Oracle Solaris Trusted Extensions Administrator's Procedures

Procedure: How to Limit the Hosts That Can Be Contacted on the Trusted Network

This procedure protects labeled hosts from being contacted by arbitrary unlabeled hosts. When Trusted Extensions is installed, the default admin_low template defines every host on the network. Use this procedure to enumerate the specific unlabeled hosts that the system is allowed to contact.

The local tnrhdb file on each system is used to contact the network at boot time. By default, every host that is not provided with a CIPSO template is defined by the admin_low template. This template assigns every system that is not otherwise defined (0.0.0.0) to be an unlabeled system with the default label of admin_low.


Caution –

The default admin_low template can be a security risk on a Trusted Extensions network. If site security requires strong protection, the security administrator can remove the 0.0.0.0 wildcard entry after the system is installed. The entry must be replaced with entries for every host that the system contacts during boot.

For example, DNS servers, home directory servers, audit servers, broadcast and multicast addresses, and routers must be in the local tnrhdb file after the 0.0.0.0 wildcard entry is removed.

If an application initially recognizes clients at the host address 0.0.0.0, then you must add the 0.0.0.0/32:admin_low host entry to the tnrhdb database. For example, to receive initial connection requests from potential Sun Ray clients, Sun Ray servers must include this entry. Then, when the server recognizes the clients, the clients are provided an IP address and connected as CIPSO clients.


Before You Begin

You must be in the Security Administrator role in the global zone.

All hosts that are to be contacted at boot time must exist in the Computers and Networks tool.

  1. In the Solaris Management Console, navigate to the Security Templates tool in the Files scope.

    The Files scope protects the system during boot. To access the Security Templates tool, see How to Open the Trusted Networking Tools.

  2. Modify the hosts that are assigned to the admin_low template.

    1. Double-click the admin_low template.

    2. Click the Hosts Assigned to Template tab.

      Every host that is added can be contacted during boot at the label ADMIN_LOW.

    3. Add each unlabeled host that must be contacted at boot time.

      For details, see How to Assign a Security Template to a Host or a Group of Hosts.

      Include every on-link router that is not running Trusted Extensions, through which this host must communicate.

    4. Add the ranges of hosts that must be contacted at boot time.

    5. Remove the 0.0.0.0 entry.

  3. Modify the hosts that are assigned to the cipso template.

    1. Double-click the cipso template.

    2. Click the Hosts Assigned to Template tab.

      Every host that is added can be contacted during boot.

    3. Add each labeled host that must be contacted at boot time.

      For details, see How to Assign a Security Template to a Host or a Group of Hosts.

      • Include the LDAP server.

      • Include every on-link router that is running Trusted Extensions, through which this host must communicate.

      • Make sure that all network interfaces are assigned to the template.

      • Include broadcast addresses.

    4. Add the ranges of hosts that must be contacted at boot time.

  4. Verify that the host assignments allow the system to boot.


Example 13–11 Changing the Label of the 0.0.0.0 tnrhdb Entry

In this example, the security administrator creates a public gateway system. The administrator removes the 0.0.0.0 entry from the admin_low template and assigns the entry to an unlabeled template that is named public. The system then recognizes any system that is not listed in its tnrhdb file as an unlabeled system with the security attributes of the public security template.

The following describes an unlabeled template that was created specifically for public gateways.


Template Name: public
Host Type: Unlabeled
Default Label: Public
Minimum Label: Public
Maximum Label: Public
DOI: 1


Example 13–12 Enumerating Computers to Contact During Boot in the tnrhdb Database

The following example shows the local tnrhdb database with entries for an LDAP client with two network interfaces. The client communicates with another network and with routers.


127.0.0.1:cipso       Loopback address
192.168.112.111:cipso Interface 1 of this host
192.168.113.111:cipso Interface 2 of this host
10.6.6.2:cipso        LDAP server
192.168.113.6:cipso   Audit server
192.168.112.255:cipso Subnet broadcast address
192.168.113.255:cipso Subnet broadcast address
192.168.113.1:cipso   Router
192.168.117.0:cipso   Another Trusted Extensions network
192.168.112.12:public Specific network router
192.168.113.12:public Specific network router
224.0.0.2:public      Multicast address
255.255.255.255:admin_low Broadcast address


Example 13–13 Making the Host Address 0.0.0.0 a Valid tnrhdb Entry

In this example, the security administrator configures a Sun Ray server to accept initial connection requests from potential clients. The server is using a private topology and is using the defaults:


# utadm -a bge0

First, the administrator determines the Solaris Management Console domain name:


SMCserver # /usr/sadm/bin/dtsetup scopes
Getting list of managable scopes...
Scope 1 file:/machine1.ExampleCo.COM/machine1.ExampleCo.COM

Then, the administrator adds the entry for client initial connection to the Sun Ray server's tnrhdb database. Because the administrator is testing, the default wildcard address is still used for all unknown addresses:


SunRayServer # /usr/sadm/bin/smtnrhdb \
add -D file:/machine1.ExampleCo.COM/machine1.ExampleCo.COM \
-- -w 0.0.0.0 -p 32 -n admin_low
Authenticating as user: root

Please enter a string value for: password :: 
... from machine1.ExampleCo.COM was successful.

After this command, the tnrhdb database appears similar to the following. The entry that the smtnrhdb command added is the 0.0.0.0/32:admin_low line under "Initial address for new clients":


## tnrhdb database
## Sun Ray server address
       192.168.128.1:cipso
## Sun Ray client addresses on 192.168.128 network
       192.168.128.0/24:admin_low
## Initial address for new clients
       0.0.0.0/32:admin_low
## Default wildcard address
0.0.0.0:admin_low
Other addresses to be contacted at boot

# tnchkdb -h /etc/security/tsol/tnrhdb

After this phase of testing succeeds, the administrator makes the configuration more secure by removing the default wildcard address, checks the syntax of the tnrhdb database with tnchkdb, and tests again. The final tnrhdb database appears similar to the following:


## tnrhdb database
## Sun Ray server address
       192.168.128.1:cipso
## Sun Ray client addresses on 192.168.128 network
       192.168.128.0/24:admin_low
## Initial address for new clients
       0.0.0.0/32:admin_low
## 0.0.0.0:admin_low - no other systems can enter network at admin_low
Other addresses to be contacted at boot
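As an added illustration, not part of the Oracle documentation, the following Python checker models the tnrhdb lookup rules that the procedure above and Example 13–13 rely on: an entry with a prefix length is a network, a bare address is a single host, the bare 0.0.0.0 entry is the wildcard, and the most specific matching entry wins. That precedence model and the treatment of bare addresses are assumptions; the sample file is constructed from the Example 13–13 listing. It reports whether the wildcard is still present and which boot-time hosts would be left with no template once the wildcard is removed, which is the check that step 4 of the procedure asks for.

```python
import ipaddress

# Constructed sample, modelled on the Example 13-13 listing (not a real system's file).
SAMPLE_TNRHDB = """\
## tnrhdb database
## Sun Ray server address
       192.168.128.1:cipso
## Sun Ray client addresses on 192.168.128 network
       192.168.128.0/24:admin_low
## Initial address for new clients
       0.0.0.0/32:admin_low
## Default wildcard address
0.0.0.0:admin_low
"""


def parse_tnrhdb(text):
    """Return (network, template) pairs. Assumed semantics: a bare IPv4 address is one
    host (/32), bare 0.0.0.0 is the /0 wildcard, and 0.0.0.0/32 is the literal host
    address 0.0.0.0 that the procedure says Sun Ray servers must list."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' and '##' both start comments
        if not line:
            continue
        addr, template = line.rsplit(":", 1)  # IPv4 only; IPv6 would need a real parser
        if "/" in addr:
            net = ipaddress.ip_network(addr, strict=False)
        elif addr == "0.0.0.0":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(addr + "/32")
        entries.append((net, template.strip()))
    return entries


def lookup(entries, host):
    """Longest-prefix match: the most specific entry wins over the wildcard."""
    ip = ipaddress.ip_address(host)
    best = None
    for net, template in entries:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, template)
    return best[1] if best else None


def audit(entries, required_hosts):
    """Flag a remaining 0.0.0.0 wildcard and list required boot-time hosts that would
    have no template at all after the wildcard is removed."""
    has_wildcard = any(net.prefixlen == 0 for net, _ in entries)
    without_wildcard = [(n, t) for n, t in entries if n.prefixlen != 0]
    missing = [h for h in required_hosts if lookup(without_wildcard, h) is None]
    return {"wildcard_present": has_wildcard, "missing_after_removal": missing}
```

Run audit() with the loopback address, every interface, the LDAP and audit servers, routers and broadcast addresses as required_hosts; an empty missing list is the condition for safely deleting the wildcard.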