Novell Cool Solutions: Trench
By Mark Russell
Posted: 22 Sep 2003
I am sysadmin for a college of further education in the South of England. Our core network is NetWare based (6.0.2 and 5.1.5 with eDir 8.7.0) and we run BorderManager 3.7, GroupWise 6.5 and ZENworks for Desktops 3.2. We have a helpdesk team that deals with desktops and peripherals, but all the aforementioned is left to me and my two Systems team members to administer.
For the last few years I have been known to both staff and students alike as "Big Brother", an allusion brought about by the reasonably draconian restrictions I place on both our Internet and e-mail services. I have been threatened with the Data Protection Act and the Human Rights Act (not to mention shouted at extensively) by staff who perceive my work as somehow impinging on their right to enjoy life -- where "enjoyment" means downloading or e-mailing each other as much daftness as possible. Some people just don't feel their lives are complete without Sheep.exe.
Well, Blaster and SoBig-F have finally vindicated my position as resident despoiler of all things fun. It is precisely because our restrictions are so... er... restrictive that we have managed to avoid all forms of virus infection entirely. So far.
What we do
Our defences are threefold; I like to call it the "Belt, Braces and Sledgehammer" approach. Tight security is all well and good, but by far and away the best way to stop unwanted visitors is to hit them repeatedly with a big stick. I often joke that it is my job to make mountains out of molehills -- when you've only got a small team to deal with everything that (ab)users can throw at you then it's easiest to make things big, and above all uncomplicated. I take my coffee black, with two lumps of paranoia.
Firstly, we operate a default-deny policy on our BorderManager proxy servers, combined with content filtering provided by SurfControl. Secondly, we have the BorderManager packet filters well configured. Thirdly, our access rules prevent students and staff from downloading executables, screensavers and PIF files, as well as most types of movie and sound file.
Our e-mail gateway is similarly well protected. We are currently running GroupWise 6.5 throughout our institution, with restrictions to prevent the transmission of any file larger than 2MB. We use Guinevere v2.0 to provide attachment blocking, which covers all .exe, .com, .bat, .pif and .scr files, as well as most of the standard media formats. Guinevere is of course configured to use our Sophos anti-virus product to scan all e-mail traffic, and its signatures are updated daily. Furthermore, we have globally disabled the HTML view in GroupWise, so that malicious content carried in spam is never rendered or executed by the client.
Our AV product, Sophos, is installed universally, with the NetWare server component continually scanning our data volumes and reporting centrally whenever any form of infected medium is placed into a PC. The central installation is updated twice daily, and then pushed out to all PCs (via a *shudder* Win 2000 / IIS 5 Server platform) twice weekly. It would be every day, but we had to make a compromise between effective security and annoying the entire staff and student body; there are times when discretion is the better part of administration!
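As an added example (illustrative code written for this page, not GroupWise, Guinevere or Sophos, and doing no virus scanning), here is a small model of the two mail-gateway checks described above: a wire-size limit like the one set on the GWIA, and an attachment blocklist by extension like the Guinevere rules. The 2MB limit and the extension list come from the article; the function names and the sample messages are constructed here.

```python
"""
Model of the mail-gateway policy above: a size gate and an extension
blocklist. Added example, not product code; limits and extensions are the
article's, everything else is constructed for the demonstration.
"""
import email
from email import policy
from email.message import EmailMessage

MAX_MESSAGE_BYTES = 2 * 1024 * 1024                             # the article's 2MB limit
BLOCKED_EXTENSIONS = {".exe", ".com", ".bat", ".pif", ".scr"}  # the article's blocked types


def blocked_extension(filename):
    """True if the final extension of filename is on the blocklist.

    Only the last extension counts and the comparison ignores case, so
    'report.pdf.exe' and 'Sheep.EXE' are blocked while 'notes.exe.txt' is not.
    """
    dot = filename.rfind(".")
    if dot == -1:
        return False
    return filename[dot:].lower() in BLOCKED_EXTENSIONS


def attachment_filenames(msg):
    """Yield the declared filename of every attachment part.

    get_filename() reads the Content-Disposition filename and falls back to
    the Content-Type name parameter, so either way of naming a part is seen.
    """
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            yield name


def check_message(raw):
    """Decide whether a raw RFC 2822 message (bytes) may pass the gateway.

    Returns (accepted, reason). The size test runs first, on the wire size,
    which is what a gateway-level limit sees; it therefore includes the
    base64 overhead of any attachment, not just the file's own size.
    """
    if len(raw) > MAX_MESSAGE_BYTES:
        return False, "message exceeds %d bytes" % MAX_MESSAGE_BYTES
    msg = email.message_from_bytes(raw, policy=policy.default)
    for name in attachment_filenames(msg):
        if blocked_extension(name):
            return False, "blocked attachment: %s" % name
    return True, "ok"


def build_message(attachment_name, payload=b"MZ\x90\x00 not a real program"):
    """Construct a sample message with one attachment (test input, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "staff@college.example"
    msg["To"] = "everyone@college.example"
    msg["Subject"] = "you have to see this"
    msg.set_content("Have a look at the attachment.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("Sheep.EXE", "report.pdf", "report.pdf.exe", "notes.exe.txt"):
        print(name, check_message(build_message(name)))
    oversized = build_message("holiday.avi", b"\0" * (3 * 1024 * 1024))
    print("holiday.avi (3MB)", check_message(oversized))
```

Two points worth noting from running it: the size gate fires on the encoded message, so a 2MB wire limit admits rather less than 2MB of attachment; and, like any rule of this kind, the extension test sees only the declared filename, so a blocked type inside an archive or under a renamed extension passes it, which is what the AV scan sitting behind it is for.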
How we do it
- The default deny: easy. By default, BorderManager blocks all traffic through the proxy server. If the first rule in your access control list is "Allow all to all", delete it and reconfigure your rules to suit.
- Packet filters: Again, by default, the packet filters prevent the flow of all traffic through the proxy. Configuring exceptions to allow particular protocols through the proxy is a bit more complex and requires a bit more thought than the access rules, but there are plenty of TIDs available on Novell's knowledgebase, and plenty of expert advice can be drawn from Craig Johnson's book -- go here: http://nscsysop.hypermart.net/
- Blocking downloads: use the access control rules in BorderManager. You can block the download of a particular file type with a rule such as http://*/*.exe (for executables) or http://*/*.mp3. I owe Tom Gibson for this one, but if you want to be really clever you can make the rule *://*/*.exe, which will block the type over HTTP, HTTPS and FTP alike. Sweet! Clearly these will need tailoring to your particular institution, but they work well. Bear in mind that a rule like this matches the requested URL, not what comes back: a file served by a download script whose URL carries no extension will not be caught, so the rules are one layer and the AV scanning behind them still matters.
- File sizes: in ConsoleOne, go to the properties of your GWIA. Choose Access Control and edit the Default Class of Service. You can set size limits for incoming and outgoing SMTP mail here. It's better to do it on the GWIA than via Guinevere, as oversized messages are rejected outright at the gateway rather than having to pass through your network to be scanned.
- Guinevere: I can't speak highly enough about this product. Virus scanner, mail filter and attachment blocker, it's easy to set up and easy to use. Go here: http://www.gwava.com/ to download an evaluation copy. As an added bonus, Guinevere allows you to attach a global signature to all outgoing external e-mail. (Can I get a percentage for endorsing this?!)
- GroupWise 6.5 allows you to disable the HTML View in Administration. In the GroupWise view in ConsoleOne, highlight the relevant domain and click Tools -- GroupWise Utilities -- Client Options -- Environment -- Views, and disable the HTML view.
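As an added example (written for this page; it is not BorderManager code and does not reproduce the product's matcher), here is a small model of the default-deny access rules and the download-blocking patterns from the list above, using the article's own rule syntax (http://*/*.exe, *://*/*.exe). Assumptions made here: '*' matches any run of characters, including '/' and '?'; matching ignores case; rules are tried top to bottom and the first match wins; and a URL matching no rule is denied. The sample URLs are constructed for the demonstration.

```python
"""
Model of the proxy access rules above. Added example, not BorderManager code.
Assumed semantics: '*' matches anything, case-insensitive, first match wins,
unmatched URLs are denied.
"""
import re


def pattern_to_regex(pattern):
    """Compile a wildcard URL pattern where only '*' is special (assumption)."""
    pieces = [re.escape(piece) for piece in pattern.lower().split("*")]
    return re.compile(".*".join(pieces), re.DOTALL)


class Acl:
    """Ordered allow/deny rules with default deny when nothing matches."""

    def __init__(self, rules):
        # rules: iterable of (action, pattern) pairs, evaluated top to bottom
        self.rules = [(action, pattern_to_regex(p), p) for action, p in rules]

    def decide(self, url):
        """Return (action, matched_pattern); ('deny', 'default') if no rule matched."""
        target = url.lower()
        for action, regex, pattern in self.rules:
            if regex.fullmatch(target):
                return action, pattern
        return "deny", "default"   # the default-deny stance from the article


# Rule set in the article's notation: type blocks first, then ordinary browsing.
RULES = [
    ("deny", "*://*/*.exe"),     # any scheme (http, https, ftp): no executables
    ("deny", "*://*/*.scr"),
    ("deny", "*://*/*.pif"),
    ("deny", "http://*/*.mp3"),  # the http-only form from the article, for comparison
    ("allow", "http://*/*"),     # general browsing, only after the denies
    ("allow", "https://*/*"),
]

# Constructed URLs exercising the rules (not from the article).
SAMPLE_URLS = [
    "http://www.example.com/setup.exe",
    "http://www.example.com/SETUP.EXE",
    "ftp://ftp.example.com/pub/setup.exe",
    "ftp://ftp.example.com/pub/readme.txt",
    "http://www.example.com/song.mp3",
    "https://www.example.com/song.mp3",
    "https://www.example.com/index.html",
    "http://mirror.example/download?id=42",
    "http://www.example.com/setup.exe?dl=1",
]


def evaluate(acl, urls=SAMPLE_URLS):
    """Return {url: (action, pattern)} for every sample URL."""
    return {url: acl.decide(url) for url in urls}


if __name__ == "__main__":
    acl = Acl(RULES)
    for url, (action, pattern) in evaluate(acl).items():
        print("%-5s %-42s matched %s" % (action, url, pattern))
    # The mistake the list above warns about: an allow-all rule ahead of the denies.
    sloppy = Acl([("allow", "*")] + RULES)
    print("with allow-all first:", sloppy.decide("http://www.example.com/setup.exe"))
```

Two rows are the caveats a practitioner would want to see. The download-script URL with no extension is allowed, because the rule sees only the URL and never the content; and, under the wildcard semantics assumed here, a query string after .exe also slips past *://*/*.exe, so whether the product normalises that away is something to check in BorderManager itself rather than assume. Both are reasons the AV scan behind the proxy still earns its keep. The last line shows why the article says to delete an "Allow all to all" rule sitting at the top: with it in place every deny below it is dead.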
All in all, a very comprehensive security solution is right there in the red box from Novell. In the current climate, given the number of academic institutions that appear to be struggling to combat the effects of these recent infections, we're pretty pleased with the fruits of our labours... so far!
I also couldn't have done this without the hard work of my small but dedicated team. Kudos where kudos are due -- this is a team effort (I quite frankly admit I have no idea how the AV push agent works, and it wasn't me who sorted out the packet filters....). Thanks guys!
NOTE: This article took shape in the School Cool Solutions forum on Fighting Viruses. If you have other virus-fighting experiences to share, you can e-mail us here, or go out to the School Cool forums and post to your heart's content.