Sun Microsystems, Inc. and Security: Solaris OS

             Over the past twenty-two years, Sun Microsystems, Inc. (Sun) has been developing and improving the Solaris Operating System (Solaris OS). Sun and Solaris have a fascinating history both of which have a forward-looking trend. The Solaris OS has evolved to include many useful features. In fact, a number of different industries around the world make use of these features. In addition, Sun has developed a security rich Operating system worthy of recognition. Solaris is a widely used feature-filled operating system known for its security.

Sun was incorporated in February 1982. By the end of the 1980s they were the leaders of the workstation market. They continued to lead the workstation market into the early 1990s when they entered the server market. Focus on the server market proved to be a profitable pursuit during the rise of dot-com businesses during the 1990s. (Kranz, 2008) This success was attributed to its SPARC computer chip and Solaris OS. Sun led the way for use of common software and hardware components between workstation manufacturers creating industry standards. Sun positioned itself as an Internet and electronic-commerce specialist. The company’s biggest achievement was the introduction of Java technology. Java was the first universal software platform that enabled developers to write applications that run on any computer. (Sun Microsystems, Inc, n.d.) The dot-com bubble burst in 2001 was detrimental to Sun. In 2005, Sun began to reinvent itself by joining the open-source movement. Sun joined the movement by donating sixteen-hundred patents to the open source community. Currently, Sun offers a range of open source versions of their products. (Krantz, 2008)

The Solaris Operating made its debut in 1987. Solaris was the result of a deal between AT&T and Sun to combine leading UNIX versions into one Operating system. In 1991, Sun replaced the Operating system with the newly UNIX System V Release 4-based Solaris 2 Operating System. Solaris 2 included new advances such as the OpenWindows graphical user interface (GUI). Over the next decade and a half, several versions of Solaris were distributed. Sun strived to stay ahead of technological advances while continuing to meet present needs. In 1997, Solaris 2.7 (Solaris 7) included many new advances including being the first 64-bit release. In 2000, Solaris 8 was released. This version included advances combing datacenter and dot-com business requirements. In 2002, Sun foresaw changes in the server market. As a result they released Solaris 9 adopting Linux compatibility over OpenWindows. In 2005, the latest version of Solaris (Solaris 10) was released. This release offered a number of new developments. In addition, this release hinted at the change of Sun as a company which offered the release free to the public.  In 2006, Sun began the OpenSolaris Project. In the first year, the OpenSolaris Project attracted thousands of developers which continue improving Solaris. (Krantz, 2008) [1]

The latest version of Solaris includes a number of useful features. It provides performance advantages for database, Internet, and Java-based services. The Operating system delivers high-performance networking by implementing modern networking protocols. File system and volume management has been improved. These improvements deliver near limitless capacity, through implementation of a 128-bit file system, and near-zero administration. Interoperability is another important feature; Solaris 10 offers interoperability with hundreds of various hardware and software platforms. Many new tools were included in the release of Solaris 10. For example, the Dynamic Tracing tool offers monitoring of the system in real-time. Solaris 10 reduces platform restrictions by being compatible with hundreds of SPARC-based and x64/x86-based platforms. The introduction of automatic diagnosis and recovery from hardware and application faults helps to avoid downtime. (Feature Overview, n.d.)

