
Let's consider the typical scenario of a Web application that has a web server, application server and database server. All servers are located in different network zones separated by firewalls.

From the security point of view, is it possible to install all three servers as Solaris 10 zones on the same physical server?

Do Solaris zones have security mechanisms to isolate servers, to make sure that a compromised Web server could not affect the other servers?

tech4505

3 Answers

5

There are without doubt security mechanisms in place to isolate non-global zones from each other, as this is actually how zones were implemented by design.

Excerpt from Introduction to Oracle® Solaris Zones:

A process assigned to a zone can manipulate, monitor, and directly communicate with other processes that are assigned to the same zone. The process cannot perform these functions with processes that are assigned to other zones in the system or with processes that are not assigned to a zone. Processes that are assigned to different zones are only able to communicate through network APIs.

There is no known mechanism I'm aware of for a process running in a ngz, even as root, to access or compromise another zone's data unless, of course, a communication channel has been purposely put in place, like sharing a folder or communicating through the network. This would also be the case with physically separate servers, though.

A ngz might affect another zone's performance, even leading to denial of service if both are sharing the same underlying resources like CPU, memory, disk, network, and so on. This can be overcome by dedicating, capping or fairly scheduling these resources.

On the other hand, a process running in the global zone has by default some visibility into every non-global zone under it. That's the reason why you generally shouldn't install anything non-administrative in the global zone.

You can, in addition to the standard mechanisms, enable mandatory access control with Solaris Trusted Extensions. These extensions use labels to classify zones, files, networks, and devices, and enforce authorization of the requested operations.

Another way to hide what is running inside zones from the global zone is to instantiate them as kernel zones. You'll need Solaris 11.2 or newer for that.

Note that Solaris 10 is eleven years old. You might want to switch to Solaris 11, which has many enhancements. In addition to the previously mentioned kernel zones, you might be interested in Immutable zones, which add a new layer of protection against attacks, and in the improvements introduced in Solaris 11 Trusted Extensions.

jlliagre
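
As an added illustration of the resource-capping and network-separation points above (this is not code from the question, from any of the answers, or from Oracle), the following POSIX shell script builds zonecfg(1M) command files for three non-global zones, one per tier, on a single host. Each zone gets a CPU cap and a memory cap so a runaway or compromised tier cannot starve the others, an exclusive-IP VNIC on its own etherstub so the tiers share no layer-2 segment, and a reduced privilege limit. It assumes Solaris 11 (VNICs and etherstubs via dladm are not available on the Solaris 10 of the question); the zone names, paths, link names, limit values and the dropped privilege are assumptions chosen for the example. On a host without zonecfg the script only prints the commands it would apply.

```shell
#!/bin/sh
# Added example, not the question's or answers' code. Generates and applies
# zonecfg command files for three capped, exclusive-IP zones (web, app, db).
# All names and numbers below are assumptions for illustration.

ZONE_ROOT=/zones          # assumed base directory for zone roots
ROLES="web app db"

# Per-role resource limits: "ncpus physical-memory swap locked-memory".
# Returns non-zero for an unknown role so that no zone can be built
# without caps by accident.
limits_for() {
    case "$1" in
        web) echo "2 2g 4g 256m" ;;
        app) echo "4 4g 8g 512m" ;;
        db)  echo "4 8g 16g 1g" ;;
        *)   return 1 ;;
    esac
}

# Print the zonecfg command list for one role on stdout.
# FSS scheduling plus capped-cpu/capped-memory bound what the zone can
# consume; ip-type=exclusive gives it its own IP stack on link <role>0;
# limitpriv removes net_rawaccess (assumed unnecessary for these tiers).
zone_config() {
    role=$1
    lim=$(limits_for "$role") || return 1
    set -- $lim
    cat <<EOF
create
set zonepath=$ZONE_ROOT/$role
set autoboot=true
set scheduling-class=FSS
set ip-type=exclusive
add net
set physical=${role}0
end
add capped-cpu
set ncpus=$1
end
add capped-memory
set physical=$2
set swap=$3
set locked=$4
end
set limitpriv=default,!net_rawaccess
verify
commit
EOF
}

# Create the per-tier etherstub and VNIC, then apply the configuration.
# One etherstub per tier means any traffic between tiers must cross a
# routing/filtering hop, which is what separates the tiers on the wire.
apply_zone() {
    role=$1
    if command -v zonecfg >/dev/null 2>&1; then
        dladm create-etherstub "${role}stub0" || return 1
        dladm create-vnic -l "${role}stub0" "${role}0" || return 1
        tmp=$(mktemp) || return 1
        zone_config "$role" > "$tmp" && zonecfg -z "$role" -f "$tmp"
        rc=$?
        rm -f "$tmp"
        return $rc
    fi
    echo "# zonecfg not available on this host; commands for zone '$role':"
    zone_config "$role"
}

for role in $ROLES; do
    apply_zone "$role" || exit 1
done
```

The script deliberately does not connect the three etherstubs to each other: reproducing the "separated by firewalls" topology of the question means adding a routing hop (a dedicated router zone, or the global zone with IP forwarding and a packet filter) with one VNIC on each stub and explicit rules for the few flows the tiers need. Resource caps address the denial-of-service concern between zones; they do nothing about the shared kernel, which remains the one component all three zones trust in common.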
4

Solaris 10 has a Common Criteria evaluation at EAL4+ of the Labelled Security Protection Profile. That separation is provided by Zones. Zones were designed to provide exactly this separation when deployed in the Trusted Extensions configuration. The original question describes a pretty much classic use case for Solaris Trusted Extensions, and there are many such deployments worldwide as "network guards" to safely span networks at differing classifications.

1

The answer is kinda yes and kinda no. Zones rely on the same kernel running on the hosting LDOM or the physical server. If the kernel gets breached, all of them are hosed. But as far as server roles are concerned, you can say that they are isolated, provided you did your networking setup due diligence really well.

In an ideal world, you do not resort to this setup. You generally combine all web servers into the same LDOM or physical server, all app servers and all DB servers. And scale horizontally. Say you need more horsepower for your app servers, you add another LDOM or physical server and redistribute the app server load around. Same with web or more than likely DB servers.

MelBurslan