Improving Security | HP UX Internet and Networking Software instruction

Optimizing the NetWare Client Software

Improving Security

Improving Security

You can increase the security of your network by using the NCP packet signature feature available in NetWare 4 and 3.12.

The following sections provide you with information and procedures for setting a parameter used in the client workstation conﬁguration (NET.CFG) ﬁle and the SET command used at each NetWare server.

Using NCP Packet Signature to Improve Security

NCP packet signature is an enhanced security feature that protects servers and client workstations using the NetWare Core Protocol™ architecture by preventing packet forgery.

The NCP packet signature is optional because the packet signature process consumes CPU resources and slows performance, both for the client workstation and the NetWare server.

Without the NCP packet signature installed, a knowledgeable network operator can manipulate the client workstation software to send a forged NCP request to a NetWare server. By forging the proper NCP request packet, an intruder can gain rights to access all network resources.

How NCP Packet Signature Works

NCP packet signature prevents forgery by requiring the server and the client workstation to “sign” each NCP packet, using the RSA public and private key encryption. The packet signature changes with every packet.

NCP packets with incorrect signatures are discarded without breaking the client workstation’s connection with the server. However, an alert message about the source of the invalid packet is sent to the error log, the affected client workstation, and the NetWare server console.

If NCP packet signature is installed on the server and all of the network client workstations, it is virtually impossible to forge an NCP packet that would appear valid.

1-8

Image 26

HP UX Internet and Networking Software manual Improving Security, Using NCP Packet Signature to Improve Security

