HP-UX Gets Security Boost

by Sean Michael Kerner

The latest version of HP-UX 11i delivers a host of security enhancements.

Unix security got a little tighter this week. HP added security upgrades to its HP-UX 11i operating system.

The updates include new encrypted volume and file system support for "data-at-rest," along with an embedded trusted computing chip for HP's Integrity servers.

The new encryption features in HP-UX 11i v2 tie in with HP's Integrity servers, which use the much maligned Intel Itanium processor. HP-UX Security Architect Ron Luman argued that HP has a distinct performance advantage because of Itanium, which allows HP-UX 11i to do host-based encryption with low performance overhead.

"Essentially, we provide a subsystem in the middle between the actual volume where information is stored," Luman explained to internetnews.com. "We're actually storing the encrypted data rather than the data in the clear."

The encrypted volume support is intended to allow users to keep their existing storage hardware. The system uses host-based key management, meaning that encryption keys are resident on the platform itself.

To further protect the encryption keys, HP has also included Trusted Computing chips on some of its Integrity servers.

"The Trusted platform provides for stronger protection of encryption keys than a software-only solution," Luman said. "By protecting the keys in hardware you can do a lot better job of making sure they are not compromised."

Security configuration is also getting a boost in HP-UX 11i v2. A new version of HP's open source Bastille platform hardening application is now available. Bastille walks administrators through a series of questions that help set up and configure a secure posture for an operating system, and it is widely available for Linux. According to Luman, the HP-UX 11i v2 version of Bastille adds two to three times the number of questions and lots of customization over its Linux cousin. One of the most notable improvements is a drift management reporting feature that will report if settings have been changed from a security standpoint.
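The drift reporting idea described above, as an added illustration that is not Bastille's or HP's own code: a hardening tool records the settings it applied as a baseline, later re-reads the live settings, and reports every setting that departed from that baseline (changed, removed, or newly present). The setting names, values, and the key=value format are constructed samples, not HP-UX or Bastille identifiers.

```python
"""Configuration drift report (added example; the setting names are hypothetical)."""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: settings as a hardening tool might record them right
# after applying its policy. Names and values are made up for illustration.
BASELINE_TEXT = """\
# hardening baseline, constructed sample
telnet_enabled=no
ftp_enabled=no
password_min_length=8
login_banner=yes
remote_root_login=no
audit_enabled=yes
"""

# Constructed sample: the same settings read back from the host some weeks
# later, after an administrator has quietly relaxed a few of them.
CURRENT_TEXT = """\
telnet_enabled=yes
ftp_enabled=no
password_min_length=6
login_banner=yes
audit_enabled=yes
sendmail_daemon=yes
"""


@dataclass(frozen=True)
class Finding:
    setting: str
    kind: str                 # "changed", "removed" or "added"
    baseline: Optional[str]   # value in the recorded baseline, None if absent
    current: Optional[str]    # value on the live host, None if absent


def parse_settings(text: str) -> Dict[str, str]:
    """Parse key=value lines, skipping blank lines and '#' comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed setting line: {raw!r}")
        settings[key.strip()] = value.strip()
    return settings


def fingerprint(settings: Dict[str, str]) -> str:
    """Stable SHA-256 over a canonical JSON form, so an unchanged snapshot is cheap to recognise."""
    canonical = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def drift_report(baseline_text: str, current_text: str) -> List[Finding]:
    """Return every setting whose live value differs from the recorded baseline."""
    baseline = parse_settings(baseline_text)
    current = parse_settings(current_text)
    findings: List[Finding] = []
    for key in sorted(baseline.keys() | current.keys()):
        b, c = baseline.get(key), current.get(key)
        if b == c:
            continue                                   # no drift for this setting
        if b is None:
            findings.append(Finding(key, "added", None, c))
        elif c is None:
            findings.append(Finding(key, "removed", b, None))
        else:
            findings.append(Finding(key, "changed", b, c))
    return findings


def format_report(findings: List[Finding]) -> str:
    """Render findings as one line each; an empty list means the host still matches its baseline."""
    if not findings:
        return "no drift from baseline"
    lines = []
    for f in findings:
        lines.append(f"{f.kind:8s} {f.setting}: baseline={f.baseline!r} current={f.current!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Comparing fingerprints first lets a scheduled job skip the detailed diff
    # when nothing has changed; here they differ, so the full report is printed.
    if fingerprint(parse_settings(BASELINE_TEXT)) != fingerprint(parse_settings(CURRENT_TEXT)):
        print(format_report(drift_report(BASELINE_TEXT, CURRENT_TEXT)))
```

On the constructed sample the report flags the weakened password length, the re-enabled telnet service, the vanished remote-root-login setting and the newly present mail daemon, while leaving the unchanged settings out. The fingerprint is only a shortcut; the per-setting diff is what tells an administrator which change to look into.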

Access to HP-UX systems is improved via an update to HP-UX's AAA (Authentication, Authorization, and Accounting) server. The new version now includes an ODBC database plugin that enables the server to consult a database in order to make more sophisticated policy decisions. Luman noted that HP-UX AAA supports interoperability based on standards and also selected vendor-specific implementations when appropriate, including Cisco LEAP and RSA SecurID. When it comes to network access control (NAC), the answer is not quite as clear cut.

"We are monitoring both the evolving standards and vendor-specific implementations in the area of NAP/NAC/TNC, and are currently waiting for the dust to settle," Luman said.

The improvements to HP-UX 11i version 2 come just a few months before HP is expected to roll out version 3 of HP-UX 11i. The upcoming HP-UX 11i version will support the Open Group's UNIX 2003 specification. The key benefit of conformance with the specification is that it is intended to make it easier to write and deploy applications across Unix 03 compliant platforms. HP-UX 11i's two principal competitors, IBM's AIX 5L and Sun's Solaris 10, are already Unix 03 certified.

Last week, Sun rolled out security improvements to its Solaris 10 operating system.

Unix 03 compliance may also make it easier for users to migrate from one compliant system to another.

"Customers that currently run on other Unix operating environments such as Sun Solaris and IBM AIX who want to migrate to a more cost-effective and in many cases more comprehensive environment are one of the principal new customers who migrate to HP-UX," Luman said.

This article was originally published on internetnews.

This article was originally published on Tuesday Dec 19th 2006