Labeling Hosts and Networks (Tasks)

A Trusted Extensions system can contact other hosts only after the system has defined the security attributes of those hosts. Because remote hosts can have similar security attributes, Trusted Extensions provides security templates to which you can add hosts.

Viewing Existing Security Templates (Tasks)

Before you label remote hosts and networks, read the provided security templates and ensure that you can reach the remote hosts and networks. For instructions, see the following:

• View the security templates – How to View Security Templates

• Determine if your site requires customized security templates – How to Determine If You Need Site-Specific Security Templates

• Add systems and networks to the trusted network – How to Add Hosts to the System's Known Network

How to View Security Templates

You can view the list of security templates and the contents of each template. The examples shown in this procedure are the default security templates.

1. List the available security templates.

   # tncfg list
      cipso
      admin_low
      adapt
      netif

2. View the contents of the listed templates.

   # tncfg -t cipso info
      name=cipso
      host_type=cipso
      doi=1
      min_label=ADMIN_LOW
      max_label=ADMIN_HIGH
      host=127.0.0.1/32

   The 127.0.0.1/32 entry in the preceding cipso security template identifies this system as labeled. When a peer assigns this system to the peer's remote host template with the host_type of cipso, the two systems can exchange labeled packets.

   # tncfg -t admin_low info
      name=admin_low
      host_type=unlabeled
      doi=1
      def_label=ADMIN_LOW
      min_label=ADMIN_LOW
      max_label=ADMIN_HIGH
      host=0.0.0.0/0

   The 0.0.0.0/0 entry in the preceding admin_low security template enables all hosts that are not explicitly assigned to a security template to contact this system. These hosts are recognized as unlabeled.

   • The advantage of the 0.0.0.0/0 entry is that all hosts that this system requires at boot time, such as servers and gateways, can be found.

   • The disadvantage of the 0.0.0.0/0 entry is that any host on this system's network can contact this system. To restrict which hosts can contact this system, see How to Limit the Hosts That Can Be Contacted on the Trusted Network.

   # tncfg -t adapt info
      name=adapt
      host_type=adapt
      doi=1
      min_label=ADMIN_LOW
      max_label=ADMIN_HIGH
      host=0.0.0.0/0

   An adapt template identifies an adaptive host, that is, an untrusted system that cannot have a default label. Instead, its label is assigned by its receiving trusted system. The label is derived from the default label of the IP interface that receives the packet, as specified by the labeled system's netif template.

   # tncfg -t netif info
      name=netif
      host_type=netif
      doi=1
      def_label=ADMIN_LOW
      min_label=ADMIN_LOW
      max_label=ADMIN_HIGH
      host=127.0.0.1/32

   A netif template specifies a trusted local network interface, not a remote host. The default label of a netif template must equal the label of every zone with a dedicated network interface whose IP address matches a host address in that template. Additionally, the lower link that corresponds to the matching zone interface can be assigned only to other zones that share the same label.

How to Determine If You Need Site-Specific Security Templates

• Create site-specific security templates if you want to do any of the following for hosts that you communicate with:

  • Limit the label range of a host or a group of hosts.

  • Create a single-label host at a label other than ADMIN_LOW.

  • Require a default label for unlabeled hosts that is not ADMIN_LOW.

  • Create a host that recognizes a limited set of labels.

  • Use a DOI other than 1.

  • Send information from specified unlabeled hosts to a network interface that is trusted to assign the correct label to the packets from the unlabeled hosts.

How to Add Hosts to the System's Known Network

After you add hosts and groups of hosts to a system's /etc/hosts file, the hosts are known to the system. Only known hosts can be added to a security template.

Before You Begin

You are in the root role in the global zone.

1. Add individual hosts to the /etc/hosts file.

   # pfedit /etc/hosts
   
   ...
   192.168.111.121   ahost

2. Add a group of hosts to the /etc/hosts file.

   # pfedit /etc/hosts
   
   ...
   192.168.111.0   111-network

Creating Security Templates (Tasks)

This section contains pointers or examples of creating security templates for the following network configurations:

• The DOI is a value different from 1 – How to Configure a Different Domain of Interpretation

• Trusted remote hosts are assigned a specific label – Example 16-1

• Untrusted remote hosts are assigned a specific label – Example 16-2

For more examples of security templates that address specific requirements, see Adding Hosts to Security Templates (Tasks).

