Volume 2, Number 27 -- July 25, 2006

IBM Gets High Security Marks for Mainframe, Unix Virtualization

Published: July 25, 2006

by Timothy Prickett Morgan

IBM last week announced that the server virtualization technologies behind its System z mainframes and pSeries Unix servers have received high security ratings based on the Common Criteria specifications that are becoming a standard in the IT industry.

The Common Criteria certification process is an important hurdle to get over for certain IT acquisitions in the financial services industry and among governments, particularly for defense contracts. An evaluation yields an Evaluation Assurance Level (EAL) numerical rating, from EAL1 through EAL7. The number measures how rigorously the product was examined against the security claims in its Security Target, not how secure the product is in absolute terms, and it applies only to the specific configuration that was evaluated. Most server/operating system combinations get an EAL4 or EAL4+ rating now. At EAL4, independent evaluators do not just test the product; they also review the design documentation and a portion of the source code, so the rating carries more weight than a vendor's own security claims. EAL5 raises the bar further, with a semiformal design description and a more complete review of the implementation.

The EAL5 rating on the logical partitions of the System z9 EC mainframes is meant to show that the new mainframes are at least as well assured as the prior generation. So far, only IBM's mainframe partitions have attained an EAL5 rating. This is by no means the first time that IBM has evaluated operating systems running inside logical partitions: IBM already holds EAL4 certification on logical partitions running on Power4-based pSeries 630, 650, and 690 servers, and on zSeries 800, 900, and 990 mainframes, all of which date from several years ago.

As of this week, the System z9 EC model 109 server running z/OS and the PR/SM LPAR hypervisor is rated at EAL5, while pSeries 630, 650, and 690 servers using Power4 processors and running AIX 5.1 and 5.2 are certified at the EAL4+ level. Both machines use a remote Hardware Management Console--basically a glorified PC running Linux and a chunk of the hypervisor microcode--to link into a service processor on the mainframe or Unix server and to allocate hard and soft resources to logical partitions. That makes the HMC part of the trust boundary: whoever controls it controls the partition boundaries, so it needs the same physical and network protection as the service processor it talks to.

The reason why a high EAL certification matters for logical machines as well as physical ones is important but subtle, according to Rich Lechner, vice president of virtualization solutions at IBM. When companies virtualize servers with first-generation logical or virtual machine hypervisors, they tend to carve up a machine and put similar workloads--Web servers, print and file servers, application servers, or database servers--all on the same machine. While this helps with server consolidation and drives up utilization, it doesn't drive utilization as high as you might think, because for any given workload the peaks and valleys line up. If your databases are generally busy at a certain time, for instance, then four copies running on the same machine will be busy at the same time--and idle at the same time. The real value of virtualization will come when companies do what mainframe and OS/400 shops (and some Unix shops, to a limited extent) do: mix workloads that used to run across different types of servers onto a single machine. That way, you can mix transactional and batch work, production and development work, Web front-end and database back-end work, all on the same machine. "You can get utilization rates of 70, 80, or 90 percent on a mainframe because it has been able to mix workloads like this for a long time."

Of course, once you bring what used to be vertically isolated servers into a virtualized environment, you have security issues. The logical or virtual machine hypervisor, which sometimes runs inside an operating system and increasingly runs below the operating system, hooked tightly into the hardware (as has been done in mainframes for a long time and in Power-based servers for several years), is now part of the trusted computing base just as an operating system is: a flaw in it can expose every partition on the box at once. "We have to be able to guarantee the same security and availability as if these different tiers and their workloads were running on physically separate machines," says Lechner. Hence, IBM's Common Criteria testing.

It is interesting to note that VMware has only certified its prior-generation ESX Server 2.5 and VirtualCenter 1.2 management console for x86 and x64 servers at the EAL2 level. You can bet that VMware is working to get the new ESX Server 3 and its related tools certified at a much higher level. Sun Microsystems reached EAL4 on Solaris 8 on its Sparc servers almost four years ago and on Solaris 9 in January last year; Hewlett-Packard hit EAL4 on its PA-RISC servers running HP-UX 11i in September 2001, which put it way ahead of its rivals. IBM certified AIX 5L 5.2 at the EAL4 level on its Power4 servers in September 2002. Back in August, the System i5 line running i5/OS V5R3 was certified at EAL4, too.

A few months ago, IBM and its auditors certified the combination of AIX 5.2 and PitBull Foundation 5.0, Unix security software from Argus Systems, at the EAL4+ level, which provides a little more security assurance than EAL4. PitBull Foundation adds a layer of multi-level security (mandatory access control based on sensitivity labels) to AIX, something that stock AIX and other Unix and Unix-like operating systems lack. It is designed to remove the all-powerful root or superuser account as a single point of compromise, so that an attacker, whether an insider or someone who has come through the firewall, cannot reach every file and application on the box by gaining root. Argus originally developed the product for Solaris, and in November 2004 ported it to AIX. Argus also sells a program called PitBull LX, a security layer that wraps around Linux or Unix applications and is intended to contain an attacker who exploits a known bug in the application, so that the compromise does not turn into access to the rest of the system, to sensitive data, or to the Web site's content. Both PitBull Foundation and PitBull LX essentially provide finer granularity of privilege than the root-or-nothing model Unix and Linux themselves offer. PitBull LX was available for Solaris 8 and commercial Linuxes based on the 2.4 and 2.6 kernels, and is now also available on AIX 5L 5.2. This certification for AIX-PitBull did not include virtualized instances of the software running on the pHype hypervisor at the heart of the System p implementation of the Virtualization Engine hypervisor, which also runs on IBM's System i OS/400-based servers.
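To show what the multi-level security layer described above actually changes, here is a toy reference monitor written for this article. It is not PitBull code and does not describe how PitBull is built; the label names, levels, compartments, file paths and processes are all made up. It applies the classic Bell-LaPadula rules (no read up, no write down) before the ordinary Unix owner/group/mode check, and the point to notice is that uid 0 gets no exemption from the mandatory check.

```python
"""Toy multi-level security (MLS) reference monitor.

Illustration for this article only: not the PitBull implementation.
Every subject (process) and object (file) carries a sensitivity label made
of a level plus a set of compartments. The mandatory check runs first and is
not bypassed by uid 0; the discretionary (mode bits) check runs second and,
as on stock Unix, root bypasses it. All sample labels, paths and processes
below are constructed.
"""
from dataclasses import dataclass, field

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """self >= other in the label lattice: level is higher or equal and
        compartments are a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Subject:
    uid: int
    label: Label          # clearance the process currently runs at


@dataclass
class Obj:
    path: str
    owner_uid: int
    mode: int             # Unix permission bits, e.g. 0o640
    label: Label          # classification of the data


def dac_allows(subject: Subject, obj: Obj, op: str) -> bool:
    """Discretionary check on owner/other bits. Root bypasses it."""
    if subject.uid == 0:
        return True
    bits = obj.mode >> 6 if subject.uid == obj.owner_uid else obj.mode & 0o7
    return bool(bits & (0o4 if op == "read" else 0o2))


def mac_allows(subject: Subject, obj: Obj, op: str) -> bool:
    """Bell-LaPadula: no read up, no write down. No root exemption."""
    if op == "read":      # simple security property
        return subject.label.dominates(obj.label)
    if op == "write":     # *-property
        return obj.label.dominates(subject.label)
    raise ValueError(f"unknown operation {op!r}")


def access(subject: Subject, obj: Obj, op: str) -> bool:
    """Reference monitor: both checks must pass. MAC is evaluated first so
    a compromised root process cannot short-circuit past it."""
    return mac_allows(subject, obj, op) and dac_allows(subject, obj, op)


# Constructed sample objects and subjects.
PAYROLL = Obj("/data/payroll.db", owner_uid=1001, mode=0o600,
              label=Label("SECRET", frozenset({"HR"})))
WEBLOG = Obj("/var/log/httpd/access_log", owner_uid=0, mode=0o644,
             label=Label("UNCLASSIFIED"))

ROOT_WEB = Subject(uid=0, label=Label("UNCLASSIFIED"))      # httpd that got root via an exploit
HR_CLERK = Subject(uid=1001, label=Label("SECRET", frozenset({"HR"})))
AUDITOR = Subject(uid=2002, label=Label("TOP_SECRET"))      # high level, but no HR compartment


def demo() -> dict:
    """Decisions the monitor makes for the constructed scenario."""
    return {
        "root_reads_payroll": access(ROOT_WEB, PAYROLL, "read"),    # False: no read up, even for uid 0
        "root_reads_weblog": access(ROOT_WEB, WEBLOG, "read"),      # True
        "clerk_reads_payroll": access(HR_CLERK, PAYROLL, "read"),   # True: label and mode both allow
        "clerk_writes_weblog": access(HR_CLERK, WEBLOG, "write"),   # False: no write down
        "auditor_reads_payroll": access(AUDITOR, PAYROLL, "read"),  # False: lacks the HR compartment
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY'}")
```

The first line of the demo is the one that matters for the argument in the text: a Web server process that has been escalated to root can still read only data at its own label, because the mandatory check does not consult the uid at all. Real MLS products also carry labels through IPC, network sockets and device nodes and add a separate privilege set so that administration can be split up; this toy covers files only.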

Lechner says that IBM is working on getting Common Criteria certification for logical partitions on the System i5 machines, but did not say when that might happen. Presumably IBM will also test its new Power5+ System p servers running a more current AIX soon, and try to hit EAL4+ or EAL5.

You can see the full list of IT gear and its EAL certification levels at www.commoncriteriaportal.org/public/.






Editors: Dan Burger, Timothy Prickett Morgan, and Hesh Wiener
Publisher and Advertising Director: Jenny Delroy
Advertising Sales Representative: Kim Reed
Contact the Editors: If you have an inside story relating to mainframes, send
Timothy Prickett Morgan or Hesh Wiener a message through our contacts page.


Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034