Want to Try Safe Browsing?

If you have installed Solaris Trusted Extensions, you may want to try
the Safe Browsing environment that I use at Sun. The configuration is a
bit complicated, but I have provided most of the files in a compressed
tar file, txdemo, which you can download. After uncompressing the file
you should extract it as root in the global zone. The tar file will
extract into /opt/txdemo.



It is assumed that you will be using separate Firefox browsers in the
public and internal zones. The public zone will be used to access the
external Internet and the internal zone will be used for the internal
intranet. To maintain network separation, a URL transfer service will
forward external URLs from your internal browser so that they can be
processed using the public browser.



Some of these files need to be customized or copied.



The manifest for the url-xfer service needs to be copied into the
public zone which you will use to access the public Internet. You
should do this as root in the public zone. For example:

    # cd /var/svc/manifest/application
    # mkdir web
    # cp /opt/txdemo/var/svc/manifest/application/web/url-xfer.xml web


The two proxy.pac scripts (public.pac, internal.pac) should be
customized as described in each script. The values for urlProxy and
corpProxy should be changed as appropriate for your office environment.



You must configure your browser proxy settings appropriately, via the
Connection Settings panel for Proxies. This is normally under the
Preferences menu.



For example, in the public browser you should specify the following URL:

    file:///opt/txdemo/proxy/public.pac

In the internal browser you should specify the following URL:

    file:///opt/txdemo/proxy/internal.pac
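The two .pac files themselves are not reproduced on this page. The following is an added example, not the txdemo code, showing the split that public.pac and internal.pac implement: the internal browser sends anything that is not an intranet host to the url-xfer listener in the public zone (port 8080, the Multilevel Port configured later), and the public browser sends everything to the corporate proxy. The proxy addresses and the intranet domain list are placeholders you would replace, and the two PAC helper functions are re-implemented only so the script runs outside a browser.

```javascript
// Added example in the style of public.pac / internal.pac (not the txdemo
// scripts). All host names, addresses and domains below are assumptions.

// --- site-specific values: edit these for your environment ---
var corpProxy = "webproxy.corp.example:8080";   // corporate proxy (tnrhtp template "public")
var urlProxy  = "192.0.2.10:8080";              // public zone address, MLP 8080/tcp (url-xfer)
var intranetDomains = [".corp.example", ".internal.example"];

// Browsers supply dnsDomainIs() and isPlainHostName() to PAC scripts; these
// stand-ins exist only so the file can be run and tested with node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  // Suffix match; the leading "." in each domain entry prevents
  // "notcorp.example" from matching ".corp.example".
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

function isIntranetHost(host) {
  if (isPlainHostName(host)) return true;          // bare names resolve on the intranet
  for (var i = 0; i < intranetDomains.length; i++) {
    if (dnsDomainIs(host, intranetDomains[i])) return true;
  }
  return false;
}

// internal.pac policy: intranet hosts go direct from the internal zone,
// every other URL is handed to url-xfer in the public zone.
function findProxyInternal(url, host) {
  host = host.toLowerCase();
  if (isIntranetHost(host)) return "DIRECT";
  // Deliberately no "; DIRECT" fallback: if the url-xfer listener is down the
  // browser must fail rather than try to reach the Internet from this label.
  return "PROXY " + urlProxy;
}

// public.pac policy: the public zone reaches the Internet only through the
// corporate proxy, which is the one host the public label is allowed to reach.
function findProxyPublic(url, host) {
  return "PROXY " + corpProxy;
}

// A real .pac file must export its entry point as FindProxyForURL; bind it to
// whichever policy the file is for (internal.pac shown here).
var FindProxyForURL = findProxyInternal;
```

Keep the leading dot on every intranet domain entry and resist adding a DIRECT fallback to the internal policy; the Trusted Extensions network policy described below would block a stray direct connection anyway, but the PAC file is the first line of defence and should not depend on it.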

The shell script ./bin/openURL is specific to Firefox. If you are using
a different browser you will need to customize this script. If the
mozilla-xremote-client application is not in /usr/lib/firefox you will
need to correct the pathname.



In addition to these steps, you will need to specify the networking
policy for web access. All of the following steps can be done
graphically using the Computers and Networks GUI in the Solaris
Management Console. If you prefer to get your hands dirty, the files
can be edited by hand.



Port 8080/tcp in the public zone must be specified as a Multilevel
Port (MLP); otherwise the internal zone, which runs at a different
label, cannot connect to the url-xfer service. The fields of a
/etc/security/tsol/tnzonecfg entry are zone name, label, flag,
zone-specific MLPs and shared MLPs. If you are using an all-zones
(shared) IP address in the public zone, you should specify the port
in the shared MLP field, the last one. The entry would look like this:

    public:0x0002-08-08:0::8080/tcp

If the public zone has a unique IP address, you should specify the
port in the zone-specific MLP field instead. The entry should look
like this:

    public:0x0002-08-08:0:8080/tcp:



You will need to create unlabeled hosts type entries for the public and
internal labels. The entries should look like this in
/etc/security/tsol/tnrhtp

    public:host_type=unlabeled;doi=1;min_sl=admin_low;max_sl=0x0004-08-48;def_label=0x0002-08-08;

    internal:host_type=unlabeled;doi=1;min_sl=admin_low;max_sl=0x0004-08-48;def_label=0x0004-08-48;

You should assign the public template to your corporate web proxy
server, and specify that the default template for your corporate
network is internal.



You will need entries like this in /etc/security/tsol/tnrhdb

    # Corporate Proxy Servers
    192.149.246.19:public
    # Default Label for Corporate Intranet
    0.0.0.0:internal

You should reboot the public zone after the configuration is complete;
the reboot also lets the manifest-import service pick up the url-xfer
manifest you copied in above. Then you should enable the service in the
public zone as follows:

    # svcadm enable url-xfer

You should now be able to run the demonstration. How'd it go?


About

This blog explores some of the security features of Oracle Solaris. In particular, topics such as Role-Based Access Control and Labeled Security are my special interests.