
Best Practices for Securely Deploying the SPARC SuperCluster T4-4

by Glenn Brunette, Ramesh Nagappan, and Joel Weise

The security capabilities designed into the SPARC SuperCluster, and architectural, deployment, and operational best practices for taking advantage of them


Published July 2012

Product Security Principles
Product Security Capabilities
General Recommendations and Considerations
Conclusion
See Also
About the Authors


Oracle's SPARC SuperCluster T4-4 is a high performance, multipurpose engineered system designed, tested, and integrated to run a wide array of enterprise applications. It is well suited to many different tasks including database and application consolidation, running multitier enterprise applications, and multitenant application delivery. To realize secure architectures such as these, the SPARC SuperCluster platform offers a level of security synergy not often found in today's IT architectures. Its engineering innovation and high degree of integration provide a security potential that is truly greater than the sum of its individual components.

This article describes the security principles and capabilities of the SPARC SuperCluster platform and highlights the comprehensive set of security controls that can be employed to meet even the most challenging security demands. Each capability can be layered with the others to create reinforced security postures. Additional architectural, deployment, and operational guidance is also offered to help you understand where and how the SPARC SuperCluster platform can be integrated into an existing IT security environment.

Product Security Principles

Before discussing the individual security capabilities of the SPARC SuperCluster platform, it is important to highlight the principles that guided the development of this engineered system. Survivability, defense in depth, least privilege, and accountability sit at the very heart of the SPARC SuperCluster platform's security architecture. The platform embodies these time-tested principles and delivers a well-integrated collection of security capabilities.

Survivability

Hardware and software platforms for mission-critical workloads must be able to prevent or minimize the damage caused from both accidental and malicious actions performed by internal users or external parties. The SPARC SuperCluster platform supports the principle of survivability by:

  • Ensuring that the platform components have been designed, engineered, and tested to work well together in support of secure deployment architectures. The SPARC SuperCluster platform and its constituent products support secure isolation, access control, cryptographic services, monitoring and auditing, and quality of service as well as secure management.
  • Reducing the default attack surface of its constituent products to help minimize the overall exposure of the platform. You can then customize the security posture of the SPARC SuperCluster platform based upon your policies and needs.
  • Protecting the platform, including its operational and management interfaces, using a complement of open and vetted protocols and APIs capable of supporting the traditional security goals of strong authentication and access control, confidentiality, integrity, and availability.

Defense in Depth

The SPARC SuperCluster platform employs multiple, independent, and mutually reinforcing security controls to help you create a secure operating environment for workloads and data. Properly employed, the principle of defense in depth ensures that a layered set of defenses exist so that secure operations continue even after a vulnerability or the failure of a single security control. The SPARC SuperCluster platform supports the principle of defense in depth by:

  • Offering a strong complement of protections to secure information in transit, in use, and at rest. Security controls are available at the server, storage, network, virtualization, database, and application layers. More importantly, each layer's unique security controls can be integrated with the others to enable the creation of strong, layered security architectures.
  • Supporting the use of well-defined and open standards, protocols, and interfaces. This means that the SPARC SuperCluster platform can be integrated into existing security policies, architectures, practices, and standards. Integration such as this is critical because applications and devices do not exist in isolation, and the security of an IT architecture is only as strong as its weakest component.

Least Privilege

Ensuring that applications, services, and users have access to the capabilities they need to perform their tasks is only one side of the least-privilege coin. It is equally important to ensure that access to unnecessary capabilities, services, and interfaces is limited. The principle of least privilege is rooted in a very simple concept: do not provide capabilities that you do not want someone to use. The SPARC SuperCluster platform promotes the principle of least privilege by:

  • Ensuring that access to individual server, storage, virtualization, operating system, database, and other components is granted based upon the role of each user and administrator. The use of role-based and multifactor access control models with fine-grained privileges ensures that access can be limited to only what is needed.
  • Constraining applications so that their access to information, underlying resources, network communications, and even local or remote service access is restricted based upon need. Whether caused by an accident or malicious attack, applications, too, can misbehave, and without enforcement of least privilege, those applications might be able to cause harm far beyond their intended use.

Accountability

In most cases, it is insufficient to simply prevent a security incident. It is equally important to be able to detect the incident, report the event, and understand how it was prevented. Similarly, when an event cannot be prevented, it is imperative to detect that the event occurred so proper responses can be taken. Organizations concerned with accountability seek to answer questions such as "What security event occurred?," "When did it happen?," "Where did it take place?," "Who caused the event?," "Who was the target?," and "What was the outcome?" The SPARC SuperCluster platform supports the principle of accountability in the following ways:

  • Each component used within the SPARC SuperCluster platform supports activity auditing and monitoring, including the ability to record login and logout events, administrative actions, and, often, other events specific to each of the products. Collecting and reviewing this kind of information is an important part of maintaining secure operations and can help with root-cause analysis in the event of a security incident.
  • Two of the products used in the SPARC SuperCluster platform deserve special mention for their extensive ability to audit and monitor activity. Oracle Solaris and Oracle Database both support very fine-grained configurations when it comes to auditing. This allows you to tune audit configurations in response to your standards and goals to ensure that critical information is captured, while at the same time, minimizing the "noise" of unnecessary or inappropriate audit events.

The SPARC SuperCluster platform is an excellent option for deploying mission-critical services due to its ability to deliver on each of these security principles and others, including "secure by default" and "reduced attack surface."

Product Security Capabilities

The SPARC SuperCluster platform is a multipurpose engineered system that combines the computing power of Oracle's SPARC T4 processor, the efficient virtualization capabilities of Oracle VM Server for SPARC, the performance and scalability of Oracle Solaris, the optimized database performance of Oracle Database integrated with Oracle Exadata Storage Servers, and the innovative network-attached storage capabilities of Oracle's Sun ZFS Storage Appliance. Each of these core components is connected over a redundant InfiniBand fabric that enables low latency and high-performance network communication among all the components. In addition, a 10-Gb/sec Ethernet network is employed allowing clients to access services running on the SPARC SuperCluster platform. A 1-Gb/sec Ethernet network provides the conduit through which you can manage all the SPARC SuperCluster components. For more information on the SPARC SuperCluster architecture, see the Oracle white paper titled "A Technical Overview of the Oracle SPARC SuperCluster T4-4."

The SPARC SuperCluster platform supports a variety of full- and half-rack deployment options. Figure 1 illustrates one possible full-rack configuration.

Figure 1 - Example Full-Rack Configuration of SPARC SuperCluster

It is important to have an appreciation for the security capabilities that are exposed by each of the core components engineered into the SPARC SuperCluster architecture. To simplify the presentation of these capabilities, they have been grouped into six distinct categories, namely: secure isolation, access control, cryptographic services, monitoring and auditing, quality of service, and secure management. This list is not exhaustive, but rather it is intended to highlight the security capabilities most often employed for a layered security strategy.

Secure Isolation

Isolating services, users, data, communications, and storage is important for consolidating IT infrastructure, implementing shared service architectures, and delivering secure multitenant services. The SPARC SuperCluster platform enables secure isolation at the workload, network, database, and storage levels, giving you the flexibility to implement various isolation policies and strategies based upon your needs.

Workload Isolation

Oracle VM Server for SPARC is a classic Type 1 hypervisor that operates on bare metal and mediates access to hardware resources ensuring strong isolation between individual logical domains (domains) running on the platform. Oracle VM Server for SPARC is used to create hard partitions configured as either Oracle Database 11g Release 2 domains or general-purpose domains. Each general-purpose domain has its own virtualized CPU, memory, storage, and console as well as its own instance of an operating system. General-purpose domains can run applications supported on either the Oracle Solaris 10 or 11 operating systems (including business applications, middleware, and even databases), whereas Oracle Database 11g Release 2 domains must run Oracle Database 11g Release 2 on Oracle Solaris 11.

Oracle Solaris Zones are supported on general-purpose domains allowing you to further isolate applications running under the same operating system kernel. By design, zones offer unique capabilities that effectively and efficiently sandbox different applications running on the same operating system, protecting them from unintentional or malicious activities happening in other zones. Despite running on the same kernel, each zone has its own identity and enjoys security, resource, namespace, and process isolation. Essentially, zones provide built-in virtualization with strong isolation and flexible resource controls in a smaller CPU and memory footprint than traditional virtual machines running on Type 1 hypervisors.

While Oracle VM Server for SPARC and Oracle Solaris Zones both support application isolation goals, you are encouraged to view them as complementary technologies. Oracle VM Server for SPARC is used to isolate operating systems (into different domains), whereas Oracle Solaris Zones technology is used to isolate groups of processes. While these technologies can be used independently, their value is compounded when they are used together to deploy application workloads securely and efficiently.

Network Isolation

At the physical network level, client access is isolated from both device management and interdevice communication. Client access is provided over a redundant 10-Gb/sec Ethernet network that ensures reliable, high-speed access to services running on the platform. Similarly, management access is provided over a physically separate 1-Gb/sec Ethernet network, allowing you to create a hard separation between operational and management networks. Finally, interdevice communication is achieved over a redundant InfiniBand network to create a high-performance, low-latency backplane through which the individual devices can communicate.

To improve the isolation of network communications over the client-access Ethernet network, you are encouraged to leverage a strategy of physical isolation as well as the use of virtual LANs (VLANs) in order to compartmentalize network traffic. Similarly, when using InfiniBand, partitions can be used to achieve isolation comparable to VLANs on Ethernet. By default, the SPARC SuperCluster platform is configured with a number of InfiniBand partitions to promote isolation between database domains, network-based storage, and private clustering interconnects. Additional partitions can be used, or existing ones can be adapted, to achieve site-specific isolation goals. Further, the use of encrypted protocols over InfiniBand partitions and VLANs is recommended when confidentiality and integrity of communications must be ensured.

Both Oracle VM Server for SPARC and Oracle Solaris 11 support the notion of virtual switches and network interfaces that can be configured to provide network access to both domains and zones. In the case of Oracle VM Server for SPARC, network access is mediated by the hypervisor. Similarly, for Oracle Solaris, the use of exclusive network stacks and integrated virtual network switching, enforced by the operating system kernel, ensures that access to networks is in compliance with policy. For example, this ensures that services running in one zone are not able to snoop on the network traffic flowing in and out of other zones. In either case, the degree to which domains and zones have access to shared networks is a matter of configuration. Further, both physical and virtual network elements can be linked with existing Ethernet VLANs and IP over InfiniBand partitions integrating these physical and virtual worlds into a holistic network architecture.

Database Isolation

There are a variety of ways that database isolation can be achieved. Physical separation is generally viewed as one of the best methods and can be achieved by dedicating a single physical system to run an Oracle Database 11g Release 2 domain. Hypervisor-mediated isolation using Oracle VM Server for SPARC is a great option when database workloads must securely share physical resources with other workloads running on the same physical platform.

Another isolation strategy involves the operation of multiple database instances within the same operating system image. Multi-instance database isolation is achieved through a combination of database- and operating system-level controls, including dedicated credentials (for example, users, groups, roles, and so on), dedicated tablespaces, and resource controls.

The Oracle Database Vault option includes a mandatory access control model to enforce isolation using logical realms within a single database. Logical realms form a protective boundary around existing application tables by blocking administrative accounts from having ad-hoc access to application data. Similarly, Oracle Database Vault command rules enable policy-based controls that limit when, where, how, and by whom the database and application data are accessed, creating a trusted path to application data. Oracle Database Vault factors can be employed to further restrict access based upon time of access, source IP address, and other criteria.

The Oracle Virtual Private Database capability enables the creation of policies that enforce fine-grained access to database tables and views at the row and column levels. Oracle Virtual Private Database provides security portability because policies are associated with database objects and are automatically applied no matter how the data is accessed. Oracle Virtual Private Database can, therefore, be used to provide isolation at the database tablespace level.

Finally, the Oracle Label Security option is used to classify data and mediate access to that data based upon its classification. You can define classification strategies that best support your needs, whether they are hierarchical or disjoint. This capability allows information stored at different classification levels to be isolated at the row level within a single tablespace.
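As an added example (not code from this article or from Oracle), the two database-level isolation controls described above: an Oracle Database Vault realm that fences an application schema off from ad-hoc administrative access, and a Virtual Private Database policy that restricts rows to the caller's tenant. The schema APPOWNER, table ORDERS, role APP_ROLE, and the context, package, and function names are assumed; the Database Vault calls must be run by a user holding DV_OWNER, the VPD calls by a user with EXECUTE on DBMS_RLS.

```sql
-- Added example: Database Vault realm + command rule, then a VPD policy.
-- APPOWNER, ORDERS, APP_ROLE and the context/package names are assumed.

-- 1. Database Vault (run as a DV_OWNER user).
BEGIN
  -- A realm around the whole APPOWNER schema. Accounts holding system
  -- privileges such as SELECT ANY TABLE are blocked unless they are
  -- authorized in the realm; failed attempts are audited.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Order Application Realm',
    description   => 'Blocks ad-hoc DBA access to APPOWNER objects',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Order Application Realm',
    object_owner => 'APPOWNER',
    object_name  => '%',
    object_type  => '%');

  -- Only the application role may use the protected objects.
  -- A NULL rule set means the authorization always applies.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Order Application Realm',
    grantee       => 'APP_ROLE',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- Command rule: DROP TABLE on APPOWNER objects is never permitted
  -- (the built-in 'Disabled' rule set always evaluates to false).
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DROP TABLE',
    rule_set_name => 'Disabled',
    object_owner  => 'APPOWNER',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- 2. Virtual Private Database: row-level isolation keyed on the tenant
--    id stored in an application context.
CREATE OR REPLACE CONTEXT tenant_ctx USING appowner.tenant_ctx_pkg;

-- Only this package may set the context; grant EXECUTE on it to the
-- application account alone.
CREATE OR REPLACE PACKAGE appowner.tenant_ctx_pkg AS
  PROCEDURE set_tenant(p_tenant_id IN NUMBER);
END tenant_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY appowner.tenant_ctx_pkg AS
  PROCEDURE set_tenant(p_tenant_id IN NUMBER) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('tenant_ctx', 'tenant_id', TO_CHAR(p_tenant_id));
  END set_tenant;
END tenant_ctx_pkg;
/

-- Policy function: returns the predicate the kernel appends to each
-- statement against ORDERS. With no tenant set it fails closed (no rows)
-- rather than falling open.
CREATE OR REPLACE FUNCTION appowner.tenant_predicate(
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  IF SYS_CONTEXT('tenant_ctx', 'tenant_id') IS NULL THEN
    RETURN '1=0';
  END IF;
  RETURN 'tenant_id = TO_NUMBER(SYS_CONTEXT(''tenant_ctx'', ''tenant_id''))';
END tenant_predicate;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APPOWNER',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_TENANT_ISOLATION',
    function_schema => 'APPOWNER',
    policy_function => 'TENANT_PREDICATE',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE,   -- inserted/updated rows must also match
    policy_type     => DBMS_RLS.CONTEXT_SENSITIVE);
END;
/
```

Because the policy is attached to the table, the predicate is applied regardless of the tool or path used to reach ORDERS, which is the "security portability" the text refers to.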

Storage Isolation

The Oracle Exadata Storage Servers are isolated from the rest of the architecture through InfiniBand partitioning. By default, these cells are assigned to a partition that is accessible only by Oracle Database 11g Release 2 domains. The storage managed by the Oracle Exadata Storage Servers can be further subdivided using Oracle's Automatic Storage Management facility to create individual realms that each can have their own security policies.

The Sun ZFS Storage Appliance leverages a similar strategy by using InfiniBand partitions to isolate the domains and zones with which it is able to communicate. By default, the Sun ZFS Storage Appliance is placed into its own InfiniBand partition, separate from the Oracle Exadata Storage Servers. The use of ZFS pools, data sets, and volumes allows you to further carve up storage into more granular units that can have their own security policies.

Access Control

Controlling access to systems, services, and information is paramount. You need to be able to define flexible access policies to ensure that users and administrators have the right levels of access available to them at the right time. To protect application data, workloads, and the underlying infrastructure on which it all runs, the SPARC SuperCluster offers comprehensive yet flexible access control capabilities for both users and administrators.

Workload Access Control

Oracle Solaris includes a variety of methods to authenticate users accessing system services. While traditional username and password pairs are still widely used, stronger methods of authentication can be easily integrated using the Oracle Solaris pluggable authentication modules (PAM) architecture, allowing the use of LDAP, Kerberos, and public key authentication. The framework can further be extended to enable the use of smart cards, secure tokens, and other devices, enabling Oracle Solaris to be integrated into an existing identity and access management architecture.

Oracle Solaris supports a comprehensive role-based access control (RBAC) facility that allows you to delegate user and administrative access based upon need. Eliminating the notion of an all-powerful superuser, the RBAC capability in Oracle Solaris enables separation of duty and supports the notion of administrative roles, authorizations, fine-grained privileges, and rights profiles that collectively are used to assign rights to users and administrators. RBAC is integrated with other core Oracle Solaris services, including the Oracle Solaris Service Management Framework and Oracle Solaris Zones, to provide a consistent architecture to support all operating system–level access control needs.

Further, Oracle VM Server for SPARC leverages the RBAC capability in Oracle Solaris as a foundation for its access control architecture, allowing you to manage, control, and audit operating system and virtualization management access from a centralized authority.

Network Access Control

Beyond simple network-level isolation, fine-grained access control policies can be instituted at the device level. All of the devices in the SPARC SuperCluster platform include the ability to limit network access to services either using architectural methods (for example, network isolation) or using packet filtering and/or access control lists to limit communication to, from, and between physical and virtual devices as well as to the services exposed by the platform.

Oracle Solaris supports a "secure by default" posture where no network services except Secure Shell are enabled to accept inbound network traffic. Other enabled network services listen internally for requests within the Oracle Solaris operating system (or zone). This ensures that all network services are disabled by default or are set to listen for local system communications only. You are free to customize this configuration based upon your requirements.

When using Ethernet or IP over InfiniBand, Oracle Solaris supports network- and transport-layer (stateful) packet filtering using the Oracle Solaris IP Filter feature. IP Filter offers a wide array of host-based network capabilities including stateful packet filtering, network address translation, and port address translation.

Database Access Control

At the operating system level, it is important to use different accounts to ensure job role separation for database instances and storage administrators, including those supporting Oracle Automatic Storage Management functions. Within Oracle Database, users can be assigned specific privileges and roles to ensure users have access to only those data objects to which they are authorized. This keeps data from being shared across databases or among schemas unless explicitly permitted.

In addition to the password-based authentication available in Oracle Database, the Oracle Advanced Security option enables you to implement strong authentication using public key credentials or by leveraging an existing RADIUS or Kerberos infrastructure. Further, using Oracle Enterprise User Security, the database can also be integrated with existing LDAP repositories for authentication and authorization. Collectively, these capabilities can be used to provide higher assurance of the identity of users connecting to the database.

Oracle Database Vault can be used to manage administrative and privileged user access, controlling how, when, and where application data can be accessed. Oracle Database Vault protects against misuse of stolen login credentials, application bypass, and unauthorized changes to applications and data, including attempts to make copies of application data. Oracle Database Vault is transparent to most applications and day-to-day tasks, and it can support multifactor authorization policies, allowing for secure enforcement of policy without disrupting business operations.

Separation of duties is also critical at every layer of the architecture to reduce the risk of collusive behavior and prevent inadvertent errors. Oracle Database Vault has the ability to enforce separation of duties to ensure that account management, security administration, resource management, and other functions are granted only to those users authorized to have those privileges.

Storage Access Control

To minimize the attack surface, the Oracle Exadata Storage Servers and the Sun ZFS Storage Appliance do not support administration or customization outside of their management interfaces. There are no users defined on these systems, and it is expected that these devices will be viewed as fixed-function appliances that have been optimized and hardened for their specific purpose.

Oracle Automatic Storage Management, available on the Oracle Exadata Storage Servers, supports three access control modes: open security, Oracle Automatic Storage Management–scoped security, and database-scoped security.

Open security, as the name suggests, allows any database to access any of the disks managed by Oracle Automatic Storage Management. Oracle Automatic Storage Management–scoped security, on the other hand, allows multiple databases assigned to one or more Oracle Automatic Storage Management clusters to share specific disks. Database-scoped security, the most fine-grained level of access control, ensures that only specific databases are able to access specific disks. While you are encouraged to select the most appropriate model for your situation, it should be noted that it is not recommended to mix Oracle Automatic Storage Management–scoped and database-scoped security in the same environment.

In addition to its overall access control mode, Oracle Automatic Storage Management also supports the assignment of access controls at the disk group and file level to ensure that access to content stored on disk is available only to authorized users. Of course, if you are concerned about the confidentiality of stored database content, database (tablespace or column-level) encryption should be considered.

The Sun ZFS Storage Appliance supports a wide array of access control policies that can be applied at the data set and volume level for individual users and groups. Further, when storage is shared by the Sun ZFS Storage Appliance, additional access controls implemented by the sharing protocol (for example, NFS) can also be applied to further limit access to authorized systems, services, and users.

Cryptographic Services

The requirement to protect and validate information at rest, in transit, and in use often is grounded upon the use of cryptographic services. From encryption and decryption to digital fingerprint and certificate validation, cryptography is one of the most widely deployed security controls in modern IT organizations. The SPARC SuperCluster includes a wealth of capabilities to deliver complete, efficient, and high-performance end-to-end cryptography.

Workload Cryptographic Services

The SPARC T4 processor has been designed with integrated on-chip cryptographic acceleration to enable strong cryptographic services without sacrificing performance. The SPARC T4 processor can accelerate the performance of 16 industry-standard cryptographic algorithms in addition to securely generating random numbers. These capabilities can be delivered to operating systems running directly on SPARC T4 processors or passed through individual domains created using Oracle VM Server for SPARC.

Oracle Solaris, by default, takes advantage of the SPARC T4 processor (directly or virtually through Oracle VM Server for SPARC) for highly efficient cryptographic operations processed through the Oracle Solaris Cryptographic Framework. This shared framework is a gathering point for services providing or using cryptography in Oracle Solaris. Using the Oracle Solaris Cryptographic Framework, users, applications, and services can be assured that they are not only using the most optimized algorithms but that they also seamlessly leverage hardware cryptographic acceleration as well as hardware security modules (when used). Oracle Solaris supports a full complement of cryptographic services including Secure Shell, IPsec/IKE, Kerberos, and ZFS encryption. It also includes integrations that allow applications using OpenSSL or Java to use this common framework, including any available cryptographic acceleration.

Network Cryptographic Services

While InfiniBand partitioning is supported by Oracle Solaris for network isolation, the confidentiality and integrity of communications over an InfiniBand partition should be protected using a cryptographically secure protocol. For example, Secure Shell provides secure administrative access to systems and ILOMs, IPsec/IKE (using IP over InfiniBand) can protect communications between domains or zones, and SSL/TLS can enable secure communications between applications and other services.

Oracle Solaris includes a kernel-based SSL (KSSL) service that provides a highly optimized SSL proxy for applications running on the platform. KSSL can be used to SSL-enable applications lacking that functionality or as a replacement for functionality within the application that might not be able to yield the same performance benefits. As with everything in Oracle Solaris, KSSL is able to automatically leverage the underlying hardware-assisted cryptographic capabilities of the SPARC T4 processor.

Database Cryptographic Services

The Oracle Advanced Security option encrypts information in the database using its transparent data encryption (TDE) functionality. TDE supports both the encryption of application tablespaces as well as the encryption of individual columns within a table. Data that is stored in temporary tablespaces as well as redo logs is also encrypted. Even when the database is backed up, the data remains encrypted on destination media, protecting information at rest no matter where it is physically stored.

The Oracle Advanced Security option (including TDE) is able to take advantage of the cryptographic acceleration capabilities of the SPARC T4 processor. This allows you to protect information without having to incur the significant performance penalties typically associated with software-only encryption methods.

The Oracle Advanced Security option can also be used to encrypt SQL*Net and JDBC traffic using either native encryption or SSL to protect information while it flows over a network. Both administrative and application connections can be protected using this mechanism, ensuring that data in motion is protected. The SSL implementation supports the standard set of authentication methods including anonymous authentication (Diffie-Hellman), server-only authentication using X.509 certificates, and mutual (client-server) authentication with X.509.
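The following is an added example (not code from this article or from Oracle) of the TDE options just described on Oracle Database 11g Release 2, tablespace-level and column-level, followed by a query that confirms SQL*Net encryption is active for the current session. The APPOWNER schema and its tables, the +DATA disk group, and the wallet password are placeholders.

```sql
-- Added example: tablespace and column TDE on Oracle Database 11g R2,
-- plus a check that SQL*Net encryption is active for the session.
-- APPOWNER.CUSTOMERS, APPOWNER.PAYMENTS, the +DATA disk group and the
-- wallet password are placeholders.

-- 1. Create the wallet and the master encryption key (11gR2 syntax).
--    The wallet directory comes from ENCRYPTION_WALLET_LOCATION in
--    sqlnet.ora; keep it on storage separate from the datafiles and
--    out of the database backups, or the backups carry their own key.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_password_placeholder";

-- After a restart the wallet must be opened before encrypted data is
-- readable (unless an auto-login wallet is configured):
--   ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "...";

-- 2. Tablespace encryption: every block in the tablespace is encrypted,
--    which also covers the blocks as they spill to temp, redo and backup.
CREATE TABLESPACE app_secure
  DATAFILE '+DATA' SIZE 200M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

CREATE TABLE appowner.customers (
  customer_id  NUMBER PRIMARY KEY,
  tenant_id    NUMBER NOT NULL,
  full_name    VARCHAR2(100),
  card_number  VARCHAR2(19)
) TABLESPACE app_secure;

-- 3. Column encryption, for an existing table (assumed) that must stay
--    in an unencrypted tablespace. NO SALT keeps the column indexable;
--    the default (SALT) resists pattern matching on repeated values but
--    the column then cannot be indexed.
ALTER TABLE appowner.payments
  MODIFY (card_number ENCRYPT USING 'AES256' NO SALT);

-- 4. Verification: wallet state, encrypted tablespaces and columns.
SELECT wrl_type, status FROM v$encryption_wallet;
SELECT tablespace_name, encrypted
  FROM dba_tablespaces WHERE tablespace_name = 'APP_SECURE';
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;

-- 5. Data in motion: confirm this session negotiated SQL*Net encryption
--    (requires SQLNET.ENCRYPTION_SERVER = REQUIRED in the server's
--    sqlnet.ora). The banner lines name the cipher and checksum in use.
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID');
```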

Monitoring and Auditing

Whether for compliance reporting or incident response, monitoring and auditing is a critical function for gaining increased visibility into an IT environment. The degree to which monitoring and auditing is employed is often based upon the risk or criticality of the environment being protected. The SPARC SuperCluster platform has been designed to offer comprehensive monitoring and auditing functionality at the compute, network, database, and storage layers ensuring that a wealth of information can be made available in support of audit and compliance requirements.

Workload Monitoring and Auditing

Oracle Solaris has a very comprehensive auditing facility that can monitor administrative actions, command-line invocations, and even individual kernel-level system calls. This facility is highly configurable, offering global, per-zone and even per-user auditing policies. When configured to use Oracle Solaris Zones, audit records for each zone can be stored in the global zone to protect them from tampering. Further, Oracle Solaris auditing supports the ability to send audit records to remote collection points using the system log (syslog) facility. Additionally, many commercial intrusion detection and prevention services can consume Oracle Solaris audit records as an additional input for their analysis and reporting.

Oracle VM Server for SPARC leverages the native Oracle Solaris auditing facility to record actions and events associated with virtualization events and domain administration. Similar to how Oracle VM Server for SPARC uses the Oracle Solaris RBAC facility for centralized access management, Oracle Solaris auditing is used to provide a centralized approach for audit record generation, management, and reporting.

Database Monitoring and Auditing

Oracle Database supports the notion of fine-grained auditing, which allows you to establish policies that more selectively determine when audit records are generated. This helps you to focus on more-interesting database activities and reduce the clutter that is often associated with audit activities.
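As an added example (not code from this article or from Oracle), a fine-grained auditing policy in the spirit of the paragraph above: it records only direct access to one sensitive column by anyone other than the application's own service account, and attaches a handler so that each hit raises an alert immediately rather than waiting for a report run. APPOWNER.CUSTOMERS, its CARD_NUMBER column, the APP_SVC account, and the SECADM schema are assumed names.

```sql
-- Added example: a fine-grained auditing policy that records only direct
-- access to a sensitive column, with a handler that raises an alert
-- immediately. APPOWNER.CUSTOMERS, CARD_NUMBER, the APP_SVC account and
-- the SECADM schema are assumed.

-- Alert table and handler owned by a security-administration schema.
CREATE TABLE secadm.fga_alerts (
  fired_at    TIMESTAMP,
  db_user     VARCHAR2(128),
  userhost    VARCHAR2(128),
  object_name VARCHAR2(128),
  policy_name VARCHAR2(128)
);

-- The handler signature (schema, object, policy) is fixed by DBMS_FGA.
-- The autonomous transaction lets the alert commit even if the audited
-- statement is later rolled back.
CREATE OR REPLACE PROCEDURE secadm.card_access_alert(
  p_schema IN VARCHAR2, p_object IN VARCHAR2, p_policy IN VARCHAR2) IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO secadm.fga_alerts
    (fired_at, db_user, userhost, object_name, policy_name)
  VALUES
    (SYSTIMESTAMP, SYS_CONTEXT('USERENV', 'SESSION_USER'),
     SYS_CONTEXT('USERENV', 'HOST'), p_object, p_policy);
  COMMIT;
END card_access_alert;
/

BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'APPOWNER',
    object_name       => 'CUSTOMERS',
    policy_name       => 'CUST_CARD_DIRECT_ACCESS',
    -- Audit only sessions that are not the application service account,
    -- i.e. ad-hoc or tool-based access that bypasses the application.
    audit_condition   => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''APP_SVC''',
    -- ...and only statements that actually touch the sensitive column.
    audit_column      => 'CARD_NUMBER',
    handler_schema    => 'SECADM',
    handler_module    => 'CARD_ACCESS_ALERT',
    enable            => TRUE,
    statement_types   => 'SELECT,UPDATE,DELETE',
    -- EXTENDED keeps the SQL text and bind values with each record.
    audit_trail       => DBMS_FGA.DB + DBMS_FGA.EXTENDED,
    audit_column_opts => DBMS_FGA.ANY_COLUMNS);
END;
/

-- What was captured: who, from where, when, and the exact statement.
SELECT db_user, os_user, userhost, timestamp, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE policy_name = 'CUST_CARD_DIRECT_ACCESS'
 ORDER BY timestamp DESC;
```

The audit_condition and audit_column together are what keep the trail small: routine application reads of CUSTOMERS produce no record at all.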

Oracle Audit Vault centralizes the management of database audit settings and automates the consolidation of audit data into a secure repository. Oracle Audit Vault includes built-in reporting to monitor a wide range of activities including privileged user activity and changes to database structures. The reports generated by Oracle Audit Vault enable visibility into various application and administrative database activities and provide detailed information to support accountability of actions.

Oracle Audit Vault also enables the proactive detection and alerting of activities that might indicate attempts of unauthorized access or abuse of system privileges. These alerts can include both system and user-defined events and conditions, such as the creation of privileged user accounts or the modification of tables containing sensitive information.

The Oracle Database Firewall Remote Monitor can reside on an Oracle Database 11g Release 2 domain to provide real-time database security monitoring by interrogating database connections to detect malicious traffic including application bypass, unauthorized activity, SQL injection, and other threats. Using a highly accurate SQL grammar-based approach, Oracle Database Firewall can help you to quickly identify suspicious database activity.

Quality of Service

Not every attack on an application aims to breach a boundary or subvert an access control policy. Availability of applications and information is itself a core IT security property, alongside confidentiality and integrity. The SPARC SuperCluster platform provides a number of capabilities that help detect and prevent resource exhaustion, denial of service attacks, and accidental or intentional faults that can impact the availability of services and data.

Workload Quality of Service

Oracle VM Server for SPARC supports the dynamic reconfiguration of virtual CPUs, memory, and physical I/O devices. This allows you to quickly respond to changes in demand, shifting resources to where they are needed. Further, by defining resource policies for each domain, you can ensure that activity in one domain will not starve other domains of their needed resources.

Similarly, Oracle Solaris has an array of dynamic resource controls that can be applied globally as well as at the zone, project, task, or process level. As with Oracle VM Server for SPARC, resource controls can limit CPU and memory consumption, cap core file size, and bound the number of processes, file descriptors, and many other parameters. Depending on your configuration and needs, one or more of these controls can be set so that applications and services running in Oracle Solaris, including in zones, consume only their fair share of resources and cannot adversely impact other services on the system. In addition, Oracle Solaris 11 can enforce bandwidth limits on data links (such as virtual NICs) and on user-defined traffic flows, so limits can be applied to network traffic selected by predefined packet attributes.
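The domain- and zone-level controls described in the two paragraphs above, as an added example that is not part of the original article: a shell script that resizes a logical domain with ldm(1M), caps a zone's CPU, memory, and process counts through zonecfg(1M) (with prctl(1) and rcapadm(1M) applying the same limits to a zone that is already running, so no reboot is needed), and creates a resource-controlled project for a database owner. The domain, zone, project, and user names and the numeric limits are placeholders. Core file size is capped to zero for the project as a confidentiality measure: a core dump of a database or application process can contain credentials and decrypted data. DRY_RUN=1, the default, prints the commands (quoting arguments that contain spaces) instead of running them.

```sh
#!/bin/sh
# Added example (not from the article): workload resource controls on a
# SPARC SuperCluster node. DRY_RUN=1 (default) prints the commands.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" != 1 ]; then "$@"; return; fi
    for arg in "$@"; do
        case $arg in *" "*) printf "'%s' " "$arg" ;; *) printf '%s ' "$arg" ;; esac
    done
    printf '\n'
}

# Dynamic reconfiguration of a logical domain: fix its virtual CPU and memory
# allocation so a runaway tenant cannot grow into resources owned by other domains.
# Usage: size_domain DOMAIN VCPUS MEMORY   (e.g. size_domain appdom 16 64G)
size_domain() {
    run ldm set-vcpu "$2" "$1"
    run ldm set-memory "$3" "$1"
}

# Zone caps: CPU (capped-cpu, in whole CPUs), physical/swap memory, and
# process/LWP counts. zone.cpu-cap is expressed in percent, so 4 CPUs = 400.
# Usage: cap_zone ZONE NCPUS PHYSMEM MAXPROC
cap_zone() {
    zone=$1; ncpus=$2; physmem=$3; maxproc=$4
    run zonecfg -z "$zone" "add capped-cpu; set ncpus=$ncpus; end; \
add capped-memory; set physical=$physmem; set swap=$physmem; end; \
set max-processes=$maxproc; set max-lwps=$((maxproc * 4))"
    # Apply the same limits to the running zone without a reboot.
    run prctl -n zone.cpu-cap -v "$((ncpus * 100))" -r -i zone "$zone"
    run prctl -n zone.max-processes -v "$maxproc" -r -i zone "$zone"
    run prctl -n zone.max-lwps -v "$((maxproc * 4))" -r -i zone "$zone"
    run rcapadm -z "$zone" -m "$physmem"
}

# Project for a database owner: shared-memory ceiling, file-descriptor limit,
# and core dumps denied (core files can hold keys and decrypted data).
# Usage: add_db_project PROJECT USER SHMLIMIT
add_db_project() {
    run projadd -c "database instance" -U "$2" \
        -K "project.max-shm-memory=(priv,$3,deny)" \
        -K "process.max-file-descriptor=(basic,65536,deny)" \
        -K "process.max-core-size=(priv,0,deny)" \
        "$1"
}

size_domain appdom 16 64G
cap_zone app1 4 8G 2000
add_db_project oracle_db oracle 16G
```

Verify the running values afterwards with prctl -n zone.cpu-cap -i zone app1 and rcapstat -z; the zonecfg changes persist across zone reboots, the prctl and rcapadm settings take effect immediately. A process cap that is too low turns into an availability problem of its own (fork failures), so size max-processes from observed peak usage plus headroom rather than from a guess.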

For applications running in general-purpose domains, Oracle Solaris Cluster is often used to implement failover or clustering for individual zones or domains. Oracle Solaris Cluster can help you reach survivability goals by ensuring that mission-critical services are monitored and restarted upon a failure. Based upon your defined policy, a failed service can be restarted locally or on another node in the cluster.

Network Quality of Service

Each component of the SPARC SuperCluster platform is configured to have multiple InfiniBand network interfaces. Further, the platform includes redundant InfiniBand switches allowing each component to be connected to each switch. Each component's InfiniBand interfaces are bonded together to form a single virtual interface allowing the component to continue operation even if a single interface or switch fails.

Similarly, each SPARC T4-4 node in the SPARC SuperCluster platform includes multiple 10-Gb/sec Ethernet interfaces connected to the client-access network and multiple 1-Gb/sec Ethernet interfaces for management communications. These nodes can leverage Oracle Solaris IP Multipathing (IPMP) and IEEE 802.3ad Link Aggregation for Ethernet redundancy, helping to ensure continuous network connectivity even if a single Ethernet interface or switch fails.

Oracle Solaris 11 also supports a variety of network-level resource controls that allow you to define bandwidth limits at various data-link levels, including virtual and physical NICs, link aggregations, and IP over InfiniBand. These limits can be applied to all, or just a subset of, traffic flowing through those elements. This allows you to categorize and prioritize network traffic to ensure that higher priority traffic is favored over less important traffic flows.
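The redundancy and bandwidth controls described in the three paragraphs above, as an added example not found in the original article: a shell script that builds an IEEE 802.3ad (LACP) aggregation over two 10 Gb/sec client-access ports, an IPMP group over two 1 Gb/sec management ports, a bandwidth-capped VNIC for a tenant zone on the aggregation, and a flow that caps and prioritizes database listener traffic on that aggregation. Link names (net0 through net3), addresses, the VNIC and flow names, and the limits are placeholders for a real node's layout; the command forms follow the Oracle Solaris 11 dladm(1M), ipadm(1M), and flowadm(1M) man pages and should be confirmed against your release. DRY_RUN=1, the default, prints the commands.

```sh
#!/bin/sh
# Added example (not from the article): Ethernet redundancy and data-link
# bandwidth controls with Oracle Solaris 11 dladm/ipadm/flowadm.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" != 1 ]; then "$@"; return; fi
    for arg in "$@"; do
        case $arg in *" "*) printf "'%s' " "$arg" ;; *) printf '%s ' "$arg" ;; esac
    done
    printf '\n'
}

# 802.3ad aggregation of the 10GbE client-access ports. The upstream switch
# ports must be configured for LACP; without that, use IPMP instead.
# Usage: make_aggr AGGR LINK1 LINK2 ADDR/PREFIX
make_aggr() {
    run dladm create-aggr -L active -l "$2" -l "$3" "$1"
    run ipadm create-ip "$1"
    run ipadm create-addr -T static -a "$4" "$1/v4"
}

# IPMP group of the 1GbE management ports. Failover is handled by the host,
# so it works with any pair of switches and needs no switch-side setup.
# Usage: make_ipmp GROUP LINK1 LINK2 ADDR/PREFIX
make_ipmp() {
    run ipadm create-ip "$2"
    run ipadm create-ip "$3"
    run ipadm create-ipmp -i "$2,$3" "$1"
    run ipadm create-addr -T static -a "$4" "$1/v4"
}

# Bandwidth-capped VNIC for a tenant zone on the aggregation.
# Usage: make_tenant_vnic VNIC AGGR MAXBW
make_tenant_vnic() {
    run dladm create-vnic -l "$2" -p "maxbw=$3" "$1"
}

# Flow for database listener traffic: a bandwidth cap plus high priority, so
# bulk transfers sharing the link cannot starve client connections.
# Usage: prioritize_db_flow FLOW LINK PORT MAXBW
prioritize_db_flow() {
    run flowadm add-flow -l "$2" -a "transport=tcp,local_port=$3" \
        -p "maxbw=$4,priority=high" "$1"
}

make_aggr aggr0 net0 net1 192.0.2.20/24
make_ipmp mgmt0 net2 net3 192.0.2.10/24
make_tenant_vnic tenant1 aggr0 2G
prioritize_db_flow dblistener aggr0 1521 4G
```

Check the result with dladm show-aggr -x, ipmpstat -g, dladm show-linkprop -p maxbw, and flowadm show-flow. Test failover by pulling one cable or disabling one switch port while a connection is open; a redundancy configuration that has never been failed over deliberately has not been tested.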

Database Quality of Service

Oracle Real Application Clusters (Oracle RAC) can be used to create a clustered database with a shared cache architecture that overcomes some of the traditional limitations of shared-nothing models. As a result, Oracle RAC can be used to enable highly scalable and available database architectures.

Oracle Database Quality of Service Management is an automated, policy-based solution that monitors the workload requests of an entire system. Quality of Service Management correlates accurate runtime performance and resource metrics, analyzes the data to identify bottlenecks, and produces recommended resource adjustments to maintain performance objectives under dynamic load conditions.

In addition, Oracle Database includes a variety of tools that let multiple databases coexist under the same operating system. Oracle Database Resource Manager and Instance Caging, for example, dynamically control access to CPU resources in a fine-grained way so that each workload running in the database gets its fair share of compute resources. Oracle Database Resource Manager can also control the degree of parallelism, the number of active sessions, and other shared resources, preventing one database or consumer group from monopolizing resources that others need in a shared database architecture.

Storage Quality of Service

To ensure reliable, high-performance access to databases stored on Oracle Exadata Storage Servers, Oracle Automatic Storage Management (Oracle ASM) offers several mirroring options for disk groups: normal redundancy (two-way mirroring), high redundancy (three-way mirroring), and external redundancy (no ASM mirroring). Organizations typically choose external redundancy only when the storage is already mirrored or otherwise protected at the hardware level. In addition to mirroring, Oracle ASM supports failure groups, which ensure that the copies of a mirrored extent are placed on different Oracle Exadata Storage Servers; each storage server forms its own failure group, so the loss of an entire server does not take both copies with it.

The I/O Resource Manager is available as part of the Oracle Exadata Storage Server and is used to manage inter- and intra-database I/O resources. This allows not only different databases with different performance requirements to share a common Oracle Exadata Storage Server pool, but even multiple workloads within the same database can have their own resource policies. This flexible architecture ensures that critical workloads and databases are not I/O-constrained when operating on a consolidated architecture.

Security Management

Having collections of security controls and capabilities is necessary to properly secure individual applications and services. However, it is equally important to have comprehensive management capabilities that assist in sustaining the security of the deployed services and systems. The SPARC SuperCluster leverages the security management capabilities of a variety of products including Oracle Integrated Lights Out Manager (Oracle ILOM), Oracle Enterprise Manager Ops Center, Oracle Enterprise Manager, and Oracle Identity Management.

Oracle ILOM

Oracle ILOM is the service processor firmware embedded in the SPARC SuperCluster's compute and storage servers. It is used for out-of-band management: it remains reachable over the dedicated management network even when the host operating system is down or being reinstalled.

Oracle ILOM offers a variety of secure mechanisms for lights out management of compute and storage servers, including Web-based access protected by SSL/TLS, command-line access using Secure Shell, IPMI v2.0, and SNMPv3. These interfaces should be exposed only on the dedicated management network, and the unencrypted or weakly authenticated variants (plain HTTP, SNMP v1 and v2c) should be disabled where they are not required.

Oracle ILOM supports separation of duty requirements using a role-based access control model. Individual users are assigned to specific roles that limit the functions that can be performed. In this manner, you can decide which users need full administrative access versus those that simply need the ability to audit Oracle ILOM settings (read-only access), access remote host consoles, or control host power.

To ensure accountability, Oracle ILOM records all logins and configuration changes. Each audit log entry notes the user performing the action as well as a time stamp. This allows you to detect unauthorized activity and changes as well as attribute those actions back to specific users.
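The role model and accountability features described above, as an added example not from the original article: a shell script that provisions Oracle ILOM accounts over SSH with only the role letters each duty needs, disables the plain HTTP and SNMP v1/v2c services, points the service processor at an NTP server so that its audit-log timestamps line up with the rest of the environment, and pulls the audit log for review. The ILOM hostname, account names, passwords, and NTP address are placeholders, and the CLI forms used (create /SP/users/NAME role=... password=..., the /SP/services and /SP/clients/ntp targets, show /SP/logs/audit/list) are assumed from Oracle ILOM 3.x and should be confirmed against the ILOM version on your servers. DRY_RUN=1, the default, prints the commands.

```sh
#!/bin/sh
# Added example (not from the article): Oracle ILOM account provisioning with
# least-privilege roles, service hardening, and audit-log retrieval over SSH.
DRY_RUN=${DRY_RUN:-1}
ILOM_HOST=${ILOM_HOST:-ilom-db01.example.com}   # assumed service-processor hostname
ILOM_ADMIN=${ILOM_ADMIN:-root}                   # account used to run the commands

run() {
    if [ "$DRY_RUN" != 1 ]; then "$@"; return; fi
    for arg in "$@"; do
        case $arg in *" "*) printf "'%s' " "$arg" ;; *) printf '%s ' "$arg" ;; esac
    done
    printf '\n'
}

# Execute one ILOM CLI command over SSH (ILOM runs the argument as a CLI line).
ilom() { run ssh "$ILOM_ADMIN@$ILOM_HOST" "$*"; }

# Role letters (assumed ILOM 3.x): a=Admin, u=User Management, c=Console,
# r=Reset and Host Control, o=Read Only, s=Service. Grant only what the duty needs.
# Usage: ilom_user NAME ROLES PASSWORD
ilom_user() { ilom "create /SP/users/$1 role=$2 password=$3"; }

provision_users() {
    ilom_user platform_admin aucro "$ADMIN_PW"     # full administration
    ilom_user sec_auditor    o     "$AUDITOR_PW"   # read settings and audit log only
    ilom_user console_oper   co    "$CONSOLE_PW"   # host console access
    ilom_user power_oper     ro    "$POWER_PW"     # power and reset only
}

# Keep SSH, HTTPS, SNMPv3 and IPMI 2.0; turn off plain HTTP and SNMP v1/v2c,
# and sync the SP clock so audit timestamps correlate with other logs.
harden_services() {
    ilom "set /SP/services/http servicestate=disabled"
    ilom "set /SP/services/https servicestate=enabled"
    ilom "set /SP/services/snmp v1=disabled v2c=disabled v3=enabled"
    ilom "set /SP/clients/ntp/server/1 address=$NTP_SERVER"
    ilom "set /SP/clock usentpserver=enabled"
}

# Pull the audit log: logins and configuration changes, each with user and timestamp.
fetch_audit_log() { ilom "show /SP/logs/audit/list"; }

# Placeholder secrets: supply them from a vault or prompt; never commit real values.
ADMIN_PW=${ADMIN_PW:-CHANGE-ME}; AUDITOR_PW=${AUDITOR_PW:-CHANGE-ME}
CONSOLE_PW=${CONSOLE_PW:-CHANGE-ME}; POWER_PW=${POWER_PW:-CHANGE-ME}
NTP_SERVER=${NTP_SERVER:-192.0.2.1}

provision_users
harden_services
fetch_audit_log
```

Passing a password on an ssh command line makes it visible in the process list of the host you run this from; for real deployments create the account with its role here and set the password from an interactive ILOM session (set /SP/users/NAME password), which prompts for it. The auditor account is the one to hand to whoever reviews show /SP/logs/audit/list: it can read every setting and log entry but change nothing.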

Oracle Enterprise Manager Ops Center

Part of the Oracle Enterprise Manager suite, Oracle Enterprise Manager Ops Center is a converged hardware management solution that provides a single administrative interface for servers, operating systems, firmware, virtual machines, zones, storage, and network fabrics. Oracle Enterprise Manager Ops Center is installed by default on the SPARC SuperCluster platform.

From a security perspective, Oracle Enterprise Manager Ops Center can be used to assign administrative access to collections of physical and virtual systems, monitor administrator activity, and detect faults as well as configure and manage alerts. Further, Oracle Enterprise Manager Ops Center supports a variety of reports that allow you to compare your systems against known configuration baselines, patch levels, and security vulnerabilities.

Oracle Enterprise Manager

Oracle Enterprise Manager suite is a comprehensive and integrated cloud management solution that focuses on lifecycle management of applications, middleware, and databases, as well as physical and virtual infrastructure (using Oracle Enterprise Manager Ops Center).

In the context of SPARC SuperCluster, it is important to highlight that the application, middleware, and database management functionality supports detailed monitoring, event notification, patch management, and change management, as well as continuous configuration and compliance management and reporting.

In particular, Oracle Enterprise Manager allows you to centrally maintain security configuration settings as well as access control and auditing policies for groups of databases. Access to these functions can be limited to authorized individuals ensuring that management access supports compliance mandates for separation of duty, least privilege, and accountability.

The Oracle Enterprise Manager platform also supports strong authentication using a variety of methods, fine-grained access controls, and comprehensive auditing, ensuring that even the management of the SPARC SuperCluster environment can be accomplished in a secure manner.

Oracle Identity Management

Oracle Identity Management manages the end-to-end lifecycle of user identities and accounts across an organization, and it includes support for single sign-on, Web-based access control, Web services security, identity administration, and strong authentication, as well as identity and access governance.

In the context of SPARC SuperCluster, Oracle Identity Management can be used as a single point for managing identity and access not only for applications and services running on the SPARC SuperCluster platform, but also for the underlying infrastructure and services used to manage it.

Oracle Key Manager

Oracle Key Manager is a comprehensive key management system (KMS) designed to simplify the management and monitoring of encryption keys used to protect information at rest. Oracle Key Manager supports enterprise-class environments with a highly scalable and highly available architecture that can manage thousands of devices and millions of keys. It operates on a hardened operating environment, enforces strong access control and role separation for key management and monitoring operations, and, optionally, supports the secure storage of keys in Oracle's Sun Crypto Accelerator 6000 PCIe Card, a FIPS 140-2 validated hardware security module (HSM).

In the context of SPARC SuperCluster, Oracle Key Manager can authorize, secure, and manage access to encryption keys used by Oracle's StorageTek encrypting tape drives, Oracle Databases encrypted using Transparent Data Encryption, and encrypted ZFS file systems available on Oracle Solaris 11.

General Recommendations and Considerations

The SPARC SuperCluster platform includes an impressive collection of layered security controls that can be tailored to meet specific policies and requirements. It is important to understand how to best utilize these capabilities as well as how to integrate them into an existing IT security architecture. Effective IT security must integrate people, process, and technology aligned by policy and vetted using solid risk management and governance practices. In this section, general recommendations and considerations are offered to guide you in architectural, deployment, and operational dimensions.

Architectural

The following architecture best practices are recommended:

  • Leverage a unified approach to identity and access management by integrating the SPARC SuperCluster platform components as well as its deployed services with your existing identity and access management architecture. Oracle Solaris and Oracle Database, in particular, support a wide array of open and standard protocols that allow them to be easily integrated with existing identity and access management deployments.
  • Consider the use of intrusion prevention systems to monitor network traffic flowing to and from the SPARC SuperCluster platform. Such systems will enable the identification of suspicious communications, potential attack patterns, and unauthorized access attempts. If you are looking for increased visibility within the SPARC SuperCluster platform, consider using host-based intrusion detection and prevention systems. By leveraging the fine-grained auditing capabilities of Oracle Solaris and Oracle Database, host-based systems will have a greater likelihood of detecting inappropriate actions and unauthorized activity.
  • Similarly, consider the use of application- and network-layer firewalls to protect information flowing to and from the SPARC SuperCluster platform. Filtering network ports often serves as the first line of defense in preventing unauthorized access to systems and services. Just as with host-based intrusion detection services, if you want more fine-grained control of communications between the components of the SPARC SuperCluster platform, consider both network-level segmentation, using Ethernet VLANs or InfiniBand partitions, and host-based firewalls that enforce inbound and outbound network policy at the host level.
  • Lastly, consider the use of centralized audit and log repositories to aggregate security-relevant information for improved correlation, analysis, and reporting. Most modern security event and incident management systems support a wide array of protocols for gathering data from network devices, operating systems, databases, and applications. Collecting and storing this information in a centralized (and protected) location also improves the quality and effectiveness of your security incident and forensic response processes, because the information needed for that analysis is kept away from the systems and applications that might have been compromised. For this approach to be effective, the clocks of all devices, systems, and software must agree, so also deploy the Network Time Protocol (NTP) service across the platform, including its service processors and switches; records with inconsistent timestamps cannot be correlated reliably.

Deployment

The following deployment best practices are recommended:

  • Use protocols that support strong authentication and encryption of network communications. This protects the confidentiality and integrity of communications and matters both when communicating with services deployed on the SPARC SuperCluster platform and when managing the platform through its administrative interfaces. Configure administrative and operational services to use encryption protocols and key lengths that align with your organizational policies. Cryptographic services on the SPARC SuperCluster platform benefit from hardware acceleration, which removes much of the performance penalty that otherwise discourages organizations from enabling encryption everywhere it is warranted.
  • While many of the products integrated into the SPARC SuperCluster platform are configured by default for secure deployment, organizations often have their own security configuration hardening standards. Oracle produces security guidance for its products, and content relevant to the SPARC SuperCluster platform is included in the "See Also" section at the end of this document. It is important to review this information before attempting to change the security configuration of SPARC SuperCluster components. In particular, it is important to identify where existing organizational standards can be improved as well as where supportability issues might limit what changes can be made to a given component.
  • Several of the products included in the SPARC SuperCluster platform ship with default administrative passwords. Change these default passwords before the system is connected to a production network, to values known only to authorized administrators, and include the out-of-band management interfaces such as Oracle ILOM in that sweep, since their accounts are easy to overlook.

Operational

The following operational best practices are recommended:

  • While it is relatively straightforward to configure the SPARC SuperCluster platform for use in a secure deployment, it is important to understand that security must be maintained throughout the lifecycle of the platform and its deployed services. As such, utilize tools that will help detect unauthorized changes, configuration drift, and security patches that have not been applied. The Oracle Enterprise Manager suite of tools offers an integrated solution for managing such operational issues from the hardware through any deployed applications and services.
  • Regularly evaluate the users and administrators who have access to the SPARC SuperCluster platform and its deployed services to verify whether the levels of access and privilege are appropriate. Over time, without review, the level of access granted to individuals tends to increase without bound. It is recommended that access rights (for both operational and administrative access) be reviewed to ensure that users' level of access is aligned to their roles and responsibilities.

Conclusion

Collectively, the extensive set of security controls and capabilities available on the SPARC SuperCluster platform provides a well-rounded security foundation upon which you can deploy services. More important, however, is the balance that has been achieved between the tight integration of its components and the degree of configuration and operational flexibility that allows you to customize the security posture of the SPARC SuperCluster platform based upon your policies and requirements. This reinforced yet flexible security architecture makes this engineered system an ideal platform for organizations consolidating applications and databases, operating multitier enterprise applications, or delivering multitenant application services.

See Also

For more information, see the white paper "A Technical Overview of the Oracle SPARC SuperCluster T4-4": http://www.oracle.com/us/products/servers-storage/servers/sparc-enterprise/supercluster-t4-4-arch-wp-1537679.pdf.

Also see the resources in the following sections.

Product Security Guides

Security White Papers and Articles

Oracle VM Server for SPARC
Oracle Solaris 11
Oracle Database 11g
Oracle Middleware

About the Authors

For over 20 years, Glenn has developed secure IT architectures and best practices for global customers and industries. Glenn is the Chief Technology Officer for the Enterprise Solutions Group at Oracle where he focuses on enterprise architecture, IT governance, information security, and holistic IT systems design. Previously, Glenn was a Distinguished Engineer and Chief Security Architect at Sun Microsystems. He has also served in a number of leadership positions at organizations such as the National Cybersecurity Partnership, the Center for Internet Security, and the Cloud Security Alliance. Glenn is a Certified Information Systems Security Professional and has a master's degree in computer science from St. Joseph's University.

Ramesh Nagappan is a Senior Principal Engineer at Oracle. He specializes in enterprise security with a strong focus on applied cryptography for applications and network infrastructures. Currently he works on security integrations for SPARC SuperCluster platform-based applications. He joined Oracle as part of the Sun Microsystems acquisition. At Sun, he was part of the Javasoft and ISV engineering organizations for more than 12 years, where he was involved with Java security, Solaris security, identity management, and large-scale application integration projects aligned with government, defense, and national security organizations.

Joel Weise has worked in the field of information security for over 30 years. As the Director of Security Architecture at Oracle, he leads the design, architecture, and engineering efforts of system and application security solutions for a range of different enterprises. Joel is also a leading expert on legal and regulatory issues as they relate to information security, a founding member of the Information Systems Security Association (ISSA) and an ISSA Distinguished Fellow, the chairman of the ISSA Journal's Editorial Advisory Board, and a member of and subject matter expert for the American Bar Association Science and Technology working committee. His current research work is focused on the elaboration of adaptive security, complex adaptive systems, security governance, and security maturity modeling.

Revision 1.0, 07/31/2012
