Novell clients use NCP (the NetWare Core Protocol) to access resources such as NDS, the file system, and print services. On NetWare 5.0 and later, NCP can run over IP instead of, or in addition to, IPX. NCP defines the connection control and service request encoding that NetWare workstations and file servers use to talk to each other; it maintains its own connection control and packet-level error checking instead of relying on other protocols for those functions. NetWare workstations issue NCP requests to a server to establish and terminate connections, and to retrieve the following types of information:
NetWare servers respond to these requests with NCP replies. When the server has processed and complied with the request, the workstation ends the session by sending a Destroy Service Connection request to the server.

NCP packet signature is a security feature rather than a protocol in the usual sense of the term; it protects servers and clients that use NCP services. It prevents packet forgery by requiring the server and the client to sign each NCP packet using RSA (Rivest-Shamir-Adleman) public- and private-key cryptography, a widely used public-key algorithm. The signature changes with every packet. Note that the signature authenticates each packet; it does not encrypt it. NCP data still travels in the clear, so packet signature defends against forged and spoofed requests, not against eavesdropping. The cost is CPU time: signing every packet can slow both the client workstation and the NetWare server. If the server receives an NCP packet with an incorrect signature, it discards the packet without breaking the client workstation's connection, and it sends an alert identifying the source of the invalid packet to the error log, to the affected client workstation, and to the NetWare server console. Without NCP packet signature, a network intruder could pose as a more privileged user and send a forged NCP request to a NetWare server. By forging the right NCP request packet, an intruder could gain the Supervisor object right and, with it, access to all network resources. With NCP packet signature installed on the server and on every client workstation, it is virtually impossible for an intruder to forge an NCP packet that appears valid.

NCP Packet Signature Options
Several signature options are available, ranging from never signing NCP packets to always signing them. NetWare servers and NetWare clients each have four signature levels you can set, and the server level and client level combine to determine the level of NCP packet signature on the network, so you can choose the combination that best balances system performance against network security requirements. The following sections describe the server and client levels, the special case of job servers, and the effective level that results from combining the two settings. You should install NCP packet signature if any of these security risks applies to your network:
Some combinations of server and client packet signature levels slow performance, although systems with low CPU demand might show no degradation. NCP packet signature is not necessary for every installation; you might choose not to use it if you can tolerate the security risk, as in these situations:
The default NCP packet signature level is 1 for clients and 1 for servers. This setting provides the most flexibility while still offering protection from forged packets: any client or server raised to level 2 or 3 gets signed sessions. Be aware, though, that at level 1 each side signs only when the other side asks for it, so with both sides at the default of 1 neither asks and sessions run unsigned. Table 32.5 gives examples of situations that call for different signature levels.
Table 32.5. Setting NCP Signature Levels
Server Signature Levels
Before you set a new signature level on the server, determine the server's current level by typing the following console command:
SET NCP Packet Signature Option
You can use the SET console command to raise the signature level, but you cannot lower it without rebooting the server. Before you use the SET console command, you must add the line
SET NCP Packet Signature Option = 1
to the startup.ncf file and then restart the server. After that, each time you bring up the server, you can set its signature level by typing
SET NCP Packet Signature Option = desired signature level
The default level is 1. The server signature levels are as follows:
Client Signature Levels
To set the signature level for a DOS or Windows 3.x client, add this parameter to the workstation's net.cfg file:
signature level = number
To set the signature level for an individual Windows 9x, Windows NT, or Windows 2000 workstation, change the parameter on the Advanced Settings tab of Novell NetWare Client Properties by following these steps:
You can set the signature level for many clients at once by adding the signature level to the configuration file used when you install the clients. The client workstation packet signature levels are as follows:
Packet Signature and Job Servers
A job server is a server that performs a task and then returns the completed task. Job servers can serve as database servers, Web servers, file servers, proxy servers, or a firewall. Be aware that some job servers do not support NCP packet signature. A job server might produce unsigned sessions if any of the following conditions exists:
To minimize the security risk from job servers, install queues only on servers that run at packet signature level 3, and do not let privileged users place jobs in queues on servers with a signature level lower than 3. In addition, make sure the job server's account is unprivileged, that is, verify that the job server cannot change client rights. If it does have that permission, you can disable it, preventing the job server from assuming a client's rights, by adding the following SET command to the server's startup.ncf file:
SET Allow Change to Client Rights = OFF
The default is ON, because certain job servers and third-party applications cannot function without changing to client rights. Refer to the vendor's documentation to determine whether the job server can function without client rights.

Effective Packet Signature Levels
The signature levels of the server and of the client workstations combine to determine the overall level of NCP packet signature on the network, called the effective packet signature level. Some combinations of server and client packet signature levels might slow performance, although systems with low CPU demand might show no degradation. Choose the packet signature level that meets the performance needs and security requirements of the system. Table 32.6 shows how the server packet signature levels and the client workstation signature levels interact.
Table 32.6. Effective Server/Client Signature Combinations
Troubleshooting Packet Signature Conflicts
If client workstations are not signing packets, first make sure the signature level on the client workstation is not set to 0. SECURITY.VLM loads by default when the client signature level is 1, 2, or 3; load the VLM software with the /V4 command-line parameter to display load-time information, which shows whether SECURITY.VLM was loaded. If client workstations cannot log in, make sure the packet signature levels on the server and the client workstation are correct and do not conflict. If any of the following signature combinations exists, clients will not be able to log in:
If you get the "Error Receiving from the Network" message, the client workstation is using a version of LOGIN.EXE that does not support NCP packet signature. To remedy this, install a version of LOGIN.EXE, along with its associated utility files, that is compatible with packet signatures on every NetWare server on the network.
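The effective-level rules and the login-failure combinations described above are easiest to check by encoding them. The following Python script is an added example, not code from the chapter or from Novell. It assumes the documented meaning of the four levels (0: never sign; 1: sign only when the peer requests it, which a peer does at level 2 or 3; 2: sign whenever the peer is able to, which a peer is at level 1 or above; 3: always sign and refuse a peer that cannot sign), derives the outcome for every server/client pair from those rules, and audits a constructed inventory of client levels against one server setting. The level semantics, the hostnames, and the function names are assumptions of this example, not taken from the chapter.

```python
"""Effective NCP packet signature level from server and client settings.

Added example; not the chapter's or Novell's code. The four level meanings
below are assumed from Novell's documented behaviour, since the chapter's
level descriptions and Table 32.6 are not reproduced here.
"""

from itertools import product

LEVEL_NAMES = {
    0: "never sign",
    1: "sign only if the peer requests it",
    2: "sign if the peer can sign",
    3: "always sign and require the peer to sign",
}


def effective_signature(server_level: int, client_level: int) -> str:
    """Return 'signed', 'unsigned' or 'login fails' for one server/client pair."""
    for lvl in (server_level, client_level):
        if lvl not in LEVEL_NAMES:
            raise ValueError(f"signature level must be 0-3, got {lvl}")

    # A side that requires signing (3) cannot connect to a side that never signs (0).
    if {server_level, client_level} == {0, 3}:
        return "login fails"
    # Any other pairing that includes a 0 simply runs unsigned.
    if 0 in (server_level, client_level):
        return "unsigned"
    # Level 1 signs only on request, and a level-1 peer never requests:
    # the default 1/1 pairing therefore runs unsigned.
    if server_level == 1 and client_level == 1:
        return "unsigned"
    # Every remaining pair has one side at 2 or 3 and the other at 1 or above,
    # so one side asks (or insists) and the other is able to comply.
    return "signed"


def signature_matrix() -> dict:
    """All 16 combinations, keyed by (server_level, client_level)."""
    return {(s, c): effective_signature(s, c) for s, c in product(range(4), repeat=2)}


def unsigned_combinations() -> list:
    """Pairs a security review should flag: sessions are established but unsigned."""
    return sorted(pair for pair, outcome in signature_matrix().items() if outcome == "unsigned")


def login_failure_combinations() -> list:
    """Pairs that prevent clients from logging in at all."""
    return sorted(pair for pair, outcome in signature_matrix().items() if outcome == "login fails")


def audit_clients(server_level: int, clients: dict) -> dict:
    """Map each hostname in `clients` ({host: client level}) to its outcome
    against a server at `server_level`."""
    return {host: effective_signature(server_level, lvl) for host, lvl in clients.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames are made up): a server left at
    # the default level 1 and clients at every level.
    sample_clients = {"ws-dos-01": 0, "ws-win31-02": 1, "ws-nt-03": 2, "ws-2000-04": 3}
    for host, outcome in audit_clients(1, sample_clients).items():
        print(f"{host:12s} -> {outcome}")
    print("unsigned combinations:", unsigned_combinations())
    print("login failures:", login_failure_combinations())
```

Running the audit against a server at the default level shows the point made earlier about the 1/1 default: the level-0 and level-1 clients get unsigned sessions, and only clients raised to 2 or 3 are protected. Raising the server to level 3 instead turns every level-0 client into a login failure, which is the conflict the troubleshooting section describes.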