Contents

Edition HP 9000 NetworkingHP Part No. J2771-90016 Hewlett-Packard Co Homestead Road Cupertino, CA 95014 USA Printing History Preface Introduction Documentation Conventions This manual uses the following Novell conventions Asterisk Syntax Vii Supplemental Documentation Preface Preface Contents NET.CFG Options Reference Overview 2-2 Introduction Creating and Modifying a NET.CFG File Link Driver Option Alternate Link Support Option NetWare DOS Requester Option Network PRINTERS=number Protocol Tcpip Option Protocol IPX Option 103Protocol SPX Option Transport Provider IPX UDP Option Introduction Core NetWare Client Software Dosnp Software Optimizing the NetWare Client Software Overview Topic Introduction Requirement for Packet Burst Using the Packet Burst ProtocolIncreasing Speed How Packet Burst Works When to Use Packet Burst Configuring for Packet BurstUsing Large Internet Packet Functionality Disabling Packet Burst How Large Internet Packet Works Configuring for Large Internet PacketWhen to Use Large Internet Packet Disabling LIP How NCP Packet Signature Works Using NCP Packet Signature to Improve SecurityImproving Security NCP Packet Signature Levels Level Number Explanation When to Use NCP Packet SignatureNCP Packet Signature Options Effective Packet Signature Levels Examples of Using Packet Signature LevelsSolution Server = Workstation Setting Installing NCP Packet SignatureClient Workstation Is Publicly Accessible Client Workstation Users Often Change Locations Server Setting Disabling Packet Signature Client Workstations Cannot Log Troubleshooting NCP Packet SignatureClient Workstations Are Not Signing Packets Problem Third-Party NLM Programs Do Not Work Insecure Client Workstations Log In to a Secure Server Using Other Client Security Guidelines Additional Information Topic Reference NET.CFG Options Reference NET.CFG Options Reference Introduction Creating and Modifying a NET.CFG File Entering Options and Parameters into the NET.CFG File Following is a sample NET.CFG ﬁle that Sample NET.CFG FileFollowing ﬁgure illustrates the NET.CFG ﬁle format NET.CFG File Format NET.CFG file Using NET.CFG Options and Parameters Link support NET.CFG Options Desktop snmpLink driver drivername Netware dos requester NET.CFG Options Protocol tcpip Protocol ipxProtocol spx Transport provider ipx udp Using the NET.CFG Reference Pages Format of NET.CFG Reference Pages Category Parameters and Values Desktop Snmp OptionAvailable Parameters and Values for the Desktop Snmp Option MIB-II Syntax Asynchronous Timeout ConnectionsAsynchronous Timeout number Parameter and Value Default Example Community Types and Names Snmpenableauthentraps on Desktop Snmp Option Parameters for Community Names DefaultSpeciﬁes the monitor community name Parameter Explanation Speciﬁes the trap community name Community Access ManagementSpeciﬁes the control community name Control Community name public private Desktop Snmp Option Values for Community Type Parameters Value Explanation Enables the value settings for the trap community Enables the value settings for the monitor communityEnables the value settings for the control community Example of NET.CFG Files Using the Community Name and Types System and Snmp Groups MIB-II Management Information Base SupportDesktop Snmp automatically supports three MIB-II groups Authority That an unauthorized user is tying to access the networkExplains these parameters Management stations or reported in Snmp traps Snmpenableauthentrap on off Syscontact contact Sysname name Informs the Snmp manager of your usernameSyslocation location Interface Group TCP/IP Groups Example of NET.CFG File Including Each Group Support Link Driver drivername Link Driver OptionAvailable Parameters and Values for the Link Driver Option This option has the following parameters and values BUS ID name number DMA #1 #2 channelnumber Bus Type Identiﬁcation NumberISA MCA Eisa Pcmcia PCI For example, the frame type Token-Ring can be used in LSB Frame frametypename addressingmode Frame Types, Protocols, and LAN Drivers List of Frame Types, Protocols, and LAN Drivers Frame Type and Description Protocols LAN Drivers Token-Ring LAN Drivers For token ring, enable token ring frame typesEthernet LAN Drivers IRQ #1 #2 interruptrequestnumber MAX Frame Size number Speciﬁes a memory range to be used by the network board MEM #1 #2 hexstartingaddress hexlength Node Address hexaddress mode Replace hexstartingaddress with Lansup Port #1 #2 hexstartingaddress hexnumberofports Protocol name hexprotocolID frametype Defined Protocols and Frame TypesAllows existing LAN drivers to handle new network protocols Slot number Numbers Frame Protocol Frame Type DescriptionEthernetii IPX/SPX Listing of Commonly Used ODI LAN Drivers Driver Name Network Board COM E2HODI CeodiE20ODI E30ODI NCRWL05 LansupMadgeodi NE2 OCTOK16.COM NulldrvOC32TR16.COM OSH391R T20ODI SmcarcwsSMC PC600WS/650WS T30ODI Link Support Option Available Parameters and Values for the Link Support Option Buffers communicationnumber buffersize Default Default Range Example MAX Boards number MAX Stacks number Mempool number k Link support Mempool NetWare DOS Requester Option Current Core Virtual