Oracle Solaris Secure Cloud Infrastructure

Jan 15, 2017

Page 1: Oracle Solaris Secure Cloud Infrastructure
Page 2: Oracle Solaris Secure Cloud Infrastructure

Secure Cloud Infrastructure
Secure, Compliant, Highest Performing

Scott Lynn & Darren J Moffat, Solaris Core Technologies
January 2016

Copyright © 2015, Oracle and/or its affiliates. All rights reserved.

Page 3: Oracle Solaris Secure Cloud Infrastructure

The Age of Mega Breaches

• 200M Experian, Mar '14
• 150M eBay, May '14
• 22M Education, July '14
• SA Banks, Oct '13
• Credit Cards
• 150M+ Code, Adobe, Oct '13
• 98M Target, Dec '13
• 20M Credit Bureau
• 12M Telecom
• Jan '14
• 56M Home Depot, Sep '14
• Immigration, June '14
• Personal Records
• 76M JPMC, Oct '14
• 53M Sony, Dec '14
• 227M
• 80M Anthem, Feb '15

Page 4: Oracle Solaris Secure Cloud Infrastructure

Typical Attack Vectors

• Social Attacks
• Command & Control
• Brute Force Hacking
• Malware
• SQL Injection Attack
• Stolen Credentials

Page 5: Oracle Solaris Secure Cloud Infrastructure

Anatomy of an Attack – Starts with Phishing

[Diagram labels: COMMAND SERVER; ATTACKER; DOWNLOADED MALWARE; PHISHING ATTACK; XSS OR SQL INJECTION ATTACK]

Page 6: Oracle Solaris Secure Cloud Infrastructure

Anatomy of an Attack – Establishes a Foothold

[Diagram labels: ESTABLISH MULTIPLE BACKDOORS; DUMPING PASSWORDS; DOMAIN CONTROLLER; GATHERING DATA]

Page 7: Oracle Solaris Secure Cloud Infrastructure

Anatomy of an Attack – Exfiltrates Data, Covers Tracks.

[Diagram labels: EXFILTRATE DATA VIA STAGING SERVER; ANYWHERE IN THE WORLD]

Page 8: Oracle Solaris Secure Cloud Infrastructure

Risks are Outside; Vulnerabilities Within

Page 9: Oracle Solaris Secure Cloud Infrastructure

Threat #1: Stolen privileged user credentials

People

Page 10: Oracle Solaris Secure Cloud Infrastructure

100% of investigated data breaches involved stolen credentials

Source: Mandiant Threat Report, 2015

Page 11: Oracle Solaris Secure Cloud Infrastructure

How the Sony Breach Changed Security

Page 12: Oracle Solaris Secure Cloud Infrastructure

Oracle Solaris Mitigates Credential Abuse/Misuse

• Delegation: Activity-based user access
• Time-Based Control: Control when users can perform actions
• Remote Auditing, Logging and Alerting: Audit entries sent to secure server; can't be tampered with

Page 13: Oracle Solaris Secure Cloud Infrastructure

Threat #2: Unpatched and misconfigured systems

Platform

Page 14: Oracle Solaris Secure Cloud Infrastructure

99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published

Source: Verizon Data Breach Investigations Report, 2015

Page 15: Oracle Solaris Secure Cloud Infrastructure

Exploited Vulnerabilities Compromised

74% OF ORGANIZATIONS TAKE 3 MONTHS+ TO PATCH

Source: Verizon Data Breach Investigations Report, 2015; IIOUG Data Security Survey, 2014

Page 16: Oracle Solaris Secure Cloud Infrastructure

The age of “If it ain’t broke, don’t fix it,” is over!

Page 17: Oracle Solaris Secure Cloud Infrastructure

It’s important to patch quickly and often…
Patching on other systems takes significant time and money.

Stack layers: Firmware, Virtualization, OS, Database, Application

Other Systems:
• Different tools
• Different patches
• Possible conflicts
• Downtimes
• Manual Rollback

Page 18: Oracle Solaris Secure Cloud Infrastructure

Dramatically Simpler Lifecycle Management
Solving patching and configuration vulnerabilities.

Stack layers: Firmware, Virtualization, OS, Database, Application

Oracle Solaris:
• Secure
• Pre-tested
• Single-source patching.

1-Step Security Patching
1-Step Rollback

Page 19: Oracle Solaris Secure Cloud Infrastructure

Simple Administration
Major Financial Customer’s Experiences Patching Oracle Solaris vs. Red Hat

[Bar chart: Machines/Administrator, axis 1000 to 4000. Bars: Red Hat Enterprise Linux; Solaris 11. Values shown: 250; 4000. Callout: MANAGE 16X Servers/Admin]

1-Step Security Patching

Page 20: Oracle Solaris Secure Cloud Infrastructure

Simple & Tailorable Compliance Reporting

Page 21: Oracle Solaris Secure Cloud Infrastructure

Stop Malware Before It Gets In

Immutable Systems and Virtual Machines
– Can’t establish a foothold
– Prevent administrator mistakes
– Update even though it’s unwritable by users and applications

Tamper Evident Software
– Firmware to Applications
– Install only known, trusted software
– Not signed; won’t install
– Verified Boot

Page 22: Oracle Solaris Secure Cloud Infrastructure

Secure Lifecycle Done Right

Secure
• Immutable Systems and Virtual Machines
• Tamper Evident Software
• Verified Boot

Simple
• 1-step patching
• Integrated snapshots
• 1-step rollback

Effective
• Tested together
• From firmware to applications

Stack layers: Firmware, Virtualization, OS, Database, Application

Page 23: Oracle Solaris Secure Cloud Infrastructure

Large City in Germany
Automatic Patching

Page 24: Oracle Solaris Secure Cloud Infrastructure

Threat #3: Direct data access

Data

Page 25: Oracle Solaris Secure Cloud Infrastructure

$194* The average cost per record stolen in a data breach.

