Networking Guide 7 - Network Access and Security
There are two prerequisites that you should keep in mind when you access a resource on the network: network access and the proper security clearance. These items work together to allow you access to a particular resource.
The first of these two topics that you need to consider is network access. Network access involves installing client software on your computer. This software gives your computer the instructions that it needs to be able to access the network.
Network security involves ensuring that only authorized users have access to the network and that they access it only in authorized ways. You want to ensure that hardware, software, and data are available to authorized users when they are needed, but you also want to ensure that hardware, software, and data are not compromised or threatened. In addition to providing network access, client software works with the network operating system to provide network security.
As a network administrator, you can create an effective security plan in a number of ways and by using a variety of tools and procedures. Some of these are practical, commonsense safeguards, and others involve implementing protective systems and technologies. Although numerous recent examples indicate that almost no network is completely immune to security breaches, taking advantage of the measures in this chapter gives you a head start.
You’ll start by learning about the different types of clients and how they are installed. You’ll then learn about some of the simplest security measures, usernames and passwords, including good and bad examples. You’ll then move on to the more complex ways to secure your network: firewalls and proxies. Finally, you’ll learn about some threats that may exist for your network. The Network+ exam covers all of these topics.
Tip - If someone can walk in and take your server or backup tapes, you don’t have much security at all. In the real world, you’ll want to ensure that all appropriate and necessary physical mechanisms are in place to protect your network.
Accessing Network Resources
Generally speaking, computers don’t know how to access the various resources on your network. Each workstation OS (such as DOS and Windows 95/98, for example) knows how to access only its own local resources (such as local printers and local disk storage). For this reason, network operating systems use various methods to enable workstations to access network resources.
Windows 95/98 computers can use both the various built-in software clients and third-party client software to achieve network connectivity. As a network administrator, you’ll need to tailor the connection software to your network. This is known as proper client selection. Once the client and the server are communicating, the PC can connect to network directories. Drive mappings allow reproducible connections from the local workstation to a network drive. Additionally, local print jobs on the PC are redirected to a network printer instead of being sent out of a physical LPT port. This is achieved through printer port captures. Let’s look at each of these in detail.
Installing the Windows 95/98 and NT/2000 Client
Not surprisingly, Windows 95/98 comes with a client to connect to Microsoft servers and PCs. The Client for Microsoft Networks is the preferred client to access Microsoft networks. You also need this client to run the server tools for Windows NT/2000 on a Windows 95/98 computer to be able to perform domain administrative tasks.
Additionally, the network administrator will also have to authenticate (provide username and password at a login screen) again when using the server tools versions of administrative utilities on a Windows 95/98 machine. Therefore, the best combination for a network administrator’s desktop machine is Windows NT/2000 Workstation or Server with the Client for Microsoft Networks.
Follow these steps to install the Client for Microsoft Networks on a Windows 95/98 computer:
Be sure that your network interface card (NIC) is properly installed and configured. The operating system must already recognize the card. Locate your Windows 95/98 CD and have it ready.
Connect your network cable, and ensure that the link light on the NIC is on.
Make sure that you are at the Windows 95/98 Desktop.
Choose Start - Settings - Control Panel to open Control Panel.
Double-click Network to open the Network dialog box.
Click Add to open the Select Network Component Type dialog box.
Click the Client icon in the list, and then click Add to open the Select Network Client dialog box.
In the Manufacturers box, click Microsoft.
In the Network Clients box, click Client for Microsoft Networks, and then click OK.
Click OK in the Network dialog box.
Place the Windows 95/98 CD in the drive if prompted to do so. Locate the install CAB files, and click OK if prompted. The Copying Windows Files screen opens and then closes.
In the System Settings Change dialog box, click Yes. The system will now reboot.
Installing the NetWare Client
You have two options for setting up user workstations to connect to a NetWare network:
Novell NetWare Client
Microsoft Client for NetWare Networks
The one you select depends on your network and users. If you have a predominantly Windows NT network, the Microsoft client might better fit your needs. If you have a NetWare network or a hybrid network with a substantial Novell base, you need to use the Novell client; the latest version is available from Novell. Stay away from the clients distributed with Microsoft Windows 95/98 and NT/2000.
You can find the Novell Client for NetWare on the following:
Novell’s website at www.novell.com
NetWare Client CD as part of the NetWare installation CD set or floppies (only with older versions)
The ZENworks CD
The SYS volume of a NetWare server
What happens when you lose connectivity with your NetWare server and you need to install client software? If you are using IPX/SPX without a web proxy server, downloading the software from the Novell website is out. Many companies place software media under lock and key, and require support staff to install from the network. If that is the case with your company, that cuts out installing from CDs and floppies. The SYS volume is useless if you can’t access the server. To avoid these problems, place a copy of the client installation software on your local PC the first time you connect to a NetWare server.
Tip Regardless of the vendor you choose, a good practice is to download the installation files for your operating system (CABs for Windows 95/98, i386 directory for NT), client software, video drivers, and NIC drivers as soon as you connect to a server.
Don’t forget about yourself. The best combination for the network administrator’s computer is a Windows 95/98 or NT/2000 operating system with the Novell NetWare Client. Novell’s NDS takes care of authentication, thus addressing network security. Use Windows NT/2000 if you want additional security on your local machine. As an administrator, you have no choice about the client. Without Novell’s client you will not get the full functionality of the NetWare Administrator utility and, besides, Novell’s client is free.
To install the Novell Client for NetWare on a Windows 95/98 computer, follow these steps:
Download the latest Novell Client for NetWare from the Novell website, and run the self-extracting file. Or insert your NetWare Client CD.
Double-click the setup.exe file. (This is true for the non-ZENworks version of the client software.) The Novell client license agreement window opens.
Read the license agreement, and then click Yes to accept the agreement and to open the Welcome dialog box.
In the Select an Installation Option section, click Typical.
Click Install to open the Building Driver Information Database and Copying Files windows.
You’ll be asked if you want to set the preferred server properties for NetWare 3.x servers or the preferred tree, context, and server properties for NetWare 4.x and later servers.
If you click Yes, you will have an opportunity to set these properties in the Novell NetWare Client Properties dialog box. Click OK when you finish entering the information, and the installation continues.
If you click No, the installation continues.
Note On Windows 95/98 computers, some files need to be copied from the Windows 95/98 CABs. If these are not in the Windows\Options\Cabs directory, you will be prompted to insert the Windows 95/98 installation CD.
When the installation is finished and you are prompted to restart the computer, click Reboot.
Warning Be sure that your IPX/SPX or TCP/IP protocol stacks are properly configured.
Installing the Unix Client
Windows 95/98 needs the client portion of the Network File System (NFS) to connect to a Unix NFS server. If a computer has this client installed, NFS Client—or similar wording—will appear in the listing in the Network dialog box.
Note Windows 95/98 computers without an NFS client can connect directly to a Unix system that is running Samba. Samba is a free server-based solution that uses Server Message Blocks (SMBs) to allow Microsoft clients to see the Unix file system. Samba is available from ftp://samba.anu.edu.au/pub/samba/. Samba is designed for Unix servers and will not install on a Windows 95/98 PC.
The client portion of NFS is currently available only from third-party vendors. No NFS client is distributed with Windows 95/98 or NT/2000. Two popular NFS client vendors are Sun and NetManage. Sun Microsystems offers server and client products for Unix server to PC connectivity. Its client-based product is Solstice NFS Client. NetManage offers several products, including Chameleon UnixLink. You should select the vendor and product based on your individual needs and budget and after evaluating the demo software. Since third-party options tend to be more popular than their primary-vendor counterparts, we’re going to demonstrate the installation of NetManage’s Chameleon.
Note You can get a demo of Chameleon from the NetManage website at www.netmanage.com. This is a demo; after 30 days, the software ceases to function.
To install the NetManage Chameleon UnixLink on a Windows 95/98 PC, follow these steps:
Double-click setup.exe in the Cham_95\NFS directory. This directory is on your CD or in your download directory after extraction. The NetManage Setup and License Notice windows open.
Read the License Notice, and click Accept to open the Setup Option dialog box.
Click Typical, and then click Next to open the Serial Number dialog box.
Enter your serial number and key in their fields, and then click Next to open the Select Directory dialog box.
Note The serial number and key are typically included on a document that comes with the software. You can also obtain them from the website where you downloaded the free software (usually called a “demo” key).
Verify the installation directory. By default it is C:\NETMANAG.95. If you want to install to a different directory, enter the path or browse to the directory. When you are finished, click Next. Files are installed when the Copy Files dialog box opens.
The Building Driver Information Database and Copying Files windows open. You may be prompted for your Windows 95/98 CD if the CAB files are not on your local hard drive.
The Information screen opens, telling you that it will now install support programs. Click OK to open the Choose Program Destination Location dialog box.
Click Next. The NetManage Setup window tells you that components are being installed.
In the Finish window, click Finish. The NetManage Setup window opens, telling you that you must restart Windows for the changes to take effect.
Click Yes to restart Windows.
Selecting a Primary Client
Now you have connections to your NT, NetWare, and Unix servers. You now must determine which one will be the primary client on your Windows 95/98 machines. The first question you must ask yourself is: Which servers do your users most often access? For your CAD/CAM engineers, it may be Unix; for web design, it could be either NT or NetWare. Each user will want their favorite servers to appear first in the Network Neighborhood. As an administrator, you will want to gain quick access to the network you spend the most time managing. The network administrator can set a primary type of client to speed access and searches.
To set a primary client on a Windows 95/98 PC, follow these steps:
Choose Start - Settings - Control Panel to open Control Panel.
Double-click Network to open the Network dialog box with the Configuration tab selected. Notice the Client for Microsoft Networks, the NetManage UnixLink NFS Client, and the Novell NetWare Client at the top of the dialog box.
Click the drop-down button to the right of the Primary Network Logon text field to display the drop-down list.
Scroll down through the options, and select the primary client of your choice. Your selection now appears in the Primary Network Logon text field.
Click OK to save the change. The System Settings Change dialog box opens, asking you to restart your computer.
Click Yes to restart your computer.
Managing User Account and Password Security
Usernames and passwords are key to network security, and you use them to control initial access to your system. Although the network administrator assigns usernames and passwords, users can generally change their passwords. Thus, you need to ensure that users have information about what constitutes a good password. In this section, we’ll look at the security issues related to user accounts and passwords, including resource-sharing models and user account and password management.
Network Resource-Sharing Security Models
You can secure files that are shared over the network in two ways:
At the share level
At the user level
Although user-level security provides more control over files and is the preferred model, implementing share-level security is easier for the network administrator. Let’s examine these two security models and their features.
Share-Level Security
In a network that uses share-level security, you assign passwords to individual files or other network resources (such as printers) instead of assigning rights to users. You then give these passwords to all users who need access to these resources. All resources are visible from anywhere in the network, and any user who knows the password for a particular network resource can make changes to it. Because what is presented is the resource’s password rather than a user identity, the network support staff have no way of knowing who is manipulating each resource; at best, a record shows that someone who knew the password did so. Share-level security is best used in smaller networks, where resources are more easily tracked.
Note Windows 95/98 and Windows NT/2000 support share-level security.
User-Level Security
In a network that uses user-level security, rights to network resources (such as files, directories, and printers) are assigned to specific users who gain access to the network through individually assigned usernames and passwords. Thus, only users who have a valid username and password and have been assigned the appropriate rights to network resources can see and access those resources. User-level security provides greater control over who is accessing which resources because users do not share their usernames and passwords with other users (or at least they shouldn’t). User-level security is, therefore, the preferred method for securing files.
Note Windows NT/2000, NetWare, and Unix support user-level security.
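The accountability difference between the two models described above is easy to miss in prose, so here is an added example (not code from the original guide) that simulates both. A share-level resource checks a single password and cannot record who acted; a user-level resource authenticates a username against an account database and checks that user’s rights. The account names, passwords, resource name, and the plaintext credential store are all constructed for the illustration; a real NOS would store password hashes.

```python
"""Share-level versus user-level resource security, modelled side by side."""
from dataclasses import dataclass, field
from hmac import compare_digest

# Constructed stand-in for the NOS account database (NT domain, NDS, /etc/passwd).
# Plaintext only to keep the example short; real systems store hashes.
ACCOUNTS = {"alice": "Tr0ub4dor&3", "bob": "correct-horse"}


def authenticate(user: str, password: str) -> bool:
    """Verify a username/password pair against the account database."""
    stored = ACCOUNTS.get(user)
    return stored is not None and compare_digest(stored, password)


@dataclass
class ShareLevelResource:
    """One password guards the whole resource; no identity is ever presented."""
    name: str
    password: str
    audit: list = field(default_factory=list)

    def access(self, supplied_password: str, operation: str) -> bool:
        granted = compare_digest(self.password, supplied_password)
        # The only thing the log can record is that "someone" used the password.
        self.audit.append({"resource": self.name, "who": None,
                           "op": operation, "granted": granted})
        return granted


@dataclass
class UserLevelResource:
    """Rights are granted per authenticated user and per operation."""
    name: str
    rights: dict  # username -> set of permitted operations, e.g. {"read", "write"}
    audit: list = field(default_factory=list)

    def access(self, user: str, password: str, operation: str) -> bool:
        if not authenticate(user, password):
            granted = False
        else:
            granted = operation in self.rights.get(user, set())
        # The identity that attempted the operation is always recorded.
        self.audit.append({"resource": self.name, "who": user,
                           "op": operation, "granted": granted})
        return granted


def who_modified(resource) -> list:
    """Identities recorded for successful write operations (None = unknown)."""
    return [rec["who"] for rec in resource.audit
            if rec["op"] == "write" and rec["granted"]]


def demo():
    """Run the same three attempts against each model and return both resources."""
    share = ShareLevelResource("payroll", password="pay2001")
    share.access("pay2001", "write")  # anyone who was told the password
    share.access("guess", "write")    # wrong password: denied

    user = UserLevelResource("payroll",
                             rights={"alice": {"read", "write"}, "bob": {"read"}})
    user.access("alice", "Tr0ub4dor&3", "write")  # granted, and attributed
    user.access("bob", "correct-horse", "write")  # valid login but no write right
    user.access("bob", "wrong", "read")           # bad password: denied
    return share, user


if __name__ == "__main__":
    share, user = demo()
    print("share-level writers:", who_modified(share))  # [None]
    print("user-level writers:", who_modified(user))    # ['alice']
```

Running the script shows the point the text makes: the share-level audit trail can only say that a write happened, while the user-level trail names the account that performed it, and a valid user without the right is still refused.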
Comparing Firewall Operating System Platforms
Most firewalls are implemented as a combination of hardware and software. The hardware is typically a server-class machine. The software is usually specially written and sits on top of an NOS. Firewalls are typically dedicated computers (that is, they don’t do file/print serving or perform any other network function).
Let’s briefly look at each of the four major network operating systems and how each implements a firewall.
Note Remember that in addition to firewall software, you need at least two NICs (some firewall products use three) to have a functional firewall.
The Unix Operating System
Unix is the NOS on which the Internet was built and, as such, is also the NOS on which most firewall software was first developed. In Unix, you can unload and lock down individual services. This means that you can configure a Unix server so that only the firewall service (plus whatever you need for remote administration) is up and running. Proponents of Unix argue that it is more secure than other operating systems because nonessential services can be removed, though knowledgeable Microsoft or Novell administrators can do the same with Windows and NetWare.
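The lockdown described above is only as good as your check that nothing else is still listening. The following script, an added example rather than code from the original guide, audits a Unix host that is meant to be a dedicated firewall: it parses netstat -tlnp / -ulnp style output (a constructed sample is embedded) and reports every listener that is not on an assumed allowlist. The allowlist (sshd only), the sample services, and the port numbers are assumptions for the illustration; adjust the allowlist to whatever your firewall product actually needs.

```python
"""Find services still listening on a host that should only be a firewall."""

# Programs a dedicated firewall host legitimately exposes. Anything else
# (SMB, NFS, portmap, web, mail) is surface area that belongs on another server.
ALLOWED_PROGRAMS = {"sshd"}

# Constructed sample in the format of `netstat -tulnp`; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      533/smbd
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      601/sendmail
udp        0      0 0.0.0.0:111             0.0.0.0:*                           289/portmap
"""


def parse_listeners(netstat_output: str):
    """Yield (proto, bind_address, port, program) for each socket line."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue  # header lines and blank lines
        addr, _, port = fields[3].rpartition(":")
        # Last column is PID/Program, or "-" when netstat cannot see the owner.
        pid_prog = fields[-1]
        program = pid_prog.split("/", 1)[1] if "/" in pid_prog else "unknown"
        yield fields[0], addr, int(port), program


def audit_firewall_host(netstat_output: str, allowed=ALLOWED_PROGRAMS):
    """Split unexpected listeners into network-reachable and loopback-only.

    Loopback-only binds cannot be reached from other segments, but they still
    mark a daemon that could be unloaded; they are returned separately so the
    exposed list is the one that demands action first.
    """
    exposed, loopback_only = [], []
    for proto, addr, port, program in parse_listeners(netstat_output):
        if program in allowed:
            continue
        entry = (proto, port, program)
        if addr in ("127.0.0.1", "::1"):
            loopback_only.append(entry)
        else:
            exposed.append(entry)
    return exposed, loopback_only


if __name__ == "__main__":
    exposed, loopback_only = audit_firewall_host(SAMPLE_NETSTAT)
    for proto, port, program in exposed:
        print(f"EXPOSED   {proto}/{port:<5} {program}")
    for proto, port, program in loopback_only:
        print(f"loopback  {proto}/{port:<5} {program}")
```

On the sample, smbd, the unowned NFS listener on 2049, and portmap are reported as exposed and sendmail as loopback-only. To use it against a live host, pipe the real netstat (or ss -tulnp) output into audit_firewall_host instead of SAMPLE_NETSTAT; an entry whose program shows as unknown means netstat ran without the privilege to see process names, so rerun it as root before deciding what to unload.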
To support multiple segments, the firewall needs a number of network interface cards. An advantage of using Unix-based firewalls is that they allow the most network cards (more than 32). NetWare has a practical limit of 16, and Windows is currently limited to 4.
Unix is a command-line-based operating system and so is not the friendliest firewall platform. However, since the introduction of the X Window interface (and firewall software’s adoption of it), Unix-based firewalls have become easier to use.
Finally, because firewalls must examine hundreds, even thousands, of packets per second, speed is a major factor in all firewall platforms. Many companies make security products for both Unix and Windows NT/2000. Unix implementations tend to be significantly faster than Windows NT/2000 implementations. If you’re communicating over a T1 line, however, platform speed won’t create a bottleneck. This only becomes a problem when your corporation gets into the higher connection speeds that T3, OC3, and other connections provide (and, therefore, your firewall must be examining more packets per second). In these cases, you should consider Unix-based firewall implementations.
NetWare
NetWare, through the leverage of NDS, provides for easy network administration through NetWare Administrator, the graphical utility that runs on Windows 95/98 and Windows NT/2000. The primary firewall is Novell’s own product, BorderManager. BorderManager installs onto NetWare servers and has a NetWare Administrator snap-in. With this feature, you can continue to use familiar NetWare tools to manage the many aspects of your network, including the firewall.
As a firewall platform NetWare offers two major benefits: speed (which is discussed below) and client compatibility. NetWare is compatible with just about every client platform, including Mac OS, Windows 95/98, Windows NT/2000, DOS, and OS/2. NetWare (with BorderManager) can offer firewall protection for all of these client platforms.
BorderManager integrates with NDS and thus can be managed with NetWare’s single administration utility, NetWare Administrator. This makes BorderManager an easy-to-use firewall product, especially for experienced NetWare network administrators.
NetWare’s core operating system has been optimized for the Intel platform, which is cheap and widely available. Apart from Unix running on a RISC processor, NetWare is widely regarded in the IT industry as the fastest and most efficient network operating system. BorderManager running on NetWare is one of the fastest firewall software packages available.
Windows NT/2000
As Windows NT and 2000 become more and more popular, firewall developers are porting their software from Unix to Windows. However, because of security problems associated with Windows (see the WinNuke discussion later in this chapter), it doesn’t rival Unix or NetWare for firewall installations. As these problems are solved (through patches and other fixes, and likely in future editions of Windows), Windows NT and 2000 will gain ground in the firewall market.
Most third-party, Windows-based firewalls can integrate with Windows Domain/Active Directory security. This allows proxies to use Windows usernames and passwords.
The primary advantage of a Windows firewall is that it can be managed through a graphical user interface, as can Windows itself. Windows servers (and thus firewalls based on them) are more intuitive to the general user than a Unix operating system, with almost the same level of features. If your network support staff is well versed in Windows, the learning curve for a new firewall will not be as steep as that for another operating system.
Windows, however, isn’t the fastest NOS platform, mainly because of the overhead required to maintain the graphical interface; thus, firewalls running on it aren’t the fastest. To address this issue, some firewall vendors are adding hardware accelerator cards to increase firewall throughput. Microsoft is advancing the line of Windows servers to utilize more than a dozen CPUs and gigabytes of memory in one box so that performance can be increased to much higher levels. These new features will make Windows NT much faster and thus more effective as a firewall platform. With the advent of Windows 2000 servers, high-end throughput speeds are possible.
The Black Box
A black box firewall implementation is your fourth choice. You do not know what operating system is inside the box, but it is definitely not Windows. It might be a special implementation of Unix or a completely proprietary system. These implementations tend to have the fastest throughput because they are designed specifically as firewalls, rather than as file and print network operating systems that run firewall software. Cisco’s PIX Firewall is an example of a proprietary black box system.
The major feature of a black box firewall is simplicity. You don’t have to worry about extraneous features such as file or print services. The box is only a firewall, not a server and a firewall.
Ease of use is not, however, a feature of a black box, which often has no screen or input device of its own. The administrator must connect to the black box with an external keyboard or a terminal to change firewall configuration data. This is not typically a problem with firewalls that don’t require significant configuration (as in simpler network implementations). In this case, once the firewall is configured, you can pretty much leave it alone.
Given the dedicated nature of black box firewalls (they aren’t used to provide other network services) and that they are designed from the ground up as firewalls, they are often very efficient and fast. They use RISC processors and operating systems designed specifically for a firewall. Unfortunately, black boxes cannot be upgraded easily and often must be replaced as new technology is released.