OS 2200 Security Update

Thursday, February 28, 2008
Dave Crawshaw
Agenda
• OS 2200 security
– Brief overview
– New features
• Wrap up
OS 2200 Security Update -
16/07/2015
Page 2
Introduction: Security Policies
Dorado 400 Security Policy
• Delivered with Dorado 400
• High-level statement of what’s available
on delivery
• Recommendations – subject to
customer’s security policies
• Three sections
– OS 2200 host-related
– Operations-related
– SAIL-related
OS 2200 Security: Overview
Unisys Security Offerings
• Unisys provides security products and services to meet
customer’s needs
– At the site and enterprise level
• Advisory services
• Project based services
• End user services
– At the platform level
• Platform features
• Platform services
OS 2200 Security: New Features
Security Feature Update Areas
• Authentication
• Authorization
• Security event handling
• Encryption
• Java application security
• Future directions
OS 2200 Security
Authentication
• Authentication – verify validity of a user
– User-ids and passwords
– User Authentication (FLEX) product
• Unisys supports Kerberos and NTLM
• Site supplied authorization module
– Configurable hacker frustration
• Maximum sign-on attempts
• Delayed sign-on solicitation
Enhanced User-id Timeout Tracking
• User-id is disabled after preconfigured period of inactivity
• Previously, only DEMAND/TIP signons were tracked
• Now any logon authentication (e.g., from batch or CIFS or
application using Flexible Authentication (FLEX)) keeps
the user-id from timing out
• Display products authenticating the user-id
– Via Security Manager or SIMAN
– Useful during security audits of the system
• Authentication success/failure (17006) log entry
Authorization
• Authorization – defines what legitimate users are
allowed to do
– Access control to files, applications,
transactions, database components
– Fine grained user controls using groups,
security levels, compartments, permissions
– Mandatory access control (MAC)
– Discretionary access control (DAC) includes
Access Control Records (ACRs)
Security Event Handling
• Security event logging and
auditing
– Authentication attempts
– File access attempts
– Inbound connect requests
– Etc.
• Event escalation
– Notify operator
– Send email
– Raise pager alert
• Real time
CpFTP SSL and Security Logging
• Type 810 (Sign-on Validation) log entry contains the IP address
of the FTP client
• This facilitates tracking FTP use
• SSL protocol support
• In CpFTP 3R3
Intrusion Detection
Intrusion detection is the art of detecting and responding to computer misuse.
~ Paul E. Proctor, The Practical Intrusion Detection Handbook
• Monitor security events in real time
– Detect security violations
– Detect unusual or unexpected behavior
• Correlate events
– Distill information from system, communications, Web & client services
– Recognize security violation patterns
• Notify appropriate administrators
– Report security violations as they occur
– Document violations
Stop the intruder
Comply with regulations
Satisfy auditors
Types of Intrusion Detection Systems
• Network-based IDS
– Pro - Monitoring of entire network
– Pro - Strong outsider detection and deterrence
– Con - Not viable with VPNs
– Con - Violations within host/server not visible
• Host-based IDS
– Pro - Visibility to all activity within host
– Pro - Addresses the 80% of actual losses due to computer misuse
– Pro - Good at trending and detecting suspicious behavior patterns
– Con - Each host requires protection
• Best protection uses both
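A host-based sketch of the monitor, correlate, notify loop described on the intrusion-detection slides, as an added example that is not Unisys code or part of the original deck. The entry type numbers 17006 and 810 come from the slides; the `Event` record layout, the threshold and window values, the alert names and the sample events are constructed assumptions, not the OS 2200 log format.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

AUTH_RESULT = 17006        # authentication success/failure entry (named on the slides)
SIGNON_VALIDATION = 810    # CpFTP sign-on validation entry, carries the client IP

@dataclass
class Event:               # constructed record layout, not the OS 2200 log format
    ts: int                # seconds since start of capture
    entry_type: int
    user_id: str
    success: bool
    client_ip: str = ""    # filled in only for type 810 entries

def correlate(events, threshold=3, window=300):
    """Return (kind, subject, ts) alerts from a stream of sign-on events."""
    fails_by_user = defaultdict(deque)   # user-id -> failure timestamps
    fails_by_ip = defaultdict(deque)     # client IP -> (ts, user-id) failures
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.entry_type not in (AUTH_RESULT, SIGNON_VALIDATION):
            continue
        fails = fails_by_user[ev.user_id]
        while fails and ev.ts - fails[0] > window:   # forget stale failures
            fails.popleft()
        if ev.success:
            if len(fails) >= threshold:              # guessing may have worked
                alerts.append(("success-after-failures", ev.user_id, ev.ts))
            fails.clear()
            continue
        fails.append(ev.ts)
        if len(fails) == threshold:                  # alert once per run
            alerts.append(("repeated-failures", ev.user_id, ev.ts))
        if ev.client_ip:
            seen = fails_by_ip[ev.client_ip]
            while seen and ev.ts - seen[0][0] > window:
                seen.popleft()
            before = {user for _, user in seen}
            seen.append((ev.ts, ev.user_id))
            if len(before) < threshold <= len(before | {ev.user_id}):
                alerts.append(("many-user-ids-one-ip", ev.client_ip, ev.ts))
    return alerts

SAMPLE = [  # constructed events; 203.0.113.0/24 is a documentation address range
    Event(0, AUTH_RESULT, "ALICE", False), Event(20, AUTH_RESULT, "ALICE", False),
    Event(40, AUTH_RESULT, "ALICE", False), Event(60, AUTH_RESULT, "ALICE", True),
    *[Event(100 + 10 * i, SIGNON_VALIDATION, f"U{i}", False, "203.0.113.7") for i in (1, 2, 3)],
    Event(500, AUTH_RESULT, "BOB", False), Event(510, AUTH_RESULT, "BOB", True),
]
print(correlate(SAMPLE))
```

Each alert tuple is what the escalation step (operator notice, email, pager) would be driven from; a single mistyped password followed by a success, as for BOB, raises nothing.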
Data Encryption Capabilities
• Cipher API
• SSL/TLS in CPComm
• Tape encryption
• SSH in Operations Sentinel
• OPCONN/XPS
Cipher API
• OS 2200 based
• An interface for transactions and
programs to encode plaintext and
decode ciphertext data
• Supports industry standard
cryptography algorithms
• Compatible with other platforms
• Included in 11.2 UOE and IOE for
Dorado 400
Cipher API Cryptography Algorithms
• Symmetric cryptography algorithms supported
– Data Encryption Standard (DES)
– Triple DES (3DES)
– Advanced Encryption Standard (AES)
– Various key lengths
– ECB and CBC modes
• MD5 one-way message digest algorithm supported
• Implemented according to Federal Information Processing
Standards (FIPS) requirements
– NIST Certification #372 for AES
– NIST Certification #418 for 3DES
Cipher API Hardware Accelerator
• Increased performance for bulk cryptographic requirements
– Typically 5X improvement for AES on Dorado 300
– Typically 840X improvement for 3DES on Dorado 300
– Ratio depends on data size and format
• Full-height industry standard PCI compliant 3.3V card
• Supports AES and 3DES algorithms in CBC mode
• Supported on Dorado 100 and 200 families via SCIOP
Secure Socket Layer (SSL)
• SSL data protection protocol uses encryption
– Protect the confidentiality of data
– Verify the message received is the message sent
– Authenticate the end points
• SSL in a server satisfies regulatory requirements for end-to-end protection of data
OS 2200 Communications SSL
• CPComm 2200 SSL supports SSLv3 and TLS 1.0
• 2200 SSL can be used with existing applications without
changing the applications
• SSL APIs mimic previous TCP APIs, so it is relatively easy to
upgrade applications to use secure communications
• SSL feature includes utility programs used to administer
the SSL configuration
• Implementation is based on the Internet standard RFCs
– Encryption algorithms NIST certified: RSA, DSA, RNG, 3DES,
AES, HMAC and SHA1
– Additional algorithms: RC4, DES, MD5, and Diffie-Hellman
Tape Encryption
• Sun StorageTek T10000 Encryption Drive
– Supports 256-bit AES encryption
– 120 MBps throughput
– Performance degradation ~1% with compression and encryption
• Sun StorageTek Crypto Key Management Station
– Tokens contain keys
– Token bay makes keys available to drives
– Keys always encrypted during transport
• Considering release via kit for CP OS 11.x
JVM 3R2 Security Enhancements
• Kerberos Login Module (an option in
addition to the cleartext login module)
provides a means to authenticate users using
the Kerberos network authentication protocol
• JVM provides OS 2200-specific
authentication using existing OS 2200 user-id
records, including group membership
• All authentication attempts can be recorded
in the OS 2200 system log
– Successful logins
– Failed user-id logins
– Failed password logins
– Logouts
Unisys Application Defender
• Instruments Java Enterprise Edition Web applications to
protect against vulnerabilities
– Works with JBoss and Tomcat
– For new or existing applications
– No source code changes required
– Binary code can be protected using aspect-oriented
programming (AOP)
– No application or server configuration changes are required
• Cross-platform product
• Included in all ClearPath OS 2200 operating
environment packages starting with Release 11.1
Symantec: Unisys’ Web Server, J2EE Environment, and Application Defender Products Meet Industry Best Practices
The Unisys OS 2200 Java environment is designed with “a security architecture that maps to industry best practice standards.” Furthermore, “The security features implemented within the OS 2200’s Java/JBoss/Tomcat environment allow customers to deploy applications on OS 2200 systems with confidence.”
A similar assessment by Symantec on the Unisys Application Defender also yielded an “industry best practices” rating
Future Directions
• BIS use of Cipher API
• IPv6
• IPsec
• RDMS column-by-column encryption
• Tape encryption enhancements
• Encryption key management
• Cipher API included in all IOEs (for CP OS 12 and above)
• Web Services protection and more in Application Defender 2.0
Security in OS 2200 Series Systems
• Is real
• Is effective
• Is increasing
Uncompromising
security from the
very beginning