Oracle Solaris 11 - ASBIS SK Online
Security of <strong>Oracle</strong> SPARC Systems<br />
and<br />
<strong>Oracle</strong> <strong>Solaris</strong> <strong>11</strong> OE<br />
Marek Slivka<br />
Principal Sales Consultant
New SPARC T4 Processor<br />
18 On Chip Crypto functions<br />
Balanced high-bandwidth interfaces and internals<br />
2.85GHz and/or 3.0GHz<br />
2 On Chip 10 GbE Networking<br />
Dynamic Threading<br />
Out of Order Execution<br />
8 Cores, 64 Threads<br />
Co-engineered with <strong>Oracle</strong> software<br />
2 On Chip Dual-Channel DDR3 Memory Controllers<br />
2 On Chip x8 PCIe gen2 I/O Interfaces<br />
SPARC T4 CPU and Systems Deliver<br />
High Performance, Security<br />
• Achieves high security performance through on-chip Crypto<br />
Instruction Accelerators in each core<br />
• Streamlines processing and application programming with 29 new<br />
non-privileged cryptographic instructions<br />
• Secures your data as well as your systems<br />
• Makes encryption available to all<br />
– It’s built in – just start using it<br />
– No extra costs to purchase or install<br />
• Delivers up to <strong>11</strong>x encryption performance boost
Encryption<br />
Why Use It?<br />
• To keep data safe: yours and your customers'<br />
– Data confidentiality: only authorized readers<br />
– Message integrity: the same as when sent or saved<br />
– Authentication: access only to those authorized<br />
– All disks and tapes leave the data center eventually<br />
• Some regulations demand or highly encourage it<br />
• Warm fuzzies: to sleep at night
Encryption Functions<br />
Why Different Types Are Needed
SPARC T4 Leads in On-Chip Encryption Acceleration
SPARC T4 Leads in On-Chip Encryption
SPARC T4: 4th Generation SPARC On-Chip<br />
Cryptography Leadership
SPARC T4 Cryptographic Acceleration<br />
Significant Performance Gains for SSL
Benefits of SPARC T4 CPU and Systems<br />
High Performance, Security<br />
• Leads in on-chip acceleration of popular encryption standards<br />
– Accelerates 17 cryptographic algorithms<br />
– Plus random number generation support<br />
• Includes simple instruction-based application programming<br />
– Allows reduced application code size<br />
– Minimizes complexity and possible errors<br />
– Provides direct access to on-chip encryption acceleration for fast<br />
processing<br />
• Encryption on-chip is more tamper resistant
<strong>Oracle</strong> <strong>Solaris</strong> <strong>11</strong> & SPARC T4: End-to-End Security<br />
SPARC T4 is 30% to 4x faster than Westmere (AES-NI, best x86 crypto)<br />
[Diagram: SSL at every tier of the stack: iPlanet Web, SOAP, Fusion Middleware, IPsec (VPN), Unified Key Management, ZFS Filesystem storage, <strong>Oracle</strong> Database storage (Tablespace Encrypt)]<br />
• SPARC T4 faster than x86 Westmere (with AES-NI):<br />
– Database queries with security 43% faster vs. x86<br />
– ZFS Filesystem Crypto 4x faster vs. x86<br />
– 10Gb/s SSL: T4 uses 50% fewer threads to saturate 10GbE<br />
– 10Gb/s IPsec (VPN) T4 23% faster vs. x86, T4 uses 3.6x less CPU<br />
– AES-CFB, CBC, CCM, GCM kernels 1.4x to 3.6x faster vs. x86<br />
• SPARC T4 is dramatically faster than IBM Power7<br />
– OpenSSL 4.3x faster single-thread security vs. Power7
SPARC T4 & <strong>Oracle</strong> <strong>Solaris</strong> <strong>11</strong> <strong>Oracle</strong> TDE<br />
• Performance on <strong>Oracle</strong> TDE (Transparent Database Encryption)<br />
– SPARC T4 43% faster secure queries than x86 Westmere (AES-NI)<br />
• Combination of fast query processing and TDE<br />
– Tests 8 different queries on 2-socket servers<br />
– Consistent SPARC T4 query time 128-bit to 256-bit ciphers<br />
Query time in seconds (callout: 44% faster):<br />
<table>
<tr><th>System</th><th>AES-CFB-128</th><th>AES-CFB-192</th><th>AES-CFB-256</th><th>CPU (user/sys)</th></tr>
<tr><td>SPARC T4 2.85GHz</td><td>585 s</td><td>586 s</td><td>586 s</td><td>99%u / 1%sys</td></tr>
