Service Management Facility (SMF) services are configured separately for each Container, allowing you to turn off unneeded services in a Container such as Telnet, FTP, and even SSH, yet still allow secure access from the platform administrator's environment, called the global zone.
Containers have a strict security boundary that prevents direct inter-Container interaction.
The immutability of Solaris binaries in a sparse-root Container prevents modification of Oracle Solaris via network-based attacks.
Privileges granted to a Container are configurable, enabling a platform administrator to further restrict the abilities of a Container, or to selectively enhance the abilities of a Container.
Resource management controls can be assigned to each Container, allowing the platform administrator to limit the amount of resources that the Container can consume.
How can this combination provide unique functionality?
By default, Containers are more secure than general-purpose operating systems in many ways. For example, even the root user of a Container with a default configuration cannot modify the Container's operating system programs. This limitation prevents Trojan horse attacks that attempt to replace those programs with malicious programs. Also, a process running in a Container cannot directly modify any kernel data, nor can it modify, add, or remove kernel modules such as device drivers. Containers lack the necessary privileges to modify the operating system and its kernel, and there is no mechanism to add privileges to a running Container from within the Container or anywhere else.
By default, a Container cannot modify its own network access. It cannot change
either its IP address or its MAC address, and it cannot bring its network interface
up or down or change other parameters. It cannot modify or even view its own IP
filter rules. Also by default, a Container does not have direct access to devices, nor
can it add device access for its processes. All of those limitations thwart tactics
used by kernel and user-land rootkits, including ARP and IP spoofing, packet
sniffing, and other methods.
Even considering those measures, the ability to selectively remove privileges
can be used to further tighten a Container's security boundary. In addition, the
ability to disable network services prevents almost all network-based attacks.
This feat is very difficult to accomplish in most operating systems without making
the system unusable or unmanageable. Without SSH or Telnet service, how would
you log in to such a system?
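The three controls discussed above (per-Container SMF services, a reduced privilege set, and resource controls) are all applied from the global zone with zonecfg, zoneadm and zlogin. The script below is an added example, not taken from the book: it generates a zonecfg command file that removes two default privileges and caps memory, CPU and process count, and it generates the svcadm commands that disable Telnet, FTP and SSH inside the zone. The zone name (webzone), zonepath and the numeric limits are assumptions; the privilege names, zonecfg properties and SMF service FMRIs are the standard Solaris 10 ones. The commands are only printed unless the script is run with the argument apply on a Solaris global zone where the zone is already installed and booted.

```shell
#!/bin/sh
# Added example (not from the book): build the zonecfg command file and the
# service-disable commands that harden a non-global zone from the global zone.
# Assumptions: zone name "webzone", zonepath /zones/webzone, and the limits below.

ZONE="webzone"            # assumed zone name
ZONEPATH="/zones/$ZONE"   # assumed zone root, as seen from the global zone

# zonecfg subcommands, to be applied with: zonecfg -z "$ZONE" -f "$ZONE.cfg"
# - plain "create" yields a sparse-root zone: /lib, /platform, /sbin and /usr are
#   read-only loopback mounts from the global zone, so the zone's root user
#   cannot replace Oracle Solaris binaries.
# - limitpriv starts from the default zone privilege set and removes proc_info
#   (observe other users' processes) and proc_session (signal processes outside
#   the caller's session). The new set takes effect when the zone is (re)booted;
#   nothing inside a running zone can add a privilege back.
# - cpu-shares (needs the FSS scheduler), max-lwps, capped-memory and capped-cpu
#   bound what the zone can consume even if it is compromised.
zone_hardening_cfg() {
    cat <<EOF
create
set zonepath=$ZONEPATH
set autoboot=true
set limitpriv=default,!proc_info,!proc_session
set cpu-shares=10
set max-lwps=500
add capped-memory
set physical=512m
set swap=1g
end
add capped-cpu
set ncpus=1
end
verify
commit
EOF
}

# Commands run from the global zone that disable the network login services
# inside the zone. Administrators still reach the zone with zlogin, which is
# provided by the global zone and does not depend on any service in the zone.
zone_service_disable_cmds() {
    for svc in svc:/network/telnet:default \
               svc:/network/ftp:default \
               svc:/network/ssh:default; do
        printf 'zlogin %s svcadm disable %s\n' "$ZONE" "$svc"
    done
}

# Only apply when explicitly asked, on a Solaris global zone.
if [ "${1:-}" = "apply" ]; then
    zone_hardening_cfg > "$ZONE.cfg"
    zonecfg -z "$ZONE" -f "$ZONE.cfg"
    # The zone must already be installed and booted for zlogin to work;
    # the new limitpriv set applies at the zone's next boot.
    zone_service_disable_cmds | sh
    zlogin "$ZONE" svcs -a | grep -E 'telnet|ftp|ssh'   # confirm they show as disabled
else
    zone_hardening_cfg
    zone_service_disable_cmds
fi
```

After the zone is rebooted, a process inside it can no longer see other users' processes (proc_info) and the zone cannot exceed its memory, CPU and LWP caps. Interactive administration continues through zlogin from the global zone, which is the answer to the question of how you log in once SSH and Telnet are off.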
You can combine all of those limitations to achieve defense in depth—a strategy conceived by the U.S. National Security Agency to defend computers against