How to Create Security Templates

Before You Begin

You must be in the global zone in a role that can modify network security. For example, roles that are assigned the Information Security or Network Security rights profiles can modify security values. The Security Administrator role includes these rights profiles.

1. (Optional) Determine the hexadecimal version of any label other than ADMIN_HIGH and ADMIN_LOW.

   For labels such as PUBLIC, you can use either the label string or the hexadecimal value, 0x0002-08-08 as label values. The tncfg command accepts either format.

   # atohexlabel "confidential : internal use only"
   0x0004-08-48

   For more information, see How to Obtain the Hexadecimal Equivalent for a Label.

2. Do not alter the default security templates.

   For support purposes, do not delete the default security templates.

   • You can copy and modify these templates.

   • And you can add and remove hosts that are assigned to these templates. For an example, see How to Limit the Hosts That Can Be Contacted on the Trusted Network.

3. Create a security template.

   The tncfg -t command provides three ways to create new templates.

   • Create a security template from scratch.

     Use the tncfg command in interactive mode. The info subcommand displays the values that are supplied by default. Use the Tab key to complete partial properties and values. Type exit to complete the template.

     # tncfg -t newunlabeled
     tncfg:newunlabeled> info
        name=newunlabeled
        host_type=unlabeled
        doi=1
        def_label=ADMIN_LOW
        min_label=ADMIN_LOW
        max_label=ADMIN_HIGH
     tncfg:newunlabeled> set m<Tab>
     set max_label=" set min_label="
     tncfg:newunlabeled> set ma<Tab>
     tncfg:newunlabeled> set max_label=ADMIN_LOW
     ...
     tncfg:newunlabeled> commit
     tncfg:newunlabeled> exit

     You can also supply the complete list of attributes for a security template on the command line. Semicolons separate the set subcommands. An omitted property receives the default value.

     # tncfg -t newunlabeled set host_type=unlabeled;set doi=1; \
     set min_label=ADMIN_LOW;set max_label=ADMIN_LOW

   • Copy and modify an existing security template.

     # tncfg -t cipso
     tncfg:cipso> set name=newcipso
     tncfg:newcipso> info
     name=newcipso
     host_type=cipso
     doi=1
     min_label=ADMIN_LOW
     max_label=ADMIN_HIGH

     Hosts that are assigned to the existing security template are not copied to the new template.

   • Use a template file that the export subcommand creates.

     # tncfg -f unlab_1 -f template-file
     tncfg: unlab_1> set host_type=unlabeled
     ...
     # tncfg -f template-file

     For an example of creating a source template for importing, see the tncfg(1M) man page.

Example 16-1 Creating a Security Template for a Gateway That Handles Packets at One Label

In this example, the security administrator defines a gateway that can only pass packets at the label PUBLIC.

# tncfg -t cipso_public
tncfg:cipso_public> set host_type=cipso
tncfg:cipso_public> set doi=1
tncfg:cipso_public> set min_label="public"
tncfg:cipso_public> set max_label="public"
tncfg:cipso_public> commit
tncfg:cipso_public> exit

The security administrator then adds the gateway host to the security template. For the addition, see Example 16-3.

Example 16-2 Creating an Unlabeled Security Template at the Label PUBLIC

In this example, the security administrator creates an unlabeled template for untrusted hosts that can receive and send packets at the PUBLIC label only. This template might be assigned to hosts whose file systems must be mounted at the PUBLIC label by Trusted Extensions systems.

# tncfg -t public
tncfg:public> set host_type=unlabeled
tncfg:public> set doi=1
tncfg:public> set def_label="public"
tncfg:public> set min_sl="public"
tncfg:public> set max_sl="public"
tncfg:public> exit

The security administrator then adds hosts to the security template. For the addition, see Example 16-12.

Adding Hosts to Security Templates (Tasks)

This section contains pointers or examples of adding hosts to security templates. For discontinuous IP addresses, see How to Add a Host to a Security Template. For a range of hosts, see How to Add a Range of Hosts to a Security Template.

