Meeting Security Demands with SPARC and Sun x86 Servers
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Glenn Brunette, Ramesh Nagappan, Nancy Swanson
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Security Topics
Top Security Issues
Secure Isolation
Access and Administration
Data Protection
Monitoring and Auditing
Secure Isolation
Oracle Solaris Workload Isolation
Oracle Solaris 11 Immutable Zones
Lightweight Kernel-Mediated Virtualization
Supporting 4 Distinct Levels of Immutability (zonecfg file-mac-profile: none, strict, fixed-configuration, flexible-configuration)
Prevents Accidental and Malicious Changes
Fully Integrated with Solaris (Create, Update, etc.)
Comprehensive Isolation At Every Layer
Data Protection
Oracle Solaris Cryptographic Framework (architecture figure, layers from top to bottom)
Applications: Oracle Database 11g Transparent Data Encryption; Oracle Fusion Middleware 11g; Java JCE PKCS#11 Provider; Apache Web Server; OpenSSL Shared Libraries
User level: libpkcs11.so (Pluggable Interface) dispatching to pkcs11_softtoken.so (Softtoken Key Store in $HOME/.sunw), libsoftcrypto.so and libpkcs11_kernel.so
Kernel: Scheduler and Load Balancer; Service Provider Interface
Hardware: SPARC T1/T2/T3 On-Chip Accelerators; SPARC T4 On-Core Crypto Instructions; Sun Crypto Accelerator 6000 Hardware Security Module; Third-Party Accelerators and Hardware Security Modules
SPARC Hardware Cryptographic Acceleration (mechanisms by processor)
Asymmetric / Public Key Encryption
  UltraSPARC T2/T2+: RSA, DSA, ECC
  SPARC T3: RSA, DH, DSA, ECC
  SPARC T4: RSA, DH, DSA, ECC
Symmetric Key / Bulk Encryption
  UltraSPARC T2/T2+: AES, DES, 3DES, RC4
  SPARC T3: AES, DES, 3DES, Kasumi
  SPARC T4: AES, DES, 3DES, Camellia, Kasumi
Message Digest / Hash Functions
  UltraSPARC T2/T2+: MD5, SHA-1, SHA-256
  SPARC T3: CRC32c, MD5, SHA-1, SHA-256, SHA-384, SHA-512
  SPARC T4: CRC32c, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
Random Number Generation
  UltraSPARC T2/T2+, SPARC T3, SPARC T4: Supported
API Support
  UltraSPARC T2/T2+: PKCS#11 Standard
  SPARC T3: PKCS#11 Standard
  SPARC T4: PKCS#11 Standard, uCrypto API
SPARC T4 Cryptographic Acceleration
Significant Performance Gains for SSL (Using Hardware)
• Two-way SSL
• RSA-2048
• AES-256
End-to-End Security Scenario on SPARC T4
SPARC T4 hardware-assisted cryptography can be used to perform most encryption operations automatically:
– Negligible performance overhead
– Solaris PKCS#11 Softtoken acts as a unified key store (Under FIPS evaluation)
End-to-End Security Performance on SPARC T4
Multi-tier Application Security Scenario With Encrypted ZFS File System
[Chart: # of Requests per Second using Two-way SSL, RSA-1024 (SSL, No KeepAlive), AES-128 (ZFS Crypto)]
Fusion Middleware Security On SPARC T4
JAX-WS Application, WS-SecurityPolicy – Basic256, Two-way SSL (SSL Cipher - TLS_RSA_WITH_AES_128_CBC_SHA)
Intel AES-NI: WebLogic SSL Performance
SSL Performance Gains With Oracle Solaris 11 on Intel
• Oracle WebLogic 10.3.4 (Solaris 11 GA)
• JDK 6u26 (Java PKCS#11 provider)
• Two-way SSL w. RSA-2048 & AES-256
• Oracle Sun X4270 server
[Chart: SSL vs. No SSL, Requests/sec; series: No SSL, SSL (Intel AES-NI/Solaris X64)]
[Chart: CPU Utilization (Software SSL vs Solaris PKCS#11), CPU (%); series: Software SSL, SSL (Intel AES-NI/Solaris X64)]
Access and Administration
Oracle Solaris Role-based Access Control
Solaris Users and Solaris Roles are granted:
Rights Profiles, which bundle
  Authorizations (e.g. solaris.system.shutdown)
  Commands with security attributes (e.g. /usr/sbin/ipf:privs=sys_ip_config)
Privileges (e.g. file_dac_read, net_access)
POSIX Permissions (Real and Effective UIDs and GIDs)
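The resolution the slide sketches (user or role, to rights profiles, to authorizations and commands carrying privileges) as a small resolver over the three RBAC databases. This is an added example, not code from the Oracle deck: the user_attr, prof_attr and exec_attr rows below are constructed, the profile and command names are assumptions chosen to mirror the slide, and the field layouts follow the user_attr(4), prof_attr(4) and exec_attr(4) manual pages. The "Basic Solaris User" default mirrors PROFS_GRANTED_DEFAULT in policy.conf on a stock system.

```python
"""Resolve what a Solaris RBAC user or role may do, from constructed RBAC databases.

Added example, not code from the Oracle deck. Field layouts:
  user_attr : user:qualifier:res1:res2:attr
  prof_attr : profname:res1:res2:desc:attr
  exec_attr : profname:policy:type:res1:res2:id:attr
"""
import fnmatch

# Constructed sample rows (assumptions for illustration, not real system files).
USER_ATTR = """\
root::::type=normal;auths=solaris.*;profiles=All
gbrunett::::type=normal;profiles=Network Management,Zone Management;roles=root
"""

PROF_ATTR = """\
All:::Execute any command as the user or role:help=RtAll.html
Basic Solaris User:::Automatically assigned rights:auths=solaris.mail.mailq;profiles=All
Network Management:::Manage the host and network configuration:auths=solaris.network.*;profiles=Name Service Management
Name Service Management:::Manage name-service configuration:auths=solaris.smf.manage.name-service.*
Zone Management:::Zones Virtual Application Environment Administration:auths=solaris.zone.*
Maintenance and Repair:::Maintain and repair a system:auths=solaris.system.shutdown
"""

EXEC_ATTR = """\
Network Management:solaris:cmd:::/usr/sbin/ipf:privs=sys_ip_config
Network Management:solaris:cmd:::/usr/sbin/ipadm:privs=sys_ip_config,net_rawaccess
Zone Management:solaris:cmd:::/usr/sbin/zoneadm:uid=0
Maintenance and Repair:solaris:cmd:::/usr/sbin/shutdown:uid=0
All:solaris:cmd:::*:
"""


def _parse_attr(field):
    """'k=v;k2=a,b' -> {'k': ['v'], 'k2': ['a', 'b']}."""
    out = {}
    for kv in field.split(";"):
        if kv:
            k, _, v = kv.partition("=")
            out[k] = [x for x in v.split(",") if x]
    return out


def _rows(text):
    return [l for l in text.splitlines() if l and not l.startswith("#")]


def load_user_attr(text):
    return {r.split(":", 4)[0]: _parse_attr(r.split(":", 4)[4]) for r in _rows(text)}


def load_prof_attr(text):
    return {r.split(":", 4)[0]: _parse_attr(r.split(":", 4)[4]) for r in _rows(text)}


def load_exec_attr(text):
    """profile -> [(command id, attrs)] in file order; only type 'cmd' entries."""
    execs = {}
    for r in _rows(text):
        prof, _policy, typ, _r1, _r2, ident, attr = r.split(":", 6)
        if typ == "cmd":
            execs.setdefault(prof, []).append((ident, _parse_attr(attr)))
    return execs


USERS, PROFS, EXECS = load_user_attr(USER_ATTR), load_prof_attr(PROF_ATTR), load_exec_attr(EXEC_ATTR)


def effective_profiles(user, users=USERS, profs=PROFS, defaults=("Basic Solaris User",)):
    """Profiles in search order: the user's own profiles first, each expanded
    depth-first through its 'profiles=' attribute, then the policy.conf defaults."""
    order = []
    pending = list(users.get(user, {}).get("profiles", [])) + list(defaults)
    while pending:
        p = pending.pop(0)
        if p in order or p not in profs:
            continue
        order.append(p)
        pending = list(profs[p].get("profiles", [])) + pending   # nested profiles right after their parent
    return order


def has_auth(user, auth, users=USERS, profs=PROFS):
    """Authorization check with wildcard entries: a granted 'solaris.network.*'
    covers 'solaris.network.link.security'. Authorizations ending in 'grant'
    (delegation rights) are handled conservatively here: exact match only."""
    granted = list(users.get(user, {}).get("auths", []))
    for p in effective_profiles(user, users, profs):
        granted += profs[p].get("auths", [])
    if auth.endswith("grant"):
        return auth in granted
    return any(fnmatch.fnmatchcase(auth, g) for g in granted)


def command_entry(user, cmd, users=USERS, profs=PROFS, execs=EXECS):
    """First exec_attr match for cmd in profile search order, as (profile, attrs).
    First match wins: if 'All' (id '*') is searched before a specific profile,
    the command runs with no privs=/uid= attributes at all."""
    for p in effective_profiles(user, users, profs):
        for ident, attrs in execs.get(p, []):
            if ident == cmd or ident == "*":
                return p, attrs
    return None


if __name__ == "__main__":
    for c in ("/usr/sbin/ipf", "/usr/sbin/zoneadm", "/usr/sbin/shutdown"):
        print(c, "->", command_entry("gbrunett", c))
    print("solaris.system.shutdown:", has_auth("gbrunett", "solaris.system.shutdown"))
```

Compare the output against `profiles -l gbrunett` on a real host. The point to notice is the search order: exec_attr matching stops at the first hit, so a profile that grants `*` (such as All) listed before a specific profile silently strips the privs= and uid= attributes from every command behind it.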
Auditing and Monitoring
Oracle Solaris Auditing
<record version="2" event="sudo(1M) execution" host="pleiades" iso8601="2011-11-21 15:01:30.050 -05:00">
  <subject audit-uid="gbrunett" uid="root" gid="staff" ruid="gbrunett" rgid="101" pid="27014" sid="2127539483" tid="4082 5632 192.168.1.1"/>
  <exec_args>
    <arg>pkg</arg>
    <arg>image-update</arg>
  </exec_args>
  <return errval="success" retval="0"/>
</record>
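Working over the record above, an added example (not from the deck) that parses praudit -x style XML and flags every action whose effective uid differs from the audit uid. SAMPLE is constructed: the first record is the one on the slide, the other two are invented (a plain ls and a failed useradd) to show a non-elevated and an unsuccessful case. The enclosing <audit> wrapper element and the SENSITIVE triage list are this example's own assumptions, not Solaris definitions.

```python
"""Flag privilege elevation in Solaris audit records (praudit -x XML layout).

Added example, not code from the Oracle deck. SAMPLE is constructed; the
SENSITIVE tuple is a triage heuristic chosen for this example.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE = """<audit>
<record version="2" event="sudo(1M) execution" host="pleiades" iso8601="2011-11-21 15:01:30.050 -05:00">
<subject audit-uid="gbrunett" uid="root" gid="staff" ruid="gbrunett" rgid="101" pid="27014" sid="2127539483" tid="4082 5632 192.168.1.1"/>
<exec_args><arg>pkg</arg><arg>image-update</arg></exec_args>
<return errval="success" retval="0"/>
</record>
<record version="2" event="execve(2)" host="pleiades" iso8601="2011-11-21 15:02:10.001 -05:00">
<subject audit-uid="gbrunett" uid="gbrunett" gid="staff" ruid="gbrunett" rgid="101" pid="27020" sid="2127539483" tid="4082 5632 192.168.1.1"/>
<path>/usr/bin/ls</path>
<exec_args><arg>ls</arg><arg>-l</arg></exec_args>
<return errval="success" retval="0"/>
</record>
<record version="2" event="sudo(1M) execution" host="pleiades" iso8601="2011-11-21 15:03:44.120 -05:00">
<subject audit-uid="gbrunett" uid="root" gid="staff" ruid="gbrunett" rgid="101" pid="27031" sid="2127539483" tid="4082 5632 192.168.1.1"/>
<exec_args><arg>useradd</arg><arg>-u</arg><arg>0</arg><arg>backdoor</arg></exec_args>
<return errval="failure" retval="1"/>
</record>
</audit>
"""

# Commands worth a high-severity finding when run with an elevated uid (example heuristic).
SENSITIVE = ("pkg", "useradd", "usermod", "roleadd", "rolemod", "zonecfg", "zoneadm", "auditconfig", "svcadm")


def parse_records(xml_text):
    """Each <record> becomes a flat dict; exec_args are kept in order."""
    out = []
    for rec in ET.fromstring(xml_text).iter("record"):
        subj = rec.find("subject")
        ret = rec.find("return")
        out.append({
            "event": rec.get("event"),
            "time": rec.get("iso8601"),
            "host": rec.get("host"),
            "audit_uid": subj.get("audit-uid"),   # login identity, fixed for the session
            "uid": subj.get("uid"),               # effective uid the action ran with
            "sid": subj.get("sid"),               # audit session id
            "tid": subj.get("tid"),               # terminal id as recorded
            "args": [a.text for a in rec.findall("./exec_args/arg")],
            "ok": ret is not None and ret.get("errval") == "success",
        })
    return out


def is_elevated(rec):
    """True when the effective uid differs from the audit uid (su, sudo, role
    assumption). The audit uid is set at login and cannot be changed by the
    process, so it ties every privileged action back to the real person."""
    return rec["uid"] != rec["audit_uid"]


def findings(records):
    """One finding per elevated record; failed attempts are kept on purpose."""
    out = []
    for r in records:
        if not is_elevated(r):
            continue
        cmd = r["args"][0] if r["args"] else "?"
        out.append({
            "time": r["time"], "host": r["host"], "who": r["audit_uid"], "as": r["uid"],
            "cmd": " ".join(r["args"]), "ok": r["ok"], "sid": r["sid"],
            "severity": "high" if cmd in SENSITIVE else "medium",
        })
    return out


def sessions(records):
    """sid -> chronological (time, audit_uid, uid, cmd): rebuilds what one login
    session did across ordinary and elevated commands."""
    by = defaultdict(list)
    for r in records:
        by[r["sid"]].append((r["time"], r["audit_uid"], r["uid"], " ".join(r["args"])))
    return {k: sorted(v) for k, v in by.items()}


if __name__ == "__main__":
    for f in findings(parse_records(SAMPLE)):
        print("{severity:6} {time} {who}->{as} {cmd!r} success={ok}".format(**f))
```

On a live system the input comes from `auditreduce ... | praudit -x`. Keying on audit-uid rather than uid is the whole point: a record with uid="root" still names the user who logged in and ran the command, and the failed useradd is reported just like the successful pkg image-update.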
Oracle Solaris 11 Defense in Depth
Non-Global Zone holding the application: Binaries and Libraries; Configuration Files; Temporary and Log Files; Application Data, stored on ZFS Encrypted Data Set(s)
Delegated Application Administration
Secure by Default / OS Hardening
Service Hardening, Encrypted Comms, Limited Privileges
Oracle Solaris 11 Defense in Depth
Per non-global zone: Encrypted Root; Limited Resources; Delegated Admin.; Monitoring / Auditing; Network Security
Multiple such zones connected by Virtual Networking (w/QoS and Data Link Protection)
Oracle Solaris 11 Defense in Depth
Solaris 11 Instance (Global Zone): Monitoring / Auditing; Delegated Administration; Hardware Accel. Cryptography
Oracle Sun SPARC SuperCluster T4-4
SPARC SuperCluster T4-4 Security
For More Information
SPARC SuperCluster Security Principles and Capabilities
http://www.oracle.com/technetwork/articles/servers-storage-admin/supercluster-security-1723872.html
Questions