Go to main content

Trusted Extensions Configuration and Administration

Exit Print View

Updated: March 2019
 
 

Adding Hosts to Security Templates

This section contains pointers to or examples of adding hosts to security templates. For discontinuous IP addresses, see How to Add a Host to a Security Template. For a range of hosts, see How to Add a Range of Hosts to a Security Template.

How to Add a Host to a Security Template

Before You Begin

  1. (Optional)Verify that you can reach the host name or IP address that you are going to add.

    In this example, you verify that you can reach 192.168.1.2.

    # arp 192.168.1.2
    gateway-2.example.com (192.168.1.2) at 0:0:0:1:ad:cd

    The arp command verifies that the host is defined in the system's /etc/hosts file or is resolvable by DNS.

  2. Add a host name or IP address to a security template.

    In this example, you add the 192.168.1.2 IP address.

    # tncfg -t cipso
    tncfg:cipso> add host=192.168.1.2

    If you add a host that was previously added to another template, you are notified that you are replacing its security template assignment. For the informational message, see Example 26, Replacing a Host's Security Template Assignment.

  3. View the changed security template.

    The following example shows the 192.168.1.2 address added to the cipso template:

    tncfg:cipso> info
    ...
    host=192.168.1.2/32

    The prefix length of /32 indicates that the address is exact.

  4. Commit the change and exit the security template.
    tncfg:cipso> commit
    tncfg:cipso> exit

    To remove a host entry, see Example 35, Removing Several Hosts From a Security Template.

Example 26  Replacing a Host's Security Template Assignment

This example illustrates the informational message that displays when you assign a security template to a host that already has a template assignment.

# tncfg -t cipso
tncfg:cipso> add host=192.168.1.2
192.168.1.2 previously matched the admin_low template
tncfg:cipso> info
...
host=192.168.1.2/32
tncfg:cipso> exit
Example 27  Creating a Gateway That Handles Packets at One Label

In Example 24, Creating a Security Template for a Gateway That Handles Packets at One Label, the security administrator creates a security template that defines a gateway that can only pass packets at the label PUBLIC. In this example, the security administrator ensures that the gateway host's IP address can be resolved.

# arp 192.168.131.75
gateway-1.example.com (192.168.131.75) at 0:0:0:1:ab:cd

The arp command verifies that the host is defined in the system's /etc/hosts file or is resolvable by DNS.

Then, the administrator adds the gateway-1 host to the security template.

# tncfg -t cipso_public
tncfg:cipso_public> add host=192.168.131.75
tncfg:cipso_public> exit

The system can immediately send and receive public packets through gateway-1.

Example 28  Creating an Unlabeled Router to Route Labeled Packets

Any IP router can forward messages with CALIPSO or CIPSO labels even though the router does not explicitly support labels. Such an unlabeled router requires a default label to define the level at which connections to the router, perhaps for router management, must be handled. In this example, the security administrator creates a router that can forward traffic at any label, but all direct communication with the router is handled at the default label, PUBLIC.

First, the security administrator creates the template from scratch.

# tncfg -t unl_public_router
tncfg:unl_public_router> set host_type=unlabeled
tncfg:unl_public_router> set doi=1
tncfg:unl_public_router> set def_label="PUBLIC"
tncfg:unl_public_router> set min_label=ADMIN_LOW
tncfg:unl_public_router> set max_label=ADMIN_HIGH
tncfg:unl_public_router> exit

Then, the administrator adds the router to the security template.

# tncfg -t unl_public_router
tncfg:unl_public_router> add host=192.168.131.82
tncfg:unl_public_router> exit

The system can immediately send and receive packets at all labels through router-1, the host name of the 192.168.131.82 address.

Example 29  Creating a Gateway With a Limited Label Range

In this example, the security administrator creates a template that restricts packets to a narrow label range and adds the gateway to the template.

# arp 192.168.131.78
gateway-ir.example.com (192.168.131.78) at 0:0:0:3:ab:cd
# tncfg -t cipso_iuo_rstrct
tncfg:cipso_iuo_rstrct> set host_type=cipso
tncfg:cipso_iuo_rstrct> set doi=1
tncfg:cipso_iuo_rstrct> set min_label=0x0004-08-48
tncfg:cipso_iuo_rstrct> set max_label=0x0004-08-78
tncfg:cipso_iuo_rstrct> add host=192.168.131.78
tncfg:cipso_iuo_rstrct> exit

The system can immediately send and receive packets that are labeled internal and restricted through gateway-ir.

