OS 2200 Security Update
Thursday, February 28, 2008
Dave Crawshaw

Agenda
• OS 2200 security
  • Brief overview
  • New features
• Wrap up

Introduction: Security Policies
Dorado 400 Security Policy
• Delivered with Dorado 400
• High-level statement of what’s available on delivery
• Recommendations – subject to customer’s security policies
• Three sections
  • OS 2200 host-related
  • Operations-related
  • SAIL-related

OS 2200 Security: Overview
Unisys Security Offerings
• Unisys provides security products and services to meet customer’s needs
• At the site and enterprise level
  • Advisory services
  • Project based services
  • End user services
• At the platform level
  • Platform features
  • Platform services

OS 2200 Security: New Features
Security Feature Update Areas
• Authentication
• Authorization
• Security event handling
• Encryption
• Java application security
• Future directions

OS 2200 Security: Authentication
• Authentication – verify validity of a user
• User-ids and passwords
• User Authentication (FLEX) product
  • Unisys supports Kerberos and NTLM
  • Site supplied authorization module
• Configurable hacker frustration
  • Maximum sign-on attempts
  • Delayed sign-on solicitation

OS 2200 Security: Enhanced User-id Timeout Tracking
• User-id is disabled after preconfigured period of inactivity
  • Previously, only DEMAND/TIP signons were tracked
  • Now any logon authentication (e.g., from batch or CIFS or application using Flexible Authentication (FLEX)) keeps the user-id from timing out
• Display products authenticating the user-id
  • Via Security Manager or SIMAN
  • Useful during security audits of the system
• Authentication success/failure (17006) log entry

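The difference between the previous and the enhanced timeout tracking, modelled as an added example that is not Unisys code or part of the original presentation. The event tuples, the product labels, the 30-day period and the rule that only successful authentications count are assumptions; the records are constructed and do not reproduce the layout of the 17006 log entry.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumed fields): (time, user-id, product, success)
EVENTS = [
    ("2007-11-01 12:00", "OLDUSR", "DEMAND", True),
    ("2008-01-02 09:00", "OPS01", "DEMAND", True),
    ("2008-01-05 23:10", "BATCH7", "BATCH", True),
    ("2008-02-20 23:10", "BATCH7", "BATCH", True),
    ("2008-02-25 08:30", "WEBSVC", "FLEX", True),
    ("2008-02-26 14:00", "SHARE1", "CIFS", True),
    ("2008-02-27 10:15", "OPS01", "TIP", True),
    ("2008-02-27 10:20", "OLDUSR", "DEMAND", False),
]
LEGACY_SOURCES = {"DEMAND", "TIP"}   # the only sign-ons tracked previously
TIMEOUT = timedelta(days=30)         # assumed site-configured inactivity period
NOW = datetime(2008, 2, 28)

def last_success(events, sources=None):
    """Latest successful authentication per user-id, optionally limited to
    a set of authenticating products."""
    last = {}
    for stamp, user, product, ok in events:
        if not ok or (sources is not None and product not in sources):
            continue
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        if user not in last or when > last[user]:
            last[user] = when
    return last

def timed_out(events, now, sources=None):
    """User-ids with no tracked successful authentication within TIMEOUT."""
    users = {event[1] for event in events}
    last = last_success(events, sources)
    return sorted(u for u in users if u not in last or now - last[u] > TIMEOUT)

def products_by_user(events):
    """Audit view: which products have authenticated each user-id."""
    view = {}
    for _, user, product, ok in events:
        if ok:
            view.setdefault(user, set()).add(product)
    return {user: sorted(products) for user, products in view.items()}

print("legacy tracking disables:  ", timed_out(EVENTS, NOW, LEGACY_SOURCES))
print("enhanced tracking disables:", timed_out(EVENTS, NOW))
```

Under DEMAND/TIP-only tracking the batch, CIFS and FLEX user-ids are flagged as inactive although they authenticated within the period; with every authenticating product counted, only the user-id with no recent successful sign-on remains.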
OS 2200 Security: Authorization
• Authorization – defines what legitimate users are allowed to do
• Access control to files, applications, transactions, database components
• Fine grained user controls using groups, security levels, compartments, permissions
• Mandatory access control (MAC)
• Discretionary access control (DAC) includes Access Control Records (ACRs)

OS 2200 Security: Security Event Handling
• Security event logging and auditing
  • Authentication attempts
  • File access attempts
  • Inbound connect requests
  • Etc.
• Event escalation
  • Notify operator
  • Send email
  • Raise pager alert
• Real time

OS 2200 Security: CpFTP SSL and Security Logging
• Type 810 (Sign-on Validation) log entry contains the IP address of the FTP client
  • This facilitates tracking FTP use
• SSL protocol support
  • In CpFTP 3R3

OS 2200 Security: Intrusion Detection
[Diagram: Intrusion Detection (Monitor, Correlate, Notify)]
“Intrusion detection is the art of detecting and responding to computer misuse.” ~ Paul E. Proctor, The Practical Intrusion Detection Handbook
• Monitor security events in real time
  • Detect security violations
  • Detect unusual or unexpected behavior
• Correlate events
  • Distill information from system, communications, Web & client services
  • Recognize security violation patterns
• Notify appropriate administrators
  • Report security violations as they occur
  • Document violations
• Stop the intruder
• Comply with regulations
• Satisfy auditors

OS 2200 Security: Types of Intrusion Detection Systems
• Network-based IDS
  • Pro - Monitoring of entire network
  • Pro - Strong outsider detection and deterrence
  • Con - Not viable with VPNs
  • Con - Violations within host/server not visible
• Host-based IDS
  • Pro - Visibility to all activity within host
  • Pro - Addresses the 80% of actual losses due to computer misuse
  • Pro - Good at trending and detecting suspicious behavior patterns
  • Con - Each host requires protection
• Best protection uses both

OS 2200 Security: Data Encryption Capabilities
• Cipher API
• SSL/TLS in CPComm
• Tape encryption
• SSH in Operations Sentinel
• OPCONN/XPS

OS 2200 Security: Cipher API
• OS 2200 based
• An interface for transactions and programs to encode plaintext and decode ciphertext data
• Supports industry standard cryptography algorithms
• Compatible with other platforms
• Included in 11.2 UOE and IOE for Dorado 400

OS 2200 Security: Cipher API
Cryptography Algorithms
• Symmetric cryptography algorithms supported
  • Data Encryption Standard (DES)
  • Triple DES (3DES)
  • Advanced Encryption Standard (AES)
  • Various key lengths
  • ECB and CBC modes
• MD5 one-way message digest algorithm supported
• Implemented according to Federal Information Processing Standards (FIPS) requirements
  • NIST Certification #372 for AES
  • NIST Certification #418 for 3DES

OS 2200 Security: Cipher API
Hardware Accelerator
• Increased performance for bulk cryptographic requirements
  • Typically 5X improvement for AES on Dorado 300
  • Typically 840X improvement for 3DES on Dorado 300
  • Ratio depends on data size and format
• Full-height industry standard PCI compliant 3.3V card
• Supports AES and 3DES algorithms in CBC mode
• Supported on Dorado 100 and 200 families via SCIOP

OS 2200 Security: Secure Socket Layer (SSL)
• SSL data protection protocol uses encryption
  • Protect the confidentiality of data
  • Verify the message received is the message sent
  • Authenticate the end points
• SSL in a server satisfies regulatory requirements for end-to-end protection of data

OS 2200 Security: OS 2200 Communications SSL
• CPComm 2200 SSL supports SSLv3 and TLS 1.0
• 2200 SSL can be used with existing applications without changing the applications
• SSL APIs mimic previous TCP APIs; relatively easy to upgrade applications to use secure communications
• SSL feature includes utility programs used to administer the SSL configuration
• Implementation is based on the Internet standard RFCs
• Encryption algorithms NIST certified: RSA, DSA, RNG, 3DES, AES, HMAC and SHA1
• Additional algorithms: RC4, DES, MD5, and Diffie-Hellman

OS 2200 Security: Tape Encryption
• Sun StorageTek T10000 Encryption Drive
  • Supports 256-bit AES encryption
  • 120 MBps throughput
  • Performance degradation ~1% with compression and encryption
• Sun StorageTek Crypto Key Management Station
  • Tokens contain keys
  • Token bay makes keys available to drives
  • Keys always encrypted during transport
• Considering release via kit for CP OS 11.x

OS 2200 Security: JVM 3R2 Security Enhancements
• Kerberos Login Module (an option in addition to the cleartext login module) provides a means to authenticate users using the Kerberos network authentication protocol
• JVM provides OS 2200-specific authentication using existing OS 2200 user-id records, including group membership
• All authentication attempts can be recorded in the OS 2200 system log
  • Successful logins
  • Failed user-id logins
  • Failed password logins
  • Logouts

OS 2200 Security: Unisys Application Defender
• Instruments Java Enterprise Edition Web applications to protect against vulnerabilities
• Works with JBoss and Tomcat
• For new or existing applications
• No source code changes required
• Binary code can be protected using aspect-oriented programming (AOP)
• No application or server configuration changes are required
• Cross-platform product
• Included in all ClearPath OS 2200 operating environment packages starting with Release 11.1

OS 2200 Security
Symantec: Unisys’ Web Server, J2EE Environment, and Application Defender Products Meet Industry Best Practices
The Unisys OS 2200 Java environment is designed with “a security architecture that maps to industry best practice standards.”
Furthermore, “The security features implemented within the OS 2200’s Java/JBoss/Tomcat environment allow customers to deploy applications on OS 2200 systems with confidence.”
A similar assessment by Symantec on the Unisys Application Defender also yielded an “industry best practices” rating

OS 2200 Security: Future Directions
• BIS use of Cipher API
• IPv6
• IPsec
• RDMS column-by-column encryption
• Tape encryption enhancements
• Encryption key management
• Cipher API included in all IOEs (for CP OS 12 and above)
• Web Services protection and more in Application Defender 2.0

Security in OS 2200 Series Systems
• Is real
• Is effective
• Is increasing
Uncompromising security from the very beginning