HP: Improved Security in Our Unix

Unix security is getting better. Hewlett-Packard has just added a set of security upgrades to its own flavor of the operating system, HP-UX 11i.

The updates to HP-UX 11i version 2 include new encrypted volume and file system support for protecting “data at rest,” along with an embedded trusted computing chip for HP’s Integrity servers.

The new encryption features in HP-UX 11i v2 tie in with HP’s Integrity servers, which use the much maligned Intel Itanium processor. HP-UX Security Architect Ron Luman argued that HP has a distinct performance advantage because of Itanium, which allows HP-UX 11i to do host-based encryption with low performance overhead.

“Essentially we provide a subsystem in the middle between the actual volume where information is stored,” Luman explained to internetnews.com. “We’re actually storing the encrypted data rather than the data in the clear.”

The encrypted volume support is intended to allow users to keep their existing storage hardware, since the encryption happens on the host before data reaches the volume. Key management is host-based, meaning that the encryption keys are resident on the platform itself.

To further protect the encryption keys, HP has also included Trusted Computing chips on some of its Integrity servers.

“The Trusted platform provides for stronger protection of encryption keys than a software-only solution,” Luman said. “By protecting the keys in hardware you can do a lot better job of making sure they are not compromised.”

Security configuration is also getting a boost in HP-UX 11i v2. A new version of HP’s open source Bastille platform hardening application is now available. Bastille walks administrators through a series of questions that help set up and configure a secure posture for an operating system, and it is widely available for Linux. According to Luman, the HP-UX 11i v2 version of Bastille adds two to three times the number of questions and far more customization than its Linux cousin. One of the most notable improvements is a drift management reporting feature that will report when settings have been changed from the hardened configuration.
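The drift reporting idea is simple enough to show in working code. The following is an added example, not Bastille’s own code or HP’s: it snapshots a hardened configuration into a baseline (settings plus a digest), then compares a later copy of the file against that baseline and reports exactly which settings changed, appeared, or disappeared. The sshd-style configuration text and the names `snapshot` and `report_drift` are constructed for the example.

```python
import hashlib
import json

# Constructed sample: a hardened sshd_config as the tool would have left it.
BASELINE_CONFIG = """\
# hardened by the configuration tool (constructed example)
PermitRootLogin no
PasswordAuthentication no
Protocol 2
X11Forwarding no
MaxAuthTries 3
"""

# Constructed sample: the same file after someone "temporarily" relaxed it.
DRIFTED_CONFIG = """\
# hardened by the configuration tool (constructed example)
PermitRootLogin yes
PasswordAuthentication no
Protocol 2
X11Forwarding no
MaxAuthTries 6
UsePAM yes
"""


def parse_settings(text):
    """Parse 'Key value' lines into a dict, ignoring comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def snapshot(text):
    """Build a baseline record: the normalized settings plus a SHA-256 over them.

    The digest is computed over a canonical (sorted) JSON form so that
    reordering lines or changing comments does not count as drift.
    """
    settings = parse_settings(text)
    canonical = json.dumps(settings, sort_keys=True).encode()
    return {"settings": settings, "sha256": hashlib.sha256(canonical).hexdigest()}


def report_drift(baseline, current_text):
    """Compare the current file against a stored baseline snapshot.

    Returns a dict with 'drifted' plus the changed, added and removed keys;
    the digest check short-circuits the common no-change case.
    """
    current = snapshot(current_text)
    if current["sha256"] == baseline["sha256"]:
        return {"drifted": False, "changed": {}, "added": {}, "removed": {}}
    old, new = baseline["settings"], current["settings"]
    changed = {k: (old[k], new[k]) for k in old if k in new and old[k] != new[k]}
    added = {k: new[k] for k in new if k not in old}
    removed = {k: old[k] for k in old if k not in new}
    return {"drifted": True, "changed": changed, "added": added, "removed": removed}


if __name__ == "__main__":
    base = snapshot(BASELINE_CONFIG)
    for section, detail in report_drift(base, DRIFTED_CONFIG).items():
        print(f"{section}: {detail}")
```

In practice the baseline record would be written to disk (or a database) right after the hardening run and the comparison scheduled periodically; the report above distinguishes a weakened setting (`PermitRootLogin` flipped to `yes`) from a newly introduced one (`UsePAM`), which is what an administrator needs in order to decide whether a change was authorized.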

Access to HP-UX systems is improved via an update to HP-UX’s AAA (Authentication, Authorization, and Accounting) server. The new version includes an ODBC database plugin, which enables the server to consult a database when making more sophisticated policy decisions. Luman noted that HP-UX AAA supports interoperability based on standards and also selected vendor-specific implementations where appropriate, including Cisco LEAP and RSA SecurID. When it comes to NAC (Network Access Control), the answer is not quite as clear cut.
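To make the “policy decision from a database” point concrete, here is an added example that is not HP-UX AAA’s code or its ODBC plugin: an in-memory SQLite table stands in for the policy database, and an `authorize` function decides a RADIUS-style access request from the user’s group, the NAS the request arrived on, and the hour of day. The schema, the accounts and the policy rows are all constructed for the example; the two points a practitioner should take from it are deny-by-default and parameterized queries, since the user name and NAS address in a real request are attacker-influenced.

```python
import sqlite3


def build_policy_db():
    """Constructed in-memory stand-in for an ODBC-backed AAA policy store."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(name TEXT PRIMARY KEY, grp TEXT, enabled INTEGER);
        CREATE TABLE group_policy(
            grp TEXT, nas_prefix TEXT, start_hour INTEGER, end_hour INTEGER, vlan INTEGER);
        -- constructed sample accounts
        INSERT INTO users VALUES ('alice', 'ops', 1);
        INSERT INTO users VALUES ('bob', 'contractor', 1);
        INSERT INTO users VALUES ('mallory', 'ops', 0);
        -- constructed sample policy: ops anywhere in 10.0/16 all day,
        -- contractors only from the 10.0.5.x NAS during business hours
        INSERT INTO group_policy VALUES ('ops', '10.0.', 0, 24, 10);
        INSERT INTO group_policy VALUES ('contractor', '10.0.5.', 8, 18, 200);
    """)
    return db


def authorize(db, user, nas_ip, hour):
    """Return (accept, attributes) for an access request.

    Every lookup uses a bound parameter; the default answer is reject.
    """
    row = db.execute(
        "SELECT grp, enabled FROM users WHERE name = ?", (user,)).fetchone()
    if row is None or not row[1]:
        return False, {"reason": "unknown or disabled user"}
    grp = row[0]
    rules = db.execute(
        "SELECT nas_prefix, start_hour, end_hour, vlan FROM group_policy WHERE grp = ?",
        (grp,))
    for nas_prefix, start, end, vlan in rules:
        if nas_ip.startswith(nas_prefix) and start <= hour < end:
            # Attributes the AAA server would hand back to the NAS.
            return True, {"group": grp, "vlan": vlan}
    return False, {"reason": "no policy matches this NAS and time"}


if __name__ == "__main__":
    db = build_policy_db()
    for req in [("alice", "10.0.1.2", 3), ("bob", "10.0.5.9", 20),
                ("bob", "10.0.7.1", 10), ("mallory", "10.0.1.2", 12)]:
        print(req, "->", authorize(db, *req))
```

The `startswith` prefix match keeps the example short; a production policy table would store CIDR ranges and match them with `ipaddress`, and the time window would be evaluated in the NAS’s timezone rather than taken from the caller.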

“We are monitoring both the evolving standards and vendor-specific implementations in the area of NAP/NAC/TNC, and are currently waiting for the dust to settle,” Luman said.

The improvements to HP-UX 11i version 2 come just a few months before HP is expected to roll out version 3 of HP-UX 11i. The upcoming HP-UX 11i v3 will support the Open Group’s UNIX 03 specification. The key benefit of conformance with the specification is that it is intended to make it easier to write and deploy applications across UNIX 03 compliant platforms. HP-UX 11i’s two principal competitors, IBM’s AIX 5L and Sun’s Solaris 10, are already UNIX 03 certified.

Last week, Sun rolled out security improvements to its Solaris 10 operating system.

UNIX 03 compliance may well also make it easier for users to migrate from one compliant system to another.

“Customers that currently run on other UNIX operating environments such as Sun Solaris and IBM AIX who want to migrate to a more cost-effective and in many cases more comprehensive environment are one of the principal new customers who migrate to HP-UX,” Luman said.

Updated from a prior version to correct the spelling of Luman’s name.
