Skip Navigation Links | |
Exit Print View | |
Oracle Solaris Trusted Extensions Configuration and Administration Oracle Solaris 11 Express 11/10 |
Part I Initial Configuration of Trusted Extensions
1. Security Planning for Trusted Extensions
2. Configuration Roadmap for Trusted Extensions
3. Adding Trusted Extensions Software to the Oracle Solaris OS (Tasks)
4. Configuring Trusted Extensions (Tasks)
5. Configuring LDAP for Trusted Extensions (Tasks)
6. Configuring a Headless System With Trusted Extensions (Tasks)
Part II Administration of Trusted Extensions
7. Trusted Extensions Administration Concepts
8. Trusted Extensions Administration Tools
9. Getting Started as a Trusted Extensions Administrator (Tasks)
10. Security Requirements on a Trusted Extensions System (Overview)
11. Administering Security Requirements in Trusted Extensions (Tasks)
12. Users, Rights, and Roles in Trusted Extensions (Overview)
13. Managing Users, Rights, and Roles in Trusted Extensions (Tasks)
14. Remote Administration in Trusted Extensions (Tasks)
15. Trusted Extensions and LDAP (Overview)
16. Managing Zones in Trusted Extensions (Tasks)
17. Managing and Mounting Files in Trusted Extensions (Tasks)
18. Trusted Networking (Overview)
19. Managing Networks in Trusted Extensions (Tasks)
Managing the Trusted Network (Task Map)
Configuring Trusted Network Databases (Task Map)
How to Determine If You Need Site-Specific Security Templates
How to Construct a Remote Host Template
How to Add Hosts to the System's Known Network
How to Assign a Security Template to a Host or a Group of Hosts
How to Limit the Hosts That Can Be Contacted on the Trusted Network
Configuring Routes and Checking Network Information in Trusted Extensions (Task Map)
How to Configure Routes With Security Attributes
How to Check the Syntax of Trusted Network Databases
How to Compare Trusted Network Database Information With the Kernel Cache
How to Synchronize the Kernel Cache With Trusted Network Databases
Configuring Labeled IPsec (Task Map)
How to Apply IPsec Protections in a Multilevel Trusted Extensions Network
Troubleshooting the Trusted Network (Task Map)
How to Verify That a Host's Interfaces Are Up
How to Debug the Trusted Extensions Network
How to Debug a Client Connection to the LDAP Server
20. Multilevel Mail in Trusted Extensions (Overview)
21. Managing Labeled Printing (Tasks)
22. Devices in Trusted Extensions (Overview)
23. Managing Devices for Trusted Extensions (Tasks)
24. Trusted Extensions Auditing (Overview)
25. Software Management in Trusted Extensions (Reference)
Creating and Managing a Security Policy
Site Security Policy and Trusted Extensions
Computer Security Recommendations
Physical Security Recommendations
Personnel Security Recommendations
Additional Security References
B. Configuration Checklist for Trusted Extensions
Checklist for Configuring Trusted Extensions
C. Quick Reference to Trusted Extensions Administration
Administrative Interfaces in Trusted Extensions
Oracle Solaris Interfaces Extended by Trusted Extensions
Tighter Security Defaults in Trusted Extensions
Limited Options in Trusted Extensions
D. List of Trusted Extensions Man Pages
Trusted Extensions Man Pages in Alphabetical Order
Oracle Solaris Man Pages That Are Modified by Trusted Extensions
The following task map describes tasks that are used to add labels to IPsec protections.
|
In this procedure, you configure IPsec on two Trusted Extensions systems to handle the following conditions:
The two systems, enigma and partym, are multilevel Trusted Extensions systems that are operating in a multilevel network.
Application data is encrypted and protected against unauthorized change within the network.
The security label of the data is visible in the form of a CIPSO IP option for use by multilabel routers and security devices on the path between the enigma and partym systems.
The security labels that enigma and partym exchange are protected against unauthorized changes.
You must be in the Security Administrator role in the global zone.
Follow the procedures in Configuring Trusted Network Databases (Task Map). Use a template with a CIPSO host type.
For the procedure, see How to Secure Traffic Between Two Systems With IPsec in System Administration Guide: IP Services. Use IKE for key management, as described in the following step.
Follow the procedure in How to Configure IKE With Preshared Keys in System Administration Guide: IP Services, then modify the ike/config file as follows:
The resulting file appears similar to the following. The label additions are highlighted.
