HP-UX 11i security solution components

The basic goal of operating system security is to preserve the integrity of the system in the face of attack.

HP-UX 11i offers integrated UNIX security protection through a comprehensive and integrated set of security components aimed at proactively mitigating risk, reducing compliance cost, accelerating time to implementation and lowering IT costs.

These complementary components are designed for optimal protection against both external and internal threats by providing layered security with in-depth protection.

The components that comprise the three major security solutions are listed below in this order:


Protecting data:  In transit, in use, & at rest
Downloads and documentation
Function
Encrypted volume and file system (EVFS)

EVFS is an operating system service that fills the compliance need to store files in a way that they cannot be read by unauthorized parties who obtain physical access to storage. Files and databases from current applications can be encrypted without changes to the application or underlying storage infrastructure.

Trusted Computing Services (TCS)
HP-UX TCS provides software support for hardware-enforced key management on supported HP Integrity servers. By providing a low-cost embedded security chip option (known as a Trusted Platform Module) in its zx2-based Integrity servers, HP has established a foundation for strong protection of sensitive information - including cryptographic keys, such as for EVFS.
Security containment

HP-UX 11i security containment introduces three core technologies: compartments, fine-grained privileges, and role-based access control. Together, these three components provide a highly secure operating environment without requiring applications to be modified.

Protected Systems: Webserver (PS-Webserver)

PS-Webserver is a pre-configured secure Web services platform built on HP-UX. The secure architecture and run-time environment isolate the Internet from backend servers and isolate the Web server from the intranet.

OpenSSL
OpenSSL offers a general-purpose cryptography library and an implementation of the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols.
Secure Shell
Secure Shell is a powerful software-based approach to encrypted network security. It provides secured remote login. Credentials and data sent over the network are encrypted by SSH-1 or SSH-2 protocols and decrypted once they reach their destination.
IPSec
IPSec adds integrity protection and confidentiality to network communication, over the Internet and within the enterprise, for applications that lack these capabilities, without modifying those applications.
MD5 Secure Checksum (MD5sum)
MD5sum provides a cryptographic file integrity utility and API based on the standard Message Digest 5 (MD5) algorithm.
HP-UX 11i Internet Express
In addition to the fully-supported features listed above, HP packages a number of limited-support open source products that offer additional data security, including:  OpenSC/OpenCT, ClamAV, CyrusSASL, GnuPG, SSLDump, Stunnel, and Tripwire.
Protecting systems: Protect, detect & react
Downloads and documentation
Function   
Bastille

Bastille is a very easy-to-use security hardening wizard (also known as a lockdown wizard) that enhances the security of an HP-UX 11i host by turning off unneeded services, tightening security configuration settings, configuring IPFilter, etc.  It accommodates the various degrees of hardening required for web, application and database servers, and can walk a non-security expert through the hardening decisions.

Host IDS

HIDS enhances host-level security with near real-time automatic monitoring of each configured host for signs of potentially damaging intrusions. HIDS is a standard feature of HP-UX 11i, making HP the only systems vendor to offer its own host intrusion detection product.

