Securing NetWare Enterprise Local Area Networks H. Van Tran Cynthia D. Heagy Payoff

Transcription

1 Securing NetWare Enterprise Local Area Networks H. Van Tran Cynthia D. Heagy Payoff Data security professionals in many organizations must protect data and applications running on local area networks (LANs). To do this, they should first understand how the components of their networks function. Then, they should learn how their particular network operating systems provide security. This article both explains the functions of LAN components and describes the security provisions of one of the most widely used operating systems Novel's NetWare. A companion article, Threats to NetWare Enterprise LANs ( ), describes threats to the NetWare enterprise LANs and recommends how to mitigate these dangers. Problems Addressed A LAN that houses important data and applications is known as an enterprise LAN. The security considerations involved in securing such a system differ dramatically from those found with traditional mainframes. For example, in the open environment of enterprise LANs, dial-in and dial-out activities occur frequently, and viruses often disrupt operations. Enterprise LANs must therefore be tightly controlled to ensure that they are maintained in a safe, reliable manner. The leading LAN operating systems used to construct complex networks are Novell's NetWare 3.X, Novell's NetWare 4.X, and Microsoft's Windows NT 3.X. Collectively, the two Novell operating systems account for more than 60% of the LAN installation base worldwide. This article provides an overview of the network environment and offers some suggestions on what to consider in securing NetWare enterprise LANs. Network Hardware Components An enterprise LAN contains four kinds of hardware components microcomputers, a cabling system, a file server, and a network traffic controlling device. Understanding these components is crucial to controlling and securing a LAN. Microcomputers The most visible component of all LANs is the microcomputer. Its main board (i.e., mother board or system board) links many of the microcomputer's internal components to each other (see Exhibit 1). Located on the main board is the Central Processing Unit chip, which directs all computer activities and performs such basic computer operations as executing computer instructions and performing input/output (I/O) operations. Random access memory(ram) chips and read-only memory (ROM) chips are also found on the main board. RAM chips house temporary data and instructions for computer execution, and ROM chips store permanent manufacturer-embedded, low-level instructions. Diagram of Main Board Computer peripherals include keyboards, display monitors, mouses, disk drives, and printers. A large section of a main board contains bus (i.e., expansion) slots where

2 peripherals are connected to the main board by expansion cards. Each peripheral communicates with the central processing unit (CPU) through its expansion card by using a unique I/O path that consists of four parameters interrupt level, memory address, ROM/ RAM address, and Direct Memory Access channel. Every time a new peripheral is added to a microcomputer, these four parameters must be properly configured to allow the new peripheral to exist harmoniously with other peripherals on the same main board. A user can configure a Disk Operating System-based microcomputer to support a unique combination of hardware and applications by configuring two microcomputer configuration files CONFIG.SYS and AUTOEXEC.BAT. The two files are typically stored in the root directory of the main hard drive. The CONFIG.SYS file instructs the DOS operating system how to run various peripherals and components. Commands in the AUTOEXEC.BAT file automatically perform a sequence of routines immediately after the instructions in the CONFIG.SYS file have been completely executed. Cabling System Each microcomputer connected to a NetWare LAN must have a Network Interface Card inserted into one of the bus slots residing on the main board. Again, the interrupt level, memory address, ROM/RAM address, and Direct Memory Access channel must be uniquely configured to allow the card to coexist with other peripherals. Next, the Network Information Center card is connected to the network's cabling system so the microcomputer can transmit data to and receive data from other computers on the network. The cabling system can vary in physical shape, transmission capacity, medium access control (MAC) method, and cost. The physical shape of a cabling system is known as its topology. The three basic network topologies are linear bus, star, and token ring; they are diagramed in Exhibit 1. In a linear bus topology, computers are connected to a central coaxial cable. In star and tokenring topologies, computers are connected to a concentrator, or hub. Token-ring concentrators manage network traffic more efficiently than star concentrators. A cabling system's transmission capacity typically depends on its medium type. Fiber optic cable has a much higher transmission capacity than coaxial cable (i.e., 100M bits per second versus 10M bits per second). The way in which a microcomputer accesses a cabling system to send data is called its MAC method. When a MAC method known as carrier sense multiple access with collision detection (Carrier Sense Multiple Access/Collision Detection) is used, the NIC card of the transmitting microcomputer first senses the cabling system to ensure that the cabling system is free of network traffic. Then, data is transmitted. Microcomputers on the network constantly monitor the cabling system to determine if data transmitted by one microcomputer collides with data transmitted by another. If a microcomputer detects a collision anywhere on a segment, that microcomputer transmits a jam pattern to inform other microcomputers on the same segment of the collision so they will refrain from transmitting data until the collision has cleared. Token ring is another MAC method. With it, a token circulates in the cabling system to invite microcomputers to transmit their data. A microcomputer can transmit data only after it has taken custody of the token; others must wait until it completes its transmission and releases the token. The cost of a cabling system depends on its topology, transmission capacity, and MAC method. When designing a network, network engineers select a combination of these factors that will meet the company's network traffic demand for the lowest possible installation and maintenance costs.

