Managing Network Security

A Novell Small Business Suite network maintains data in the file system and in the NDS database. The file system stores files and applications that are used by network users. The NDS database stores information that is used to maintain and manage the network, such as access to network resources, printing, and security.

Access to files, directories, and NDS objects is easily managed from various points in NDS, in the file system structure, or in both. Intruders would need to pass through several transparent layers of security before they could even attempt to access a directory or file.

Controlling Access to the Network

Access control determines what information and resources are available to which users, and what actions users can perform on the network. Access control is implemented through the following.

Authentication. As the network administrator, you control who can log in to the network by adding user accounts with Novell Easy Administration Tool^TM (NEAT).

Authentication means that users logging in to the network and the NDS tree are either granted or denied access. If access is granted, users are given access only to those servers that they have access rights to. When users log in to a server, they can access only the volumes, directories, and files that they have access rights to.

You can control rights for users and groups who need access to all resources, such as data and programs that reside in files and directories. You can also protect all objects from unauthorized access at the server level.

Novell Modular Authentication Service (NMAS) software provides additional login methods for users to authenticate to NDS. These new login methods provide increased security in accessing network resources. NMAS must be installed on both a NetWare 5.1 server and on the Novell client workstation. After NMAS in installed, the new login methods are installed and managed using ConsoleOne^TM. For more information about this service, see the online documentation on the Web.
NDS security. NDS security controls access to NDS objects and their properties. You can grant or deny users or groups access to NDS objects. For example, if you grant a user operator rights to a Printer object, the user can modify the printing parameters for that Printer object.

You can use NetWare^® Administrator to set all rights to objects.
File system security. You protect the file system by controlling access to network files, directories, and volumes. You can grant users or groups different types of rights, including types of access and abilities to perform different actions within the network file system. For example, you can restrict applications and data files on network servers to Read Only access so that the application or data files can be used but not changed.

You can give or deny access to directories and files with NEAT. For more information, see Managing the NetWare File System.
Cryptography Services. Novell Certificate Server provides public key cryptography services that are natively integrated into NDS and that allow you to mint, issue, and manage both user and server certificates. These services allow you to protect confidential data transmissions over public communications channels such as the Internet.

For additional information about cryptography services, see the online documentation on the Online Documentation CD or on the Web. Click NetWare 5.1 > Security Services > Novell Certificate Server 2.0.
Firewall Services. BorderManager^TM 3.5 offers firewall services. Firewall and Caching/Proxy Services of Boarding Manager 3.5 are available in the Novell Small Business Suite 5.1.

For installation instructions, see the PARTNERS.PDF file on the Novell and Partner Solutions CD.

Complete information about BorderManager 3.5 is in the online documentation on the Online Documentation CD or on the Web. Click BorderManager Enterprise Edition 3.5 > Novell BorderManager Enterprise Edition 3.5 Overview and Planning.

Creating a Network Protection Plan

When creating a protection plan for your network, remember that the file system and NDS database information are maintained as separate systems. To create the most efficient protection plan for your network, analyze what methods ensure the most efficient protection for each server and workstation.

You can perform the following tasks to prevent network data loss, reduce system vulnerability, and recover from a system failure.

Use the SECURE CONSOLE utility to lock important functions on the server console. For more information on this utility, see Securing the Server Console or the online documentation on the Online Documentation CD or on the Web. Click NetWare 5.1 > Contents > Utilities Reference > Utilities > SECURE CONSOLE.
Use an uninterruptible power supply (UPS) in case of power outages. See Using a UPS.
Use Transaction Tracking System (TTS) software to prevent data corruption. See Using Transaction Tracking System.
Prevent virus infection by educating users about the dangers of software viruses. See Preventing Virus Infections.
Set NCP^TM packet signature options so that the client and server must sign each data packet. See Preventing Packet Forgery.
Develop an effective backup method that fits your company's needs. See Backing Up and Restoring Data.

