01.12.2014

Oracle Solaris 11 - ASBIS SK Online

Security of Oracle SPARC Systems and Oracle Solaris 11 OE

Marek Slivka
Principal Sales Consultant


New SPARC T4 Processor

• 18 On Chip Crypto functions
• Balanced high-bandwidth interfaces and internals
• 2.85GHz and/or 3.0GHz
• 2 On Chip 10 GbE Networking
• Dynamic Threading
• Out of Order Execution
• 8 Cores, 64 Threads
• Co-engineered with Oracle software
• 2 On Chip Dual-Channel DDR3 Memory Controllers
• 2 On Chip x8 PCIe gen2 I/O Interfaces


SPARC T4 CPU and Systems Deliver High Performance, Security

• Achieves high security performance through on-chip Crypto Instruction Accelerators in each core
• Streamlines processing and application programming with 29 new non-privileged cryptographic instructions
• Secures your data as well as your systems
• Makes encryption available to all
  – It’s built in – just start using it
  – No extra costs to purchase or install
• Delivers up to 11x encryption performance boost


Encryption: Why Use It?

• To keep data safe; yours and your customers’
  – Data confidentiality: only authorized readers
  – Message integrity: the same as when sent or saved
  – Authentication: access only to those authorized
  – All disks and tapes leave the data center eventually
• Some regulations demand or highly encourage it
• Warm fuzzies: to sleep at night


Encryption Functions: Why Different Types Are Needed

SPARC T4 Leads in On-Chip Encryption Acceleration

SPARC T4 Leads in On-Chip Encryption

SPARC T4: 4th Generation SPARC On-Chip Cryptography Leadership

SPARC T4 Cryptographic Acceleration: Significant Performance Gains for SSL


Benefits of SPARC T4 CPU and Systems: High Performance, Security

• Leads in on-chip acceleration of popular encryption standards
  – Accelerates 17 cryptographic algorithms
  – Plus random number generation support
• Includes simple instruction based application programming
  – Allows reduced application code size
  – Minimizes complexity and possible errors
  – Provides direct access to on-chip encryption acceleration for fast processing
• Encryption on-chip is more tamper resistant


Oracle Solaris 11 & SPARC T4: End-to-End Security

SPARC T4 is 30% to 4x faster than Westmere (AES-NI, best x86 crypto)

[Diagram labels: SSL, SOAP, iPlanet Web, IPsec (VPN), Unified Key Management, Fusion Middleware, Storage, ZFS Filesystem, Oracle Database, Tablespace Encrypt]

• SPARC T4 faster than x86 Westmere (with AES-NI):
  – Database queries with security 43% faster vs. x86
  – ZFS Filesystem Crypto 4x faster vs. x86
  – 10Gb/s SSL: T4 uses 50% fewer threads to saturate 10GbE
  – 10Gb/s IPsec (VPN): T4 23% faster vs. x86, T4 uses 3.6x less CPU
  – AES-CFB, CBC, CCM, GCM kernels 1.4x to 3.6x faster vs. x86
• SPARC T4 is dramatically faster than IBM Power7
  – OpenSSL 4.3x faster single-thread security vs Power7


SPARC T4 & Oracle Solaris 11: Oracle TDE

• Performance on Oracle TDE (Transparent Database Encryption)
  – SPARC T4 43% faster secure queries than x86 Westmere (AES-NI)
• Combination of fast query processing and TDE
  – Tests 8 different queries on 2-socket servers
  – Consistent SPARC T4 query time from 128-bit to 256-bit ciphers; 44% faster

Query time in seconds; the last column is CPU utilisation (user / sys) for the AES-CFB-256 run:

System              AES-CFB-128   AES-CFB-192   AES-CFB-256   AES-CFB-256 CPU
SPARC T4 2.85GHz    585 s         586 s         586 s         99%u / 1%sys
x86 3.47GHz Xeon    836 s         841 s         842 s         98%u / 2%sys
% T4 advantage      43%           44%           44%


ZFS Encryption: T4 Beats Westmere (AES-NI)

Encrypted filesystem on Oracle Solaris 11 is practical for applications

• SPARC T4 4x faster than Westmere (AES-NI acceleration)
  – Both AES-CCM & AES-GCM 4x faster on 128, 192, 256-bits
  – SPARC T4 encryption performance very near cleartext performance
• ZFS encryption uses the Oracle Solaris 11 Cryptographic Framework

Encrypt MB/s, 5 file create:

System          Clear    AES-128-CCM   AES-192-CCM   AES-256-CCM
SPARC T4-2      3,802    3,225         3,335         3,167
2x Westmere     3,325    773           764           750
T4 Advantage    1.1x     4.2x          4.4x          4.2x


Encryption: T4 Beats Westmere (AES-NI)

In-memory encryption micro-benchmark on Oracle Solaris 11

• SPARC T4 1.7x faster throughput than 3.33GHz Westmere
  – Encryption using ucrypto on T4, IPP on the Westmere/AES-NI
• Single-thread AES-CFB & AES-CBC
  – SPARC T4 single-thread 9% to 26% faster than Westmere/AES-NI

Processor      AES-256-CBC    T4 Advantage   AES-256-CFB    T4 Advantage
SPARC T4       11,567 MB/s    –              10,949 MB/s    –
Intel X5680    6,670 MB/s     1.7x           7,503 MB/s     1.5x
SPARC T3       5,980 MB/s     1.9x           6,023 MB/s     1.8x


Security with SPARC T4

Built-in Encryption. No Overhead. No Software Changes.

• 43% faster secure queries
• ZFS Encryption: Encrypted Filesystem: 3x faster encryption
• Encryption: In-memory: 1.8x better throughput (reduced time)

See performance substantiation slides


ORACLE’S DUAL OS STRATEGY

Best in class. Optimized for the enterprise. Your Choice.


SOLARIS 11. THE FIRST CLOUD OS.

NEXT GENERATION OF UNIX

• #1 UNIX
• Built for Cloud Infrastructures
• Engineered for Oracle


#1 UNIX: If It Must Run, It’s On Solaris

More installations than AIX and HP-UX combined.

11,000+ applications just work. Now in a cloud.

Optimized to Run All of Your Applications Faster


Extreme Performance for Cloud Applications

Built for Next-Decade Hardware: 10x Networking, 10x CPU, 10x Memory, 10x Data


Co-engineered with the Oracle Stack

[Table columns: CPU, Memory, File System, I/O, Security]

• Fully MT-hot kernel, scales to 100s of cores and 10,000s of HW threads
• Support for Critical Threads features in T4 chip
• JVM support for Solaris scheduling classes, User-level high resolution timer support
• WLS scalability, smt pause() to optimize busy waits in the JVM, 5X performance improvement of high-resolution timer
• Large page support by JVM, T4 2GB pages for Java performance, Preemption control
• NUMA IO framework, Latency-aware kernel memory allocator, NUMA optimizations in LDOMs, Intimate Shared Memory (ISM), Dynamic Intimate Shared Memory (DISM)
• Optimized Shared Memory (OSM), NUMA IO framework, Latency-aware kernel memory allocator, Large Page support, Fast DB Restart
• Support for Event ports, Userland file system for DB
• SDP, IPoIB, Receive-side Scaling, LSO for VNICs, Traffic fan-out for EoIB, HA for SDP, Open Fabrics User Verbs, SR-IOV performance scaling, Dynamic Reconfiguration for IB HCAs, vnet & vswitch performance improvements, uDAPL, RDSv1, RDSv3, SDP: Support for low-latency InfiniBand protocols, Direct I/O with Concurrent writes, Dynamic Reconfiguration for IB HCAs
• Integration of JVM with crypto offload engines
• Zones support for EoIB, IPoIB, SDP: Secure isolation, lowest-latency virtualization, Integration with Solaris Crypto offload engine, Zones: Secure isolation, lowest-latency virtualization


Co-engineered with the Oracle Stack

2.4x Faster Database Performance

7x Better Middleware Price/Performance with Java


Designed-in Virtualization


21st Century Cloud Infrastructure For All Mission Critical Applications

[Diagram labels: Solaris 11 Zone, Solaris 10 Zone, Solaris Legacy Zone, Oracle Solaris 11, Oracle Solaris 10, Oracle VM, SPARC, x86]


Availability Meets The Cloud

[Chart axes: Scale, Availability]

Oracle Solaris 11
• Integrated end-to-end fault healing of hardware, OS and virtualization
• Dynamic Domains
• No software to install
• Zero overhead virtualization
• SPARC / x86 Hypervisors
• Solaris Zones
• Oracle VM Templates
• Mission-critical workloads
• Production-safe observability
• Component-Level Dynamic Reconfiguration
• Application failover in zone clusters
• Support for SPARC and x86
• Secure live migration
• Instant provisioning

VMware
• HA for VMs
• Vmotion
• Virtualization mgmt tools
• Support for x86


Oracle Solaris 11: Network Virtualization

Save On Network Gear. Increase Performance

• Virtual equivalents of NICs, switches, LANs, firewalls, load balancers, routers, bridges; aggregation
• Network Resource and Bandwidth Management for QoS
• Secure isolation of networks
• Tight Solaris Zones Integration


Network Architecture Strategy


Data at Cloud Scale


Breakthrough Efficiency

Scale Out Design. Built-in Data Services. No License Fees.

• Compression
• Replication
• Flash-aware virtual storage pools
• Deduplication
• Dataset Encryption

Reduce Storage Use by up to 10x


Engineered Cloud Security At Every Level


Security in the Cloud

Defense in Depth. Multitenancy Design.

• Delegated administration
• Built-in Audit
• Immutable Zones
• Network and data layer protection
• Encrypted data per tenant


Advanced Protection

Integrated Audit, Encryption and Content Security

• Read-only virtual OS environments
• Encrypted and nonencrypted data sets in same storage pool
• Enterprise encryption key manager for application, middleware, database, OS, server and storage
• Delegated administration for virtual OS environments for self-service IT
• Low impact, always-on auditing
• Assured software packages with vendor and customer crypto signatures

[Comparison graphic labels: AIX, VMware]


Cloud Deployment Simplified


Redefining Software Lifecycle Management

Safe Updates. Fast Reboots.

• Error-free safe software updates
  – Automatic dependency checking of software packages
  – Cloned environment updated, immediate rollback if needed
• Reboot in seconds
  – In-kernel boot loader puts kernel into memory and switches


Your Software. Our Software. Your Cloud.

[Diagram labels: Oracle Solaris Content Server, Oracle VM Templates, Your Software, Your Enterprise Repository]

Error-free. Safe. Fast.


Oracle Solaris 11 Security

• Oracle Solaris 11 Security Protections
• Oracle Solaris 11 Security Technologies
• Oracle Solaris 11 Security Defaults


Oracle Solaris 11 Security Protections

• Protecting the kernel
• Protecting logins
• Protecting data


Oracle Solaris 11 Security Technologies

• Audit Service
• Basic Audit Reporting Tool (bart, bart_rules, bart_manifest)
• Cryptographic Services (cryptoadm, encrypt, mac, pktool, kmfcfg)
• File permissions and Access Control Entries (chmod)
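The Basic Audit Reporting Tool listed above works by recording a control manifest of file attributes and digests and later comparing a fresh manifest against it. The following is an added, simplified stand-in for that idea in plain Python (not Oracle's bart(1M), which also records owner, ACLs and timestamps and takes its rules from bart_rules(4)); the directory tree and the changes made to it are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Added illustration of what Solaris BART does (bart create / bart compare):
# a control manifest of file mode, size and digest, later diffed against a
# fresh manifest. Simplified stand-in, not Oracle's bart(1M), which also
# records owner, ACLs and timestamps and honours bart_rules(4).

def create_manifest(root):
    """Return {relative_path: (mode, size, sha256)} for regular files under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root)
            manifest[rel] = (st.st_mode & 0o7777, st.st_size, digest.hexdigest())
    return manifest

def compare_manifests(control, test):
    """Like 'bart compare': files added, deleted, or changed in mode/size/content."""
    return {
        "added": sorted(test.keys() - control.keys()),
        "deleted": sorted(control.keys() - test.keys()),
        "modified": sorted(p for p in control.keys() & test.keys() if control[p] != test[p]),
    }

def demo():
    """Constructed scenario: baseline a tiny tree, change it four ways, report the drift."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        for name in ("hosts", "motd", "issue"):
            path = os.path.join(etc, name)
            with open(path, "wb") as fh:
                fh.write(b"baseline content for " + name.encode() + b"\n")
            os.chmod(path, 0o644)
        control = create_manifest(root)
        with open(os.path.join(etc, "hosts"), "ab") as fh:       # content drift
            fh.write(b"192.0.2.10 constructed-example\n")
        os.chmod(os.path.join(etc, "motd"), 0o600)               # permission drift
        os.remove(os.path.join(etc, "issue"))                    # file removed
        with open(os.path.join(etc, "extra.conf"), "wb") as fh:  # file added
            fh.write(b"constructed\n")
        return compare_manifests(control, create_manifest(root))
```

On a real system the control manifest must be stored off-host or on read-only media, otherwise whatever changed the files can also rewrite the baseline.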


Oracle Solaris 11 Security Technologies

• Packet Filtering
  – IP Filter (ipfilter, ipf, ipnat, svc.ipfd)
  – TCP Wrappers (hosts_access)
• Passwords and Password Constraints (passwd, crypt.conf)


Oracle Solaris 11 Security Technologies

• Pluggable Authentication Module (pam.conf)
• Privileges in Oracle Solaris (ppriv, privileges)
• Remote Access
  – IPsec and IKE, Secure Shell, Kerberos Service (ipsecconf, in.iked, ssh, sshd, sshd_config, ssh_config, kerberos, kinit)


Oracle Solaris 11 Security Technologies

• Role-Based Access Control (rbac, roleadm, profiles, user_attr)
• Service Management Facility (svcadm, svcs, smf)
• Oracle Solaris ZFS File System (zfs)
• Oracle Solaris Zones (brands, zoneadm, zonecfg)
• Trusted Extensions (trusted_extensions, labeld)


Oracle Solaris 11 Security Defaults

• System Access Is Limited and Monitored
• Kernel, File, and Desktop Protections Are in Place
• Additional Security Features Are in Place


Why Oracle Customers Choose Solaris

Top Reasons for Investing in Oracle Solaris Systems

1. Reliable: If it must run, it’s on Solaris
2. Fast: World record leader for enterprise applications
3. Scalable: Engineered today for next generation systems. Invest for the future
4. Secure: Deeply integrated security. Trusted labeled configurations
5. Virtualized: Maximum resource utilization. Faster time to market
6. Engineered for Oracle: Best performance. Fastest deployments
7. SPARC and x86: Choice of industry’s leading enterprise architectures
8. Compatible: Preserves your investments. Avoids costly migrations
9. Trusted Vendor: One phone call
