

TCP/IP

In an MLS system, in addition to writing DAC resource rules, which control authorization to TCP/IP resources in the SERVAUTH resource class, security labels can be used to protect TCP/IP resources. Using SAF calls, TCP/IP provides CA Top Secret with the information it needs to do MAC and DAC checking in the system.

Support for MLS TCP/IP

The following is supported when MLS is active on a CA Top Secret system:

Restrictions

When MLS is active on a CA Top Secret system, audit all programs used.

Note: Not all client-server applications and user commands are authorized for use in an MLS system.

Configuration Checklist

This checklist describes the software configuration requirements when MLS is active on a CA Top Secret system.

Requirement (mark Complete when done):

[ ] Configure TCP/IP
[ ] Assign security labels to resources in the SERVAUTH class
[ ] Protect TCP/IP stack access
[ ] Protect TCP and UDP port access
[ ] Protect access to the IP network or hosts on the IP network
[ ] Assign security labels to acids for users/tasks that must access TCP/IP resources

Configuring TCP/IP

Applications in a network use sockets to communicate with each other. In an MLS system, if you want to protect network resources with security labels to ensure that no sensitive data is disclosed or declassified, the user sessions under which the applications run and communicate with each other must have equivalent security labels.

Assigning Security Labels to Resources in the SERVAUTH Class

CA Top Secret uses the SAF to control access to network resources and allows a security administrator to assign security labels to these resources. To do this, you need the name of the TCP/IP resource that you want to secure. In SAF, these names are referred to as entity names. In CA Top Secret, these names are referred to as resource names.

Protect TCP/IP Stack Access

TCP/IP uses stacks to control the creation of sockets, the use of socket commands and the use of gethostid() and gethostname() commands.

To provide MAC protection for access to TCP/IP stacks in a CA Top Secret MLS environment, assign security labels to the EZB.STACKACCESS.sysname.tcpname resources in the SERVAUTH resource class by creating MLS resource records.

Example

To assign security label LABEL2 to the TCP/IP stack, create an MLS resource record for it by entering the following command. You must have the SECURITY privilege in your logonid to create the record.

TSS ADD(mls) SERVAUTH(ezb.STACKACCESS.SYSNAME.TCPNAME)
             SECLABEL(LABEL2)

Protect Access to the IP Network and Hosts on the IP Network

TCP/IP also uses stacks to control access to IP networks. IP addresses are mapped into network security zones. Resource names are created for each network security zone on a stack.

To provide MAC protection for access to a system from an IP address in a CA Top Secret MLS environment, assign security labels to the EZB.NETACCESS.sysname.stackname.zonename resources in the SERVAUTH resource class by creating MLS resource records.

Example

To assign security label LABEL2 to an IPv6 address mapped into network security zone ZONEB, create an MLS resource record for it:

TSS ADD(mls) SERVAUTH(ezb.NETACCESS.SYSNAME.STACKNAME.ZONEB)
             SECLABEL(LABEL2)

When MLS is activated on the system, and a security label is not specified by a user or application at signon, the seclabel is defaulted from the SERVAUTH resource (if there is one and it is not SYSMULTI). If a seclabel is specified by a user or application at signon, system entry is allowed if the user is authorized to the seclabel specified and it is equivalent to the seclabel that is protecting the IP address in the MLS SERVAUTH resource record.

Important! To support IPv6 addresses, which are much longer than IPv4 addresses, the TERMID is no longer used as the source ID for IP-based ports of entry trying to gain access to the system and resources. Instead, the network access security zone name in the SERVAUTH class contains the IP address of a user trying to gain access to the system and resources. This functionality replaces conversion of IPv4 addresses to hexadecimal terminal names.
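The following is an added illustration, not CA Top Secret or z/OS TCP/IP code, of the two rules described above: an IP-based port of entry is identified by the network security zone it falls in (so IPv6 addresses need no conversion to terminal names), and at signon the seclabel is either defaulted from the zone's SERVAUTH resource or, when requested, checked against it. The zone table, the system and stack names SYSA and TCPIP, the MLS resource records and the sample addresses are constructed; in a real system the address-to-zone mapping is done by the stack's NETACCESS configuration. Treating "equivalent" as label equality and SYSMULTI as accepting any requested label are simplifying assumptions.

```python
"""Model of zone-based SERVAUTH lookup and the MLS signon seclabel rule.
Added example with constructed data; not product code."""
import ipaddress

SYSNAME = "SYSA"      # assumed placeholder system name
STACKNAME = "TCPIP"   # assumed placeholder stack name

# Constructed network security zones: IP range -> zone name.
# A real stack derives these from its NETACCESS configuration.
NETACCESS_ZONES = [
    (ipaddress.ip_network("10.1.0.0/16"), "ZONEA"),
    (ipaddress.ip_network("2001:db8:1::/48"), "ZONEB"),
    (ipaddress.ip_network("0.0.0.0/0"), "DEFAULT4"),
    (ipaddress.ip_network("::/0"), "DEFAULT6"),
]

# Constructed MLS SERVAUTH resource records: resource name -> SECLABEL.
# Equivalent to TSS ADD(MLS) SERVAUTH(...) SECLABEL(...) entries.
MLS_SERVAUTH = {
    f"EZB.NETACCESS.{SYSNAME}.{STACKNAME}.ZONEA": "LABEL1",
    f"EZB.NETACCESS.{SYSNAME}.{STACKNAME}.ZONEB": "LABEL2",
    f"EZB.NETACCESS.{SYSNAME}.{STACKNAME}.DEFAULT4": "SYSMULTI",
}


def zone_for_address(addr):
    """Return the most specific (longest-prefix) zone containing addr, or None.
    Works for IPv4 and IPv6 alike, which is the point of zone-based naming."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, zone in NETACCESS_ZONES:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, zone)
    return best[1] if best else None


def netaccess_resource(addr):
    """Build the SERVAUTH resource name that protects this port of entry."""
    zone = zone_for_address(addr)
    if zone is None:
        return None
    return f"EZB.NETACCESS.{SYSNAME}.{STACKNAME}.{zone}"


def signon_decision(addr, requested_seclabel, user_seclabels):
    """Apply the signon rule. Returns (allowed, effective_seclabel, reason).

    No label requested: default from the SERVAUTH resource, unless there is
    no record or its label is SYSMULTI.
    Label requested: allowed only if the user is authorized to it and it
    matches the label protecting the address (assumed: string equality;
    SYSMULTI or no record imposes no constraint).
    """
    resource = netaccess_resource(addr)
    resource_label = MLS_SERVAUTH.get(resource) if resource else None

    if requested_seclabel is None:
        if resource_label and resource_label != "SYSMULTI":
            return True, resource_label, f"defaulted from {resource}"
        return True, None, "no default seclabel available from SERVAUTH resource"

    if requested_seclabel not in user_seclabels:
        return False, None, "user not authorized to requested seclabel"
    if resource_label not in (None, "SYSMULTI") and requested_seclabel != resource_label:
        return False, None, f"requested seclabel does not match {resource} ({resource_label})"
    return True, requested_seclabel, "requested seclabel accepted for protecting resource"


if __name__ == "__main__":
    for addr, req, auth in [
        ("2001:db8:1::10", None, {"LABEL1"}),
        ("2001:db8:1::10", "LABEL1", {"LABEL1"}),
        ("192.0.2.1", None, set()),
    ]:
        print(addr, req, signon_decision(addr, req, auth))
```

Running the block prints the decision for each constructed signon: the IPv6 client in ZONEB is defaulted to LABEL2, a request for LABEL1 from that zone is rejected even though the user holds LABEL1, and the client behind the SYSMULTI default zone receives no default label.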

Protecting TCP and UDP Port Access

To provide MAC protection for access to TCP and UDP ports in a CA Top Secret MLS environment, assign security labels to the EZB.PORTACCESS.sysname.tcpname.SAFkeyword resources in the SERVAUTH resource class by creating MLS resource records.

Example

To assign security label LABEL2 to a TCP or UDP port resource, create an MLS resource record:

TSS ADD(mls) SERVAUTH(ezb.PORTACCESS.SYSNAME.TCPNAME.SAFkeyword)
             SECLABEL(LABEL2)

Assigning Security Labels to Acids for Access to TCP/IP Resources

In an MLS environment, the userids associated with tasks trying to access classified TCP/IP resources can be assigned security labels.