Using NCP Packet Signature

NetWare includes a feature called NCP Packet Signature that protects servers and clients using the NetWare Core Protocol (NCP) services.

NCP Packet Signature prevents packet forgery by requiring the server and the client to sign each NCP packet. The packet signature changes with every packet.

Without NCP Packet Signature installed, a user could pose as a more privileged user and send a forged NCP request to a NetWare server. By forging the proper NCP request packet, an intruder could gain the Supervisor right to the Server object and access to all network resources.

NCP packets with incorrect signatures are discarded without breaking the client's connection with the server. However, an alert message about the invalid packet is sent to the error log, the affected client, and the server console. The alert message contains the login name and the station address of the affected client.

If NCP Packet Signature is installed on the server and all of its workstations, it is virtually impossible to forge a valid NCP packet.

For additional information about packet signature, see the following:

To implement packet signature, see Implementing NCP Packet Signature.


Why Should I Use Packet Signatures?

We recommend using NCP Packet Signatures for security risks such as the following:

NCP Packet Signature is not necessary for every server installation. You might choose not to use NCP Packet Signature if you can tolerate security risks in situations such as the following:


NCP Packet Signature Options

Because the packet signature process consumes CPU resources and slows performance both for the client and the NetWare server, NCP Packet Signature is optional.

Several signature options are available, ranging from never signing NCP packets to always signing NCP packets. NetWare servers and Novell clients each have four settable signature levels.

The signature options for servers and clients combine to determine the level of NCP Packet Signature on the network.

You can choose the packet signature level that best meets both your system performance needs and network security requirements.

NOTE:  Some combinations of server and client packet signature levels can slow performance. However, low-CPU-demand systems might not show any performance degradation.


Effective Packet Signature

The NCP Packet Signature levels for the server and the client interact to create the effective packet signature for the network. Some combinations of server and client levels do not allow logging in.

The following figure shows the interactive relationship between the server packet signature levels and the client signature levels.


Figure: Effective packet signature of server and client


Recommended Signature Levels

The default NCP Packet Signature level is 1 for clients and 1 for servers. In general, this setting provides the most flexibility while still offering protection from forged packets. Following are some examples of situations requiring different signature levels.

Situation: All information on the server is sensitive.
Example: If an intruder gains access to any information on the NetWare server, it could damage the company.
Recommendation: Set the server to level 3 and all clients to level 3 for maximum protection.

Situation: Sensitive and nonsensitive information reside on the same server.
Example: The NetWare server has a directory for executable programs and a separate directory for corporate finances (such as Accounts Receivable).
Recommendation: Set the server to level 2 and the clients that need access to Accounts Receivable to level 3. All other clients remain at the default, level 1.

Situation: Users often change locations and workstations.
Example: You are uncertain which employees will be using which workstations and the NetWare server contains some sensitive data.
Recommendation: Set the server to level 3. Clients remain at the default, level 1.

Situation: A workstation is publicly accessible.
Example: An unattended workstation is set up for public access to nonsensitive information, but another server on the network contains sensitive information.
Recommendation: Set the sensitive server to level 3 and the unattended client to level 0.

For information on implementing NCP Packet Signature, see Implementing NCP Packet Signature.


Implementing NCP Packet Signature

To implement NCP Packet Signature, complete the following procedures:


Setting Server Signature Levels

Number  Explanation

0       Server does not sign packets (regardless of the client level).

1       Server signs packets only if the client requests it (client level is 2 or higher).

2       Server signs packets if the client is capable of signing (client level is 1 or higher).

3       Server signs packets and requires all clients to sign packets or logging in will fail.

To ensure that the signature level is set each time the server is brought up, you can add this SET parameter command to your STARTUP.NCF file

You can also use the SET parameter command to change the signature level from a lower to a higher level or use NetWare Remote Manager.

You cannot change from a higher to a lower level unless you first reboot the server. For example, if the current signature level is 2, you can't set the signature level to 1 by using the SET command at the console. To change the signature level from 2 to 1, you must add the SET command to the STARTUP.NCF file and then restart the server:


Setting Client Signature Levels

Set client signature levels to 0, 1, 2, or 3. The default is 1. Increasing the value increases security, but decreases performance.

Number  Explanation

0       Disabled. Client does not sign packets.

1       Enabled, but not preferred. Client signs packets only if the server requests it (server level is 2 or higher).

2       Preferred. Client signs packets if the server is capable of signing (server level is 1 or higher).

3       Required. Client signs packets and requires the server to sign packets or logging in will fail.

To set DOS or MS Windows client signature levels, add the following parameter to the workstation's NET.CFG file:

signature level = number

To set the Windows 95 or Windows NT client signature level for an individual workstation, change the parameter setting with the Advanced Settings tab of Novell NetWare Client Properties, as follows:

  1. From the system tray, right-click the N icon.

  2. Click Novell Client Properties > Advanced Settings.

  3. Select Signature Level from the scrollable list.

You can set the signature level for multiple clients at once by adding the signature level to the configuration file when you install the clients. For information about configuring Windows clients, see the Novell Client online documentation.


Changing the Signature Level for an NLM

NLM programs that use the Novell Runtime Libraries are assigned a default NCP Packet Signature level that corresponds to the current signature level of the server.

To change the packet signature level for a single NLM, use the following command syntax when you load the NLM:

[LOAD] NLM [CLIB_OPT]/L number

Replace number with 0, 1, 2, or 3.


Setting Packet Signature for Job Servers

A job server is a server that performs a task and then returns the completed task. Most job servers are third-party products.

You should be aware that some job servers do not support NCP Packet Signature. A job server might produce unsigned sessions if one of the following occurs:


Minimizing Risks

To minimize security risks associated with job servers, do the following:


Disabling Change to Client Rights

To prevent a job server from assuming the rights of a client, add the following SET command to the server's STARTUP.NCF file:

SET Allow Change to Client Rights = OFF

The default is On, because certain job servers and third-party applications cannot function without changing to client rights. To determine whether the job server can function without client rights, refer to the documentation that comes with the job server.


