NetWare Core Protocol (NCP)


Novell clients use NCP to access resources such as NDS, the file systems, and the printer services. If you have NetWare 5.0 or above, you can use NCP over IP instead of, or in addition to, NCP over IPX. Note that the NCP packet signature function can consume CPU resources and slow performance for both the client workstation and the NetWare server.

The NCP packet signature is more of a security feature than a protocol in the sense in which the term protocol is normally used. The feature protects servers and clients that use NCP services: it prevents packet forgery by requiring the server and the client to sign each NCP packet using RSA (Rivest-Shamir-Adleman) public- and private-key encryption. The RSA algorithm is the standard for data encryption, especially for data sent over the Internet. The packet signature changes with every packet.

NCP defines the connection-control and service-request encoding aspects of the interaction between NetWare workstations and file servers. NCP maintains its own connection control and packet-level error checking instead of relying on other protocols for those functions. NetWare workstations issue NCP requests to a server to establish and terminate connections and to request services such as the following:

  • File access and transfers (with the NCOPY command)

  • Virtual drive mappings (with the MAP command)

  • Directory searches (with the FILER utility)

  • Print queue status (with the PCONSOLE utility)

NetWare servers then respond to these requests with NCP replies. When the server has processed and complied with the request, the workstation terminates the connection by sending a Destroy Service Connection request to the server.

If the server discovers any NCP packets that have incorrect signatures, it discards them without breaking the client workstation's connection with the server. In addition, the server sends an alert message about the source of the invalid packet to the error log, the affected client workstation, and the NetWare server console.

If you do not install NCP packet signature on your system, a network intruder could pose as a more privileged user and send a forged NCP request to a NetWare server. By forging the proper NCP request packet, an intruder could gain the Supervisor object right and access to all network resources. If you install NCP packet signature on the server and all the network client workstations, it is virtually impossible for an intruder to forge an NCP packet that would appear valid.

NCP Packet Signature Options

When you use NCP, several signature options are available, ranging from never signing NCP packets to always signing them. NetWare servers and NetWare clients each have four signature levels you can set, and the server and client settings combine to determine the level of NCP packet signature on the network. You can choose the packet signature level that best suits your system's performance needs and network security requirements; the sections that follow cover the server and client levels, the special case of job servers, and the effective level that results. You should install NCP packet signature if you have any of these security risks:

  • An untrusted user at a workstation on the network

  • Easy physical access to the network cabling system

  • An unattended, publicly accessible workstation

Some combinations of server and client packet-signature levels can slow performance, although low-CPU-demand systems might not show any degradation. NCP packet signature is not necessary for every installation. You might choose not to use NCP packet signature if you can tolerate the security risks, such as in these situations:

  • Only executable programs reside on the server.

  • You know and trust all network users.

  • Data on the NetWare server is not sensitive and loss or corruption of this data would not affect operations.

The default NCP packet signature level is 1 for clients and 1 for servers. This setting provides the most flexibility while still offering protection from forged packets. Table 32.5 provides some examples of situations requiring different signature levels.

Table 32.5. Setting NCP Signature Levels

  Situation: All information on the server is sensitive.
  Security concern: Intruders can gain access to information on the NetWare server that could compromise the company.
  Recommendation: Set the server to level 3 and all clients to level 3 for maximum protection.

  Situation: Sensitive and nonsensitive information resides on the same server.
  Security concern: The NetWare server has a directory for executable programs and a separate directory for corporate finances.
  Recommendation: Set the server to level 2 and clients that need access to company finances to level 3. Set all other clients to level 1.

  Situation: Users often change locations and workstations.
  Security concern: You are unsure which employees use which workstations, and the NetWare server contains sensitive data.
  Recommendation: Set the server to level 3 and all client workstations to level 1.

  Situation: A workstation is publicly accessible.
  Security concern: You have an unattended workstation that is set up for public access to nonsensitive information, but another server on the network contains sensitive information.
  Recommendation: Set the sensitive server to level 3, the unattended workstation to level 0, and the nonsensitive server to level 1.

Server Signature Levels

Before you set a new signature level on the server, you need to determine the server's current signature level, which you do by typing the following console command:

  SET NCP Packet Signature Option  

You can use the SET console command to change the signature level from a lower to a higher level, but you cannot change from a higher to a lower level unless you reboot the server. Before you use the SET console command, you must add

  SET NCP Packet Signature Option = 1  

to the startup.ncf file, and then restart the server. Then, each time you bring up the server, you can set the Signature level for that server by typing

  SET NCP Packet Signature Option = <desired signature level>

The default level is 1. Following is a description of the server signature levels:

  • Level 0: Server does not sign packets (regardless of the client level).

  • Level 1: Server signs packets only if the client requests it, that is, if the client level is 2 or higher.

  • Level 2: Server signs packets if the client is capable of signing (client level is 1 or higher).

  • Level 3: Server signs packets and requires all clients to sign packets; otherwise login fails.

Client Signature Levels

To set DOS or MS Windows 3.x client signature levels, add this parameter to the workstation net.cfg file:

  signature level = <number>

To set Windows 9x, Windows NT, or Windows 2000 client signature levels for individual workstations, you can change the parameter settings with the Advanced Settings tab of Novell NetWare Client Properties, by following these steps:

  1. From the system tray, right-click the Novell N symbol.

  2. Click Novell Client Properties.

  3. Click Advanced Settings, and then select Signature Level from the scrollable list. You can set client signature levels to 0, 1, 2, or 3; the default is 1. Increasing the value increases security but decreases performance.

You can set the signature level for multiple clients at once by adding the signature level to the configuration file when you install the clients. The following list describes the client/workstation packet signature levels:

  • Level 0, Disabled: Client does not sign packets.

  • Level 1, Enabled but not preferred: Client signs packets only if the server requests it, that is, if the server level is 2 or higher.

  • Level 2, Preferred: Client signs packets if the server is capable of signing (server level is 1 or higher).

  • Level 3, Required: Client signs packets and requires the server to sign packets; otherwise login fails.

Packet Signature and Job Servers

A job server is a server that performs a task and then returns the completed task. Job servers can serve as database servers, Web servers, file servers, proxy servers, or a firewall. Be aware that some job servers do not support NCP packet signature. A job server might produce unsigned sessions if any of the following conditions exist:

  • It does not operate on top of DOS.

  • It does not use standard Novell clients.

  • It is not an NLM (NetWare Loadable Module).

  • It uses its own implementation of the NCP engine (such as embedded print servers in printers).

To minimize the security risks associated with job servers, install queues only on servers that carry a packet signature level of 3, and do not allow privileged users to put jobs in queues on servers with signature levels lower than 3. In addition, make sure that the job server's account is unprivileged, verifying that the job server cannot change client rights. If it has that permission, you can disable it and prevent the job server from assuming the rights of a client by adding the following SET command to the server's startup.ncf file:

  SET Allow Change to Client Rights = OFF

The default is ON, because certain job servers and third-party applications cannot function without changing to client rights. Refer to the job server vendor's documentation to determine whether it can function without client rights.

Effective Packet Signature Levels

The signature levels for the server and the client workstations combine to determine the overall level of NCP packet signature on the network, called the effective packet signature level. Some combinations of server and client packet signature levels might slow performance, although low-CPU-demand systems might not show any degradation. You can choose the packet signature level that meets the performance needs and security requirements of the system. Table 32.6 shows how the server packet signature levels and the client workstation signature levels interact.

Table 32.6. Effective Server/Client Signature Combinations

  Client Level   Server = 0             Server = 1             Server = 2             Server = 3
  Client = 0     No Packet Signature    No Packet Signature    No Packet Signature    No Login Access
  Client = 1     No Packet Signature    No Packet Signature    Packet Signature       Packet Signature
  Client = 2     No Packet Signature    Packet Signature       Packet Signature       Packet Signature
  Client = 3     No Login Access        Packet Signature       Packet Signature       Packet Signature

Troubleshooting Packet Signature Conflicts

If the client workstations are not signing packets, ensure that the signature level on the client workstation is not set to 0. SECURITY.VLM loads by default when the client signature level is set to 1, 2, or 3. Use the /V4 command-line parameter when loading the virtual loadable module (VLM) software to display load-time information.

If the client workstations cannot log in, make sure the packet signature levels on the server and the client workstation are correct and do not conflict. If any of the following signature combinations exists, clients will not be able to log in:

  • Server packet signature = 3 and the client workstation signature = 0.

  • Server packet signature = 0 and the client workstation signature = 3.

  • The LOGIN utility is an older version that doesn't support packet signature.

  • The NetWare DOS Requester or the shell is an older version that doesn't support packet signature.
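The server and client level descriptions given earlier, the cells of Table 32.6, and the two level conflicts just listed all follow from the same pair of rules. The following Python is an added example (not Novell's code and not from the book) that encodes the four server levels and four client levels as two predicates and combines them as the text describes, so that the effective level and the login-failure cases are derived rather than looked up. The function names and the workstation inventory at the bottom are this example's own assumptions; the level semantics are taken from the page.

```python
# Added example (not Novell's code, not from the book): derive the effective
# NCP packet signature level of Table 32.6 from the per-side level rules.
# Function names and the inventory below are this example's own assumptions.

NO_SIGNATURE = "No Packet Signature"
SIGNATURE = "Packet Signature"
NO_LOGIN = "No Login Access"


def _check_level(level: int) -> None:
    # Both SET NCP Packet Signature Option and the client "signature level" take 0-3 only.
    if level not in (0, 1, 2, 3):
        raise ValueError(f"signature level must be 0, 1, 2 or 3, got {level!r}")


def server_signs(server_level: int, client_level: int) -> bool:
    """Server signature levels as described on the page."""
    _check_level(server_level)
    _check_level(client_level)
    if server_level == 0:            # 0: never signs, whatever the client level
        return False
    if server_level == 1:            # 1: only if the client requests it (client >= 2)
        return client_level >= 2
    if server_level == 2:            # 2: if the client is capable (client >= 1)
        return client_level >= 1
    return True                      # 3: always signs, and requires the client to


def client_signs(server_level: int, client_level: int) -> bool:
    """Client signature levels as described on the page (mirror of the server rules)."""
    _check_level(server_level)
    _check_level(client_level)
    if client_level == 0:            # 0 Disabled
        return False
    if client_level == 1:            # 1 Enabled, not preferred: only if server >= 2
        return server_level >= 2
    if client_level == 2:            # 2 Preferred: if the server is capable (server >= 1)
        return server_level >= 1
    return True                      # 3 Required


def effective_level(server_level: int, client_level: int) -> str:
    """Combine both sides into one of the three cell values of Table 32.6."""
    s = server_signs(server_level, client_level)
    c = client_signs(server_level, client_level)
    # A side at level 3 refuses the session unless its peer signs too.
    if (server_level == 3 and not c) or (client_level == 3 and not s):
        return NO_LOGIN
    # Once those refusals are removed, the rules never leave one side signing alone.
    assert s == c, f"one-sided signing for server={server_level}, client={client_level}"
    return SIGNATURE if s else NO_SIGNATURE


def signature_matrix() -> dict:
    """All 16 (server, client) combinations; compare with Table 32.6."""
    return {(s, c): effective_level(s, c) for s in range(4) for c in range(4)}


def login_conflicts(server_level: int, workstations: dict) -> list:
    """Names of workstations that would fail to log in to a server at server_level."""
    return sorted(name for name, level in workstations.items()
                  if effective_level(server_level, level) == NO_LOGIN)


def unsigned_sessions(server_level: int, workstations: dict) -> list:
    """Names of workstations that log in but exchange unsigned NCP packets."""
    return sorted(name for name, level in workstations.items()
                  if effective_level(server_level, level) == NO_SIGNATURE)


if __name__ == "__main__":
    matrix = signature_matrix()
    print("Client\\Server " + "".join(f"{s:>22}" for s in range(4)))
    for c in range(4):
        print(f"Client = {c}     " + "".join(f"{matrix[(s, c)]:>22}" for s in range(4)))

    # Constructed inventory for illustration (not from the page).
    inventory = {"finance-pc": 3, "lobby-kiosk": 0, "print-server": 0, "desk-01": 1}
    print("Server level 3 -> cannot log in:", login_conflicts(3, inventory))
    print("Server level 1 -> unsigned sessions:", unsigned_sessions(1, inventory))
```

Running the script prints the same grid as Table 32.6. The `unsigned_sessions` check is the one worth running before raising a server to level 3: every workstation it lists at the current level is one that is currently talking to the server without signatures, and any of them still at level 0 will lose login access once the server requires signing.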

If you get the "Error Receiving from the Network" message, the client workstation is using a version of the LOGIN.EXE file that does not include NCP packet signature. To remedy this, install a version of LOGIN.EXE, and its applicable utility files, that is compatible with packet signatures on all NetWare servers on the network.

Upgrading and Repairing Networks (5th Edition)
ISBN: 078973530X
Year: 2003
Pages: 434