Technical Whitepaper

Flexible security for NetWare servers
Secure flexibility for NetWare administrators
AdRem sfConsole 2009 – Technical White Paper
©2009 AdRem Software, Inc.
This document is written by AdRem Software and represents the views and opinions of AdRem Software
regarding its content, as of the date the document was issued. The information contained in this document is
subject to change without notice.
ADREM SOFTWARE MAKES NO WARRANTIES, EITHER EXPRESS OR IMPLIED, IN THIS DOCUMENT.
AdRem Software encourages the reader to evaluate all products personally.
AdRem Software and AdRem sfConsole are trademarks or registered trademarks of AdRem Software in the
United States and other countries.
All other product and brand names are trademarks or registered trademarks of their respective owners.
AdRem Software, Inc.
410 Park Avenue, 15th Floor
New York, NY 10022
USA
Phone: +1 (212) 319-4114
Fax: +1 (212) 832-4114
Email: [email protected]
Web site: http://www.adremsoft.com
THE NETWARE VULNERABILITY
THE SECURITY FACT SHEET
THE SOLUTION
ADREM SFCONSOLE – KEY FEATURES
REMOTE AND LOCAL CONSOLE PROTECTION
SECURE ACCESS VIA ANY WEB BROWSER
EMERGENCY CONNECTION AND FILE TRANSFER
ROLE-BASED CONSOLE ACCESS ADMINISTRATION
CONSOLE ACTIVITY AUDITING
PROXY FOR SECURE ACCESS TO SERVERS BEHIND THE FIREWALL
QUICK AND EASY MULTI-SERVER INSTALLATION
LOW FOOTPRINT – HIGH PERFORMANCE IN SLOW CONNECTIONS
SINGLE SIGN-ON
MANAGEMENT SNAP-INS FOR CONSOLEONE AND NWADMIN
KEYBOARD AND DESKTOP SHORTCUTS
SYSTEM REQUIREMENTS
MORE ABOUT ADREM SFCONSOLE
PRICING, LICENSING, AND AVAILABILITY
Regulatory compliance
Learn more
ABOUT ADREM SOFTWARE
The NetWare vulnerability
Remote console access saves administrators the hassle of running back and forth between the
server and the workstation. In larger networks, it also saves remote-site travel expenses. However, RConsole
and RConsoleJ, the tools Novell offers for remote console access, pose serious security threats. Firstly, in NetWare up
to version 6 both of them operate over unencrypted connections, which means the data is transferred as plain text.
What’s more, administrator passwords are stored in an unencrypted text file, making it easy for an attacker to
capture them and gain control of the server in the process.
The second of Novell’s security holes is the insufficient console access control. In today’s corporate
environment, the ability to delegate different administrator duties to different persons is taken for granted.
However, the Novell consoles are protected by one commonly shared password. The unfortunate result is that all
administrators, whether they need it or not, have the same unrestricted access to the server console. Without
doubt, this runs counter to the basic assumptions of Novell’s eDirectory model, and, worse still, lays
organizations open to all sorts of insider attacks, be it theft of sensitive data, incompetent usage, sabotage of data
networks or impersonation. Despite the fact that research demonstrates the need for insider threat awareness and
measures, most companies grossly underestimate this risk. One of the reasons may be that many abuses never
see the light of day, because organizations have no way of monitoring the problem.
To address the aforementioned security issues AdRem Software designed AdRem sfConsole – an easy-to-use
security-conscious solution that installs remotely on any number of servers in small, medium and large
businesses, and eliminates out-of-the-box the security exposures inherent in the Novell consoles.
The next chapter of this White Paper sets out to demonstrate why security should be a concern for any
organization depending on cyber technology.
The security fact sheet
Computer crime and security survey (The Computer Security Institute)
♦ 52 percent of respondents reported unauthorized use of their computer systems in 2006
♦ The average annual losses per respondent due to cyber crime reported in the 2007 survey shot up to $350,424
from $168,000 the previous year.
♦ The total annual losses due to cyber crime reported in the 2007 survey were $66,930,950.
♦ 59 percent detected insider abuse of network access, 13 percent recorded system penetration, and 8 percent
fell victim to theft of proprietary information.
♦ Financial fraud is a major source of the greatest financial losses.
♦ Virus attacks and System penetration by outsiders are another significant cause of loss.
♦ 41 percent of respondents reported 1 to 5 security incidents in the past 12 months.
♦ 26 percent of respondents reported more than 10 incidents in the past 12 months.
♦ 36 percent of respondents reported incidents from inside.
♦ 10 percent of respondents say they do not know whether there was any unauthorized use of their computer
systems in 2006.
Global state of Information security (joint survey conducted by the CIO and
CSO magazine and PricewaterhouseCoopers)
♦ The most common sources of cyber attack cited were employees/former employees (69%) and hackers (41%).
♦ 40 percent of respondents did not know how many incidents they have suffered.
♦ 29% of security and senior executives do not know how many negative security events they had in their
enterprise in 2006.
♦ 50% of respondents don't know how much money they are losing due to attacks (2006).
♦ Only 48% of respondents encrypt the data before transmission.
Global information security survey (Ernst & Young)
♦ Privacy and data protection have become increasingly important drivers of information security.
♦ Compliance continues to be the primary driver of information security improvements.
♦ Improving IT and operational efficiency are emerging as important objectives.
♦ Information security remains isolated from executive management and the strategic decision making process.
♦ The greatest challenge to delivering information security projects continues to be the availability of
experienced IT and information security resources.
♦ Consider using privacy and data protection as a competitive advantage in the market.
♦ Don't abandon security for performance and conversely don't abandon performance for security.
Global security survey (Deloitte)
♦ 65 percent of respondents reported repeated external breaches.
♦ The top three breaches were: viruses and worms, e-mail attacks and phishing.
♦ 51% of respondents had moved beyond password authentication for end user internet transactions.
The solution
“From my perspective, AdRem sfConsole is a big help in maintaining security and ensuring the productivity
of our administrators.”
Jean Marc Mottet; Systems Engineer; State of Geneva/CTI; Switzerland
AdRem sfConsole offers a completely new standard of NetWare security. This mature, fast, and easy-to-install-and-use security solution works in the Windows environment, and safeguards NetWare servers against both
inside and outside intrusions. In remote connections, access to the server console is secured with ultra-strong
encryption (3 encryption algorithms are available: 128-bit key TEAN, 168-bit key Triple DES and 256-bit AES)
and forced eDirectory authentication. The local (physical) console is protected as well, thanks to the keyboard
lock, screen saver and eDirectory authentication.
Another important security feature of the program is console access control. sfConsole leverages the information in
eDirectory to provide network administrators across an organization with transparent, role-based access to the
remote and local server console. It also delivers the ability to log, track and analyze console activity, thereby
simplifying the detection of security breaches, and consolidating the accountability of server investments.
Furthermore, the program ensures business continuity by providing an emergency connection and file transfer in
the event of eDirectory inaccessibility.
However, sfConsole goes beyond securing NetWare server consoles – it also considerably increases the
productivity of any company’s IT organization. The program offers a choice of options for secure, fully-functional, clientless operation on the remote console. The proxy connection option means remote access to the
server console is also possible through the firewall. AdRem's proprietary single sign-on technology eliminates
the hassle of repeated logging-in to eDirectory. NetWare administrators will also appreciate sfConsole’s
protocol-independence – the program automatically uses either TCP/IP or IPX protocol. Finally, sfConsole
enables quick and secure remote operation on servers even in heavily overloaded WANs or via slow links.
The above features make AdRem sfConsole the secure and flexible alternative to Novell's console solutions.
Quick remote installation on multiple servers makes the program particularly useful in large networks, which are
prone to malicious activity. Therefore, a growing number of organizations choose sfConsole to boost
accountability of NetWare servers, increase productivity of NetWare administrators, and actively protect remote
and local server consoles access against inside and outside intrusions.
AdRem sfConsole – key features
Designing strong security into the information systems architecture of an enterprise can reduce overall
operational costs by enabling cost-saving processes such as remote access and customer or supply chain
interactions that could not occur in networks lacking appropriate security.
The White House National Strategy to Secure Cyberspace released (September 2002)
Remote and local console protection
As demonstrated above, users of Novell’s server consoles run the risk of server hacking, password
theft or insider attack. For these reasons, Novell recommends replacing the native consoles with alternative
solutions, such as AdRem sfConsole. This program eliminates all the vulnerabilities inherent in NetWare by
protecting the remote console access with industry-standard data encryption and forced eDirectory
authentication. By being able to choose between three strong encryption methods (128-bit, 168-bit and 256-bit
keys available), administrators can adopt the security level that best matches the sensitivity of their IT
environment. What’s more, sfConsole delivers added security to remote connections through control of access
rights to console commands and screens (see also “Role-based console access administration”). Consequently,
AdRem’s solution effectively prevents any unauthorized use of the server console.
Figure 1 Secure Remote Access to NetWare Console
AdRem sfConsole fully protects the local (physical) server console as well. The program provides a password-protected screensaver, a keyboard lock, and eDirectory authentication, which means only users with
sufficient access rights can log in to the local server console. This prevents insider attacks and incompetent
usage of the local console, be it downing the server, or accessing the debugger with malicious intent. Moreover,
unlike Novell’s standard screen saver, sfConsole makes it possible to restrict access to console commands and
screens (see also “Role-based console access administration”). The following local server console security
modes are available:
♦ Full console protection – it is impossible to access any server screen (a screen saver will be visible instead
of the active screen) or enter any command from the keyboard without logging in.
♦ Keyboard only (screen saver) – when no one is using the console remotely, the local user can only see a
screen saver and has to log in to use the keyboard. However, if there are active remote users on the console,
the local user can view the active server screen, e.g. to monitor the operation of remote users.
♦ Keyboard only (no screen saver) – unlike in the previous case, this protection mode eliminates the use of
the screen saver; in each situation, the local user can view the active screen but has to log in to use the
keyboard.
♦ Unrestricted access with screen saver – access to the server console will not be restricted. After a
previously defined period of time from the last keystroke, the screen saver will be started. Pressing any key
will result in returning to the server console screen.
♦ Unrestricted access – full access to the local server console (no screen saver and keyboard lock).
Secure access via any Web browser
The web access offered by sfConsole 2009 means that users can remotely connect to a NetWare server using any
Web browser supporting Adobe Flash 10 or later from any available desktop. What’s more, sfConsole and
NetWare clients need not be installed on the workstation. Users just open a Web browser window and type in the
IP address, including the port number, for communication with the server they want to connect to. The default
port number (5023) can be changed at the user’s discretion.
Figure 2 Secure Access via Web Browser
The web-based console provides the same functionality as the client version of sfConsole. This gives users the
flexibility to perform such administrative tasks as role-based access control, remote emergency connection, and
file transfer from anywhere on the web. Last but not least, web access through sfConsole does not compromise
security – users are still required to authenticate through eDirectory.
Emergency connection and file transfer
In situations when eDirectory is inaccessible (due to its failure, or when DS.NLM is unloaded), sfConsole
ensures management continuity by providing an emergency connection with the server. In such cases, users can
also transfer files from a workstation to all the server directories they have been granted access to, including
the server’s local DOS partition. This may prove particularly useful when updating an NLM module or loading a
missing configuration file. The emergency connection may be established anytime from both the
remote console and local server console; however, the emergency user/password must be defined beforehand. In
the cases when the SYS volume is dismounted, you can still connect to the console using a web browser or the
remote console.
Figure 3 Emergency Connection
Role-based console access administration
In today’s corporate environment, it has become common practice to delegate granular access rights to
appropriate persons within the organization. Unfortunately, Novell's consoles are protected by one commonly
shared password, which means that all administrators, whether intended or not, have unlimited access to the server console.
This obvious deficiency undermines the very foundations of any corporate IT security policy.
To counter these threats, AdRem sfConsole provides extensive eDirectory-enabled access rights management
capabilities, a feature unavailable in most other consoles. By extending the eDirectory schema, the program
stores in eDirectory all the information about trustee rights of console users. sfConsole gives authorized
administrators the power to centrally control access rights to particular users or groups across the organization,
define console start-up scripts, and even restrict users’ rights to selected screens or commands. This way an
administrator can grant users access to only those resources and operations they need to perform their duties (e.g.
archive resources, run selected scripts, monitor server operation). Restricting access to the debugger is possible
as well.
Stringent access restriction protects servers and networks against incompetent or malicious console usage and
unauthorized access to the server. Console access can be administered either within the console, or with Novell’s
ConsoleOne or NWAdmin. It is also possible to use the program without the eDirectory schema extension. In
this case, only users with console operator privileges may use sfConsole.
Figure 4 Emergency Connection
Console activity auditing
To further aid administrators in controlling security, sfConsole delivers the possibility to store, track, and analyze
user activities on the server console. Unlike the standard console.log that records only what happened on the
server console, sfConsole lets users determine when something happened and who did it. For instance, an
authorized administrator can verify who accessed the server console from behind the firewall, viewing the
information about his/her login/logout time, the IP/IPX address, or commands executed on the console by that
user. By being able to track user activity on the console, administrators gain the overall view of all operations on
the console from one central location. What’s more, they can not only quickly detect and address security issues,
but also check compliance with the established security policy to ensure traceable server accountability.
Proxy for secure access to servers behind the firewall
If a connection from some external Internet location is desired, remote access to the NetWare server console is
also possible through the firewall. In this case, users log in via the web to a single sfConsole server that acts as a
proxy, and from this server they communicate with any other server within the same NDS tree, as seen on the
table below.
Unlike the previous releases of sfConsole, in which opening multiple NCP ports was necessary, version 2007 or
later requires just one dedicated port – selected by the user – to be opened on the firewall, and forwarded to the
proxy. This eliminates the risk inherent in the NCP ports that users can potentially gain unauthorized access to
other NetWare resources from outside the firewall. The proxy connection provides users with access to the server
console only.
The proxy-enabled remote connection is protocol-independent – users connect with the proxy server over TCP,
and then communicate with other NetWare servers over either IPX or TCP. However, they can connect
exclusively to the NetWare servers that are located within one NDS tree.
Figure 5 Remote console proxy for secure access to servers behind the firewall
Quick and easy multi-server installation
sfConsole contains only one NLM, which is sized at about 2 MB. This means installing the program remotely on
100 servers at a time takes no more than half an hour. During installation, the program unloads and removes
other insecure remote consoles (like Novell RConsole or RConsoleJ) from the autoexec.ncf startup file,
providing the assurance these consoles cannot be used by users with insufficient privileges. As a result, you gain
the confidence that sfConsole is the only available remote console, which can be accessed only by authorized
users.
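As an added illustration (not AdRem's code and not part of the original white paper), the following Python example audits an autoexec.ncf-style startup file for the native remote console loaders that this section says the installer removes, and classifies any console password on those lines as plaintext or encrypted, the exposure described under "The NetWare vulnerability". The module names REMOTE, RSPX and RCONAG6, the -E encrypted-password form, and the sample file are assumptions of the example.

```python
import re

# Loader modules of Novell's native remote consoles. These module names are an
# assumption of this example; the page names only RConsole and RConsoleJ.
INSECURE_MODULES = {
    "REMOTE": ("RConsole", True),          # (console, takes a password argument)
    "RSPX": ("RConsole SPX transport", False),
    "RCONAG6": ("RConsoleJ agent", True),
}

# Constructed sample startup file, not taken from a real server.
SAMPLE_NCF = """\
# constructed AUTOEXEC.NCF sample
FILE SERVER NAME FS1
LOAD REMOTE s3cretpw
load sys:\\system\\rspx.nlm
; LOAD RSPX
RCONAG6 -E 0A1B2C3D 2034 16800
REM LOAD REMOTE disabled
LOAD MONITOR
"""


def _module_of(line):
    """Return (module, args) for a command line, or None for blanks/comments."""
    tokens = line.split()
    if not tokens or tokens[0][0] in "#;" or tokens[0].upper() == "REM":
        return None
    if tokens[0].upper() == "LOAD":
        tokens = tokens[1:]
    if not tokens:
        return None
    # Strip an optional volume/path prefix and the .NLM extension.
    name = re.split(r"[\\/:]", tokens[0])[-1].upper()
    if name.endswith(".NLM"):
        name = name[:-4]
    return name, tokens[1:]


def audit_ncf(text):
    """List native remote-console loaders found in an NCF file.

    Passwords are classified, never echoed, so the report is safe to share.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = _module_of(raw)
        if parsed is None or parsed[0] not in INSECURE_MODULES:
            continue
        module, args = parsed
        console, takes_password = INSECURE_MODULES[module]
        if not takes_password or not args:
            password = "none"
        elif args[0].upper() == "-E":      # assumed encrypted-password form
            password = "encrypted"
        else:
            password = "plaintext"
        findings.append({"line": lineno, "module": module,
                         "console": console, "password": password})
    return findings


def neutralize(text):
    """Return the file with each flagged line replaced by a comment.

    The original line is dropped rather than commented out so that a
    plaintext password does not survive in the file.
    """
    flagged = {f["line"]: f for f in audit_ncf(text)}
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if lineno in flagged:
            out.append("; removed native remote console loader: "
                       + flagged[lineno]["module"])
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_ncf(SAMPLE_NCF):
        print(finding)
    print(neutralize(SAMPLE_NCF))
```

Running the audit again on the output of `neutralize` should return no findings, which gives a simple post-installation check that no native remote console is still started at boot.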
Low footprint – high performance in slow connections
Thanks to a custom data compression algorithm, AdRem sfConsole allows you to remotely access the server
console even over extremely overloaded wide area networks and via slow links. Since it uses the NCP protocol,
which can be run over IPX or TCP/IP, sfConsole may operate in various configurations. This program is
optimized for WAN and modem connections; typically, the traffic generated by sfConsole is less than 1 kb/s.
Single sign-on
sfConsole utilizes AdRem's proprietary single sign-on technology. This means users log in using the eDirectory
password just once. All subsequent connections to other servers within the same NDS tree, and all windows
opened later, use the information about user rights that is stored in eDirectory, and do not require entering
passwords again. As a result, users with suitable rights access the server console without the hassle of repeated
log-ins to eDirectory. AdRem sfConsole uses safe connections between the workstation and eDirectory, and may
check all users’ rights before granting them access to the server console. Coupled with the state-of-the-art
encrypting technology, the one-time login increases the security level of the console operation, and streamlines
server console administration.
Management snap-ins for ConsoleOne and NWAdmin
sfConsole incorporates the snap-ins for the widely used eDirectory management tools, Novell NWAdmin and
Novell ConsoleOne. This enables users to manage access privileges to console commands and screens directly
from eDirectory.
Keyboard and desktop shortcuts
sfConsole allows you to define keyboard shortcuts for the most frequently used functions. For example, you can
quickly change screens by using the 'Num +' and 'Num - ' key strokes defined as the shortcut. This is particularly
useful for Novell RConsole users who are used to certain keyboard shortcuts already.
System requirements
NetWare Server
♦ NetWare 5.1 or higher
♦ Open Enterprise Server NetWare 1.x or higher
Windows console
♦ Windows XP Professional, x32 (except Home edition)
♦ Windows Vista, x32 or x64 (except Home editions)
♦ Windows Server 2003 x32 (Standard and Enterprise edition)
♦ Windows Server 2008 x32 or x64 (Standard and Enterprise editions)
Novell Client Installation on Windows
In order to establish a connection with the NetWare server, the dedicated Novell Client must be installed on
the Windows operating system where AdRem sfConsole is running.
♦ Novell Client 4.91 or higher must be installed on machines running Windows XP or Windows Server 2003
(both x32 systems).
♦ Novell Client 2.0 or higher must be installed on machines running Windows Vista or Windows Server
2008 (either x32 or x64 systems).
Web console
Any Web browser that supports Adobe Flash Player 10.0.12 or higher.
Note
Please note the Novell Client does not support all versions of Windows operating systems. Please refer to the appropriate
Novell Client documentation for more information.
More about AdRem sfConsole
Pricing, licensing, and availability
The AdRem sfConsole security solution is available from www.adremsoft.com. The program is licensed on a per
server basis, which means that a single product license can be installed on an unlimited number of administrator
workstations and used to manage one NetWare server.
Regulatory compliance
Regulations and guidelines related to cyber security:
♦ National Strategy to Secure Cyberspace
♦ Health Insurance Portability and Accountability Act [HIPAA]
♦ Gramm-Leach-Bliley Act
♦ Sarbanes-Oxley Act
♦ European Union’s EU Data Protection Directive
To learn how sfConsole addresses HIPAA compliance requirements, please go to
http://www.adremsoft.com/doc/AdRem_Software_HIPAA_Compliance.pdf
To access a white paper on AdRem Software’s SOX compliance, please link to
http://www.adremsoft.com/doc/AdRem_Software_SOX_Statement.pdf
Learn more
By clicking on http://www.adremsoft.com/sfcon/index.php you can access sfConsole’s product web page
complete with success stories from all major economy sectors along with a free 30-day trial, white papers,
product documentation, flash presentation and pricing.
About AdRem Software
AdRem Software (www.adremsoft.com) provides rapidly-deployable software solutions for monitoring,
managing, troubleshooting and securing enterprise networks. Since its inception in 1998, the company has been
at the forefront of Novell network management development creating the popular freeware application Free
Remote Console along with two commercial network management solutions, sfConsole and Server Manager.
AdRem’s efforts to create multi-task and easy-to-use solutions were quickly noticed and appreciated, resulting in
the prestigious “Best Commercial Application” award from the Novell Developers’ Contest in 1999 for AdRem
Server Manager.
With AdRem’s flagship solution, AdRem NetCrunch, businesses can automatically visualize and monitor their
multi-technology networks and proactively ensure system, application and service availability to customers,
employees and partners. NetCrunch is noted for delivering integrated, proactive network and systems
management at the price of a point product.
The company's products target IT departments in small and mid-size companies, along with VARs, system
integrators and networking services firms. By using AdRem’s solutions customers can maximize returns on their
IT infrastructures by boosting network/systems performance and availability, optimizing IT asset utilization and
reducing maintenance overhead. The company's solutions are deployed on over 400,000 servers worldwide and
are sold through AdRem’s online store, resellers, distributors and system integrators in more than 50 countries.