Trusted Solaris Administration Overview

Security Families

Network administration in the Trusted Solaris environment is based on the concept of security families, that is, treating host machines with common protocols and identical security requirements the same way. For a host to be able to communicate with other hosts on a Trusted Solaris network, you must identify its host type, that is, its networking protocol, and assign it a template of security attributes.

Host Types in Networking

Trusted Solaris classifies host types according to the networking protocols as follows:

Trusted Solaris--refers to workstations running Trusted Solaris. It uses binary representation for security attributes in the protocol.
unlabeled--refers to hosts that do not send or recognize security attributes.
TSIX--refers to hosts supporting the TSIX (RE) 1.1 (Trusted Systems Information eXchange for Restricted Environments standard). It uses the same format as Trusted Solaris hosts (see Figure 3-3) except that it uses tokens (arbitrary 32-bit numbers) rather than binary data to represent security attributes. The tokens use the security attribute token mapping protocol (SATMP).
CIPSO--refers to hosts conforming to CIPSO, TSIX (RE) 1.1. The only security attributes supported under CIPSO are the DOI (domain of interpretation) and CIPSO label.
RIPSO--refers to hosts conforming to RIPSO, as described in the IETF RFC 1108. The Trusted Solaris environment supports an administratively-set fixed RIPSO label to be applied to incoming and outgoing network packets. Although this functionality does not fully meet the RFC specifications, it supplies sufficient functionality where RIPSO labels are needed.

Note -

The TSIX, CIPSO, and RIPSO host types lie in the category of hosts running other trusted operating environments. The unlabeled host type is intended for those hosts that use the standard networking protocol and do not support security attributes.

Networking Security Attributes

The security attributes that can be specified in networking templates are:

minimum label--defines the bottom of the label range for this security family. Outgoing packets to hosts in this security family cannot be below the minimum label.
maximum label--defines the top of the label range for this security family. Outgoing packets to hosts in this security family cannot be higher than the maximum label.
default label--sets the label to be applied by default to incoming packets from hosts in this security family.
default clearance--sets the clearance to be applied by default to incoming packets from hosts in this security family.
DOI--an integer that identifies the domain of interpretation, that is, the labelling scheme used by the default label and clearance for the particular host type.
IP label--identifies type of IP label: RIPSO, CIPSO, or none. If CIPSO, the /etc/system and label_encodings files must be modified to accommodate the ADMIN_HIGH label (see the "About Security Families" help card). If RIPSO, you must specify a RIPSO label for the RIPSO Send Class
allowed privileges--can be used to restrict privileges available to remote Trusted Solaris hosts. If these hosts can use any privileges, set All; if there is a limit, specify only those privileges that can be applied.
forced privileges--sets privileges to enable a remote host, typically an unlabeled host, to perform specific functions that may override security policy.
RIPSO Send Class--used by RIPSO hosts and with RIPSO IP labels only, the classification level at which datagrams sent to a host of that template are protected. The predefined Classes are Top Secret, Secret, Confidential and Classified.
RIPSO Send PAF (protection authority flag)--used by RIPSO hosts and with RIPSO IP labels only, the bit mask identifying the protection authorities on datagrams sent to a host of that template. The predefined authorities are: GENSER, SIOP-ESIm SCI, NSA, and DOE.
RIPSO Return PAF (protection authority flag)--used by RIPSO hosts and with RIPSO IP labels only, specifies the PAF portion of the RIPSO label on ICMP error messages sent back from hosts using this template.

Networking Templates

The purpose of the Trusted Solaris networking templates is to specify the security attribute values to be applied to hosts within a security family. Not all of the security attributes are appropriate to each host type. The following table indicates how security attributes are applied to which host types. The term default means that the attribute is supplied by default. Optional means that is your choice whether to use this default. Not allowed means that any entry will be ignored. Required with or without conditions means the attribute is mandatory.

Table 3-1 Security Attributes by Host Type


Host Types --> Security Attributes	Trusted Solaris	TSIX	Unlabeled	CIPSO	RIPSO
minimum label	default	default	default	default	default
maximum label	default	default	default	default	default
default label	not allowed	not allowed	default	not allowed	default
default clearance	not allowed	not allowed	default	default	default
DOI	optional	optional	optional	optional	optional
IP label	optional	optional	optional	optional	optional
forced privileges	not allowed	not allowed	default	default	default
allowed privileges	default	default	not allowed	not allowed	not allowed
RIPSO Send Class	required if host or IP label is RIPSO	not allowed	required if host or IP label is RIPSO	not allowed	required
RIPSO Send PAF	required if host or IP label is RIPSO	not allowed	required if host or IP label is RIPSO	not allowed	required
RIPSO Return PAF	required if host or IP label is RIPSO	not allowed	required if host or IP label is RIPSO	not allowed	required

Network Configuration Databases

There are three network configuration databases for establishing external communication:

tnrhdb
tnrhtp
tnidb

These databases are loaded into the kernel and are used in accreditation checks as data is transmitted from one host to another. These databases are maintained using the Computers and Security Families dialog boxes in the SMC Computers and Networks tool and the SMC Interface Manager. Trusted Solaris can use a naming service for central management of the tnrhdb and tnrhtp databases; the tnidb database is maintained separately on each host.

Network host information is stored in the tnrhdb(4) database. It holds the IP addresses for all hosts permitted to communicate with workstations in the network and the templates (from the tnrhtp database) assigned to them. The tnrhdb database can also hold default values as part of a fallback mechanism. Substituting 0 in the rightmost byte(s) of the IP address serves as a wildcard for unlisted hosts with IP addresses that match the non-zero portion of the default. You can also set a fixed prefix length by adding a slash (/) followed by the number of fixed bits. See the following table for examples.

Table 3-2 tnrhdb Fallback Mechanisms Example


tnrhdb Entry	Addresses Covered
129.150.118.0:tsol	addresses beginning with 129.150.118.
129.150.0.0:tsol	addresses beginning with 129.150.
129.0.0.0:tsol	addresses beginning with 129.
0.0.0.0:tsol	all addresses on network
129.150.118.128/26:tsol	addresses from 129.150.118.0 to 129.150.118.63

Network template information is stored in the tnrhtp(4) database. In a homogeneous network, only one template is needed; in a heterogeneous network, you need a separate template for each type of host. The attributes in the templates provide attributes from incoming data. They also provide destination information for outgoing data and are use in accreditation checks for incoming packets.

The tnidb(4) database is local to each host. It contains the host's network interfaces with their accreditation ranges. Default values for labels, clearances, effective UIDs/GIDs, and forced privileges apply to communications to and from hosts running environments that do not support these attributes. Note that any default values set in tnrhtp override the values in tnidb. By default, the file is empty because default values are used for all interfaces.