Assigning Security Attributes to Remote Hosts and Network Gateways

Each site's Security Administrator decides which hosts should be allowed to communicate with the Trusted Solaris system and the security attributes of the hosts. The Security Administrator role uses the Security Families tool in the Solaris Management Console to assign security attributes to hosts by means of templates.

Templates can be assigned directly to a host or indirectly through a wildcard entry that assigns a template to a network address that includes the host. If a host does not have a template assigned either directly or indirectly, no communications can get through. Computers (hosts or routers) that share the same template are considered to be part of the same security family.

Optionally, the SMC Interface Manager tool can be used to assign security attributes to network interfaces, but doing so is useful only in limited circumstances when the defaults are not acceptable:

• To limit the range of labels at which communications are allowed through a network interface, the Security Administrator role can set a restricted label range. The default label range is ADMIN_LOW to ADMIN_HIGH.

• If it is desirable to be able to leave certain fields empty in a single template assigned to one computer or to a group of computers that is accessed through the same network interface, the Security Administrator can specify the values in an entry that applies to that network interface.

  The entries assigned to network interfaces are looked at only if certain fields are left empty in the template assigned to a computer. If a value is not found either in the template that covers the host or in an entry that applies to the interface through which the remote computer is accessed, then a set of default values is applied.

Before assigning templates, the Security Administrator role should do the following:

• Review the existing templates.

  • Choose View->Details from the Security Families tool, which displays some of the values specified for each template.

  • Use the Security Families tool to bring up the Template Manager dialog box, select each template in turn and view its contents.

• Decide which templates should be used for each host and network.

• Modify existing templates or create any new templates needed for the site.

Setting Up Templates

Before assigning templates to hosts, have the following information available:

• A list of the available templates.

• A list of all the hosts and networks with which the hosts in the Trusted Solaris network are allowed to communicate.

Make the following decisions before starting:

• Decide which security attributes to apply to each host.

• Decide whether you can use existing templates or must modify them.