Example 30  Creating Hosts at Discrete Labels

In this example, the security administrator creates a security template that recognizes two labels only, confidential : internal use only and confidential : restricted. All other traffic is rejected.

First, the security administrator ensures that each host's IP addresses can be resolved.

# arp 192.168.132.21
host-auxset1.example.com (192.168.132.21) at 0:0:0:4:ab:cd
# arp 192.168.132.22
host-auxset2.example.com (192.168.132.22) at 0:0:0:5:ab:cd
# arp 192.168.132.23
host-auxset3.example.com (192.168.132.23) at 0:0:0:6:ab:cd
# arp 192.168.132.24
host-auxset4.example.com (192.168.132.24) at 0:0:0:7:ab:cd

Then, the administrator is careful to type the labels precisely. The software recognizes labels in uppercase and lowercase letters and by short name, but does not recognize labels where the spacing is inaccurate. For example, the label cnf :restricted is not a valid label.

# tncfg -t cipso_int_and_rst
tncfg:cipso_int_and_rst> set host_type=cipso
tncfg:cipso_int_and_rst> set doi=1
tncfg:cipso_int_and_rst> set min_label="cnf : internal use only"
tncfg:cipso_int_and_rst> set max_label="cnf : internal use only"
tncfg:cipso_int_and_rst> set aux_label="cnf : restricted"
tncfg:cipso_int_and_rst> exit

Then, the administrator assigns the range of IP addresses to the security template by using a prefix length.

# tncfg -t cipso_int_rstrct
tncfg:cipso_int_rstrct> set host=192.168.132.0/24
Example 31  Creating a Labeled Host for Developers

In this example, the security administrator creates a cipso_sandbox security template. This template is assigned to systems that are used by developers of trusted software. Developer tests do not affect other labeled hosts because the label SANDBOX is disjoint from the other labels on the network.

# tncfg -t cipso_sandbox
tncfg:cipso_sandbox> set host_type=cipso
tncfg:cipso_sandbox> set doi=1
tncfg:cipso_sandbox> set min_sl="SBX"
tncfg:cipso_sandbox> set max_sl="SBX"
tncfg:cipso_sandbox> add host=196.168.129.102
tncfg:cipso_sandbox> add host=196.168.129.129
tncfg:cipso_sandbox> exit

The developers who use the 196.168.129.102 and 196.168.129.129 systems can communicate with each other at the label SANDBOX.

Example 32  Creating a Security Template for a netif Host

In this example, the security administrator creates a netif security template. This template is assigned to the labeled network interface that hosts the IP address 10.121.10.3. With this assignment, the Trusted Extensions IP module adds the default label, PUBLIC, to all incoming packets that arrive from an adaptive host.

# tncfg -t netif_public
tncfg:netif_public> set host_type=netif
tncfg:netif_public> set doi=1
tncfg:netif_public> set def_label="PUBLIC"
tncfg:netif_public> add host=10.121.10.3
tncfg:netif_public> commit
tncfg:netif_public> exit
Example 33  Creating Security Templates for Adaptive Hosts

In this example, the security administrator plans ahead. The administrator creates different subnets for a network that holds public information and a network that holds internal information. The administrator then defines two adaptive hosts. Systems in the public subnet are assigned the PUBLIC label. Systems in the internal network are assigned the IUO label. Because this network is planned ahead of time, each network holds and transmits information at a specific label. Another advantage is that the network is easily debugged when packets are not delivered at the expected interface.

# tncfg -t adpub_192_168_10
tncfg:adapt_public> set host_type=adapt
tncfg:adapt_public> set doi=1
tncfg:adapt_public> set min_label="public"
tncfg:adapt_public> set max_label="public"
tncfg:adapt_public> add host=192.168.10.0
tncfg:adapt_public> commit
tncfg:adapt_public> exit
# tncfg -t adiuo_192_168_20
tncfg:adapt_public> set host_type=adapt
tncfg:adapt_public> set doi=1
tncfg:adapt_public> set min_label="iuo"
tncfg:adapt_public> set max_label="iuo"
tncfg:adapt_public> add host=192.168.20.0
tncfg:adapt_public> commit
tncfg:adapt_public> exit
Example 34  Sending Labeled Multicast Messages

In this example on a labeled, homogeneous LAN, the security administrator chooses an available multicast address over which to send packets at the label PUBLIC.

