
HP-UX Security has updated its security definition files and has added Auditing and HIDS support to HP-UX Containers.
HP-UX Security product updates include OpenSSL, OpenSSH, Bastille, Audit, HIDS and IPFilter. These products have been updated with the latest security definitions and minor enhancements.
HP-UX Security also offers Whitelisting, which takes a different approach to security: it protects critical system files from modification and allows access to your data only from a known, trusted 'whitelist' of applications.
The HP-UX security model is built on three main tenets of security: Protecting Data, System Integrity, and Identity Protection.
The breadth of the HP-UX model is addressed in a portfolio of security certifications. The complete set of security products and tools needed for this comprehensive coverage is licensed and supported as part of the base HP-UX 11i operating environment.
| Downloads and documentation | Function |
|---|---|
| » Encrypted volume and file system (EVFS) | EVFS is an operating system service that meets the compliance need to store files so that they cannot be read by unauthorised parties who obtain physical access to the storage. Files and databases of existing applications can be encrypted without changes to the application or to the underlying storage infrastructure. EVFS can also apply extra protection to individual files so that only authorised parties can access them, restricting access to the most sensitive data. |
| » Whitelisting | Whitelisting takes a different approach to securing data: access to your data is allowed only from a known, trusted 'whitelist' of applications. Once the relationship is established, only whitelisted applications can access the data, and the identity of an approved application is validated through a cryptographic handshake. Whitelisting also protects a set of files (for example, critical configuration files) from modification and deletion, even by the root user, which simplifies certification efforts such as PCI compliance. |
| » Trusted Computing Services (TCS) | HP-UX TCS provides software support for hardware-enforced key management on supported HP Integrity servers. By offering a low-cost embedded security chip option (a Trusted Platform Module) in its Integrity servers, HP has established a foundation for strong protection of sensitive information, including cryptographic keys such as those used by EVFS. |
| » Security containment | HP-UX 11i security containment introduces three core technologies: compartments, fine-grained privileges, and role-based access control. Together, these three components provide a tightly controlled operating environment without requiring applications to be modified. |
| » OpenSSL | OpenSSL provides a general-purpose cryptography library and an implementation of the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. FIPS 140-2 validated OpenSSL libraries are available on HP-UX. Note that SSL v2 and SSL v3 have since been prohibited by the IETF (RFC 6176 and RFC 7568); they should be disabled in favour of TLS. |
| » Secure Shell | Secure Shell (SSH) is a software-based approach to encrypted network communication. It provides secured remote login: credentials and data sent over the network are encrypted by the SSH-1 or SSH-2 protocol and decrypted at the destination. SSH can also be used to establish a secure tunnel between two hosts or applications. SSH-1 is obsolete and has known protocol weaknesses; only SSH-2 should be enabled. |
| » IPSec | IPSec adds integrity protection and confidentiality to network communication over the Internet and within the enterprise, giving these properties to applications that lack them without modifying the existing applications. |
| » MD5 Secure Checksum | MD5 Secure Checksum provides a cryptographic file integrity utility and API based on the standard Message Digest 5 (MD5) algorithm. MD5 is no longer collision-resistant, so a checksum baseline built with it detects accidental or unsophisticated change but cannot be relied on against an adversary who can influence the baselined content; prefer SHA-256 where the tooling supports it. |
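The following is an added example, not HP's MD5 Secure Checksum code, showing what a checksum-based integrity check actually does: snapshot a set of files into a manifest, store it somewhere the attacker cannot write, and later compare the live files against it, reporting modified, missing and unexpected paths. The file contents are constructed in-memory samples standing in for real paths, and the `algo` parameter shows how the same logic runs over SHA-256 instead of MD5.

```python
"""Baseline-and-verify file integrity checking, in the manner of a
checksum utility such as HP's MD5 Secure Checksum.

Added example; this is not HP code.  The "files" are constructed in-memory
samples standing in for real paths so that the script runs offline.
"""
import hashlib
import hmac
from typing import Dict, List

# Constructed sample content for the baseline snapshot (path -> bytes).
BASELINE_FILES: Dict[str, bytes] = {
    "/etc/inetd.conf": b"ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l\n",
    "/etc/passwd": b"root:x:0:0:root:/:/sbin/sh\n",
    "/usr/bin/login": b"\x7fELF" + b"\x00" * 16,
}

# The same host later: one file altered, one removed, one unexpected file added.
TAMPERED_FILES: Dict[str, bytes] = {
    "/etc/inetd.conf": b"ftp stream tcp nowait root /tmp/.x/ftpd ftpd -l\n",
    "/usr/bin/login": b"\x7fELF" + b"\x00" * 16,
    "/usr/bin/.login~": b"#!/usr/bin/sh\n",
}


def digest(data: bytes, algo: str = "md5") -> str:
    """Hex digest of data.  algo is any name hashlib knows: "md5" matches the
    product described above, "sha256" is the better choice where available."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def build_manifest(files: Dict[str, bytes], algo: str = "md5") -> Dict[str, str]:
    """Snapshot path -> digest.  Keep the result on read-only media or a
    separate host; a manifest the attacker can rewrite proves nothing."""
    return {path: digest(data, algo) for path, data in files.items()}


def format_manifest(manifest: Dict[str, str]) -> str:
    """Serialise as '<hexdigest>  <path>' lines (two spaces, md5sum style)."""
    return "".join(f"{h}  {p}\n" for p, h in sorted(manifest.items()))


def parse_manifest(text: str) -> Dict[str, str]:
    """Inverse of format_manifest; rejects malformed lines instead of guessing."""
    manifest: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        try:
            hexdigest, path = line.split("  ", 1)
        except ValueError:
            raise ValueError(f"manifest line {lineno}: expected '<hex>  <path>'")
        manifest[path] = hexdigest.lower()
    return manifest


def verify(manifest: Dict[str, str], files: Dict[str, bytes],
           algo: str = "md5") -> Dict[str, List[str]]:
    """Compare the current files against the baseline manifest.
    Returns sorted lists of modified, missing and unexpected paths."""
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "unexpected": []}
    for path, expected in sorted(manifest.items()):
        if path not in files:
            report["missing"].append(path)
        elif not hmac.compare_digest(digest(files[path], algo), expected):
            report["modified"].append(path)
    report["unexpected"] = sorted(p for p in files if p not in manifest)
    return report


if __name__ == "__main__":
    baseline = build_manifest(BASELINE_FILES)
    print(format_manifest(baseline), end="")
    print(verify(parse_manifest(format_manifest(baseline)), TAMPERED_FILES))
```

The check is only as trustworthy as the manifest's storage and the hash: an attacker with write access to the manifest simply re-baselines their changes, and with MD5 an attacker who controls file content at baseline time can prepare a colliding replacement. Running the same code with `algo="sha256"` removes the second problem; only an offline or read-only manifest removes the first.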
| Downloads and documentation | Function |
|---|---|
| » Bastille | Bastille is an easy-to-use security hardening wizard (also known as a lockdown wizard) that improves the security of an HP-UX 11i host by turning off unneeded services, tightening security configuration settings, configuring IPFilter, and so on. It accommodates the different degrees of hardening required for web, application and database servers, and can walk a non-expert through the hardening decisions. |
| » Install-time Security (ITS) | Install-time Security (ITS) is available to customers running HP-UX 11i v2 or later as an install option that locks down the system during installation, making HP-UX 11i more secure out of the box when a higher security level is selected. There are four levels, ranging from a highly locked-down (DMZ) level, with a tightly configured IPFilter firewall blocking most inbound traffic and many services disabled or secured, to a maximum-compatibility level that installs the security tools but applies no lockdown. Refer to the Bastille documentation for details. |
| » Auditing System Extensions | Auditing System Extensions enhance the existing HP-UX auditing system with reporting and filtering tools, helping to meet compliance regulations such as SOX, PCI, SB 1386 and HIPAA. |
| » Host IDS | HIDS enhances host-level security with near-real-time automatic monitoring of each configured host for signs of potentially damaging intrusions. HIDS is a standard feature of HP-UX 11i; HP describes itself as the only systems vendor to offer its own host intrusion detection product. |
| » IPFilter | IPFilter is a stateful system firewall: it filters IP packets to control traffic into and out of the system, and its state tracking simplifies and tightens rule sets by admitting the return traffic of outbound connections automatically, without broad inbound rules. HP's dynamic connection allocation provides protection from denial-of-service attacks. IPFilter reduces the server's exposed surface by minimising the number of listening services reachable from the network. |
| » HP-UX Software Assistant (SWA) | HP-UX SWA is a command-line tool that consolidates, simplifies and helps automate patch and security bulletin management on HP-UX systems. SWA is the HP-recommended utility for keeping current with HP-published security bulletins for HP-UX software. |
| » Secure single-user mode | A site's security policy may require users to authenticate before they can boot the system into single-user mode. Previously this was only available on a system that had been converted to trusted mode. This product provides secure single-user mode with root password protection without the overhead of converting the system to trusted mode. |
| » Standard mode security enhancements | Enhances the system security of HP-UX 11i v2 and v3. Several security features previously available only in trusted mode are now available on standard-mode HP-UX 11i systems, including enhanced password and user account security such as password expiry on inactivity, password history re-use restrictions, auditing, minimum password length, and more. |
| » Shadow Passwords | Shadow Passwords enhance system security by hiding users' hashed passwords in a shadow password file. Password hashes previously stored in the world-readable /etc/passwd file can optionally be moved to /etc/shadow, which is readable only by a privileged user, so that an unprivileged local user can no longer copy the hashes for offline cracking. |
| » Strong Random Number Generator | The Strong Random Number Generator provides a cryptographically strong, non-reproducible source of random numbers for applications with strong security requirements, such as generating encryption keys. |
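An added illustration of the stateful point made for IPFilter above (not taken from HP's shipped rule sets or documentation): two rule sets in `ipf.conf` syntax, a stateless one that has to open a broad inbound hole to let replies back in, and a stateful one that does not. The path `/etc/opt/ipf/ipf.conf`, the management network `10.10.0.0/24` and the service choices are assumptions for the example.

```conf
# Constructed example rule sets in ipf.conf syntax; not HP's shipped rules.
# IPFilter applies the LAST matching rule unless a rule carries "quick",
# so the "block ... all" defaults go first and "quick" pass rules override them.
# Load only ONE of the two sections below; they are shown together for contrast.

# --- Weak: stateless rules --------------------------------------------------
# To let replies to this host's outbound HTTPS and DNS traffic back in, a
# stateless policy has to admit any packet whose SOURCE port is 443 or 53.
# Any remote host can set its source port, so these are open inbound holes.
block in  all
pass  out quick proto tcp from any to any
pass  in  quick proto tcp from any port = 443 to any     # broad inbound hole
pass  in  quick proto udp from any port = 53  to any     # broad inbound hole

# --- Corrected: stateful rules ----------------------------------------------
# Default deny in both directions.  Every pass rule keeps state, so only the
# replies belonging to a connection this host opened are admitted, and only
# for the life of that connection.
block in  all
block out all
# Outbound connections this host initiates (TCP: SYN only, so state is
# created by a real connection attempt, not by a stray packet).
pass  out quick proto tcp  from any to any flags S keep state
pass  out quick proto udp  from any to any keep state
pass  out quick proto icmp from any to any keep state
# Inbound exposure is explicit and narrow: SSH from the management network.
pass  in  quick proto tcp  from 10.10.0.0/24 to any port = 22 flags S keep state
# The SSH server's replies are covered by the state entry above; no
# "pass out ... port = 22" rule and no other inbound rule is needed.
```

With standard IPFilter tooling the rules are loaded with `ipf -Fa -f /etc/opt/ipf/ipf.conf` (flush, then load), `ipfstat -io` lists the active inbound and outbound rules, and `ipfstat -s` shows the state table, which is where to look when a return packet is unexpectedly dropped.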
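As an added example of the account-state checks a practitioner would run once shadow passwords and the standard-mode password controls above are in place (this is not HP-UX tooling), the script below audits constructed `/etc/passwd` and `/etc/shadow` contents: it flags hashes left behind in the world-readable file, empty password fields, accounts marked shadowed that have no shadow entry, shadow entries with no matching account, extra UID 0 accounts, and accounts with no password ageing. The two sample files and their hash strings are constructed dummies; reading the real `/etc/shadow` requires privilege, which is exactly the point of the feature.

```python
"""Audit account state across /etc/passwd and /etc/shadow style data.

Added example; not HP-UX's Shadow Passwords tooling.  The two files below are
constructed samples (the hash strings are dummies) so the audit runs offline.
"""
from typing import Dict, List, Tuple

# Constructed /etc/passwd: name:passwd:uid:gid:gecos:home:shell
PASSWD = """\
root:x:0:0:root:/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
legacy:$1$ab12$dummyhashleftbehind:205:20:left over from pre-shadow:/home/legacy:/usr/bin/sh
svc:x:206:20:batch service:/home/svc:/usr/bin/sh
ops:x:0:20:operator with uid 0:/home/ops:/usr/bin/sh
"""

# Constructed /etc/shadow: name:passwd:lastchg:min:max:warn:inactive:expire:flag
SHADOW = """\
root:$6$saltsalt$dummyhashforroot:19000:0:90:7:30::
svc::19000:0:90:7:30::
ops:$6$saltsalt$dummyhashforops:19000:0:99999:7:::
ghost:!:19000:0:99999:7:::
"""


def parse_colon_file(text: str, nfields: int) -> Dict[str, List[str]]:
    """Parse a colon-separated account file into name -> fields.
    A line with the wrong field count is treated as corruption, not skipped."""
    entries: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"line {lineno}: expected {nfields} fields, got {len(fields)}")
        entries[fields[0]] = fields
    return entries


def is_locked(pw: str) -> bool:
    """'*', '*LK*' and '!...' are lock markers, not usable hashes."""
    return pw.startswith(("*", "!"))


def audit(passwd_text: str, shadow_text: str) -> List[Tuple[str, str]]:
    """Return sorted (user, finding) pairs for the weaknesses listed above."""
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 9)
    findings: List[Tuple[str, str]] = []

    for user, f in passwd.items():
        pw, uid = f[1], f[2]
        if pw == "":
            findings.append((user, "empty password field in passwd (login without password)"))
        elif pw == "x":
            # 'x' means "look in /etc/shadow"; a missing entry leaves the account undefined
            if user not in shadow:
                findings.append((user, "passwd says shadowed but no shadow entry"))
        elif not is_locked(pw):
            # A real hash in the world-readable file defeats the purpose of shadowing
            findings.append((user, "hash still in world-readable passwd"))
        if uid == "0" and user != "root":
            findings.append((user, "uid 0 account other than root"))

    for user, f in shadow.items():
        if user not in passwd:
            findings.append((user, "shadow entry with no passwd entry"))
            continue
        if f[1] == "":
            findings.append((user, "empty password field in shadow (login without password)"))
        if f[4] in ("", "99999"):
            findings.append((user, "no password ageing (max days empty or 99999)"))

    return sorted(findings)


if __name__ == "__main__":
    for user, problem in audit(PASSWD, SHADOW):
        print(f"{user}: {problem}")
```

On a real host the same function is fed the contents of `/etc/passwd` and `/etc/shadow`; the value of the exercise is that everything except the "hash still in passwd" finding is invisible to an unprivileged user once shadowing is on, which is why the hashes are moved in the first place.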
| Downloads and documentation | Function |
|---|---|
| » Role-based Access Control (RBAC) | HP-UX RBAC (a component of security containment) is an alternative to the traditional 'all-or-nothing' root user model, which grants the root user permission for every operation and denies non-root users permission for many of them. HP-UX RBAC lets you distribute administrative responsibilities by creating roles with appropriate authorisations and assigning them to non-root users and groups. It also supports keystroke logging of role-based command execution. |
| » HP-UX 11i AAA Server | HP-UX 11i AAA Server provides authentication, authorisation and accounting services using the RADIUS and EAP protocols to authenticate and authorise user access to network devices and software applications. The AAA Server also generates usage logs for accounting, auditing and billing purposes. It supports standards-based two-factor authentication, which helps address the multi-factor authentication requirements of compliance regulations. |
| » HP-UX Directory Server (HPDS) | HP-UX Directory Server (HPDS) provides an industry-standard, centralised directory service on which to build your intranet or extranet. Your HP-UX 11i servers and other directory-enabled applications use the directory service as a common, network-accessible location for shared data such as user and group identification, server identification, and access control information. The HP-UX Directory Server can also be extended to support your entire enterprise with a global directory service that enables centralised management of all enterprise resource information. |
| » Kerberos Server | Kerberos Server provides key distribution facilities to implement the Kerberos authentication protocol in network-distributed enterprises. It operates with an LDAP directory, providing integrated identity management for authentication and access control. |
| » LDAP-UX | With growth, consolidation and a dynamic environment, enterprises need new technologies to manage and verify security in their IT environments. In a highly distributed environment, local processes, security practices and administration methods are often inconsistent, repetitive and difficult to audit. With LDAP-UX, enterprise IT architects can use LDAP directories as one tool to help unify and simplify many of these practices. |
| » PAM Kerberos | PAM Kerberos provides transparent Kerberos login support for HP-UX. |
| » PAM RADIUS | PAM RADIUS provides RADIUS-based authentication for HP-UX. It can be used to achieve two-factor authentication for HP-UX login. |
| » Kerberos Client | HP-UX provides Kerberos Client software, including libraries, header files and utilities, for implementing secured client/server applications. |

