HiR 9 Novell Netware Inside Out By Asmodian X -=-=-=-=-=-=-=-=-=-=-=-=-=-=- Introduction [-1]: Novell is one of those old school company's that became really popular because their Netware server software could run on just about any old PC machine, and client with just about anything. The downfall of Novell is that it got old and inflexible, and ignored the Internet and the Unices and TCP/IP, until it leapt up and bit them in the ass in the form of Windows NT(tm). Albeit Novell still out guns NT in performance, and security, it just lacked a pretty looking server, and the ease of use part. That factoid wasn't solved until the advent of Netware 5, which draws on TCP/IP and XFree86 for the gui. During this article I will briefly mention some of the ability's that Novell Version 4.1x and above has. And briefly go over how Novell works. Table of Contents: -1. Intro 0 Components of a Novell network .5 Overview on The Server 1 Overview of The client 1.5 Overview of the Services 2 Overview of Security 2.5 Overview of File Rights and Filters 3 Overview of NDS and NDS permissions 3.5 Roto-routing 4 IPX/SPX Sappiness 4.5 Summary 5 Netware 5 and Other After thoughts. Section [0] What makes a Novell Network? Novell networks are usually made up like all other Ethernets (or token rings) are. Network Card, Cable, hub, Server and or routers, Brouters and bridges. Novell relys on client software to work, and the server is the only point where a person can access the file system, (unless your using windows 9x's SMB sharing protocol.) Job-wise, there's a few CNA's(Novell Certified Network Administrator) who actually take care of the users, and some specialized CNE's (Cert. Net. Engineers) that actually perform maintnence and design new additions to the system. The CNA's generally don't know a whole lot about anything, and have done a little bit of computer work. To become a CNA you must memorize a bunch of lists, protocols and garbage, the regurgitate all of it onto the test which costs around 80 to 100$(US). Generally speaking they have to pull up the book to do anything more complicated than adding users and managing the print ques. The CNE's however have had ten times that amount of education, and actually know something about the system. (I'm not a big fan of Cramming sessions for tests, you get nothing out of it). Plus in my opinion its a useless piece of paper, but on the other hand, it gets you the money, and in most cases the job. So go figure.. The Server, Part [.5] The server is an x86 (probably Intel) which is crammed into a closet somewhere under lock and key. The server by itself is useless, except for the few utility's you can run on it in the form of NLM's (Netware Loadable Modules) Neat stuff like, EDIT, Servman and other stuff like that. The server itself can be locked away for long periods of time with out fear of lost productivity because other than being a server, its a useless paper weight. So what if you need to get at the startup files for the server? easy. Most administrators will set up a blurb in one of the startup files to load a remote access module LOAD rspx (spx remote protocol) LOAD remote This is a text book example of how to load the remote console server. This is also a gaping security hole. <*See The security section for more information.*> The Console then can be controlled by a client program called "rconsole" which resides on most dos/win, or win9x clients. Any logged in user can run rconsole, but needs to know the password to get console. -=-=-=-=-=-=- The Client [1] At this point we know roughly the place of the server (which I plan to get into more of that later.) But now we must talk about the client. A Novell Client, is the very first thing that is run (service wise) on your Bill box (dos/win3.1x, win 9x/NT) It Throws up a login screen, and allows you to connect to a certain Novell server, or into a user profile which resides on to another branch of the Novell Directory Service (NDS). We will talk more about NDS later, so don't blow a neuron. Security Difference Between Novell 3.x/4.1x and Unix type security. [UNIX] A Unix box just sits quietly on the network waiting for some one to connect to a service, and use it. The Unix server (assuming it is currently running TCP/IP) has an actual address. Which means it will reside at that logical location on that network, regardless of which user is using the Unix box, or what its Physical Address it is using. A Unix box does not require logins for certain types of services. Like for instance: World Wide Web Finger Time/Date Character Generator These do not require a person to login to the service, they are for the most part PUBLIC services. And relys on the security of the network to keep unwanted users from accessing those services. [Novell Netware] A Client has no static address, it just sits there listening for SAP (Service Announcement Protocol) The Client knows what servers are out on the network by listening for their services broadcasted by server. example: A server broadcasts that it is a server, and is residing at Physical Address xxxxxxxx. A client hears this and places the server on its list of servers that the user can access. Once a user chooses to connect to a server, the user must enter a username, and or password for that server/service. The Server validates the user. Then the client is issued a Connection number made up of their NIC card's Physical address, and some of the users information. The user is counted as a connection to the server, and the Administrator can see which user is