System News
Immutable Service Containers and its OpenSolaris Instantiation
A Secured Container to Deploy Services
August 12, 2009, Volume 138, Issue 2

An ISC construction kit allows users to take an OpenSolaris 2009.06 system and convert it to the ISC model with a single command.
 

Sun Distinguished Engineer Glenn Brunette introduces Immutable Service Containers (ISC) as a new method for organizations to better protect their services and data. ISCs are expected to become one of the most basic architectural building blocks for more complex, highly adaptive and autonomic security architectures, he writes, offering some insight into the project and details on its instantiation in the OpenSolaris community.

Defined as an architectural deployment pattern used to describe a platform for highly secure service delivery, ISCs provide a security-reinforced container into which a service or set of services is deployed. These containers are not tied to any one product or technology, so they can be implemented in many different ways. OpenSolaris has its own ISC, initially developed using version 2009.06.

Brunette explains that each ISC embodies key principles inherent in the Sun Systemic Security framework, namely, self-preservation, defense in depth, least privilege, compartmentalization and proportionality. Its design also takes on the cloud computing principles of service abstraction, micro-virtualization, automation and "fail in place," Brunette says. He offers what he sees as significant security benefits gained from using ISCs when designing service delivery platforms:

For application owners

  • ISCs help to protect applications and services from tampering
  • ISCs provide a consistent set of security interfaces and resources for applications and services to use

For system administrators

  • ISCs isolate services from one another to avoid contamination
  • ISCs separate service delivery from security enforcement/monitoring
  • ISCs can be (mostly) pre-configured by security experts

For IT managers

  • ISC creation can be automated, pre-integrating security functionality and making them faster and easier to build and deploy
  • ISCs leverage industry-accepted security practices, making them easier to audit and support

Brunette then discusses the OpenSolaris ISC implementation. An ISC construction kit has been developed that allows users to take an OpenSolaris 2009.06 system and convert it to the ISC model with a single command.

In the OpenSolaris ISC, the global zone is treated as a system controller and exposed services are deployed only into their own non-global zones. Brunette explains that from a networking perspective, the entire environment is viewed as a single entity or one IP address, where the global zone acts as a security monitoring and arbitration point for all of the services running in non-global zones.

He details how the default version of the OpenSolaris ISC uses non-global zones, Solaris auditing, a private virtual network, Solaris IP NAT and Solaris IP Filter. He provides information on each of these, along with a diagram showing how all the parts fit within the ISC architecture.

"Using the ISC model, you can deploy your services in a micro-virtualized environment that offers protection against kernel-based root kits (and some forms of user-land root kits), offers flexible file system immutability (based upon read-only file systems mounted into the non-global zone), can take advantage of process least privilege and resource controls, and is operated in a hardened environment where there is a packet filtering, NAT and auditing policy that is effectively out of the reach of the deployed service," he writes. "This means that should a service be compromised in a non-global zone, it will not be able to impact the integrity or validity of the auditing, packet filtering, and NAT configuration or logs."

More Information

NEW: OpenSolaris Immutable Service Containers - Glenn Brunette's blog entry

ISC Project on the Project Kenai site

OpenSolaris ISC - includes the construction kit download

Sun BluePrints on Sun Systemic Security