<tr><td>x86 3.47GHz Xeon</td><td>836 s</td><td>841 s</td><td>842 s</td><td>98%u / 2%sys</td></tr>
<tr><td>% T4 advantage</td><td>43%</td><td>44%</td><td>44%</td><td></td></tr>
</table>
ZFS Encryption: T4 Beats Westmere (AES-NI)<br />
Encrypted filesystem on <strong>Oracle</strong> <strong>Solaris</strong> <strong>11</strong> is practical for applications<br />
• SPARC T4 4x faster than Westmere (AES-NI acceleration)<br />
– Both AES-CCM & AES-GCM 4x faster on 128, 192, 256-bits<br />
– SPARC T4 Encryption performance very near cleartext performance<br />
• ZFS encryption uses the <strong>Oracle</strong> <strong>Solaris</strong> <strong>11</strong> Cryptographic Framework<br />
<table>
<tr><th>Encrypt MB/s (5 file create)</th><th>Clear</th><th>AES-128-CCM</th><th>AES-192-CCM</th><th>AES-256-CCM</th></tr>
<tr><td>SPARC T4-2</td><td>3,802</td><td>3,225</td><td>3,335</td><td>3,167</td></tr>
<tr><td>2x Westmere</td><td>3,325</td><td>773</td><td>764</td><td>750</td></tr>
<tr><td>T4 Advantage</td><td>1.1x</td><td>4.2x</td><td>4.4x</td><td>4.2x</td></tr>
</table>
Encryption: T4 Beats Westmere (AES-NI)<br />
In-memory encryption micro-benchmark on <strong>Oracle</strong> <strong>Solaris</strong> <strong>11</strong><br />
• SPARC T4 1.7x faster throughput than 3.33GHz Westmere<br />
– Encryption using ucrypto on T4/IPP on the Westmere/AES-NI<br />
• Single-thread AES-CFB & AES-CBC<br />
– SPARC T4 single-thread 9% to 26% faster than Westmere/AES-NI<br />
<table>
<tr><th>Processor</th><th>AES-256-CBC</th><th>T4 Advantage</th><th>AES-256-CFB</th><th>T4 Advantage</th></tr>
<tr><td>SPARC T4</td><td>11,567 MB/s</td><td>–</td><td>10,949 MB/s</td><td>–</td></tr>
<tr><td>Intel X5680</td><td>6,670 MB/s</td><td>1.7x</td><td>7,503 MB/s</td><td>1.5x</td></tr>
<tr><td>SPARC T3</td><td>5,980 MB/s</td><td>1.9x</td><td>6,023 MB/s</td><td>1.8x</td></tr>
</table>
Security with SPARC T4<br />
Built-in Encryption. No Overhead. No Software Changes.<br />
43% faster secure queries<br />
ZFS Encryption: Encrypted Filesystem<br />
3x faster encryption<br />
Encryption: In-memory<br />
1.8x better throughput (reduced time)<br />
See performance substantiation slides
ORACLE’S DUAL OS STRATEGY<br />
Best in class. Optimized for the enterprise. Your Choice.<br />
SOLARIS <strong>11</strong>. THE FIRST CLOUD OS.<br />
NEXT GENERATION OF UNIX<br />
#1 UNIX<br />
Built for Cloud Infrastructures<br />
Engineered for <strong>Oracle</strong><br />
#1 UNIX<br />
If It Must Run, It’s On <strong>Solaris</strong><br />
More installations<br />
than AIX and HP-UX<br />
combined.<br />
<strong>11</strong>,000+ applications<br />
just work.<br />
Now in a cloud.<br />
Optimized to Run All of Your Applications Faster
Extreme Performance for Cloud Applications<br />
Built for Next-Decade Hardware<br />
10x Networking, 10x CPU, 10x Memory, 10x Data
Co-engineered with the <strong>Oracle</strong> Stack<br />
Areas covered: CPU, Memory, File System, I/O, Security<br />
• Fully MT-hot kernel, scales to 100s of cores and 10,000s of HW threads<br />
• Support for Critical Threads features in T4 chip<br />
• JVM support for <strong>Solaris</strong> scheduling classes, User-level high resolution timer support<br />
• WLS scalability, smt_pause() to optimize busy waits in the JVM, 5X performance improvement of high-resolution timer<br />
• Large page support by JVM, T4 2GB pages for Java performance, Preemption control<br />
• NUMA IO framework, Latency-aware kernel memory allocator, NUMA optimizations in LDOMs, Intimate Shared Memory (ISM), Dynamic Intimate Shared Memory (DISM)<br />
• Optimized Shared Memory (OSM), NUMA IO framework, Latency-aware kernel memory allocator, Large Page support, Fast DB Restart<br />
• Support for Event ports, Userland file system for DB<br />
