Understanding Security Attributes Assigned to Network Interfaces

All interfaces on a computer running Trusted Solaris software are automatically detected by the trusted network software and assigned a default set of attributes. The Interface Manager shown below is used only when the Security Administrator role wants to change the defaults for an interface.

The default attributes are shown in the following table:

Summary - Any values specified for a computer in a template take precedence over any values supplied for the network interface, and if no values are specified, system defaults apply. For example, if computer A is assigned a default label of INTERNAL, while the network interface that is connected to the network where computer A resides is assigned a default label of PUBLIC, the data coming from computer A is assigned the INTERNAL label. The default label assigned by the network interface is not used.

Network Interface Accreditation Range

The Minimum Label and the Maximum Label are used to set the range of labels for data that can be sent through the interface.

Full communications within a Trusted Solaris domain require an accreditation range of ADMIN_LOW to ADMIN_HIGH.

To be able to leave certain fields empty in a single template assigned to one computer or to a group of computers that is accessed through the same network interface, the Security Administrator role can specify the values in an entry that applies to that network interface.

The entries assigned to network interfaces are looked at only if certain fields are left empty in the template assigned to a computer. If a value is not found either in the template that covers the host or in an entry that applies to the interface through which the remote computer is accessed, then a set of default values is applied.

Restrict the accreditation range on a network interface with care. Network services fail unless the network interface is configured with an accreditation range that includes the labels upon which those services depend. For example, audit clients cannot write ADMIN_HIGH audit data onto the audit server unless the ADMIN_HIGH label is in the range. Full communications within a Trusted Solaris domain require an accreditation range of ADMIN_LOW to ADMIN_HIGH.

Default Security Attributes

The Default Label, Default Clearance, and optional Forced Privileges in the Interface Manager are rarely useful. They would be used when a Trusted Solaris computer is communicating with a computer that is running an operating system that does not recognize labels or privileges, such as the Solaris operating environment, and then only if the same fields have been left empty in the template that applies to the single-label computer. For example, the Security Administrator role might create an entry for a second interface on the local computer that would apply the same label, clearance, and optional forced privileges to all computers running Solaris on the network that is connected to the second interface. These fields could then be left empty in any templates that cover the computers (as specified in the Security Families tool in Computers and Networks).

Default Label

The Default Label should reflect the level of trust that is appropriate for the computer and its users.

Default Clearance

The Default Clearance sets the upper limit for write operations performed on the Trusted Solaris computer by someone on the unlabeled computer. For example, on an unlabeled computer with a Default Label of CONFIDENTIAL and Default Clearance of SECRET, a user who is working on a file system mounted from a Trusted Solaris computer can open an upgraded file with a label of SECRET and write into it (if the file's name is known to that user).

Forced Privileges

An unlabeled computer does not recognize privileges. Specifying privileges in the Forced Privileges field affects only how the Trusted Solaris system handles requests from a program that is running on the unlabeled computer. Specifying privileges enables a client from an unlabeled computer to do something not otherwise permitted, such as reading a file whose label dominates that of the client or communicating with X clients owned by another user. If the corresponding values are set in a template that covers the computer, the value in the template takes precedence over the values specified for the network interface.

The following describes whose values are used for a network interface:

1. Is the needed value specified in a remote host template?

   1. If yes, the value in the template is used

   2. If no, is the needed value specified in an entry for the interface?

      1. If yes, use the value specified for the interface.

      2. If no, use the default value.