The Unix Guardian
Volume 3, Number 26 -- July 20, 2006

IBM Gets High Security Marks for Mainframe, Unix Virtualization

Published: July 20, 2006

by Timothy Prickett Morgan

IBM will today announce that the server virtualization technologies behind its System z mainframes and pSeries Unix servers have received high security ratings based on the Common Criteria specifications that are becoming a standard in the IT industry.

The Common Criteria certification process is an important hurdle to clear for certain IT acquisitions in the financial services industry and among governments, particularly for defense contracts. The process yields an Evaluation Assurance Level (EAL) numerical rating. Most server/operating system combinations get an EAL4 or EAL4+ rating now, which means the operating system is not only certified as being secure, but that auditors and security experts have examined the source code of the software to be sure that it is rock-solid.

The EAL5 rating on the logical partitions of the System z9 EC mainframes is meant to prove that the new mainframes are as good as the prior generation. So far, only IBM's mainframe partitions have attained an EAL5 rating. This is by no means the first time that IBM has tested operating systems running inside logical partitions. IBM already has EAL4 certification on logical partitions running on Power4-based pSeries 630, 650, and 690 servers from several years ago, and on zSeries 800, 900, and 990 mainframes, which also date from several years ago.

As of this week, the System z9 EC 109 server running z/OS and the PR/SM LPAR hypervisor was rated at EAL5, while pSeries 630, 650, and 690 servers using Power4 processors and running AIX 5.1 and 5.2 were certified at the EAL4+ level. Both machines use a remote Hardware Management Console--basically a glorified PC running Linux and a chunk of the hypervisor microcode--to link into a service processor on the mainframe or Unix server and to allocate hard and soft resources to logical partitions.

The reason why getting high EAL certification for logical as well as physical machines is important is a subtle one, according to Rich Lechner, vice president of virtualization solutions at IBM. When companies virtualize servers with first-generation logical or virtual machine hypervisors, they tend to carve up a machine and put similar workloads--Web servers, print and file servers, application servers, or database servers--all on the same machine. While this helps with server consolidation and drives up utilization, it doesn't drive utilization as high as you might think, because for any given workload, in an evenly distributed setup, the peaks and valleys will coincide. If your databases are generally busy at a certain time, for instance, then four copies running on the same machine will be busy at the same time--and un-busy at other times. The real value of virtualization will come when companies do what mainframe and OS/400 shops (and some Unix shops, to a limited extent) do: mix workloads that used to run across different types of servers onto a single machine. That way, you can mix transactional and batch work, production and development work, Web front-end and database back-end work, all on the same machine. "You can get utilization rates of 70, 80, or 90 percent on a mainframe because it has been able to mix workloads like this for a long time."

Of course, once you start bringing what used to be vertically isolated servers into a virtualized environment, you have security issues. The logical or virtual machine hypervisor, which sometimes runs inside an operating system and increasingly runs below the operating system, hooked tightly into the hardware (as has been done in mainframes for a long time and in Power-based servers for several years), is now a security risk just as an operating system is. "We have to be able to guarantee the same security and availability as if these different tiers and their workloads were running on physically separate machines," says Lechner. Hence, IBM's Common Criteria testing.

It is interesting to note that VMware has only certified its prior-generation ESX Server 2.5 and VirtualCenter 1.2 management console for X86 and X64 servers at the EAL2 level. You can bet that VMware is working to get the new ESX Server 3 and its related tools certified at a much higher level. Sun Microsystems reached EAL4 on Solaris 8 on its Sparc servers almost four years ago and on Solaris 9 in January last year; Hewlett-Packard hit EAL4 on its PA-RISC servers running HP-UX 11i in September 2001, which put it way ahead of its rivals. IBM certified AIX 5L 5.2 at the EAL4 level on its Power4 servers in September 2002. Back in August, the System i5 line running i5/OS V5R3 was certified at EAL4, too.

A few months ago, IBM and its auditors certified the combination of AIX 5.2 Unix and the Unix security software from Argus Systems called PitBull Foundation 5.0 at the EAL4+ level, which provides a little more security assurance than EAL4. The PitBull Foundation software provides a layer of multi-level security for the AIX operating system, something that is lacking in AIX and other Unix and Unix-like operating systems. PitBull eliminates vulnerabilities associated with the root or superuser account; the software also protects applications and operating systems from attacks from within a company or from outside a firewall. Argus originally developed the product for Solaris, but in November 2004 the program was ported to AIX. Argus also sells a program called PitBull LX, which is a security layer that wraps around Linux or Unix applications and prevents hackers from exploiting known bugs in the application software to gain access to the systems. PitBull LX also protects sensitive information and does not allow hackers to deface Web sites. Both PitBull Foundation and PitBull LX essentially provide a finer granularity of root access than Unix and Linux offer themselves. PitBull LX was available for Solaris 8 and commercial Linuxes based on the 2.4 and 2.6 kernels, and now it is also available on AIX 5L 5.2. This certification for AIX-PitBull did not include virtualized instances of the software running on the pHype hypervisor at the heart of the System p implementation of the Virtualization Engine hypervisor, which also runs on IBM's System i OS/400-based servers.

Lechner says that IBM is working on getting Common Criteria certification for logical partitions on the System i5 machines, but did not say when it might happen. And presumably, IBM will test its new Power5+ System p servers running a more current AIX soon, too, and try to hit EAL4+ or EAL5.

You can see the full list of IT gear and its EAL certification levels at www.commoncriteriaportal.org/public/.