3 File Server Each network has at least one microcomputer that acts as a file server a powerful computer that stores data and software and sends data to other microcomputers, called clients. Clients are network microcomputers that are used by end users to perform their business duties. NetWare 3.X requires at least 4M bytes of RAM, and NetWare 4.X needs at least 8M bytes. However, because the file server often holds temporarily on RAM chips a great deal of data that will be written to its hard drive or transmitted to clients, its actual memory requirement may be much higher, depending on how busy the server is or how many users it supports. Because a file server may have several large hard disks that centrally house group, departmental, or corporate data and software, the size of this storage medium depends on the amount of data, the number and size of programs, and the number of users that it supports. The file server's hard disk is divided into DOS and NetWare partitions. The DOS partition houses the file server's main operating system program, called SERVER.EXE, which boots the file server. The NetWare partition, where network data and applications are kept, is further broken down into volumes. The SYS: volume contains all NetWare network commands and utilities, and possibly user data and application software, if desired. Network Traffic Controlling Device A complex LAN can include multiple network segments, or subnetworks. One segment may have too much network traffic, and another may have very little. One segment may cover a large geographical area, yet another may cover a small area. A network with multiple segments needs such devices as bridges, repeaters, or routers (see Exhibit 1). Bridges reduce heavy network traffic on a segment by isolating network data of different groups of microcomputers on different sections of the segment. When a computer transmits its data to a remote network segment, repeaters extend the transmission distance of the cabling system, and routers move data to its destination by switching data from segment to segment. Network Software The network hardware components previously described are common to all LANs, regardless their Network Operating System. Hardware components by themselves do not initiate network traffic, but software components do. An application residing on the file server or on the client's microcomputer initiates network data and passes it to the network operating systems for transmission on the cabling system. An organization can use NetWare, Windows NT, another system, or a combination of these as its Network Operating System. When NetWare is chosen, it must be installed on both the file server and the client microcomputers to permit client/server communications. Network printing activities can be managed by print server software. However, if dialin and dial-out activities become a security concern, communications server software can be purchased and installed to manage printing activities. File Server The most important operating system software in NetWare is SERVER.EXE, which is stored on the Disk Operating System partition of the file server's hard disk. When SERVER.EXE is loaded, it takes over the operation of the computer from DOS. Peripheral interface software is another kind of operating system software. Developed by hardware manufacturers and distributed by Novell, this software includes such

4 programs as disk and Network Information Center. card drivers. They allow NetWare to communicate with various types of hard drives and Network Interface Card. NetWare loadable modules (NLMs) are typically developed by Novell or third parties to provide additional network capabilities to those provided by SERVER.EXE. Many NLMs are already bundled with the operating system software; others must be purchased as add-on products. STARTUP.NCF and AUTOEXEC.NCFare file server boot files. They work as CONFIG.SYS and AUTOEXEC.BAT files do in the DOS environment. STARTUP.NCF loads disk drivers to allow NetWare to communicate with various types of hard drives. AUTOEXEC.NCF defines the file server's network environment (i.e., name, file server ID, network address) and loads additional NLMs or services not provided by SERVER.EXE. These boot files are created and customized during the file server's installation. The last category of operating system software consists of login scripts and menus for customizing the user environment. A login script typically is a set of instructions that locates directories or applications needed by a user or group of users. A client logging into the file server automatically executes a script stored on the file server's hard disk. Menus show the user a list of application software for selection. Both login scripts and menus can be created or modified during the file server's installation, the installation of a new application, or the creation of a new user or group of users. Client Microcomputers A series of operating system programs must be loaded on the microcomputer's RAM chips for it to communicate with the network file server. The first program is VLM.EXE; it determines whether an application I/O request is for local or network processing. A local request is sent to DOS; a network request is sent to IPXODI.COM for network processing. The second program, IPXODI.COM, contains various protocol stacks to format data to be sent to the file server. The third operating system program is a Network Interface Card driver such as NE2000.COM, which moves data from RAM chips into the network interface card (NIC) so it can be transmitted on the cabling system. The fourth program is the Link Support Layer, or LSL.COM, which determines the format of incoming network data in order to send the data to the appropriate protocol stack in IPXODI.COM for processing. Print Server Network users can print on a local printer connected directly to their microcomputers, on a network printer attached to a file server, or on a printer connected to another network microcomputer. Network printing activities are managed by print server software. This software is created by using a NetWare utility named PCONSOLE and can reside on a microcomputer dedicated to the printing task (i.e., a dedicated print server) or on the file server. Network printers are typically connected to a microcomputer where the print server software resides. Client microcomputers sending their print jobs to network printers must execute a CAPTURE command to route print jobs to appropriate print queues. There, print jobs wait to be retrieved by the print server software for routing to the appropriate printer. Communications Server Dial-in dial-out activities on a NetWare network can be supported by widely dispersed modems and such simple communications software as PCAnywhere. However, but this arrangement provides little control or audit trail. When remote activities become a security concern, modems can be consolidated on a few modem boards installed on a single microcomputer so that remote users can be organized and controlled with communications

