Solaris 10 with Trusted Extensions Readied for 11/06 Update
Published: September 21, 2006
by Timothy Prickett Morgan
As part of its server and storage announcements last week, Sun Microsystems said that it finally would be delivering the Trusted Solaris Extensions to its Solaris 10 Unix platform. Trusted Extensions is an add-on to Solaris 10 that gives it beefed-up security and makes the platform more attractive to defense contractors, financial services firms, and any other organization that is fervent about security.
The Trusted Solaris Extensions were originally supposed to be delivered in mid-to-late 2005 with a different update to Solaris 10, but for some reason, that didn't happen.
Since Solaris 8, Sun has offered a more ruggedized version of its Solaris platform for those who need extra security. With Solaris 8, which ran on both Sparc and X86 platforms, Sun called this variant the Trusted Solaris 8 Operating Environment. Trusted Solaris 8 was a fork off the Solaris 8 tree, where Sun stopped adding features to Solaris 8 and then set about providing hardened features in the kernel and access methods in the Unix platform. Trusted Solaris 8 offered mandatory access control for end users, role-based access control for system administrators, and fine-grained rights profiles that allow administrators to give end users specific access to operating system and application features without inadvertently giving them access to any other features. The software also had features to allocate and de-allocate real devices (peripherals) and virtual devices (drivers that simulate devices) attached to any Sparc or X86 system. It also could disable the copying or printing of information retrieved from application databases and posted on their screens. The reason why some organizations loved Trusted Solaris 8 is that it was binary compatible with the real Solaris 8, but added a lot of features that, six years on now, seem perfectly normal. But such tight security was exotic back then.
With Solaris 9, which was launched in May 2002, Sun's server business was tanking and it yanked support for X86 boxes; the company also did not make a Trusted Solaris 9 variant. Sun kept updating Trusted Solaris 8, adding support for new processors and peripherals, but the lag in feature support compared to Solaris 9 was quite large. Despite that lag, during the Solaris 8 and 9 generations, Trusted Solaris made up approximately 10 to 15 percent of shipments. Some companies really want security.
With Solaris 10, Sun figured out that it would be far easier to move a lot of this security functionality into the actual Solaris and stop forking the platform and then hardening it. This is precisely what Sun did. However, some of the features that were in Trusted Solaris need to be added to Solaris 10, and that is what the Trusted Solaris Extensions do.
Sun has not explained the delays in bringing the Trusted Solaris Extensions to market, but it has been in beta for quite a bit of time, and, despite Sun's efforts to the contrary, still has come to market with a big lag between the real Solaris 10 and the more secure version. Whatever Sun tried to do to speed the process either didn't work, or something about taking Solaris 10 open source slowed it down.
Sun is pretty confident that it will make Trusted Solaris Extensions available in the 11/06 Update, presumably due in November, and that it will have the highest security ratings available through the Common Criteria, which has become the de facto standard for assessing the security of hardware and software. Sun announced last week that it would be chasing the EAL4+ security rating on Solaris 10 11/06 with the Trusted Solaris Extensions. The company said that it would be providing certifications on Sparc and Opteron servers. The testing on this software actually began in June, and Sun expects that CGI Information Systems and Management Consultants, based in Ottawa, Ontario, would be performing the testing. Sun said further that it could take 12 to 18 months to complete the testing.
The reason Sun announced that it was doing the testing is that vendors rarely announce they are going to do a test unless they are sure that they can pass it. This practice is a bit of a wink and a nod to the server market, which allows Sun to sell gear and organizations to buy gear that is not yet certified and feel safe about it.
Sun is going for the Common Criteria trifecta in its testing. The plain vanilla Solaris 10 platform is being evaluated at the EAL4+ level for three different profiles: Labeled Security Protection Profile (LSPP), Controlled Access Protection Profile (CAPP), and Role-Based Access Control Protection Profile (RBACPP). Solaris 10 11/06 with Trusted Solaris Extensions is being evaluated for the LSPP; Sun did not say which level, but presumably it will be higher than EAL4+.