Sun To Roll More Security Into Solaris 9


Solaris 9 will ship with an integrated enterprise-class firewall and role-based security, Sun Microsystems executives said Monday.

Security is a huge push with the operating system, slated to ship next quarter, said Ravi Iyer, product line manager for security and directory services.

In light of increased public awareness around security, Sun is rethinking its past strategy of targeting Trusted Solaris, a highly secure version of the operating system, only at government, intelligence and military users.

"We've seen enormous interest now from corporate customers.... The thinking seems to be 'If it's good enough for the military it's good enough for us,'" Iyer said.

With Solaris 9, some features of Trusted Solaris are being folded into the generic operating system, but for users requesting still higher levels of security, Trusted Solaris can still be layered on top. "Super secure features still will come with Trusted Solaris--things like mandatory access control and multiple levels of security," he said.

With previous Solaris releases, a manager with file and print rights would share the same root password with network administrators and database administrators. That meant that a file administrator might inadvertently change a routing table, which could bring the system down. With Solaris 9's enhanced role-based access control, the system would track changes and audit who makes what changes in order to prevent a user from doing unauthorized things to the system, inadvertently or not.

That security functionality is based on role information stored in the iPlanet directory server, which will also be shipped integrated with Solaris 9, said Bill Moffitt, Solaris product line manager.

Solaris 9 will also ship with an open-source secure shell, which promises more secure remote access and administration, Iyer said.

The operating system will also take on buffer-overflow attacks. Many of these attacks, which have been used to maliciously crack into software and Web sites, are perpetrated by using a legitimate piece of code in the application stack that has been "programmed badly," Iyer said. The Solaris 7 version of the operating system employed a switch that would disable any ability to execute that code. In the upcoming version of the OS, that switch can be activated on a compile-time basis, so an ISV or corporate developer can compile that lock-out into an application, Iyer said.

Moffitt said Solaris 9 for Sun's SPARC microprocessors is still slated to ship this spring. The Intel version remains delayed, although Sun said it continues to sell and support Solaris 8 on Intel CPUs.