Sun is taking a new approach to rolling out its trusted version of
Solaris. Rather than a completely separate version of Solaris, it’s now in “early access” for something called Trusted Extensions, which overlay Solaris 10.
Sun has also announced that Solaris 10 has the formal green light and
has entered into Common Criteria evaluation EAL4+, a process that began in February.
Common Criteria evaluation includes standards that are accepted by over 22
Mark Thacker, product line manager of Solaris security at Sun Microsystems, told internetnews.com that Sun is going above and beyond what is normal for EAL certification by conducting Controlled Access Protection Profile (CAPP)
and Role Based Access Control Protection Profile (RBACPP) evaluations.
Sun is also now taking a different approach to building its “trusted”
version of the OS.
“Trusted Solaris has always been a separate OS currently based on Solaris
8, so it’s called Trusted Solaris 8,” Thacker explained. “We’re in early
access now for a product that we call Solaris Trusted Extensions, and what
that will do is layer on top of Solaris 10 to provide a multi-level
environment that will run on top of Solaris 10.”
Thacker added that with Trusted Extensions there is no longer a separate
kernel or a separate OS.
“It is in fact a security configuration of Solaris 10,” Thacker said. “It
also gets us out of an interesting lag issue that we’ve had in the past with
Trusted Solaris not always being up to date with the latest Solaris release.”
Sun’s Thacker sees both value and challenges in putting an OS into
evaluation before it’s complete.
“There is so much that is going to change in an OS before you get into
evaluation that when you do that, you run the risk of changing your security
targets significantly and doing a lot of additional work,” Thacker said.
Earlier this week, Linux vendor Red Hat announced that it was pursuing EAL4 certification with partners IBM and Trusted Computer Systems (TCS). The evaluation is for Red Hat’s upcoming Enterprise Linux version 5, which is set to be released in 2006.
Thacker said that with Trusted Extensions, Sun is starting the work now,
with the understanding that some things will change before the product
ships.
“I have no idea where Red Hat Enterprise Linux 5 is; I can’t comment on
that, but I do know where Trusted Extensions is and I’m comfortable with the
fact that we’re in early access,” Thacker said. “And we’re starting the
process for evaluation without being at the point where code reviewers will ask
to step in and look at the code.”
Though the evaluation labs are independent, Sun doesn’t bring in a
sponsor to help with the evaluation, as Red Hat does.
“Unlike other vendors, we don’t need a sponsor,” Thacker said. “We consider this to be mission critical to our business and we do this ourselves. Sun is its own sponsor and we do not need an outside sponsor to help fund