By Joab Jackson
Sun Microsystems Inc. plans to phase out its Trusted Solaris secure
operating system and replace it with security extension software that
can be used with its Open Solaris operating system, said Mark Thacker,
product line manager of Solaris security.
Open Solaris and the Solaris Trusted Extensions software will provide
the full functionality of Trusted Solaris, according to Thacker.
"This product will simply layer on top of Solaris 10. It will run on
top of any piece of hardware that Solaris 10 runs on," Thacker said.
Trusted Extensions should be available by mid-2006.
Long used by agencies with classified and sensitive data networks, the
current version of Trusted Solaris, version 8, has been certified to
Common Criteria Level 4+ Evaluation Assurance for three different
Recently, Sun submitted its Solaris 10 operating system for Common
Criteria Evaluation for two of those profiles. The Solaris Trusted
Extensions will cover the third profile and will also undergo Common
Criteria evaluation starting later this year, Thacker said.
The reason behind the rearrangement is to consolidate the code base
for Solaris, according to Thacker. Trusted Solaris has a different
operating system kernel than the more widely used Solaris 10, though
the two are similar.
When Sun upgraded Solaris to version 10, it incorporated about 85
percent of the security features in Trusted Solaris. "We took some of
the concepts in Trusted Solaris, like process rights management, user
rights profiles, [and] process containments and built them into
Solaris," Thacker said.
The major missing component was a feature called labeled security,
which applies a tag identifying the appropriate security level to each
data file. Although this feature is not widely used, it is valued by
intelligence agencies, Thacker said. It has a set of labels that map
directly to sensitivity levels from agencies such as the National
Security Agency and the Central Intelligence Agency. The labels allow
the operating system to handle the data with appropriate controls.
"Because of that classification and their relationships with one
another, I can express how data can flow up and down the chain of
command," Thacker said. The feature allows computers to handle data
from networks with differing security levels. It eliminates the need
to keep multiple computers, each for a different security level, for
each user's desk.
Trusted Extensions will include this labeled security feature.
Government users who would have purchased Trusted Solaris will instead
purchase Solaris 10 and the Solaris Trusted Extensions software.
The National Information Assurance Partnership's Common Criteria
Evaluation and Validation Scheme is a collection of Protection
Profiles and Evaluation Assurance Levels. A Protection Profile is a
list of specifications of what a system should do in a given area.
Solaris 10 is currently being evaluated against the Controlled Access
Protection Profile and the Role Based Access Control Protection
Profile, at Evaluation Assurance Level 4+. CGI Information Systems and
Management Consultants Inc. of Ottawa will conduct the evaluations.
Last Week, Red Hat Inc. of Raleigh, N.C., announced its Red Hat
Enterprise Linux was undergoing Evaluation Assurance Level 4
evaluation for IBM servers. That evaluation will include the Labeled
Security Protection Profile, the Controlled Access Protection Profile
and Role-Based Access Control Protection Profile.
The combination of Solaris 10 and the Trusted Extensions will be
available for all the platforms that Sun supports, including its own
SPARC line of processors and x86 line of AMD and Intel processors as
well, Thacker said.
InfoSec News v2.0 - Coming Soon!