NCP Packet Signature

NetWare includes a security feature called NCP packet signature that protects servers and clients using the NetWare Core Protocol™ (NCP) services.

NCP packet signature prevents packet forgery by requiring the server and the client to sign each NCP packet. The packet signature changes with every packet.

Without NCP packet signature installed, a user could pose as a more privileged user and send a forged NCP request to a NetWare server. By forging the proper NCP request packet, an intruder could gain the Supervisor object right and access to all network resources.

NCP packets with incorrect signatures are discarded without breaking the client's connection with the server. However, an alert message about the invalid packet is sent to the error log, the affected client, and the server console. The alert message contains the login name and the station address of the affected client.

If NCP packet signature is installed on the server and all of its workstations, it is virtually impossible to forge a valid NCP packet.

For additional information about packet signature, see:

To implement packet signature, see Using NCP Packet Signature.


When to Use Packet Signature

NCP packet signature is recommended for security risks such as

NCP packet signature is not necessary for every installation. You might choose not to use NCP packet signature if you can tolerate security risks in situations such as


NCP Packet Signature Options

Because the packet signature process consumes CPU resources and slows performance both for the client and the NetWare server, NCP packet signature is optional.

Several signature options are available, ranging from never signing NCP packets to always signing NCP packets. NetWare servers and NetWare clients each have four settable signature levels.

The signature options for servers and clients combine to determine the level of NCP packet signature on the network.

You can choose the packet signature level that best meets both your system performance needs and network security requirements.

NOTE:  Some combinations of server and client packet signature levels can slow performance. However, low-CPU-demand systems might not show any performance degradation.


Effective Packet Signature

The NCP packet signature levels for the server and the client interact to create the effective packet signature for the network. Some combinations of server and client levels do not allow logging in.

The following figure shows the interactive relationship between the server packet signature levels and the client signature levels.

Figure 1
Effective Packet Signature of Server and Client


Recommended Signature Levels

The default NCP packet signature level is 1 for clients and 1 for servers. In general, this setting provides the most flexibility while still offering protection from forged packets. Following are some examples of situations requiring different signature levels.

Situation: All information on the server is sensitive.
Example: If an intruder gains access to any information on the NetWare server, it could damage the company.
Recommendation: Set the server to level 3 and all clients to level 3 for maximum protection.

Situation: Sensitive and nonsensitive information reside on the same server.
Example: The NetWare server has a directory for executable programs and a separate directory for corporate finances (such as Accounts Receivable).
Recommendation: Set the server to level 2 and the clients that need access to Accounts Receivable to level 3. All other clients remain at the default, level 1.

Situation: Users often change locations and workstations.
Example: You are uncertain which employees will be using which workstations, and the NetWare server contains some sensitive data.
Recommendation: Set the server to level 3. Clients remain at the default, level 1.

Situation: A workstation is publicly accessible.
Example: An unattended workstation is set up for public access to nonsensitive information, but another server on the network contains sensitive information.
Recommendation: Set the sensitive server to level 3 and the unattended client to level 0.
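
The interaction described under Effective Packet Signature, applied to the level pairs recommended above, as an added example (not Novell's code and not part of the original page). It assumes the standard NetWare level meanings, which this page does not spell out: 0 = never signs, 1 = signs only if the peer requests it, 2 = signs if the peer is able to, 3 = requires signing. All function names and the sample inventory are hypothetical.

```python
# Added example: models how server and client NCP signature levels combine.
# Level meanings are an assumption taken from the standard NetWare
# definitions (they are not spelled out on this page):
#   0 = never signs, 1 = signs only if the peer requests it,
#   2 = signs if the peer is able to, 3 = requires signing.
NO_LOGIN, UNSIGNED, SIGNED = "no login", "unsigned", "signed"


def effective_signature(server_level: int, client_level: int) -> str:
    """Return the effective packet signature for one server/client pair."""
    levels = (server_level, client_level)
    for level in levels:
        if level not in (0, 1, 2, 3):
            raise ValueError(f"signature level must be 0-3, got {level!r}")
    # A side at level 3 refuses a peer that cannot sign at all (level 0).
    if 3 in levels and 0 in levels:
        return NO_LOGIN
    # Packets are signed when both sides can sign and at least one asks for it.
    if min(levels) >= 1 and max(levels) >= 2:
        return SIGNED
    return UNSIGNED


def matrix() -> list:
    """Rows are client levels 0-3, columns are server levels 0-3."""
    return [[effective_signature(s, c) for s in range(4)] for c in range(4)]


def audit(pairs) -> list:
    """Return the (name, server, client, result) rows that are not signed."""
    rows = [(n, s, c, effective_signature(s, c)) for n, s, c in pairs]
    return [row for row in rows if row[3] != SIGNED]


# Constructed sample inventory: (description, server level, client level),
# using the level pairs from the recommendations above plus the defaults.
SAMPLE = [
    ("all data sensitive", 3, 3),
    ("finance client, mixed server", 2, 3),
    ("other client, mixed server", 2, 1),
    ("roaming users", 3, 1),
    ("public workstation vs sensitive server", 3, 0),
    ("defaults", 1, 1),
]

if __name__ == "__main__":
    for row in matrix():
        print(" | ".join(f"{cell:8}" for cell in row))
    for name, s, c, result in audit(SAMPLE):
        print(f"{name}: server={s} client={c} -> {result}")
```

Under these assumed level meanings, the audit reports the public workstation as unable to log in to the level 3 server, and reports the default pair (1 and 1) as unsigned because neither side requests signing.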

For information on implementing NCP Packet Signature, see Using NCP Packet Signature.


