5.9 Using NCP Packet Signature

NetWare includes a feature called NCP Packet Signature that protects servers and clients by using the NetWare Core Protocol™ (NCP™) services.

NCP Packet Signature prevents packet forgery by requiring the server and the client to sign each NCP packet. The packet signature changes with every packet.

Without NCP Packet Signature installed, a user could pose as a more privileged user and send a forged NCP request to a NetWare server. By forging the proper NCP request packet, an intruder could gain the Supervisor right to the Server object and access to all network resources.

NCP packets with incorrect signatures are discarded without breaking the client’s connection with the server. However, an alert message about the invalid packet is sent to the error log, the affected client, and the server console. The alert message contains the login name and the station address of the affected client.

If NCP Packet Signature is installed on the server and all of its workstations, it is virtually impossible to forge a valid NCP packet.

For additional information about packet signature, see the following:

To implement packet signature, see Implementing NCP Packet Signature.

5.9.1 Why Should I Use Packet Signatures?

We recommend using NCP Packet Signatures for security risks such as the following:

  • You have an untrustworthy user at a workstation on the network
  • Easy physical access to your network cabling system exists
  • You have an unattended, publicly accessible workstation on the network

NCP Packet Signature is not necessary for every server installation. You might choose not to use NCP Packet Signature if you can tolerate security risks in situations such as the following:

  • Only executable programs reside on the server
  • You know and trust all network users
  • Data on the NetWare server is not sensitive and loss or corruption of this data would not affect operations

5.9.2 NCP Packet Signature Options

Because the packet signature process consumes CPU resources and slows performance both for the client and the NetWare server, NCP Packet Signature is optional.

Several signature options are available, ranging from never signing NCP packets to always signing NCP packets. NetWare servers and Novell clients each have four settable signature levels.

The signature options for servers and clients combine to determine the level of NCP Packet Signature on the network.

You can choose the packet signature level that best meets both your system performance needs and network security requirements.

NOTE:Some combinations of server and client packet signature levels can slow performance. However, low-CPU-demand systems might not show any performance degradation.

5.9.3 Effective Packet Signature

The NCP Packet Signature levels for the server and the client interact to create the effective packet signature for the network. Some combinations of server and client levels do not allow logging in.

The following figure shows the interactive relationship between the server packet signature levels and the client signature levels.

Figure 5-1 Effective Packet Signature for a Server and Client

5.9.4 Recommended Signature Levels

The default NCP Packet Signature level is 1 for clients and 1 for servers. In general, this setting provides the most flexibility while still offering protection from forged packets. Following are some examples of situations requiring different signature levels.

Table 5-13 NCP Packet Signature Level Recommendations

Situation

Example

Recommendation

All information on the server is sensitive.

If an intruder gains access to any information on the NetWare server, it could damage the company.

Set the server to level 3 and all clients to level 3 for maximum protection.

Sensitive and nonsensitive information reside on the same server.

The NetWare server has a directory for executable programs and a separate directory for corporate finances (such as Accounts Receivable).

Set the server to level 2 and the clients that need access to Accounts Receivable to level 3. All other clients remain at the default, level 1.

Users often change locations and workstations.

You are uncertain which employees will be using which workstations and the NetWare server contains some sensitive data.

Set the server to level 3. Clients remain at the default, level 1.

A workstation is publicly accessible.

An unattended workstation is set up for public access to nonsensitive information, but another server on the network contains sensitive information.

Set the sensitive server to level 3 and the unattended client to level␣0.

For information on implementing NCP Packet Signature, see Implementing NCP Packet Signature.

5.9.5 Implementing NCP Packet Signature

To implement NCP Packet Signature, complete the following procedures:

Setting Server Signature Levels

  • To determine the server’s current signature level, enter the following command at the System Console prompt or view the setting using Novell Remote Manager:

    SET NCP Packet Signature Option

  • To set a server’s packet signature level, enter the following command at the System Console prompt or change the setting using Novell Remote Manager:

    SET NCP Packet Signature Option = number

    Replace number with 0, 1, 2, or 3. The default is 1.

    For example:

    SET NCP Packet Signature Option = 2

Table 5-14 Server NCP Packet Signature Options and Explanations

Number

Explanation

0

The server does not sign packets (regardless of the client level).

1

The server signs packets only if the client requests it (client level is 2 or higher).

2

The server signs packets if the client is capable of signing (client level is 1 or higher).

3

The server signs packets and requires all clients to sign packets or logging in will fail.

To ensure that the signature level is set each time the server is brought up, you can add this Set parameter command to your startup.ncf file

You can also use the Set parameter command to change the signature level from a lower to a higher level or use Novell Remote Manager.

You cannot change from a higher to a lower level unless you first reboot the server. For example, if the current signature level is 2, you can’t set the signature level to 1 by using the Set command at the console.

To change the signature level from 2 to 1, you must add the Set command to the startup.ncf file and then restart the server.

Setting Client Signature Levels

Set client signature levels to 0, 1, 2, or 3. The default is 1. Increasing the value increases security, but decreases performance.

Table 5-15 Client NCP Packet Signature Options and Explanations

Number

Explanation

0

Disabled. The Client does not sign packets.

1

Enabled, but not preferred. The Client signs packets only if the server requests it (server level is 2 or higher).

2

Preferred. The Client signs packets if the server is capable of signing (server level is 1 or higher).

3

Required. The Client signs packets and requires the server to sign packets or logging in will fail.

To set DOS or MS Windows client signature levels, add the following parameter to the workstation’s net.cfg file:

signature level = number

To set the Windows 95 or Windows NT client signature level for an individual workstation, change the parameter setting with the Advanced Settings tab of Novell NetWare Client Properties, as follows:

  1. In the system tray, right-click N.

  2. Click Novell Client Properties > Advanced Settings.

  3. Select Signature Level from the scrollable list.

You can set the signature level for multiple clients at once by adding the signature level to the configuration file when you install the clients. For information about configuring Windows clients, see the Novell Client online documentation.

Changing the Signature Level for an NLM

NLM programs that use the Novell Runtime Libraries are assigned a default NCP Packet Signature level that corresponds to the current signature level of the server.

To change the packet signature level for a single NLM, use the following command syntax when you load the NLM:

[LOAD] NLM [CLIB_OPT]/L number

Replace number with 0, 1, 2, or 3.

Setting Packet Signature for Job Servers

A job server is a server that performs a task and then returns the completed task. Most job servers are third-party products.

You should be aware that some job servers do not support NCP Packet Signature. A job server might produce unsigned sessions if one of the following occurs:

  • It does not operate on top of DOS
  • It does not use standard Novell clients
  • It is not an NLM
  • It uses its own implementation of the NCP engine (such as embedded print servers in printers)
Minimizing Risks

To minimize security risks associated with job servers:

  • Install queues only on servers with signature level 3.
  • Do not allow privileged users to put jobs in queues on servers with signature levels below 3.
  • Make sure the job server’s account is unprivileged.
  • Disable the job server’s ability to change to client rights.
Disabling Change to Client Rights

To prevent a job server from assuming the rights of a client, add the following SET command to the server’s startup.ncf file:

SET Allow Change to Client Rights = OFF

The default is On, because certain job servers and third-party applications cannot function without changing to client rights. To determine whether the job server can function without client rights, refer to the documentation that comes with the job server.