Secure Systems Data Management
1 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
Secure Systems and Data Management
Glenn Brunette
CTO, Enterprise Systems Group
Oracle Solaris 11
Agenda
• Secure And Scalable Data Management
• Oracle Solaris ZFS
• What’s New in Oracle Solaris 11
• Related Storage Technologies
• Advanced Systems Protection
• Oracle Solaris Security Features
Administrative Challenges
• Reduce costs and risks
– Manage data efficiently and securely
• Increase availability
– Eliminate data corruption
• Increase your asset protection
– Protect assets and prevent attacks
ZFS: Next Generation File System
Oracle Solaris ZFS supports enterprise application deployments through a focus on infrastructure qualities:
• Scalability
• Virtualization
• Efficiency
• Reliability
• Compatibility
• Security
ZFS: Next Generation File System
• Immense Capacity (128-bit)
• ZFS capacity: 256 quadrillion ZB (1ZB = 1 billion TB)
• Exceeds quantum limit of Earth-based storage.
• Dynamic Metadata
• No limits on files, directory entries, snapshots, etc.
• No tuning parameters to enable expansion.
• Parallel, constant-time directory operations.
• Pooled design – continuous future growth
Scalability
ZFS: Next Generation File System
• Pooled storage design:
• No partitions to manage.
• Integrated volume management.
• Grow/shrink automatically.
• All bandwidth always available, all pool storage shared.
• Parallel Multi-protocol access to the same data.
• Seamlessly absorbs new storage technology
• Hybrid storage pools maximise SSD investment.
• Essential infrastructure for thin provisioning
Virtualization
ZFS: Next Generation File System
• A primary design goal of ZFS:
• Copy on write design: data never overwritten in place.
• Snapshots: continuous incremental data protection.
• Checksum-protected throughout the data path.
• “Self-healing” ability to replace damaged data from mirrors
• Multiple levels of RAID protection to meet modern capacities.
• ZFS multiple boot environments underpin install & upgrade.
• End to end data integrity.
Reliability/Availability/Serviceability
ZFS: Next Generation File System
• Endian-neutral: seamlessly move physical storage between SPARC and x64 platforms.
• Tightly integrated block and file protocols: CIFS, NFS, iSCSI, FC, …
• Standards compliance
• Support for POSIX and existing and emerging standards.
Compatibility
ZFS: New in Oracle Solaris 11
• ZFS Dataset Encryption
• On-disk, block-level encryption protects against theft of physical storage and against SAN man-in-the-middle attacks, and provides for secure deletion. Enabled at file system creation time; the passphrase or numeric key is checked when the file system is mounted.
• ZFS Deduplication
• Operates across the entire storage pool, but can be enabled or disabled for individual datasets
The default, and only, root file system
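As an added example (not code from the deck or from Oracle), the following Solaris 11 shell script creates a dataset with ZFS encryption enabled and checks that the dataset is encrypted and its key is loaded before data on it is trusted as protected at rest; the dataset name tank/secrets and the key file path are assumptions.

```shell
#!/bin/sh
# Create an encrypted ZFS dataset on Oracle Solaris 11 and check that the
# data is only reachable while its wrapping key is loaded. Added example; the
# dataset name and key-file path are assumptions, not taken from the deck.
set -eu

DS="${DS:-tank/secrets}"                     # assumed dataset
KEYFILE="${KEYFILE:-/etc/zfs/secrets.key}"   # assumed 32-byte raw AES key

# Encryption can only be chosen when the dataset is created. The wrapping key
# is read from a raw key file so that a non-interactive boot can mount it;
# keysource=passphrase,prompt would ask for a passphrase at mount time instead.
create_encrypted_dataset() {
    zfs create -o encryption=aes-256-ccm \
               -o keysource="raw,file://$KEYFILE" "$DS"
}

# Effective encryption algorithm of a dataset; "off" when unencrypted.
encryption_of() { zfs get -H -o value encryption "$1"; }

# "available" while the key is loaded, "unavailable" after zfs key -u.
keystatus_of()  { zfs get -H -o value keystatus "$1"; }

# Verify that a dataset is encrypted and readable right now. Run this before
# relying on at-rest protection for data that lives on removable or SAN
# storage; returns 1 with a reason on stderr otherwise.
check_protected() {
    enc=$(encryption_of "$1")
    [ "$enc" != "off" ] || { echo "$1: not encrypted" >&2; return 1; }
    ks=$(keystatus_of "$1")
    [ "$ks" = "available" ] || { echo "$1: key not loaded ($ks)" >&2; return 1; }
    return 0
}

# Unloading the wrapping key takes the dataset offline and leaves its blocks
# unreadable until the key is loaded again.
unload_key() { zfs key -u "$1"; }
load_key()   { zfs key -l "$1"; }

case "${1:-}" in
    create) create_encrypted_dataset ;;
    check)  check_protected "$DS" ;;
    lock)   unload_key "$DS" ;;
    unlock) load_key "$DS" ;;
esac
```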
ZFS: New in Oracle Solaris 11
• ZFS Shadow Migration
• Move data from legacy file systems in the live environment.
• ZFS Backup with NDMP
• ZFS volumes can now be backed up with the Oracle Solaris Network Data Management Protocol (NDMP), using zfs send and zfs receive.
• Temporary ZFS Mounts
• Mount a ZFS file system temporarily at a location other than its
persistent mount point.
ZFS: New in Oracle Solaris 11
• zfs snap
• A convenient alias for snapshot
• zfs diff
• List differences between ZFS snapshots
• Recursive ZFS send
• zfs send a ZFS dataset and its descendants
Agenda
• Secure And Scalable Data Management
• Oracle Solaris ZFS
• What’s New in Oracle Solaris 11
• Related Storage Technologies
• Advanced Systems Protection
• Oracle Solaris Security Features
Other Data Management
• Many other file systems are supported as non-root file systems
– UFS, Oracle ASM, NFS, VxFS, and many others…
• Symantec NetBackup is already supported as a solution
• The COMSTAR (Common Multiprotocol SCSI Target) framework allows for sharing over many storage protocols
– These include iSCSI & iSER, FCoE, SRP, and FCoIB
– All built on the ZFS foundation and its services
Advanced Protection
• Integrated with all the other Solaris features
– Zones, ZFS, SMF, Networking, Automated Install, IPS, many others
– Install and boot secure by default
– The layered defense in depth gives the highest levels of containment
• Protect – protect data and the access to it
• Prevent – contain user and application actions
• Manage – manage and log security settings
• Assure – provide an enterprise platform to deploy applications securely with confidence
Oracle Solaris Security
Security in Oracle Solaris 11
Application Runtime: Immutable Zones; sandboxing with new basic privileges (net_access, file_write, file_read); further executable address space reduction; network data-link and IP anti-spoofing for Zones.
Authentication: SSH X.509 certificate support, Kerberos PKINIT (X.509), Kerberos data in LDAP. Root login disabled by default. Role authentication via user password; authentication caching.
Audit: Auditing on by default, audit policy in SMF, secure remote audit trail.
Delegation: Sudo with auditing. Fine-grained user/password/RBAC management CLI with LDAP support.
Data Security: ZFS file system, swap, dump and zvol encryption; NFSv4/NT-style ACLs; multilevel security with file labeling; IPsec/IKE policy per zone; per-zone NFS server and Kerberos realm.
Cryptography: Transparent hardware encryption for Solaris and Java; OpenSSL 4x faster; Trusted Platform Module (TPM) keystore; file integrity scanner; signed binaries and packages; Oracle Key Manager appliance integration.
Built-in, flexible, transparent, hardware assisted
Tailored Security for Applications
• Audited and delegated administration
– Restricted zone access
– Service management
• Immutable Zones: read-only file systems
• Data link and IP-layer protection
• Hardware accelerated crypto operations
– OpenSSL 5x faster than IBM
• Encrypted ZFS for data protection
– Remote key management
– ZFS encryption on T4 is
3x faster than Intel
Defense in Depth
Protect
• Kerberos Server/Client
– Kerberized applications
– Hardware cryptographic acceleration
• LDAP client
• Active Directory client
• PAM Local authentication
• SSH PKI Support
Authentication
Protect
• Automatic hardware cryptographic acceleration – Solaris, OpenSSL, Java, and RSA PKCS#11 applications
• High performance cryptography – 4.3x faster than AIX
• Confidentiality of operating system, network, and files on disk
• Reduce complexity with Solaris cryptography
• No cost ZFS dataset encryption
• Integration with Oracle Key Manager
Application to Disk Encryption
Application
• Cryptographic Framework
• OpenSSL
• Java JCE
Operating System
• Swap
• Kerberos, SASL, GSS-API
• Core utilities
Network
• SSH
• IPsec
• SSL
Data
• ZFS Datasets
• Individual files
Prevent
• Data (ZFS NTFS)
– Per file
– Per dataset
• Network
– Firewall
– Flow controls
• Zone / Virtual Machine
• Delegated Administration
Constrain Users – Restrict Access
Prevent
Role Based Access Control
• No anonymous administrators
• Administrative actions assigned to roles
• Users provided roles based on job needs
• Stops misuse/abuse
Constrain Users – Restrict Behavior
Prevent
Application Privileges
• White-list application behaviors
• Example: Server on port 80
• Granular control of applications
• Performance preserving
• Backward compatible
Isolate Application Behavior
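As an added example (not from the deck or from Oracle), this Solaris 11 shell script white-lists the privileges of a web server through its SMF method credential: it keeps net_privaddr so the daemon can bind port 80 under an unprivileged account and drops basic privileges a network daemon does not need, then audits the configured set; the instance name svc:/network/http:apache22 and the webservd account are assumptions.

```shell
#!/bin/sh
# Give a web server only the privileges it needs via its SMF method
# credential, then audit the result. Added example; the service instance and
# the account are assumptions, not taken from the deck.
set -eu

SVC="${SVC:-svc:/network/http:apache22}"   # assumed SMF service instance
RUNAS="${RUNAS:-webservd}"                 # assumed unprivileged account

# White-list: 'basic' minus process-introspection and hard-link privileges,
# plus net_privaddr so a non-root process may bind a port below 1024.
PRIVS="basic,!proc_session,!proc_info,!file_link_any,net_privaddr"

# Apply the credential to the service and refresh so the next start uses it.
configure_privileges() {
    svccfg -s "$SVC" setprop start/user = astring: "$RUNAS"
    svccfg -s "$SVC" setprop start/privileges = astring: "$PRIVS"
    svcadm refresh "$SVC"
}

# Read back the privilege set SMF hands to the start method.
privileges_of() { svcprop -p start/privileges "$1"; }

# Return 0 if the comma-separated set $1 contains the entry $2, else 1.
has_priv() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# Audit a service: it must be able to bind port 80, must not run with the
# 'all' set, and must have dropped proc_info (used to inspect other
# processes). Prints the first violation on stderr and returns 1.
audit_service() {
    p=$(privileges_of "$1")
    has_priv "$p" net_privaddr || { echo "$1: cannot bind port 80" >&2; return 1; }
    if has_priv "$p" all; then echo "$1: runs with all privileges" >&2; return 1; fi
    has_priv "$p" '!proc_info' || { echo "$1: proc_info not dropped" >&2; return 1; }
    return 0
}

case "${1:-}" in
    apply) configure_privileges ;;
    audit) audit_service "$SVC" ;;
esac
```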
Prevent
Oracle Solaris Zones
• System level isolation
• Resource management for cloud deployments
• Immutable Zones
– Read-only application container
– Allows selective sharing of data
• Multilevel security with Trusted Extensions
Isolate Virtual Systems
Prevent: Combine Privileges, Roles, Immutable Zones
Manage
Logging (Application defined)
• Syslog format
• Troubleshoot user/application problems
• Log policies
Auditing (Kernel controlled)
• Low impact
• Audit by default
• Secure transmission
• Evidence quality
Assist in Compliance
Assure
• Built-in security, not bolted on.
• Comprehensive process for software assurance
– Design, Code, Test, Maintenance
• Secure Stack of hardware + firmware + Solaris
• Security updates with monthly software release
• Open Source software code review
Deploy with Confidence
For More Information / Try Out Today
• Product overview and download
– oracle.com/solaris
• Oracle Technology Network
– oracle.com/technetwork/server-storage/solaris11
• System administrators community
– oracle.com/technetwork/systems
• @ORCL_Solaris
• facebook.com/oraclesolaris
• Oracle Solaris Insider