JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Trusted Extensions Configuration and Administration     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

Part I Initial Configuration of Trusted Extensions

1.  Security Planning for Trusted Extensions

2.  Configuration Roadmap for Trusted Extensions

3.  Adding the Trusted Extensions Feature to Oracle Solaris (Tasks)

4.  Configuring Trusted Extensions (Tasks)

5.  Configuring LDAP for Trusted Extensions (Tasks)

Part II Administration of Trusted Extensions

6.  Trusted Extensions Administration Concepts

7.  Trusted Extensions Administration Tools

8.  Security Requirements on a Trusted Extensions System (Overview)

9.  Performing Common Tasks in Trusted Extensions

10.  Users, Rights, and Roles in Trusted Extensions (Overview)

11.  Managing Users, Rights, and Roles in Trusted Extensions (Tasks)

12.  Remote Administration in Trusted Extensions (Tasks)

13.  Managing Zones in Trusted Extensions

14.  Managing and Mounting Files in Trusted Extensions

15.  Trusted Networking (Overview)

The Trusted Network

Trusted Extensions Data Packets

Trusted Extensions Multicast Packets

Trusted Network Communications

Network Commands in Trusted Extensions

Network Configuration Databases in Trusted Extensions

Trusted Network Security Attributes

Network Security Attributes in Trusted Extensions

Host Type and Template Name in Security Templates

Default Label in Security Templates

Domain of Interpretation in Security Templates

Label Range in Security Templates

Auxiliary Labels in Security Templates

Trusted Network Fallback Mechanism

Overview of Routing in Trusted Extensions

Background on Routing

Routing Table Entries in Trusted Extensions

Trusted Extensions Accreditation Checks

Source Accreditation Checks

Gateway Accreditation Checks

Destination Accreditation Checks

Administration of Routing in Trusted Extensions

Choosing Routers in Trusted Extensions

Gateways in Trusted Extensions

Routing Commands in Trusted Extensions

Administration of Labeled IPsec

Labels for IPsec-Protected Exchanges

Label Extensions for IPsec Security Associations

Label Extensions for IKE

Labels and Accreditation in Tunnel Mode IPsec

Confidentiality and Integrity Protections With Label Extensions

16.  Managing Networks in Trusted Extensions (Tasks)

17.  Trusted Extensions and LDAP (Overview)

18.  Multilevel Mail in Trusted Extensions (Overview)

19.  Managing Labeled Printing (Tasks)

20.  Devices in Trusted Extensions (Overview)

21.  Managing Devices for Trusted Extensions (Tasks)

22.  Trusted Extensions Auditing (Overview)

23.  Software Management in Trusted Extensions

A.  Site Security Policy

Creating and Managing a Security Policy

Site Security Policy and Trusted Extensions

Computer Security Recommendations

Physical Security Recommendations

Personnel Security Recommendations

Common Security Violations

Additional Security References

B.  Configuration Checklist for Trusted Extensions

Checklist for Configuring Trusted Extensions

C.  Quick Reference to Trusted Extensions Administration

Administrative Interfaces in Trusted Extensions

Oracle Solaris Interfaces Extended by Trusted Extensions

Tighter Security Defaults in Trusted Extensions

Limited Options in Trusted Extensions

D.  List of Trusted Extensions Man Pages

Trusted Extensions Man Pages in Alphabetical Order

Oracle Solaris Man Pages That Are Modified by Trusted Extensions

Glossary

Index

Trusted Network Fallback Mechanism

A host IP address can be added to a security template either directly or indirectly. Direct assignment adds a host's IP address. Indirect assignment adds a range of IP addresses that includes the host. To match a particular host, the trusted network software first looks for the specific IP address. If the search does not find a specific entry for the host, it looks for the “longest prefix of matching bits”. You can indirectly assign a host to a security template when the IP address of the host falls within the “longest prefix of matching bits” of an IP address with a fixed prefix length.

In IPv4, you can make an indirect assignment by subnet. When you make an indirect assignment by using 4, 3, 2, or 1 trailing zero (0) octets, the software calculates a prefix length of 0, 8, 16, or 24, respectively. For examples, see Table 15-1.

You can also set a fixed prefix length by adding a slash (/) followed by the number of fixed bits. IPv4 network addresses can have a prefix length between 1 – 32. IPv6 network addresses can have a prefix length between 1 – 128.

The following table provides fallback address and host address examples. If an address within the set of fallback addresses is directly assigned, the fallback mechanism is not used for that address.

Table 15-1 Trusted Extensions Host Address and Fallback Mechanism Entries

IP Version
Host Entry for host_type=cipso
IP Addresses Covered
IPv4
192.168.118.57
192.168.118.57/32
192.168.118.57
The /32 sets a prefix length of 32 fixed bits.
192.168.118.128/26
From 192.168.118.0 through 192.168.118.63
192.168.118.0
192.168.118.0/24
All addresses on 192.168.118. subnet.
192.168.0.0/24
All addresses on 192.168.0. subnet.
192.168.0.0
192.168.0.0/16
All addresses on 192.168. subnet.
192.0.0.0
192.0.0.0/8
All addresses on 192. subnet.
192.168.118.0/32
Host address 192.168.118.0. Not a range of addresses.
192.168.0.0/32
Host address 192.168.0.0. Not a range of addresses.
192.0.0.0/32
Host address 192.0.0.0. Not a range of addresses.
0.0.0.0/32
Host address 0.0.0.0. Not a range of addresses.
0.0.0.0
All addresses on all networks
IPv6
2001\:DB8\:22\:5000\:\:21f7
2001:DB8:22:5000::21f7
2001\:DB8\:22\:5000\:\:0/52
From 2001:DB8:22:5000::0 through 2001:DB8:22:5fff:ffff:ffff:ffff:ffff
0\:\:0/0
All addresses on all networks

Note that the 0.0.0.0/32 address matches the specific address, 0.0.0.0. By adding the 0.0.0.0/32 entry to a system's unlabeled security template, you enable hosts with the specific address, 0.0.0.0, to contact the system. For example, DHCP clients contact the DHCP server as 0.0.0.0 before the server provides the clients with an IP address.

To create a tnrhdb entry on a Sun Ray server that serves DHCP clients, see Example 16-16. To create a tnrhdb entry for an application that serves DHCP clients, see Example 16-15. The 0.0.0.0:admin_low network is the default entry in the admin_low unlabeled host template. Review How to Limit the Hosts That Can Be Contacted on the Trusted Network for security issues that would require changing this default.

For more information about prefix lengths in IPv4 and IPv6 addresses, see Deciding on an IP Addressing Format for Your Network in Configuring and Administering Oracle Solaris 11.1 Networks and IPv6 Addressing Overview in System Administration Guide: IP Services.