Meeting Security Demands with SPARC and Sun x86 Servers


Meeting Security Demands with SPARC and Sun x86 ServersGlenn BrunetteRamesh NagappanNancy Swanson


The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Security Topics

Secure Isolation

TopSecurity Issues

Access andAdministration

Data Protection

Monitoringand Auditing


Secure Isolation


Oracle Solaris Workload Isolation


Oracle Solaris 11 Immutable Zones

Lightweight Kernel-MediatedVirtualization

Supporting 4 Distinct Levelsof Immutability

Prevents Accidental andMalicious Changes

Fully Integrated with Solaris(Create, Update, etc.)


Comprehensive Isolation At Every Layer


DataProtection


SPARC T3/T2/T1 On Chip Accelerators

Sun CryptoAccelerator 6000Hardware Security Module

SPARC T4 On Core Crypto Instructions

Third Party Accelerators andHardware Security Modules

Oracle Database 11g - Transparent Data Encryption

Oracle Fusion Middleware 11g

Java JCEPKCS#11 Provider

pkcs11_softtoken.so

ApacheWeb Server

OpenSSLShared Libraries

libpkcs11.so

Pluggable Interface libpkcs11_kernel.so

Service Provider Interface

Softtoken Key Store$HOME/.sunw

Application

User

KernelScheduler and Load Balancer

libsoftcrypto.so

Oracle Solaris Cryptographic Framework


SPARC Hardware Cryptographic Acceleration

Processor / Mechanisms UltraSPARC T2/ T2+ SPARC T3 SPARC T4

Asymmetric / Public Key Encryption

RSA, DSA, ECC RSA, DH, DSA, ECC RSA, DH, DSA, ECC

Symmetric Key / Bulk Encryption

AES, DES, 3DES, RC4AES, DES, 3DES,

KasumiAES, DES, 3DES, Camellia, Kasumi

Message Digest / Hash Functions

MD5, SHA-1, SHA- 256

CRC32c, MD5, SHA-1, SHA-256, SHA-

384, SHA-512

CRC32c, MD5, SHA-1, SHA-224, SHA-

256, SHA-384, SHA-512

Random Number Generation

Supported Supported Supported

APISupport

PKCS#11Standard

PKCS#11 Standard

PKCS#11 Standard, uCrypto API


SPARC T4 Cryptographic AccelerationSignificant Performance Gains for SSL (Using Hardware)

• Two-way SSL• RSA-2048• AES-256


End-to-End Security Scenario on SPARC T4

SPARC T4 hardware assisted cryptography can be used to perform most encryption operations automatically:

– Negligible performance overhead

– Solaris PKCS#11 Softtoken acts as a unified key store (Under FIPS evaluation)


End to End Security Performance on SPARC T4Multi-tier Application Security Scenario With Encrypted ZFS File System

1000

1200

1400

1600

# of Requests per Second using Two-way SSL, RSA-1024 (SSL, No KeepAlive), AES-128 (ZFS Crypto)


Fusion Middleware Security On SPARC T4

JAX-WS Application, WS-SecurityPolicy – Basic256, Two-way SSL (SSL Cipher - TLS_RSA_WITH_AES_128_CBC_SHA)


Intel AES-NI: WebLogic SSL PerformanceSSL Performance Gains With Oracle Solaris 11 on Intel

CPU Utilization (Software SSL vs Solaris PKCS#11)

CPU (%)

SSL vs. No SSL

Requests/sec

• Oracle WebLogic 10.3.4 (Solaris 11 GA)• JDK 6u26 (Java PKCS#11 provider)• Two-way SSL w. RSA-2048 & AES-256• Oracle Sun X4270 server

1 2 3 4 5 6 7 8 90

20

40

60

80

100

120

140

No SSL

SSL (Intel AES-NI/Solaris X64)

1 2 3 4 5 6 7 8 90%

2%

4%

6%

8%

10%

12%

14%

Software SSL

SSL (Intel AES-NI/Solaris X64)


Access andAdministration


Oracle Solaris Role-based Access Control

Rights Profiles

Authorizations

solaris.system.shutdown

Commands (/usr/sbin/ipf:privs=sys_ip_config)

POSIX Permissions

Real and EffectiveUIDs and GIDs

Privileges

file_dac_read, net_access

Solaris Users Solaris Roles


Auditing and Monitoring


Oracle Solaris Auditing

<record version="2” event="sudo(1M) execution” host="pleiades” iso8601="2011-11-21 15:01:30.050 -05:00”> <subject audit-uid="gbrunett” uid="root" gid="staff” ruid="gbrunett" rgid="101” pid="27014" sid="2127539483” tid="4082 5632 192.168.1.1"/> <exec_args> <arg>pkg</arg> <arg>image-update</arg></exec_args> <return errval="success" retval="0"/></record>


Non-Global Zone

Oracle Solaris 11 Defense in Depth

A

Binaries and Libraries

Configuration Files

Temporary and Log Files

Application Data

ZFS EncryptedData Set(s)

A

Delegated Application Administration

Secure by Default / OS Hardening

Service Hardening,Encrypted Comms,Limited Privileges



Encrypted Root

Limited Resources

Delegated Admin.

Monitoring / Auditing

Network Security



Virtual Networking (w/QoS and Data Link Protection)

Encrypted Root

Limited Resources

Delegated Admin.


Network Security

Encrypted Root

Limited Resources

Delegated Admin.


Network Security

Encrypted Root

Limited Resources

Delegated Admin.


Network Security


Solaris 11 Instance (Global Zone)



Delegated Administration

Hardware Accel. Cryptography


Oracle Sun SPARC SuperCluster T4-4


SPARC SuperCluster T4-4 Security


For More Information

SPARC SuperCluster Security Principles and Capabilitieshttp://www.oracle.com/technetwork/articles/servers-storage-admin/supercluster-security-1723872.html

http://www.oracle.com/technetwork/articles/servers-storage-admin/supercluster-security-1723872.html




Questions

Meeting Security Demands with SPARC and Sun x86 Servers

Technology

Transcript of Meeting Security Demands with SPARC and Sun x86 Servers