Keeping Hackers Out

     

The majority of the discussion so far in this chapter has been about guarding against internal threats to your NDS tree and servers. External threats can present themselves as well, and it is therefore necessary to take steps to limit the possibility of someone outside your organization breaking in. The easiest way to accomplish this is to not enable external access to your production network. However, not being connected to outside networks is simply not an option today, due to the need for external email and Internet connectivity.

Because the default protocol for NetWare 5 and higher is TCP/IP, external hackers can become more of a threat if you do not protect your network adequately by using a firewall (if connected directly to the Internet). Using IPX on your LAN puts a distinct barrier into your system: it becomes impossible for you to connect to IPX resources without some sort of IPX-to-IP translation gateway.

There are several things you can do to address this issue:

  • Use a TCP/IP Network Address Translation (NAT) gateway.

  • Use a software-based firewall product, such as Novell's BorderManager, or a hardware security appliance, such as Cisco's PIX 535 Firewall, to provide a demilitarized zone (DMZ) between the Internet and your intranet. At the very least, you should put a firewall at your point of presence on the Internet.

  • Perform your own tests and try to break in to your network from outside your network.

A problem as serious as the threat of someone breaking into your network is the threat of a denial-of-service (DoS) attack. This is an attack on a service hosted on one of your systems that denies users access to the service. Several DoS attacks have surfaced recently, but the concept of DoS attacks has been around for a long time (although it has not always been known by that name).

NOTE

There are not many DoS attack methods that can be used directly against NetWare, but because many NetWare servers run LDAP and Web-based services, your NetWare servers can easily fall victim to DoS attacks via LDAP and Web ports.


No matter what vendor's firewall product you use at your connection to the outside world, you should be certain you are current with any patches the vendor makes available, especially patches that address security and DoS attacks. DoS can take many forms, from flooding a network interface on a router or server with garbage traffic to intentionally crashing a system that hosts critical services.
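The following check is an added example, not taken from the book or from any vendor's product. It audits a firewall ruleset for permit rules that let outside sources reach LDAP or Web ports on intranet hosts rather than on DMZ hosts; the rule format, address ranges, and rules are all constructed for illustration.

```python
import ipaddress

# Constructed address plan (assumption for this example, not from the book).
INTRANET = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.0.2.0/24")
# Ports behind the services the NOTE singles out: LDAP and Web.
WATCHED = {80: "HTTP", 389: "LDAP", 443: "HTTPS", 636: "LDAPS"}

# Constructed ruleset, hypothetical format: action source destination ports
RULES = """\
permit any 192.0.2.10 80,443
permit any 10.1.1.5 389
permit 10.0.0.0/8 10.1.1.5 389,636
permit 0.0.0.0/0 10.1.0.0/16 1-1024
deny any any 1-65535
"""

def parse_ports(spec):
    """Expand '80,443' or '1-1024' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def to_net(spec):
    """Turn 'any', a host address, or a CIDR block into a network object."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)

def audit(rules_text):
    """Return (line number, destination, services) per risky permit rule."""
    # Rules are judged one at a time; ordering and shadowing are not modeled.
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        action, src, dst, ports = line.split()
        if action != "permit":
            continue
        src_net, dst_net = to_net(src), to_net(dst)
        external = not (src_net.subnet_of(INTRANET) or src_net.subnet_of(DMZ))
        exposed = [WATCHED[p] for p in sorted(parse_ports(ports)) if p in WATCHED]
        if external and dst_net.overlaps(INTRANET) and exposed:
            findings.append((lineno, dst, exposed))
    return findings

if __name__ == "__main__":
    for lineno, dst, services in audit(RULES):
        print(f"rule {lineno}: outside sources reach {dst} on {', '.join(services)}")
```

Rules that publish Web services on a DMZ host, or that allow LDAP only from intranet sources, pass the audit; the broad port-range rule is reported because it covers every watched port.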

Another recommendation is that you keep up on security issues. There are several newsgroups on Usenet as well as mailing lists that discuss security issues. You might also want to search the Internet for sites that specialize in hacking networks. The hackers out there use the information on those sites to learn how to break into other people's systems. You should search those sites and be familiar with the tools of the trade. If you are familiar with those tools, you are better equipped to defend against them.

WARNING

If you decide to experiment with hacking or cracking tools, we strongly suggest that you test on an isolated nonproduction system. Many of the hacker-programmers out there do not take precautions that professional programmers would take, and it is not worth taking a risk with your production network. If you choose to work with these types of tools, it might be wise to let others in your organization know what you are doing and why; otherwise, when they find out what you are doing, they might not understand your motivations.




Novell's Guide to Troubleshooting eDirectory
ISBN: 0789731460
EAN: 2147483647
Year: 2003
Pages: 173