Source: Symantec, http://www.databreachcalculator.com/GetStarted.aspx

Page 26: Oracle Solaris Secure Cloud Infrastructure

Network Security is Not Enough: Protect the Data!

[Chart: IT Layers Most Vulnerable To Attacks. Layers: Database, Network, Application, Middleware. Values shown: 52%, 34%, 11%, 4%]

[Chart: Allocation of Resources To Secure IT Layer. Layers: Database, Network, Application, Middleware. Values shown: 67%, 15%, 15%, 3%]

Source: CSO Online MarketPulse, 2013

Page 27: Oracle Solaris Secure Cloud Infrastructure

Only Platform to Protect Applications in Memory
Silicon Secured Memory

• First ever hardware based memory protection
• Stops attackers from accessing application memory inappropriately
• Always on without compromise
• Improved efficiency & more secure and higher available applications
• Compatible with current applications

[Diagram labels: Application Memory; M7 Processor; Pointer “A” GO; Pointer “B” GO; Pointer “Y”]

Page 28: Oracle Solaris Secure Cloud Infrastructure

Affordably Encrypt Everything, Everywhere, All the Time

• No performance loss
• Automatically accelerates Java, Oracle Database, OpenSSL/TLS, and custom applications
• Meet compliance with high performance disk encryption
• SPARC M7 Silicon Secured Memory
• Integrates with Oracle Key Manager

Stack layers: Applications, Java, Oracle Database, Operating System Utilities, Storage, Virtualization, Firmware

Protected at rest, in motion, and in memory

Page 29: Oracle Solaris Secure Cloud Infrastructure

New Exploit mitigation features: sxadm(1M)

NXSTACK: Non Executable Stack
– Been around since Solaris 2.6 but now controlled via sxadm(1M)
– Now on by default
– Tag at build time with: -z nxstack=enable|disable

NXHEAP: Non Executable Heap
– New in 11.3, not enabled by default since there are a small number of legitimate uses for an executable HEAP.
– Tag at build time with: -z nxheap=enable|disable

ASLR: Address Space Layout Randomisation
– Added 11.1

sxadm get -p: Parsable status output
sxadm delcust: Go back to vendor delivered defaults
Install Time Policy: svccfg extract security-extensions

Page 30: Oracle Solaris Secure Cloud Infrastructure

Modernising Firewall in Oracle Solaris 11.3

• OpenBSD PF firewall ported and integrated into Oracle Solaris
• Choose either IP Filter or PF
– only one can be active
– pkg:/network/firewall
– pkg:/network/firewall/ftp-proxy
– pkg:/network/firewall/pflog
• Rules in pf.conf(4)
• Logging is via new dladm(1M) controlled links
• SMF svc:/network/firewall
• Start Transition: IP Filter is now Obsolete & may be removed in a future release

Page 31: Oracle Solaris Secure Cloud Infrastructure

Modernising SSH

• Oracle Solaris 9 added the first OpenSSH version, which became the forked SunSSH over time.
• OpenSSH (+ some patches) in Oracle Solaris 11.3
– GSS credential storage
– PAM Service Name per SSH userauth method as per SunSSH (PAM can’t be disabled)
– DisableBanner option for ssh client
• Install either SunSSH or OpenSSH or both
– only one can be default ssh(1) and sshd(1M), either or both can be installed
– Set default via pkg mediator when both installed
• SMF svc:/network/openssh
• Start Transition: SunSSH is now Obsolete & may be removed in a future release

Page 32: Oracle Solaris Secure Cloud Infrastructure

Oracle Security Inside and Out
Layers of the Stack

SECURITY

• Governance Risk & Compliance
• Access & Certification Review, Anomaly Detection, User Provisioning, Entitlements Management
• Mobile Security, Privileged Users
• Directory Services, Identity Governance
• Entitlements Management, Access Management
• Encryption, Masking, Redaction, Key Management
• Privileged User Control, Big Data Security, Secure Config
• Application + User Sandboxing, Delegated Admin
• Anti-malware system, Data + Network Protection
• Compliance Reporting, Secured App Lifecycle
• Secure Live Migration
• Immutable Zones
• Independent Control Plane
• Cryptographic Acceleration
• Application Data Integrity
• Verified Boot
• Disk Encryption, Secured Backup, Enterprise Key Management

SPARC/Solaris

Page 33: Oracle Solaris Secure Cloud Infrastructure

BUILT-IN SECURITY INSIDE AND OUT SAVES TIME, MONEY AND REDUCES RISK

• Mitigates credential abuse/misuse
• Secure lifecycle done right
• Encrypt everything, everywhere, all the time

Page 34: Oracle Solaris Secure Cloud Infrastructure

Q&A

Page 35: Oracle Solaris Secure Cloud Infrastructure


Page 36: Oracle Solaris Secure Cloud Infrastructure