• SDP, IPoIB, Receive-side Scaling, LSO for VNICs, Traffic fan-out for EoIB, HA for SDP, Open Fabrics User Verbs, SR-IOV performance scaling, Dynamic Reconfiguration for IB HCAs, vnet &amp; vswitch performance improvements, uDAPL, RDSv1, RDSv3, SDP: Support for low-latency InfiniBand protocols, Direct I/O with Concurrent writes, Dynamic Reconfiguration for IB HCAs<br />
• Integration of JVM with crypto offload engines<br />
• Zones support for EoIB, IPoIB, SDP: Secure isolation, lowest-latency virtualization, Integration with <strong>Solaris</strong> Crypto offload engine, Zones: Secure isolation, lowest-latency virtualization
Co-engineered with the <strong>Oracle</strong> Stack<br />
2.4x Faster Database Performance<br />
7x Better Middleware Price/Performance with Java
Designed-in Virtualization
21st Century Cloud Infrastructure<br />
For All Mission Critical Applications<br />
[Diagram: <strong>Solaris</strong> <strong>11</strong>, <strong>Solaris</strong> 10 and <strong>Solaris</strong> Legacy Zones hosted on <strong>Oracle</strong> <strong>Solaris</strong> <strong>11</strong> and <strong>Oracle</strong> <strong>Solaris</strong> 10, running on <strong>Oracle</strong> VM, on SPARC and x86]
Availability Meets The Cloud<br />
<strong>Oracle</strong> <strong>Solaris</strong> <strong>11</strong><br />
• Integrated end-to-end fault healing of hardware, OS and virtualization<br />
• Dynamic Domains<br />
Scale<br />
• No software to install<br />
• Zero overhead virtualization<br />
• SPARC / x86 Hypervisors<br />
• <strong>Solaris</strong> Zones<br />
• <strong>Oracle</strong> VM Templates<br />
VMware<br />
• HA for VMs<br />
• vMotion<br />
• Virtualization mgmt tools<br />
• Support for x86<br />
• Mission-critical workloads<br />
• Production-safe observability<br />
• Component-Level Dynamic Reconfiguration<br />
• Application failover in zone clusters<br />
• Support for SPARC and x86<br />
• Secure live migration<br />
• Instant provisioning<br />
Availability
<strong>Oracle</strong> <strong>Solaris</strong> <strong>11</strong>: Network Virtualization<br />
Save On Network Gear. Increase Performance<br />
Virtual equivalents of NICs, switches, LANs, firewalls, load balancers, routers, bridges - Aggregation<br />
Network Resource and Bandwidth Management for QoS<br />
Secure isolation of networks<br />
Tight <strong>Solaris</strong> Zones Integration
Network Architecture Strategy
Data at Cloud Scale
Breakthrough Efficiency<br />
Scale Out Design. Built-in Data Services. No License Fees.<br />
Built-in data services: Compression, Replication, Flash-aware virtual storage pools, Deduplication, Dataset Encryption<br />
Reduce Storage Use by up to 10x
Engineered Cloud Security<br />
At Every Level
Security in the Cloud<br />
Defense in Depth. Multitenancy Design.<br />
• Delegated administration<br />
• Built-in Audit<br />
• Immutable Zones<br />
• Network and data layer protection<br />
• Encrypted data per tenant
Advanced Protection<br />
Integrated Audit, Encryption and Content Security<br />
• Read-only virtual OS environments<br />
• Encrypted and nonencrypted data sets in same storage pool<br />
• Enterprise encryption key manager for application, middleware, database, OS, server and storage<br />
• Delegated administration for virtual OS environments for self-service IT<br />
• Low impact, always-on auditing<br />
• Assured software packages with vendor and customer crypto signatures<br />
[Slide graphic labels: AIX, VMware]
Cloud Deployment Simplified
Redefining Software Lifecycle Management<br />
Safe Updates. Fast Reboots.<br />
• Error-free safe software updates<br />
– Automatic dependency checking of software packages<br />
– Cloned environment updated, immediate rollback if needed<br />
• Reboot in seconds<br />
– In-kernel boot loader puts kernel into memory and switches
Your Software. Our Software. Your Cloud.<br />
[Diagram: <strong>Oracle</strong> <strong>Solaris</strong> Content Server, <strong>Oracle</strong> VM Templates, Your Software, Your Enterprise Repository]<br />
Error-free. Safe. Fast.
