[ISN] Sun takes Solaris Security To Next Level

From: mea culpa (jerichoat_private)
Date: Thu Dec 24 1998 - 20:43:19 PST

    By Jim Kerstetter and Scott Berinato, PC Week Online
    December 22, 1998 9:00 AM ET

    Sun Microsystems Inc. is taking security to the heart of its Solaris
    operating system.

    Over the next six months, Sun plans to augment Solaris with security
    capabilities including PKI (public-key infrastructure), IP Security-based
    virtual private networking and more tightly integrated firewalls.

    Sun (Nasdaq:SUNW) wants to make it easier for IT administrators to
    implement and manage security while pulling new technologies such as
    public-key encryption into the mainstream.

    The company is targeting the much-publicized security features slated for
    Microsoft Corp.'s (Nasdaq:MSFT) Windows 2000, which is expected by the
    middle of next year. Both companies, however, are taking a different tack
    from vendors such as Novell Inc. (Nasdaq:NOVL), which believes security
    features are best kept separate from the core operating system.

    Some IT managers would prefer to see security embedded directly into the
    operating system.

    "It's harder to get around security if it's part of the OS," said Marc
    Hollander, vice president of software development at MovieFone Inc., in
    New York. "If someone is trying to get in, this makes it harder to defeat
    the security."

    Embedded security also makes it easier for IT managers to implement
    security functions properly, said Dan Kusnetzky, an analyst at
    International Data Corp., in Framingham, Mass.

    "If security is part of your OS, you'll at least start thinking about
    formulating a security strategy," Kusnetzky said. "Now, many security
    breaches occur because some feature isn't turned on. Bringing features
    like PKI into the OS--suddenly they're not so mysterious."

    Sun will embed PKI support into Solaris by next summer via new AMI
    (Authentication Management Infrastructure) technology, making such a
    complex, digital certificate-based authentication system considerably
    easier to roll out and manage. Users will be able to generate public keys
    from AMI, which will also be sold as a stand-alone package, said Walt
    O'Malley, a group marketing manager for Sun's Solaris division, in Santa
    Clara, Calif.

    Using Solaris' Lightweight Directory Access Protocol support, an
    administrator can still tie in PKI capabilities from third-party vendors.
    The Solaris PKI will also support smart cards for authentication.

    Sun also will support in Solaris the IPSec specification for VPNs (virtual
    private networks). IPSec has been a touchy subject for Sun, which
    initially refused to support the protocol's IKE (Internet Key Exchange)
    method for exchanging encryption keys. Sun had a competing protocol called
    SKIP (Simple Key management for Internet Protocols) that it claimed
    performed faster than IKE.

    SKIPing with IPSec

    Sun's planned support for the complete IPSec specification for VPNs is a
    dramatic turnaround, considering that Sun:
      * Released its SKIP specification nearly three years ago
      * Embedded SKIP in Solaris in 1996
      * Submitted SKIP to the Internet Engineering Task Force for standard
        consideration in 1996 but lost to Internet Security Association Key
        Management Protocol/Oakley, now called IKE
      * Initially refused to adopt IKE and in February launched a campaign to
        market SKIP over IKE

    But Sun has changed its tune, enabling Solaris to support both SKIP and
    IKE. This will allow companies to use SKIP while keeping the door open to
    IPSec interoperability, said Stephen Borcich, Sun's director of product

    For firewall support within Solaris, Sun is planning a major overhaul of
    its SPF-200 and EFS (Encryption Firewall Server) SunScreen firewalls.
    Version 3.0 of the products, due next summer, will be more tightly
    integrated with Solaris and with each other, Borcich said.

    Sun plans to sell Solaris with both SPF-200 and EFS; users will have the
    option of running SPF-200 on a dedicated server or with Solaris and EFS,
    which offers much better performance.

    "A lot of companies have remote sites that could be running firewalls or
    setting up a VPN to send data back to the main office if they had it right
    there on the OS," Sun's O'Malley said.

    The stealth features of SPF-200 also improve Solaris' security; the
    product doesn't have its own IP address, which makes it hard for hackers
    to locate the server on which it's running. SPF-200 also inspects IP
    packets as they come through the firewall, a process similar to the
    stateful inspection technology of Check Point Software Technologies Ltd.'s
    Firewall-1. Sun will add new failover capabilities so that if one firewall
    crashes, the other takes over. Sun will also provide a central management
    application for firewall farms at major companies, O'Malley said.

    All these security features, to be released in Solaris 7.x over the coming
    year, will match the security features Microsoft is building into Windows
    2000. For nearly a year, Microsoft officials have been evangelizing
    Windows 2000's security benefits, including PKI and IPSec support and
    smart-card integration.