5 server software. This software must reside on the microcomputer housing the modems. This microcomputer can be a dedicated communications server or an existing file server. Novell's current communications server software, called Net Connect, can efficiently manage a pool of modems, control remote access to the network, and generate dial-in/dialout audit data. NetWare Security Levels NetWare 3.X and 4.X protect resources residing on the file server with three levels of security: user authentication, directory and file system security, and directory and file attributes. NetWare 4.X provides an additional level of security, NetWare Directory Services. Remote users are first authenticated by Net Connect if this software is in use. Both remote and local users are authenticated by the login process in which a valid user name and password are verified. Additional login restrictions(e.g., date, time, other password measures, intruder protection, and Network Information Center hardware address) are also available to restrict access to the file server. Directory and File System Security The second level of security is directory and file system security. It restricts access to various directories and files on the file server to users or user groups that have been granted appropriate rights. A summary of NetWare rights is provided in Exhibit 2. A user receives access rights to a given directory or a file from three different sources: rights from these sources are additive. These sources are: The explicit granting of access rights to a user. The explicit granting of access rights to a group to which the user belongs. The explicit granting of access rights to a user. NetWare Access Rights Rights Read Write Create Erase Modify File scan Access Control Description Gives user the right to open files in the directory and read their contents or to run programs. Gives the user the right to open and change the contents of files. Gives the user the right to create new files and subdirectories. Gives the user the right to delete a directory, its files, and subdirectories. Gives the user the right to change the attributes or name of directories and files. Gives the user the right to see files and directories. Gives the user the right to change access privileges and inherited rights filters.

6 Supervisory Gives the user all rights to a directory, its files and subdirectories. Supervisory directory/file rights cannot be blocked by an inherited rights filter. A user who has supervisory rights can grant any right to other users. Rights Description Read Gives user the right to open files in the directory and read their contents or to run programs. Write Gives user the right to open and change contents of files. Create Gives user the right to create new files and subdirectories. Erase Gives user the right to delete a directory, its files, and subdirectories. Modify Gives user the right to change the attributes or name of directories and files. File Scan Gives user the right to see files and directories. Access Control Gives user the right to change access privileges and inherited rights filters. Supervisory Gives user all rights to a directory, its files and subdirectories. Supervisory directory/file rights cannot be blocked by an inherited rights filter. A user who has supervisory rights can grant any right to other users * Note: An inherited rights filter is a technique for removing certain rights from flowing down to lower-level subdirectories. This final source of access rights is called security equivalence. Rights given to a user at a given directory flow down to lower-level subdirectories and their files. In other words, the user inherits the same rights at lower-level directories as those explicitly granted at a higher-level directory. The inheritance of access rights can be curtailed or stopped by the use of inherited rights filters or by a new granting of access rights at lower-level subdirectories. Access rights are granted by using either the SYStem CONsole utility or the FILER utility in Novell 3.X or using the NetWare Administrator graphical utility in Novell 4.X. Inherited rights filters are set by using FILER in Novell 3.X or using NetWare Administrator graphical utility in Novell 4.X. Directory and File Attributes The third level of security is the use of directory and file attributes. They are considered another form of prevention control. A summary of NetWare directory and file attributes is provided in Exhibit 3. NetWare Directory and File Attributes Abbreviation A CI DI X H P Attribute Archive Needed (files only) Copy Inhibit (files only) Delete Inhibit (files and directories) Execute Only (files only) Hidden (files and directories) Purge(files and directories)