Using a UPS

Using an uninterruptible power supply (UPS) is an essential part of your network. Not only does it help prevent damage to your computers from power surges and brownouts, but it also prevents data loss during power outages. Every server should have a UPS installed, and every workstation should have surge protection.

For more information, see the online documentation on the Online Documentation CD or on the Web. Click NetWare 5.1 > Contents > NetWare Server Documentation > Operating System > Managing > Preventive Maintenance Tasks > Preventing Power Supply Errors.

If your company does not have a UPS, we recommend that, at the minimum, you invest in a surge control connector for every computer on your network in order to prevent data loss in case of a power surge.

Using Transaction Tracking System

Transaction Tracking System (TTS) software can prevent data corruption by backing out of incomplete transactions and keeping a record of backed-out data.

By default, TTS is enabled.

The network server automatically disables TTS if one of the following happens:

Volume SYS becomes full. (Volume SYS is the TTS backout volume.)
The network server has insufficient memory to operate TTS.

If TTS has been disabled and you have solved the problems that led to its disabling, enter the following at the server console prompt to enable TTS again:

ENABLE TTS

Backing Out of Incomplete Transactions Automatically

To enable the server to automatically back out of any incomplete transactions without action on your part, make sure that TTS is enabled by completing the following:

At the server console prompt, enter
MONITOR
From the Available Options menu, select Server Parameters > Transaction Tracking > Auto TTS Backout Flag.
Make sure that the value is set to the default ON.

If the value is set to OFF, edit the STARTUP.NCF file to set it to ON.
Shut down and reboot the server to activate the changes.

Keeping a Log of Backed-Out Data

To keep a log (TTS$LOG.ERR on volume SYS) of all data that is backed out by TTS, make sure that TTS is enabled by completing the following steps:

At the server console prompt, enter
MONITOR
From the Available Options menu, select Server Parameters > Transaction Tracking > TTS Abort Dump Flag.
Make sure that the value is set to ON (the default is OFF). Press Enter to change it if necessary.
Press Esc twice to reach the Update Options menu.
From the Update Options menu, select Update AUTOEXEC.NCF and STARTUP.NCF Now.

A window appears, indicating the path to the AUTOEXEC.NCF file.
(Optional) Press Enter to update the file.

The system writes the parameters to the AUTOEXEC.NCF file or updates the parameters if they are already in the file.

If you do not update AUTOEXEC.NCF, the parameter changes are in effect only until the server is rebooted.

Securing the Server Console

The server console is most secure when it is locked in a place where no one can reboot the server or tamper with it. You can gain an additional level of security by using the SECURE CONSOLE utility.

IMPORTANT: SECURE CONSOLE does not lock the server console.

SECURE CONSOLE provides the following protections:

It prevents NLM^TM programs from being loaded from any directory other than the boot directories---SYS:SYSTEM or C:\NWSERVER. It prevents keyboard entry into the operating system debugger.
It prevents the server date and time from being changed.

To use SECURE CONSOLE, complete the following steps.

At the server console prompt, enter
SECURE CONSOLE
(Optional) To secure the console whenever the server is booted, add the SECURE CONSOLE command to the server's AUTOEXEC.NCF file.

IMPORTANT: To remove SECURE CONSOLE, you must shut down the server and reboot it. If the SECURE CONSOLE command is in the AUTOEXEC.NCF file, you must remove the command from the file before you shut down the server, or the command will automatically run when you restart the server.

To prevent keyboard entry at the console, use the Lock File Server Console option in MONITOR as follows:

At the console prompt, enter
MONITOR
Select Lock File Server Console, then press Enter.
Enter and verify a password to lock the console.

The keyboard will remain locked until the password is entered again.

Preventing Virus Infections

The best way to keep viruses off the network is to educate your users about virus dangers and by enforcing procedures that reduce virus risks.