The examples in this section illustrate the following remote host label assignments:

• Trusted remote trusted gateway handles PUBLIC traffic – Example 16-3

• Untrusted remote hosts act as single-label routers – Example 16-4

• Trusted remote hosts restrict traffic to within a narrow label range – Example 16-5

• Trusted remote hosts are assigned a limited set of labels – Example 16-6

• Trusted remote hosts are assigned labels that are disjoint from the rest of the network – Example 16-7

• Trusted netif host labels packets from adapt systems – Example 16-8

• Untrusted adapt host sends packets to a netif host – Example 16-9

• Trusted homogeneous network adds a multicast address at a specific label – Example 16-10

• A host is removed from a security template – Example 16-11

• Untrusted remote hosts and networks are assigned labels – Example 16-12

How to Add a Host to a Security Template

Before You Begin

The following must be in place:

• The IP addresses must exist in the /etc/hosts file or be resolvable by DNS.

  For the hosts file, see How to Add Hosts to the System's Known Network.

  For DNS, see Chapter 3, Managing DNS (Tasks), in Oracle Solaris Administration: Naming and Directory Services.

• The label endpoints must match. For the rules, see Overview of Routing in Trusted Extensions.

• You must be in the Security Administrator role in the global zone.

1. (Optional) Verify that you can reach the host name or IP address that you are going to add.

   In this example, you verify that you can reach 192.168.1.2.

   # arp 192.168.1.2
   gateway-2.example.com (192.168.1.2) at 0:0:0:1:ad:cd

   The arp command verifies that the host is defined in the system's /etc/hosts file or is resolvable by DNS.

2. Add a host name or IP address to a security template.

   For example, add the 192.168.1.2 IP address.

   # tncfg -t cipso
   tncfg:cipso> add host=192.168.1.2

   If you add a host that was previously added to another template, you are notified that you are replacing its security template assignment. For example:

   # tncfg -t cipso
   tncfg:cipso> add host=192.168.1.2
   192.168.1.2 previously matched the admin_low template
   tncfg:cipso> info
   ...
   host=192.168.1.2/32
   tncfg:cipso> exit

3. View the changed security template.

   For example, the following shows the 192.168.1.2 address added to the cipso template:

   tncfg:cipso> info
   ...
      host=192.168.1.2/32

   The prefix length of /32 indicates that the address is exact.

4. Commit the change and exit the security template.

   tncfg:cipso> commit
   tncfg:cipso> exit

   To remove a host entry, see Example 16-11.

Example 16-3 Creating a Gateway That Handles Packets at One Label

In Example 16-1, the administrator creates a security template that defines a gateway that can only pass packets at the label PUBLIC. In this example, the security administrator ensures that the gateway host's IP address can be resolved.

# arp 192.168.131.75
gateway-1.example.com (192.168.131.75) at 0:0:0:1:ab:cd

The arp command verifies that the host is defined in the system's /etc/hosts file or is resolvable by DNS.

Then, the administrator adds the gateway-1 host to the security template:

# tncfg -t cipso_public
tncfg:cipso_public> add host=192.168.131.75
tncfg:cipso_public> exit

The system can immediately send and receive public packets through gateway-1.

Example 16-4 Creating an Unlabeled Router to Route Labeled Packets

Any IP router can forward messages with CALIPSO or CIPSO labels even though the router does not explicitly support labels. Such an unlabeled router requires a default label to define the level at which connections to the router, perhaps for router management, must be handled. In this example, the security administrator creates a router that can forward traffic at any label, but all direct communication with the router is handled at the default label, PUBLIC.

The security administrator creates the template from scratch.

# tncfg -t unl_public_router
tncfg:unl_public_router> set host_type=unlabeled
tncfg:unl_public_router> set doi=1
tncfg:unl_public_router> set def_label="PUBLIC"
tncfg:unl_public_router> set min_label=ADMIN_LOW
tncfg:unl_public_router> set max_label=ADMIN_HIGH
tncfg:unl_public_router> exit

Then, the administrator adds the router to the security template.

# tncfg -t unl_public_router
tncfg:unl_public_router> add host=192.168.131.82
tncfg:unl_public_router> exit

The system can immediately send and receive packets at all labels through router-1.

Example 16-5 Creating a Gateway With a Limited Label Range

In this example, the security administrator creates a gateway that restricts packets to a narrow label range and adds the gateway.

