Upload File

oracle solaris secure cloud infrastructure

36

Upload: otn-systems-hub

Post on 15-Jan-2017

374 views

Category:

Software


2 download

Report

TRANSCRIPT

Page 1: Oracle Solaris Secure Cloud Infrastructure
Page 2: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015, Oracleand/oritsaffiliates.Allrightsreserved.|

SecureCloudInfrastructureSecure,Compliant,HighestPerforming

ScottLynn&DarrenJMoffatSolarisCoreTechnologiesJanuary2016

Page 3: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

200MExperianMar‘14

150MeBay

May‘14

22MEducationJuly‘14

SABanksOCT‘13

CreditCards

150M+CodeAdobeOct‘13

98MTargetDec‘13

20MCreditBureau

12MTelecom

Jan‘14

56MHomeDepot

Sep‘14

ImmigrationJune’14

PersonalRecords

76MJPMCOct‘14

TheAgeofMegaBreaches

3Copyright©2015,Oracleand/oritsaffiliates.Allrightsreserved.|

53MSonyDec‘14

227M

80MAnthemFeb‘15

Page 4: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

SocialAttacksCommand&

Control

BruteForceHackingMalware

SQLInjectionAttack

StolenCredentials

TypicalAttackVectors

4Copyright©2015,Oracleand/oritsaffiliates.Allrightsreserved.|

Page 5: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

COMMANDSERVER

ATTACKER

DOWNLOADEDMALWARE

PHISHINGATTACK

XSSORSQLINJECTIONATTACK

AnatomyofanAttack– StartswithPhishing

Page 6: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

ESTABLISHMULTIPLEBACKDOORS

DUMPINGPASSWORDSDOMAINCONTROLLER

GATHERINGDATA

AnatomyofanAttack– EstablishesaFoothold

Page 7: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

EXFILTRATEDATAVIASTAGINGSERVER

ANYWHEREINTHEWORLD

AnatomyofanAttack– ExfiltratesData,CoversTracks.

Page 8: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

RisksareOutside;VulnerabilitiesWithin

8

Page 9: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

Threat#1:StolenprivilegedusercredentialsPeople

9

Page 10: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

100%Ofinvestigateddatabreachesinvolvedstolencredentials

10

Source:MandiantThreatReport,2015

Page 11: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|OracleCorporation- Confidential 11OracleCompany Confidential– SharedUnderTermsofOPNNDA 11

HowtheSonyBreachChangedSecurity

Page 12: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

OracleSolarisMitigatesCredentialAbuse/Misuse

DelegationActivity-baseduseraccess

Time-BasedControlControlwhenuserscanperformactions

RemoteAuditing,LoggingandAlertingAuditentriessenttosecureserver;can’tbetampered

12

Page 13: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

Threat#2:UnpatchedandmisconfiguredsystemsPlatform

13

Page 14: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

99.9%OftheexploitedvulnerabilitieswerecompromisedmorethanayearaftertheCVEwaspublished

14

Source:VerizonDataBreach InvestigationsReport,2015

Page 15: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

ExploitedVulnerabilitiesCompromised

15

74%

OFORGANIZATIONSTAKE3MONTHS+

TOPATCH

Source:VerizonDataBreach InvestigationsReport,2015;IIOUGDataSecuritySurvey,2014

Page 16: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

Theageof“Ifitain’tbroke,don’tfixit,”isover!

16

Page 17: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.| 17

It’simportanttopatchquicklyandoften…Patchingonothersystemstakessignificanttimeandmoney.

Firmware

Virtualization

OS

Database

Application OtherSystems:• Differenttools• Differentpatches• Possibleconflicts• Downtimes• ManualRollback

Page 18: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

DramaticallySimplerLifecycleManagementSolvingpatchingandconfigurationvulnerabilities.

1818

Firmware

Virtualization

OS

Database

Application OracleSolaris:• Secure• Pre-tested• Single-sourcepatching.