Virus protection software from Network Associates is included in the Novell Small Business Suite. See the PARTNER.PDF file on the Novell and Partners Solution CD for additional product information and installation instructions.

We also recommend that you do the following:

Back up data frequently.
Maintain layers of archived backups so that you can retrieve a backup from a pre-infected file.
Keep a write-protected, bootable diskette available with the latest virus scan and removal software for all servers and workstations.
Keep a backup of executable files.
Educate yourself about the infection techniques of the latest viruses.
Educate network users about how to detect viruses.
Warn users of the dangers of viruses. Discourage them from using diskettes and files that have been in computers away from work.
Warn users about opening e-mail from unknown sources.
Teach users to turn off their workstations immediately upon encountering a virus.
Restrict access to a server's diskette drives by locking the server in a secure room. Put tape over the drive openings to remind yourself not to use them unnecessarily.
Avoid using the Supervisor account when possible. The fewer rights and privileges your login account has, the less power a virus has to destroy data (and to spread to other computers).
Caution users about downloading files to their workstations from the Internet. Scan the files for viruses if possible.

Preventing Packet Forgery

Another security feature, NCP Packet Signature, protects servers and clients by using NetWare Core Protocol^TM (NCP) services.

NCP Packet Signature prevents packet forgery by requiring the server and the client to sign each NCP packet. The packet signature changes with every packet.

NCP packets with incorrect signatures are discarded without breaking the client's connection to the server. However, an alert message about the invalid packet is sent to the error log, the affected client, and the server console. The alert message contains the login name and the station address of the affected client.

Implementing a Backup and Restore Strategy

Include a full, offline backup of the file system and NDS database in your network protection plan. Your plan should be to back up your data on a regular basis and to make sure that you know how to restore your data.

Using Enhanced SBACKUP

Novell Small Business Suite provides a backup and restore solution for your network through a storage management system, Enhanced SBACKUP.

For specific details on setting up and using Enhanced SBACKUP, see the online documentation on the Online Documentation CD or on the Web. Click NetWare 5.1 > Backup and Restore Services (Storage Management Services).

IMPORTANT: The Enhanced SBACKUP procedures are advanced procedures that should be performed by or with the assistance of someone who is experienced in NetWare 5.1 and NDS. If you need help with the procedures, contact your Novell Authorized Reseller^SM representative.

In addition to the procedures specified in the Enhanced SBACKUP online documentation, note the following:

Running Enhanced SBACKUP

Enhanced SBACKUP, the Storage Management Services^TM (SMS^TM) product for NetWare, can be run from the server by loading the specified NLM programs at the server and then running NWBACK32.EXE at a workstation or running SBCON.NLM at the server.

Loading and Unloading NLM Programs for SMS

Two commands have been created to make loading and unloading the necessary NLM programs for SMS at the server easier. All required files except for NWTAPE.CDM and your SCSI/IDE drivers are loaded. These commands can be used as follows:

To load the NLM programs, enter SBSTART at the server console prompt or click Start > Novell SB > SMS Backup > Load SMS at the workstation.
To unload the NLM programs, enter SBSTOP at the server console prompt or click Start > Novell SB > SMS Backup > Unload SMS at the workstation.

Changing the Protocol Settings

By default, NWBACK32.EXE selects IPX as the Preferred Protocol. If you want to run NWBACK32.EXE in a pure-IP environment, complete the following in order to change the default setting:

Click IP/IPX on the button bar or select File > Preferred Protocol from the menu.
Select TCP/IP, then click OK.
Click Reconfigure SMDR on the button bar or select File > Configure SMDR from the menu.
Check the NDS check box and verify that the NDS tree name is correct.
Click the browse button next to Backup Group Context, then browse the tree for the CN=SMS SMDR Group.
Select the group, then click OK.
Click OK two more times, then restart NWBACK32.EXE.

IMPORTANT: If you only have IP loaded on the server and client workstation and you do not make these changes to the default setting, NWBACK32.EXE will not be able to communicate with the target service agents (TSAs) loaded on the server.