Loadable Module VLM Programs Current Non-Core Virtual Loadable Module Programs Module Name Description Compatibility with NetWare Shell Parameters Parameters and Values Status Packets VLM=C\NWCLIENT\CONN.VLM Managing the NetWare DOS RequesterCondition Explanation Best Performance Optimizing the NetWare DOS RequesterVLM /C=C\NWCLIENT\NET.CFG NetWare DOS Requester Option This entry indicates the following Best Conventional Memory Usage Best Compromise Parameters and Values NetWare DOS Requester Option Auto Large TABLE=on off Modules Auto RECONNECT=on off Default ModulesDefault Range Modules AUTO.VLM, NDS.VLM Average Name LENGTH=number Broadcast RETRIES=number Bind RECONNECT=on offAUTO.VLM, BIND.VLM Between performing any function Broadcast Send DELAY=numberBroadcast TIMEOUT=number Serial links on your network Cache Buffer SIZE=number Cache WRITES=on off CHECKSUM=number IPXNCP.VLM, NWP.VLM Confirm Critical Error ACTION=on off VLM.EXE AUTO.VLM, CONN.VLM, FIO.VLM, NDS.VLM SECURITY.VLM Sets the name of the operating system used in the shellCONNECTIONS=number DOS NAME=name EOJ=on off MsdosGENERAL.VLM, NETX.VLM NETX.VLM, REDIR.VLM First Network DRIVE=driveletter Exclude VLM=pathvlmRange Modules GENERAL.VLM, NETX.VLM, REDIR.VLM Handle NET ERRORS=on off Force First Network DRIVE=on off Large Internet PACKETS=on off Connection table in an Upper Memory Block UMB, if available Starting LIP negotiationsProcess across slow links LIP Start SIZE=number Load LOW CONN=on off Load LOW IPXNCP=on off Load LOW REDIR=on off Local PRINTERS=number Lock DELAY=number Lock RETRIES=number Long Machine TYPE=name MAX TASKS=number Allow several applications to run simultaneouslyIBM-PC Message LEVEL=number Message TIMEOUT=number Default Range Minimum Time to NET=number Name CONTEXT=namecontext Netware PROTOCOL=netwareprotocollist Network PRINTERS=number FIO.VLM, IPXNCP.VLM Sets the read buffer size in bytes for MS WindowsPB BUFFERS=number Pburst Read Windows SIZE=number Sets the write buffer size in bytes for MS Windows Preferred TREE=treename Preferred WORKGROUP=workgroupname Print Buffer SIZE=number Print HEADER=number Print TAIL=number Read only COMPATIBILITY=on off RESPONDER=on off Search MODE=number Syntax Search mode=number Default Modules IBM SET Station TIME=on offShort Machine TYPE=name Signature LEVEL=number Show DOTS=on offREDIR.EXE NWP.VLM, SECURITY.VLM = Enabled but not preferred = Preferred = RequiredSyntax True commit=on off Default Off Modules True COMMIT=on off USE DEFAULTS=on off VLM=pathVLM Workgroup NET=workgroupnetaddress 102 Protocol IPX Option Available Parameters and Values for the Protocol IPX Option Bind LANdrivername #number INT64 on off INT7A on off Ipatch byteoffset, value Syntax IPX Packet Size Limit number IPX Retry Count number IPX Sockets number 108 Protocol SPX Option Available Parameters and Values for the Protocol SPX Option SPX Abort Timeout number Minimum SPX Retries number SPX Listen Timeout number SPX Connections number SPX Verify Timeout number Protocol SPX Option 113 Nbadapter 0 Protocol Tcpip OptionLAN Nbbrdcast 0 Nobootp LAN Drivers Bind odidriver number frametype networkname IP Addresses Speciﬁes the IP address for your client workstation Ipaddress ipaddress networkname Speciﬁes the default subnetwork mask if subnetworks are used Ipnetmask netmaskaddress networkname Connection Sockets Iprouter ipaddress networkname Transmission Control Protocol TCP Sockets Tcpsockets number User Datagram Protocol UDP Sockets Udpsockets number Raw Sockets Rawsockets number Additional Support Path Tcpcfg drive path Transport Provider IPX UDP Option Transport Provider IPX UDP Trap Target ipxaddress ipaddress Transport Provider IPX UDP Option 128 Command Line Parameters Reference Command Line Parameters Reference Convention Explanation Programname Software Explanation Core NetWare Client SoftwareExplanation of the Core NetWare Client Software IPXODI.COM Parameter Option Explanation Syntax for using these parameters is as follows This command indicates the following ODI LAN driver.COM VLM.EXE VLM /D /C=C\NWCLIENT\NET.CFG /PS=SALES /MC This command indicates the following Dosnp Software System Messages System Messages System Messages System Messages System Messages System Messages DOSCLINST-1.0-1 Filename could not be installed DOSCLINST-1.0-3 The INSTALL.OVL ﬁle could not be found Action Delete unnecessary ﬁles from the hard disk System Messages System Messages System Messages System Messages System Messages System Messages IPXNCP.VLM System Messages System Messages System Messages System Messages System Messages System Messages System Messages System Messages System Messages System Messages System Messages System Messages System Messages System Messages System Messages System Messages VLM-1.00-9 The VLM.EXE ﬁle is testing the VLMs System Messages System Messages VLM-1.00-37 The VLM.EXE ﬁle is using expanded memory EMS VLM-1.00-39 The VLM.EXE ﬁle is using extended memory XMS System Messages Try one or more of the following System Messages System Messages Index Enable Control Community Lock Delay NetWare DOS Requester Monitor Community Desktop Snmpenableauthentrap Unix conventions, explained commands Index