# arp 192.168.131.78
gateway-ir.example.com (192.168.131.78) at 0:0:0:3:ab:cd

# tncfg -t cipso_iuo_rstrct
tncfg:cipso_iuo_rstrct> set host_type=cipso
tncfg:cipso_iuo_rstrct> set doi=1
tncfg:cipso_iuo_rstrct> set min_label=0x0004-08-48
tncfg:cipso_iuo_rstrct> set max_label=0x0004-08-78
tncfg:cipso_iuo_rstrct> add host=192.168.131.78
tncfg:cipso_iuo_rstrct> exit

The system can immediately send and receive packets that are labeled internal and restricted through gateway-ir.

Example 16-6 Creating Hosts at Discrete Labels

In this example, the security administrator creates a security template that recognizes two labels only, confidential : internal use only and confidential : restricted. All other traffic is rejected.

First, the security administrator ensures that each host's IP addresses can be resolved.

# arp 192.168.132.21
host-auxset1.example.com (192.168.132.21) at 0:0:0:4:ab:cd
# arp 192.168.132.22
host-auxset2.example.com (192.168.132.22) at 0:0:0:5:ab:cd
# arp 192.168.132.23
host-auxset3.example.com (192.168.132.23) at 0:0:0:6:ab:cd
# arp 192.168.132.24
host-auxset4.example.com (192.168.132.24) at 0:0:0:7:ab:cd

Then, the administrator is careful to type the labels precisely. The software recognizes labels in uppercase and lowercase letters and by short name, but does not recognize labels where the spacing is inaccurate. For example, the label cnf :restricted is not a valid label.

# tncfg -t cipso_int_and_rst
tncfg:cipso_int_and_rst> set host_type=cipso
tncfg:cipso_int_and_rst> set doi=1
tncfg:cipso_int_and_rst> set min_label="cnf : internal use only"
tncfg:cipso_int_and_rst> set max_label="cnf : internal use only"
tncfg:cipso_int_and_rst> set aux_label="cnf : restricted"
tncfg:cipso_int_and_rst> exit

Then, the administrator assigns the range of IP addresses to the security template by using a prefix length.

# tncfg -t cipso_int_rstrct
tncfg:cipso_int_rstrct> set host=192.168.132.0/24

Example 16-7 Creating a Labeled Host for Developers

In this example, the security administrator creates a cipso_sandbox template. This security template is assigned to systems that are used by developers of trusted software. Developer tests do not affect other labeled hosts because the label SANDBOX is disjoint from the other labels on the network.

# tncfg -t cipso_sandbox
tncfg:cipso_sandbox> set host_type=cipso
tncfg:cipso_sandbox> set doi=1
tncfg:cipso_sandbox> set min_sl="SBX"
tncfg:cipso_sandbox> set max_sl="SBX"
tncfg:cipso_sandbox> add host=196.168.129.102
tncfg:cipso_sandbox> add host=196.168.129.129
tncfg:cipso_sandbox> exit

The developers who use the 196.168.129.102 and 196.168.129.129 systems can communicate with each other at the label SANDBOX.

Example 16-8 Creating a Security Template for a netif Host

In this example, the security administrator creates a netif security template. This template is assigned to the labeled network interface that hosts the IP address 10.121.10.3. With this assignment, the Trusted Extensions IP module adds the default label, PUBLIC, to all incoming packets that arrive from an adaptive host.

# tncfg -t netif_public
tncfg:netif_public> set host_type=netif
tncfg:netif_public> set doi=1
tncfg:netif_public> set def_label="PUBLIC"
tncfg:netif_public> add host=10.121.10.3
tncfg:netif_public> commit
tncfg:netif_public> exit

Example 16-9 Creating Security Templates for Adaptive Hosts

In this example, the security administrator plans ahead. The administrator creates different subnets for a network that holds public information and a network that holds internal information. The administrator then defines two adapt hosts. Systems in the public subnet are assigned the PUBLIC label. Systems in the internal network are assigned the IUO label. Because this network is planned ahead of time, each network holds and transmits information at a specific label. Another advantage is that the network is easily debugged when packets are not delivered at the expected interface.

# tncfg -t adpub_192_168_10
tncfg:adapt_public> set host_type=adapt
tncfg:adapt_public> set doi=1
tncfg:adapt_public> set min_label="public"
tncfg:adapt_public> set max_label="public"
tncfg:adapt_public> add host=192.168.10.0
tncfg:adapt_public> commit
tncfg:adapt_public> exit

# tncfg -t adiuo_192_168_20
tncfg:adapt_public> set host_type=adapt
tncfg:adapt_public> set doi=1
tncfg:adapt_public> set min_label="iuo"
tncfg:adapt_public> set max_label="iuo"
tncfg:adapt_public> add host=192.168.20.0
tncfg:adapt_public> commit
tncfg:adapt_public> exit

Example 16-10 Sending Labeled Multicast Messages

On a labeled, homogeneous LAN, the administrator chooses an available multicast address over which to send packets at the label PUBLIC.

