Justifying Trusted Solaris
Hola!
For many years now, my organization has been a loyal Solaris customer. And while we still have issues with the default setup we have been able to get by with information from the blueprint articles and the tools (a big thanks to Alex Noordergraaf, Keith Watson, and Glenn Brunette!). In fact, we recently overhauled our data center operational and deployment security standards based on this information.
However, we feel that even with the measures we have taken Solaris is still not adequate to defend against an unhappy insider or a determined hacker. I have been inestigating whether Trusted Soalris should be our OS of choice for key systems (NIS/LDAP, DB, financial). It seems that the muliti-level security is what we need but the configuration complexity perhaps is too great. Let me give the situation. A good sysadmin is hard to find and harder to keep. Clearly, we need to train our sysadmins for Trusted because no one we have is familiar with it. A colleague of mine at another company tried Trusted and told me that initial config is very difficult. We know that Trusted Solaris 8 has Sun management console(SMC?), but frankly we hate it on Solaris 8!
How can I go to my management and ask for money (especially now) to train sysadmins in Trusted Solaris? I need ammo. I can make a good case for the security benefits but not for additional training costs. Also the documentation for Trusted Solaris on docs.sun.com and the Sun Education cleass on Trusted Solaris appear to be geared for the governement/militray. Are there any books or articles on using Trusted Solaris in data center environements?
Please help.
Bobby Flay
[1688 byte] By [
] at [2007-11-25 23:04:11]
# 1
I'm glad that you like our BluePrints please note that there's a new
version of Solaris Security Toolkit (aka JASS) available
http://www.sun.com/security/jass
There's also a very well written BluePrint article about Trusted Solaris:
http://www.sun.com/software/solutions/blueprints/0301/MainNe t.pdf
I believe there are several ways to solve the training issue either
TTT (train the trainer) or we could arrange a on-site training class
for you. I'm more than happy to help you with finding more 'ammo', I'm
as close as your phone or your email.
Regards,
Martin Hack
Martin Hack Product Manager Sun Microsystems Inc.
(650) 786 0211Solaris Security Products901 San Antonio Road
Martin.Hack@Sun.COMUMPK18-211
www.sun.com/security Palo Alto, CA 94303-4900
at 2007-7-5 17:55:52 >
# 2
Bobby, this is the same problem we have been battling for years in the DoD environment. We would love to discuss this further with you and let you know how we have overcome some of these, and other issues, with Trusted Solaris. Trusted Solaris IS the answer to protecting the crown jewels of insider information. We used Digital MLS+ for year and have just recently migrated our entire customer WAN (38 sites world wide/3500 users accounts) to TSOL. Let me know if you want to have a short teleconf.
Regards
at 2007-7-5 17:55:52 >
# 4
Chris,
I'm not sure if you're going to be able to get through to that third contributor.
After all, this thread hasn't been touched in four years <img src="images/smiley_icons/icon_smile.gif" border=0 alt="Smile">
It was pre-9/11
TSOL has likely undergone quite an evolution in that time.
at 2007-7-5 17:55:52 >
# 6
The functionality that was previously in Trusted Solaris 8 has been integrated into OpenSolaris and has been shipping (for free) since last July. IIt has been renamed Solaris Trusted Extensions because it is now part of Solaris. Hopefully you won't have as much difficulty justifying the use of this free OS to your management.
The next update of Solaris 10, Solaris 10 11/06, will include the Solaris Trusted Exensions. There is no extra charge for use of this feature.
For more information see:
http://opensolaris.org/os/community/security/projects/tx/TrustedExtensionsArch. pdf