1-StepSecurityPatching1-StepRollback

Page 19: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

SimpleAdministrationMajorFinancialCustomer’sExperiencesPatchingOracleSolarisvs.RedHat

19

RedHatEnterpriseLinux

Solaris1116XServers/Admin

MANAGE

4000300020001000

250

4000

Machines/Administrator

1-StepSecurityPatching

Page 20: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

Simple&Tailorable ComplianceReporting

20

Page 21: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

StopMalwareBeforeItGetsInImmutableSystemsandVirtualMachines– Can’testablishafoothold– Preventadministratormistakes– Updateeventhoughit’sunwritablebyusersandapplications

TamperEvidentSoftware– FirmwaretoApplications– Installonlyknown,trustedsoftware– Notsigned;won’tinstall– VerifiedBoot

21

Page 22: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

SecureLifecycleDoneRight

Secure• ImmutableSystemsandVirtualMachines

• TamperEvidentSoftware

• VerifiedBoot

Simple• 1-steppatching• Integratedsnapshots• 1-steprollback

Effective• Testedtogether• Fromfirmwaretoapplications

22

Firmware(

Virtualiza.on(

OS(

Database(

Applica.on(

Page 23: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

LargeCityinGermanyAutomaticPatching

23

Page 24: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

Threat#3:DirectdataaccessData

24

Page 25: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

$194*Theaveragecostperrecordstoleninadatabreach.

25

Source:Symantechttp://www.databreachcalculator.com/GetStarted.aspx

Page 26: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

52%

34%

11%

4%

Database

Network

Application

Middleware

ITLayersMostVulnerableToAttacks

67%

15%

15%

3%

Database

Network

Application

Middleware

AllocationofResourcesToSecureITLayer

Source:CSOOnlineMarketPulse,2013

NetworkSecurityisNotEnough:ProtecttheData!

Page 27: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

OnlyPlatformtoProtectApplicationsinMemorySiliconSecuredMemory

• Firsteverhardwarebasedmemoryprotection• Stopsattackersfromaccessingapplicationmemoryinappropriately• Alwaysonwithoutcompromise• Improvedefficiency&moresecureandhigheravailableapplications• Compatiblewithcurrentapplications

27

Application Memory

Pointer“B”GO

M7Processor

Pointer“A”GO

Pointer“Y”

Page 28: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

• Noperformanceloss• Automatically acceleratesJava,OracleDatabase,OpenSSL/TLS,andcustomapplications• Meetcompliancewithhighperformancediskencryption• SPARCM7SiliconSecuredMemory• IntegrateswithOracleKeyManager

28

AffordablyEncryptEverything,Everywhere,AlltheTime

Applications

Java

OracleDatabase

OperatingSystemUtilities

Storage

Virtualization

Firmware

Protectedatrest,inmotion,andinmemory

Page 29: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

NewExploitmitigationfeatures:sxadm(1M)

NXSTACKNonExecutableStack

BeenaroundsinceSolaris2.6butnowcontrolledviasxadm(1M)NowonbydefaultTagatbuildtimewith:-znxstack=enable|disable

NXHEAPNonExecutableHeap

Newin11.3,notenabledbydefaultsincethereareasmallnumberoflegitimateusesforanexecutableHEAP.Tagatbuildtimewith:-znxheap=enable|disable

ASLRAddressSpaceLayoutRandomisation

Added11.1

sxadmget-p Parsablestatusoutputsxadmdelcust GobacktovendordelivereddefaultsInstallTimePolicy svccfg extractsecurity-extensions

29

Page 30: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

ModernisingFirewallinOracleSolaris11.3• OpenBSD PFfirewallportedandintegratedintoOracleSolaris• ChooseeitherIPfilter orPF– onlyonecanbeactive– pkg:/network/firewall– pkg:/network/firewall/ftp-proxy– pkg:/network/firewall/pflog

• Rulesinpf.conf(4)• Loggingisvianewdladm(1M)controlledlinks• SMFsvc:/network/firewall• StartTransition: IPfilter isnowObsolete&mayberemovedinafuturerelease

30

Page 31: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

Modernising SSH• OracleSolaris9addedfirstOpenSSH version,becomeforkedSunSSH overtime.• OpenSSH (+somepatches)inOracleSolaris11.3– GSScredentialstorage– PAMServiceNameperSSHuserauthmethodasperSunSSH (PAMcan’tbedisabled)– DisableBanneroptionforssh client

