2.2.2 eServer system structure
The system is an eServer computer, which permits one user at a time to log in to the computer console.
Several virtual consoles can be mapped to a single physical console, and different users can log in through
different virtual consoles simultaneously. The system can be connected to other computers via physically and
logically protected LANs. The eServer hardware and the physical LAN connecting the different systems
running SLES are not included within the evaluation boundary of this paper. External routers, bridges, and
repeaters are also not included in the evaluation boundary of this paper.
A standalone host configuration operates as a CC-evaluated system that multiple users can use at the same
time. Users can operate by logging in at the virtual consoles or serial terminals of a system, or by setting up
background execution jobs. Users can request local services, such as file, memory, and process management,
by making system calls to the kernel. Even though interconnection of different systems running SLES is not
included in the evaluation boundary, the networking software is loaded. This allows a user to request
network services (for example, FTP) from server processes on the same host.
Another configuration is a networked one, in which a user can log in to the console of any of the eServer
host computers, request local services at that computer, and also request network services from any of the
other computers. For example, a user can use ssh to log in to one host from another, or scp to transfer files
from one host to another. The configuration extends the single-LAN architecture to show that SLES provides
Internet Protocol (IP) routing from one LAN segment to another. For example, a user can log in at the
console of a host in one network segment and establish an ssh connection to a host in another network
segment. Packets on the connection travel across a LAN segment and are routed by a host in that segment to
a host on another LAN segment. The packets are eventually routed by the host in the second LAN segment to
a host on a third LAN segment, and from there to the target host. The number of hops from the client to the
server is irrelevant to the security provided by the system and is transparent to the user.
The hosts that perform routing functions have statically configured routing tables; no dynamic routing
protocol is used. Where other components perform routing (for example, a commercial router or switch), those
components are assumed to perform the routing functions correctly and not to alter the data part of the
packets. This is an assumption on the environment, not a property enforced by the TOE.
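The two routing properties just described, static routing tables on the routing hosts and hop-by-hop forwarding across several LAN segments, can be checked and illustrated with a small script. The following is an added example, not code from the evaluation documentation or from SLES: it parses the text output of `ip route show` (the iproute2 format), flags any route that was not installed by static configuration (i.e. one learned from a routing daemon), and traces a packet from a client to a server through two routing hosts using the same longest-prefix-match decision the kernel makes. The hostnames, addresses and routing tables are constructed for the example.

```python
"""Static-route audit and multi-hop route trace for SLES routing hosts.

Added example; not code from the evaluation documentation. All hostnames,
addresses and routing tables below are constructed for the example.
"""
import ipaddress

# Route origins iproute2 reports in its "proto" field (see rt_protos). Routes
# from a daemon (zebra, bird, ospf, rip, bgp, ...) are dynamic, which the
# evaluated configuration does not allow on routing hosts. iproute2 omits the
# proto keyword for "boot" (routes added with `ip route add`), so that is the
# default when none is printed.
STATIC_PROTOS = {"static", "boot", "kernel"}
# Keywords that stand alone in `ip route` output rather than taking a value.
FLAG_TOKENS = {"onlink", "linkdown", "dead", "pervasive", "offload", "notify", "trap"}


def parse_ip_route(text):
    """Parse `ip route show` output into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        route = {"dst": ipaddress.ip_network(dst, strict=False), "proto": "boot",
                 "metric": 0, "flags": []}
        i = 1
        while i < len(tokens):
            if tokens[i] in FLAG_TOKENS or i + 1 == len(tokens):
                route["flags"].append(tokens[i])
                i += 1
            else:                      # keyword/value pair: via, dev, proto, scope, src, metric
                route[tokens[i]] = tokens[i + 1]
                i += 2
        route["metric"] = int(route["metric"])
        routes.append(route)
    return routes


def dynamic_routes(routes):
    """Return (prefix, proto) for every route not installed by static configuration."""
    return [(str(r["dst"]), r["proto"]) for r in routes if r["proto"] not in STATIC_PROTOS]


def next_hop(routes, address):
    """Longest-prefix match as the kernel does it; lower metric wins a tie.
    Returns (gateway, device); gateway is None when the destination is on-link,
    and the result is None when no route matches."""
    addr = ipaddress.ip_address(address)
    candidates = [r for r in routes if addr in r["dst"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r["dst"].prefixlen, -r["metric"]))
    return best.get("via"), best["dev"]


# Constructed three-segment topology: client on 192.168.1.0/24, server on
# 192.168.3.0/24, two SLES hosts (gw-a, gw-b) routing between the segments.
# gw-b also carries one RIP-learned route so the audit has something to flag.
TOPOLOGY = {
    "client": ({"192.168.1.10"}, """\
default via 192.168.1.1 dev eth0 proto static
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
"""),
    "gw-a": ({"192.168.1.1", "192.168.2.1"}, """\
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
192.168.3.0/24 via 192.168.2.2 dev eth1 proto static
"""),
    "gw-b": ({"192.168.2.2", "192.168.3.1"}, """\
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.2
192.168.3.0/24 dev eth1 proto kernel scope link src 192.168.3.1
192.168.1.0/24 via 192.168.2.1 dev eth0 proto static
10.0.0.0/8 via 192.168.2.9 dev eth0 proto rip metric 20
"""),
    "server": ({"192.168.3.20"}, """\
default via 192.168.3.1 dev eth0 proto static
192.168.3.0/24 dev eth0 proto kernel scope link src 192.168.3.20
"""),
}


def trace(topology, start, address, max_hops=16):
    """Follow a packet from host `start` towards `address`, one routing decision
    per host, until a host finds the destination on a directly connected segment."""
    owner = {ip: name for name, (ips, _) in topology.items() for ip in ips}
    tables = {name: parse_ip_route(text) for name, (_, text) in topology.items()}
    path, host = [start], start
    for _ in range(max_hops):
        decision = next_hop(tables[host], address)
        if decision is None:
            raise LookupError(f"{host} has no route to {address}")
        gateway, _dev = decision
        if gateway is None:
            return path                      # delivered on-link by this host
        if gateway not in owner:
            raise LookupError(f"{host}: next hop {gateway} is not a known host")
        host = owner[gateway]
        path.append(host)
    raise LookupError("hop limit exceeded")


if __name__ == "__main__":
    for name, (_, text) in TOPOLOGY.items():
        for prefix, proto in dynamic_routes(parse_ip_route(text)):
            print(f"{name}: route {prefix} learned via {proto}, not statically configured")
    print(" -> ".join(trace(TOPOLOGY, "client", "192.168.3.20")))
```

On a real routing host the same audit runs over `ip route show` captured from that host; a finding other than proto static, boot or kernel means a routing daemon has modified the table and the host is outside the evaluated configuration.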
If other systems are connected to the physically protected LAN alongside multiple TOE systems, they must be
configured and managed by the same authority, under a security policy that does not conflict with the security
policy of the TOE.
2.2.3 TOE services
Each host computer in the system is capable of providing the following types of services:
- Local services to the users who are currently logged in to the system using a local computer console,
  virtual consoles, or terminal devices connected through physically protected serial lines.
- Local services to users who have previously logged in, via deferred jobs; an example is the cron daemon.
- Local services to users who have accessed the local host via the network using a protocol such as
  ssh, which starts a user shell on the local host.
- Network services to potentially multiple users on either the local host or on remote hosts.
Figure 2-3 illustrates the difference between local services, which take place on each local host computer,
and network services, which involve a client-server architecture and a network service-layer protocol. For
example, a user can log in to the local host computer and make file system requests or memory management
requests via system calls to the kernel of the local host. All such local services take place solely on the local
host computer and are mediated solely by trusted software on that host.