Meeting Security Demands with SPARC and Sun x86 Servers

Security concerns continue to be a top CIO priority. Oracle’s SPARC and Sun x86 servers and engineered systems deliver highly integrated technologies that directly address these concerns. In this session, you will learn how advanced security, virtualization, and integrated management features are built into Oracle servers and engineered systems to enable secure processing at the highest levels of performance.

Published in: Technology
  1. Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
  2. Meeting Security Demands with SPARC and Sun x86 Servers
     Glenn Brunette, Ramesh Nagappan, Nancy Swanson
  3. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
  4. Security Topics (top security issues)
     • Secure Isolation
     • Data Protection
     • Access and Administration
     • Monitoring and Auditing
  5. Secure Isolation
  6. Oracle Solaris Workload Isolation
     [Figure: the Workload Isolation Continuum on SPARC T4-4 servers, from POSIX isolation, through Zones isolation (Database Zones A to D sharing one SPARC domain) and Domain isolation (SPARC Domain 1 and Domain 2 each running databases), to Hybrid isolation (zones inside domains)]
  7. Oracle Solaris 11 Immutable Zones
     • Lightweight Kernel-Mediated Virtualization
     • Supporting 4 Distinct Levels of Immutability
     • Prevents Accidental and Malicious Changes
     • Fully Integrated with Solaris (Create, Update, etc.)

     Level      /, /usr, /lib, ...   /etc         /var         other
     None       Writeable            Writeable    Writeable    Writeable
     Flexible   Read Only            Writeable    Writeable*   Read Only
     Fixed      Read Only            Read Only    Writeable*   Read Only
     Strict     Read Only            Read Only    Read Only    Read Only
  8. Comprehensive Isolation At Every Layer
     [Figure: a SPARC T4-4 server with Domain 1 and Domain 2; Zone A (Database) and Zones B and C (Applications) inside them; a Database Service Network partition on VLAN A reached by clients over SSL; an Application Service Network partition on VLAN B protected with IPsec; Exadata Storage Servers #1 to #3 reached over RDSv3, holding ASM Disk Groups with Tablespaces A-1 and A-2; a Sun ZFS Storage Appliance #1 reached over NFS, holding ZFS Data Sets B-1 and C-1]
  9. Data Protection
  10. Oracle Solaris Cryptographic Framework
      [Figure: framework architecture, top to bottom]
      • Consumers: Oracle Database 11g Transparent Data Encryption, Apache Web Server (OpenSSL), Oracle Fusion Middleware 11g (Java JCE), applications and shared libraries
      • User level: PKCS#11 Provider (libpkcs11.so), Softtoken Key Store ($HOME/.sunw, pkcs11_softtoken.so), libpkcs11_kernel.so, libsoftcrypto.so, Pluggable Interface
      • Kernel level: Scheduler and Load Balancer, Service Provider Interface
      • Hardware: SPARC T4 On-Core Crypto Instructions, SPARC T3/T2/T1 On-Chip Accelerators, Sun Crypto Accelerator 6000 (Hardware Security Module), Third-Party Accelerators and Hardware Security Modules
  11. SPARC Hardware Cryptographic Acceleration

      Processor / Mechanisms               UltraSPARC T2/T2+      SPARC T3                         SPARC T4
      Asymmetric / Public Key Encryption   RSA, DSA, ECC          RSA, DH, DSA, ECC                RSA, DH, DSA, ECC
      Symmetric Key / Bulk Encryption      AES, DES, 3DES, RC4    AES, DES, 3DES, Kasumi           AES, DES, 3DES, Camellia, Kasumi
      Message Digest / Hash Functions      MD5, SHA-1, SHA-256    CRC32c, MD5, SHA-1, SHA-256,     CRC32c, MD5, SHA-1, SHA-224, SHA-256,
                                                                  SHA-384, SHA-512                 SHA-384, SHA-512
      Random Number Generation             Supported              Supported                        Supported
      API Support                          PKCS#11 Standard       PKCS#11 Standard                 PKCS#11 Standard, uCrypto API
  12. SPARC T4 Cryptographic Acceleration: Significant Performance Gains for SSL (Using Hardware)
      [Chart: SSL performance with hardware acceleration]
      • Two-way SSL
      • RSA-2048
      • AES-256
  13. End-to-End Security Scenario on SPARC T4
      SPARC T4 hardware-assisted cryptography can be used to perform most encryption operations automatically:
      – Negligible performance overhead
      – Solaris PKCS#11 Softtoken acts as a unified key store (under FIPS evaluation)
  14. End-to-End Security Performance on SPARC T4
      [Chart: Multi-tier Application Security Scenario With Encrypted ZFS File System; y-axis 1000 to 1600 requests per second; bars for No SSL, Software SSL, and SSL & ZFS Crypto (T4 Accelerated)]
      Number of requests per second using Two-way SSL, RSA-1024 (SSL, No KeepAlive), AES-128 (ZFS Crypto)
  15. Fusion Middleware Security On SPARC T4
      [Chart: JAX-WS Application, WS-SecurityPolicy Basic256, Two-way SSL (SSL Cipher: TLS_RSA_WITH_AES_128_CBC_SHA)]
  16. Intel AES-NI: WebLogic SSL Performance
      SSL Performance Gains With Oracle Solaris 11 on Intel
      [Chart 1: CPU Utilization (Software SSL vs Solaris PKCS#11); CPU (%) on the y-axis, 0% to 14%, x-axis 1 to 9; series Software SSL and SSL (Intel AES-NI/Solaris X64)]
      [Chart 2: SSL vs. No SSL; Requests/sec on the y-axis, 0 to 140, x-axis 1 to 9; series No SSL and SSL (Intel AES-NI/Solaris X64)]
      • Oracle WebLogic 10.3.4 (Solaris 11 GA)
      • JDK 6u26 (Java PKCS#11 provider)
      • Two-way SSL w. RSA-2048 & AES-256
      • Oracle Sun X4270 server
  17. Access and Administration
  18. Oracle Solaris Role-based Access Control
      [Figure: how the RBAC elements relate]
      • Authorizations (e.g. solaris.system.shutdown)
      • Commands with privileges (e.g. /usr/sbin/ipf:privs=sys_ip_config)
      • Rights Profiles
      • Solaris Users
      • Solaris Roles
  19. Auditing and Monitoring
  20. Oracle Solaris Auditing (example audit record)

      <record version="2" event="sudo(1M) execution" host="pleiades"
              iso8601="2011-11-21 15:01:30.050 -05:00">
        <subject audit-uid="gbrunett" uid="root" gid="staff" ruid="gbrunett"
                 rgid="101" pid="27014" sid="2127539483" tid="4082 5632 192.168.1.1"/>
        <exec_args>
          <arg>pkg</arg>
          <arg>image-update</arg>
        </exec_args>
        <return errval="success" retval="0"/>
      </record>
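The record on this slide is the kind of thing a reviewer or SIEM pipeline consumes: the subject carries both the audit-uid (the identity that logged in) and the effective uid at the time of the event, so a record where those differ is where sudo/su activity shows up. The following is an added example, not code from the deck or from Oracle: it parses one audit record in the XML form shown above with the Python standard library and applies two simple review checks. The sample record is the one on the slide, re-typed with plain ASCII quotes; the SENSITIVE_COMMANDS list is an assumption made for the example.

```python
"""Parse a Solaris audit record (XML form) and apply simple review checks.

Added example; not part of the original deck. The record below is the one
shown on the slide, re-typed with plain ASCII quotes so it is well-formed XML.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: the slide's record, with host and address as on the page.
SAMPLE_RECORD = """\
<record version="2" event="sudo(1M) execution" host="pleiades"
        iso8601="2011-11-21 15:01:30.050 -05:00">
  <subject audit-uid="gbrunett" uid="root" gid="staff" ruid="gbrunett"
           rgid="101" pid="27014" sid="2127539483" tid="4082 5632 192.168.1.1"/>
  <exec_args><arg>pkg</arg><arg>image-update</arg></exec_args>
  <return errval="success" retval="0"/>
</record>
"""


@dataclass
class AuditEvent:
    event: str
    host: str
    timestamp: str
    audit_uid: str            # login identity tracked across su/sudo
    uid: str                  # effective user when the command ran
    pid: str
    remote_addr: Optional[str]
    args: List[str] = field(default_factory=list)
    succeeded: bool = False


def parse_record(xml_text: str) -> AuditEvent:
    """Extract the fields a reviewer cares about from one <record> element."""
    root = ET.fromstring(xml_text)
    if root.tag != "record":
        raise ValueError(f"expected <record>, got <{root.tag}>")
    subj = root.find("subject")
    if subj is None:
        raise ValueError("audit record has no <subject>")
    # tid is "<dev major> <dev minor> <address>"; keep the originating address.
    tid_parts = subj.get("tid", "").split()
    remote = tid_parts[2] if len(tid_parts) == 3 else None
    ret = root.find("return")
    return AuditEvent(
        event=root.get("event", ""),
        host=root.get("host", ""),
        timestamp=root.get("iso8601", ""),
        audit_uid=subj.get("audit-uid", ""),
        uid=subj.get("uid", ""),
        pid=subj.get("pid", ""),
        remote_addr=remote,
        args=[a.text or "" for a in root.findall("exec_args/arg")],
        succeeded=ret is not None and ret.get("errval") == "success",
    )


# Commands whose execution as root a reviewer would want surfaced.
# Assumption for this example, not a Solaris-provided list.
SENSITIVE_COMMANDS = {"pkg", "useradd", "usermod", "roleadd", "zfs", "zonecfg"}


def findings(ev: AuditEvent) -> List[str]:
    """Human-readable findings for one event; an empty list means nothing notable."""
    notes = []
    # Effective root while the audited login identity is someone else.
    if ev.uid == "root" and ev.audit_uid != "root":
        origin = ev.remote_addr or "local"
        notes.append(f"{ev.audit_uid} ran as root via {ev.event} from {origin}")
    if ev.args and ev.args[0] in SENSITIVE_COMMANDS:
        outcome = "ok" if ev.succeeded else "failure"
        notes.append(f"sensitive command: {' '.join(ev.args)} (exit {outcome})")
    return notes


if __name__ == "__main__":
    ev = parse_record(SAMPLE_RECORD)
    for line in findings(ev):
        print(f"[{ev.timestamp}] {ev.host}: {line}")
```

Run against the slide's record this reports that gbrunett ran pkg image-update as root through sudo from 192.168.1.1, which is exactly the pairing (who logged in, what ran, with which effective identity, from where) that the audit-uid field exists to preserve.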
  21. Oracle Solaris 11 Defense in Depth
      [Figure: a Non-Global Zone (Service Hardening, Encrypted Comms, Limited Privileges) containing Binaries and Libraries, Configuration Files, Temporary and Log Files, and Application Data on ZFS Encrypted Data Set(s); Delegated Application Administration alongside; Secure by Default / OS Hardening as the base layer]
  22. Oracle Solaris 11 Defense in Depth
      [Figure: a single zone with Encrypted Root, Limited Resources, Delegated Admin., Monitoring / Auditing, and Network Security]
  23. Oracle Solaris 11 Defense in Depth
      [Figure: three zones, each with Encrypted Root, Limited Resources, Delegated Admin., Monitoring / Auditing, and Network Security, connected through Virtual Networking (w/QoS and Data Link Protection)]
  24. Oracle Solaris 11 Defense in Depth
      [Figure: the Solaris 11 Instance (Global Zone) providing Monitoring / Auditing, Delegated Administration, and Hardware Accel. Cryptography underneath the zones]
  25. Oracle Sun SPARC SuperCluster T4-4
  26. SPARC SuperCluster T4-4 Security
      [Figure: a SPARC T4-4 server with an Oracle Database 11gR2 Domain (Oracle Solaris Zone, ASM, Scoped Security, ASM Disk Groups, Tablespaces A-1) and a General Purpose Domain (Oracle Solaris Zones for Application C and Application D with ZFS Data Sets, plus Zone B); clients connect over SSL; a Database Service Network partition on VLAN A and an Application Service Network partition on VLAN C, with a separate Client Access Network and Management Network; Exadata Storage Server(s) with Encrypted Backups and Export Files; a Sun ZFS Storage Appliance with NFS Shares Limited to Zone IP Address; on the management network: Oracle Enterprise Manager, Oracle Audit Vault, Oracle Database Firewall, Oracle Key Manager, Oracle Privileged Account Manager]
  27. For More Information
      • SPARC SuperCluster Security Principles and Capabilities: http://www.oracle.com/technetwork/articles/servers-storage-admin/supercluster-security-1723872.html
  28. Questions