# tncfg -t cipso_public
tncfg:cipso_public> add host=224.4.4.4
tncfg:cipso_public> exit

Example 16-11 Removing Several Hosts From a Security Template

In this example, the security administrator removes several hosts from the cipso security template. The administrator uses the info subcommand to display the hosts, then types remove, and copies and pastes four host= entries.

# tncfg -t cipso info
   name=cipso
   host_type=cipso
   doi=1
   min_label=ADMIN_LOW
   max_label=ADMIN_HIGH
   host=127.0.0.1/32
   host=192.168.1.2/32
   host=192.168.113.0/24
   host=192.168.113.100/25
   host=2001:a08:3903:200::0/56

# tncfg -t cipso
tncfg:cipso> remove host=192.168.1.2/32
tncfg:cipso> remove host=192.168.113.0/24
tncfg:cipso> remove host=192.168.113.100/25
tncfg:cipso> remove host=2001:a08:3903:200::0/56
tncfg:cipso> info
...
   max_label=ADMIN_HIGH
   host=127.0.0.1/32
   host=192.168.75.0/24

After removing the hosts, the administrator commits the changes and exits the security template.

tncfg:cipso> commit
tncfg:cipso> exit
#

How to Add a Range of Hosts to a Security Template

Before You Begin

For the requirements, see How to Add a Host to a Security Template

1. To assign a security template to a subnet, add the subnet address to the template.

   For example, add two IPv4 subnets to the cipso template, then display the security template.

   # tncfg -t cipso
   tncfg:cipso> add host=192.168.75.0
   tncfg:cipso> add host=192.168.113.0
   tncfg:cipso> info
   ...
   host=192.168.75.0/24
   host=192.168.113.0/24
   tncfg:cipso> exit

   The prefix length of /24 indicates that the address, which ends in .0, is a subnet.

   ---

   Note - If you add a range of hosts that was previously added to another template, you are notified that you are replacing its security template assignment.

   ---

   # tncfg -t cipso
   tncfg:cipso> add host=192.168.113.100/25
   192.168.113.100/25 previously matched the admin_low template

2. To assign a security template to a range of addresses, specify the IP address and the prefix length.

   In the following example, the /25 prefix length covers contiguous IPv4 addresses from 192.168.113.0 to 192.168.113.127. The address includes 192.168.113.100.

   # tncfg -t cipso
   tncfg:cipso> add host=192.168.113.100/25
   tncfg:cipso> exit

   In the following example, the /56 prefix length covers contiguous IPv6 addresses from 2001:a08:3903:200::0 to 2001:a08:3903:2ff:ffff:ffff:ffff:ffff. The address includes 2001:a08:3903:201:20e:cff:fe08:58c.

   # tncfg -t cipso
   tncfg:cipso> add host=2001:a08:3903:200::0/56
   tncfg:cipso> info
   ...
   host=2001:a08:3903:200::0/56
   tncfg:cipso> exit

   • If you mistype an entry, such as omitting :200 from the address, you receive a message similar to the following:

     # tncfg -t cipso
     tncfg:cipso> add host=2001:a08:3903::0/56
     Invalid host: 2001:a08:3903::0/56

   • If you add a host that was previously added to another template, you are notified that you are replacing its security template assignment. For example:

     # tncfg -t cipso
     tncfg:cipso> add host=192.168.113.100/32
     192.168.113.100/32 previously matched the admin_low template
     tncfg:cipso> info
     ...
     host=192.168.113.100/32
     tncfg:cipso> exit

     The Trusted Extensions fallback mechanism ensures that this explicit assignment overrides the previous assignment, as discussed in Trusted Network Fallback Mechanism.

Example 16-12 Creating an Unlabeled Subnetwork at the Label PUBLIC

In Example 16-2, the administrator creates a security template that assigns the label PUBLIC to an untrusted host. In this example, the security administrator assigns a subnetwork to the PUBLIC label. Users on the assigning system can mount file systems from hosts in this subnetwork into a PUBLIC zone.

