System News
Glenn Brunette on Immutable Service Containers
Building Secure Systems Based on Solaris Zones
March 27, 2009,
Volume 133, Issue 4

vastly locking down the privileges with Immutable Service Containers
 

Delivering the service in a zone, in conjunction with denying write access to the binaries or configurations and vastly locking down the privileges, results in a really secure environment -- in a word, "Immutable Service Containers (ISC)," writes Sun Distinguished Engineer Glenn Brunette, adding that an ISC embodies at its core the key principles inherent in the Sun Systemic Security framework, including self-preservation, defense in depth, least privilege, compartmentalization and proportionality. In his posting at wikis.sun.com, Brunette discusses ISCs based on Solaris Zones.

The author says that, while ISCs can be built with a variety of products and technologies, his focus is on the design, construction and deployment of ISCs based on both the Solaris 10 and the OpenSolaris operating systems.

Brunette presents several diagrams, including both functional view and layered view architectural diagrams, and then illustrates several deployment models including:

Solaris Global Zone Gateway

With this model, Brunette writes, the system is configured to receive traffic on a public IP address mapped to the global zone. Secure Shell (TCP/22) services are exposed by the global zone, allowing administrators to access the global zone directly (and from there any of the ISCs that may be running). Web traffic (TCP/80 and TCP/443) is redirected from the global zone to the web zone using the network address translation capabilities of IP Filter. IP Filter also implements packet filtering to allow the global zone to initiate outbound communications (any port). The web zone is permitted to initiate outbound communications only on port TCP/80. Clearly, this is configurable, and the actual ports permitted inbound or outbound will be based upon actual deployment requirements.

Again, with this model, as the Web, cache, and database ISCs share a common private network, they can communicate with each other without restriction, Brunette continues. As they are ISCs, however, they are configured to expose only those services required for their function, namely cache: TCP/11211 and database: TCP/3306. The cache and database ISCs have no means, however, of communicating with the global zone (restricted by IP Filter) or the public network (no interface or route). In this way, they are configured to be isolated from the public network and reachable only through the Web ISC.
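The Solaris Global Zone Gateway model described above, written out as IP Filter NAT and packet-filter rules. This is an added illustration, not Brunette's own configuration; the interface name e1000g0, the public address 203.0.113.10, and the private 10.0.0.0/24 addresses of the global zone (.1), web (.10), cache (.20) and database (.30) ISCs are assumed.

```conf
# --- /etc/ipf/ipnat.conf (constructed example) ---
# Public web traffic arriving on the global zone's address is redirected
# to the web ISC on the private network.
rdr e1000g0 203.0.113.10/32 port 80  -> 10.0.0.10 port 80 tcp
rdr e1000g0 203.0.113.10/32 port 443 -> 10.0.0.10 port 443 tcp
# Assumed: the web ISC's own outbound TCP/80 leaves via the global zone's address.
map e1000g0 10.0.0.10/32 -> 0/32

# --- /etc/ipf/ipf.conf (constructed example) ---
# Also filter zone-to-zone and zone-to-global-zone traffic that never leaves the host.
set intercept_loopback true;

# Default deny, logged, in both directions; every pass rule below is "quick".
block in log all
block out log all

# Global zone: only SSH is exposed on the public side; any outbound port.
pass in  quick on e1000g0 proto tcp from any to 203.0.113.10 port = 22 flags S keep state
pass out quick on e1000g0 proto tcp from 203.0.113.10 to any flags S keep state
pass out quick on e1000g0 proto udp from 203.0.113.10 to any keep state

# Web ISC: accept the redirected 80/443 (ipnat has already rewritten the
# destination to 10.0.0.10) and allow it to initiate outbound TCP/80 only.
pass in  quick on e1000g0 proto tcp from any to 10.0.0.10 port = 80  flags S keep state
pass in  quick on e1000g0 proto tcp from any to 10.0.0.10 port = 443 flags S keep state
pass out quick on e1000g0 proto tcp from 10.0.0.10 to any port = 80 flags S keep state

# Cache (10.0.0.20) and database (10.0.0.30) ISCs may not reach the global zone's
# private address (10.0.0.1); they have no interface or route to the public side.
block in quick from 10.0.0.20 to 10.0.0.1
block in quick from 10.0.0.30 to 10.0.0.1

# Web, cache and database ISCs share the private network and talk without restriction;
# which ports answer (cache TCP/11211, database TCP/3306) is set inside each ISC.
pass in  quick from 10.0.0.0/24 to 10.0.0.0/24 keep state
pass out quick from 10.0.0.0/24 to 10.0.0.0/24 keep state
```

Rule order matters: the block rules for the cache and database ISCs sit before the private-network pass rules so that "quick" stops evaluation at the block.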

Isolated Solaris Global Zone

Here, Brunette notes, the system is configured with an isolated Solaris Global Zone. The only means of accessing the Solaris Global Zone is through a zone configured to act as a bastion host.

He also presents, without comment, models of:

  • Solaris Global Zone Gateway with Isolated ISC Networks
  • Solaris Global Zone Gateway with GZ Mediated ISC Networks

More Information

Understanding the Security Capabilities of Solaris Zones Software (white paper; password-protected site)

"Immutable Service Containers" (pdf)

Solaris Containers (Zones)