Solaris is widely used in a number of different markets. Theses markets include communications, education, energy, financial services, government, healthcare, life sciences, media and entertainment, transportation and travel, and the retail trade (Industry Solutions, n.d.).[2] Sun offers a number of solutions in the communications industry. These solutions focus on converged digital media, integrated network and business systems, and next generation service delivery (Sun in The Communications Industry, n.d.). In the education industry, Sun provides products devoted to academic computing, administrative computing, primary and secondary education, and high performance computing (Sun in the Education Industry, n.d.). Sun has provided the energy industry with an Information Technology (IT) infrastructure that provides a competitive advantage in oil and gas and utility companies (Sun in the Energy Industry, n.d.). Solutions for Banking, Capital Markets, and Insurance have been developed by Sun to help with risk management systems, exploration of new markets, customer satisfaction, mobile banking, microfinance, and payments (Sun in the Financial Services Industry, n.d.). Sun meets many governmental needs with their solutions for justice systems, defense, intelligence, social service, public administration, and space exploration institutions (Sun in the Global Government Industry, n.d.). Sun services the healthcare system in many areas of the industry. Sun provides technological capabilities to labs, clinics, hospitals, insurers, administrators, and datacenters (Sun in the Healthcare Industry, n.d.). In the area of life sciences, Sun provides an array of products for clinical work, research and development, pre-clinical work, discovery, and life science manufacturing (Sun in the Life Sciences Industry, n.d.). Sun has many solutions for the Media and Entertainment, Broadcast, Cable, and Internet Services industries as well (Sun in the Media & Entertainment Industry, n.d.). Retailers also rely on Sun systems for critical business operations. In fact, retailers are Sun’s largest market base (Sun in the Retail Industry, n.d.). Sun has also proved to be a leader in providing solutions for the transportation and travel industry (Sun in the Transportation and Travel Industry, n.d.). Sun Solaris photo

            The Solaris 10 Operating system provides security features that were only available in previously released military-grade versions (known as Trusted Solaris). Digitally signed files provide detection of possible attacks by monitoring for changes to file information. Solaris 10 includes a Basic Audit and Reporting Tool (BART). BART is a file integrity checking application. The BART utility allows a customer to create snapshots of data, applications, and critical system files which can be scanned for changes. Additionally, Sun provides a Fingerprint Database for all files in Solaris with online verification utilities that allows file integrity checking and verification. User and Process Rights Management technologies are integrated which allow users and applications only the minimum capabilities needed to perform their tasks. Solaris 10 is distributed with IP Filter firewall software. This integrated firewall reduces can be configured to reduce the number of network services running and protect against compromised networking packets. Solaris also provides its Secure By Default networking configuration. When a Solaris 10 system is configured as Secure By Default outbound communications continues while inbound communications are restricted to secure shell encrypted remote access. The Solaris 10 Operating system includes a number of authentication features. Support for Pluggable Authentication Mechanism (PAM). PAM allows the addition of authentication services to Solaris dynamically. Kerberos-based protocols are included to allow for authorized and encrypted communications. All Solaris User and Process Rights management information can be stored centrally through a Lightweight Directory Access Protocol (LDAP)-based directory server. An LDAP-based directory server allows for centralized management of users and security role definitions. Password management capabilities in Solaris 10 include strong password encryption options, account lockout, password history, complexity checking, and a banned passwords list. An installation option called Reduced Networking Metacluster creates minimized functionality and services which can be added as needed. This reduces the vulnerability of unnecessarily installed functions and services. (Security, n.d.)

Solaris Trusted Extensions is offered as a standard part of Solaris 10. Solaris Trusted Extensions meet requirements in some industries for increased privacy, accountability, and reduced risk of security violations. This is a multi-level security solution which is unprecedented for commercial-grade Operating systems. Solaris Trusted Extensions integrate labeled security to protect data and applications based on their sensitivity level. Mandatory access control policy (MAC) adds sensitivity labels to all aspects of the Solaris 10 Operating system. With labeled objects an application cannot see or access data with a different security label. The MAC policy applies to the entire operating system, even system administrators cannot violate the policy. Solaris User Rights Management also provides a role-based access control (RBAC) administration tasks. RBAC implements a separation of duties system further adding security. Solaris Trusted Extensions devices (anything from thumb drives to printers) on the system also have labels associated with them. These device labels can be configured to reserve certain data to certain objects. Solaris Trusted Extensions uses Commercial IP Security Option (CIPSO) labeled networking standards. CIPSO allows systems to maintain label security when sharing data using networking. (Solaris Trusted Extensions – Labeled Security for Absolute Protection, n.d.)  