### ike/config file on enigma, 192.168.116.16 ## Global parameters # ## Phase 1 transform defaults p1_lifetime_secs 14400 p1_nonce_len 40 # ## Use IKE to exchange security labels. label_aware # ## Defaults that individual rules can override. p1_xform { auth_method preshared oakley_group 5 auth_alg sha encr_alg des } p2_pfs 2 # ## The rule to communicate with partym # Label must be unique { label "enigma-partym" local_addr 192.168.116.16 remote_addr 192.168.13.213 multi_label wire_label inner p1_xform { auth_method preshared oakley_group 5 auth_alg md5 encr_alg aes } p2_pfs 5 }
### ike/config file on partym, 192.168.13.213 ## Global Parameters # p1_lifetime_secs 14400 p1_nonce_len 40 # ## Use IKE to exchange security labels. label_aware # p1_xform { auth_method preshared oakley_group 5 auth_alg sha encr_alg des } p2_pfs 2 ## The rule to communicate with enigma # Label must be unique { label "partym-enigma" local_addr 192.168.13.213 remote_addr 192.168.116.16 multi_label wire_label inner p1_xform { auth_method preshared oakley_group 5 auth_alg md5 encr_alg aes } p2_pfs 5 }
Use encr_auth_algs rather than auth_algs in the /etc/inet/ipsecinit.conf file to handle authentication. ESP authentication does not cover the IP header and IP options, but will authenticate all information after the ESP header.
{laddr enigma raddr partym} ipsec {encr_algs any encr_auth_algs any sa shared}
Note - You can also add labels to systems that are protected by certificates. Public key certificates are managed in the global zone on Trusted Extensions systems. Modify the ike/config files similarly when completing the procedures in Configuring IKE With Public Key Certificates in System Administration Guide: IP Services.
This procedure configures an IPsec tunnel across a public network between two Trusted Extensions VPN gateway systems. The example that is used in this procedure is based on the configuration that is illustrated in Description of the Network Topology for the IPsec Tasks to Protect a VPN in System Administration Guide: IP Services.
Assume the following modifications to the illustration:
The net 10 networks are multilevel trusted networks. CIPSO IP option security labels are visible on these LANs.
The net 192.168 networks are single-label untrusted networks that operate at the PUBLIC label. These networks do not support CIPSO IP options.
Labeled traffic between enigma and partym is protected against unauthorized changes.
You must be in the Security Administrator role in the global zone.
Use a template with a cipso host type. Set the label range from ADMIN_LOW to ADMIN_HIGH.
Use a template with an unlabeled host type. Set the default label to be PUBLIC.
Use a template with a cipso host type. Set the label range from ADMIN_LOW to ADMIN_HIGH.
Follow the procedure in How to Protect a VPN With an IPsec Tunnel in Tunnel Mode in System Administration Guide: IP Services. Use IKE for key management, as described in the following step.
Follow the procedure in How to Configure IKE With Preshared Keys in System Administration Guide: IP Services, then modify the ike/config file as follows:
The resulting file appears similar to the following. The label additions are highlighted.
### ike/config file on enigma, 192.168.116.16 ## Global parameters # ## Phase 1 transform defaults p1_lifetime_secs 14400 p1_nonce_len 40 # ## Use IKE to exchange security labels. label_aware # ## Defaults that individual rules can override. p1_xform { auth_method preshared oakley_group 5 auth_alg sha encr_alg des } p2_pfs 2 # ## The rule to communicate with partym # Label must be unique { label "enigma-partym" local_addr 192.168.116.16 remote_addr 192.168.13.213 multi_label wire_label none PUBLIC p1_xform { auth_method preshared oakley_group 5 auth_alg md5 encr_alg aes } p2_pfs 5 }
### ike/config file on partym, 192.168.13.213 ## Global Parameters # p1_lifetime_secs 14400 p1_nonce_len 40 # ## Use IKE to exchange security labels. label_aware # p1_xform { auth_method preshared oakley_group 5 auth_alg sha encr_alg des } p2_pfs 2 ## The rule to communicate with enigma # Label must be unique { label "partym-enigma" local_addr 192.168.13.213 remote_addr 192.168.116.16 multi_label wire_label none PUBLIC p1_xform { auth_method preshared oakley_group 5 auth_alg md5 encr_alg aes } p2_pfs 5 }
Note - You can also add labels to systems that are protected by certificates. Modify the ike/config files similarly when completing the procedures in Configuring IKE With Public Key Certificates in System Administration Guide: IP Services.