Novell BorderManager ICSA Compliance Kit v. 2.0
Novell Cool Solutions: Feature
Posted: 14 May 2003
The ICSA Compliance Kit (ICK) provides files and instructions specifically to meet ICSA standards. This version of the ICK is for NW51SP6 and NW6SP3.
For more info see TID 2965858
- 1.0 Introduction
- 2.0 Solution
- 3.0 Limitations
- 4.0 Legal Information
1.0 Introduction
ICSA firewall certification criteria require authentication before the firewall configuration and log files can be accessed. This ICSA Compliance Kit (ICK) provides the files and instructions needed to meet that requirement on Novell BorderManager.
IMPORTANT: Applying this patch removes certain functionality from your NetWare server (see the Limitations section), which some customers will find undesirable. Apply it only to a NetWare server running Novell BorderManager, and only if you require full compliance with the ICSA Firewall certification criteria. Read the Limitations section of this Readme before you apply the patch.
2.0 Solution
Novell BorderManager runs on top of NetWare. All configuration information for all Novell BorderManager services (including the firewall service) and all log files are stored on a volume that resides in a NetWare (or NSS) partition. That partition only becomes accessible once SERVER.EXE has been run from the DOS partition, and once the server is fully loaded, various system console commands and utilities give access to the firewall configuration and logs. The system console is therefore the access path that has to be gated behind authentication.
This ICK solution uses three files:
1) A modified SERVER.EXE that does not start the system console thread on its own and cannot be told to do so from the command line. Versions for NetWare 5.1 SP6 and for NetWare 6 SP3 are contained in this patch.
2) SCRSAVER.NLM, which requires authentication before the system console screen can be accessed. This file ships with NetWare and should already exist in your SYS:\SYSTEM directory.
3) BMCON.NLM (located in BM37SP2.EXE or later), which starts the system console thread only after SCRSAVER.NLM is fully loaded, running and locked.
The version of SERVER.EXE included in this patch enables the "-con" switch by default and does not allow it to be overridden. This "console block" feature prevents the system console thread from starting until BMCON.NLM calls a specific command.
IMPORTANT: Please note that installing any OS support pack will overwrite your ICSA compliant SERVER.EXE. For each new OS Support Pack, an updated SERVER.EXE will be made available and should be applied immediately to maintain ICSA compliance. Apply only the SERVER.EXE in updated ICSA kits to maintain compliance.
IMPORTANT: BMCON.NLM resides on a NetWare partition and is loaded during the execution of AUTOEXEC.NCF, which also resides on a NetWare partition. Therefore, if either STARTUP.NCF or AUTOEXEC.NCF is not run, or if the server load process is interrupted for some other reason, the server fails closed into a "deny all" mode in which the system console is inaccessible. This is the intended behaviour: an incomplete boot must not leave an unauthenticated console behind.
SCRSAVER.NLM also gets loaded during the execution of AUTOEXEC.NCF, with a command line argument that immediately invokes the screensaver and requires authentication to disable it. BMCON.NLM does not start the system console thread until SCRSAVER.NLM is fully loaded.
To implement this patch, do the following in the order indicated:
1) Edit the AUTOEXEC.NCF file to add the following two lines at the beginning of the file, in this order:
SCRSAVER ACTIVATE
BMCON
2) Back up the existing SERVER.EXE file to a floppy or to some other removable media.
3) Copy the new SERVER.EXE file to C:\NWSERVER, overwriting any previous version.
4) Restart the server by running SERVER.EXE or by rebooting the machine.
Note: It is important to overwrite or otherwise remove the standard SERVER.EXE from the DOS partition to ensure ICSA certification compliance. If the standard SERVER.EXE is merely renamed, an intruder with access to the DOS partition could regain system console access simply by deleting the ICSA compliant SERVER.EXE and renaming the standard file back. (Removable media is outside the scope of the ICSA certification criteria, which is why the backup in step 2 belongs there and not on the DOS partition.)
Note: SERVER.EXE itself provides no mechanism to authenticate and unlock the console. That function is provided by the SCRSAVER.NLM that ships with NetWare, which performs the authentication, and by BMCON.NLM, which is supplied specifically to release the console only after it has verified that SCRSAVER.NLM is loaded and activated.
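The chain described above (console-blocked SERVER.EXE, then SCRSAVER ACTIVATE, then BMCON, with no stray copy of the standard SERVER.EXE on the DOS partition) is easy to get subtly wrong, and a mistake fails closed: the console never comes back. The script below is an added example, not part of the kit or of Novell's own tooling; it audits a copy of AUTOEXEC.NCF and a listing of C:\NWSERVER before you reboot. It assumes NCF comment syntax of `#`, `;` or `REM`, that an optional `LOAD` prefix and volume path may precede a module name, that you supply the SHA-256 of the kit's SERVER.EXE yourself, and that the directory contents are handed in as a name-to-bytes mapping so the check runs offline. The sample inputs are constructed for illustration.

```python
"""Pre-flight audit for the ICSA Compliance Kit layout (added example, not kit code)."""
import hashlib
import re

# Assumption: NCF comments start with '#', ';' or 'REM' (not stated on the page).
_COMMENT = re.compile(r"^\s*(#|;|rem\b)", re.IGNORECASE)


def _commands(ncf_text):
    """Yield (MODULE, [ARGS]) for each executable NCF line.

    Comments and blank lines are skipped; an optional LOAD prefix, any
    volume/directory path and a trailing .NLM are stripped from the module name.
    """
    for raw in ncf_text.splitlines():
        line = raw.strip()
        if not line or _COMMENT.match(line):
            continue
        parts = line.split()
        if parts[0].upper() == "LOAD" and len(parts) > 1:
            parts = parts[1:]
        module = re.split(r"[\\/:]", parts[0])[-1].upper()
        module = re.sub(r"\.NLM$", "", module)
        yield module, [p.upper() for p in parts[1:]]


def audit_autoexec(ncf_text):
    """Return a list of findings for AUTOEXEC.NCF; empty means it matches the readme."""
    cmds = list(_commands(ncf_text))
    names = [module for module, _ in cmds]
    findings = []
    if "SCRSAVER" not in names:
        findings.append("SCRSAVER is never loaded: nothing can ever unlock the console")
    elif "ACTIVATE" not in cmds[names.index("SCRSAVER")][1]:
        findings.append("SCRSAVER is loaded without ACTIVATE: console is not locked at boot")
    if "BMCON" not in names:
        findings.append("BMCON is never loaded: the console thread will never start")
    if "SCRSAVER" in names and "BMCON" in names:
        if names.index("BMCON") < names.index("SCRSAVER"):
            findings.append("BMCON precedes SCRSAVER: SCRSAVER ACTIVATE must come first")
        elif names[:2] != ["SCRSAVER", "BMCON"]:
            findings.append("SCRSAVER ACTIVATE and BMCON are not the first two commands")
    return findings


def audit_nwserver_dir(files, expected_sha256):
    """Audit a C:\\NWSERVER listing given as {filename: contents}.

    Flags a missing SERVER.EXE, a SERVER.EXE whose SHA-256 differs from the
    kit's, and any other file with a DOS 'MZ' header, which is how a renamed
    standard SERVER.EXE (the attack in the note above) would look on disk.
    """
    findings = []
    by_upper = {name.upper(): data for name, data in files.items()}
    server = by_upper.get("SERVER.EXE")
    if server is None:
        findings.append("SERVER.EXE is missing from C:\\NWSERVER")
    elif hashlib.sha256(server).hexdigest() != expected_sha256.lower():
        findings.append("SERVER.EXE does not match the ICSA kit hash")
    for name, data in by_upper.items():
        if name != "SERVER.EXE" and data[:2] == b"MZ":
            findings.append(f"{name} is a DOS executable: verify it is not a renamed standard SERVER.EXE")
    return findings


# Constructed samples (not taken from a real server).
GOOD_NCF = """\
# AUTOEXEC.NCF - constructed sample
SCRSAVER ACTIVATE
BMCON
SET TIME ZONE = MST7MDT
LOAD BRDSRV
"""
BAD_NCF = """\
BMCON
LOAD SYS:SYSTEM\\SCRSAVER.NLM
"""
ICK_SERVER = b"MZ" + b"\x00" * 30            # stand-in for the kit's SERVER.EXE
ICK_HASH = hashlib.sha256(ICK_SERVER).hexdigest()  # operator supplies the real value
SAMPLE_DIR = {
    "SERVER.EXE": ICK_SERVER,
    "SERVER.OLD": b"MZ" + b"\x01" * 30,      # renamed standard SERVER.EXE left behind
    "STARTUP.NCF": b"SET MINIMUM PACKET RECEIVE BUFFERS = 1000\n",
}

if __name__ == "__main__":
    for label, ncf in (("good", GOOD_NCF), ("bad", BAD_NCF)):
        print(label, audit_autoexec(ncf) or "ok")
    print("dir", audit_nwserver_dir(SAMPLE_DIR, ICK_HASH) or "ok")
```

Run it against the real AUTOEXEC.NCF and a listing of C:\NWSERVER before step 4; the hash comparison is the only reliable way to tell the kit's SERVER.EXE from the standard one, since both are plain DOS executables of similar size. The MZ scan is a heuristic for the renamed-copy problem: it catches SERVER.OLD-style leftovers but not a copy moved elsewhere on the DOS partition.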
3.0 Limitations
1) SCRSAVER.NLM authentication depends on the availability of eDirectory. If eDirectory is unavailable or fails, the console cannot be unlocked until it is available again; plan for this before applying the patch, since there is no local fallback.
2) This version of SERVER.EXE was also modified to disable the NetWare debugger. The ALT-SHIFT-SHIFT-ESC key combination is not available at any time, and the "-D" switch for forcing the debugger to start after server load is unavailable. If you require the NetWare debugger to troubleshoot a server problem, you will need to temporarily copy the standard SERVER.EXE back to C:\NWSERVER; the server is not ICSA compliant while that file is in place, so restore the kit's SERVER.EXE afterwards.
3) Other SERVER.EXE command line switches that are unavailable in this version are: -NA, -A, -NS, -S, -NL and #!<loadstage_number>.
4.0 Legal Information
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
This product may require export authorization from the U.S. Department of Commerce prior to exporting from the U.S. or Canada.
Copyright (C) 2002 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, BorderManager and NetWare are registered trademarks of Novell, Inc. in the United States and other countries.
eDirectory is a trademark of Novell, Inc.
All third-party trademarks are the property of their respective owners.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com