-level encryption protects against theft of physical storage and against tampering on the SAN path (SAN man-in-the-middle). Provides for secure deletion: once the key is destroyed the ciphertext left on disk is unrecoverable.

  – Must be enabled when the file system is created; it cannot be switched on later for an existing dataset. The wrapping key (a passphrase, raw key, or hex key) must be supplied and verified before the file system can be mounted.

• ZFS Deduplication

  – Operates across the entire storage pool, but can be enabled or disabled for individual datasets.
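The slide states the key-at-mount rule and the secure-deletion property without showing the key hierarchy that makes them work. The following is an added illustration for this transcript, not Oracle code and not from the deck: a per-dataset data encryption key (DEK) that is itself encrypted ("wrapped") under a key derived from the administrator's passphrase. Loading the key with the wrong passphrase fails the authentication check; `zfs key -c` re-wraps the DEK under a new passphrase without rewriting a single data block; unloading the key leaves the ciphertext unreadable; destroying the wrapped key is the secure deletion. HMAC-SHA256 in counter mode with encrypt-then-MAC stands in here for the AES-CCM/GCM modes ZFS actually uses, and the PBKDF2 parameters, class names and block contents are assumptions made for the example.

```python
"""Toy model of the ZFS dataset encryption key hierarchy on Oracle Solaris 11.
Constructed example, not Oracle code. HMAC-SHA256 counter mode plus
encrypt-then-MAC stands in for AES-CCM/GCM; PBKDF2 settings are assumed."""
import hashlib
import hmac
import os


def _prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = _prf(enc_key, nonce, i.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def aead_encrypt(key: bytes, nonce: bytes, plaintext: bytes):
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    ct = _keystream_xor(enc_key, nonce, plaintext)
    return ct, _prf(mac_key, nonce, ct)  # encrypt-then-MAC


def aead_decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    if not hmac.compare_digest(tag, _prf(mac_key, nonce, ct)):
        raise ValueError("authentication failed: wrong key or tampered block")
    return _keystream_xor(enc_key, nonce, ct)


class EncryptedDataset:
    """Mimics the observable behaviour of `zfs create -o encryption=on`."""

    PBKDF2_ITERATIONS = 10000  # assumption for the example, not the Solaris value

    def __init__(self, passphrase: bytes):
        self.salt = os.urandom(16)
        self.wrapped_dek = self._wrap(os.urandom(32), passphrase)  # stored in dataset metadata
        self.blocks = {}   # block id -> (nonce, ciphertext, tag), what is on disk
        self._dek = None   # only in memory, only while the key is loaded

    def _kek(self, passphrase: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase, self.salt, self.PBKDF2_ITERATIONS, 32)

    def _wrap(self, dek: bytes, passphrase: bytes):
        nonce = os.urandom(12)
        ct, tag = aead_encrypt(self._kek(passphrase), nonce, dek)
        return nonce, ct, tag

    def key_load(self, passphrase: bytes) -> None:
        """`zfs key -l`: a wrong passphrase fails the MAC, so nothing gets mounted."""
        if self.wrapped_dek is None:
            raise KeyError("dataset key was destroyed; data is unrecoverable")
        nonce, ct, tag = self.wrapped_dek
        self._dek = aead_decrypt(self._kek(passphrase), nonce, ct, tag)

    def key_unload(self) -> None:
        """`zfs key -u`: the ciphertext stays on disk but nothing can read it."""
        self._dek = None

    def key_change(self, old: bytes, new: bytes) -> None:
        """`zfs key -c`: re-wrap the DEK under a new passphrase; data blocks untouched."""
        self.key_load(old)
        self.salt = os.urandom(16)
        self.wrapped_dek = self._wrap(self._dek, new)

    def write(self, block_id: int, data: bytes) -> None:
        if self._dek is None:
            raise PermissionError("key not loaded")
        nonce = os.urandom(12)  # fresh nonce for every block write
        ct, tag = aead_encrypt(self._dek, nonce, data)
        self.blocks[block_id] = (nonce, ct, tag)

    def read(self, block_id: int) -> bytes:
        if self._dek is None:
            raise PermissionError("key not loaded")
        nonce, ct, tag = self.blocks[block_id]
        return aead_decrypt(self._dek, nonce, ct, tag)

    def secure_delete(self) -> None:
        """Destroy the wrapped DEK; the ciphertext may linger on disk but is now noise."""
        self.wrapped_dek = None
        self._dek = None


if __name__ == "__main__":
    ds = EncryptedDataset(b"correct horse battery staple")
    ds.key_load(b"correct horse battery staple")
    ds.write(1, b"salary table")
    ds.key_change(b"correct horse battery staple", b"new passphrase")
    ds.key_unload()
    ds.key_load(b"new passphrase")
    print(ds.read(1))
    ds.secure_delete()
```

Two consequences of this layout are worth checking on a real system: a passphrase change is cheap because only the small wrapped key is rewritten, and the authentication tag on each block is what turns a SAN-level modification into a read error instead of silently altered data.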

Page 13: Secure Systems Data Management

ZFS: New in Oracle Solaris 11 (the default, and only, root file system)

• ZFS Shadow Migration

  – Move data from legacy file systems while the environment stays live.

• ZFS Backup with NDMP

  – ZFS data can now be backed up with the Oracle Solaris Network Data Management Protocol (NDMP) service, using zfs send and zfs receive.

• Temporary ZFS Mounts

  – Mount a ZFS file system temporarily at a location other than its persistent mount point.

Page 14: Secure Systems Data Management

ZFS: New in Oracle Solaris 11 (the default, and only, root file system)

• zfs snap

  – A convenient alias for zfs snapshot

• zfs diff

  – List differences between ZFS snapshots

• Recursive zfs send

  – zfs send a ZFS dataset and all of its descendants in one stream

Page 15: Secure Systems Data Management

Agenda

• Secure And Scalable Data Management

• Oracle Solaris ZFS

• What’s New in Oracle Solaris 11

• Related Storage Technologies

• Advanced Systems Protection

• Oracle Solaris Security Features

Page 16: Secure Systems Data Management

Other Data Management

• Many other file systems are supported as non-root file systems

  – UFS, Oracle ASM, NFS, VxFS, and many others

• Symantec NetBackup is already supported as a solution

• The COMSTAR (Common Multiprotocol SCSI Target) framework allows sharing over many storage protocols

  – These include iSCSI and iSER, FCoE, SRP, and FCoIB

  – All built on the ZFS foundation and its services

Page 17: Secure Systems Data Management

Agenda

• Secure And Scalable Data Management

• Oracle Solaris ZFS

• What’s New in Oracle Solaris 11

• Related Storage Technologies

• Advanced Systems Protection

• Oracle Solaris Security Features

Page 18: Secure Systems Data Management

Advanced Protection (Oracle Solaris Security)

• Integrated with all the other Solaris features

  – Zones, ZFS, SMF, networking, Automated Install, IPS, and many others

  – Installs and boots secure by default

  – Layered defense in depth gives the highest levels of containment

• Protect: protect data and the access to it

• Prevent: contain user and application actions

• Manage: manage and log security settings

• Assure: provide an enterprise platform to deploy applications securely with confidence

Page 19: Secure Systems Data Management

Security in Oracle Solaris 11

Application Runtime: Immutable Zones; sandboxing with new basic privileges (net_access, file_write, file_read); further executable address space reduction; network data-link and IP anti-spoofing for Zones.

Authentication: SSH X.509 certificate support; Kerberos PKINIT (X.509); Kerberos data in LDAP; root login disabled by default; role authentication via the user's own password; authentication caching.

Audit: auditing on by default; audit policy in SMF; secure remote audit trail.

Delegation: sudo with auditing; fine-grained user/password/RBAC management CLI with LDAP support.

Data Security: ZFS file system, swap, dump and zvol encryption; NFSv4/NT-style ACLs; multilevel security with file labeling; IPsec/IKE policy per zone; per-zone NFS server and Kerberos realm.

Cryptography: transparent hardware encryption for Solaris and Java; OpenSSL 4x faster; Trusted Platform Module (TPM) keystore; file integrity scanner; signed binaries and packages; Oracle Key Manager appliance integration.

Built-in, flexible, transparent, hardware assisted

Page 20: Secure Systems Data Management

Tailored Security for Applications (Defense in Depth)

• Audited and delegated administration

  – Restricted zone access

  – Service management

• Immutable Zones: read-only file systems

• Data link and IP-layer protection

• Hardware accelerated crypto operations

  – OpenSSL 5x faster than IBM

• Encrypted ZFS for data protection

  – Remote key management

  – ZFS encryption on T4 is 3x faster than Intel

Page 21: Secure Systems Data Management

Protect (Authentication)

• Kerberos server/client

  – Kerberized applications

  – Hardware cryptographic acceleration

• LDAP client

• Active Directory client

• PAM local authentication

• SSH PKI support

Page 22: Secure Systems Data Management

Protect (Application to Disk Encryption)

• Automatic hardware cryptographic acceleration for Solaris, OpenSSL, Java, and RSA PKCS#11 applications

• High performance cryptography: 4.3x faster than AIX

• Confidentiality of operating system, network, and files on disk

• Reduce complexity with Solaris cryptography

• No-cost ZFS dataset encryption

• Integration with Oracle Key Manager

Layers covered, from application to disk:

  – Application: Cryptographic Framework, OpenSSL, Java JCE

  – Operating System: swap, Kerberos/SASL/GSS-API, core utilities

  – Network: SSH, IPsec, SSL

  – Data: ZFS datasets, individual files

Page 23: Secure Systems Data Management

Prevent (Constrain Users: Restrict Access)

• Data (ZFS ACLs, NFSv4/NT-style)

  – Per file

  – Per dataset

• Network

  – Firewall

  – Flow controls

• Zone / virtual machine

• Delegated administration

Page 24: Secure Systems Data Management

Prevent (Constrain Users: Restrict Behavior)

Role Based Access Control

• No anonymous administrators

• Administrative actions assigned to roles

• Users are granted roles based on job needs

• Stops misuse/abuse

Page 25: Secure Systems Data Management

Prevent (Isolate Application Behavior)

Application Privileges

• White-list application behaviors

  – Example: a server on port 80 needs only the privilege to bind a privileged port, not the rest of root

• Granular control of applications

• Performance preserving

• Backward compatible

Page 26: Secure Systems Data Management

Prevent (Isolate Virtual Systems)

Oracle Solaris Zones

• System level isolation

• Resource management for cloud deployments

• Immutable Zones

  – Read-only application container

  – Allows selective sharing of data

• Multilevel security with Trusted Extensions

Page 27: Secure Systems Data Management

Prevent

Combine Privileges, Roles, Immutable Zones

Page 28: Secure Systems Data Management

Manage (Assist in Compliance)

Logging (application defined)

• Syslog format

• Troubleshoot user/application problems

• Log policies

Auditing (kernel controlled)

• Low impact

• Audit by default

• Secure transmission

• Evidence quality

Page 29: Secure Systems Data Management

Assure (Deploy with Confidence)

• Built-in security, not bolted on.

• Comprehensive process for software assurance

  – Design, code, test, maintenance

• Secure stack of hardware + firmware + Solaris

• Security updates with monthly software release

• Open source software code review

Page 30: Secure Systems Data Management

For More Information / Try Out Today

• Product overview and download

– oracle.com/solaris

• Oracle Technology Network

– oracle.com/technetwork/server-storage/solaris11

• System administrators community

– oracle.com/technetwork/systems

• @ORCL_Solaris

• facebook.com/oraclesolaris

• Oracle Solaris Insider

