http://www.gcn.com/vol1_no1/daily-updates/37225-1.html

By Joab Jackson
GCN Staff
10/06/05

Sun Microsystems Inc. plans to phase out its Trusted Solaris secure operating system and replace it with security extension software that can be used with its Open Solaris operating system, said Mark Thacker, product line manager of Solaris security.

Open Solaris and the Solaris Trusted Extensions software will provide the full functionality of Trusted Solaris, according to Thacker.

"This product will simply layer on top of Solaris 10. It will run on top of any piece of hardware that Solaris 10 runs on," Thacker said. Trusted Extensions should be available by mid-2006.

Long used by agencies with classified and sensitive data networks, the current version of Trusted Solaris, version 8, has been certified to Common Criteria Level 4+ Evaluation Assurance for three different protection profiles.

Recently, Sun submitted its Solaris 10 operating system for Common Criteria Evaluation for two of those profiles. The Solaris Trusted Extensions will cover the third profile and will also undergo Common Criteria evaluation starting later this year, Thacker said.

The reason behind the rearrangement is to consolidate the code base for Solaris, according to Thacker. Trusted Solaris has a different operating system kernel than the more widely used Solaris 10, though the two are similar. When Sun upgraded Solaris to version 10, it incorporated about 85 percent of the security features in Trusted Solaris.

"We took some of the concepts in Trusted Solaris, like process rights management, user rights profiles, [and] process containments and built them into Solaris," Thacker said.

The major missing component was a feature called labeled security, which applies a tag identifying the appropriate security level to each data file. Although this feature is not widely used, it is valued by intelligence agencies, Thacker said. It has a set of labels that map directly to sensitivity levels from agencies such as the National Security Agency and the Central Intelligence Agency. The labels allow the operating system to handle the data with appropriate controls.

"Because of that classification and their relationships with one another, I can express how data can flow up and down the chain of command," Thacker said.

The feature allows computers to handle data from networks with differing security levels. It eliminates the need to keep multiple computers, each for a different security level, for each user's desk.

Trusted Extensions will include this labeled security feature. Government users who would have purchased Trusted Solaris will instead purchase Solaris 10 and the Solaris Trusted Extensions software.

The National Information Assurance Partnership's Common Criteria Evaluation and Validation Scheme is a collection of Protection Profiles and Evaluation Assurance Levels. A Protection Profile is a list of specifications of what a system should do in a given area.

Solaris 10 is currently being evaluated against the Controlled Access Protection Profile and the Role Based Access Control Protection Profile, at Evaluation Assurance Level 4+. CGI Information Systems and Management Consultants Inc. of Ottawa will conduct the evaluations.

Last week, Red Hat Inc. of Raleigh, N.C., announced its Red Hat Enterprise Linux was undergoing Evaluation Assurance Level 4 evaluation for IBM servers. That evaluation will include the Labeled Security Protection Profile, the Controlled Access Protection Profile and Role-Based Access Control Protection Profile.

The combination of Solaris 10 and the Trusted Extensions will be available for all the platforms that Sun supports, including its own SPARC line of processors and x86 line of AMD and Intel processors as well, Thacker said.