hp secure Linux - Inet-tr
Download
Report
Transcript hp secure Linux - Inet-tr
Trusted OS
and
Application
Security
Utku Ünal
Solution Consultant
HP Consulting
reliability
standard OS offers
performance
availability
flexibility
scalability
but lacks
security
Why firewalls are not enough?
mail server
mail server
Firewall
browser
web server
web server
Database
File Service
Network Management
application code
PointCast
ShockWave
browser
Firewalls cannot detect and block security attacks that are “embedded” in
unauthorized code unless the code has been anticipated
OS Security does contain damage to applications from these programs
OS Security complements firewalls that the organization already has in place
summary of Application &
OS Security issues
Immature E-commerce
applications rushed to market in
“Internet time” put the back-end at
risk
Off the shelf Unix & NT do not
provide sufficient risk reduction
for Web front-ends
Web servers, if compromised,
can provide an easy conduit into
your intranet and mission-critical
applications
• Linux was run on 41.8% of nonMicrosoft sites ran Linux
• January 2001 saw the first
Linux “worm” – ramen
• adore and lion followed
• worms may deface your site
and/or do other damage
so what can
you do?
so, you are concerned
about security and
reliability?
hp secure OS
software for Linux
and VirtualVault
are the solutions
hp OS security
proven protection
• deployed by over 130 of the
world’s largest banks
• protected one customer from
over 300,000 break-in attempts
in one week
• winner of Secure Computing
“Best General Security Product”
for three years
• BITS certified – met strict
criteria for financial institutions
• passed rigorous tests from
private organizations and
government entities
• hp - the first major vendor
involved in Linux development
and introduction
hp secure OS software
security/strength
of mechanisms
VirtualVault
HP-UX Bastille C2
HP-UX C2
HP Webenforcer
HP-UX, Linux
Windows
increase -- ease of use/administration, performance, compatibility – decrease
hp secure linux
what is it?
• a secure platform based on Red Hat
Linux
• flexible tools to configure security
• applications to manage security
• a wide range of services and support
what does it do?
•
•
•
•
•
•
isolates customers and applications
locks down system features
audits all system activities
provides file system protection
eases security administration
protects from most common attacks
what are the benefits?
• provides triple-layer security TM
– prevents attacks
– protects against attacks in
progress
– contains any damage
• protects a server from being:
– attacked
– compromised
– used by others
• maintains availability
how does it work?
•
•
armors standard red hat linux
server with multiple layers of
security
includes prevention,
containment and detection
sealed
compartments
web browser
•
an easy to use secure server
platform that protects key
server components
• includes OS and application
layer
applications
internal
systems
internet
Apache
hp secure Linux
data
review of major
features
• containment
• file system
protection
• system
configuration
lockdown
• auditing
• secure
administration
mode
what is it?
virtualvault
• Commercial version of a trusted,
military-grade operating system
• Securely integrated, industry-leading
Web server
• Strictly partitioned Web runtime
environment
• “Vaulted” Java Virtual Machine, CGI’s
and application gateways
trusted os
• Least privilege mechanism eliminates
the “super-user” root function
• Programs run only with specific
privileges needed for task
• Discrete set of privileges for OS system
call actions
• No inheritance of "power" between
programs--no Trojan
partitioned web runtime
• Webserver and Intranet applications
in separate compartments
• Applications and their resources
partitioned into classes - cannot
interfere with each other
• Trusted Gateway provides secure
communication between the inside
and outside compartments
how does it work?
VIRTUALVAULT
Event
Monitoring
Damage
Control
SYSTEM_HI
OUTSIDE
Back-end Application Server
INSIDE
JVM
WEB
Server
cgi
Gateway
Java Servlets
HTML
Pages
SYSTEM
Clients from Internet
(Web browsers)
application
Scripts &
binaries
review of major
features
Trusted Operating System
Eliminates privileged “root” user access
Applications run with minimum privileges
Blocks the hijacking of privileges by unauthorized code
Strictly Partitioned Web
Runtime Environment
Protects all application files
Segregates client-serving front-end from back-end
business applications
Strictly controls all cross-compartment communications
Prevents unauthorized modification of Web content
Securely Integrated
Web Server
Uses iPlanet Web Server, C2Net Apache, others
Uses minimum operating system privileges
Access to Web applications is strictly controlled
Supports 128-bit authentication, and encryption