• InstalleitherSunSSH orOpenSSH orboth– onlyonecanbedefaultssh(1)andsshd(1M),eitherorbothcanbeinstalled– Setdefaultviapkg mediatorwhenbothinstalled

• SMFsvc:/network/openssh• StartTransition:SunSSH isnowObsolete&mayberemovedinafuturerelease

31

Page 32: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

OracleSecurityInsideandOutLayersoftheStack

OracleCorporation- Confidential 32

S ECUR I TYS ECUR I TY

S ECUR I TY

S ECUR I TY

S ECUR I TY

S ECUR I TY

S E CUR I T Y

GovernanceRisk&ComplianceAccess&CertificationReview,AnomalyDetection,UserProvisioning,EntitlementsManagementMobileSecurity,PrivilegedUsersDirectoryServices, IdentityGovernanceEntitlementsManagement,AccessManagementEncryption,Masking,Redaction,KeyManagementPrivilegedUserControl,BigDataSecurity,SecureConfigApplication+UserSandboxing,DelegatedAdminAnti-malwaresystem,Data+NetworkProtectionComplianceReporting,SecuredAppLifecycleSecureLiveMigrationImmutableZonesIndependentControlPlaneCryptographicAccelerationApplicationDataIntegrityVerifiedBootDiskEncryption,SecuredBackup,EnterpriseKeyManagement

SPARC/Solaris

Page 33: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.| 33

BUILT-IN SECURITY INSIDE AND OUT SAVES TIME, MONEY AND REDUCES RISK

Mitigatescredentialabuse/misuse

Securelifecycledoneright

Encrypteverything,everywhere,allthetime

Page 34: Oracle Solaris Secure Cloud Infrastructure

Copyright©2015Oracleand/oritsaffiliates.Allrightsreserved.|

Q&A

34

Page 35: Oracle Solaris Secure Cloud Infrastructure

Copyright©2014Oracleand/oritsaffiliates.Allrightsreserved.| 35

Page 36: Oracle Solaris Secure Cloud Infrastructure

fcsIntroduction to Oracle® Solaris Zones · Solaris Kernel Zones ” and “Creating and Using Oracle Solaris Zones ”. If you are ready to migrate a system running Oracle Solaris

Oracle Containers 062711 · Oracle White Paper— Best Practices for Running Oracle Databases in Oracle Solaris Containers 2 Oracle Solaris Containers Oracle Solaris Containers, Oracle's

Oracle Solaris Command Reference for Linux Users Solaris Command... · Hostname: solaris solaris console login: {0} ok boot cdrom Oracle Solaris Command Reference for Linux Users

Oracle Solaris 11: What's New for Application …...Oracle Solaris 11: What’s New for Application Developers 3 Oracle Solaris Studio Oracle Solaris Studio provides developers with

Oracle Solaris Cluster Data Service for Agfa IMPAX Guide · Oracle Solaris Cluster Data Service for Agfa IMPAX Guide Author: Oracle Corporation Subject: Oracle Solaris Cluster Data

Oracle Solaris Zones

Transición de Oracle Solaris 10 a Oracle Solaris 11 · FuncionesdelaszonasdeOracleSolaris11.....130 PreparacióndelaszonasconmarcadeOracleSolaris10 .....132

Oracle® Solaris Cluster 4 Compatibility Guide · Oracle Solaris Oracle Solaris Oracle Solaris Oracle Solaris Oracle Solaris Oracle Solaris

Deployment Considerations for Oracle Secure Global … · 4 | DEPLOYMENT CONSIDERATIONS FOR ORACLE SECURE GLOBAL DESKTOP On Oracle Solaris Trusted Extensions platforms, you must install

Oracle Solaris and Oracle Solaris Cluster: Extending Oracle Solaris

Oracle Solaris 11 Customer Maintenance · PDF file Gerry Haskins Director, Software Lifecycle Engineering Oracle Solaris Systems Oracle Solaris 11 Customer Maintenance Lifecycle

webMethods Trading Networks 9.8 on the Oracle Solaris ... 98 Solaris M6_tcm121... · the Oracle Solaris Operating System ... webMethods Trading Networks 9.8 on the Oracle Solaris

