Sun Secures Solaris with Kernel Rewrite, VeriSign Partnership

Sun is rolling out a sweeping set of security enhancements to Solaris, punctuated by a kernel rewrite and a partnership with VeriSign.

In an effort to batten down its operating system, Sun Microsystems Inc. this week will unveil a sweeping set of security enhancements to Solaris, as well as new managed security services.

The moves, which include a rewriting of parts of the Solaris kernel as well as a major partnership with VeriSign Inc., are in large part a response to well-established security initiatives from rivals Microsoft Corp. and IBM.

The advancements are also the latest indicator of how seriously software developers and manufacturers take the issue of security, according to experts.

"Its easier to use security as a selling point in an OS than in an individual security product," said Pete Lindstrom, an analyst at Spire Security LLC, in Malvern, Pa. "This is a shot against the growing discontent with security as well as against [Microsofts] NGSCB [Next-Generation Secure Computing Base]."

To incorporate some of the new security features in Solaris 10, which is due in the fourth quarter, Sun engineers rewrote portions of the Solaris kernel. The move, said company officials in Santa Clara, Calif., will likely prevent competitors from being able to replicate those features.

Solar flare

  • New security offerings from Sun Managed vulnerability assessment, threat monitoring and professional services with VeriSign
  • Reference solutions for Secure Network Access Platform for government and enterprise
  • Security enhancements to Solaris 10, including virtual instances and process rights management

Most of the enhancements due in the operating system are designed to prevent users from escalating privileges or to halt malicious behavior before it leads to a compromise or data loss.

Among the biggest improvements is the addition of Solaris N1 Grid Containers, a technology that lets administrators create virtual instances of Solaris within running versions of the operating system. The instances share common features and capabilities, but each acts as its own copy, complete with an independent naming service.

Even if an administrator has a root account on one instance, known as a zone, he or she wont be able to affect other zones, which limits the damage attackers can do if they obtain root access, Sun officials said. Customers will have the option of installing a stripped-down Solaris 10 with no network services or interfaces available. Users can then turn on whatever they choose.

Sun has also added a technology known as process rights management to Solaris 10. Lifted from Suns military-grade, hardened Trusted Solaris operating system, this concept implements the principle of least privilege, which is common on many sensitive systems.

By assigning each user account and process the lowest level of privileges needed to complete a given task, the technology is able to restrict what actions even highly privileged users can take. For example, a Web server can be bound directly to port 80, preventing it from being used for other purposes by an attacker.

On the services side, Sun is partnering with VeriSign, of Mountain View, Calif., to offer vulnerability assessment, threat monitoring and 24-hour network security management, according to Sun officials. The offerings will be based on VeriSigns Intelligence and Control Services.

The changes to Solaris are significant, given Suns wide lead in the enterprise Unix market. In the third quarter of last year, the company shipped nearly 77,000 copies of Solaris. Hewlett-Packard Co. shipped about 31,000 copies of its version of Unix, while IBM sold 27,000 copies of Unix, according to numbers compiled by market researcher IDC, of Framingham, Mass.