Secure resource partitions
Secure Resource Partitions combine kernel level security (via Security Containment) and proven resource management to stack multiple applications within the same operating system.
IPFilter
IPFilter is a stateful firewall: it filters IP packets to control packet flow into or out of the system, and its statefulness simplifies rule definitions and makes them more secure by allowing return traffic based on outbound rules, without having to define broader inbound rules. HP's unique dynamic connection allocation provides protection from denial-of-service attacks. IPFilter provides increased security defense by minimizing the number of server exposure points.
Software Assistant (SWA)
HP-UX SWA is a command-line tool that consolidates, simplifies and helps automate patch and security bulletin management on HP-UX systems. The SWA tool is the HP-recommended utility to maintain currency with HP-published security bulletins for HP-UX software.
Install-time Security
Install-time Security (ITS) is available to customers running HP-UX 11i v2 or later releases of the operating system, as an install option to lock down systems during installation. ITS makes HP-UX 11i more secure out-of-the-box when customers select higher security levels. There are four choices, ranging from a highly locked down (DMZ) level with a tightly configured IPFilter firewall blocking most inbound traffic (and many services also disabled or secured) to a maximum compatibility level which installs security tools, but doesn't apply a security level.
Boot Authentication
A site's security policies may require users to authenticate before they can boot the system into single-user mode. Previously, this feature was only available on a system that had been converted to Trusted Mode. This product now provides secure single-user mode with root password protection, but without the overhead of converting the system to trusted mode.
Standard Mode Security Extensions
Enhances the system security of HP-UX 11i v2 and v3. Several security features previously available only in trusted mode are now available on standard mode HP-UX 11i systems. Features include enhanced password and user account security, such as password expiration on inactivity, history reuse restrictions, auditing, and much more.
Shadow Passwords
Shadow Passwords enhance system security by hiding users' encrypted passwords in a shadow password file. Encrypted passwords previously stored in the publicly readable /etc/passwd file can be optionally moved to the /etc/shadow file, which is accessible only by a privileged user.
Strong Random Number Generator
The Strong Random Number Generator provides a cryptographically strong, non-reproducible source of true random numbers for applications with strong security requirements, such as for generating encryption keys.
HP-UX 11i Internet Express
In addition to the fully-supported features listed above, HP packages a number of limited-support open source products that offer additional system security, including:  Chkrootkit, PAM_passwdqc, DanteSOCKS, Snort, Nessus, Xinetd.
Protecting identity:  Authentication & access control
Downloads and documentation
Function
Identity Management Integration (IdMI)
Providing the most complete and integrated solution for security management, IdMI allows administrators to enforce critical system access and authorizations. In addition to integrated enforcement, with the bundled version of Select Access for IdMI, customers benefit from single-vendor support for this mission-critical capability.
Select Access for IdMI
Select Access for IdMI is a follow-up product to the HP-UX Identity Management Integration feature.  This version of Select Access supports complete administration of HP-UX security policy for both user authentication and access control privileged functions within the OS.  HP-UX security policy can be centrally controlled and managed through Select Access.
Role-based Access Control (RBAC)
HP-UX RBAC (a component of security containment) is an alternative to the traditional "all-or-nothing" root user model, which grants permissions to the root user for all operations, and denies permissions to non-root users for certain operations. HP-UX RBAC allows you to distribute administrative responsibilities by creating roles with appropriate authorizations and assigning them to non-root users and groups.

AAA Server

HP-UX 11i AAA Server provides authentication, authorization and accounting services using the RADIUS and EAP protocols to authenticate and authorize user access to network devices and software applications.  The AAA Server also generates usage logs for accounting, auditing and billing purposes.
Red Hat Directory Server
Red Hat Directory Server is a Lightweight Directory Access Protocol (LDAP) compliant software server that centralizes user profiles, application settings, group data, policies and access control information into a network-based registry. The server is available on HP-UX 11i and operates on both HP 9000 and HP Integrity 64-bit hardware server platforms.
LDAP-UX Client
With growth, consolidation and a dynamic environment, enterprises need new technologies to manage and verify security in their IT environments. In a highly distributed environment, local processes, security practices and administration methods are often inconsistent, repetitive and difficult to audit. With LDAP-UX, enterprise IT architects can use LDAP directories as one tool to help unify and simplify many of the above-mentioned practices.
Kerberos Server
Kerberos Server provides key distribution facilities to implement the Kerberos authentication protocol in network-distributed enterprises. It operates with an LDAP directory providing integrated identity management for authentication and access control.
PAM Kerberos
PAM Kerberos provides transparent Kerberos login support for HP-UX.
Kerberos Client
HP-UX provides Kerberos Client software, including libraries, header files, and utilities for implementing secured client/server applications.
HP-UX 11i Internet Express
In addition to the fully-supported features listed above, HP packages a number of limited-support open source products that offer additional identity management, including:  Perl-LDAP, sudo, and OpenSAML.
© 2008 Hewlett-Packard Development Company, L.P.