Fighting the threat within
- By Maggie Biggs
- Mar 25, 2001
It seems that nearly every week there are news reports of Web sites being
vandalized or a new virus making the rounds. Those external threats are
widely covered by the press, but many security breaches actually occur within
an agency's walls. That happens when staff members gain access to resourcesdata, applications, network routingthat are supposed to be off limits.
Sun Microsystems Inc.'s Solaris operating system is used by several
federal agencies and is widely regarded as more secure than many other operating
systems. Trusted Solaris 8, an extended version of the Solaris 8 operating
system, enhances security policies by enforcing multiple sensitivity levels
that limit users' access to information.
Trusted Solaris 8 adds Java tools that enable administrators to manage
Trusted Solaris systems from any computer running Solaris Management Console
2.0 software. Administrators can implement common role-based access control
that lets them manage rights attributes on Solaris 8 and Trusted Solaris
8 clients. Trusted Solaris 8 systems can also be a name server for Solaris
8 or Trusted Solaris 8 clients.
Before beginning an installation of Trusted Solaris 8, we'd recommend
planning your security strategy carefully. You can control all interaction
with programs, files and utilities on a user-by-user basis. The singular
superuser functionality found in the regular version of the Solaris operating
system is divided into multiple roles to make intrusion less likely. What's
more, you can control access to devices.
The installation of Trusted Solaris 8 is straightforward and well documented.
The configuration process will take some time, but step-by-step instructions
are included. This release is supported on both the SPARC and Intel Corp.
architectures as long as you have at least 128M of memory (more is needed
for servers and for systems that run large applications), 1G of disk space
for desktop systems and 2G of disk space for servers. We installed Trusted
Solaris 8 on a SPARC platform that had 256M of memory and 8G of disk space.
Besides the lengthy configuration process that was required to secure our
test network, Trusted Solaris 8 worked wonderfully.
We especially liked the Mandatory Access Control (MAC) functionality.
Our test environment mim-icked activities in a typical financial institution,
where transactions and information must be accessible by people with various
authorization levels. The MAC functionality let us configure account information
so that customer-service representatives and voice-response applications
had access to account balance information, while credit information on customers
was available only to the loan department.
The biggest change for administrators used to managing Solaris systems will
be the move to role-based access control. RBAC splits system management
tasks among several roles, which are quite specific and lessen the chances
of unauthorized personnel assuming superuser rights. Administrators will
need to log in as themselves and then assume one or more roles that they
are authorized to perform. That also provides a better way to audit exactly
who is doing what on the system.
Administrators can provide users with specific rights that may be outside
the normal security policies without giving unnecessary authorities in the
process. You can also combine rights in a hierarchical manner using the
Rights Manager Tool and create profiles that can be assigned to various
users or multiple administrators who perform specific functions.
Also useful is Trusted Solaris 8's support for device allocation. Administrators
can set sensitivity labels for specific devices that allow or deny their
Even windowing activities can be controlled. For example, you might let
some users copy and paste text, graphics or binary data between windows.
They can preview the data being transferred, and you can log all activity
that occurs between windows.
Our work with Trusted Solaris 8 showed that it is flexible enough to
support nearly any security requirement. Careful planning and configuration,
and regular auditswhich are supported within Trusted Solaris 8will
yield a security process that can stand up in even the most sensitive environments.
Biggs (firstname.lastname@example.org) has more than 15 years of business and IT experience
in the financial sector.