Preventing packet forgery

NetWare Services includes a security feature, NCP packet signature, that protects servers and clients using the NetWare Core Protocol.

NCP packet signature prevents packet forgery by requiring the server and the client to ``sign'' each NCP packet. The packet signature changes with every packet.

NCP packets with incorrect signatures are discarded without breaking the client's connection with the server. However, an alert message about the invalid packet is sent to the error log, the affected client, and the message monitor. The alert message contains the login name and the station address of the affected client.

NCP packet signature options

Because the packet signature process consumes CPU resources and slows performance, both for the client and the NetWare server, NCP packet signature is optional.

Several signature options are available, ranging from never signing NCP packets to always signing NCP packets. NetWare servers and clients both have four settable signature levels.

The signature options for servers and clients combine to determine the level of NCP packet signature on the network.

When to use NCP packet signature

NCP packet signature is not required for every installation. Some network supervisors may choose not to use NCP packet signature because they can tolerate security risks in the following types of situations:

• Only executable programs reside on the server.

• All network users are known and trusted by the supervisor.

• Data on the NetWare server is not sensitive; loss or corruption of this data would not affect operations.

• An untrustworthy user at a workstation on the network

• Easy physical access to the network cabling system

• An unattended, publicly accessible workstation

Server security

Security is a major concern for administrators and users when working with files and directories on the network. Several types of security exist in NetWare Services:

• File system (see ``Making the file system secure and accessible'').

• NetWare Directory Services (see ``Managing the NDS tree'').

• Login restrictions (see ``Managing the server'').

• Server restrictions (described in this topic).

The following list describes the prerequesites:

• Access to scoadmin(1M)

• System Owner permission to use scoadmin's NetWare Setup utility

1. From scoadmin, select NetWare, then select the NetWare Setup utility.

3. Select NetWare Server.

4. Select Security.

   The ``NetWare Server Security'' window appears.

5. Set the following variables as appropriate.

   • Basic. The Basic category shows the most commonly changed NetWare Services security variable:

     • NCP Packet Signature Option. This variable determines the signature levels for NCP packets. Valid values are Disabled, Enabled, Preferred, and Required (see the list in ``Client signature levels''). The default is Enabled.

   • Advanced. The Advanced category shows and allows you to change the less commonly used security variables:

     • Allow Unencrypted Passwords? This variable controls unencrypted passwords. ``Yes'' means unencrypted passwords are allowed. ``No'' means passwords must be encrypted and clients who use software that sends clear text passwords cannot log in. The default is ``No''.

     • Allow Change To Client Rights? This variable controls the ability of a Print or Job server to assume rights of a queue job's submitter as it services a queue job. ``Yes'' means submitter's rights are allowed to be assumed. ``No'' means submitter's rights are not allowed to be assumed. On a system that needs tight security, set this to ``No''. The default is ``Yes''.

6. Click OK.

Server signature levels

Use ``NCP Packet Signature Option'' in the previous procedure to assign server packet signature levels.

Client signature levels

Client signature levels are assigned in the NET.CFG file at the client workstation as follows:

signature level = number

To replace the existing number with Disabled (0), Enabled (1), Preferred (2), or Required (3), use NetWare Settings for NUC at the UnixWare desktop; use a text editor for DOS, Windows, or OS/2 clients. The default is Enabled (1). The levels are explained in the following list:

Disabled (0)

Client does not sign packets.

Enabled (1)

Client signs packets only if the server requests it (server option is 2 or higher).

Preferred (2)

Client signs packets if the server is capable of signing (server option is 1 or higher).

Required (3)

Client signs packets and requires the server to sign packets (or logging in will fail).

Effective packet signature

The packet signature levels for the server and the client interact to create the ``effective packet signature'' for the network. Some combinations of server and client levels do not allow logging in.

``Effective packet signature of server and client'' shows the interactive relationship between the server packet signature levels and the client signature levels.

Effective packet signature of server and client

Examples of signature levels in different situations

The default NCP packet signature level is Enabled (1) for clients and Preferred (2) for servers. In general, this setting provides the most flexibility while still offering protection from forged packets.

The following are examples of using different signature levels:

• All information on the server is sensitive

  If an intruder gains access to any information on the NetWare server, it could damage the company. The network supervisor sets the server to level 3 (Required) and all clients to level 3 (Required) for maximum protection.

• Sensitive and nonsensitive information reside on the same server

  The NetWare server has a directory for executable programs and a separate directory for corporate finances (such as Accounts Receivable). The network supervisor sets the server to level 2 (Preferred) and the clients that need access to Accounts Receivable to level 3 (Required). All other clients remain at the default, level 1 (Enabled).

• Users often change locations and workstations

  The network supervisor is uncertain which employees will be using which workstations, and the NetWare server contains some sensitive data. The network supervisor sets the server to Required (3). Clients remain at the default Enabled (1).

• A workstation is publicly accessible

  An unattended workstation is set up for public access to nonsensitive information, but another server on the network contains sensitive information. The network supervisor sets the sensitive server to Required (3) and the unattended client to Disabled (0).

Assigning the server packet signature option

The default server packet signature option is Preferred (2). To change the option, use the ``NCP Packet Signature Option'' in the scoadmin NetWare Setup utility. See ``Server signature levels''.

Assigning the DOS or Windows workstation packet signature level

The default client packet signature level is Enabled (1). To change the level, add the following parameter to the NET.CFG file of each DOS or Windows workstation:

signature level = number

Replace number with 0 (Disabled), 1 (Enabled), 2 (Preferred), or 3 (Required).

Assigning the OS/2 workstation packet signature level

The default client packet signature level is Enabled (1). To change the level, add the following parameter to the NetWare Requester area of the NET.CFG file for each OS/2 workstation:

signature level number

Replace number with 0 (Disabled), 1 (Enabled), 2 (Preferred), or 3 (Required).

Assigning the NUC workstation packet signature level

This signature level applies to all NUC clients unless it is set in a user-specific NET.CFG file.

The default packet signature level is Enabled. To change the level, use the nwsignatures(1Mnuc) utility.