Secure Systems Data Management
Security Presentation given by Glenn Brunette (Oracle CTO for ESG) in the Conshohocken PA, Reston VA, New York and New Jersey Solaris 11 Technology Forum events.
Comment: Latest presentation given by Glenn Brunette at the Conshohocken PA Solaris 11 Technology Forum on May 23.
Transcript

  • 1. Oracle Solaris 11: Secure Systems and Data Management. Glenn Brunette, CTO, Enterprise Systems Group. Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • 2. Agenda
      • Secure and Scalable Data Management
      • Oracle Solaris ZFS
      • What’s New in Oracle Solaris 11
      • Related Storage Technologies
      • Advanced Systems Protection
      • Oracle Solaris Security Features
  • 3. Administrative Challenges (section title slide)
  • 4. Administrative Challenges
      • Reduce costs and risks: manage data efficiently and securely
      • Increase availability: eliminate data corruption
      • Increase asset protection: protect assets and prevent attacks
  • 5. Agenda (section divider; repeats the agenda from slide 2)
  • 6. ZFS: Next Generation File System
      Oracle Solaris ZFS supports enterprise application deployments through a focus on infrastructure qualities:
      • Scalability
      • Virtualization
      • Efficiency
      • Reliability
      • Compatibility
      • Security
  • 7. ZFS: Next Generation File System (Scalability)
      • Immense capacity (128-bit): ZFS capacity is 256 quadrillion ZB (1 ZB = 1 billion TB), which exceeds the quantum limit of Earth-based storage
      • Dynamic metadata: no limits on files, directory entries, snapshots, etc.; no tuning parameters to enable expansion; parallel, constant-time directory operations
      • Pooled design: continuous future growth
  • 8. ZFS: Next Generation File System (Virtualization)
      • Pooled storage design: no partitions to manage; integrated volume management; grow/shrink automatically; all bandwidth always available, all pool storage shared
      • Parallel multi-protocol access to the same data
      • Seamlessly absorbs new storage technology: hybrid storage pools maximise the SSD investment
      • Essential infrastructure for thin provisioning
  • 9. ZFS: Next Generation File System (Reliability/Availability/Serviceability)
      A primary design goal of ZFS:
      • Copy-on-write design: data is never overwritten in place
      • Snapshots: continuous incremental data protection
      • Checksum-protected throughout the data path
      • “Self-healing” ability to replace damaged data from mirrors
      • Multiple levels of RAID protection to meet modern capacities
      • ZFS multiple boot environments underpin install and upgrade
      • End-to-end data integrity
  • 10. ZFS: Next Generation File System (Compatibility)
      • Endian-neutral: seamlessly move physical storage between SPARC and x64 platforms
      • Tightly integrated block and file protocols: CIFS, NFS, iSCSI, FC, …
      • Standards compliance: support for POSIX and for existing and emerging standards
  • 11. Agenda (section divider; repeats the agenda from slide 2)
  • 12. ZFS: New in Oracle Solaris 11 (the default, and only, root file system)
      • ZFS dataset encryption: on-disk, block-level encryption that protects against theft of physical storage and SAN man-in-the-middle attacks, and provides for secure deletion. Activated at file system create time; the passphrase or numeric key is checked when the file system is mounted.
      • ZFS deduplication: works across the entire storage pool, but can be enabled or disabled for individual datasets
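Because encryption is chosen at dataset creation time and keyed at mount time, a defender's first question is usually "which datasets are actually encrypted, and where does their key come from?". The following script is an added example (not code from the deck or from Oracle) that answers it from `zfs get` output. It assumes the Oracle Solaris 11 form of `zfs get -H -o name,property,value encryption,keysource` (one tab-separated name/property/value triple per line) and the Solaris 11 `keysource` syntax of `<format>,<locator>` such as `passphrase,prompt` or `raw,file:///path`; the sample output, the dataset names and the "protected roots" policy are constructed for the example.

```python
r"""Audit ZFS dataset encryption settings from `zfs get` output.

Added example; not from the deck. Assumes the Oracle Solaris 11 form of
`zfs get -H -o name,property,value encryption,keysource` (tab-separated
name/property/value triples) and the keysource syntax <format>,<locator>
("passphrase,prompt", "raw,file:///path", ...). The output below is
constructed sample data, not captured from a real system.
"""
from typing import Dict, Iterable, List, Tuple

SAMPLE_ZFS_GET = "\n".join([
    "rpool\tencryption\toff",
    "rpool\tkeysource\tnone",
    "rpool/export/home\tencryption\taes-256-ccm",
    "rpool/export/home\tkeysource\tpassphrase,prompt",
    "tank/db\tencryption\ton",
    "tank/db\tkeysource\traw,file:///etc/zfs/keys/tank_db",
    "tank/scratch\tencryption\toff",
    "tank/scratch\tkeysource\tnone",
])

Finding = Tuple[str, str, str]  # (dataset, finding code, explanation)


def parse_zfs_get(text: str) -> Dict[str, Dict[str, str]]:
    """Group `zfs get -H` lines into {dataset: {property: value}}."""
    props: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, prop, value = line.split("\t", 2)
        props.setdefault(name, {})[prop] = value
    return props


def under_roots(name: str, roots: Iterable[str]) -> bool:
    """True if dataset `name` is one of `roots` or a descendant of one."""
    return any(name == r or name.startswith(r + "/") for r in roots)


def audit_encryption(props, required_roots) -> List[Finding]:
    """Flag datasets that violate a (hypothetical) encryption policy.

    - Datasets under `required_roots` must not have encryption=off.
    - An encrypted dataset keyed through an interactive prompt needs an
      operator present at mount/boot time (availability caveat).
    - An encrypted dataset keyed from a file:// locator is only as safe as
      that file's location: if it sits on the protected disks, theft of
      the disks also yields the key.
    """
    findings: List[Finding] = []
    for name in sorted(props):
        p = props[name]
        if p.get("encryption", "off") == "off":
            if under_roots(name, required_roots):
                findings.append((name, "unencrypted",
                                 "dataset under a protected root has encryption=off"))
            continue
        fmt, _, locator = p.get("keysource", "none").partition(",")
        if locator == "prompt":
            findings.append((name, "key-prompt",
                             f"{fmt} key is requested interactively; mount needs an operator"))
        elif locator.startswith("file://"):
            findings.append((name, "key-file",
                             f"{fmt} key read from {locator}; keep it off the protected storage"))
    return findings


if __name__ == "__main__":
    report = audit_encryption(parse_zfs_get(SAMPLE_ZFS_GET), ["tank", "rpool/export/home"])
    for dataset, code, why in report:
        print(f"{dataset:20} {code:12} {why}")
```

On a real host you would feed the script the live `zfs get -H` output instead of `SAMPLE_ZFS_GET`; the "key-file" finding is deliberately a review item rather than a failure, since a key file on removable media or a separate encrypted volume is a legitimate design.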
  • 13. ZFS: New in Oracle Solaris 11 (the default, and only, root file system)
      • ZFS shadow migration: move data from legacy file systems in the live environment
      • ZFS backup with NDMP: ZFS volumes can now be backed up with the Oracle Solaris Network Data Management Protocol (NDMP), using zfs send and zfs receive
      • Temporary ZFS mounts: mount a ZFS file system temporarily at a location other than its persistent mount point
  • 14. ZFS: New in Oracle Solaris 11 (the default, and only, root file system)
      • zfs snap: a convenient alias for zfs snapshot
      • zfs diff: list the differences between two ZFS snapshots
      • Recursive ZFS send: zfs send a ZFS dataset together with its descendants
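Snapshots plus `zfs diff` give a cheap file-integrity baseline: snapshot a dataset, and later diff the old snapshot against a new one to see exactly which files were modified, added, removed or renamed. The parser below is an added example, not code from the deck or from Oracle. It assumes the Oracle Solaris 11 `zfs diff` line format: a change indicator (`M` modified, `+` added, `-` removed, `R` renamed), a tab, then the path, with renames shown as `old -> new` and special characters in names escaped as a backslash followed by four octal digits (`\0040` for a space). The diff output, paths and watch-list are constructed sample data.

```python
r"""Turn `zfs diff` output into a change set for snapshot-based change detection.

Added example, not from the deck. Assumes the Oracle Solaris 11 `zfs diff`
line format: indicator (M, +, -, R), tab, path; renames as "old -> new";
special characters escaped as a backslash plus four octal digits
(\0040 is a space). SAMPLE_ZFS_DIFF is constructed, not captured output.
"""
import posixpath
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

OCTAL_ESCAPE = re.compile(r"\\([0-7]{4})")

SAMPLE_ZFS_DIFF = "\n".join([
    "M\t/tank/home/alice/.profile",
    "+\t/tank/home/alice/bin/helper",
    "-\t/tank/home/bob/old\\0040notes.txt",
    "R\t/tank/home/carol/draft -> /tank/home/carol/final",
    "M\t/tank/home/bob/.ssh/authorized_keys",
])


@dataclass
class Change:
    kind: str                      # 'M', '+', '-' or 'R'
    path: str
    new_path: Optional[str] = None  # only set for renames


def unescape(path: str) -> str:
    """Decode the backslash-octal escapes zfs diff uses for special characters."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), path)


def parse_zfs_diff(text: str) -> List[Change]:
    """Parse zfs diff output into Change records."""
    changes: List[Change] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, rest = line.split("\t", 1)
        if kind == "R":
            old, new = rest.split(" -> ", 1)
            changes.append(Change("R", unescape(old), unescape(new)))
        else:
            changes.append(Change(kind, unescape(rest)))
    return changes


def summarize(changes: Sequence[Change]) -> Dict[str, int]:
    """Count changes by kind, e.g. {'M': 2, '+': 1, '-': 1, 'R': 1}."""
    return dict(Counter(c.kind for c in changes))


def flag_changes(changes, prefixes=(), names=()) -> List[Change]:
    """Return changes that touch a watched path prefix or a watched file name.

    A rename is checked on both its old and its new path, so a file moved
    into a watched directory is not missed.
    """
    prefixes = tuple(prefixes)
    flagged: List[Change] = []
    for c in changes:
        paths = [c.path] + ([c.new_path] if c.new_path else [])
        if any(p.startswith(prefixes) or posixpath.basename(p) in names for p in paths):
            flagged.append(c)
    return flagged


if __name__ == "__main__":
    changes = parse_zfs_diff(SAMPLE_ZFS_DIFF)
    print(summarize(changes))
    for c in flag_changes(changes, prefixes=("/tank/home/alice/bin",), names=("authorized_keys",)):
        print(c.kind, c.path, c.new_path or "")
```

The watch-list is where the detection value lies: a modified `authorized_keys` or a new executable under a user's `bin` directory is worth an alert even when the bulk of the diff is routine.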
  • 15. Agenda (section divider; repeats the agenda from slide 2)
  • 16. Other Data Management
      • Many other file systems are supported as non-root file systems: UFS, Oracle ASM, NFS, VxFS, and many others…
      • Symantec NetBackup is already supported as a solution
      • The COMSTAR (Common Multiprotocol SCSI Target) framework allows sharing over many storage protocols, including iSCSI and iSER, FCoE, SRP, and FCoIB, all built on the ZFS foundation and its services
  • 17. Agenda (section divider; repeats the agenda from slide 2)
  • 18. Advanced Protection: Oracle Solaris Security
      • Integrated with all the other Solaris features: Zones, ZFS, SMF, networking, Automated Install, IPS, and many others; installs and boots secure by default; the layered defense in depth gives the highest levels of containment
      • Protect: protect data and the access to it
      • Prevent: contain user and application actions
      • Manage: manage and log security settings
      • Assure: provide an enterprise platform on which to deploy applications securely with confidence
  • 19. Security in Oracle Solaris 11: built-in, flexible, transparent, hardware assisted
      • Application and runtime: Immutable Zones; sandboxing with new basic privileges (net_access, file_write, file_read); further executable address space reduction; network data-link and IP anti-spoofing for zones
      • Authentication: SSH X.509 certificate support; Kerberos PKINIT (X.509); Kerberos data in LDAP; root login disabled by default; role authentication via the user’s password; authentication caching
      • Audit: auditing on by default; audit policy in SMF; secure remote audit trail; sudo with auditing; fine-grained user/password/RBAC management CLI with LDAP delegation support
      • Data security: ZFS file system, swap, dump and zvol encryption; NFSv4/NT-style ACLs; multilevel security with file labeling; IPsec/IKE policy per zone; per-zone NFS server and Kerberos realm
      • Cryptography: transparent hardware encryption for Solaris and Java; OpenSSL 4x faster; Trusted Platform Module (TPM) keystore; file integrity scanner; signed binaries and packages; Oracle Key Manager appliance integration
  • 20. Tailored Security for Applications: Defense in Depth
      • Audited and delegated administration: restricted zone access; service management
      • Immutable Zones: read-only file systems
      • Data-link and IP-layer protection
      • Hardware-accelerated crypto operations: OpenSSL 5x faster than IBM
      • Encrypted ZFS for data protection: remote key management; ZFS encryption on T4 is 3x faster than Intel
  • 21. Protect: Authentication
      • Kerberos server/client: Kerberized applications; hardware cryptographic acceleration
      • LDAP client
      • Active Directory client
      • PAM local authentication
      • SSH PKI support
  • 22. Protect: Application to Disk Encryption
      • Cryptographic Framework, layer by layer: Application (OpenSSL, Java JCE, PKCS#11 applications, Kerberos/SASL/GSS-API, core utilities); Operating System (swap); Network (SSH, IPsec, SSL); Data (ZFS datasets, individual files)
      • Automatic hardware cryptographic acceleration for Solaris, OpenSSL, Java, and RSA
      • High-performance cryptography: 4.3x faster than AIX
      • Confidentiality of operating system, network, and files on disk
      • Reduce complexity with Solaris cryptography
      • No-cost ZFS dataset encryption
      • Integration with Oracle Key Manager
  • 23. Prevent: Constrain Users, Restrict Access
      • Data (ZFS, NTFS): per file; per dataset
      • Network: firewall; flow controls
      • Zone / virtual machine
      • Delegated administration
  • 24. Prevent: Constrain Users, Restrict Behavior (Role Based Access Control)
      • No anonymous administrators
      • Administrative actions assigned to roles
      • Users are given roles based on job needs
      • Stops misuse/abuse
  • 25. Prevent: Isolate Application Behavior (Application Privileges)
      • White-list application behaviors (example: a server on port 80)
      • Granular control of applications
      • Performance preserving
      • Backward compatible
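The "server on port 80" example on this slide and the new basic privileges on slide 19 fit together: the allow-list for such a server is the basic set without `file_write`, plus `net_privaddr` so it can bind a port below 1024. The checker below is an added example, not code from the deck or from Oracle, for verifying that a running process actually holds no more than that. It assumes the Oracle Solaris 11 `ppriv` listing format (one line each for the E effective, I inheritable, P permitted and L limit sets) and its compact set notation, where `basic` expands to the basic set, `!name` removes a privilege and `all` is the unbounded set; the basic set used is the Solaris 11 one. The sample listing, the process path and the web-server allow-list are constructed for the example.

```python
"""Check a process's Solaris privilege sets against a per-workload allow-list.

Added example, not from the deck. Assumes the Oracle Solaris 11 `ppriv`
listing format (E/I/P/L set lines) and set notation ("basic", "!name",
"all"). SAMPLE_PPRIV and WEB_SERVER_ALLOWED are constructed, not real.
"""
import re
from typing import Dict, Iterable, Optional, Set

# Solaris 11 basic privilege set (includes the net_access, file_read and
# file_write privileges the deck lists as new).
BASIC = frozenset({
    "file_link_any", "file_read", "file_write", "net_access",
    "proc_exec", "proc_fork", "proc_info", "proc_session",
})

# Hypothetical policy for "a server on port 80": basic minus the ability to
# write files, plus net_privaddr so it may bind a port below 1024.
WEB_SERVER_ALLOWED = frozenset((BASIC - {"file_write"}) | {"net_privaddr"})

SAMPLE_PPRIV = "\n".join([
    "4242:\t/opt/demo/bin/httpd",
    "flags = <none>",
    "\tE: basic,net_privaddr,sys_admin",
    "\tI: basic",
    "\tP: basic,net_privaddr,sys_admin",
    "\tL: all",
])

SET_LINE = re.compile(r"^\s*([EIPL]):\s*(.*)$")


def expand_set(spec: str) -> Optional[Set[str]]:
    """Expand 'basic,!file_write,net_privaddr' into explicit privilege names.

    Returns None for the unbounded set ("all"), as seen on a typical L line.
    """
    privs: Set[str] = set()
    for token in spec.split(","):
        token = token.strip()
        if not token or token == "none":
            continue
        negate = token.startswith("!")
        name = token.lstrip("!")
        if name == "all":
            return None
        members = set(BASIC) if name == "basic" else {name}
        if negate:
            privs -= members
        else:
            privs |= members
    return privs


def parse_ppriv(text: str) -> Dict[str, Optional[Set[str]]]:
    """Extract the E/I/P/L sets from a ppriv listing."""
    sets: Dict[str, Optional[Set[str]]] = {}
    for line in text.splitlines():
        m = SET_LINE.match(line)
        if m:
            sets[m.group(1)] = expand_set(m.group(2))
    return sets


def excess_privileges(sets, allowed: Iterable[str]) -> Set[str]:
    """Privileges the process can use now (E) or regain later (P) beyond the allow-list.

    An unbounded E or P set ("all") is reported as the single token "all".
    """
    allowed = set(allowed)
    excess: Set[str] = set()
    for key in ("E", "P"):
        s = sets.get(key, set())
        if s is None:
            return {"all"}
        excess |= s - allowed
    return excess


if __name__ == "__main__":
    sets = parse_ppriv(SAMPLE_PPRIV)
    print("excess over the web-server allow-list:",
          sorted(excess_privileges(sets, WEB_SERVER_ALLOWED)))
```

Checking P as well as E matters: a process whose effective set looks tight but whose permitted set still contains a privilege can re-enable it, so the allow-list has to hold for both.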
  • 26. Prevent: Isolate Virtual Systems (Oracle Solaris Zones)
      • System-level isolation
      • Resource management for cloud deployments
      • Immutable Zones: read-only application container; allows selective sharing of data
      • Multilevel security with Trusted Extensions
  • 27. Prevent: Combine Privileges, Roles, and Immutable Zones (title slide)
  • 28. Manage: Assist in Compliance
      • Logging (application defined): syslog format; troubleshoot problems; log policies
      • Auditing (kernel controlled): low impact; audit by default for users and applications; secure transmission; evidence quality
  • 29. Assure: Deploy with Confidence
      • Built-in security, not bolted on
      • Comprehensive process for software assurance: design, code, test, maintenance
      • Secure stack of hardware + firmware + Solaris
      • Security updates with the monthly software release
      • Open source software code review
  • 30. For More Information / Try Out Today
      • Product overview and download: oracle.com/solaris
      • Oracle Technology Network: oracle.com/technetwork/server-storage/solaris11
      • System administrators community: oracle.com/technetwork/systems
      • @ORCL_Solaris
      • facebook.com/oraclesolaris
      • Oracle Solaris Insider
  • 31. (Closing slide)