logged in at which machine, just by looking at the connection number. A great advantage of using Netware 4.1x is that NDS allows a person to access resources on multiple servers by logging in just once. -=--=-==-- [1.5] The Services Novell Netware 4.1x provides File sharing, Printing, Software liscencing services, email ...blah blah blah... you get the point. Novell Netware even supports TCP/IP. A person could set up an IPX to IP gateway, or just have IPX and IP co-exist on the same network. Another neeto thing is setting up telnet services on the server. From there a person logs in, then gets an XTERM (XFree86 Terminal) that spits out a server console. (Xterm's are usable on Un*x machines, and there's also Win9x Xclients that can display the XTERM. It shows up like remote does. Novell also has a slew of Unix like services, like FTP, HTTP and even addressing services like DHCP and stuff like that. in any case, Novell Netware provides the standard snafu services that every one else does plus a few proprietary services. -=-=-=-=-- [2.0] Security. Novell Netware has 4 layers of security. 1. Login (session based): the server does not acknolage your existence with out logging in. 2. NDS (Novell Directory Services): Checks what access you have on the entire network. plus access to database on users 3. File System Rights: (s)upervisor(r)ead(w)rite(e)race(c)reate (m)odify(f)ile scan(a)ccess Control 4. File Attributes: (there are many many many many attributes) ie. read only, don't compress...etc (Novell Security Goofiness) Many administrators will have a guest account that they use temporarily for temp workers or new employees. So that in it self defeats the purpose of layer 1. NDS Cant be directly accessed. But by default you have access to the system volume. If you can get there take a look in the etc directory. Thats where the system stores setup. Most files you don't have read access too, but there's a fun bug in Netware 4.11. If the admin setup TCP-IP, the setup proggie puts the rconsole commands in a publicly readable config file password and all. So you skip all four layers and have direct access to the console. The console does not look very pretty, but thats where you set up all of the services.. go figure.. I implore you, be nice to the admin, tell them about this and ask them to fix it. It can be fixed by simply removing the world readable attribute from the offending file. It can also be fixed by putting in a script file that it self is hidden, but the system can still run it. Another note, the actual console shows your every move so your presence is not totally invisible. Another note is that the admin can actually set up a screen saver password that would make it more difficult for a person to get through. [2.5] File rights and Filters (I.R.F) File rights are one of the most important features that Novell has. (File rights) R Read contents of a file W Write Stuff to a file C Create a new file in this directory E Erase file in this directory M Modify File Attributes F File Scan (allows you to see what files are in this directory) A Administrator (the god bit) no matter what they have set up in this directory in the way of permissions, they no longer apply to you. you can see the permissions using the ndir dos command, or by viewing the properitys on the file by right clicking on the file and choosing properitys. The file rights R and F, are by default assigned to all directory's. In-order to control what inherited rights a sub folder gets, an administrator will set up what is known as an Inherited Rights Filter. Also known as an I.R.F. An IRF can block certain rights from being inherited from a higher folder. the Attributes in Brackets "[]" are your users effective rights to that folder. the "-" stands for an IRF. Root+ [RW MF ] | +Fred+ [RW MF ] | +Jim+ [R- -F ](*the W and M attributes have been blocked*) | +Larry [R F ] (* The folder Larry inherited only the R and F attributes and not the M and W attributes. *) [3.0] The Novell Directory Service(s) or N.D.S, and its attributes NDS was one of the primary features that Novell added to Netware 4.1x. It exists in Netware 5 and Has actually been ported to Windows NT Server. With NDS a User can use resources (like files servers and printers ... blah blah blah) any where on the novell network that he/she/it has been given rights to. It no longer requires a separate login to get to other servers resources. N.D.S is essentially a big database of services and where they are located at on the network. To make a long story short, when you add a computer to a network, you add an individule being to a communications medium. When you add a Novell Server to a Novell Network, It is Assimilated into a collective entity, ala Borg. So its a good way to reduce the work of administrating a bunch of servers because if you talk to one server, you have talked to them all. Some of the resources that a person will see on an NDS database will be, Users, Orginisational units (something to compartimentalise your resources) Groups, printers, Print ques, mail ques ....Blah blah blah. The Database has its own structure and design, and has changed in design a wee bit from Netware 4.1x to Netware 5. A bug in Netware 5's NDS design will crash the entire NDS database if you assimilate it into an existing Un-patched Netware 4.1x network. The NDS database can be stretched out to reside on multiple servers, just in-case a server bombs out, the database will still be some what intact. this is done through partitioning. All or part of a database can