Sun finds Net creates users for secure OS

A black hole is how Sun Microsystems Federal officials describe the government's
security certification process.

And though the company has invested 12 years and $50 million to develop a
multilevel-secure (MLS) and compartmented-mode workstation (CMW) version of the Solaris
operating system, sales to date have been unimpressive.

But the growth of the Internet "has brought people to our door," said Joe
Alexander, product manager for Trusted Solaris 2.5, the newest B1-level MLS+ release of
Solaris 2.5.1.

A security profiles feature, which lets Trusted Solaris 2.5 administrators limit user
access to specific Unix commands and graphical tools, is now part of the standard Solaris
2.6 operating system--some vindication for Sun Federal's years of effort.

Trusted Solaris 2.5 competes with B-1 MLS+ versions of Digital Equipment Corp.'s
Digital Unix and Hewlett-Packard Co.'s HP-UX as a platform for trusted gateways,
firewalls, World Wide Web servers and workstations.

The latest version of the OS runs on the 64-bit UltraSparc processor, which powers most
of Sun's latest hardware, from Ultra 1 and Ultra 2 workstations to the 30-processor
Enterprise Server 6000.

But Trusted Solaris 2.5 is not yet year 2000-ready. Customers will have to purchase and
install a patch, available next January, to prepare the OS for the year 2000 date change,
Alexander said.

The four to five years leading up to the current Trusted Solaris release were rocky, he
said, as funding for development was "turned off, turned back on, turned off"
because customers weren't buying.

Sun Federal officials said the Defense Intelligence Agency originally wrote the
specification for CMW security and asked the National Security Agency to handle the
certification.

"When NSA wasn't moving as fast as DIA wanted, DIA pulled the plug," said
John Leahy, group manager for Sun Microsystems Federal.

In the meantime, Leahy said, the certification process had widened at least a
full-generation gap between the commercial OS and the secure version. Trusted Solaris 1.2,
released in 1995, did not support the multithreading or symmetric multiprocessing
capabilities of Sun servers.

Although NSA has evaluated Digital's and HP's secure Unix operating systems, Trusted
Solaris 2.5 has not been certified and may never be. NSA officials have said they plan to
turn over their security testing responsibilities to private labs certified by the
National Institute of Standards and Technology.

Alexander said Sun never managed to deliver an NSA-certified version of Trusted
Solaris, despite eight years of work with NSA.

"The evaluation body goes in front of peers and has to defend its efforts, which
forces the process to go longer," he said.

Sun did submit Trusted Solaris 2.5 to the United Kingdom's Information Technology
Security Evaluation and Certification process for E3/F-B1 and E3/F-C2 security, which will
be completed in April 1988, Alexander said. ITSEC certification tells potential buyers
that the vendor's product claims have been independently verified.

"With ITSEC, we can win contracts in Europe with Trusted Solaris, but we don't get
final payment until the certification is handed to the government activity that requires
it," Alexander said.

NSA has agreed within the last year to reciprocal recognition of C2-level evaluations,
and "that's a start," he said.

Over the next several years, NSA and NIST plan to recognize the international Common
Criteria Evaluation Methodology as the successor to U.S. Orange Book standards for
security products, an NSA spokeswoman said.

After the two agencies have transferred their evaluation technology to the private
labs, NSA and NIST will act together as a certification body "to assure the quality
and consistency of results," she said.

The new Trusted Solaris, unlike previous versions, can run most existing Solaris
applications, including the Netscape Navigator browser. Customers receive a list of the
applications Sun has tested with Trusted Solaris.

The graphical user interface is a trusted version of the Common Desktop Environment,
the same interface as that of Solaris 2.6 and other Unix 95-branded operating systems.

Customization options adjust it for C2 or B1 requirements, trusted networking,
distributed naming services and interoperability with standard Unix servers, Alexander
said.

He said Sun expects quick certification for baseline compliance with the Defense
Information Infrastructure Common Operating Environment requirements.

A trusted version of the Solstice AdminSuite 2.1 gives administrators a set of
graphical tools to manage users, hosts, interfaces and serial ports. Instead of having to
"fat-finger everything they do, now they can point and click, drop and drag,"
Alexander said.

A trusted-roles feature prevents administrators from logging in as "root" or
"superuser"--potential security holes in other Unix OSes. Instead,
administrators log in as themselves and assume roles so that the system can manage those
roles and control who's doing what, Alexander said.

Root is present in Trusted Solaris 2.5 only as a role, primarily because many
commercial software products require it for loading. "Some commercial packages behave
well in a trusted environment," Alexander said. Others don't, he said, because they
call for a superuser or root function to do certain tasks.

Trusted Solaris also has a privilege checker that lets the administrator assess whether
it's safe to bring a particular commercial product into the environment, he said.

Trusted Solaris 2.5 will sell at promotional prices of $149 for the desktop version and
$1,395 for servers through the end of 1997. Current Solaris users get special upgrade
prices.

Trusted Solaris appears on more than a dozen federal contracts including NASA's
Scientific and Engineering Workstation Procurement II, Sun officials said.

Contact Sun Microsystems' Joe Alexander at 703-204-4202.