8.4 Responding to Alerts

Novell BorderManager Alert monitors server performance, license acquisition for licensed Novell BorderManager services, security, and Proxy Services availability.

For information on specific alerts, see Section 8.4.1 through Section 8.4.4.

The following table describes some recommended responses to the Novell BorderManager alerts:

Alert

Recommended Actions

Disk space shortage

Reduce the size and number of log files. Add more disk space, if necessary.

Memory shortage

Check server resources using monitor.nlm to determine whether a module is using excessive memory. Add more memory, if necessary. Depending on the bus type, some NetWare servers do not register all the memory present unless a REGISTER MEMORY statement exists in the startup.ncf file. More information about REGISTER MEMORY is located in the NetWare 5 online documentation at the following path:

Reference > Utilities Reference (under the General Reference heading) > Utilities > REGISTER MEMORY

ECB shortage

Check server resources using monitor.nlm to determine which NLM uses the most event control blocks (ECBs). Increase the maximum packet receive buffers on the server if server memory allows.

License error

Verify the current licenses installed for the server and check for license conflicts or expired trial licenses. Install additional licenses, if necessary.

Loading or unloading a security-sensitive NLM

This alert is primarily informational. Verify that the server console is secure and all remote sessions are authorized. Reload or unload the NLM, if necessary.

Oversized ping packet

Use a packet sniffer to capture packets and determine the source IP address.

Configure a TCP/IP packet forwarding filter to block pings originating from that source.

SYN packet flooding

Use a packet sniffer to capture packets and determine the source IP address.

Configure a TCP/IP packet forwarding filter to block TCP packets originating from that source.

Oversized UDP packet

Use a packet sniffer to capture packets and determine the source IP address.

Configure a TCP/IP packet forwarding filter to block UDP packets originating from that source.

Cache hierarchy parent (ICP parent) down

Ping the parent server to check if there is a routing problem. Verify that the parent server for the cache hierarchy is down and bring the server back up.

Note that if the cache hierarchy has multiple parents configured, proxy servers lower in the hierarchy will use the other parent servers while this server is down.

SOCKS server down

Ping the SOCKS server to check if there is a routing problem. Verify that the SOCKS server is down and bring the server back up.

POP3 or SMTP server down

Ping the Post Office Protocol 3 (POP3) or SMTP server to check if there is a routing problem. Verify that the POP3 server or internal mail server is down. You might not be able to resolve this problem if the POP3 server is administered by someone who is outside your organization.

8.4.1 Server Performance Alerts

Server performance alerts notify you of potential problems with server parameters or operations that can cause Novell BorderManager services to underperform or fail.

The server performance alerts are as follows:

  • Disk space shortage

    A disk space shortage warning indicates that the shortage of disk space is severe enough to potentially cause server operations to fail.

  • Memory shortage

    A memory shortage warning indicates that the shortage of memory is severe enough to potentially cause server operations to fail.

  • Event Control Block (ECB) shortage (out of receive buffers or no ECBs available)

    An ECB shortage warning indicates that the packet receive buffer or ECB shortage is severe enough to potentially cause network input or output to degrade or fail.

8.4.2 License Acquisition Alerts

A license alert indicates that a Novell BorderManager service was unable to acquire the license it needs to operate.

Novell BorderManager Alert monitors license acquisition for the following:

  • Proxy Services

  • Virtual Private Network (VPN) servers and clients

  • Access control

8.4.3 Security Alerts

Security alerts notify you of possible security breaches. The causes of these alerts should be investigated further because your server might be the target of a denial-of-service attack.

Denial-of-service attacks commonly plague servers connected to the Internet and are initiated by someone without authorized access to servers. A denial-of-service condition can be caused by a bombardment of packets sent to a server in order to consume significant memory or CPU processing time. After these server resources have been allocated to handle the packets, connection requests made by legitimate users cannot be processed effectively.

As with computer viruses, new denial-of-service attacks are launched on the Internet community without warning. Many of the known denial-of-service attacks are documented on various Web sites.

The Novell BorderManager security alerts include the following:

  • Loading or unloading a security-sensitive NLM

    Security-sensitive modules are those that can potentially compromise network or server security when they are loaded or unloaded.

    The modules that are considered security-sensitive are as follows:

    • ds.nlm

    • ftpserv.nlm

    • ipxipgw.nlm

    • proxy.nlm

    • remote.nlm

    • tftpserv.nlm

    • vpninf.nlm

    • vpmaster.nlm

    • vpslave.nlm

  • Oversized ping packet

    An oversized ping packet warning can indicate that malicious activity is occurring on the server. This alert is generated when the server receives and discards ping packets that have more than 10,240 bytes of data. The server is enabled to discard these packets by default.

    For certain situations that require your server to receive larger ping packets, such as router stress tests, specify the following SET commands at the server console to change the largest ping packet size or disable packet discarding:

    SET LARGEST PING PACKET SIZE= n

    SET DISCARD OVERSIZED PING PACKETS=OFF

    The variable n is a decimal number representing the number of bytes allowed. Never specify a number with commas.

    To re-enable packet discarding, enter the following command at the server console:

    SET DISCARD OVERSIZED PING PACKETS=ON

    NOTE: You should know your network topology before changing the largest ping packet size, because packet sizes are limited by the type of media used. For Ethernet only, the oversized ping packet alert is not generated if the largest ping packet size is set between 35,541 and 65,535 bytes. However, alerts are generated for packets smaller than 35,541 bytes. The acceptable packet size ranges for other media differ and depend on each medium’s maximum transmission unit (MTU), which is the largest packet size a medium can transport without fragmentation.

  • SYN packet flooding

    A TCP SYN packet flood warning can indicate that malicious activity is occurring on the server, which can cause a denial-of-service condition. TCP connections require a three-way handshake between the server and client:

    • The client sends a packet in which the SYN flag is set in the TCP header.

    • The server sends a SYN/ACK (acknowledgment) packet.

    • The client sends an ACK packet so data transmission can begin.

    A denial-of-service condition occurs when the client fails to send the last ACK packet and intentionally sends successive TCP connection requests to the server to fill up the server’s buffer. After the server’s buffer is full, other clients cannot establish a connection, resulting in a denial-of-service condition.

    IMPORTANT: Novell BorderManager Alert detects only SYN packet floods for socket applications, such as FTP.

    Because of the importance of defending your server against SYN packet floods, the detection of SYN packet floods should always be enabled. However, for extreme troubleshooting measures, use the following SET command to disable detection if necessary:

    SET TCP DEFEND SYN ATTACKS=OFF

    Re-enable detection with the following command:

    SET TCP DEFEND SYN ATTACKS=ON

  • Oversized UDP packet

    An oversized UDP packet warning can indicate that malicious activity is occurring on the server. This alert is generated when the server receives and discards UDP packets larger than 16,384 bytes. The server is enabled to discard these packets by default.

    If necessary, specify the following SET commands at the server console to change the largest UDP packet size or disable packet discarding:

    SET LARGEST UDP PACKET SIZE= n

    SET DISCARD OVERSIZED UDP PACKETS=OFF

    The variable n is a decimal number representing the number of bytes allowed. Never specify a number with commas.

    To re-enable packet discarding, specify the following command at the server console:

    SET DISCARD OVERSIZED UDP PACKETS=ON

    NOTE: You should know your network topology before changing the largest UDP packet size, because packet sizes are limited by the type of media used. For Ethernet only, the oversized UDP packet alert is not generated if the largest UDP packet size is set between 35,541 and 65,535 bytes. However, alerts are generated for packets smaller than 35,541 bytes. The acceptable packet size ranges for other media differ and depend on each medium’s MTU, which is the largest packet size a medium can transport without fragmentation.
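The SYN packet flooding entry above describes the three-way handshake and explains that a flood consists of connection requests whose final ACK never arrives. The following Python example, added here and not part of the Novell documentation or of BorderManager itself, replays a trace of TCP segments (the kind of source, destination, port and flag fields a packet sniffer would give you) through that handshake, counts the connections still waiting for the client's ACK per source address, and flags the sources that exceed a threshold. The TcpPacket record, the HALF_OPEN_THRESHOLD value and the sample capture are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


# Constructed packet record: the fields a packet sniffer reports for one TCP
# segment. flags holds the TCP flags seen: "S" = SYN, "SA" = SYN/ACK, "A" = ACK.
@dataclass(frozen=True)
class TcpPacket:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str


# Hypothetical threshold: how many half-open connections from one source address
# are tolerated before it is flagged. Tune it to the server's real backlog.
HALF_OPEN_THRESHOLD = 5


def track_half_open(packets):
    """Replay the packets through the three-way handshake and return a map of
    client address -> number of connections still waiting for the client's ACK."""
    pending = {}  # (client, client_port, server, server_port) -> "SYN" or "SYN_ACK"
    for p in packets:
        if p.flags == "S":
            # Step 1: the client's SYN opens a half-open entry on the server.
            pending[(p.src, p.sport, p.dst, p.dport)] = "SYN"
        elif p.flags == "SA":
            # Step 2: the server's SYN/ACK; the key is written from the client's side.
            key = (p.dst, p.dport, p.src, p.sport)
            if pending.get(key) == "SYN":
                pending[key] = "SYN_ACK"
        elif p.flags == "A":
            # Step 3: the client's ACK completes the handshake and frees the entry.
            key = (p.src, p.sport, p.dst, p.dport)
            if pending.get(key) == "SYN_ACK":
                del pending[key]
    counts = defaultdict(int)
    for (client, _, _, _) in pending:
        counts[client] += 1
    return dict(counts)


def syn_flood_sources(packets, threshold=HALF_OPEN_THRESHOLD):
    """Source addresses whose half-open connection count reaches the threshold."""
    return sorted(c for c, n in track_half_open(packets).items() if n >= threshold)


def build_sample_capture():
    """Constructed capture: one legitimate FTP handshake from 10.0.0.5 and six
    SYNs from 198.51.100.7 that never send the final ACK."""
    server = "192.0.2.10"
    pkts = [
        TcpPacket("10.0.0.5", server, 40001, 21, "S"),
        TcpPacket(server, "10.0.0.5", 21, 40001, "SA"),
        TcpPacket("10.0.0.5", server, 40001, 21, "A"),
    ]
    for sport in range(50000, 50006):
        pkts.append(TcpPacket("198.51.100.7", server, sport, 21, "S"))
        pkts.append(TcpPacket(server, "198.51.100.7", 21, sport, "SA"))
    return pkts


if __name__ == "__main__":
    capture = build_sample_capture()
    print("half-open connections per source:", track_half_open(capture))
    print("sources to filter:", syn_flood_sources(capture))
```

The completed handshake from 10.0.0.5 is removed from the pending table, so only 198.51.100.7 is reported; that address is what you would feed into the packet forwarding filter recommended in the table at the start of this section. Counting per source is only as good as the source addresses in the trace, so treat the output as a starting point for the investigation rather than a verdict.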

Many other documented denial-of-service attacks can be detected by Novell BorderManager Alert, although attacks are not identified by name.
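The oversized ping packet and oversized UDP packet entries above give the default size limits, the SET commands that change them, and the rule that a size must never be written with commas. The following Python model, added here and not part of the Novell documentation or of BorderManager itself, parses SET lines in the console form shown above, keeps the four size and discard settings, and decides for a given packet whether it would be discarded and an alert raised. It assumes that an alert is raised only when a packet is actually discarded (the text ties the alert to "receives and discards"), and it does not model the media-specific ranges in the notes; the function and parameter names are the example's own.

```python
import re

# Defaults quoted in this section: ping packets with more than 10,240 bytes of
# data and UDP packets larger than 16,384 bytes are discarded by default.
DEFAULT_SETTINGS = {
    "LARGEST PING PACKET SIZE": 10240,
    "DISCARD OVERSIZED PING PACKETS": True,
    "LARGEST UDP PACKET SIZE": 16384,
    "DISCARD OVERSIZED UDP PACKETS": True,
}

# Accepts the console form shown above, with or without a space after "=".
_SET_LINE = re.compile(r"^\s*SET\s+([A-Z][A-Z ]*?)\s*=\s*(\S+)\s*$", re.IGNORECASE)


def apply_set_command(settings, line):
    """Parse one SET line and return a new settings dict. Raises ValueError for
    anything outside the modelled parameters, for ON/OFF values that are not ON
    or OFF, and for sizes that are not plain decimal numbers (commas included)."""
    m = _SET_LINE.match(line)
    if not m:
        raise ValueError(f"not a SET command: {line!r}")
    name = " ".join(m.group(1).upper().split())
    value = m.group(2).upper()
    if name not in settings:
        raise ValueError(f"unknown or unmodelled parameter: {name}")
    updated = dict(settings)
    if name.startswith("LARGEST"):
        # The documentation says never to specify the size with commas.
        if "," in value or not value.isdigit():
            raise ValueError(f"size must be a plain decimal number: {value!r}")
        updated[name] = int(value)
    else:
        if value not in ("ON", "OFF"):
            raise ValueError(f"expected ON or OFF: {value!r}")
        updated[name] = value == "ON"
    return updated


def is_valid_set_command(settings, line):
    """True if apply_set_command would accept the line."""
    try:
        apply_set_command(settings, line)
        return True
    except ValueError:
        return False


def evaluate_packet(settings, proto, data_len):
    """Model of the alert decision (assumption: an alert is raised only when the
    packet is discarded). proto is "PING" or "UDP"; returns (discarded, alert)."""
    proto = proto.upper()
    limit = settings[f"LARGEST {proto} PACKET SIZE"]
    if data_len > limit and settings[f"DISCARD OVERSIZED {proto} PACKETS"]:
        return True, f"Oversized {proto} packet: {data_len} bytes exceeds {limit}"
    return False, None


if __name__ == "__main__":
    s = DEFAULT_SETTINGS
    print(evaluate_packet(s, "PING", 12000))      # discarded, alert raised
    s = apply_set_command(s, "SET LARGEST PING PACKET SIZE= 12000")
    print(evaluate_packet(s, "PING", 12000))      # within the new limit
    s = apply_set_command(s, "SET DISCARD OVERSIZED PING PACKETS=OFF")
    print(evaluate_packet(s, "PING", 60000))      # discarding disabled
    print(is_valid_set_command(s, "SET LARGEST UDP PACKET SIZE= 20,000"))  # False
```

Running a proposed console change through apply_set_command before typing it at the server catches the comma mistake the documentation warns about, and evaluate_packet shows which packets the server would still discard (and alert on) once the change is in place. Only the four size and discard parameters are modelled; a line such as SET TCP DEFEND SYN ATTACKS=OFF is rejected rather than silently accepted.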

8.4.4 Proxy Alerts

Proxy alerts generally indicate that a proxy server has not been configured correctly or is down.

The proxy alerts are as follows:

  • Cache hierarchy parent (ICP parent) down

    A cache hierarchy parent down warning indicates a problem with the parent proxy cache server in a configured cache hierarchy. If the cache hierarchy client is enabled on the proxy server and the proxy fails to connect to the parent, the alert is triggered.

    If the option to forward all requests through the hierarchy has been selected and the parent is down, requests that cannot be fulfilled through the cache can result in an error because the parent is not available to access the source information.

  • SOCKS server down

    A SOCKS server down warning indicates that the SOCKS server to which the proxy cache server connects as a client is down. If the SOCKS client is enabled on the proxy server and the proxy fails to make a connection, the alert is triggered. Because a SOCKS server is often used as a firewall, requests that cannot be fulfilled through the cache can result in an error because the proxy cannot forward requests through the firewall.

  • POP3 or SMTP server down

    A POP3 server down warning indicates that there is a problem with a POP3 server or an internal SMTP mail server.

    The mail proxy enabled on the Novell BorderManager server cannot forward outgoing mail to the POP3 server or deliver incoming mail to the SMTP server.