Authentication provides the doorway for access to network resources. Without a strong authentication mechanism, sensitive network resources are essentially laid bare for anyone to access. The primary authentication method currently used with eDirectory is the username/password combination. Novell Modular Authentication Service (NMAS) makes it possible to integrate more advanced authentication and authorization techniques into your NetWare environment. Furthermore, NMAS offers a feature new with NetWare 6.5 that improves the traditional password-based authentication method, which is known as universal password.

Novell Modular Authentication Service

NMAS is designed to help you protect information on your network. NMAS offers a more robust framework for protecting your NetWare 6.5 environment. If you're not familiar with the different pieces of NMAS, you should get to know the following concepts. More information about each of these is provided in the NetWare 6.5 online documentation.

Phases of Operation

There are specific times when NMAS can be useful in helping to secure your network environment:
Each of these phases of operation is completely independent. You can choose to use the same, or completely different, identification techniques for each phase. To provide this functionality, NMAS introduces a few additional concepts to NetWare authentication:
Login Factors

NMAS uses three approaches to logging in to the network, known as login factors. These login factors describe different items or qualities a user can use to authenticate to the network:
NOTE NMAS provides support for password authentication only. Device and biometric login factors are supported with NMAS Enterprise Edition.

Login Methods and Sequences

A login method is a specific implementation of a login factor. Novell has partnered with several third parties to create a variety of options for each of the login factors described earlier in this chapter. A post-login method is a security process that is executed after a user has authenticated to eDirectory. One such post-login method is the workstation access method, which requires the user to provide credentials in order to unlock the workstation after a period of inactivity. Once you have decided upon and installed a method, you need to assign it to a login sequence in order for it to be used. A login sequence is an ordered set of one or more methods. Users log in to the network using these defined login sequences. If the sequence contains more than one method, the methods are presented to the user in the order specified. Login methods are presented first, followed by post-login methods.

Graded Authentication

Another important feature in NMAS is graded authentication, which allows you to grade, or control, access to the network based on the login methods used to authenticate to the network. Graded authentication operates in conjunction with standard eDirectory and file system rights to provide very robust control over data access in a NetWare 6.5 environment. There are three main elements to graded authentication:
By configuring these elements of graded authentication, you can greatly increase the security of your network data, and apply different types of security to data of different levels of sensitivity.

Installing NMAS

NMAS requires both server- and client-side software in order to perform its authentication services. Installation of the NMAS client happens during the installation of the Novell Client, and is described in Chapter 2. On the server, NMAS is one of the default services, and will be installed automatically with any service that requires its services, such as Native File Access Protocols (NFAPs). However, if necessary, you can install NMAS manually from iManager or from the graphical server console. To install NMAS from iManager, complete the following steps:
Once NMAS is installed, there are several configuration options, depending on your specific environment and needs. Server-side configuration is available through either iManager or ConsoleOne. Once the NMAS server options are configured, you can configure the NMAS client to leverage NMAS capabilities. Generally, the process involves the following:
For more detailed information on each of these NMAS configuration steps, see the Novell online documentation.

Universal Password

In addition to its other authentication and authorization options, NMAS also provides a new way of dealing with the different password requirements of some of Novell's cross-platform services. The traditional Novell password, although quite effective for NetWare-based authentication, is limited by its weak capability to integrate with non-NetWare systems. Universal password proposes to resolve this problem by simplifying the management of different password and authentication systems within your NetWare 6.5 environment. Universal password resolves several deficiencies in the current password authentication model across the various NetWare 6.5 services, including:
If the issues just mentioned, and the use of international characters in passwords, are not problems for you, you might not need to enable universal password. However, as your network becomes increasingly Web-integrated and managed, universal password will likely become more attractive. Universal password leverages NICI for cryptographic services, and NICI now includes a special cryptographic key that can be shared across multiple servers. Known as the SDI domain key, it removes the problems associated with encrypting data using server-specific keys. The SDI domain key can be shared across multiple servers so that any server in the domain can decrypt data.

Preparing for Universal Password

The universal password environment requires NetWare 6.5 on at least one of the servers in any replica ring that holds User objects that will leverage the universal password. To do this, identify the container(s) that holds the objects of those users who will be using universal password, and then locate the eDirectory partition in which that container resides and identify the server(s) that hold replicas of that partition. At least one of those servers will have to be a NetWare 6.5 server. Because of this requirement, universal password is not enabled by default in NetWare 6.5. However, as you plan your NetWare 6.5 migration, plan to upgrade at least one server in each partition first, and then move to other replica servers. This strategy will help smooth the way for using universal password throughout your network. NOTE If you want to use NFAP with universal password, NFAP servers should be upgraded as described previously for SDI domain servers.

Configuring the SDI Domain

NetWare 6.5 includes SDIDIAG.NLM for configuring the SDI domain in preparation for enabling universal password. Prior to creating the SDI domain, you should check any non-NetWare 6.5 servers that you want in the SDI domain to see if they meet the minimum requirements:
NOTE NICI v2.4.2 requires eDirectory 8.5.1 or later, so if you are not running a fairly current environment, the preparation for universal password can be significant. You can download NICI v2.4.2 from Novell's support Web site at http://support.novell.com/filefinder/. Based upon the results of the configuration tests, you can add or remove SDI domain key servers with SDIDIAG.NLM as well. To add a server to the SDI domain, complete the following steps:
Once you have placed all the necessary servers in the SDI domain, use SDIDIAG to check that each server has the cryptographic keys necessary to securely communicate with the other servers in the tree. To do this, complete the following steps:
For example, to check the container provo.quills in quills-tree, you would type the following:

CHECK -v >> sys:system\sdinotes.txt -n provo.quills.quills-tree

This operation will report any inconsistencies between the cryptographic keys on the various SDI domain servers. If any problems are noted, use the information in SYS:SYSTEM\SDINOTES.TXT to help you resolve them, and then continue with the configuration.

Enable Universal Password

Once all the pieces are in place, you are ready to enable universal password. To enable universal password, complete the following steps:
Once enabled, the NetWare 6.5 Novell Client software will start using universal password automatically. When you reset a password, you will actually be resetting the universal password, which will transparently synchronize the traditional NetWare and Simple passwords for your users. They won't notice any difference in behavior. However, this transparent synchronization is fully operational only when running NetWare 6.5 with the latest Novell client software (version 4.9 or later for Windows 2000/XP clients and version 3.4 or later for Windows 95/98 clients). For more information on the specific capabilities of universal password when used in different combinations of NetWare, Novell Client, and various client services, see the NetWare 6.5 online documentation.

eDirectory Login Controls

In addition to the actual login process, eDirectory provides a variety of login controls designed to help secure the network. Those controls are found in the properties of each User object. The various types of restrictions offered by eDirectory include
NOTE You will also see an Account Balance tab. This is a leftover from a server accounting feature that is no longer supported in NetWare 6.5. You can manage the various login controls from iManager or ConsoleOne. Login controls can be set on individual User objects, or they can be defined at the container level, where they will be automatically applied to all users in that container. To get to the login restrictions pages available through eDirectory, complete the following steps:
Each of the login control pages is described in more detail in the following sections.

Password Restrictions

The Password Restrictions page allows you to set password characteristics for eDirectory users, as shown in Figure 6.2. By default, the only selected option is Allow User to Change Password. However, this will not provide any significant degree of security, so you will want to enable some of the other options.
Figure 6.2. Password Restrictions page in iManager.
Login Restrictions

The Login Restrictions page allows you to control the capability of a user to log in to the network, as shown in Figure 6.3.
Figure 6.3. Login Restrictions page in iManager.
Time Restrictions

The Time Restrictions page enables you to limit the time(s) of day when a user can access the network, as shown in Figure 6.4. By default, there are no restrictions.

Figure 6.4. Time Restrictions page in iManager.
To set a time restriction, click the box for which you want the restriction to occur, and then click Update to reflect the change. To select a range of time, hold down the Shift key while moving the mouse over the time range. Each block is 30 minutes. When finished, make sure to select OK to save the new restrictions out to eDirectory. If a user is logged in when her lockout period is reached, she will be issued a five-minute warning, after which she will be automatically logged out. NOTE One important caveat to time restrictions is that they are governed by the user's home time and not his current time. For example, if a user in New York takes a trip to Los Angeles and is going to dial in to his home network, the time in New York rather than the time in Los Angeles will determine the time restriction. A 6:00 p.m. EST time restriction would shut the user down at 3:00 p.m. PST. Although that might give your employee time to get in a round of golf, it might not be what you intended when configuring the time restriction in the first place.

Address Restrictions

The Address Restrictions page can be used to tie a user account to a specific workstation, as shown in Figure 6.5, thereby forcing users to log in from that hardware location only.

Figure 6.5. Address Restrictions page in iManager.
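Before moving on to address restrictions, here is an added Python illustration (not part of the original chapter) of the time restriction behaviour just described: a grid of seven days of 48 half-hour blocks, a login check made in the user's home zone rather than the zone the user is currently dialing in from, and the five-minute warning that precedes the forced logout. The weekday-only schedule, the fixed EST/PST offsets (no daylight-saving handling), the sample dates and all function names are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Fixed-offset zones for the EST/PST scenario in the text (constructed; no DST handling).
EST = timezone(timedelta(hours=-5), "EST")
PST = timezone(timedelta(hours=-8), "PST")

BLOCKS_PER_DAY = 48                 # the grid is 48 half-hour blocks per day
WARNING = timedelta(minutes=5)      # warning issued this long before forced logout


def build_grid(allowed):
    """allowed maps weekday (0 = Monday) to a list of (start_hour, end_hour) ranges.
    Returns a 7 x 48 table of booleans; True means login is permitted in that block."""
    grid = [[False] * BLOCKS_PER_DAY for _ in range(7)]
    for weekday, ranges in allowed.items():
        for start_hour, end_hour in ranges:
            for block in range(start_hour * 2, end_hour * 2):
                grid[weekday][block] = True
    return grid


def block_of(local):
    """Index of the half-hour block containing the local time (0 = 00:00-00:29)."""
    return local.hour * 2 + local.minute // 30


def login_allowed(grid, home_zone, instant):
    """The restriction is evaluated in the user's HOME zone, whatever zone they connect from."""
    local = instant.astimezone(home_zone)
    return grid[local.weekday()][block_of(local)]


def lockout_warning_due(grid, home_zone, instant):
    """True when the user is inside an allowed block but a blocked block starts at the
    next half-hour boundary and that boundary is WARNING or less away."""
    local = instant.astimezone(home_zone)
    if not grid[local.weekday()][block_of(local)]:
        return False                # already outside the window; nothing to warn about
    # Next half-hour boundary, rolling into the next day after 23:30 if necessary.
    boundary = local.replace(minute=0 if local.minute < 30 else 30, second=0, microsecond=0)
    boundary += timedelta(minutes=30)
    if boundary - local > WARNING:
        return False
    return not grid[boundary.weekday()][block_of(boundary)]


def stamp(year, month, day, hour, minute, zone):
    """Aware datetime helper so scenarios read like the examples in the text."""
    return datetime(year, month, day, hour, minute, tzinfo=zone)


# Constructed policy: weekdays 08:00-18:00 in the user's home zone, nothing at weekends.
WORKWEEK = build_grid({day: [(8, 18)] for day in range(5)})

if __name__ == "__main__":
    # 2024-01-08 is a Monday. The New York user is in Los Angeles: 3:00 p.m. PST is 6:00 p.m. EST.
    print(login_allowed(WORKWEEK, EST, stamp(2024, 1, 8, 15, 0, PST)))          # False
    print(lockout_warning_due(WORKWEEK, EST, stamp(2024, 1, 8, 17, 56, EST)))   # True
```

The `astimezone(home_zone)` call is the whole point: the traveling user's 3:00 p.m. PST request is converted to 6:00 p.m. EST before the grid is consulted, which is why the 6:00 p.m. restriction fires three hours "early" from the user's point of view.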
In today's world of dynamic addressing and roaming users, this option is not as useful as it once might have been, but in very security-conscious environments, it can still be necessary. However, TCP/IP functionality is severely limited by the fact that the utility assumes a Class B subnet mask (255.255.0.0) for all IP addressing, which is not very practical in today's overloaded IP world.

Intruder Lockout

The Intruder Lockout page is useful only after a user account has been disabled. Intruder lockout refers to the disabling of a user account after a certain number of unsuccessful login attempts have been made. To re-enable a locked-out account, the administrator unchecks the Account Locked box on this page. The other three entries simply provide information about the status of the locked account. The actual intruder detection system is configured at the container level rather than at the user level. In order to configure your intruder detection environment, complete the following steps:
Once configured, intruder lockout makes it much more difficult for would-be hackers to perform dictionary or other brute force attacks against one of your network accounts.
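As an added Python example (not from the chapter or from Novell's code), the following models two of the controls described above. The address restriction is evaluated with the assumed 255.255.0.0 mask, which makes visible how much wider than a single workstation the match really is. The container-level intruder detection policy counts failed attempts inside a reset window, locks the account once the threshold is reached, and refuses even the correct password while the lock holds. The threshold, reset window, lock duration, the automatic lock expiry, the sample addresses and every name are constructed assumptions for the example, not eDirectory attribute names.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import ipaddress

ASSUMED_MASK = "255.255.0.0"        # the Class B mask the utility applies to every IP entry


def address_permitted(restricted_ip, source_ip, mask=ASSUMED_MASK):
    """Evaluate an IP address restriction as the text says the utility does: the entry is
    widened to a Class B network, so every host in the same /16 satisfies the restriction."""
    allowed_net = ipaddress.IPv4Network(f"{restricted_ip}/{mask}", strict=False)
    return ipaddress.IPv4Address(source_ip) in allowed_net


@dataclass
class IntruderPolicy:
    """Container-level settings. Values and field names are constructed for this example."""
    max_failures: int = 3                              # failures that trigger the lock
    reset_window: timedelta = timedelta(minutes=30)    # failures older than this stop counting
    lock_duration: timedelta = timedelta(minutes=15)   # assumption: the lock also expires on its own


@dataclass
class AccountState:
    failures: int = 0
    window_start: Optional[datetime] = None
    locked_until: Optional[datetime] = None            # the "Account Locked" flag, with expiry


class IntruderDetector:
    def __init__(self, policy):
        self.policy = policy
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user, now):
        state = self._state(user)
        return state.locked_until is not None and now < state.locked_until

    def attempt(self, user, password_ok, now):
        """Record one login attempt; returns 'ok', 'bad-password' or 'locked'."""
        state = self._state(user)
        if self.is_locked(user, now):
            return "locked"          # a correct guess is refused too while the lock holds
        if password_ok:
            state.failures, state.window_start = 0, None
            return "ok"
        # Failure: restart the count if earlier failures have aged out of the reset window.
        if state.window_start is None or now - state.window_start > self.policy.reset_window:
            state.failures, state.window_start = 0, now
        state.failures += 1
        if state.failures >= self.policy.max_failures:
            state.locked_until = now + self.policy.lock_duration
            state.failures, state.window_start = 0, None
            return "locked"
        return "bad-password"

    def admin_unlock(self, user):
        """Equivalent of clearing the Account Locked box on the Intruder Lockout page."""
        self._state(user).locked_until = None


T0 = datetime(2024, 1, 8, 9, 0)     # constructed reference time for the scenarios below


def at(minutes=0, seconds=0):
    """Instant the given offset after T0."""
    return T0 + timedelta(minutes=minutes, seconds=seconds)


def simulate_guessing(detector, user, guesses, start=T0, step_seconds=10):
    """Feed a sequence of attempts (True = right password) at a fixed interval and return the
    outcomes. A run of wrong guesses stands in for the dictionary attack the lockout blunts."""
    return [detector.attempt(user, ok, start + timedelta(seconds=i * step_seconds))
            for i, ok in enumerate(guesses)]


if __name__ == "__main__":
    print(address_permitted("10.1.2.3", "10.1.200.7"))     # True: same /16, not the same workstation
    detector = IntruderDetector(IntruderPolicy())
    print(simulate_guessing(detector, "jdoe", [False, False, False, True]))
    # ['bad-password', 'bad-password', 'locked', 'locked']
```

Two details worth noticing when reading the output: a restriction entered as 10.1.2.3 accepts 10.1.200.7 because the utility's fixed mask turns the entry into 10.1.0.0/16, and the fourth attempt in the guessing run is refused even though the password is right, which is exactly what makes the lockout effective against guessing. Failures spaced further apart than the reset window never accumulate, so the window length is a tuning decision, not a cosmetic one.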