Oracle Solaris Overview

Oracle Solaris 11 Overview and Design Guide Solaris 11...- Oracle Solaris 11.3 IPS Repository Installation Guide / IPS Repository (1/2) - Oracle Solaris 11.3 IPS Repository (2/2) ⁃This

Managing Secure Shell Access in Oracle® Solaris 11 · 2017-10-16 · Sharing .ssh/config Files Between Multiple Oracle Solaris Releases ... 6 Managing Secure Shell Access in Oracle

Oracle Solaris Virtualization

Installation and Setup Guide - Fujitsu€¦ · Solaris(TM) 9 Operating System Solaris 9 Solaris or Solaris OS Oracle Solaris 10 Solaris 10 Oracle Solaris 11 Solaris 11 Red Hat(R)

CIS Oracle Solaris 11.2 Benchmark - Enterprise Labsys...This document, CIS Oracle Solaris 11.2 Benchmark, provides prescriptive guidance for establishing a secure configuration posture

Transitioning From Oracle Solaris 10 to Oracle Solaris 11.3

Übergang von Oracle® Solaris 10 zu Oracle Solaris 11 · Oracle Solaris 11.2, das neueste Oracle Solaris-Release, ist integrierender Bestandteil des kombinierten Hardware- und Softwareportfolios

Oracle Solaris 11.1 Administration Oracle Solaris Zones Oracle

Oracle Solaris 11 Hands-on Lab - Made for the · PDF fileIntroduction to Oracle Solaris 11 Hands-on Lab 1 of 3. ... Oracle Solaris 11 System Administration Oracle Solaris 11 Advanced

Leveraging Oracle Solaris Security and Performance ... · PDF fileSolaris11.1 Solaris 11.2 Solaris 11.3 Solaris 11.4 Solaris 11.5

Transitioning From Oracle Solaris 10 to Oracle Solaris 11Preface TransitioningFromOracleSolaris10toOracleSolaris11.1coverstopicsfortransitioningfrom OracleSolaris10toOracleSolaris11.1

Oracle Solaris and Oracle Solaris Cluster White Paper · Oracle White Paper— Oracle Solaris and Oracle Solaris Cluster: Extending Oracle Solaris for Business Continuity Compared

ORACLE SOLARIS 11 11/11 · PDF fileoracle solaris 11 11/11 !"# '“«‹ oracle solaris 11 11/11 !"# 9 . oracle solaris 11 11/11 !"# 11 . oracle

Global Disk Services PRIMECLUSTER FUJITSU Software · -Oracle Solaris 11.1 is abbreviated as Solaris 11.1.-Oracle Solaris Zones is abbreviated as Solaris Zones.-Oracle VM Server for

Oracle Solaris

Oracle® Solaris Studio 12.4: Overview · Oracle Solaris Studio 12.4 Overview 7 Oracle Solaris Studio 12.4 Overview Oracle Solaris Studio software is a set of software development

Introduction to Oracle® Solaris ZonesOracle Solaris Zones Introduction The Oracle Solaris Zones feature in the Oracle Solaris operating system provides an isolated environment in

How to use Oracle Solaris for Linux usersOracle Solaris for Linux users. Notes • Oracle Solaris is sometimes referred to as 'Solaris'. • Oracle VM Server for SPARC is sometimes

Oracle Solaris 10 영역 만들기 및 사용 · 2015. 1. 20. · 1장. Oracle Solaris 10 영역 소개 7 ♦ ♦ ♦ 1 장 1 Oracle Solaris 10 영역 소개 BrandZ는 Oracle™ Solaris

SCC – The Oracle Experts€¦ · SCC – The Oracle Experts ... • Oracle Education and training services on ... • Oracle Solaris 11 System Administration • Oracle Solaris

Oracle Solaris and Oracle Solaris Cluster: Extending Oracle

Oracle Solaris and Oracle Solaris Cluster.pdf