# tncfg -t public
tncfg:public> add host=10.10.0.0/16
tncfg:public> exit

The subnetwork can immediately be reached at the label PUBLIC.

Limiting the Hosts That Can Reach the Trusted Network (Tasks)

In this section, you protect the network by limiting the hosts that can reach the network.

• How to Limit the Hosts That Can Be Contacted on the Trusted Network

• Increase security by specifying systems to contact at boot time – Example 16-13

• Configure an application server to accept the initial contact from a remote client – Example 16-15

• Configure a labeled Sun Ray server to accept the initial contact from a remote client – Example 16-16

How to Limit the Hosts That Can Be Contacted on the Trusted Network

This procedure protects labeled hosts from being contacted by arbitrary unlabeled hosts. When Trusted Extensions is installed, the admin_low default security template defines every host on the network. Use this procedure to enumerate specific unlabeled hosts.

The local trusted network values on each system are used to contact the network at boot time. By default, every host that is not provided with a cipso template is defined by the admin_low template. This template assigns every remote host that is not otherwise defined (0.0.0.0/0) to be an unlabeled system with the default label of admin_low.

---

Caution - The default admin_low template can be a security risk on a Trusted Extensions network. If site security requires strong protection, the security administrator can remove the 0.0.0.0/0 wildcard entry after the system is installed. The entry must be replaced with entries for every host that the system contacts at boot time. For example, DNS servers, home directory servers, audit servers, broadcast and multicast addresses, and routers must be explicitly added to a template after the 0.0.0.0/0 wildcard entry is removed. If an application initially recognizes clients at the host address 0.0.0.0/32, then you must add the 0.0.0.0/32 host entry to the admin_low template. For example, to receive initial connection requests from potential Sun Ray clients, Sun Ray servers must include this entry. Then, when the server recognizes the clients, the clients are provided an IP address and connected as labeled clients.

---

Before You Begin

You must be in the Security Administrator role in the global zone.

All hosts that are to be contacted at boot time must exist in the /etc/hosts file.

1. Assign the admin_low template to every unlabeled host that must be contacted at boot time.

   • Include every unlabeled host that must be contacted at boot time.

   • Include every on-link router that is not running Trusted Extensions, through which this system must communicate.

   • Remove the 0.0.0.0/0 assignment.

2. Add hosts to the cipso template.

   Add each labeled host that must be contacted at boot time.

   • Include every on-link router that is running Trusted Extensions, through which this system must communicate.

   • Make sure that all network interfaces are assigned to the template.

   • Include broadcast addresses.

   • Include the ranges of labeled hosts that must be contacted at boot time.

   See Example 16-14 for a sample database.

3. Verify that the host assignments allow the system to boot.

Example 16-13 Changing the Label of the 0.0.0.0/0 IP Address

In this example, the administrator creates a public gateway system. The administrator removes the 0.0.0.0/0 host entry from the admin_low template and adds the 0.0.0.0/0 host entry to the unlabeled public template. The system then recognizes any host that is not specifically assigned to another security template as an unlabeled system with the security attributes of the public security template.

# tncfg -t admin_low info
tncfg:admin_low> remove host=0.0.0.0Wildcard address
tncfg:admin_low> exit

# tncfg -t public
tncfg:public> set host_type=unlabeled
tncfg:public> set doi=1
tncfg:public> set def_label="public"
tncfg:public> set min_sl="public"
tncfg:public> set max_sl="public"
tncfg:public> add host=0.0.0.0Wildcard address
tncfg:public> exit

Example 16-14 Enumerating Systems for a Trusted Extensions System to Contact at Boot

In the following example, the administrator configures the trusted network of a Trusted Extensions system with two network interfaces. The system communicates with another network and with routers. The remote hosts are assigned to one of three templates, cipso, admin_low, or public. The following commands are annotated.