On November 6, 2007 a Common Criteria Certificate (EAL 4+) was awarded to Sun for Solaris 10. The Solaris 10 Operating System is certified with Controlled Access Protection Profile (CAPP) and Role Based Access Control Protection Profile (RBACPP) for use on SPARC, Advanced Micro Devices (AMD), and Intel based platforms. On June 11, 2008 a Common Criteria Certificate (EAL 4+) was awarded for Solaris with Trusted Extensions.

Solaris with Trusted extensions is certified with Labeled Security Protection Profile (LSPP) for use on a number of SPARC, Advanced Micro Devices (AMD), and Intel based platforms (Solaris Common Criteria Certification, n.d.) In the 1980s, Trusted Computer System Evaluation Criteria (TCSEC), also known as Orange Book certification, was the standard for evaluating security. Now, Common Criteria Certification is the most current process for evaluating security.  The CAPP/RBACCP EAL 4+ certification for Solaris 10 is roughly equivalent to C2 (Controlled Access Protection) certification as per Orange Book standards. However, Solaris with Trusted Extensions LSPP EAL 4+ certification ranks B1 (Labeled Security Protection) per Orange Book standards. (Laurent, 2006)[3]

Solaris is a widely used feature-filled Operating system known for its security. The many features centered on security, performance, networking, data management, interoperability, platform choice, and availability make Solaris an excellent choice for sensitive and less sensitive industries alike. Industry with less sensitive data can feel secure with Solaris 10 and its proven security features. For sensitive industries, Solaris 10 with Trusted Extensions provides a high level security option which extends the proven security of Solaris 10 by integrating labeled security. Solaris is trusted in many markets including communications, education, energy, financial services, government, healthcare, life sciences, media and entertainment, transportation and travel, and the retail trade.


Feature Overview. (n.d.). In Sun Microsystems. Retrieved February 15, 2009, from

Industry Solutions. (n.d.). In Sun Microsystems. Retrieved February 15, 2009, from

Kranz, T. (2008). The History of Solaris. In Ezine Articles. Retrieved February 16, 2009, from

Kranz, T. (2008). The History of Sun. In Content for Reprint. Retrieved February 18, 2009, from

Laurent, J. 2006, December 18). Jim Laurent’s Weblog [Msg 1]. Message posted to

Security. (n.d.). In Sun Microsystems. Retrieved February 21, 2009, from

Solaris Common Criteria Certification. (n.d.). In Sun Microsystems. Retrieved February 17,2009, from

Solaris Trusted Extensions – Labeled Security for Absolute Protection. (n.d.). In Sun Microsystems. Retrieved February 21, 2009, from

Sun in the Communications Industry. (n.d.). In Sun Microsystems. Retrieved February 15, 2009, from

Sun in the Education Industry. (n.d.). In Sun Microsystems. Retrieved February 15, 2009, from

Sun in the Energy Industry. (n.d.). In Sun Microsystems. Retrieved February 15, 2009, from

Sun in the Financial Services Industry. (n.d.). In Sun Microsystems. Retrieved February 15, 2009, from

Sun in the Global Government Industry. (n.d.). In Sun Microsystems. Retrieved February 15, 2009, from

Sun in the Healthcare industry. (n.d.). In Sun Microsystems. Retrieved February 15, 2009, from

Sun in the Life Sciences Industry. (n.d.). In Sun Microsystems. Retrieved February 15, 2009, from

Sun in the Media & Entertainment Industry. (n.d.). In Sun Microsystems. Retrieved February 15, 2009, from

Sun in the Retail industry. (n.d.). In Sun Microsystems. Retrieved February 15, 2009, from

Sun in the Transportation and Travel industry. (n.d.). In Sun Microsystems. Retrieved February 15, 2009, from

Sun Microsystems, Inc. (n.d.). In FundingUniverse. Retrieved February 20, 2009, from

[1] For a complete listing of the Solaris version history refer to:

[2] For a listing of specific customers by industry refer to:

[3] An excellent presentation outlining all of the security levels for Orange Book (TCSEC) security requirement can be found at:,1,Evaluating System Security: THE ORANGE BOOK etc

Photo by Silveira Neto

Photo by DraXus