Oct 10, 2009

Platform Security – A Comparative Study

Introduction

A platform security model protects an entire platform and every piece of software or every device running on it, removing the need to bolt separate security measures onto each individual program. This paper evaluates and compares the platform security features of three prominent product lines in the computing industry: HP Integrity NonStop servers, SUN SPARC Enterprise servers and IBM cluster servers. Each is considered robust and well suited to high-availability environments. They offer strong storage and computing capacity, are efficient at processing online transactions, and are used mainly in the banking, insurance and telecommunication sectors. Those sectors usually mandate compliance with industry security standards, since the systems host large amounts of end-user data. Hence the security of the base computing platform matters as much as security at the application level. This paper describes the security features offered by each platform and illustrates the advantages of choosing one over another for a given function.

Security aspects and comparison

Any platform security model provides three major capabilities to protect a general user's files, directories (subvolumes on NonStop) and processes:

• Authentication—Verifying a user name and password when a user requests access to the system. As a general user, you can change your password, but you have no additional control over the authentication process, even though it provides the first line of defense against intrusion into your files and the entire system.

• Authorization—Checking access control lists to determine whether another user has authority to access your disk files, subvolumes, and processes. You can designate the specific access authorities that another user may have to your objects.

• Auditing—Recording attempts to access your disk files, subvolumes, and processes.

Authentication

Authentication is any process by which you verify that someone is who they claim they are. This usually involves a username and a password, but can include any other method of demonstrating identity, such as a smart card, retina scan, voice recognition, or fingerprints.

This section describes how the authentication process differs in HP Integrity NonStop servers, SUN SPARC Enterprise servers and IBM cluster servers.

HP Integrity NonStop

The HP NonStop Kernel (NSK) authenticates users by ensuring that only persons who enter a valid user name and the associated password can access the system. A general user can change his or her own password but has no further control over the authentication process, even though it is the first line of defense against intrusion into the user's files and the system as a whole.

  • A third-party security process (a Safeguard Security Event-Exit Process, SEEP) can implement custom measures for (1) authentication, (2) access control and (3) password management.
  • Users control the ageing of their passwords and, within the system limits, the characters and length of their passwords. Passwords are stored using one of two algorithms, DES or HMAC256.
  • It does not support system-generated passwords; a third-party SEEP can be used as a password generator instead.
  • No PAM support: authentication is password based only.
  • No built-in mechanism for intrusion detection or prevention.
  • Sanctioned privileged logon allows designated privileged programs to be authenticated without a password.

SUN SPARC Enterprise servers

A SUN SPARC server supports a number of choices for user authentication: a password; industry-standard digital certificates; host-based authentication by the underlying operating system; or third-party authentication (the network authentication services Kerberos, CyberSafe and DCE, token cards, smart cards and biometric devices). Built-in password management lets administrators enforce a minimum password length, require password complexity and reject easily guessed dictionary words.

The SUN Solaris features for authentication include the following:

  • Solaris provides identification and authentication as a built-in feature through the Pluggable Authentication Module (PAM) framework, by default based on usernames and passwords.
  • It supports the Kerberos service, a client-server architecture that provides authentication together with encryption of the session.
  • It uses a FIPS-certified random number generator for database encryption.
  • Each password must meet the complexity constraints configured in /etc/default/passwd. Solaris offers MD5-based and Blowfish-based password hashing algorithms (selected through /etc/security/policy.conf), which are considerably stronger than the traditional UNIX crypt algorithm; that algorithm is DES based and uses only the first eight characters of the password.
  • Solaris provides mechanisms for password-policy enforcement, and uses containers (zones), rights profiles and privileges to limit the need for superuser-level commands.
  • Solaris Secure Shell: a secure remote login and file transfer protocol that encrypts communications over an untrusted network.
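
The following is an added illustration (not Sun code) of how the complexity keywords in /etc/default/passwd translate into checks on a candidate password. The keyword names are the Solaris 10 ones, but the file content is constructed for the example, and the interpretation of NAMECHECK and MINDIFF is our own reading of their documented meaning, marked as an assumption in the code.

```python
"""Enforcement of the password-complexity keywords that Solaris reads from
/etc/default/passwd. Added illustration, not Sun code: the keywords are the
Solaris 10 ones, the file content is constructed and the checking logic is
our own reading of their documented meaning."""

import re

# Constructed /etc/default/passwd. The commented-out PASSLENGTH=6 line shows
# the weaker out-of-the-box value; the active lines are the hardened policy.
DEFAULT_PASSWD = """\
#PASSLENGTH=6
PASSLENGTH=8
MAXWEEKS=13
MINWEEKS=1
WARNWEEKS=2
NAMECHECK=YES
HISTORY=10
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=1
MINLOWER=1
MAXREPEATS=2
WHITESPACE=NO
"""


def parse_default_passwd(text):
    """KEY=VALUE lines; '#' starts a comment, as in the real file."""
    policy = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            policy[key.strip()] = value.strip()
    return policy


def _num(policy, key, default=0):
    return int(policy.get(key, default))


def check_password(policy, new_pw, old_pw="", login=""):
    """Return the list of violated keywords; an empty list means acceptable."""
    failures = []
    # With CRYPT_DEFAULT=__unix__ (traditional DES crypt) only the first eight
    # characters are significant, so a PASSLENGTH above 8 only helps once
    # /etc/security/policy.conf selects an MD5 or Blowfish algorithm.
    if len(new_pw) < _num(policy, "PASSLENGTH", 6):
        failures.append("PASSLENGTH")
    if sum(c.isalpha() for c in new_pw) < _num(policy, "MINALPHA"):
        failures.append("MINALPHA")
    if sum(not c.isalpha() for c in new_pw) < _num(policy, "MINNONALPHA"):
        failures.append("MINNONALPHA")
    if sum(c.isupper() for c in new_pw) < _num(policy, "MINUPPER"):
        failures.append("MINUPPER")
    if sum(c.islower() for c in new_pw) < _num(policy, "MINLOWER"):
        failures.append("MINLOWER")
    max_repeats = _num(policy, "MAXREPEATS")
    if max_repeats and re.search(r"(.)\1{%d,}" % max_repeats, new_pw):
        failures.append("MAXREPEATS")  # more than MAXREPEATS consecutive equal chars
    if policy.get("WHITESPACE", "YES").upper() == "NO" and any(c.isspace() for c in new_pw):
        failures.append("WHITESPACE")
    # Assumption: NAMECHECK rejects a password containing the login name,
    # case-insensitively, forwards or reversed.
    if policy.get("NAMECHECK", "YES").upper() == "YES" and login:
        lowered, name = new_pw.lower(), login.lower()
        if name in lowered or name[::-1] in lowered:
            failures.append("NAMECHECK")
    # Assumption: MINDIFF counts positions that differ plus any change in length.
    if old_pw:
        diff = sum(a != b for a, b in zip(new_pw, old_pw)) + abs(len(new_pw) - len(old_pw))
        if diff < _num(policy, "MINDIFF"):
            failures.append("MINDIFF")
    return failures


POLICY = parse_default_passwd(DEFAULT_PASSWD)

if __name__ == "__main__":
    for candidate in ("Tr0ub4dor!x", "aaaaaaaa", "Alice123"):
        print(candidate, check_password(POLICY, candidate, login="alice") or "ok")
```

The point to take from the example is the comment at the top of check_password: a length or complexity policy is only as strong as the hash that stores the result, which is why the page's distinction between the traditional UNIX algorithm and the MD5 and Blowfish alternatives matters.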

IBM cluster servers

IBM supports strong authentication at both the database and the operating system layer, including services such as DCE and Kerberos.

  • AIX ships a default set of system special user accounts (bin, daemon, nobody, root, sys) so that the root and system accounts do not own every operating system file and file system. A specific account can be disabled by inserting an asterisk (*) at the beginning of its line in /etc/security/passwd.
  • AIX has an intrusion detection mechanism: administrators analyze the audit records it produces to secure the system and network. IBM clusters monitor for several commonly used types of intrusion attack, such as port-scanning events or SYN-flood events.
  • SUN and IBM are both turning to Lightweight Directory Access Protocol (LDAP) directories to store and manage users centrally.
  • IBM platforms are evaluated under the Common Criteria security evaluation scheme, which the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) adopted as the international standard ISO/IEC 15408 in 1999.
  • IBM has delivered an introductory database encryption capability: column-level encryption, in which every value in a column is encrypted under the same key, an encryption password that the user supplies to encrypt and decrypt the data. Because the password is the key, its strength and secrecy determine the protection of everything in the column.

Authorization

Authorization is determining whether the person, once identified, is permitted to use the resource. This is usually decided by whether the person belongs to a particular group, has paid admission, or holds a particular level of security clearance.

Access control is the enforcement of a policy that specifies who may be granted access to a protected information resource.

HP Integrity NonStop

All NonStop access controls are object-centric: policy is determined by the object being accessed, not by the type of requester or the form of the request. System administrators can associate a default protection record with a user ID; that protection policy is then applied to files created by that user ID.

It offers highly configurable control over the check levels:

  • Combination: first-rule, first-acl or all (which ACL, or which rule within the chain of ACLs, decides the outcome).
  • Direction: e.g. filename-first versus volume-first (the order in which the file, subvolume and volume protection records are consulted).
  • Check level: checking at each level can be switched on or off individually.
  • ACL-required: if no ACL exists, the ruling is NO (access denied) instead of falling back to the Guardian file security string.
  • Security administrators and operator groups help achieve role-based access control.
  • Finer-grained access controls: ACLs permit per-user permissions and per-user denials.
  • It also provides access-control auditing and audit client processing.
  • NonStop servers are currently being enhanced to support third-party firewalls on NonStop consoles, but no host-level intrusion detection system is available.
  • The persistence feature lets system administrators create protection records (ACLs) for files that do not yet exist, so the policy is in place before the file is created.
  • DAC (discretionary access control) governs subjects' access to objects and lets users themselves make policy decisions and assign security attributes; the traditional UNIX model of users, groups and rwx permissions is an example of DAC. NSK, SUN and IBM all provide DAC.
  • Network access between two nodes is authorized by creating user accounts with the same logon name and user ID in the user registries of both nodes and assigning the two accounts matching remote passwords for one or both nodes. To preserve node autonomy, remote passwords are unidirectional: the system administrator of a given Expand node must explicitly authorize access to that node from other nodes. A bidirectional network authorization therefore consists of two pairs of matching remote passwords, one pair for each node. Remote password validation is an additional check performed before an object's authorization controls are evaluated, and it can only deny access, never grant it.
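
To make the combination, direction, check-level and ACL-required attributes above concrete, here is an added illustration (not HP code) of an object-centric ACL evaluator modelled on them. The user-ID wildcards (GROUP.*, *.*), the RWEP access letters and the three levels follow NonStop conventions; the behaviour when a record exists but names no applicable entry is a simplification and is marked as such in the code.

```python
"""ACL evaluation modelled on the NonStop Safeguard attributes listed above:
DIRECTION (volume-first or filename-first), COMBINATION (first-rule,
first-acl or all), per-level CHECK switches and ACL-REQUIRED. Added
illustration, not HP code; the tie-break rules are simplifications."""

from dataclasses import dataclass, field

LEVELS = ("volume", "subvolume", "filename")   # volume-first order


@dataclass
class Acl:
    """One protection record: ordered entries of (user pattern, allow, deny).
    Access types use the Guardian letters R, W, E, P (read/write/execute/purge)."""
    entries: list = field(default_factory=list)

    def add(self, pattern, allow="", deny=""):
        self.entries.append((pattern, set(allow), set(deny)))
        return self


def pattern_matches(pattern, user):
    """User IDs are GROUP.NAME; '*' may stand for either half (ADMIN.*, *.*)."""
    pgroup, pname = pattern.upper().split(".")
    ugroup, uname = user.upper().split(".")
    return pgroup in ("*", ugroup) and pname in ("*", uname)


def acl_rule(acl, user, access):
    """'grant' or 'deny' from the first entry naming the user; None if none does."""
    for pattern, allow, deny in acl.entries:
        if not pattern_matches(pattern, user):
            continue
        if access in deny:
            return "deny"
        return "grant" if access in allow else "deny"
    return None


@dataclass
class Policy:
    direction: str = "volume-first"        # or "filename-first"
    combination: str = "first-acl"         # "first-rule", "first-acl" or "all"
    check: dict = field(default_factory=lambda: dict.fromkeys(LEVELS, True))
    acl_required: bool = False


def evaluate(policy, records, user, access):
    """records maps a level to its Acl; a missing level has no protection record
    (with the persistence feature a record may exist for a file that does not).
    Returns 'grant', 'deny', or 'guardian' when no ACL governs the object and
    the Guardian file security string would decide instead."""
    order = LEVELS if policy.direction == "volume-first" else LEVELS[::-1]
    consulted = 0
    for level in order:
        if not policy.check[level] or level not in records:
            continue
        consulted += 1
        rule = acl_rule(records[level], user, access)
        if policy.combination == "first-acl":
            return rule or "deny"        # the first ACL found decides outright
        if policy.combination == "first-rule":
            if rule is not None:
                return rule              # the first entry naming the user decides
            continue                     # otherwise look at the next level
        if rule != "grant":              # "all": every ACL on the path must grant
            return "deny"
    if consulted == 0:
        return "deny" if policy.acl_required else "guardian"
    # Assumption: records were found but none named the user -> deny.
    return "grant" if policy.combination == "all" else "deny"


# Constructed example: a $DATA volume, its PAYROLL subvolume and one file in it.
RECORDS = {
    "volume": Acl().add("*.*", allow="RE"),
    "subvolume": Acl().add("ADMIN.*", allow="RWEP"),
    "filename": Acl().add("ADMIN.BOB", allow="R", deny="W"),
}

if __name__ == "__main__":
    for combo in ("first-acl", "first-rule", "all"):
        pol = Policy(direction="filename-first", combination=combo)
        print(combo, evaluate(pol, RECORDS, "ADMIN.ALICE", "W"))
```

Running the three combinations against the same records shows why the attribute matters: under first-acl the file record decides and ALICE, who is not named in it, is denied; under first-rule the subvolume entry for ADMIN.* grants her write; under all she is denied because one record on the path does not grant.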

SUN SPARC Enterprise servers

The access control attributes associated with an object are its ACL and its permission bits. The Solaris ACL model lets administrators grant a user or group specific rights that govern who can access a specific object, a group of properties, or an individual property of an object.

  • It supports MAC (mandatory access control), through Solaris Trusted Extensions. MAC-enabled systems let policy administrators implement organization-wide security policies that users cannot override or modify, either accidentally or intentionally.
  • It also supports role-based access control (RBAC). RBAC is a policy-neutral and flexible access control technology, powerful enough to simulate DAC [3] and MAC. Within an organization, roles are created for the various job functions, and the permissions to perform certain operations are assigned to roles rather than to individual users. Both SUN and IBM support it.
  • Object reuse functionality ensures that memory, other storage and file system objects are cleared (contain no residual data) when they are re-allocated or reused.

Solaris is a highly configurable UNIX-based operating system. Originally developed to meet the requirements of the C2 class of the U.S. Department of Defense (DoD) Trusted Computer System Evaluation Criteria (TCSEC), it now meets the equivalent Protection Profiles developed within the Common Criteria project.

IBM cluster servers

  • IBM cluster servers support discretionary access control (DAC), which restricts access to objects such as files and is based on access control lists (ACLs) and the standard UNIX permissions for user, group and others. Access control mechanisms also protect IPC objects from unauthorized access, and AIX additionally supports ACLs on sockets for TCP connections.
  • Base permissions are the traditional file-access modes assigned to the file owner, the file group and other users: read (r), write (w) and execute/search (x).
  • Extended permissions let the owner of a file define access to it more precisely. They modify the base permissions (owner, group, others) by permitting, denying or specifying access modes for specific users, groups, or combinations of a user and groups; an entry that names both a user and groups applies only to a process that matches all of them.

Auditing

A critical aspect of any security policy is maintaining a record of system activity so that users can be held accountable for their actions. All three platforms therefore provide audit facilities, compared below.

HP Integrity NonStop

NonStop can create audit records of attempts to access objects. When a user attempts to access an object for which auditing is enabled, the attempt is recorded in an audit file. Each record contains information such as the name of the object, the date and time of the attempt, and the user ID of the user attempting the access. Security administrators use the audit files to detect attempts to access an object. NSK can also audit attempts to access or change the authorization records of subjects or objects.

  • NSK implements two levels of control over the grouping of events and users: the system-wide global audit configuration and the per-user audit flags together constitute the audit control for operations performed by a specific user.
  • Selective auditing can be configured by user, by object, and separately for successful and failed attempts.
  • On NSK audit trails are binary files, with no data compression. The audit clear-on-purge option overwrites the data on disk when audit files are deleted.

SUN SPARC Enterprise servers

Auditing is not enabled by default in the standard Solaris Operating Environment. To configure it, the system is taken to run level 1 (single-user mode) and the Basic Security Module (BSM) is enabled with bsmconv, which turns on the audit module; the audit daemon starts after the next reboot. Auditing cannot be suspended while the system runs in standard mode; it can only be disabled through BSM (bsmunconv).

  • Solaris provides auditing of selected events for specific users. On this platform the database layer adds fine-grained auditing, which lets an organization define audit policies that specify the data-access conditions triggering an audit event, with a flexible event handler that notifies administrators when the triggering event has occurred. For example, an organization may allow HR clerks to access employee salary information but audit any access to salaries greater than $500K. The audit policy ("where SALARY > 500000") is applied to the EMPLOYEES table through an audit-policy interface (a PL/SQL package), and the event handler writes the triggering event to a special audit table for further analysis, or could activate a pager for the security administrator. IBM and HP offer no support for such granular and customizable auditing.
  • Object (file) level auditing cannot be configured in the Solaris Operating Environment.
  • No data compression of audit files.
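
The "selected events of specific users" above, like the global-plus-user audit flags described for NSK, rests on a preselection rule: on Solaris a user's effective audit mask is the flags line of audit_control plus the user's always-audit flags from audit_user, minus that user's never-audit flags. The following is an added illustration (not Sun code) of that rule; both configuration files are constructed, and CLASSES is a representative subset of the audit classes rather than the full audit_class(4) list.

```python
"""Solaris BSM audit preselection: a user's effective mask is the audit_control
flags plus the user's always-audit flags from audit_user, minus the user's
never-audit flags. Added illustration, not Sun code; both files are
constructed and CLASSES is a representative subset of audit_class(4)."""

CLASSES = {"lo", "ad", "ex", "fc", "fd", "fm", "fr", "fw", "pc", "nt"}

# Constructed /etc/security/audit_control: the system-wide flags line.
AUDIT_CONTROL = """\
dir:/var/audit
flags:lo,ad,-fw
minfree:20
naflags:lo
"""

# Constructed /etc/security/audit_user: username:always-audit:never-audit
AUDIT_USER = """\
root:ex,fm:no
jdoe:+fc:-lo,ad
"""


def apply_flags(spec, succ, fail, remove_all=False):
    """Apply a comma-separated flag list to the (succ, fail) class sets in
    order. A token may carry ^ (remove), + (successful events only) or
    - (failed events only); 'all' expands to every class and 'no' is empty.
    With remove_all=True every token removes (the never-audit field)."""
    for token in filter(None, spec.split(",")):
        remove = remove_all or token.startswith("^")
        token = token.lstrip("^")
        want_succ = not token.startswith("-")
        want_fail = not token.startswith("+")
        token = token.lstrip("+-")
        if token == "no":
            continue
        classes = CLASSES if token == "all" else {token}
        if not classes <= CLASSES:
            raise ValueError("unknown audit class: " + token)
        for target, wanted in ((succ, want_succ), (fail, want_fail)):
            if wanted:
                (target.difference_update if remove else target.update)(classes)
    return succ, fail


def user_mask(audit_control, audit_user, username):
    """Return (sorted success classes, sorted failure classes) for one user."""
    system_flags = ""
    for line in audit_control.splitlines():
        if line.startswith("flags:"):
            system_flags = line[len("flags:"):].strip()
    always = never = ""
    for line in audit_user.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, a, n = line.split(":")
        if name == username:
            always, never = a, n
    succ, fail = set(), set()
    apply_flags(system_flags, succ, fail)
    apply_flags(always, succ, fail)
    apply_flags(never, succ, fail, remove_all=True)
    return sorted(succ), sorted(fail)


if __name__ == "__main__":
    for who in ("root", "jdoe", "nobody"):
        print(who, user_mask(AUDIT_CONTROL, AUDIT_USER, who))
```

The practitioner's check is the never-audit field: in the constructed file jdoe's "-lo,ad" silently removes the administrative class from that user's mask even though it is audited system-wide, so audit_user deserves the same review as the global flags line.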

IBM cluster servers

The audit subsystem is part of the AIX operating system. AIX provides auditing of selected events for specific users, and object-level auditing can be enabled through the /etc/security/audit/objects file.

  • Audit data in binary format can be compressed; the compression uses Huffman encoding.
  • It is the administrator's task to ensure that the audit files and the audit configuration files are protected appropriately. Access to audit files within AIX is regulated by AIX's discretionary access control, so the audit trail is only as safe as the permissions and ACLs on those files.

Summary Report

Supported Security Feature | HP | SUN | IBM
Password hashing (storage) algorithms | HMAC256, DES | MD5 and Blowfish | DES
Authentication methods | OS level only | OS level, PAM | OS level, PAM
Kerberos support | Not supported | Supported | Supported
Remote access methods | Loosely coupled clusters; supports enforcement of user-defined policy | RSH, SSH, RLOGIN | RSH, RCP, RLOGIN
Database encryption method | Not supported | FIPS-certified random number generator | Password used as encryption key
Access control mechanisms | DAC, third-party legacy authorization mechanism | DAC, MAC, RBAC | DAC
Common Criteria certified | No | Yes | Yes
LDAP | Not supported | Supported | Supported
Network security features | SSL, IPsec | X.509v3 digital certificates; integration with third-party network authentication services (Kerberos, DCE, CyberSafe), token cards, biometrics and smart cards | Kerberos network authentication service, SSL, IPsec
Host-based intrusion detection and prevention | Not supported | Supported | Supported
Support for user-defined authorization policy | Yes | Yes (i5 OS) | No
Fine-grained auditing | No | Yes | No

Conclusion

The Solaris and AIX platforms clearly outdo the NonStop Kernel in the number of security features they offer. However, the NonStop Kernel security subsystem provides high availability and a provision to enforce user-defined policy, which makes it more flexible. Of the two UNIX flavors, Solaris provides better authorization control with its role-based access control mechanism. This paper has considered various security parameters for comparison and attempts to highlight the differences between the security offered by the three chosen platforms.

References

1. NSK security features: http://docs.hp.com
2. SUN SPARC security features: http://www.sun.com/
3. IBM cluster security features: http://www.ibm.com/in/
4. Common Criteria: http://www.commoncriteriaportal.org

Acronyms

DAC - Discretionary Access Control

MAC - Mandatory Access Control

RBAC - Role-Based Access Control

LDAP - Lightweight Directory Access Protocol

NSK - NonStop Kernel

ACL – Access Control List
