Configuring Trusted Network Databases (Task Map)
Trusted Extensions software includes the tnrhtp and tnrhdb databases. These databases provide
labels for remote hosts that contact the system. The Solaris Management Console provides
the GUI that you use to administer these databases.
How to Determine If You Need Site-Specific Security Templates
Before You Begin
You must be in the Security Administrator role in the global zone.
- Familiarize yourself with the Trusted Extensions templates.
Read the tnrhtp file on a local host. The comments in the file are
helpful. You can also view the security attribute values in the Security Templates
tool in the Solaris Management Console.
The default templates match any installation. The label range for each template is ADMIN_LOW to ADMIN_HIGH.
The cipso template defines a CIPSO host type whose DOI is 1. The label range for the template is ADMIN_LOW to ADMIN_HIGH.
The admin_low template defines an unlabeled host whose DOI is 1. The template's default label is ADMIN_LOW. The label range for the template is ADMIN_LOW to ADMIN_HIGH. In the default configuration, the address 0.0.0.0 is assigned to this template. Therefore, all non-CIPSO hosts are treated as hosts that operate at the ADMIN_LOW security label.
- Keep the default templates.
For support purposes, do not delete or modify the default templates. You can
change the host that is assigned these default templates. For an example, see
How to Limit the Hosts That Can Be Contacted on the Trusted Network.
- Create new templates if you want to do any of the following:
Limit the label range of a host or a group of hosts.
Create a single-label host.
Create a host that recognizes a few discrete labels.
Use a different DOI than 1.
Require a default label for unlabeled hosts that is not ADMIN_LOW.
For details, see How to Construct a Remote Host Template.
How to Open the Trusted Networking Tools
Before You Begin
You must be in the global zone in a role that can
modify network security. For example, roles that are assigned the Information Security or
Network Security rights profile can modify security settings. The Security Administrator role includes these
profiles.
To use the LDAP toolbox, you must have completed Configuring the Solaris Management Console for LDAP (Task Map).
- Start the Solaris Management Console.
For details, see Initialize the Solaris Management Console Server in Trusted Extensions.
- Use the appropriate tool.
To modify a template, use the Security Templates tool.
All currently defined templates display in the right pane. When you select or create a template, online help is available in the left pane.
To assign a host to a template, use the Security Templates tool.
To create a host that can be assigned to a template, use the Computers and Networks tool.
To assign a label to a zone, use the Trusted Network Zones tool. For more information about zones in Trusted Extensions, see Chapter 16, Managing Zones in Trusted Extensions (Tasks).
How to Construct a Remote Host Template
Before You Begin
You must be in the global zone in a role that can
modify network security. For example, roles that are assigned the Information Security or
Network Security rights profiles can modify security settings. The Security Administrator role includes these
profiles.
- In the Solaris Management Console, navigate to the Security Templates tool.
See How to Open the Trusted Networking Tools for the steps.
- Under Computers and Networks, double-click Security Templates.
The existing templates are displayed in the View pane. These templates describe the
security attributes for hosts that this system can contact. These hosts include CIPSO
hosts that are running Trusted Extensions and unlabeled hosts.
- Examine the cipso template.
View which hosts and which networks are already assigned this template.
- Examine the admin_low template.
View which hosts and which networks are already assigned this template.
- Create a template.
If the provided templates do not sufficiently describe the hosts that can be
in communication with this system, choose Add Template from the Action menu.
Use the online help for assistance. Before assigning hosts to the templates, create
all the templates that your site requires.
- (Optional) Modify an existing template that is not a default template.
Double-click the template, and use the online help for assistance. You can change
the assigned hosts or the assigned networks.
Example 19-1 Creating a Security Template With a Different DOI Value
In this example, the security administrator's network has a DOI whose value is
different from 1. The team that initially configured the system has completed Configure the Domain of Interpretation.
First, the security administrator confirms the value of the DOI in the
/etc/system file:
# grep doi /etc/system
set default_doi = 4
Then, in the Security Templates tool, for every template that the administrator creates,
the value of doi is set to 4. For the single-label system that
is described in Example 19-2, the security administrator creates the following template:
template: CIPSO_PUBLIC
host_type: CIPSO
doi: 4
min_sl: PUBLIC
max_sl: PUBLIC
Example 19-2 Creating a Security Template That Has a Single Label
In this example, the security administrator wants to create a gateway that can
only pass packets at a single label, PUBLIC. Using the Security Templates tool
in the Solaris Management Console, the administrator creates a template and assigns the
gateway host to the template.
First, the gateway host and IP address are added to the Computers
and Networks tool.
gateway-1
192.168.131.75
Then, the template is created in the Security Templates tool. The following are
the values in the template:
template: CIPSO_PUBLIC
host_type: CIPSO
doi: 1
min_sl: PUBLIC
max_sl: PUBLIC
The tool supplies the hexadecimal value for PUBLIC, 0X0002-08-08.
Finally, the gateway-1 host is assigned to the template by its name and
IP address.
gateway-1
192.168.131.75
On a local host, the tnrhtp entry appears similar to the following:
cipso_public:host_type=cipso;doi=1;min_sl=0X0002-08-08;max_sl=0X0002-08-08;
On a local host, the tnrhdb entry appears similar to the following:
# gateway-1
192.168.131.75:cipso_public
Example 19-3 Creating a Security Template for an Unlabeled Router
Any IP router can forward messages with CIPSO labels even though the router
does not explicitly support labels. Such an unlabeled router needs a default
label to define the level at which connections to the router, perhaps for
router management, need to be handled. In this example, the security administrator creates
a router that can forward traffic at any label, but all direct
communication with the router is handled at the default label, PUBLIC.
In the Solaris Management Console, the administrator creates a template and assigns
the gateway host to the template.
First, the router and its IP address are added to the Computers
and Networks tool.
router-1
192.168.131.82
Then, the template is created in the Security Templates tool. The following values
are in the template:
Template Name: UNL_PUBLIC
Host Type: UNLABELED
DOI: 1
Default Label: PUBLIC
Minimum Label: ADMIN_LOW
Maximum Label: ADMIN_HIGH
The tool supplies the hexadecimal value for the labels.
Finally, the router-1 router is assigned to the template by its name and
IP address.
router-1
192.168.131.82
Example 19-4 Creating a Security Template That Has a Limited Label Range
In this example, the security administrator wants to create a gateway that restricts
packets to a narrow label range. In the Solaris Management Console, the
administrator creates a template and assigns the gateway host to the template.
First, the host and its IP address are added to the Computers
and Networks tool.
gateway-ir
192.168.131.78
Then, the template is created in the Security Templates tool. The following values
are in the template:
Template Name: CIPSO_IUO_RSTRCT
Host Type: CIPSO
DOI: 1
Minimum Label: CONFIDENTIAL : INTERNAL USE ONLY
Maximum Label: CONFIDENTIAL : RESTRICTED
The tool supplies the hexadecimal value for the labels.
Finally, the gateway-ir gateway is assigned to the template by its name and
IP address.
gateway-ir
192.168.131.78
Example 19-5 Creating a Security Template That Has a Security Label Set
In this example, the security administrator wants to create a security template that
recognizes two labels only. In the Solaris Management Console, the administrator creates a
template and assigns the gateway host to the template.
First, each host and IP address that is going to use this
template is added to the Computers and Networks tool.
host-slset1
192.168.132.21
host-slset2
192.168.132.22
host-slset3
192.168.132.23
host-slset4
192.168.132.24
Then, the template is created in the Security Templates tool. The following values
are in the template:
Template Name: CIPSO_PUB_RSTRCT
Host Type: CIPSO
DOI: 1
Minimum Label: PUBLIC
Maximum Label: CONFIDENTIAL : RESTRICTED
SL Set: PUBLIC, CONFIDENTIAL : RESTRICTED
The tool supplies the hexadecimal value for the labels.
Finally, the range of IP addresses is assigned to the template by
using the Wildcard button and a prefix.
192.168.132.0/17
Example 19-6 Creating an Unlabeled Template at the Label PUBLIC
In this example, the security administrator allows a subnetwork of Solaris systems to
have the PUBLIC label in the trusted network. The template has the following
values:
Template Name: public
Host Type: Unlabeled
Default Label: Public
Minimum Label: Public
Maximum Label: Public
DOI: 1
Wildcard Entry: 10.10.0.0
Prefix: 16
All systems on the 10.10.0.0 subnetwork are handled at the label PUBLIC.
Example 19-7 Creating a Labeled Template for Developers
In this example, the security administrator creates a SANDBOX template. This template is
assigned to systems that are used by developers of trusted software. The two
systems that are assigned this template create and test labeled programs. However, their
tests do not affect the other labeled systems, because the label SANDBOX is
disjoint from the other labels on the network.
Template Name: cipso_sandbox
Host Type: CIPSO
Minimum Label: SANDBOX
Maximum Label: SANDBOX
DOI: 1
Hostname: DevMachine1
IP Address: 196.168.129.129
Hostname: DevMachine2
IP Address: 196.168.129.102
The developers who use these systems can communicate with each other at the
label SANDBOX.
How to Add Hosts to the System's Known Network
The Computers tool in the Solaris Management Console is identical to the
Computers tool in the Solaris OS. This procedure is provided here for your
convenience. After the hosts are known, you then assign the hosts to a
security template.
Before You Begin
You must be an administrator who can manage networks. For example, roles
that include the Network Management or System Administrator rights profiles can manage networks.
- In the Solaris Management Console, navigate to the Computers tool.
For details, see How to Open the Trusted Networking Tools.
- In the Computers tool, confirm that you want to view all computers on
the network.
- Add a host that this system can contact.
You must add every host that this system might contact, including any static
routers and any audit servers.
- From the Action menu, choose Add Computer.
- Identify the host by name and IP address.
- (Optional) Provide additional information about the host.
- To add the host, click Apply.
- When the entries are complete, click OK.
- Add a group of hosts that this system can contact.
Use the online help to add groups of hosts by using a network
IP address.
How to Assign a Security Template to a Host or a Group of Hosts
Before You Begin
You must be in the Security Administrator role in the global zone.
All hosts that you want to assign to a template must exist
in the Computers and Networks tool. For details, see How to Add Hosts to the System's Known Network.
- In the Solaris Management Console, navigate to the Security Templates tool.
For details, see How to Open the Trusted Networking Tools.
- Double-click the appropriate template name.
- Click the Hosts Assigned to Template tab.
- To assign the template to a single host, do the following:
- In the Hostname field, type the host's name.
- In the IP Address field, type the host's address.
- Click the Add button.
- To save your changes, click OK.
- To assign a template to a group of hosts with contiguous addresses, do
the following:
- Click Wildcard.
- In the IP Address field, type the IP address.
- In the Prefix field, type the prefix that describes the group of contiguous
addresses.
- Click the Add button.
- To save your changes, click OK.
Example 19-8 Adding an IPv4 Network as a Wildcard Entry
In the following example, a security administrator assigns several IPv4 subnetworks to the
same security template. In the Hosts Assigned to Template tab, the administrator adds
the following wildcard entries:
IP Address: 192.168.113.0
IP address: 192.168.75.0
Example 19-9 Adding a List of IPv4 Hosts as a Wildcard Entry
In the following example, a security administrator assigns contiguous IPv4 addresses that are
not along octet boundaries to the same security template. In the Hosts Assigned
to Template tab, the administrator adds the following wildcard entries:
IP Address: 192.168.113.100
Prefix Length: 25
This wildcard entry covers the address range 192.168.113.0 to 192.168.113.127, which
includes 192.168.113.100.
Example 19-10 Adding a List of IPv6 Hosts as a Wildcard Entry
In the following example, a security administrator assigns contiguous IPv6 addresses to the
same security template. In the Hosts Assigned to Template tab, the administrator adds
the following wildcard entries:
IP Address: 2001:a08:3903:200::0
Prefix Length: 56
This wildcard entry covers the address range 2001:a08:3903:200::0 to 2001:a08:3903:2ff:ffff:ffff:ffff:ffff, which
includes 2001:a08:3903:201:20e:cff:fe08:58c.
How to Limit the Hosts That Can Be Contacted on the Trusted Network
This procedure protects labeled hosts from being contacted by arbitrary unlabeled hosts. When
Trusted Extensions is installed, the default admin_low template covers every host on the network.
Use this procedure to enumerate the specific unlabeled hosts that the system can contact instead.
The local tnrhdb file on each system is used to contact the network
at boot time. By default, every host that is not provided with a
CIPSO template is defined by the admin_low template. This template assigns every system
that is not otherwise defined (0.0.0.0) to be an unlabeled system with
the default label of admin_low.
Caution - The default admin_low template can be a security risk on a Trusted
Extensions network. If site security requires strong protection, the security administrator can remove the
0.0.0.0 wildcard entry after the system is installed. The entry must be replaced
with entries for every host that the system contacts during boot.
For example, DNS servers, home directory servers, audit servers, broadcast and multicast addresses,
and routers must be in the local tnrhdb file after the 0.0.0.0 wildcard entry
is removed.
If an application initially recognizes clients at the host address 0.0.0.0, then you
must add the 0.0.0.0/32:admin_low host entry to the tnrhdb database. For example, to receive
initial connection requests from potential Sun Ray clients, Sun Ray servers must include
this entry. Then, when the server recognizes the clients, the clients are provided
an IP address and connected as CIPSO clients.
Before You Begin
You must be in the Security Administrator role in the global zone.
All hosts that are to be contacted at boot time must exist
in the Computers and Networks tool.
- In the Solaris Management Console, navigate to the Security Templates tool in
the Files scope.
The Files scope protects the system during boot. To access the Security Templates
tool, see How to Open the Trusted Networking Tools.
- Modify the hosts that are assigned to the admin_low template.
- Double-click the admin_low template.
Every host that is added can be contacted during boot at the label
ADMIN_LOW.
- Click the Hosts Assigned to Template tab.
Every host that is added can be contacted during boot at the label
ADMIN_LOW.
- Add each unlabeled host that must be contacted at boot time.
For details, see How to Assign a Security Template to a Host or a Group of Hosts.
Include every on-link router that is not running Trusted Extensions, through which this
host must communicate.
- Add the ranges of hosts that must be contacted at boot time.
- Remove the 0.0.0.0 entry.
- Modify the hosts that are assigned to the cipso template.
- Double-click the cipso template.
Every host that is added can be contacted during boot.
- Click the Hosts Assigned to Template tab.
Every host that is added can be contacted during boot at the label
ADMIN_LOW.
- Add each labeled host that must be contacted at boot time.
For details, see How to Assign a Security Template to a Host or a Group of Hosts.
Include the LDAP server.
Include every on-link router that is running Trusted Extensions, through which this host must communicate.
Make sure that all network interfaces are assigned to the template.
Include broadcast addresses.
- Add the ranges of hosts that must be contacted at boot time.
- Verify that the host assignments allow the system to boot.
Example 19-11 Changing the Label of the 0.0.0.0 tnrhdb Entry
In this example, the security administrator creates a public gateway system. The administrator
removes the 0.0.0.0 entry from the admin_low template and assigns the entry to
an unlabeled template that is named public. The system then recognizes any system that
is not listed in its tnrhdb file as an unlabeled system with the
security attributes of the public security template.
The following describes an unlabeled template that was created specifically for public gateways.
Template Name: public
Host Type: Unlabeled
Default Label: Public
Minimum Label: Public
Maximum Label: Public
DOI: 1
Example 19-12 Enumerating Computers to Contact During Boot in the tnrhdb Database
The following example shows the local tnrhdb database with entries for an LDAP
client with two network interfaces. The client communicates with another network and with
routers.
127.0.0.1:cipso Loopback address
192.168.112.111:cipso Interface 1 of this host
192.168.113.111:cipso Interface 2 of this host
10.6.6.2:cipso LDAP server
192.168.113.6:cipso Audit server
192.168.112.255:cipso Subnet broadcast address
192.168.113.255:cipso Subnet broadcast address
192.168.113.1:cipso Router
192.168.117.0:cipso Another Trusted Extensions network
192.168.112.12:public Specific network router
192.168.113.12:public Specific network router
224.0.0.2:public Multicast address
255.255.255.255:admin_low Broadcast address
Example 19-13 Making the Host Address 0.0.0.0 a Valid tnrhdb Entry
In this example, the security administrator configures a Sun Ray server to accept
initial connection requests from potential clients. The server is using a private topology
and is using the defaults:
# utadm -a bge0
First, the administrator determines the Solaris Management Console domain name:
SMCserver # /usr/sadm/bin/dtsetup scopes
Getting list of managable scopes...
Scope 1 file:/machine1.ExampleCo.COM/machine1.ExampleCo.COM
Then, the administrator adds the entry for client initial connection to the Sun
Ray server's tnrhdb database. Because the administrator is testing, the default wildcard address
is still used for all unknown addresses:
SunRayServer # /usr/sadm/bin/smtnrhdb \
add -D file:/machine1.ExampleCo.COM/machine1.ExampleCo.COM \
-- -w 0.0.0.0 -p 32 -n admin_low
Authenticating as user: root
Please enter a string value for: password ::
... from machine1.ExampleCo.COM was successful.
After this command, the tnrhdb database appears similar to the following. The entry
that the smtnrhdb command added is the 0.0.0.0/32 line:
## tnrhdb database
## Sun Ray server address
192.168.128.1:cipso
## Sun Ray client addresses on 192.168.128 network
192.168.128.0/24:admin_low
## Initial address for new clients
0.0.0.0/32:admin_low
## Default wildcard address
0.0.0.0:admin_low
Other addresses to be contacted at boot
# tnchkdb -h /etc/security/tsol/tnrhdb
After this phase of testing succeeds, the administrator makes the configuration more secure
by removing the default wildcard address, checks the syntax of the tnrhdb database,
and tests again. The final tnrhdb database appears similar to the following:
## tnrhdb database
## Sun Ray server address
192.168.128.1:cipso
## Sun Ray client addresses on 192.168.128 network
192.168.128.0/24:admin_low
## Initial address for new clients
0.0.0.0/32:admin_low
## 0.0.0.0:admin_low - no other systems can enter network at admin_low
Other addresses to be contacted at boot
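To show how the template and host entries from the examples in this chapter combine at lookup time, the following Python model is added here; it is not Solaris code. It parses tnrhtp lines in the page's name:key=value; syntax and tnrhdb lines in address[/prefix]:template syntax, computes the range a wildcard entry covers (Examples 19-9 and 19-10), resolves a peer address to its template by longest-prefix match, checks a label against the template's range and SL set, and shows what removing the bare 0.0.0.0 wildcard does to unknown hosts. The label ordering, the sample entries and the def_label and sl_set keywords are assumptions; the Solaris fallback matching for prefix-less addresses such as 192.168.117.0 is not modelled.

```python
import ipaddress
# Constructed linear label order (real Trusted Extensions labels form a lattice).
RANK = {name: i for i, name in enumerate(["ADMIN_LOW", "PUBLIC",
        "CONFIDENTIAL : INTERNAL USE ONLY", "CONFIDENTIAL : RESTRICTED", "ADMIN_HIGH"])}
# Constructed tnrhtp entries in the page's name:key=value; syntax. Label names stand in
# for the hex encodings the tool writes; the def_label and sl_set keywords are assumed.
TNRHTP = """\
cipso:host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;
admin_low:host_type=unlabeled;doi=1;def_label=ADMIN_LOW;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;
cipso_public:host_type=cipso;doi=1;min_sl=PUBLIC;max_sl=PUBLIC;
cipso_pub_rstrct:host_type=cipso;doi=1;min_sl=PUBLIC;max_sl=CONFIDENTIAL : RESTRICTED;sl_set=PUBLIC,CONFIDENTIAL : RESTRICTED;
"""

# Constructed tnrhdb (address[/prefix]:template); bare 0.0.0.0 is the default wildcard.
TNRHDB = """\
192.168.131.75:cipso_public
192.168.113.100/25:cipso_pub_rstrct
2001:a08:3903:200::0/56:cipso
0.0.0.0/32:admin_low
0.0.0.0:admin_low
"""

def parse_tnrhtp(text):
    # template name -> attribute dict; sl_set becomes a list of label names
    templates = {}
    for line in filter(str.strip, text.splitlines()):
        name, attrs = line.split(":", 1)
        templates[name] = dict(kv.split("=", 1) for kv in attrs.split(";") if kv)
        if "sl_set" in templates[name]:
            templates[name]["sl_set"] = templates[name]["sl_set"].split(",")
    return templates

def parse_tnrhdb(text):
    # list of (network, template); a bare address is one host, bare 0.0.0.0 is /0
    entries = []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line:
            addr, template = line.rsplit(":", 1)   # rsplit: IPv6 addresses contain ':'
            cidr = "0.0.0.0/0" if addr == "0.0.0.0" else addr
            entries.append((ipaddress.ip_network(cidr, strict=False), template))
    return entries

def wildcard_range(entry):
    # first and last address a prefix wildcard covers (Examples 19-9 and 19-10)
    net = ipaddress.ip_network(entry, strict=False)
    return str(net.network_address), str(net.broadcast_address)

def resolve(ip, entries):
    # longest-prefix match; None means the peer is unknown and its packets are dropped
    addr = ipaddress.ip_address(ip)
    hits = [(n.prefixlen, t) for n, t in entries if n.version == addr.version and addr in n]
    return max(hits)[1] if hits else None

def accept_label(ip, label, entries, templates):
    # may this system exchange a packet at `label` with the peer at `ip`?
    t = templates.get(resolve(ip, entries))
    if t is None:
        return False
    if t["host_type"] == "unlabeled":   # direct traffic is handled at the default label
        return label == t["def_label"]
    in_range = RANK[t["min_sl"]] <= RANK[label] <= RANK[t["max_sl"]]
    return in_range and ("sl_set" not in t or label in t["sl_set"])

def without_default_wildcard(entries):
    # the hardening step of "How to Limit the Hosts": drop the bare 0.0.0.0 entry
    return [(n, t) for n, t in entries if n.prefixlen != 0]
```

After without_default_wildcard, an address with no entry resolves to None, while the literal 0.0.0.0/32 host entry of Example 19-13 still resolves.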