Go to main content

Trusted Extensions Configuration and Administration

Exit Print View

Updated: March 2019
 
 

Limiting the Hosts That Can Reach the Trusted Network

How to Limit the Hosts That Can Be Contacted on the Trusted Network

This procedure protects labeled hosts from being contacted by arbitrary unlabeled hosts. When Trusted Extensions is installed, the admin_low default security template defines every host on the network. Use this procedure to enumerate specific unlabeled hosts.

The local trusted network values on each system are used to contact the network at boot time. By default, every host that is not provided with a cipso template is defined by the admin_low template. This template assigns every remote host that is not otherwise defined (0.0.0.0/0) to be an unlabeled system with the default label of admin_low.


Caution

Caution  -  The default admin_low template can be a security risk on a Trusted Extensions network. If site security requires strong protection, the security administrator can remove the 0.0.0.0/0 wildcard entry after the system is installed. The entry must be replaced with entries for every host that the system contacts at boot time. For example, DNS servers, home directory servers, audit servers, broadcast and multicast addresses, and routers must be explicitly added to a template after the 0.0.0.0/0 wildcard entry is removed. If an application initially recognizes clients at the host address 0.0.0.0/32, then you must add the 0.0.0.0/32 host entry to the admin_low template. For example, to receive initial connection requests from potential Sun Ray clients, Sun Ray servers must include this entry. Then, when the server recognizes the clients, the clients are provided an IP address and connected as labeled clients.


Before You Begin

You must be in the Security Administrator role in the global zone.

All hosts that are to be contacted at boot time must exist in the /etc/hosts file.

  1. Assign the admin_low template to every unlabeled host that must be contacted at boot time.
    • Include every unlabeled host that must be contacted at boot time.

    • Include every on-link router that is not running Trusted Extensions, through which this system must communicate.

    • Remove the 0.0.0.0/0 assignment.

  2. Add hosts to the cipso template.

      Add each labeled host that must be contacted at boot time.

    • Include every on-link router that is running Trusted Extensions, through which this system must communicate.

    • Make sure that all network interfaces are assigned to the template.

    • Include broadcast addresses.

    • Include the ranges of labeled hosts that must be contacted at boot time.

    See Example 40, Enumerating Systems for a Trusted Extensions System to Contact at Boot for a sample database.

  3. Verify that the host assignments allow the system to boot.
Example 39  Changing the Label of the 0.0.0.0/0 IP Address

In this example, the administrator creates a public gateway system. The administrator removes the 0.0.0.0/0 host entry from the admin_low template and adds the 0.0.0.0/0 host entry to the unlabeled public template. The system then recognizes any host that is not specifically assigned to another security template as an unlabeled system with the security attributes of the public security template.

# tncfg -t admin_low info
tncfg:admin_low> remove host=0.0.0.0Wildcard address
tncfg:admin_low> exit
# tncfg -t public
tncfg:public> set host_type=unlabeled
tncfg:public> set doi=1
tncfg:public> set def_label="public"
tncfg:public> set min_sl="public"
tncfg:public> set max_sl="public"
tncfg:public> add host=0.0.0.0Wildcard address
tncfg:public> exit
Example 40  Enumerating Systems for a Trusted Extensions System to Contact at Boot

In the following example, the administrator configures the trusted network of a Trusted Extensions system with two network interfaces. The system communicates with another network and with routers. The remote hosts are assigned to one of three templates, cipso, admin_low, or public. The following commands are annotated.

# tncfg -t cipso
tncfg:admin_low> add host=127.0.0.1Loopback address
tncfg:admin_low> add host=192.168.112.111Interface 1 of this host
tncfg:admin_low> add host=192.168.113.111Interface 2 of this host
tncfg:admin_low> add host=192.168.113.6File server
tncfg:admin_low> add host=192.168.112.255Subnet broadcast address
tncfg:admin_low> add host=192.168.113.255Subnet broadcast address
tncfg:admin_low> add host=192.168.113.1Router
tncfg:admin_low> add host=192.168.117.0/24Another Trusted Extensions network
tncfg:admin_low> exit
# tncfg -t public
tncfg:public> add host=192.168.112.12Specific network router
tncfg:public> add host=192.168.113.12Specific network router
tncfg:public> add host=224.0.0.2Multicast address
tncfg:admin_low> exit
# tncfg -t admin_low
tncfg:admin_low> add host=255.255.255.255Broadcast address
tncfg:admin_low> exit

After specifying the hosts to contact at boot time, the administrator removes the 0.0.0.0/0 entry from the admin_low template.

# tncfg -t admin_low
tncfg:admin_low> remove host=0.0.0.0
tncfg:admin_low> exit
Example 41  Making the Host Address 0.0.0.0/32 a Valid Initial Address

In this example, the security administrator configures an application server to accept initial connection requests from potential clients.

The administrator configures the server's trusted network. The server and client entries are annotated.

# tncfg -t cipso info
name=cipso
host_type=cipso
doi=1
min_label=ADMIN_LOW
max_label=ADMIN_HIGH
host=127.0.0.1/32
host=192.168.128.1/32 Application server address
host=192.168.128.0/24 Application's client network
Other addresses to be contacted at boot time
# tncfg -t admin_low info
name=cipso
host_type=cipso
doi=1
def_label=ADMIN_LOW
min_label=ADMIN_LOW
max_label=ADMIN_HIGH
host=192.168.128.0/24 Application's client network
host=0.0.0.0/0 Wildcard address
Other addresses to be contacted at boot time

After this phase of testing succeeds, the administrator locks down the configuration by removing the default wildcard address, 0.0.0.0/0, committing the change, and then adding the specific address.

# tncfg -t admin_low info
tncfg:admin_low> remove host=0.0.0.0
tncfg:admin_low> commit
tncfg:admin_low> add host=0.0.0.0/32For initial client contact
tncfg:admin_low> exit

The final admin_low configuration appears similar to the following:

# tncfg -t admin_low
name=cipso
host_type=cipso
doi=1
def_label=ADMIN_LOW
min_label=ADMIN_LOW
max_label=ADMIN_HIGH
192.168.128.0/24 Application's client network
host=0.0.0.0/32 For initial client contact
Other addresses to be contacted at boot time

The 0.0.0.0/32 entry allows only the clients of the application to reach the application server.