reside on a server. This can accomplish several things. First it keeps server traffic down, because multiple servers can take care of business. Second, you can create a logical structure for a network. By logical I mean that it used to be that a large department needed its own server to control its own resources. With NDS people could make a logical branch for the department, and utilize resources from all over the building rather than investing in redundant equipment. Another Note, File servers also reside on NDS as an Object. At only one point in NDS you can put an IRF onto an object to stop the administrator Right. And that place is on the file Volume it self. It is an effective road block to separate NDS rights and File Rights. (NDS Rights) Slightly more numerous than File rights, NDS rights not only control a users access to certain objects, but to NDS data as well. NDS keeps track of attributes to those objects. Information such as Name age, address, phone number, date of birth ... what ever the admin puts into the users object. There are Object Rights(Make news objects delete...etc), and there are Property Rights (database info) Those Object rights are: o S Supervisor (*anything you want to do can be done*) o B Browse(*See what stuff is*) o C Create(*Make New stuff*) o D Delete(*Delete Stuff*) o R Rename(*Rename something*) The Property Rights are: o S Supervisor (*As above*) o C Compare (*Something to the effect of checking to see if something exists, or yes/no property comparisons and stuff like that. ie.. it can tell you that 75% of the users live at the same address*) o R Read (* Read that objects properitys*) o W Write(* Change properitys on said object*) o A Add Self (* you can manipulate your own properitys and stuff something akin to supervisor rights but not quite as direct*) IRF's also exist in NDS, and work in pretty much the same manner as the File IRF's do. [3.5] Roto-Routing IPX/SPX is alot faster than TCP/IP on a LAN, but runs into problems when it starts being used in a WAN (Wide-Area-Network) environment. Ie. from City to City, or country to Country Links. IPX/SPX can only be bounced through three routers before the packet gets lost and dies. Where as TCP/IP can be routed indefinitely. IPX/SPX typically is most effective on a single segment. Ie every ones using the same medium. Like for instance, an IBM token ring network is nice and spiffy for IPX/SPX because all of the computers, and the servers exist on the same piece of Wire (so to speak). What Routing Does Is that takes a packet of information, sees if its for a computer locally, and if its not, it sends the packet up to the next network layer (usually a MAN(Metropolitan Area Network), or a WAN(Wide area network). Which other routers take a look at the packet and see if its for them, and then if it is for a computer on their segment, they snarf it, and the process repeats it self. Note: Netware 5 uses ONLY TCP/IP now, which solves the routing problem. [4.0] IPX/SPX SAPPINESS Sap not only runs from pine trees, but it runs out of Netware 4.1x and Netware 5 servers as well. SAP stands for Service Announcement Protocol. Sap is how Clients can see what services there are on a Novell Network. The Client just stands there stupid and waits for a server to announce its presence to the world. SAP simply contains the MAC address of the resources, and what the resource is. SAP can run out of clients too. For instance, a person can run the Pserver program to announce to the rest of the network that your printer is ready to accept print jobs. (of course the server still has to be there to manage the print ques and stuff) Note: Netware 5 makes full use of the TCP/IP broadcast address for SAPing purposes. [4.5] Summary Novell is one of the most popular Network OS's around. The rumors of Novells Demise is greatly exaggerated by everybody's favorite spin doctor... Mr. Bill. Most established company's use Some form of Novell or another for their lans. In the way of security, Novell is pretty good, though their target market didn't buy it because of that, and have been known to do stupid things with their security. [5.0] After thoughts Information on Novell the company and its products: HTTP://www.novell.com Security Announcements that first pointed out the Config file flaw. Bugtraq Mailing list archive. http://www.geek-girl.com/bugtraq/ The Ugly Red Book that Costs too much for what it actually provides. Clarke, James David, IV. " Novell's CNE Study Guide: IntranetWare/Netware 4.11" Novell Press, San Jose 1997 ISBN 0-7645-4512-4 Slightly biased Summary: Although Jam packed with fruity information on Netware, This book is poorly orginised. The incessant "Words of wisdom" and the authors Flaming ego tend to distract your attention from the actual content. This book requires a long attention span, and perhaps some form of Ritilan to fully digest. Im not suprised if this book was in part sponsored by the midwest pulp association, weighing in at a paltry 1570 pages. Asmodians Slightly biased Rating: If your stuck in the wilderness and need to start a fire, do not have any qualms about burning this book, you will be missing nothing.. Telecom guide. Green, James Harry. "The Irwin Handbook of Telecommunications 3rd Ed." Irwin, Chicago 1997 ISBN 0-7863-0479-0 Summary: This book is some what dry, however it is concise and very to the point. I found it easy to read, and it was very factual. It goes into great detail on the telecommunications industry. A must read if you want to feel the telecomunication industrys pain.