In an MLS system, in addition to writing DAC resource rules, which control authorization to TCP/IP resources in the SERVAUTH resource class, security labels can be used to protect TCP/IP resources. Using SAF calls, TCP/IP provides CA Top Secret with the information it needs to do MAC and DAC checking in the system.
Support for MLS
The following is supported when MLS is active on a CA Top Secret system:
- Security labeling of TCP/IP resources in the SERVAUTH class, such as stacks (including network security zones and IP addresses), sockets, and socket commands
- MAC checking of access to resources in the SERVAUTH class
- DAC checking of access to resources in the SERVAUTH class
When MLS is active on a CA Top Secret system, audit all programs used.
Note: Not all client-server applications and user commands are authorized for use in an MLS system.
This checklist describes the software configuration requirements when MLS is active on a CA Top Secret system.
Assign security labels to resources in the SERVAUTH class
Protect TCP/IP stack access
Protect TCP and UDP port access
Protect access to the IP network or hosts on the IP network
Assign security labels to acids for users/tasks that must access TCP/IP resources
Applications in a network use sockets to communicate with each other. In an MLS system, if you want to protect network resources with security labels to ensure that no sensitive data is disclosed or declassified, the user sessions under which the applications run and communicate with each other must have equivalent security labels.
Assigning Security Labels to Resources in the SERVAUTH Class
CA Top Secret uses the SAF to control access to network resources and allows a security administrator to assign security labels to these resources. To do this, you need the name of the TCP/IP resource that you want to secure. In SAF, these names are referred to as entity names. In CA Top Secret, these names are referred to as resource names.
- TCP/IP stack resources are named:
- TCP port resources are named:
- TCP/IP security zone resources are named:
Protect TCP/IP Stack Access
TCP/IP uses stacks to control the creation of sockets, the use of socket commands and the use of gethostid() and gethostname() commands.
To provide MAC protection for access to TCP/IP stacks in a CA Top Secret MLS environment, assign security labels to the EZB.STACKACCESS.sysname.tcpname resources in the SERVAUTH resource class by creating MLS resource records.
To assign security label LABEL2 to the TCP/IP stack, create an MLS resource record for it (a SECLABEL compiled record that includes the $RTYPE control statement). You must have the SECURITY privilege in your logonid to create the record. Enter:
TSS ADD(mls) SERVAUTH(ezb.STACKACCESS.SYSNAME.TCPNAME) SECLABEL(LABEL2)
Protect Access to the IP Network or Hosts on the IP Network
TCP/IP also uses stacks to control access to IP networks. IP addresses are mapped into network security zones. Resource names are created for each network security zone on a stack.
To provide MAC protection for access to a system from an IP address in a CA Top Secret MLS environment:
- Assign an IP address to a network security zone by creating a TCP/IP Profile definition
- Assign a security label to the EZB.NETACCESS.sysname.tcpname.zonename resource (the network security zone name to which the IP address is mapped) in the SERVAUTH resource class by creating an MLS resource record for it
To assign security label LABEL2 to an IPv6 address mapped into network security zone ZONEB, create an MLS resource record for it:
TSS ADD(mls) SERVAUTH(ezb.NETACCESS.SYSNAME.STACKNAME.ZONEB) SECLABEL(LABEL2)
When MLS is activated on the system, and a security label is not specified by a user or application at signon, the seclabel is defaulted from the SERVAUTH resource (if there is one and it is not SYSMULTI). If a seclabel is specified by a user or application at signon, system entry is allowed if the user is authorized to the seclabel specified and it is equivalent to the seclabel that is protecting the IP address in the MLS SERVAUTH resource record.
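The signon decision described in the paragraph above, modelled as an added example (this is illustrative code, not part of CA Top Secret or its documentation). A security label is represented as a level plus a set of categories, and two labels are treated as equivalent when both match; that definition, the treatment of SYSMULTI as equivalent to every label, and what happens when no MLS SERVAUTH record protects the port of entry are assumptions made for the model. The label names, zone resource names and records are constructed sample data.

```python
"""Model of the MLS signon check for an IP-based port of entry.

Illustrative code only (not CA Top Secret's own logic). Assumptions:
  * a security label is (level, categories); labels are equivalent when
    both level and category set are identical;
  * SYSMULTI is equivalent to any label and is never used as a default;
  * with no protecting record, the requested label is accepted as-is.
"""
from dataclasses import dataclass, field

SYSMULTI = "SYSMULTI"


@dataclass(frozen=True)
class SecLabel:
    name: str
    level: int
    categories: frozenset = field(default_factory=frozenset)

    def equivalent(self, other: "SecLabel") -> bool:
        # Assumption: SYSMULTI matches everything; otherwise exact match.
        if SYSMULTI in (self.name, other.name):
            return True
        return self.level == other.level and self.categories == other.categories


# Constructed sample label definitions.
LABELS = {
    "LABEL1": SecLabel("LABEL1", 10, frozenset({"PROJA"})),
    "LABEL2": SecLabel("LABEL2", 20, frozenset({"PROJA"})),
    "LABEL2X": SecLabel("LABEL2X", 20, frozenset({"PROJA"})),  # same level/categories as LABEL2
    SYSMULTI: SecLabel(SYSMULTI, 0),
}

# Constructed MLS SERVAUTH resource records: resource name -> label name.
SERVAUTH_RECORDS = {
    "EZB.NETACCESS.SYSNAME.STACKNAME.ZONEB": "LABEL2",
    "EZB.NETACCESS.SYSNAME.STACKNAME.ZONEM": SYSMULTI,
}


def resource_label(zone_resource: str):
    """Label protecting the network security zone, or None if no record exists."""
    name = SERVAUTH_RECORDS.get(zone_resource)
    return LABELS[name] if name else None


def signon_decision(zone_resource: str, requested, authorized):
    """Return (allowed, effective_label_name, reason).

    zone_resource: SERVAUTH resource name of the zone the client IP maps to
    requested:     label specified at signon, or None
    authorized:    set of label names the user is authorized to use
    """
    protecting = resource_label(zone_resource)

    if requested is None:
        # No label at signon: default from the SERVAUTH resource unless it
        # is missing or SYSMULTI (the page says no default in that case).
        if protecting is None or protecting.name == SYSMULTI:
            return (True, None, "no default seclabel from SERVAUTH resource")
        return (True, protecting.name, "seclabel defaulted from SERVAUTH resource")

    if requested not in authorized:
        return (False, None, "user not authorized to requested seclabel")
    if protecting is None:
        # Assumption: nothing to compare against, so the request stands.
        return (True, requested, "no MLS SERVAUTH record for port of entry")
    if not LABELS[requested].equivalent(protecting):
        return (False, None, "requested seclabel not equivalent to resource seclabel")
    return (True, requested, "requested seclabel equivalent to resource seclabel")


if __name__ == "__main__":
    zone_b = "EZB.NETACCESS.SYSNAME.STACKNAME.ZONEB"
    print(signon_decision(zone_b, None, set()))
    print(signon_decision(zone_b, "LABEL1", {"LABEL1"}))
```

Running the module prints the defaulted-label case for ZONEB followed by the denial of a user signing on with LABEL1, whose level differs from the LABEL2 record protecting the zone.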
To support IPv6 addresses, which are much longer than IPv4 addresses, the TERMID is no longer used as the source ID for IP-based ports of entry trying to gain access to the system and resources. Instead, the network access security zone name in the SERVAUTH class contains the IP address of a user trying to gain access to the system and resources. This functionality replaces conversion of IPv4 addresses to hexadecimal terminal names.
Protecting TCP and UDP Port Access
To provide MAC protection for access to TCP and UDP ports in a CA Top Secret MLS environment, do the following:
- Assign security labels to the EZB.PORTACCESS.sysname.tcpname.SAFkeyword resources in the SERVAUTH class