Trusted Solaris Administrator's Procedures

Managing Trusted Networking (Tasks)

To Open the Security Families Tool

  1. Assume the Security Administrator role and go to an ADMIN_LOW workspace.

  2. Bring up the Solaris Management Console and load the Trusted Solaris Management Console in the appropriate name service scope.

  3. Click the Trusted Solaris Configuration to open its list of tools.

  4. Click the Computers and Networks tool and enter a password when prompted.

  5. Double-click the Security Families tool.

    All currently defined templates are displayed in the right-hand pane. Refer to the online help.

To Construct Templates for Hosts

  1. In the Security Administrator role, open the Security Families tool.

    See "To Open the Security Families Tool" for the steps in detail.

  2. To modify an existing template, double-click the name of a template, then choose Action --> Properties.

    The Modify Template dialog displays with the name of the currently-selected template at its top.

  3. To add a new template, choose Action --> Add Template.

    Refer to the online help when adding a template.


    Caution -

    When creating a new template, do not forget to change the Default Label. The Default Label in the default template is ADMIN_LOW, and normal users cannot work at that label.


  4. Supply the desired values in the tabs in the Template Manager.

    Refer to the online help for assistance.

  5. Click OK when done.

To Assign Templates to Hosts

  1. In the Security Administrator role, open the Security Families tool.

    See "To Open the Security Families Tool" for the steps in detail.

  2. To change the assignment of a computer or network to a template, double-click the name of the ALL template.

    All computers and networks that are currently in the ALL family display in the right hand pane.

  3. Double-click the icon for the computer or network, then choose Action --> Properties.

    The Modify Remote Host Entry dialog displays with the IP address of the network or computer at its top.

  4. Supply the desired values in the fields in the Template Manager, and click OK.

  5. To assign an existing template to a computer or network, double-click the name of a template.

    All computers currently defined in the same Security Family display in the right hand pane.

  6. Choose Action --> Add Host.

    The New Remote Host Entry dialog displays.

  7. Type in either the Hostname or the IP Address for any computer or network to which the template should be assigned.

    If a Hostname is entered, when you click the Load button the IP address is looked up. If an IP Address is entered, then the hostname is looked up. The IP Address field accepts any valid IPv4 or IPv6 address for the computer or network.

  8. Type in an optional Prefix Length that indicates the length of the network portion of the address.

  9. Choose the name of a template from the Template pull-down menu.

  10. Click OK.

To Create a Wildcard Entry for Remote Hosts

  1. In the Security Administrator role, open the Security Families tool.

    See "To Open the Security Families Tool" for the steps in detail.

  2. Double-click the ALL template.

  3. Choose Action --> Add host(s).

  4. Click Wildcard, then give an IP address that ends in a zero (0).

    For example, 192.168.0.0 or 192.168.113.0.

  5. Assign an existing template to it.


    Caution -

    The wildcard entry allows any host on the wildcard's network to communicate with this system at the label of the assigned template.


To Change the tnd Polling Interval

By default, the tnd polls the trusted network databases every 2 minutes. The default for name service database polling is 30 minutes. You may want to change the tnd polling interval to match the name service interval once the network is up and running, and you have added all the templates and hosts.

  1. Assume the Security Administrator role and go to an ADMIN_LOW workspace.

  2. Open the Admin Editor from the System_Admin folder in the Application Manager, and edit the /etc/init.d/inetsvc file.

  3. Find the 120-second polling interval, and change it to 1800 or another reasonable value.

To Replace the 0.0.0.0 Entry in the Local Tnrhdb File

The local tnrhdb(4) file on each computer is used to contact the network at boot time. For greater security, you can remove the 0.0.0.0 wildcard entry. However, you must replace it with every remote address that the host contacts at boot time.

  1. In the Security Administrator role, open the Security Families tool in the Files scope.

    See "To Open the Security Families Tool" for the steps in detail.

  2. Double-click ALL, then select 0.0.0.0.

  3. If you know all machines that this computer contacts, remove the wildcard entry by choosing Edit --> Delete.

  4. To replace the wildcard entry, the following entries must be in the /etc/hosts or /etc/inet/ipnodes file, and in the tnrhdb database.

    • An entry for this system, the name service master, and the loopback address, 127.0.0.1

      The install team added these entries during configuration.

    • An entry for every local IP address

      The install team should have added these entries during configuration.

    • One or more router entries

      If the name service client is a router, list all the routers with which it needs to communicate during boot. Include broadcast addresses.

      If the name service client is not a router, create a fallback network entry, such as 192.168.113.0.

    1. For a router, make the following entries by clicking Add --> Host(s).

      Make sure all network interfaces are in the file. For example,


      Host Name:  trusted-gw
      IP Address: 192.168.112.111
      Template: tsol
      

      Host Name:  trusted
      IP Address: 192.168.113.111
      Template: tsol
      

      Make an entry for every router that this host communicates with. This is most easily done when the network uses static routing. For example,


      Host Name:  gateway-2
      IP Address: 192.168.112.12
      Template: unclassified
      

      Host Name:  gateway-3
      IP Address: 192.168.113.12
      Template: unclassified
      

      Make an entry for every broadcast and multicast address. For example,


      Host Name:  broadcast
      IP Address: 255.255.255.255
      Template: admin_low
      

      Host Name:  multicast
      IP Address: 224.0.0.2
      Template: admin_low
      

      Host Name:  broadcast-112
      IP Address: 192.168.112.255
      Template: tsol
      

      Host Name:  broadcast-113
      IP Address: 192.168.113.255
      Template: tsol
      

      The following shows the local tnrhdb file with entries for a name service client with two interfaces. The client communicates with another network and routers.


      192.168.112.111:tsol  Interface 1 of this system
      192.168.113.111:tsol  Interface 2
      192.168.113.5:tsol    NIS+ master
      192.168.113.6:tsol    Audit server
      192.168.113.8:tsol    Mail server
      192.168.112.255:tsol  Subnet broadcast address
      192.168.113.255:tsol  Subnet broadcast address
      127.0.0.1:tsol        Loopback address
      192.168.117.0:tsol    Another Trusted Solaris network
      192.168.112.12:unclassified  Specific network router
      192.168.113.12:unclassified  Specific network router
      224.0.0.2:unclassified       Multicast address
      255.255.255.255:admin_low    Broadcast address
      
    2. If the host being configured is not a router, click Add --> Host(s) to create a fallback entry so that the host can find its router.

      For example,


      Click the Wildcard button
      IP Address: 192.168.113.0
      Template: tsol
      

      For example, for a non-router on a dynamically configured network, the entries might look like:


      192.168.113.99:tsol          This system
      192.168.113.5:tsol           NIS+ master
      192.168.113.0:tsol           Subnet wildcard address
      127.0.0.1:tsol               Loopback address
      192.168.117.0:tsol           Another Trusted Solaris network
      224.0.0.2:unclassified       Multicast address
      255.255.255.255:admin_low    Broadcast address
      

      Note -

      If a network that has Trusted Solaris hosts is assigned a wildcard template that is not a tsol template, and the network has any tsol routers, then the administrator must assign the tsol template to the netmask entry. For example,


      192.168.112.98:tsol   This system
      192.168.112.0:confidential   Subnet wildcard address
      192.168.112.111:tsol   TSOL router
      255.255.255.255:tsol   Broadcast address
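
Both wildcard mechanisms in this chapter (a network entry whose address ends in zero, as in "To Create a Wildcard Entry for Remote Hosts", and the 0.0.0.0 fallback that this procedure removes) decide which template an otherwise unknown peer receives, so it is worth being able to answer "which template does address X get, and what breaks if I delete 0.0.0.0?" before editing the file. The following Python script is an added illustration, not Sun's tnd code or any Trusted Solaris tool. It parses a tnrhdb-style listing, resolves a peer address to a template in the assumed order exact host entry, then longest matching network wildcard, then 0.0.0.0, and lists the boot-time addresses that would be left without an entry if 0.0.0.0 were removed. The sample file is constructed from the non-router listing above, the function names are my own, IPv4 only and no explicit prefix-length suffix are handled, and the matching order is an assumption rather than something verified against tnd.

```python
"""tnrhdb lookup and boot-time coverage check (added example, not Sun code).

Assumptions: one "address:template" entry per line, text after whitespace or
'#' is ignored as a comment, IPv4 only, no explicit ":prefixlen" suffix, an
address with trailing zero octets is a network wildcard, and lookups fall
back from an exact host entry to the longest matching wildcard and finally
to the 0.0.0.0 entry (assumed order, not verified against tnd)."""
import ipaddress

# Constructed sample modelled on the non-router listing in this chapter,
# with a 0.0.0.0 fallback added so that its removal can be evaluated.
SAMPLE_TNRHDB = """\
192.168.113.99:tsol          # This system
192.168.113.5:tsol           # NIS+ master
192.168.113.0:tsol           # Subnet wildcard address
127.0.0.1:tsol               # Loopback address
192.168.117.0:tsol           # Another Trusted Solaris network
224.0.0.2:unclassified       # Multicast address
255.255.255.255:admin_low    # Broadcast address
0.0.0.0:unclassified         # Fallback for every other host
"""


def parse_tnrhdb(text):
    """Return an ordered list of (IPv4Address, template name) pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, _, template = line.split()[0].partition(":")
        if not template:
            raise ValueError("entry without template: %r" % raw)
        entries.append((ipaddress.IPv4Address(addr), template))
    return entries


def wildcard_network(addr):
    """Map an entry address to the network it stands for: each trailing
    zero octet is host part, so 192.168.113.0 is /24 and 0.0.0.0 is /0.
    Returns None for a specific host address (last octet non-zero)."""
    prefix = 32
    while prefix > 0 and addr.packed[prefix // 8 - 1] == 0:
        prefix -= 8
    if prefix == 32:
        return None
    return ipaddress.IPv4Network((str(addr), prefix))


def lookup_template(entries, address):
    """Exact host entry, else the most specific matching wildcard (longest
    prefix, so a subnet entry beats 0.0.0.0), else None."""
    address = ipaddress.IPv4Address(address)
    best = None  # (prefix length, template)
    for addr, template in entries:
        if addr == address:
            return template
        net = wildcard_network(addr)
        if net is not None and address in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, template)
    return best[1] if best else None


def boot_time_check(entries, local_addrs, boot_peers=()):
    """Before the 0.0.0.0 wildcard is removed, find the addresses this host
    needs at boot that only the wildcard currently covers: loopback, the
    limited broadcast, each local interface, and the caller's boot-time
    peers (name service master, routers, subnet broadcasts).
    Returns (wildcard_present, uncovered_addresses)."""
    without_zero = [(a, t) for a, t in entries if str(a) != "0.0.0.0"]
    wildcard_present = len(without_zero) != len(entries)
    required = ["127.0.0.1", "255.255.255.255", *local_addrs, *boot_peers]
    uncovered = [a for a in required
                 if lookup_template(without_zero, a) is None]
    return wildcard_present, uncovered


if __name__ == "__main__":
    db = parse_tnrhdb(SAMPLE_TNRHDB)
    print(lookup_template(db, "10.1.2.3"))      # unclassified, via 0.0.0.0
    print(boot_time_check(db, ["192.168.113.99"],
                          ["192.168.113.5", "192.168.112.12"]))
```

Run against the sample, the check reports that 192.168.112.12 (a router on the other subnet) is reachable only through the 0.0.0.0 fallback, which is exactly the kind of address step 4 says must be added explicitly before the wildcard is deleted.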
      


Example -- Changing the Label of the 0.0.0.0 Tnrhdb Entry

You may want to give the 0.0.0.0 tnrhdb(4) entry a different unlabeled template, such as the unclassified template from the default set of templates. The system then recognizes any computer not otherwise listed in its tnrhdb file as an unlabeled machine at the label unclassified. Choose Action --> Properties from the menu when 0.0.0.0 is selected to change the assigned template.

Many sites create an unlabeled template specifically for gateways, and assign the gateway template to all gateway systems. The following is an unlabeled template specifically for gateways,


unlab_gateway:host_type=unlabeled;\
def_label=[0x00010000000000000000000000000000000000000000000000000000000000000000];\
def_cl=0x00010000000000000000000000000000000000000000000000000000000000000000;\
forced_privs=empty;\
min_sl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
max_sl=0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;\
doi=0;\
ip_label=none;\
ripso_label=empty;\
ripso_error=empty;

The backslashes above are for ease of reading. See "To Construct Templates for Hosts" for how to construct a template, and then assign it to the 0.0.0.0 wildcard.
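
Because every computer not listed in tnrhdb is treated at the default label of whatever template 0.0.0.0 carries, the template definition deserves a second look before it is assigned. The following Python script is an added illustration, not part of the Trusted Solaris tools: it parses tnrhtp-style template entries such as the unlab_gateway definition above (joining the backslash-continued lines) and checks that the template named for the 0.0.0.0 wildcard exists, is an unlabeled template, and carries a def_label. The sample definitions are constructed, with the long hexadecimal label values shortened for readability, the function names are my own, and the 0.0.0.0 assignment is passed in as a plain mapping rather than re-parsing tnrhdb.

```python
"""tnrhtp template parsing and 0.0.0.0 assignment check (added example,
not Sun code).

Assumptions: a template is "name:key=value;key=value;..." possibly split
over backslash-continued lines, '#' starts a comment, bracketed values such
as def_label=[0x...] are unwrapped, and the wildcard assignment is given as
{address: template_name}."""

# Constructed sample: the gateway template from this chapter plus a labeled
# template; hex label values are shortened and are not real encodings.
SAMPLE_TNRHTP = r"""
# unlabeled template for the 0.0.0.0 wildcard
unlab_gateway:host_type=unlabeled;\
def_label=[0x00010000000000000000];\
def_cl=0x00010000000000000000;\
forced_privs=empty;\
min_sl=0x00000000000000000000;\
max_sl=0x7fffffffffffffffffff;\
doi=0;\
ip_label=none;\
ripso_label=empty;\
ripso_error=empty;
tsol:host_type=tsol;min_sl=0x00000000000000000000;max_sl=0x7fffffffffffffffffff;doi=0;
"""


def parse_tnrhtp(text):
    """Return {template_name: {attribute: value}}."""
    logical = []  # one complete entry per element
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        if not stripped:
            continue
        if logical and logical[-1].endswith("\\"):
            # previous line ended in a backslash: this line continues it
            logical[-1] = logical[-1][:-1] + stripped
        else:
            logical.append(stripped)
    templates = {}
    for entry in logical:
        name, _, body = entry.rstrip("\\").partition(":")
        attrs = {}
        for field in filter(None, body.split(";")):
            key, _, value = field.partition("=")
            attrs[key.strip()] = value.strip().strip("[]")
        templates[name.strip()] = attrs
    return templates


def check_wildcard_template(templates, assignments, wildcard="0.0.0.0"):
    """Problems with the template given to the fallback wildcard. An absent
    wildcard is not reported: removing it is the more restrictive setup
    described earlier in this chapter."""
    problems = []
    name = assignments.get(wildcard)
    if name is None:
        return problems
    attrs = templates.get(name)
    if attrs is None:
        return ["%s is assigned to undefined template %r" % (wildcard, name)]
    if attrs.get("host_type") != "unlabeled":
        problems.append("template %r has host_type=%s, expected unlabeled"
                        % (name, attrs.get("host_type")))
    if not attrs.get("def_label"):
        problems.append("template %r has no def_label, so unknown hosts "
                        "have no label to be treated at" % name)
    return problems


if __name__ == "__main__":
    tpl = parse_tnrhtp(SAMPLE_TNRHTP)
    print(check_wildcard_template(tpl, {"0.0.0.0": "unlab_gateway"}))  # []
    print(check_wildcard_template(tpl, {"0.0.0.0": "tsol"}))  # two problems
```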

To Configure a Network Interface

  1. If adding a new interface, insert the network interface card, following the hardware and software installation steps in the guides shipped with the interface.

    The interface installation program installs a new device file called hostname.device_abbreviation in /etc.

  2. For a host with more than one network interface, do the configuration either for a router or for a multihomed host, as described in the Solaris TCP/IP and Data Communications Administration Guide.

  3. If the site security policy requires other than default settings for any interfaces, change the entries in the Interface Manager.

    As described in "Understanding Security Attributes Assigned to Network Interfaces", interfaces on a computer running Trusted Solaris software are automatically detected by the trusted network software and assigned a default set of attributes. The Interface Manager shown below is used only when the security administrator role wants to change the defaults for an interface.

    The Interface Manager tool is available when Scope=Files. The default attributes for network interfaces are shown in the following screen shot.

    Figure 8-1 Interface Manager with Default Security Attributes (screen shot not reproduced here)


    Note -

    Do not change the Min SL from ADMIN_LOW unless you have explicitly defined all routes.


To Set Up Static Routes with Emetrics

  1. Assume the System Administrator role and go to an ADMIN_LOW workspace.

  2. Double-click the Set TSOL Gateways action in the System_Admin folder to open the /etc/tsolgateways file for editing.

    See the tsolgateways(4) man page for more about the syntax and use of /etc/tsolgateways. The syntax of the emetric in tsolgateways is the same as for the route command.

  3. Set up one or more default entries, if desired.

    The first entry sets up a default route through the gateway at address 192.168.113.36 with a metric of 1. It is used when no specific route is defined for the destination host or network of a packet.


    default 192.168.113.36  1
    
  4. Set up one or more network entries, if desired.

    The second line below shows a network entry set up with a standard metric. The third line shows a network entry set up with an emetric, setting a label range of PUBLIC to INTERNAL.


    default 192.168.113.36  1
    net 192.168.102.0 gateway-101 1
    net 192.168.101.0 gateway-102 -m metric=2,min_sl="PUBLIC",
    max_sl="INTERNAL"
    
  5. Set up one or more host entries, if desired.

    The new fourth line shows a host entry set up for a gateway host named trusted with an emetric setting a label range of PUBLIC to PUBLIC.


    default 192.168.113.36  1
    net 192.168.102.0 gateway-101 1
    net 192.168.101.0 gateway-102 -m metric=2,min_sl="PUBLIC",
    max_sl="INTERNAL"
    host 192.168.101.3 trusted -m metric=2,min_sl="PUBLIC",
    max_sl="PUBLIC"
    
  6. Make sure there is an entry for any destination host(s) and gateway(s) in the local /etc/hosts file, or NIS+ hosts.org_dir table.


    192.168.113.36 mynah
    
  7. Make sure there is an entry for all destination hosts, network(s) and gateway(s) in the local /etc/security/tsol/tnrhdb file.


    192.168.113.36:tsol1
    
  8. Write and quit the file.


    :wq
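
Steps 6 and 7 are easy to miss when a tsolgateways entry names a gateway by hostname: the route is only usable if the name resolves and the resolved address has a tnrhdb template. The following Python script is an added illustration, not the route command or anything from tsolgateways(4). It parses default, net and host entries with either a plain metric or a -m emetric list (metric, min_sl, max_sl) and then applies the two cross-checks. The sample file reproduces the four entries built up above, written as single lines because this chapter wraps the long ones for display (an assumption about the on-disk format); the hosts table and tnrhdb contents are constructed mappings, and the function names are my own.

```python
"""tsolgateways parsing and consistency check (added example, not Sun code).

Assumptions: an entry is "default <gateway> <metric>" or
"net|host <destination> <gateway> <metric>", where the metric may instead
be "-m key=value,key=value" with keys metric, min_sl and max_sl; an entry
occupies one line; quoted label names are plain strings; /etc/hosts and
tnrhdb contents are given as simple dicts."""
import shlex

# Constructed sample: the entries from this procedure on single lines.
SAMPLE_TSOLGATEWAYS = """\
default 192.168.113.36  1
net 192.168.102.0 gateway-101 1
net 192.168.101.0 gateway-102 -m metric=2,min_sl="PUBLIC",max_sl="INTERNAL"
host 192.168.101.3 trusted -m metric=2,min_sl="PUBLIC",max_sl="PUBLIC"
"""

# Constructed stand-ins for the /etc/hosts table and the tnrhdb entries.
SAMPLE_HOSTS = {"mynah": "192.168.113.36", "gateway-101": "192.168.102.1",
                "gateway-102": "192.168.101.1", "trusted": "192.168.101.3"}
SAMPLE_TNRHDB = {"192.168.113.36": "tsol1", "192.168.102.0": "tsol",
                 "192.168.102.1": "tsol", "192.168.101.0": "tsol",
                 "192.168.101.1": "tsol", "192.168.101.3": "tsol"}

EMETRIC_KEYS = ("metric", "min_sl", "max_sl")


def parse_route(line):
    """Return a dict for one entry, or None for a blank/comment line."""
    tokens = shlex.split(line, comments=True)  # strips quotes around labels
    if not tokens:
        return None
    kind = tokens[0]
    if kind == "default":
        dest, gateway, rest = "default", tokens[1], tokens[2:]
    elif kind in ("net", "host"):
        dest, gateway, rest = tokens[1], tokens[2], tokens[3:]
    else:
        raise ValueError("unknown route kind %r in %r" % (kind, line))
    route = {"kind": kind, "dest": dest, "gateway": gateway,
             "metric": None, "min_sl": None, "max_sl": None}
    if rest and rest[0] == "-m":
        # emetric form: comma-separated key=value list follows -m
        for option in rest[1].split(","):
            key, _, value = option.partition("=")
            if key not in EMETRIC_KEYS:
                raise ValueError("unknown emetric option %r" % key)
            route[key] = int(value) if key == "metric" else value
    elif rest:
        route["metric"] = int(rest[0])
    return route


def parse_tsolgateways(text):
    return [r for r in map(parse_route, text.splitlines()) if r is not None]


def check_routes(routes, hosts, tnrhdb):
    """Steps 6 and 7: every destination and gateway must resolve (a literal
    address or a hosts entry) and the address must have a tnrhdb entry.
    Returns a list of problem strings; empty means the file is consistent."""
    problems = []
    for r in routes:
        names = [r["gateway"]]
        if r["kind"] != "default":
            names.insert(0, r["dest"])
        for name in names:
            addr = name if name[0].isdigit() else hosts.get(name)
            if addr is None:
                problems.append("%s: no hosts entry for %s" % (r["kind"], name))
            elif addr not in tnrhdb:
                problems.append("%s: no tnrhdb entry for %s (%s)"
                                % (r["kind"], name, addr))
    return problems


if __name__ == "__main__":
    routes = parse_tsolgateways(SAMPLE_TSOLGATEWAYS)
    for r in routes:
        print(r)
    print(check_routes(routes, SAMPLE_HOSTS, SAMPLE_TNRHDB))  # []
```

Running the check with an empty tnrhdb mapping lists every address the file depends on, which doubles as the list of entries step 7 asks you to add.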
    

To Set Up Tunneling

A forwarding host is a gateway running Trusted Solaris 8 4/01, Trusted Solaris 8, Trusted Solaris 7, or Trusted Solaris 2.5.1 that is set up to tunnel through one or more gateways not running one of those releases, so that it can advertise the emetrics of its routes to the Trusted Solaris gateways on the other side.

  1. Assume the Security Administrator role on the forwarding host and go to an ADMIN_LOW workspace.

  2. Use the Admin Editor action to create or open the /etc/security/tsol/tunnel file for editing.

  3. Enter the IP address of one target (sub)network per line.

    See the following example.


    192.168.36.0
    
  4. Write and quit the file.


    :wq
    
  5. To set up two-way routing using emetrics, repeat the previous steps on the remote gateway(s), specifying the IP address for the local network.