Trusted Extensions Configuration and Administration (Oracle Solaris 11.1 Information Library)
Configuring Routes and Multilevel Ports (Tasks)

Static routes enable labeled packets to reach their destination through labeled and unlabeled gateways. Multilevel ports (MLPs) enable an application to use one entry point to reach all zones.

How to Add Default Routes

Before You Begin

You must be in the Security Administrator role in the global zone.

You have added each destination host, network, and gateway to a security template. For details, see How to Add a Host to a Security Template and How to Add a Range of Hosts to a Security Template.

  1. Use the txzonemgr GUI to create default routes.
    # txzonemgr &
  2. Double-click the zone whose default route you want to set, then double-click its IP address entry.

    If the zone has more than one IP address, choose the entry with the desired interface.

  3. At the prompt, type the IP address of the router and click OK.

    Note - To remove or modify the default router, remove the entry, create the IP entry again, and add the router. If the zone has only one IP address, you must remove the IP instance to remove the entry.


Example 16-17 Using the route Command to Set the Default Route for the Global Zone

In this example, the administrator uses the route command to create a default route for the global zone. As noted in Before You Begin, the gateway 192.168.113.1 must already be assigned to a security template.

# route add default 192.168.113.1 -static

A route that is added this way is not preserved across a reboot. To make it persistent as well, add the -p option of the route command. Verify the routing table with netstat -rn.

How to Create a Multilevel Port for a Zone

You can add private and shared MLPs to labeled zones and the global zone.

This procedure is used when an application that runs in a labeled zone requires a multilevel port (MLP) to communicate with the zone. In this procedure, a web proxy communicates with the zone.

Before You Begin

You must be in the root role in the global zone. The system must have at least two IP addresses, and the labeled zone must be halted.

  1. Add the proxy host and the web services host to the /etc/hosts file.

    Each entry lists the IP address first, followed by the host name:

    ## /etc/hosts file
    ...
    IP-address proxy-host-name
    IP-address web-service-host-name
  2. Create a security template for the hosts that communicate with the zone.

    For example, create a security template named webprox for hosts whose packets are explicitly labeled PUBLIC: the host type is cipso, and both the minimum label and the maximum label are public. Then assign the web proxy host and the public zone's IP address to the template.

    # tncfg -t webprox
    tncfg:webprox> set host_type=cipso
    tncfg:webprox> set min_label=public
    tncfg:webprox> set max_label=public
    tncfg:webprox> add host=mywebproxy.oracle.com
    tncfg:webprox> add host=10.1.2.3/16
    tncfg:webprox> exit

    Here, mywebproxy.oracle.com is the host name that is associated with the public zone, and 10.1.2.3/16 is the IP address of the public zone. Verify the template with tninfo -t webprox.
  3. Configure the MLP.

    For example, the web proxy service might communicate with the PUBLIC zone on port 8080/tcp. Add the port as a shared MLP, which applies to the address that all zones share, and as a private MLP, which applies to the zone's own address.

    # tncfg -z public add mlp_shared=8080/tcp
    # tncfg -z public add mlp_private=8080/tcp
  4. To add the MLPs to the kernel, boot the zone.
    # zoneadm -z zone-name boot
  5. In the global zone, add routes for the new addresses.

    To add routes, perform How to Add Default Routes.

Example 16-18 Configuring an MLP by Using the txzonemgr GUI

The administrator configures the web proxy service by opening the Labeled Zone Manager.

# txzonemgr &

The administrator double-clicks the PUBLIC zone, then double-clicks Configure Multilevel Ports. Then the administrator selects and double-clicks the Private interfaces line. The selection changes to an entry field similar to the following:

Private interfaces:111/tcp;111/udp

The administrator appends the web proxy entry after a semicolon separator:

Private interfaces:111/tcp;111/udp;8080/tcp

After completing the private entry, the administrator types the web proxy into the Shared interfaces field.

Shared interfaces:111/tcp;111/udp;8080/tcp

A popup message indicates that the multilevel ports for the public zone will be active at the next boot of the zone.

Example 16-19 Configuring a Private Multilevel Port for NFSv3 Over UDP

In this example, the administrator enables NFSv3 read-down mounts over UDP by adding 2049/udp as a private MLP in the global zone. The administrator has the option of using the tncfg command.

# tncfg -z global add mlp_private=2049/udp

The txzonemgr GUI provides another way to define the MLP.

In the Labeled Zone Manager, the administrator double-clicks the global zone, then double-clicks Configure Multilevel Ports. In the MLP menu, the administrator selects and double-clicks the Private interfaces line and adds the port/protocol.

Private interfaces:111/tcp;111/udp;2049/udp

A popup message indicates that the multilevel ports for the global zone will be active at the next boot.

Example 16-20 Displaying Multilevel Ports on a System

In this example, a system is configured with several labeled zones. All zones share the same IP address. Some zones are also configured with zone-specific addresses. In this configuration, the TCP port for web browsing, port 8080, is an MLP on a shared interface in the public zone. The administrator has also set up telnet, TCP port 23, to be an MLP in the public zone. Because these two MLPs are on a shared interface, no other zone, including the global zone, can receive packets on the shared interface on ports 8080 and 23.

In addition, the TCP port for ssh, port 22, is a per-zone MLP in the public zone. The public zone's ssh service can receive any packets on its zone-specific address within the address's label range.

The following command shows the MLPs for the public zone:

$ tninfo -m public
private: 22/tcp
shared:  23/tcp;8080/tcp

The following command shows the MLPs for the global zone. Note that ports 23 and 8080 cannot be MLPs in the global zone because the global zone shares the same address with the public zone:

$ tninfo -m global
private: 111/tcp;111/udp;514/tcp;515/tcp;631/tcp;2049/tcp;
         6000-6003/tcp;38672/tcp;60770/tcp;
shared:  6000-6003/tcp
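The rule that step 3 of How to Create a Multilevel Port for a Zone and Example 16-20 rely on, that a port which is a shared MLP in one zone cannot be received by any other zone on the shared address, can be checked before tncfg is run. The following Python script is an added example and is not code from the Oracle Solaris documentation or product. It parses tninfo -m output captured for each zone, reports port/protocol ranges that more than one zone claims as a shared MLP, and refuses to emit a tncfg add mlp_shared command that would collide with an existing shared MLP. The sample outputs are constructed in the format of Example 16-20 and were not captured from a real system; the internal zone and its 8000-8100/tcp shared MLP are hypothetical and were chosen to overlap the public zone's 8080/tcp so that the range check has something to find.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output in the format that `tninfo -m zone` prints (see Example 16-20).
# Not captured from a real system. The "internal" zone and its 8000-8100/tcp shared MLP
# are hypothetical and deliberately overlap public's 8080/tcp.
SAMPLE_TNINFO_M = {
    "public": "private: 22/tcp\nshared:  23/tcp;8080/tcp\n",
    "global": (
        "private: 111/tcp;111/udp;514/tcp;515/tcp;631/tcp;2049/tcp;\n"
        "         6000-6003/tcp;38672/tcp;60770/tcp;\n"
        "shared:  6000-6003/tcp\n"
    ),
    "internal": "private: 22/tcp\nshared:  8000-8100/tcp\n",
}

PortRange = Tuple[int, int, str]  # (low port, high port, protocol)
MLP_RE = re.compile(r"^(\d+)(?:-(\d+))?/(tcp|udp)$")

def parse_mlp(spec: str) -> PortRange:
    """Parse one MLP specification such as '8080/tcp' or '6000-6003/tcp'."""
    m = MLP_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad MLP specification: {spec!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if not 0 < low <= high <= 65535:
        raise ValueError(f"port range out of bounds: {spec!r}")
    return (low, high, m.group(3))

def fmt_mlp(r: PortRange) -> str:
    """Render a port range back in tncfg/tninfo notation."""
    return f"{r[0]}/{r[2]}" if r[0] == r[1] else f"{r[0]}-{r[1]}/{r[2]}"

def parse_tninfo_m(text: str) -> Dict[str, List[PortRange]]:
    """Parse `tninfo -m` output: a 'private:' and a 'shared:' list, entries separated
    by ';', with continuation lines indented by whitespace."""
    mlps: Dict[str, List[PortRange]] = {"private": [], "shared": []}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():            # continuation of the previous list
            if current is None:
                raise ValueError(f"continuation before any list: {line!r}")
            rest = line
        else:
            current, _, rest = line.partition(":")
            current = current.strip()
            if current not in mlps:
                raise ValueError(f"unexpected list {current!r}")
        mlps[current].extend(parse_mlp(item) for item in rest.split(";") if item.strip())
    return mlps

def overlaps(a: PortRange, b: PortRange) -> bool:
    """True when two ranges share the protocol and at least one port."""
    return a[2] == b[2] and a[0] <= b[1] and b[0] <= a[1]

def shared_mlp_conflicts(zones: Dict[str, Dict[str, List[PortRange]]]) -> List[Tuple[str, str, str, str]]:
    """Report ports claimed as a shared MLP by two zones. Every zone receives on the same
    shared address, so only one zone can own a given port/protocol there."""
    names = sorted(zones)
    found = []
    for i, za in enumerate(names):
        for zb in names[i + 1:]:
            for ra in zones[za]["shared"]:
                for rb in zones[zb]["shared"]:
                    if overlaps(ra, rb):
                        found.append((za, fmt_mlp(ra), zb, fmt_mlp(rb)))
    return found

def add_shared_mlp_command(zones: Dict[str, Dict[str, List[PortRange]]], zone: str, spec: str) -> str:
    """Return the tncfg command that adds `spec` as a shared MLP of `zone`, or raise
    ValueError when another zone already holds an overlapping shared MLP."""
    new = parse_mlp(spec)
    for other, mlps in zones.items():
        if other == zone:
            continue
        for r in mlps["shared"]:
            if overlaps(new, r):
                raise ValueError(f"{fmt_mlp(new)} overlaps shared MLP {fmt_mlp(r)} of zone {other}")
    return f"tncfg -z {zone} add mlp_shared={fmt_mlp(new)}"

def load_sample() -> Dict[str, Dict[str, List[PortRange]]]:
    """Parse the constructed sample for every zone."""
    return {zone: parse_tninfo_m(out) for zone, out in SAMPLE_TNINFO_M.items()}

if __name__ == "__main__":
    zones = load_sample()
    for za, ra, zb, rb in shared_mlp_conflicts(zones):
        print(f"conflict: {za} {ra} and {zb} {rb} on the shared address")
    print(add_shared_mlp_command(zones, "internal", "8443/tcp"))
    try:
        add_shared_mlp_command(zones, "global", "8080/tcp")  # public already owns 8080/tcp
    except ValueError as err:
        print("refused:", err)
```

On a live system, replace SAMPLE_TNINFO_M with the output of tninfo -m zone for each zone. tninfo reports the MLPs that the kernel has loaded, so it reflects an added MLP only after the zone boot in step 4 has taken effect. Private MLPs are not compared across zones, because each applies to its own zone's address.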