# tncfg -t cipso_public
tncfg:cipso_public> add host=224.4.4.4
tncfg:cipso_public> exit
Example 35  Removing Several Hosts From a Security Template

In this example, the security administrator removes several hosts from the cipso security template. The administrator uses the info subcommand to display the hosts, then types remove, and copies and pastes four host= entries.

# tncfg -t cipso info
name=cipso
host_type=cipso
doi=1
min_label=ADMIN_LOW
max_label=ADMIN_HIGH
host=127.0.0.1/32
host=192.168.1.2/32
host=192.168.113.0/24
host=192.168.113.100/25
host=2001:a08:3903:200::0/56
# tncfg -t cipso
tncfg:cipso> remove host=192.168.1.2/32
tncfg:cipso> remove host=192.168.113.0/24
tncfg:cipso> remove host=192.168.113.100/25
tncfg:cipso> remove host=2001:a08:3903:200::0/56
tncfg:cipso> info
...
max_label=ADMIN_HIGH
host=127.0.0.1/32
host=192.168.75.0/24

After removing the hosts, the administrator commits the changes and exits the security template.

tncfg:cipso> commit
tncfg:cipso> exit
#

How to Add a Range of Hosts to a Security Template

Before You Begin

For the requirements, see How to Add a Host to a Security Template.

  1. To assign a security template to a subnet, add the subnet address to the template.

    In this example, you add two IPv4 subnets to the cipso template, then display the security template.

    # tncfg -t cipso
    tncfg:cipso> add host=192.168.75.0
    tncfg:cipso> add host=192.168.113.0
    tncfg:cipso> info
    ...
    host=192.168.75.0/24
    host=192.168.113.0/24
    tncfg:cipso> exit

    The prefix length of /24 indicates that the address, which ends in .0, is a subnet.

    # tncfg -t cipso
    tncfg:cipso> add host=192.168.113.100/25
    192.168.113.100/25 previously matched the admin_low template
  2. To assign a security template to a range of addresses, specify the IP address and the prefix length.

    In the following example, the /25 prefix length covers contiguous IPv4 addresses from 192.168.113.0 to 192.168.113.127. The address includes 192.168.113.100.

    # tncfg -t cipso
    tncfg:cipso> add host=192.168.113.100/25
    tncfg:cipso> exit

    In the following example, the /56 prefix length covers contiguous IPv6 addresses from 2001:a08:3903:200::0 to 2001:a08:3903:2ff:ffff:ffff:ffff:ffff. The address includes 2001:a08:3903:201:20e:cff:fe08:58c.

    # tncfg -t cipso
    tncfg:cipso> add host=2001:a08:3903:200::0/56
    tncfg:cipso> info
    ...
    host=2001:a08:3903:200::0/56
    tncfg:cipso> exit

    If you add a host that was previously added to another template, you are notified that you are replacing its security template assignment. For the informational message, see Example 36, Replacing Security Template for a Range of Hosts.

    A mistyped entry also displays an informational message, as shown in Example 37, Handling a Mistyped IP Address in a Security Template.

Example 36  Replacing Security Template for a Range of Hosts

This example illustrates the informational message that displays when you assign a security template to a range of hosts that already has a template assignment.

# tncfg -t cipso
tncfg:cipso> add host=192.168.113.100/32
192.168.113.100/32 previously matched the admin_low template
tncfg:cipso> info
...
host=192.168.113.100/32
tncfg:cipso> exit

Trusted Extensions fallback mechanism ensures that this explicit assignment overrides the previous assignment, as discussed in Trusted Network Fallback Mechanism.

Example 37  Handling a Mistyped IP Address in a Security Template

A mistyped entry displays an informational message. The following host addition omits :200 from the address:

# tncfg -t cipso
tncfg:cipso> add host=2001:a08:3903::0/56
Invalid host: 2001:a08:3903::0/56
Example 38  Creating an Unlabeled Subnetwork at the Label PUBLIC

In Example 25, Creating an Unlabeled Security Template at the Label PUBLIC, the security administrator creates a security template that assigns the label PUBLIC to an untrusted host. In this example, the security administrator assigns a subnet to the PUBLIC label. Users on the assigning system can mount file systems from hosts in this subnet into a PUBLIC zone.

# tncfg -t public
tncfg:public> add host=10.10.0.0/16
tncfg:public> exit

The subnet can immediately be reached at the label PUBLIC.