Before you install the remote access software, you should create a security plan for remote users dialing in to your network. This involves selecting the type of access security you want to implement and whether the restrictions will be placed globally or for selected users only.
Remote access provides the following levels of access security:
Default security is in effect when you first install and set up a basic configuration. The default security for each service is explained in Table 2.
Table 2. Default Security Requirements
The default security parameters specify the following:
After the remote client establishes a connection, the remote client must log in to the NetWare network. The system does not prompt for a NetWare login until the user runs the login command.
As an administrator, you can customize the level of security by restricting the following:
You can define the following security options globally for all users:
Maximum connection time ---You can limit the time online for all users. If you set this value to 0 minutes, remote access will immediately disconnect the user when the user dials in. If you set this value to -1, there is no limit. Connections that are already established are not affected.
Idle time before disconnection ---Remote access disconnects a user after the connection has been idle for a specified amount of time, in minutes. This helps you manage line usage costs by disconnecting inactive connections. This option is not valid for ARAS connections.
Password restrictions ---These restrictions apply to the Remote Client password that is set for each user. You can specify the number of times a user can enter an incorrect password, as well as the minimum length of the password.
Dialback ---You can require users to specify a dialback number at connection time. Or, you can allow users to request dialback at connection time.
Dial-out restrictions ---You can restrict users from dialing out to a specific number by specifying a list of authorized numbers. Dial-out restrictions apply only to modem-independent ports.
NOTE: Setting a value for a security option for a user overrides, in order, the nearest container, remote access server, and global settings for that option.
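The override order in the note above (user, then nearest container, then remote access server, then global) and the special values of the maximum connection time (0 disconnects at dial-in, -1 means no limit) can be modelled in a few lines. The following is an added example, not Novell's code or the product's own configuration format; the option names, layer contents and usernames are constructed sample data.

```python
# Added example (not Novell's code): resolve the effective value of a remote
# access security option from layered settings. The most specific layer that
# defines the option wins; a layer that does not mention the option inherits
# from the next one. Also models the maximum-connection-time semantics:
# 0 minutes drops the user as soon as the user dials in, -1 means no limit.
# Option names, layer values and usernames are constructed sample data.

from typing import Optional

NO_LIMIT = -1
OPTIONS = ("max_connection_time", "idle_timeout", "min_password_length")


def effective_setting(option: str, layers: list) -> Optional[object]:
    """Return the most specific defined value for `option`.

    `layers` is ordered from most to least specific:
    [user, nearest container, remote access server, global].
    """
    for layer in layers:
        if option in layer:
            return layer[option]
    return None


def connection_allowed_minutes(max_connection_time: int) -> Optional[int]:
    """Turn the max-connection-time value into an enforcement decision.

    Returns None for 'no limit', otherwise the minutes allowed for a new
    call (0 meaning the call is dropped immediately at dial-in). The check
    applies to new connections only; established sessions are not affected.
    """
    if max_connection_time == NO_LIMIT:
        return None
    if max_connection_time < NO_LIMIT:
        raise ValueError("max connection time must be -1 or >= 0")
    return max_connection_time


# Constructed sample layers (hypothetical values, not product defaults).
GLOBAL = {"max_connection_time": 120, "idle_timeout": 15, "min_password_length": 6}
SERVER = {"idle_timeout": 10}
CONTAINER = {"max_connection_time": 60}
USER_ALICE = {"max_connection_time": 0}   # explicitly barred from dialing in
USER_BOB = {}                             # inherits everything


def resolve_for(user_layer: dict) -> dict:
    """Compute every option's effective value for one user."""
    layers = [user_layer, CONTAINER, SERVER, GLOBAL]
    return {opt: effective_setting(opt, layers) for opt in OPTIONS}


if __name__ == "__main__":
    for name, layer in (("alice", USER_ALICE), ("bob", USER_BOB)):
        settings = resolve_for(layer)
        minutes = connection_allowed_minutes(settings["max_connection_time"])
        print(name, settings, "allowed minutes:", minutes)
```

Reviewing a user's effective settings this way, rather than only the value typed at one level, is how you catch a container or server setting that silently widens access for a user you thought was restricted.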
You can define remote access security for each user. If you have more than one remote access server on the network, you can customize user security from a single server console. Note, however, that you must specify dial-out restrictions on each remote access server.
You can configure the following options for each user:
Maximum connection time ---You can limit the time online for a user. If you set this value to 0 minutes, remote access will immediately disconnect the user when the user dials in. If you set this value to -1, there is no limit. Connections that are already established are not affected. This parameter overrides any global defaults.
Idle Timeout ---Remote access disconnects the user after a connection has been idle for a specified amount of time. You can set the idle timeout value for a user or a container. This option is not valid for ARAS connections.
Dialback ---Forced dialback enables you to enforce maximum security by preconfiguring a dialback number for each caller. You can also require users to specify a dialback number at connection time, or you can allow users to choose to dial back and specify a dialback number at connection time.
Dial-out restrictions ---You can restrict a user from dialing out to any number by creating a list of authorized numbers for that user. Dial-out restrictions apply to modem-independent ports.
Remote Client password ---You can set a Remote Client password for ARAS, NCS, and PPPRNS clients using the PAP or CHAP method of authentication. By default, there is no Remote Client password, and ARAS, NCS, and PPPRNS services are denied without a password. The NetWare password is still required for PPPRNS with NWCAP selected. You can set the password to be valid for a specific number of days and require users to change their passwords when they expire. Remote access provides users with the tools to change their Remote Client passwords. Once a user's Remote Client password has expired, the user must use these tools to change the Remote Client password. The user is allowed three grace logins after the password has expired. If the user logs in using the three grace logins without changing the password, the user is denied logon to remote access. The administrator must then use NIASCFG or the NetWare Administrator utility in Windows to assign a new password to the user.
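The Remote Client password lifecycle described above (validity in days, three grace logins after expiry, denial once they are used up without a change, and an administrator reset to recover) is worth modelling explicitly, because the boundary between the third grace login and the fourth attempt is where lockouts actually happen. This is an added example, not Novell's code; the validity period, day numbers and event sequences are constructed sample values.

```python
# Added example (not Novell's code): a state machine for the Remote Client
# password lifecycle described in the text. The password is valid for a set
# number of days; after it expires the user gets three grace logins; if all
# three are used without changing the password the user is denied, and only
# an administrator assigning a new password restores access.
# The validity period and day numbers are constructed sample values.

from dataclasses import dataclass

GRACE_LOGINS = 3


@dataclass
class RemoteClientPassword:
    valid_days: int          # validity period set by the administrator
    set_on_day: int = 0      # day the password was (last) set
    grace_used: int = 0      # grace logins consumed since expiry
    locked: bool = False     # denied until an administrator assigns a new password

    def expired(self, today: int) -> bool:
        return today - self.set_on_day >= self.valid_days

    def login(self, today: int) -> str:
        """Return 'ok', 'grace' (allowed, change required) or 'denied'."""
        if self.locked:
            return "denied"
        if not self.expired(today):
            return "ok"
        if self.grace_used < GRACE_LOGINS:
            self.grace_used += 1
            return "grace"
        # All grace logins spent without a change: deny and lock.
        self.locked = True
        return "denied"

    def change_password(self, today: int) -> None:
        """The user changes the password with the remote access tools."""
        if self.locked:
            raise PermissionError("locked: an administrator must assign a new password")
        self.set_on_day = today
        self.grace_used = 0

    def admin_reset(self, today: int) -> None:
        """Administrator assigns a new password (e.g. via NIASCFG)."""
        self.locked = False
        self.set_on_day = today
        self.grace_used = 0


def simulate(events, valid_days: int = 30) -> list:
    """Replay ("login"|"change"|"reset", day) events and return each outcome."""
    pw = RemoteClientPassword(valid_days=valid_days)
    outcomes = []
    for kind, day in events:
        if kind == "login":
            outcomes.append(pw.login(day))
        elif kind == "change":
            pw.change_password(day)
            outcomes.append("changed")
        elif kind == "reset":
            pw.admin_reset(day)
            outcomes.append("reset")
        else:
            raise ValueError(f"unknown event {kind}")
    return outcomes


if __name__ == "__main__":
    # Constructed timeline: the user ignores the expiry and burns all grace logins.
    print(simulate([("login", 10), ("login", 30), ("login", 31),
                    ("login", 32), ("login", 33), ("reset", 34), ("login", 35)]))
```

A useful detection angle follows directly from the model: a burst of "grace" outcomes for one account, followed by "denied", is the signature of a user (or an automated client reusing a stale password) that never ran the password-change tool, and it is visible before the administrator gets the reset request.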
You can configure service-specific security options for each of the following services:
You can disable PPPRNS security or enable one or more of the three supported protocols used to establish a connection:
This type of authentication (NWCAP) is the default method for maintaining network security. With this method, users must specify the NetWare password to successfully establish a connection. This type of authentication is supported by the PPPRNS client for the remote access dialer. The NetWare password is encrypted and is not sent in plain text across the wire.
NOTE: The PPPRNS client for DOS (DOSDIAL) and Windows (Windows Dialer) NetWare Connect 2.0 dialers are also supported.
This type of authentication (PAP) offers minimum security. It is not enabled by default. If you enable this protocol, users must specify the Remote Client password to successfully establish a connection. The Remote Client password is sent in plain text across the wire. This method is supported by the PPPRNS client for the remote access dialer. Enable this option if you have UNIX clients that support PAP, such as the LAN WorkPlace® software. NOTE: The PPPRNS client for DOS (DOSDIAL) and Windows (Windows Dialer) NetWare Connect 2.0 dialers are also supported.
This type of authentication (CHAP) allows third-party PPP clients that support CHAP to connect to remote access. It is disabled by default, and is used by Windows 95 and Windows NT. This method is not supported by the PPPRNS client that is shipped with Novell Internet Access Server 4.1. This method of authentication requires users to specify the Remote Client password to establish a connection. The Remote Client password is used for encryption and is not sent across the wire.
If the default NWCAP authentication is enabled, users must specify a NetWare username and password. If you enable PAP or CHAP, users must specify Remote Client passwords.
PPPRNS negotiates the security modes in the following order (when enabled): CHAP, PAP, and NWCAP. For example, suppose the server is configured to support both NWCAP and CHAP. If the client supports only CHAP, CHAP is used. If the client supports only NWCAP, NWCAP is used. If the client supports both CHAP and NWCAP, CHAP is used because it is negotiated first.
When PAP or CHAP is used, a Remote Client password must be defined to allow users access. To allow users access without Remote Client passwords, either turn off PPPRNS security or use the Set PPPRNS AdmitNoConfig=ON command at the server console to validate users without Remote Client passwords.
NOTE: To use the native Windows 95 or Windows NT dialer to connect to a Novell Internet Access Server 4.1 server, you must enable CHAP or PAP on Novell Internet Access Server 4.1 and either assign a Remote Client password to each user or allow users without Remote Client passwords to be validated.
If you want your Windows 95 dialer to use NetWare passwords instead of Remote Client passwords, you must install the latest Novell Client for Windows 95 from the client CD-ROM. Refer to the Novell Internet Access Server 4.1 remote access online help for more information. From the server console, type SET PPPTSM NWCAPFIRST=ON. This does not affect Windows 95 or Windows NT clients using the Microsoft client or older NetWare clients.
If security is disabled at the server side, the remote client must specify None for the security type.
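The negotiation order, the Remote Client password requirement for PAP and CHAP, the AdmitNoConfig=ON escape hatch, and the "None" security type for a server with security disabled can be put together in one decision function. This is an added example that models the rules stated above; it is not Novell's code. The client capability sets and user records are constructed, and the effect modelled for NWCAPFIRST=ON (moving NWCAP to the front of the order) is an assumption drawn from the surrounding text rather than a documented specification.

```python
# Added example (not Novell's code): model PPPRNS security-mode negotiation as
# the text describes it. The server walks its enabled protocols in the order
# CHAP, PAP, NWCAP and the first one the client also supports is used. Then
# the admission rule is applied: PAP and CHAP require a Remote Client password
# unless AdmitNoConfig=ON; NWCAP uses the NetWare password; a server with
# security disabled expects the client to select None.
# Client capability sets and user records are constructed sample data; the
# NWCAPFIRST handling below (NWCAP tried first) is an assumption, not a
# documented specification.

NEGOTIATION_ORDER = ("CHAP", "PAP", "NWCAP")

# Whether the secret crosses the wire in the clear, per the text.
SENDS_PASSWORD_IN_CLEAR = {"CHAP": False, "PAP": True, "NWCAP": False}


def negotiate(server_enabled, client_supported, security_disabled=False,
              nwcap_first=False):
    """Return the negotiated mode, "None" if security is off, or None on failure."""
    if security_disabled:
        return "None"
    order = NEGOTIATION_ORDER
    if nwcap_first:  # assumed effect of SET PPPTSM NWCAPFIRST=ON
        order = ("NWCAP",) + tuple(p for p in NEGOTIATION_ORDER if p != "NWCAP")
    for proto in order:
        if proto in server_enabled and proto in client_supported:
            return proto
    return None  # no common method: the connection cannot be established


def admit(proto, user, admit_no_config=False):
    """Decide whether the user is validated under the negotiated mode.

    `user` is a dict with 'remote_client_password' and 'netware_password'
    booleans saying whether each credential is set for the account.
    """
    if proto is None:
        return False
    if proto == "None":
        return True
    if proto == "NWCAP":
        return user["netware_password"]
    # PAP or CHAP: a Remote Client password is required unless the
    # administrator ran "Set PPPRNS AdmitNoConfig=ON" on the server console.
    return user["remote_client_password"] or admit_no_config


def connect(server_enabled, client_supported, user, **kw):
    """Full decision: negotiated mode, admitted or not, clear-text exposure."""
    admit_no_config = kw.pop("admit_no_config", False)
    proto = negotiate(server_enabled, client_supported, **kw)
    return {
        "mode": proto,
        "admitted": admit(proto, user, admit_no_config),
        "password_in_clear": SENDS_PASSWORD_IN_CLEAR.get(proto, False),
    }


# Constructed sample accounts.
USER_WITH_RCP = {"remote_client_password": True, "netware_password": True}
USER_NO_RCP = {"remote_client_password": False, "netware_password": True}

if __name__ == "__main__":
    print(connect({"NWCAP", "CHAP"}, {"CHAP", "NWCAP"}, USER_WITH_RCP))
    print(connect({"NWCAP", "CHAP"}, {"CHAP"}, USER_NO_RCP))
    print(connect({"NWCAP", "CHAP"}, {"CHAP"}, USER_NO_RCP, admit_no_config=True))
```

The `password_in_clear` field is the reason to prefer CHAP or NWCAP over PAP where the clients allow it, and the `admit_no_config` path is the setting to audit: once it is on, any dial-in client that negotiates PAP or CHAP is validated for accounts that never had a Remote Client password assigned.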
For NASI Connection Service (NCS), you apply security to the network workstation dialing out and to the remote workstation dialing in. Enabling security for the network workstation means that NASI workstations must specify a password. Enabling remote security means that remote workstations must specify a username and a Remote Client password.
For AppleTalk Remote Access Service (ARAS), you can restrict access to AppleTalk zones globally for all users or on a per-user basis.
Remote access supports third-party security products that implement token-based challenge/response types of security. These products have both hardware and software components. Remote access supports the software by providing a configuration option in the configuration utility. The hardware components are installed between the remote access port and the modem.
When third-party security is enabled, PPPRNS and NCS users must be validated through third-party security. After third-party security passes, call selection takes place. Any configured security for a service is applied to the call before the session is established.
PPPRNS users must configure their dialers to enter terminal mode to process the third-party security validation and transfer the call to PPP mode. If the dialer is configured incorrectly, that is, the call goes into PPP mode right away, the call will be rejected. Refer to the Novell Internet Access Server 4.1 remote access online help for information about how to use scripts for the dialers.
When the services available on a port are PPPRNS, NCS, or both, the incoming call executes third-party security as soon as the call is received. If additional services (such as ARAS) are also available on a port, the usual call selection will take place first. This enables services that do not support third-party security to accept calls even when third-party security is enabled. After the initial call selection, third-party security is executed.
If third-party security passes, a second call selection process takes place to determine which service the call is destined for.
If PPPRNS clients are configured incorrectly and the call is selected during the initial call selection process, the call is terminated.
If you have services other than PPPRNS or NCS selected, you can minimize the call establishment time for PPPRNS and NCS calls by restricting ARAS (and other services that do not support third-party security) to using specific ports.