Oracle Solaris Trusted Extensions Administrator's Procedures

Procedure: How to Construct a Remote Host Template

Before You Begin

You must be in the global zone in a role that can modify network security. For example, roles that are assigned the Information Security or Network Security rights profiles can modify security settings. The Security Administrator role includes these profiles.

  1. In the Solaris Management Console, navigate to the Security Templates tool.

    See How to Open the Trusted Networking Tools for the steps.

  2. Under Computers and Networks, double-click Security Templates.

    The existing templates are displayed in the View pane. These templates describe the security attributes for hosts that this system can contact. These hosts include CIPSO hosts that are running Trusted Extensions and unlabeled hosts.

  3. Examine the cipso template.

    View which hosts and which networks are already assigned this template.

  4. Examine the admin_low template.

    View which hosts and which networks are already assigned this template.

  5. Create a template.

    If the provided templates do not sufficiently describe the hosts that can be in communication with this system, choose Add Template from the Action menu.

    Use the online help for assistance. Before assigning hosts to the templates, create all the templates that your site requires.

  6. (Optional) Modify an existing template that is not a default template.

    Double-click the template, and use the online help for assistance. You can change the assigned hosts or the assigned networks.


Example 13–1 Creating a Security Template With a Different DOI Value

In this example, the security administrator's network has a DOI whose value is different from 1. The team that initially configured the system has completed Configure the Domain of Interpretation in Oracle Solaris Trusted Extensions Configuration Guide.

First, the security administrator confirms the value of the DOI in the /etc/system file:


# grep doi /etc/system
set default_doi = 4

Then, in the Security Templates tool, for every template that the administrator creates, the value of doi is set to 4. For the single-label system that is described in Example 13–2, the security administrator creates the following template:


template: CIPSO_PUBLIC
host_type: CIPSO
doi: 4
min_sl: PUBLIC
max_sl: PUBLIC


Example 13–2 Creating a Security Template That Has a Single Label

In this example, the security administrator wants a gateway that can pass packets at a single label only, PUBLIC. Using the Security Templates tool in the Solaris Management Console, the administrator creates a template with that label as both its minimum and maximum and assigns the gateway host to the template.

First, the gateway host and IP address are added to the Computers and Networks tool.


gateway-1
192.168.131.75

Then, the template is created in the Security Templates tool. The following are the values in the template:


template: CIPSO_PUBLIC
host_type: CIPSO
doi: 1
min_sl: PUBLIC
max_sl: PUBLIC

The tool supplies the hexadecimal value for PUBLIC, 0X0002-08-08.

Finally, the gateway-1 host is assigned to the template by its name and IP address.


gateway-1
192.168.131.75

On a local host, the tnrhtp entry appears similar to the following:


cipso_public:host_type=cipso;doi=1;min_sl=0X0002-08-08;max_sl=0X0002-08-08;

On a local host, the tnrhdb entry appears similar to the following:


# gateway-1
192.168.131.75:cipso_public


Example 13–3 Creating a Security Template for an Unlabeled Router

Any IP router can forward messages with CIPSO labels even though the router does not explicitly support labels. Such an unlabeled router needs a default label that defines the level at which direct connections to the router, for example for router management, are handled. In this example, the security administrator creates a template for a router that forwards traffic at any label, while all direct communication with the router is handled at the default label, PUBLIC.

In the Solaris Management Console, the administrator creates a template and assigns the gateway host to the template.

First, the router and its IP address are added to the Computers and Networks tool.


router-1
192.168.131.82

Then, the template is created in the Security Templates tool. The following values are in the template:


Template Name: UNL_PUBLIC
Host Type: UNLABELED
DOI: 1
Default Label: PUBLIC
Minimum Label: ADMIN_LOW
Maximum Label: ADMIN_HIGH

The tool supplies the hexadecimal value for the labels.

Finally, the router-1 router is assigned to the template by its name and IP address.


router-1
192.168.131.82


Example 13–4 Creating a Security Template That Has a Limited Label Range

In this example, the security administrator wants to create a gateway that restricts packets to a narrow label range. In the Solaris Management Console, the administrator creates a template and assigns the gateway host to the template.

First, the host and its IP address are added to the Computers and Networks tool.


gateway-ir
192.168.131.78

Then, the template is created in the Security Templates tool. The following values are in the template:


Template Name: CIPSO_IUO_RSTRCT
Host Type: CIPSO
DOI: 1
Minimum Label: CONFIDENTIAL : INTERNAL USE ONLY
Maximum Label: CONFIDENTIAL : RESTRICTED

The tool supplies the hexadecimal value for the labels.

Finally, the gateway-ir gateway is assigned to the template by its name and IP address.


gateway-ir
192.168.131.78


Example 13–5 Creating a Security Template That Has a Security Label Set

In this example, the security administrator wants to create a security template that recognizes two labels only. In the Solaris Management Console, the administrator creates a template and assigns the gateway host to the template.

First, each host and IP address that is going to use this template is added to the Computers and Networks tool.


host-slset1
192.168.132.21

host-slset2
192.168.132.22

host-slset3
192.168.132.23

host-slset4
192.168.132.24

Then, the template is created in the Security Templates tool. The following values are in the template:


Template Name: CIPSO_PUB_RSTRCT
Host Type: CIPSO
DOI: 1
Minimum Label: PUBLIC
Maximum Label: CONFIDENTIAL : RESTRICTED
SL Set: PUBLIC, CONFIDENTIAL : RESTRICTED

The tool supplies the hexadecimal value for the labels.

Finally, the range of IP addresses is assigned to the template by using the Wildcard button and a prefix.


192.168.132.0/17

Note that a prefix length of 17 matches every address from 192.168.128.0 through 192.168.255.255, far more than the four hosts listed above. If only the 192.168.132.0 subnetwork should receive this template, use a prefix of 24 instead.


Example 13–6 Creating an Unlabeled Template at the Label PUBLIC

In this example, the security administrator allows a subnetwork of Solaris systems to have the PUBLIC label in the trusted network. The template has the following values:


Template Name: public
Host Type: Unlabeled
Default Label: Public
Minimum Label: Public
Maximum Label: Public
DOI: 1

Wildcard Entry: 10.10.0.0
Prefix: 16

All systems on the 10.10.0.0/16 subnetwork are handled at the label PUBLIC.
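The examples above show the two on-disk forms that the Security Templates tool writes, the tnrhtp line of Example 13–2 and the host or wildcard lines of tnrhdb, and Example 13–1 shows where the DOI that every template must agree with comes from. The following added example, which is not code from the Oracle Solaris documentation, parses those forms, reads default_doi from /etc/system text, and resolves an address to a template by longest-prefix match, our model of the wildcard-plus-prefix entries in Examples 13–5 and 13–6. The sample entries are constructed from the examples; apart from PUBLIC's hex value 0X0002-08-08, the label strings are placeholders, and the function names are ours.

```python
"""Model of how a Trusted Extensions remote host is mapped to a security template.

Added example; not code from the Oracle Solaris documentation. It parses the
tnrhtp form (template:key=value;...) and the tnrhdb form (address[/prefix]:template),
reads default_doi as shown in Example 13-1, and resolves an address by
longest-prefix match (our model of the wildcard entries). Sample data is constructed.
"""
import ipaddress

# Constructed tnrhtp text. Only PUBLIC's hex value (0X0002-08-08) comes from the
# page; the other label strings stand in for whatever label_encodings defines.
TNRHTP = """\
admin_low:host_type=unlabeled;def_label=ADMIN_LOW;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;doi=1;
cipso_public:host_type=cipso;doi=1;min_sl=0X0002-08-08;max_sl=0X0002-08-08;
cipso_pub_rstrct:host_type=cipso;doi=1;min_sl=PUBLIC;max_sl=CNF_RESTRICTED;sl_set=PUBLIC,CNF_RESTRICTED;
public:host_type=unlabeled;doi=1;def_label=PUBLIC;min_sl=PUBLIC;max_sl=PUBLIC;
"""

# Constructed tnrhdb text: the gateway-1 entry of Example 13-2, the wildcard
# entries of Examples 13-5 and 13-6, and a 0.0.0.0 catch-all.
TNRHDB = """\
# gateway-1
192.168.131.75:cipso_public
192.168.132.0/17:cipso_pub_rstrct
10.10.0.0/16:public
0.0.0.0:admin_low
"""


def parse_tnrhtp(text):
    """Map template name -> dict of its key=value attributes."""
    templates = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, attrs = line.partition(":")
        templates[name] = dict(kv.split("=", 1) for kv in attrs.split(";") if "=" in kv)
    return templates


def parse_tnrhdb(text):
    """Return [(ip_network, template)], one per host or wildcard entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, template = line.rpartition(":")  # rpartition keeps IPv6 colons in addr
        if "/" not in addr and addr in ("0.0.0.0", "::"):
            addr += "/0"  # a bare 0.0.0.0 entry is the catch-all wildcard
        # strict=False is the /17 caveat made visible: 192.168.132.0/17 is really 192.168.128.0/17
        entries.append((ipaddress.ip_network(addr, strict=False), template))
    return entries


def covered_range(addr_with_prefix):
    """First and last address that a wildcard entry actually matches."""
    net = ipaddress.ip_network(addr_with_prefix, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def lookup(entries, ip):
    """Longest-prefix match: a host entry beats any wildcard, a longer prefix beats a shorter one."""
    ip = ipaddress.ip_address(ip)
    best = None
    for net, template in entries:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, template)
    return best[1] if best else None


def system_doi(etc_system_text):
    """Value of `set default_doi = N` in /etc/system text; 1 when the line is absent."""
    for line in etc_system_text.splitlines():
        parts = line.replace("=", " ").split()
        if len(parts) >= 3 and parts[:2] == ["set", "default_doi"]:
            return int(parts[2])
    return 1


def check_templates(templates, default_doi):
    """Problems to fix before loading the templates: DOI mismatch, unlabeled without def_label."""
    problems = []
    for name, f in templates.items():
        if int(f.get("doi", 1)) != default_doi:
            problems.append(f"{name}: doi={f.get('doi', 1)} differs from default_doi {default_doi}")
        if f.get("host_type") == "unlabeled" and "def_label" not in f:
            problems.append(f"{name}: unlabeled template needs a def_label")
    return problems


if __name__ == "__main__":
    hosts = parse_tnrhdb(TNRHDB)
    for ip in ("192.168.131.75", "192.168.132.21", "192.168.200.5", "10.10.3.4", "172.16.1.1"):
        print(ip, "->", lookup(hosts, ip))
    print("192.168.132.0/17 covers", covered_range("192.168.132.0/17"))
    print(check_templates(parse_tnrhtp(TNRHTP), system_doi("set default_doi = 4")))
```

Running it shows that 192.168.200.5, which is not on the 192.168.132.0 subnetwork, still receives cipso_pub_rstrct under the /17 entry, and that every template with doi=1 is flagged once default_doi is 4. On a system that has the Trusted Extensions commands, tninfo -h hostname reports the template the kernel actually applied to a host, which is the check to run after loading new entries.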



Example 13–7 Creating a Labeled Template for Developers

In this example, the security administrator creates a SANDBOX template. This template is assigned to systems that are used by developers of trusted software. The two systems that are assigned this template create and test labeled programs. However, their tests do not affect the other labeled systems, because the label SANDBOX is disjoint from the other labels on the network.


Template Name: cipso_sandbox
Host Type: CIPSO
Minimum Label: SANDBOX
Maximum Label: SANDBOX
DOI: 1

Hostname: DevMachine1
IP Address: 192.168.129.129

Hostname: DevMachine2
IP Address: 192.168.129.102

The developers who use these systems can communicate with each other at the label SANDBOX.