7 Ro Rw RI Sh Sy T Read Only (files only) Read Write (files only) Rename Inhibit (files and subdirectories) Shareable (files only) System (files and directories) Transactions (files only) Abbreviation Attribute A Archive Needed (files only) CI Copy Inhibit (files only) DI Delete Inhibit (files and directories) X Execute Only (files only) H Hidden (files and directories) P Purge (files and directories) Ro Read Only (files only) Rw Read Write (files only) RI Rename Inhibit (files and subdirectories) Sh Shareable (files only) Sy System (files and directories) T Transaction (files only) Directory and file attributes can be used to override directory and file access rights when they have been applied to prevent all network users and groups from gaining unwanted access to specific directories or files. For example, if a user has been explicitly granted the eraseright to a file, but a read-only attribute has been assigned to the file, the user cannot erase the file. To erase the file, the user must change the file's attribute to read/write before erasing it. Directory and file attributes are set using the FLAG utility in Novell 3.X or the NetWare Administrator graphical utility in Novell 4.X. NetWare Directory Services With NetWare 3.X, a server defines and manages users, groups, network resources, and network security. NetWare 4.X, on the other hand, has a network management feature known as NetWare Directory Services (NDS) that manages users, groups, network resources, and network security globally. In a NetWare 4.X network, business units, subunits, groups, users, file servers, and print servers are called objects. They are defined, tied together hierarchically, and stored in a common data base called an NDS data base. Objects are of two types: container and leaf. Container objects contain other objects. In addition to leaf objects, container objects can contain business unit, subunit, or user group objects. Leaf objects are terminal objects and typically include users, file servers, and print servers. Access to the NDS data base is necessary to manage network resources, and it is governed by NDS security. Only users with network administrative responsibilities can access all or part of the data base. It is secured in the same way as directory and file system access is; network administrators are granted the rights necessary to manage the entire NDS data base or a few container objects. A summary of NDS object rights is provided in Exhibit 4. Object Rights Rights Description

8 Supervisor Browse Create Rename Gives administrator all access privileges to the object. However, a privilege can be blocked by an inherited rights filter. Gives administrator the right to see the object in the NDS database. Gives administrator the right to create a new object in the NDS database. Gives administrator the right to change the name of the object in the NDS database. Rights Description Supervisor Gives administrator all access privileges to the object. However, a privilege can be blocked by an inherited rights filter. Browse Gives administrator the right to see the object in the NDS data base. Create Gives administrator the right to create a new object in the NDS data base. Rename Gives administrator the right to change the name of the object in the NDS data base. Rights given to an administrator at a given container object flow down to lower-level objects. In other words, the administrator inherits the same administrative rights at lowerlevel objects as those object rights explicitly granted at a higher-level container object. However, the inheritance of object rights can be curtailed or stopped by the use of inherited right filters. This feature allows different sections of the NDS data base to be administered by different administrators by completely blocking object rights given to other NDS administrators from higher-level container objects. LAN administrators with appropriate NDS rights can explicitly grant two types of access: NDS and file and directory. They can grant NDS access to another LAN administrator to manage a user, group of users, subunit, or business unit. File and directory access can be granted directly to a user, a group of users, a subunit, or a business unit. NDS is therefore a powerful tool for managing network resources globally. Because the NDS data base stores all network resource information and access control data, it is the one gateway to the NetWare 4.X network and must be protected from disaster. Disaster recovery is provided by dividing the NDS data base into partitions and creating their replicas. The original partitions are stored on file servers, close to their users for efficient network access. Their replicas are stored on geographically remote file servers to serve as backup copies of the original partitions. Partitions and replicas are typically managed by using Partition Manager, a subset of the NetWare Administrator graphical tool. Recommended Course of Action Data security professionals attempting to secure a NetWare LAN should first make sure they understand how the network's components work. Then, they should study the security features found in the NetWare operating system. Next, they should read Threats to NetWare Enterprise LANs ( ). Author Biographies H. Van Tran H. Van Tran is an associate professor of accounting at the University of Houston at Clear Lake in Houston TX. Cynthia D. Heagy

9 Cynthia D. Heagy, DBA, CPA, CMA, is an associate professor of accounting at the University of Houston at Clear Lake in Houston TX.

10