Trusted Extensions Configuration and Administration

Updated: December 2017
 
 

Adding Hosts to Security Templates

This section contains pointers to or examples of adding hosts to security templates. For discontinuous IP addresses, see How to Add a Host to a Security Template. For a range of hosts, see How to Add a Range of Hosts to a Security Template.

How to Add a Host to a Security Template

Before You Begin

  1. (Optional) Verify that you can reach the host name or IP address that you are going to add.

    In this example, you verify that you can reach 192.0.2.12.

    # arp 192.0.2.12
    gateway-2.example.com (192.0.2.12) at 0:0:0:1:ad:cd

    The arp command verifies that the host is defined in the system's /etc/hosts file or is resolvable by DNS.

  2. Add a host name or IP address to a security template.

    In this example, you add the 192.0.2.12 IP address.

    # tncfg -t cipso
    tncfg:cipso> add host=192.0.2.12

    If you add a host that was previously added to another template, you are notified that you are replacing its security template assignment. For the informational message, see Example 30, Replacing a Host's Security Template Assignment.

  3. View the changed security template.

    The following example shows the 192.0.2.12 address added to the cipso template:

    tncfg:cipso> info
    ...
    host=192.0.2.12/32

    The prefix length of /32 indicates that the address is exact.

  4. Commit the change and exit the security template.

    tncfg:cipso> commit
    tncfg:cipso> exit

    To remove a host entry, see Example 39, Removing Several Hosts From a Security Template.

Example 30  Replacing a Host's Security Template Assignment

This example illustrates the informational message that displays when you assign a security template to a host that already has a template assignment.

# tncfg -t cipso
tncfg:cipso> add host=192.0.2.12
192.0.2.12 previously matched the admin_low template
tncfg:cipso> info
...
host=192.0.2.12/32
tncfg:cipso> exit

Example 31  Creating a Gateway That Handles Packets at One Label

In Example 28, Creating a Security Template for a Gateway That Handles Packets at One Label, the security administrator creates a security template that defines a gateway that can only pass packets at the label PUBLIC. In this example, the security administrator ensures that the gateway host's IP address can be resolved.

# arp 192.0.2.75
gateway-1.example.com (192.0.2.75) at 0:0:0:1:ab:cd

The arp command verifies that the host is defined in the system's /etc/hosts file or is resolvable by DNS.

Then, the administrator adds the gateway-1 host to the security template.

# tncfg -t cipso_public
tncfg:cipso_public> add host=192.0.2.75
tncfg:cipso_public> exit

The system can immediately send and receive public packets through gateway-1.

Example 32  Creating an Unlabeled Router to Route Labeled Packets

Any IP router can forward messages with CALIPSO or CIPSO labels even though the router does not explicitly support labels. Such an unlabeled router requires a default label to define the level at which connections to the router, perhaps for router management, must be handled. In this example, the security administrator creates a router that can forward traffic at any label, but all direct communication with the router is handled at the default label, PUBLIC.

First, the security administrator creates the template from scratch.

# tncfg -t unl_public_router
tncfg:unl_public_router> set host_type=unlabeled
tncfg:unl_public_router> set doi=1
tncfg:unl_public_router> set def_label="PUBLIC"
tncfg:unl_public_router> set min_label=ADMIN_LOW
tncfg:unl_public_router> set max_label=ADMIN_HIGH
tncfg:unl_public_router> exit

Then, the administrator adds the router to the security template.

# tncfg -t unl_public_router
tncfg:unl_public_router> add host=192.0.2.82
tncfg:unl_public_router> exit

The system can immediately send and receive packets at all labels through router-1, the host name of the 192.0.2.82 address.

Example 33  Creating a Gateway With a Limited Label Range

In this example, the security administrator creates a template that restricts packets to a narrow label range and adds the gateway to the template.

# arp 192.0.2.78
gateway-ir.example.com (192.0.2.78) at 0:0:0:3:ab:cd
# tncfg -t cipso_iuo_rstrct
tncfg:cipso_iuo_rstrct> set host_type=cipso
tncfg:cipso_iuo_rstrct> set doi=1
tncfg:cipso_iuo_rstrct> set min_label=0x0004-08-48
tncfg:cipso_iuo_rstrct> set max_label=0x0004-08-78
tncfg:cipso_iuo_rstrct> add host=192.0.2.78
tncfg:cipso_iuo_rstrct> exit

The system can immediately send and receive packets that are labeled internal and restricted through gateway-ir.

Example 34  Creating Hosts at Discrete Labels

In this example, the security administrator creates a security template that recognizes two labels only, confidential : internal use only and confidential : restricted. All other traffic is rejected.

First, the security administrator ensures that each host's IP addresses can be resolved.

# arp 192.0.2.21
host-auxset1.example.com (192.0.2.21) at 0:0:0:4:ab:cd
# arp 192.0.2.22
host-auxset2.example.com (192.0.2.22) at 0:0:0:5:ab:cd
# arp 192.0.2.23
host-auxset3.example.com (192.0.2.23) at 0:0:0:6:ab:cd
# arp 192.0.2.24
host-auxset4.example.com (192.0.2.24) at 0:0:0:7:ab:cd

Then, the administrator is careful to type the labels precisely. The software recognizes labels in uppercase and lowercase letters and by short name, but does not recognize labels where the spacing is inaccurate. For example, the label cnf :restricted is not a valid label.

# tncfg -t cipso_int_and_rst
tncfg:cipso_int_and_rst> set host_type=cipso
tncfg:cipso_int_and_rst> set doi=1
tncfg:cipso_int_and_rst> set min_label="cnf : internal use only"
tncfg:cipso_int_and_rst> set max_label="cnf : internal use only"
tncfg:cipso_int_and_rst> set aux_label="cnf : restricted"
tncfg:cipso_int_and_rst> exit

Then, the administrator assigns the range of IP addresses to the security template by using a prefix length.

# tncfg -t cipso_int_and_rst
tncfg:cipso_int_and_rst> add host=192.0.2.0/24

Example 35  Creating a Labeled Host for Developers

In this example, the security administrator creates a cipso_sandbox security template. This template is assigned to systems that are used by developers of trusted software. Developer tests do not affect other labeled hosts because the label SANDBOX is disjoint from the other labels on the network.

# tncfg -t cipso_sandbox
tncfg:cipso_sandbox> set host_type=cipso
tncfg:cipso_sandbox> set doi=1
tncfg:cipso_sandbox> set min_sl="SBX"
tncfg:cipso_sandbox> set max_sl="SBX"
tncfg:cipso_sandbox> add host=192.0.2.11
tncfg:cipso_sandbox> add host=192.0.2.12
tncfg:cipso_sandbox> exit

The developers who use the 192.0.2.11 and 192.0.2.12 systems can communicate with each other at the label SANDBOX.

Example 36  Creating a Security Template for a netif Host

In this example, the security administrator creates a netif security template. This template is assigned to the labeled network interface that hosts the IP address 10.121.10.3. With this assignment, the Trusted Extensions IP module adds the default label, PUBLIC, to all incoming packets that arrive from an adaptive host.

# tncfg -t netif_public
tncfg:netif_public> set host_type=netif
tncfg:netif_public> set doi=1
tncfg:netif_public> set def_label="PUBLIC"
tncfg:netif_public> add host=192.0.2.14
tncfg:netif_public> commit
tncfg:netif_public> exit

Example 37  Creating Security Templates for Adaptive Hosts

In this example, the security administrator plans ahead. The administrator creates different subnets for a network that holds public information and a network that holds internal information. The administrator then defines two adaptive hosts. Systems in the public subnet are assigned the PUBLIC label. Systems in the internal network are assigned the IUO label. Because this network is planned ahead of time, each network holds and transmits information at a specific label. Another advantage is that the network is easily debugged when packets are not delivered at the expected interface.

# tncfg -t adpub_192_02
tncfg:adpub_192_02> set host_type=adapt
tncfg:adpub_192_02> set doi=1
tncfg:adpub_192_02> set min_label="public"
tncfg:adpub_192_02> set max_label="public"
tncfg:adpub_192_02> add host=192.0.2.0
tncfg:adpub_192_02> commit
tncfg:adpub_192_02> exit
# tncfg -t adiuo_198_51_100
tncfg:adiuo_198_51_100> set host_type=adapt
tncfg:adiuo_198_51_100> set doi=1
tncfg:adiuo_198_51_100> set min_label="iuo"
tncfg:adiuo_198_51_100> set max_label="iuo"
tncfg:adiuo_198_51_100> add host=198.51.100.0/24
tncfg:adiuo_198_51_100> commit
tncfg:adiuo_198_51_100> exit

Example 38  Sending Labeled Multicast Messages

In this example on a labeled, homogeneous LAN, the security administrator chooses an available multicast address over which to send packets at the label PUBLIC.

# tncfg -t cipso_public
tncfg:cipso_public> add host=224.4.4.4
tncfg:cipso_public> exit

Example 39  Removing Several Hosts From a Security Template

In this example, the security administrator removes several hosts from the cipso security template. The administrator uses the info subcommand to display the hosts, then types remove, and copies and pastes four host= entries.

# tncfg -t cipso info
name=cipso
host_type=cipso
doi=1
min_label=ADMIN_LOW
max_label=ADMIN_HIGH
host=127.0.0.1/32
host=192.0.2.2/32
host=192.0.2.0/24
host=192.0.2.100/25
host=2001:a08:3903:200::0/56
# tncfg -t cipso
tncfg:cipso> remove host=192.0.2.2/32
tncfg:cipso> remove host=192.0.2.0/24
tncfg:cipso> remove host=192.0.2.100/25
tncfg:cipso> remove host=2001:a08:3903:200::0/56
tncfg:cipso> info
...
max_label=ADMIN_HIGH
host=127.0.0.1/32
host=192.0.2.0/24

After removing the hosts, the administrator commits the changes and exits the security template.

tncfg:cipso> commit
tncfg:cipso> exit
#

How to Add a Range of Hosts to a Security Template

Before You Begin

For the requirements, see How to Add a Host to a Security Template.

  1. To assign a security template to a subnet, add the subnet address to the template.

    In this example, you add an IPv4 subnet to the cipso template, then display the security template.

    # tncfg -t cipso
    tncfg:cipso> add host=192.0.2.0
    tncfg:cipso> info
    ...
    host=192.0.2.0/24
    tncfg:cipso> exit

    The prefix length of /24 indicates that the address, which ends in .0, is a subnet.

    # tncfg -t cipso
    tncfg:cipso> add host=192.0.2.100/25
    192.0.2.100/25 previously matched the admin_low template

  2. To assign a security template to a range of addresses, specify the IP address and the prefix length.

    In the following example, the /25 prefix length covers contiguous IPv4 addresses from 192.0.2.0 to 192.0.2.127. This range includes 192.0.2.100.

    # tncfg -t cipso
    tncfg:cipso> add host=192.0.2.100/25
    tncfg:cipso> exit

    In the following example, the /56 prefix length covers contiguous IPv6 addresses from 2001:a08:3903:200::0 to 2001:a08:3903:2ff:ffff:ffff:ffff:ffff. This range includes 2001:a08:3903:201:20e:cff:fe08:58c.

    # tncfg -t cipso
    tncfg:cipso> add host=2001:a08:3903:200::0/56
    tncfg:cipso> info
    ...
    host=2001:a08:3903:200::0/56
    tncfg:cipso> exit

    If you add a host that was previously added to another template, you are notified that you are replacing its security template assignment. For the informational message, see Example 40, Replacing Security Template for a Range of Hosts.

    A mistyped entry also displays an informational message, as shown in Example 41, Handling a Mistyped IP Address in a Security Template.

Example 40  Replacing Security Template for a Range of Hosts

This example illustrates the informational message that displays when you assign a security template to a range of hosts that already has a template assignment.

# tncfg -t cipso
tncfg:cipso> add host=192.0.2.100/32
192.0.2.100/32 previously matched the admin_low template
tncfg:cipso> info
...
host=192.0.2.100/32
tncfg:cipso> exit

The Trusted Extensions fallback mechanism ensures that this explicit assignment overrides the previous assignment, as discussed in Trusted Network Fallback Mechanism.
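
The prefix-length ranges in the preceding procedure and the override behavior shown in Example 40 can be checked offline before a change is committed. The following Python code is an added example, not part of the Oracle documentation: it parses host= lines in the format printed by tncfg info, picks the entry with the longest matching prefix, and lists entries in different templates whose ranges overlap. It assumes that longest-prefix matching is how the fallback mechanism selects a template; the template contents, including the 0.0.0.0/0 entry in admin_low, and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: host= lines in the format printed by `tncfg -t <name> info`.
# Entries reuse addresses from this page; admin_low's 0.0.0.0/0 is an assumption.
SAMPLE_INFO = {
    "admin_low": "name=admin_low\nhost_type=unlabeled\nhost=0.0.0.0/0\n",
    "cipso": ("name=cipso\nhost_type=cipso\ndoi=1\nhost=127.0.0.1/32\n"
              "host=192.0.2.100/25\nhost=2001:a08:3903:200::0/56\n"),
    "cipso_public": "name=cipso_public\nhost_type=cipso\nhost=192.0.2.75/32\n",
}


def parse_hosts(info_text):
    """Return the host= entries of one template as ip_network objects."""
    nets = []
    for line in info_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "host" and value:
            # strict=False normalizes 192.0.2.100/25 to 192.0.2.0/25.
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def build_table(info_by_template):
    """Flatten {template: info text} into (network, template) pairs."""
    return [(net, name) for name, text in info_by_template.items()
            for net in parse_hosts(text)]


def match_template(address, table):
    """Return (template, network) for the longest matching prefix, or None."""
    addr = ipaddress.ip_address(address)
    hits = [(net, name) for net, name in table
            if net.version == addr.version and addr in net]
    best = max(hits, key=lambda hit: hit[0].prefixlen, default=None)
    return (best[1], best[0]) if best else None


def overlaps(table):
    """List entry pairs from different templates whose ranges overlap."""
    return [(a, ta, b, tb) for i, (a, ta) in enumerate(table)
            for b, tb in table[i + 1:]
            if ta != tb and a.version == b.version and a.overlaps(b)]


if __name__ == "__main__":
    for ip in ("192.0.2.100", "192.0.2.75", "192.0.2.128"):
        print(ip, "->", match_template(ip, build_table(SAMPLE_INFO)))
```

Overlaps with a wildcard entry are expected; the pairs to review are those where a narrower entry in one template sits inside a range assigned to a template with a different label range.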

Example 41  Handling a Mistyped IP Address in a Security Template

A mistyped entry displays an informational message. The following host addition omits :200 from the address:

# tncfg -t cipso
tncfg:cipso> add host=2001:a08:3903::0/56
Invalid host: 2001:a08:3903::0/56

Example 42  Creating an Unlabeled Subnetwork at the Label PUBLIC

In Example 29, Creating an Unlabeled Security Template at the Label PUBLIC, the security administrator creates a security template that assigns the label PUBLIC to an untrusted host. In this example, the security administrator assigns a subnet to the PUBLIC label. Users on the assigning system can mount file systems from hosts in this subnet into a PUBLIC zone.

# tncfg -t public
tncfg:public> add host=192.0.2.0/16
tncfg:public> exit

The subnet can immediately be reached at the label PUBLIC.