<strong>Oracle</strong> <strong>Solaris</strong> <strong>11</strong><br />
Security<br />
<strong>Oracle</strong> <strong>Solaris</strong> <strong>11</strong> Security Protections<br />
<strong>Oracle</strong> <strong>Solaris</strong> <strong>11</strong> Security Technologies<br />
<strong>Oracle</strong> <strong>Solaris</strong> <strong>11</strong> Security Defaults<br />
<strong>Oracle</strong> <strong>Solaris</strong> <strong>11</strong><br />
Security Protections<br />
Protecting the kernel<br />
Protecting logins<br />
Protecting data<br />
<strong>Oracle</strong> <strong>Solaris</strong> <strong>11</strong><br />
Security Technologies<br />
Audit Service<br />
Basic Audit Reporting Tool (bart, bart_rules, bart_manifest)<br />
Cryptographic Services (cryptoadm, encrypt, mac, pktool, kmfcfg)<br />
File permissions and Access Control Entries (chmod)<br />
<strong>Oracle</strong> <strong>Solaris</strong> <strong>11</strong><br />
Security Technologies<br />
Packet Filtering<br />
IP Filter (ipfilter, ipf, ipnat, svc.ipfd)<br />
TCP Wrappers (hosts_access)<br />
Passwords and Password Constraints (passwd, crypt.conf)<br />
<strong>Oracle</strong> <strong>Solaris</strong> <strong>11</strong><br />
Security Technologies<br />
Pluggable Authentication Module (pam.conf)<br />
Privileges in <strong>Oracle</strong> <strong>Solaris</strong> (ppriv, privileges)<br />
Remote Access<br />
IPsec and IKE, Secure Shell, Kerberos Service<br />
(ipsecconf, in.iked, ssh, sshd, sshd_config, ssh_config, kerberos, kinit)<br />
<strong>Oracle</strong> <strong>Solaris</strong> <strong>11</strong><br />
Security Technologies<br />
Role-Based Access Control (rbac, roleadd, profiles, user_attr)<br />
Service Management Facility (svcadm, svcs, smf)<br />
<strong>Oracle</strong> <strong>Solaris</strong> ZFS File System (zfs)<br />
<strong>Oracle</strong> <strong>Solaris</strong> Zones (brands, zoneadm, zonecfg)<br />
Trusted Extensions (trusted_extensions, labeld)<br />
<strong>Oracle</strong> <strong>Solaris</strong> <strong>11</strong><br />
Security Defaults<br />
System Access Is Limited and Monitored<br />
Kernel, File, and Desktop Protections Are in Place<br />
Additional Security Features Are in Place<br />
Why <strong>Oracle</strong> Customers Choose <strong>Solaris</strong><br />
Top Reasons for Investing in <strong>Oracle</strong> <strong>Solaris</strong> Systems<br />
1. Reliable: If it must run, it’s on <strong>Solaris</strong><br />
2. Fast: World record leader for enterprise applications<br />
3. Scalable: Engineered today for next generation systems. Invest for the future<br />
4. Secure: Deeply integrated security. Trusted labeled configurations<br />
5. Virtualized: Maximum resource utilization. Faster time to market<br />
6. Engineered for <strong>Oracle</strong>: Best performance. Fastest deployments<br />
7. SPARC and x86: Choice of industry’s leading enterprise architectures<br />
8. Compatible: Preserves your investments. Avoids costly migrations<br />
9. Trusted Vendor: One phone call