This section contains pointers to or examples of adding hosts to security templates. For discontinuous IP addresses, see How to Add a Host to a Security Template. For a range of hosts, see How to Add a Range of Hosts to a Security Template.
The examples in this section illustrate the following remote host label assignments:
A trusted remote gateway handles PUBLIC traffic. See Example 16–4.
Untrusted remote hosts act as single-label routers. See Example 16–5.
Trusted remote hosts restrict traffic to within a narrow label range. See Example 16–6.
Trusted remote hosts are assigned a limited set of labels. See Example 16–7.
Trusted remote hosts are assigned labels that are disjoint from the rest of the network. See Example 16–8.
A trusted netif host labels packets from adaptive systems. See Example 16–9.
An untrusted adaptive host sends packets to a netif host. See Example 16–10.
A trusted homogeneous network adds a multicast address at a specific label. See Example 16–11.
A host is removed from a security template. See Example 16–12.
Untrusted remote hosts and networks are assigned labels. See Example 16–15.
Before You Begin
The following must be in place:
The IP addresses must exist in the /etc/hosts file or be resolvable by DNS.
For the hosts file, see How to Add Hosts to the System's Known Network.
For DNS, see Chapter 3, Managing Domain Name System, in Working With Oracle Solaris 11.2 Directory and Naming Services: DNS and NIS.
The label endpoints must match. For the rules, see About Routing in Trusted Extensions.
You must be in the Security Administrator role in the global zone.
In this example, you verify that you can reach 192.168.1.2.
# arp 192.168.1.2
gateway-2.example.com (192.168.1.2) at 0:0:0:1:ad:cd
The arp command verifies that the host is defined in the system's /etc/hosts file or is resolvable by DNS.
In this example, you add the 192.168.1.2 IP address.
# tncfg -t cipso
tncfg:cipso> add host=192.168.1.2
If you add a host that was previously added to another template, you are notified that you are replacing its security template assignment. For the informational message, see Example 16–3.
The following example shows the 192.168.1.2 address added to the cipso template:
tncfg:cipso> info
...
host=192.168.1.2/32
The prefix length of /32 indicates that the address is exact.
tncfg:cipso> commit
tncfg:cipso> exit
To remove a host entry, see Example 16–12.
This example illustrates the informational message that displays when you assign a security template to a host that already has a template assignment.
# tncfg -t cipso
tncfg:cipso> add host=192.168.1.2
192.168.1.2 previously matched the admin_low template
tncfg:cipso> info
...
host=192.168.1.2/32
tncfg:cipso> exit
Example 16-4 Creating a Gateway That Handles Packets at One Label
In Example 16–1, the security administrator creates a security template that defines a gateway that can only pass packets at the label PUBLIC. In this example, the security administrator ensures that the gateway host's IP address can be resolved.
# arp 192.168.131.75
gateway-1.example.com (192.168.131.75) at 0:0:0:1:ab:cd
The arp command verifies that the host is defined in the system's /etc/hosts file or is resolvable by DNS.
Then, the administrator adds the gateway-1 host to the security template.
# tncfg -t cipso_public
tncfg:cipso_public> add host=192.168.131.75
tncfg:cipso_public> exit
The system can immediately send and receive public packets through gateway-1.
Example 16-5 Creating an Unlabeled Router to Route Labeled Packets
Any IP router can forward messages with CALIPSO or CIPSO labels even though the router does not explicitly support labels. Such an unlabeled router requires a default label to define the level at which connections to the router, perhaps for router management, must be handled. In this example, the security administrator creates a router that can forward traffic at any label, but all direct communication with the router is handled at the default label, PUBLIC.
First, the security administrator creates the template from scratch.
# tncfg -t unl_public_router
tncfg:unl_public_router> set host_type=unlabeled
tncfg:unl_public_router> set doi=1
tncfg:unl_public_router> set def_label="PUBLIC"
tncfg:unl_public_router> set min_label=ADMIN_LOW
tncfg:unl_public_router> set max_label=ADMIN_HIGH
tncfg:unl_public_router> exit
Then, the administrator adds the router to the security template.
# tncfg -t unl_public_router
tncfg:unl_public_router> add host=192.168.131.82
tncfg:unl_public_router> exit
The system can immediately send and receive packets at all labels through router-1, the host name of the 192.168.131.82 address.
Example 16-6 Creating a Gateway With a Limited Label Range
In this example, the security administrator creates a template that restricts packets to a narrow label range and adds the gateway to the template.
# arp 192.168.131.78
gateway-ir.example.com (192.168.131.78) at 0:0:0:3:ab:cd
# tncfg -t cipso_iuo_rstrct
tncfg:cipso_iuo_rstrct> set host_type=cipso
tncfg:cipso_iuo_rstrct> set doi=1
tncfg:cipso_iuo_rstrct> set min_label=0x0004-08-48
tncfg:cipso_iuo_rstrct> set max_label=0x0004-08-78
tncfg:cipso_iuo_rstrct> add host=192.168.131.78
tncfg:cipso_iuo_rstrct> exit
The system can immediately send and receive packets that are labeled internal and restricted through gateway-ir.
Example 16-7 Creating Hosts at Discrete Labels
In this example, the security administrator creates a security template that recognizes two labels only, confidential : internal use only and confidential : restricted. All other traffic is rejected.
First, the security administrator ensures that each host's IP addresses can be resolved.
# arp 192.168.132.21
host-auxset1.example.com (192.168.132.21) at 0:0:0:4:ab:cd
# arp 192.168.132.22
host-auxset2.example.com (192.168.132.22) at 0:0:0:5:ab:cd
# arp 192.168.132.23
host-auxset3.example.com (192.168.132.23) at 0:0:0:6:ab:cd
# arp 192.168.132.24
host-auxset4.example.com (192.168.132.24) at 0:0:0:7:ab:cd
Then, the administrator is careful to type the labels precisely. The software recognizes labels in uppercase and lowercase letters and by short name, but does not recognize labels where the spacing is inaccurate. For example, the label cnf :restricted is not a valid label.
# tncfg -t cipso_int_and_rst
tncfg:cipso_int_and_rst> set host_type=cipso
tncfg:cipso_int_and_rst> set doi=1
tncfg:cipso_int_and_rst> set min_label="cnf : internal use only"
tncfg:cipso_int_and_rst> set max_label="cnf : internal use only"
tncfg:cipso_int_and_rst> set aux_label="cnf : restricted"
tncfg:cipso_int_and_rst> exit
Then, the administrator assigns the range of IP addresses to the security template by using a prefix length.
# tncfg -t cipso_int_and_rst
tncfg:cipso_int_and_rst> add host=192.168.132.0/24
Example 16-8 Creating a Labeled Host for Developers
In this example, the security administrator creates a cipso_sandbox security template. This template is assigned to systems that are used by developers of trusted software. Developer tests do not affect other labeled hosts because the label SANDBOX is disjoint from the other labels on the network.
# tncfg -t cipso_sandbox
tncfg:cipso_sandbox> set host_type=cipso
tncfg:cipso_sandbox> set doi=1
tncfg:cipso_sandbox> set min_label="SBX"
tncfg:cipso_sandbox> set max_label="SBX"
tncfg:cipso_sandbox> add host=196.168.129.102
tncfg:cipso_sandbox> add host=196.168.129.129
tncfg:cipso_sandbox> exit
The developers who use the 196.168.129.102 and 196.168.129.129 systems can communicate with each other at the label SANDBOX.
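The following is an added example, not code from the Oracle documentation or from Trusted Extensions itself. It models the admission rule that Examples 16-6 through 16-8 rely on: a packet is accepted by a template only if its label lies within the min_label to max_label range, or matches aux_label exactly. The label encodings (classification numbers and compartment names), the Label and Template classes, and the modelling of the cipso_iuo_rstrct hex range as the two named labels are all assumptions; real labels come from the system's label_encodings file.

```python
# Added example, not part of the Oracle documentation: a model of how a
# template's min_label/max_label range and aux_label decide whether a packet's
# label is accepted. The label encodings below are constructed; real labels
# come from the system's label_encodings file, not from this table.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Label:
    """An MLS label: a classification level plus a set of compartments."""
    name: str
    classification: int
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Standard MLS dominance: at least the same level and a superset of
        # the other label's compartments.
        return (self.classification >= other.classification
                and self.compartments >= other.compartments)


def disjoint(a: Label, b: Label) -> bool:
    """Neither label dominates the other, so a range that admits one of them
    cannot admit the other without reaching a label that dominates both."""
    return not a.dominates(b) and not b.dominates(a)


# Constructed label set. SBX carries a compartment that no other working label
# has, which is what makes it disjoint from the rest of the network.
ADMIN_LOW = Label("ADMIN_LOW", 0)
PUBLIC = Label("PUBLIC", 1)
CNF_IUO = Label("cnf : internal use only", 2, frozenset({"iuo"}))
CNF_RST = Label("cnf : restricted", 2, frozenset({"iuo", "rst"}))
SBX = Label("SANDBOX", 2, frozenset({"sbx"}))
ADMIN_HIGH = Label("ADMIN_HIGH", 99, frozenset({"iuo", "rst", "sbx"}))


@dataclass(frozen=True)
class Template:
    name: str
    min_label: Label
    max_label: Label
    aux_label: Optional[Label] = None

    def accepts(self, packet_label: Label) -> bool:
        """True if the label lies within [min_label, max_label] or equals the
        auxiliary label; everything else is rejected."""
        in_range = (packet_label.dominates(self.min_label)
                    and self.max_label.dominates(packet_label))
        return in_range or packet_label == self.aux_label


# The templates of Examples 16-6 to 16-8. Modelling the hex range of
# cipso_iuo_rstrct as the two named labels is an assumption.
TEMPLATES: Dict[str, Template] = {
    "cipso": Template("cipso", ADMIN_LOW, ADMIN_HIGH),
    "cipso_iuo_rstrct": Template("cipso_iuo_rstrct", CNF_IUO, CNF_RST),
    "cipso_int_and_rst": Template("cipso_int_and_rst", CNF_IUO, CNF_IUO,
                                  aux_label=CNF_RST),
    "cipso_sandbox": Template("cipso_sandbox", SBX, SBX),
}


def accepted_by(packet_label: Label) -> List[str]:
    """Names of the templates that would accept a packet at this label."""
    return [name for name, t in TEMPLATES.items() if t.accepts(packet_label)]


if __name__ == "__main__":
    for label in (PUBLIC, CNF_IUO, CNF_RST, SBX):
        print(f"{label.name!r:30} accepted by {accepted_by(label)}")
    print("SBX disjoint from cnf : internal use only:", disjoint(SBX, CNF_IUO))
```

The cipso_int_and_rst template admits "cnf : restricted" only through aux_label, because that label does not fall inside a range whose upper bound is "cnf : internal use only"; and a SANDBOX packet is accepted by nothing except cipso_sandbox and the wide-open cipso range, which is the isolation the developer example describes.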
Example 16-9 Creating a Security Template for a netif Host
In this example, the security administrator creates a netif security template. This template is assigned to the labeled network interface that hosts the IP address 10.121.10.3. With this assignment, the Trusted Extensions IP module adds the default label, PUBLIC, to all incoming packets that arrive from an adaptive host.
# tncfg -t netif_public
tncfg:netif_public> set host_type=netif
tncfg:netif_public> set doi=1
tncfg:netif_public> set def_label="PUBLIC"
tncfg:netif_public> add host=10.121.10.3
tncfg:netif_public> commit
tncfg:netif_public> exit
Example 16-10 Creating Security Templates for Adaptive Hosts
In this example, the security administrator plans ahead. The administrator creates different subnets for a network that holds public information and a network that holds internal information. The administrator then defines two adaptive hosts. Systems in the public subnet are assigned the PUBLIC label. Systems in the internal network are assigned the IUO label. Because this network is planned ahead of time, each network holds and transmits information at a specific label. Another advantage is that the network is easily debugged when packets are not delivered at the expected interface.
# tncfg -t adpub_192_168_10
tncfg:adpub_192_168_10> set host_type=adapt
tncfg:adpub_192_168_10> set doi=1
tncfg:adpub_192_168_10> set min_label="public"
tncfg:adpub_192_168_10> set max_label="public"
tncfg:adpub_192_168_10> add host=192.168.10.0
tncfg:adpub_192_168_10> commit
tncfg:adpub_192_168_10> exit
# tncfg -t adiuo_192_168_20
tncfg:adiuo_192_168_20> set host_type=adapt
tncfg:adiuo_192_168_20> set doi=1
tncfg:adiuo_192_168_20> set min_label="iuo"
tncfg:adiuo_192_168_20> set max_label="iuo"
tncfg:adiuo_192_168_20> add host=192.168.20.0
tncfg:adiuo_192_168_20> commit
tncfg:adiuo_192_168_20> exit
Example 16-11 Sending Labeled Multicast Messages
In this example on a labeled, homogeneous LAN, the security administrator chooses an available multicast address over which to send packets at the label PUBLIC.
# tncfg -t cipso_public
tncfg:cipso_public> add host=224.4.4.4
tncfg:cipso_public> exit
Example 16-12 Removing Several Hosts From a Security Template
In this example, the security administrator removes several hosts from the cipso security template. The administrator uses the info subcommand to display the hosts, then types remove, and copies and pastes four host= entries.
# tncfg -t cipso info
name=cipso
host_type=cipso
doi=1
min_label=ADMIN_LOW
max_label=ADMIN_HIGH
host=127.0.0.1/32
host=192.168.1.2/32
host=192.168.113.0/24
host=192.168.113.100/25
host=2001:a08:3903:200::0/56
# tncfg -t cipso
tncfg:cipso> remove host=192.168.1.2/32
tncfg:cipso> remove host=192.168.113.0/24
tncfg:cipso> remove host=192.168.113.100/25
tncfg:cipso> remove host=2001:a08:3903:200::0/56
tncfg:cipso> info
...
max_label=ADMIN_HIGH
host=127.0.0.1/32
host=192.168.75.0/24
After removing the hosts, the administrator commits the changes and exits the security template.
tncfg:cipso> commit
tncfg:cipso> exit
#
Before You Begin
For the requirements, see How to Add a Host to a Security Template.
In this example, you add two IPv4 subnets to the cipso template, then display the security template.
# tncfg -t cipso
tncfg:cipso> add host=192.168.75.0
tncfg:cipso> add host=192.168.113.0
tncfg:cipso> info
...
host=192.168.75.0/24
host=192.168.113.0/24
tncfg:cipso> exit
The prefix length of /24 indicates that the address, which ends in .0, is a subnet.
# tncfg -t cipso
tncfg:cipso> add host=192.168.113.100/25
192.168.113.100/25 previously matched the admin_low template
In the following example, the /25 prefix length covers contiguous IPv4 addresses from 192.168.113.0 to 192.168.113.127. The address includes 192.168.113.100.
# tncfg -t cipso
tncfg:cipso> add host=192.168.113.100/25
tncfg:cipso> exit
In the following example, the /56 prefix length covers contiguous IPv6 addresses from 2001:a08:3903:200::0 to 2001:a08:3903:2ff:ffff:ffff:ffff:ffff. The address includes 2001:a08:3903:201:20e:cff:fe08:58c.
# tncfg -t cipso
tncfg:cipso> add host=2001:a08:3903:200::0/56
tncfg:cipso> info
...
host=2001:a08:3903:200::0/56
tncfg:cipso> exit
If you add a host that was previously added to another template, you are notified that you are replacing its security template assignment. For the informational message, see Example 16–13.
A mistyped entry also displays an informational message, as shown in Example 16–14.
This example illustrates the informational message that displays when you assign a security template to a range of hosts that already has a template assignment.
# tncfg -t cipso
tncfg:cipso> add host=192.168.113.100/32
192.168.113.100/32 previously matched the admin_low template
tncfg:cipso> info
...
host=192.168.113.100/32
tncfg:cipso> exit
The Trusted Extensions fallback mechanism ensures that this explicit assignment overrides the previous assignment, as discussed in Trusted Network Fallback Mechanism.
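The following is an added example, not code from the Oracle documentation or from the tncfg utility. It models the host-to-template mapping that the range procedure above manipulates: how a host= value without a prefix length is normalized (the page states that an exact IPv4 address gets /32 and an address ending in .0 gets /24; extending that so each further trailing zero octet removes eight bits, giving /16 for 10.10.0.0 and /0 for the 0.0.0.0 wildcard, is an assumption), the "previously matched" notice when an address is already covered by another template, and the longest-prefix lookup that the fallback mechanism performs. The HostDatabase class, the starting state in which admin_low holds the 0.0.0.0 wildcard, and the address_range and covers helpers are all constructed for this example.

```python
# Added example, not part of the Oracle documentation or of tncfg: an
# in-memory model of the host-to-template mapping with prefix-length
# normalization, the "previously matched" notice, and longest-prefix lookup.
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Interface = Union[ipaddress.IPv4Interface, ipaddress.IPv6Interface]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def normalize_host(entry: str) -> Interface:
    """Turn a host= value into address/prefix as tncfg's info output shows it.

    An explicit prefix is kept as given (host bits included, so
    192.168.113.100/25 stays 192.168.113.100/25). Without a prefix, an exact
    IPv4 address is /32 and each trailing zero octet removes eight bits
    (generalization of the page's ".0 is a /24 subnet" rule, an assumption).
    IPv6 without a prefix is treated as exact (/128), also an assumption.
    """
    if "/" in entry:
        return ipaddress.ip_interface(entry)
    addr = ipaddress.ip_address(entry)
    if addr.version == 4:
        zeros = 0
        for octet in reversed(entry.split(".")):
            if octet != "0":
                break
            zeros += 1
        prefixlen = 32 - 8 * zeros
    else:
        prefixlen = 128
    return ipaddress.ip_interface(f"{addr}/{prefixlen}")


def address_range(entry: str) -> Tuple[str, str]:
    """First and last address covered by a host= entry."""
    net = normalize_host(entry).network
    return str(net[0]), str(net[-1])


def covers(entry: str, address: str) -> bool:
    """Whether a host= entry's prefix contains the given address."""
    return ipaddress.ip_address(address) in normalize_host(entry).network


class HostDatabase:
    """Constructed stand-in for the host-to-template mapping."""

    def __init__(self) -> None:
        # network (host bits cleared) -> (template name, display form)
        self._entries: Dict[Network, Tuple[str, str]] = {}

    def lookup(self, address: str) -> Optional[str]:
        """Fallback mechanism: the most specific (longest) matching prefix wins."""
        addr = ipaddress.ip_address(address)
        best: Optional[Tuple[Network, str]] = None
        for net, (template, _) in self._entries.items():
            if net.version != addr.version or addr not in net:
                continue
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, template)
        return best[1] if best else None

    def add_host(self, template: str, entry: str) -> Tuple[str, Optional[str]]:
        """Assign an entry to a template; returns (display form, notice)."""
        iface = normalize_host(entry)
        previous = self.lookup(str(iface.ip))
        notice = None
        if previous is not None and previous != template:
            notice = f"{iface} previously matched the {previous} template"
        self._entries[iface.network] = (template, str(iface))
        return str(iface), notice

    def remove_host(self, entry: str) -> bool:
        """Drop an entry; returns False if no such prefix was assigned."""
        return self._entries.pop(normalize_host(entry).network, None) is not None

    def info(self, template: str) -> List[str]:
        """host= lines for one template, in the style of tncfg's info output."""
        return sorted(f"host={shown}" for _, (tmpl, shown)
                      in self._entries.items() if tmpl == template)


def demo() -> Dict[str, Optional[str]]:
    """Replays the page's range procedure against the constructed database."""
    db = HostDatabase()
    db.add_host("admin_low", "0.0.0.0")          # constructed wildcard default
    db.add_host("cipso", "192.168.75.0")         # stored as /24
    _, notice = db.add_host("cipso", "192.168.113.100/32")
    return {"notice": notice,
            "192.168.113.100": db.lookup("192.168.113.100"),
            "192.168.113.101": db.lookup("192.168.113.101")}


if __name__ == "__main__":
    print(address_range("192.168.113.100/25"))
    print(address_range("2001:a08:3903:200::0/56"))
    print(demo())
```

The lookup shows why the explicit /32 for 192.168.113.100 overrides admin_low: both entries contain the address, but the longer prefix is chosen, while the neighbouring 192.168.113.101 still falls back to the wildcard.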
Example 16-14 Handling a Mistyped IP Address in a Security Template
A mistyped entry displays an informational message. The following host addition omits :200 from the address:
# tncfg -t cipso
tncfg:cipso> add host=2001:a08:3903::0/56
Invalid host: 2001:a08:3903::0/56
Example 16-15 Creating an Unlabeled Subnetwork at the Label PUBLIC
In Example 16–2, the security administrator creates a security template that assigns the label PUBLIC to an untrusted host. In this example, the security administrator assigns a subnet to the PUBLIC label. Users on the assigning system can mount file systems from hosts in this subnet into a PUBLIC zone.
# tncfg -t public
tncfg:public> add host=10.10.0.0/16
tncfg:public> exit
The subnet can immediately be reached at the label PUBLIC.