Resolving Your Server Name to an IP Address

If you do not have a way to resolve the name of your server to an IP address when running NWBACK32.EXE in a pure-IP environment, you will not be able to perform device administration or submit a job to a device using NWBACK32.EXE.

To resolve the name of your server to an IP address, load and configure the NetWare DNS server, or add the following line to the HOSTS file on each workstation:

server's_ip_address server_name

For example:

198.168.0.1 ACME_SVR

Using Third-Party Backup Applications

If you use a third-party backup application, see the documentation that came with your application.

If possible, maintain a standby server that you can attach to your regular server's external disk subsystem in case the server experiences an internal hardware failure. Several third-party vendors offer standby-server products that allow you to copy data from one system to another.

Backing Up and Restoring Data

Backing up network data is an essential function that you must perform to keep the network running smoothly. In case of hardware failure, natural disaster, corrupted data, or incorrectly deleted or changed data, you can always restore a previous version of the data.

About Backing Up

To help prevent problems, be sure to back up your NDS tree on a weekly basis. If you make any modifications to the NDS tree, be sure to back up the whole NDS database.

For the best protection of your NDS data, you should perform a full NDS backup, which backs up the NDS schema and the containers starting at [Root].

For the best protection of your file system, you should back up the entire file system periodically (such as once a week or once a month), and you should back up daily those files that have changed since the last backup.

About Restoring

If you perform regular backups, you can use your backup software to restore your NDS tree to its previous state in case a disaster occurs. If data has become corrupted, you should complete the following steps:

Delete the corrupted NDS data.
Allow time for the corrupted NDS data deletion to occur throughout the network.
Restore the NDS data.

Specific recovery procedures are found in the online documentation for the following scenarios on the Online Documentation CD or on the Web. Click Backup and Restore Services (Storage Management Services) > Setting Up > Restoring Data:

Loss of a non-SYS volume
Loss of volume SYS
Loss of an entire server
Loss of the entire NDS tree

Building a Backup Plan

The following backup and restore guidelines should be included in a network protection plan.

Use Enhanced SBACKUP or third-party backup software certified for NetWare 5.1.
Periodically check with Novell and with your third-party vendor to make sure that you have the latest version of the backup program, device drivers, TSA software, software patches, NLM versions, electronic distribution sources, etc., for updates to the NetWare 5.1 operating system, NDS (DS.NLM), and NDS utilities such as DSTRACE and DSREPAIR.

For updates, check Novell's electronic distribution source. Click NetWare, then select the applicable patch under NetWare 5.1.
Make sure that NDS is fully functional before backing up or restoring.
Only one network user with Supervisor rights should perform and keep track of backups. This will help eliminate problems with incomplete backups resulting from the backup user not having sufficient rights to certain portions of the NDS tree.
Back up NDS regularly.
In a single-server network, replication is not possible because there is no other server to store a replica on. In this environment, you must maintain a full offline backup of NDS. This is the only way you will be able to restore lost NDS data.

The frequency of backing up NDS depends on how often you make changes to your NDS tree. For NDS trees that change often, back up NDS every time you perform a full network backup. Always back up NDS before making major modifications to the NDS tree.
Verify the completeness of each backup and restore session. After each session, check the appropriate error and log files to make sure that the process completed successfully and did not skip crucial portions of your data.
Do not change NDS object names and contexts when restoring.
Do not use a restore situation to redesign your NDS tree. The restore process will go more smoothly if you keep the NDS database the same and restore servers to the same container objects as before.
Always restore NDS information before restoring file system information.
File system rights will be affected by restoring NDS objects. To avoid problems, always restore NDS information before restoring the file system.
Remember to update your software when reinstalling your server.
After reinstalling NetWare 5.1 or NDS from the original media, remember to reapply operating system patches and recopy updated drivers, NLM programs, and utilities before proceeding with a restore.