# tncfg -t cipso
tncfg:admin_low> add host=127.0.0.1Loopback address
tncfg:admin_low> add host=192.168.112.111Interface 1 of this host
tncfg:admin_low> add host=192.168.113.111Interface 2 of this host
tncfg:admin_low> add host=192.168.113.6File server
tncfg:admin_low> add host=192.168.112.255Subnet broadcast address
tncfg:admin_low> add host=192.168.113.255Subnet broadcast address
tncfg:admin_low> add host=192.168.113.1Router
tncfg:admin_low> add host=192.168.117.0/24Another Trusted Extensions network
tncfg:admin_low> exit

# tncfg -t public
tncfg:public> add host=192.168.112.12Specific network router
tncfg:public> add host=192.168.113.12Specific network router
tncfg:public> add host=224.0.0.2Multicast address
tncfg:admin_low> exit

# tncfg -t admin_low
tncfg:admin_low> add host=255.255.255.255Broadcast address
tncfg:admin_low> exit

After specifying the hosts to contact at boot time, the administrator removes the 0.0.0.0/0 entry from the admin_low template.

# tncfg -t admin_low
tncfg:admin_low> remove host=0.0.0.0
tncfg:admin_low> exit

Example 16-15 Making the Host Address 0.0.0.0/32 a Valid Initial Address

In this example, the security administrator configures an application server to accept initial connection requests from potential clients.

The administrator configures the server's trusted network. The server and client entries are annotated.

# tncfg -t cipso info
   name=cipso
   host_type=cipso
   doi=1
   min_label=ADMIN_LOW
   max_label=ADMIN_HIGH
   host=127.0.0.1/32
   host=192.168.128.1/32 Application server address
   host=192.168.128.0/24 Application's client network
Other addresses to be contacted at boot time

# tncfg -t admin_low info
   name=cipso
   host_type=cipso
   doi=1
   def_label=ADMIN_LOW
   min_label=ADMIN_LOW
   max_label=ADMIN_HIGH
   host=192.168.128.0/24 Application's client network
   host=0.0.0.0/0 Wildcard address
Other addresses to be contacted at boot time

After this phase of testing succeeds, the administrator locks down the configuration by removing the default wildcard address, 0.0.0.0/0, committing the change, and then adding the specific address.

# tncfg -t admin_low info
tncfg:admin_low> remove host=0.0.0.0
tncfg:admin_low> commit
tncfg:admin_low> add host=0.0.0.0/32For initial client contact
tncfg:admin_low> exit

The final admin_low configuration appears similar to the following:

# tncfg -t admin_low
   name=cipso
   host_type=cipso
   doi=1
   def_label=ADMIN_LOW
   min_label=ADMIN_LOW
   max_label=ADMIN_HIGH
   192.168.128.0/24 Application's client network
   host=0.0.0.0/32 For initial client contact
Other addresses to be contacted at boot time

The 0.0.0.0/32 entry allows only the clients of the application to reach the application server.

Example 16-16 Configuring a Valid Initial Address for a Labeled Sun Ray Server

In this example, the security administrator configures a Sun Ray server to accept initial connection requests from potential clients. The server is using a private topology and the Sun Ray server defaults.

# utadm -a net0

Then, the administrator configures the server's trusted network. The server and client entries are annotated.

# tncfg -t cipso info
   name=cipso
   host_type=cipso
   doi=1
   min_label=ADMIN_LOW
   max_label=ADMIN_HIGH
   host=127.0.0.1/32
   host=192.168.128.1/32 Sun Ray server address
   host=192.168.128.0/24 Sun Ray client network
Other addresses to be contacted at boot time

# tncfg -t admin_low info
   name=cipso
   host_type=cipso
   doi=1
   def_label=ADMIN_LOW
   min_label=ADMIN_LOW
   max_label=ADMIN_HIGH
   host=192.168.128.0/24 Sun Ray client network
   host=0.0.0.0/0 Wildcard address
Other addresses to be contacted at boot time

After this phase of testing succeeds, the administrator locks down the configuration by removing the default wildcard address, 0.0.0.0/0, committing the change, and then adding the specific address.

# tncfg -t admin_low info
tncfg:admin_low> remove host=0.0.0.0
tncfg:admin_low> commit
tncfg:admin_low> add host=0.0.0.0/32For initial client contact
tncfg:admin_low> exit

The final admin_low configuration appears similar to the following:

# tncfg -t admin_low
   name=cipso
   host_type=cipso
   doi=1
   def_label=ADMIN_LOW
   min_label=ADMIN_LOW
   max_label=ADMIN_HIGH
   192.168.128.0/24 Sun Ray client network
   host=0.0.0.0/32 For initial client contact
Other addresses to be contacted at boot time

The 0.0.0.0/32 entry allows only Sun Ray clients to reach the server.