Trusted Extensions Configuration and Administration

Updated: December 2017
 
 

Limiting the Hosts That Can Reach the Trusted Network

How to Limit the Hosts That Can Be Contacted on the Trusted Network

This procedure protects labeled hosts from being contacted by arbitrary unlabeled hosts. When Trusted Extensions is installed, the admin_low default security template defines every host on the network. Use this procedure to enumerate specific unlabeled hosts.

The local trusted network values on each system are used to contact the network at boot time. By default, every host that is not provided with a cipso template is defined by the admin_low template. This template assigns every remote host that is not otherwise defined (0.0.0.0/0) to be an unlabeled system with the default label of admin_low.


Caution  -  The default admin_low template can be a security risk on a Trusted Extensions network. If site security requires strong protection, the security administrator can remove the 0.0.0.0/0 wildcard entry after the system is installed. The entry must be replaced with entries for every host that the system contacts at boot time. For example, DNS servers, home directory servers, audit servers, broadcast and multicast addresses, and routers must be explicitly added to a template after the 0.0.0.0/0 wildcard entry is removed. If an application initially recognizes clients at the host address 0.0.0.0/32, then you must add the 0.0.0.0/32 host entry to the admin_low template. For example, to receive initial connection requests from potential Sun Ray clients, Sun Ray servers must include this entry. Then, when the server recognizes the clients, the clients are provided an IP address and connected as labeled clients.


Before You Begin

You must be in the Security Administrator role in the global zone.

All hosts that are to be contacted at boot time must exist in the /etc/hosts file.

  1. Assign the admin_low template to every unlabeled host that must be contacted at boot time.
    • Include every unlabeled host that must be contacted at boot time.

    • Include every on-link router that is not running Trusted Extensions, through which this system must communicate.

    • Remove the 0.0.0.0/0 assignment.

  2. Add hosts to the cipso template.

      Add each labeled host that must be contacted at boot time.

    • Include every on-link router that is running Trusted Extensions, through which this system must communicate.

    • Make sure that all network interfaces are assigned to the template.

    • Include broadcast addresses.

    • Include the ranges of labeled hosts that must be contacted at boot time.

    See Example 44, Enumerating Systems for a Trusted Extensions System to Contact at Boot for a sample database.

  3. Verify that the host assignments allow the system to boot.

Example 43  Changing the Label of the 0.0.0.0/0 IP Address

In this example, the administrator creates a public gateway system. The administrator removes the 0.0.0.0/0 host entry from the admin_low template and adds the 0.0.0.0/0 host entry to the unlabeled public template. The system then recognizes any host that is not specifically assigned to another security template as an unlabeled system with the security attributes of the public security template.

# tncfg -t admin_low
tncfg:admin_low> remove host=0.0.0.0    Wildcard address
tncfg:admin_low> exit
# tncfg -t public
tncfg:public> set host_type=unlabeled
tncfg:public> set doi=1
tncfg:public> set def_label="public"
tncfg:public> set min_sl="public"
tncfg:public> set max_sl="public"
tncfg:public> add host=0.0.0.0    Wildcard address
tncfg:public> exit

Example 44  Enumerating Systems for a Trusted Extensions System to Contact at Boot

In the following example, the administrator configures the trusted network of a Trusted Extensions system with two network interfaces. The system communicates with another network and with routers. The remote hosts are assigned to one of three templates, cipso, admin_low, or public. The following commands are annotated.

# tncfg -t cipso
tncfg:cipso> add host=127.0.0.1    Loopback address
tncfg:cipso> add host=192.0.2.111    Interface 1 of this host
tncfg:cipso> add host=192.0.2.112    Interface 2 of this host
tncfg:cipso> add host=192.0.2.6    File server
tncfg:cipso> add host=192.0.2.255    Subnet broadcast address
tncfg:cipso> add host=192.0.2.1    Router
tncfg:cipso> add host=198.51.100.0/24    Another Trusted Extensions network
tncfg:cipso> exit
# tncfg -t public
tncfg:public> add host=192.0.2.12    Specific network router
tncfg:public> add host=224.0.0.2    Multicast address
tncfg:public> exit
# tncfg -t admin_low
tncfg:admin_low> add host=255.255.255.255    Broadcast address
tncfg:admin_low> exit

After specifying the hosts to contact at boot time, the administrator removes the 0.0.0.0/0 entry from the admin_low template.

# tncfg -t admin_low
tncfg:admin_low> remove host=0.0.0.0
tncfg:admin_low> exit

Example 45  Making the Host Address 0.0.0.0/32 a Valid Initial Address

In this example, the security administrator configures an application server to accept initial connection requests from potential clients.

The administrator configures the server's trusted network. The server and client entries are annotated.

# tncfg -t cipso info
name=cipso
host_type=cipso
doi=1
min_label=ADMIN_LOW
max_label=ADMIN_HIGH
host=127.0.0.1/32
host=192.0.2.1/32 Application server address
host=192.0.2.0/24 Application's client network
Other addresses to be contacted at boot time
# tncfg -t admin_low info
name=admin_low
host_type=unlabeled
doi=1
def_label=ADMIN_LOW
min_label=ADMIN_LOW
max_label=ADMIN_HIGH
host=192.0.2.0/24 Application's client network
host=0.0.0.0/0 Wildcard address
Other addresses to be contacted at boot time

After this phase of testing succeeds, the administrator locks down the configuration by removing the default wildcard address, 0.0.0.0/0, committing the change, and then adding the specific address.

# tncfg -t admin_low
tncfg:admin_low> remove host=0.0.0.0
tncfg:admin_low> commit
tncfg:admin_low> add host=0.0.0.0/32    For initial client contact
tncfg:admin_low> exit

The final admin_low configuration appears similar to the following:

# tncfg -t admin_low info
name=admin_low
host_type=unlabeled
doi=1
def_label=ADMIN_LOW
min_label=ADMIN_LOW
max_label=ADMIN_HIGH
host=192.0.2.0/24 Application's client network
host=0.0.0.0/32 For initial client contact
Other addresses to be contacted at boot time

The 0.0.0.0/32 entry allows only the clients of the application to reach the application server.
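
A pre-flight check for step 3 of the procedure and for the /0 versus /32 distinction in Example 45, as an added example that is not part of the original documentation: it parses `tncfg -t <template> info`-style text, resolves each boot-time host to its most specific host entry, and reports the hosts that only the 0.0.0.0/0 wildcard covers. The template text and host list are constructed from the addresses in Example 44 (the DNS and audit server addresses are invented), and selecting the longest matching prefix is an assumption of this sketch.

```python
import ipaddress

def parse_info(text):
    """Parse `tncfg -t <template> info` style text into (name, [networks])."""
    name, nets = None, []
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "name":
            name = value.strip()
        elif key == "host" and value.strip():
            # First token is the address; anything after it is an annotation.
            nets.append(ipaddress.ip_network(value.split()[0], strict=False))
    return name, nets

def match(addr, templates):
    """Most specific (template, network) covering addr, or None (assumed rule)."""
    ip, best = ipaddress.ip_address(addr), None
    for name, nets in templates.items():
        for net in nets:
            if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return best

def wildcard_only(boot_hosts, templates):
    """Boot-time hosts that nothing but 0.0.0.0/0 covers (or nothing at all)."""
    risky = []
    for role, addr in boot_hosts:
        hit = match(addr, templates)
        if hit is None or hit[1].prefixlen == 0:
            risky.append((role, addr))
    return risky

# Constructed sample input, modelled on the addresses in Example 44.
SAMPLE = [
    "name=cipso\nhost=127.0.0.1/32\nhost=192.0.2.6/32 File server\n"
    "host=192.0.2.1/32 Router\nhost=198.51.100.0/24",
    "name=public\nhost=192.0.2.12/32\nhost=224.0.0.2/32",
    "name=admin_low\nhost=255.255.255.255/32\nhost=0.0.0.0/0 Wildcard address",
]
BOOT_HOSTS = [("file server", "192.0.2.6"), ("router", "192.0.2.1"),
              ("audit server", "198.51.100.20"), ("dns server", "203.0.113.53")]

TEMPLATES = dict(parse_info(t) for t in SAMPLE)
# Same templates after the lockdown in Example 45: /0 replaced by /32.
LOCKED = dict(TEMPLATES, admin_low=[ipaddress.ip_network("255.255.255.255/32"),
                                    ipaddress.ip_network("0.0.0.0/32")])

if __name__ == "__main__":
    for role, addr in wildcard_only(BOOT_HOSTS, TEMPLATES):
        print(f"add before removing 0.0.0.0/0: {role} {addr}")
    print("0.0.0.0 after lockdown      ->", match("0.0.0.0", LOCKED))
    print("203.0.113.53 after lockdown ->", match("203.0.113.53", LOCKED))
```

On a live system the input would be the saved `info` output of each template, and every host the check reports needs its own entry before the wildcard is removed.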

Example 46  Configuring a Valid Initial Address for a Labeled Sun Ray Server

In this example, the security administrator configures a Sun Ray server to accept initial connection requests from potential clients. The server is using a private topology and the Sun Ray server defaults.

# utadm -a net0

Then, the administrator configures the server's trusted network. The server and client entries are annotated.

# tncfg -t cipso info
name=cipso
host_type=cipso
doi=1
min_label=ADMIN_LOW
max_label=ADMIN_HIGH
host=127.0.0.1/32
host=192.0.2.1/32 Sun Ray server address
host=192.0.2.0/24 Sun Ray client network
Other addresses to be contacted at boot time
# tncfg -t admin_low info
name=admin_low
host_type=unlabeled
doi=1
def_label=ADMIN_LOW
min_label=ADMIN_LOW
max_label=ADMIN_HIGH
host=192.0.2.0/24 Sun Ray client network
host=0.0.0.0/0 Wildcard address
Other addresses to be contacted at boot time

After this phase of testing succeeds, the administrator locks down the configuration by removing the default wildcard address, 0.0.0.0/0, committing the change, and then adding the specific address.

# tncfg -t admin_low
tncfg:admin_low> remove host=0.0.0.0
tncfg:admin_low> commit
tncfg:admin_low> add host=0.0.0.0/32    For initial client contact
tncfg:admin_low> exit

The final admin_low configuration appears similar to the following:

# tncfg -t admin_low info
name=admin_low
host_type=unlabeled
doi=1
def_label=ADMIN_LOW
min_label=ADMIN_LOW
max_label=ADMIN_HIGH
host=192.0.2.0/24 Sun Ray client network
host=0.0.0.0/32 For initial client contact
Other addresses to be contacted at boot time

The 0.0.0.0/32 entry allows only Sun Ray clients to reach the server.