HiR 9

Novell Netware Inside Out

By Asmodian X
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Introduction [-1]:
	Novell is one of those old-school companies that became really
popular because their Netware server software could run on just about any
old PC, and the client on just about anything.  The downfall of
Novell is that it got old and inflexible, and ignored the Internet, the
Unices and TCP/IP, until it leapt up and bit them in the ass in the form
of Windows NT(tm).  Although Novell still outguns NT in performance and
security, it lacked a pretty-looking server and the ease-of-use
part.  That wasn't solved until the advent of Netware 5, which
draws on TCP/IP and XFree86 for the GUI.

	During this article I will briefly mention some of the abilities
that Novell version 4.1x and above has, and briefly go over how Novell
works.

Table of Contents:

-1. Intro 
0	Components of a Novell network
.5	Overview on The Server
1	Overview of The client
1.5	Overview of the Services
2	Overview of Security
2.5	Overview of File Rights and Filters
3	Overview of NDS and NDS permissions
3.5	Roto-routing
4	IPX/SPX Sappiness
4.5	Summary
5	Netware 5 and Other Afterthoughts.


Section [0]
What makes a Novell Network?

	Novell networks are usually made up like all other Ethernets (or
token rings) are: network card, cable, hub, server and/or routers,
brouters and bridges.
	Novell relies on client software to work, and the server is the
only point where a person can access the file system (unless you're using
Windows 9x's SMB sharing protocol).
	Job-wise, there are a few CNAs (Novell Certified Network
Administrators) who actually take care of the users, and some specialized
CNEs (Certified Network Engineers) who actually perform maintenance and
design new additions to the system.  The CNAs generally don't know a whole
lot about anything, and have done a little bit of computer work.  To become
a CNA you must memorize a bunch of lists, protocols and garbage, then
regurgitate all of it onto the test, which costs around $80 to $100 (US).
Generally speaking they have to pull up the book to do anything more
complicated than adding users and managing the print queues.  The CNEs
however have had ten times that amount of education, and actually know
something about the system.  (I'm not a big fan of cramming sessions for
tests; you get nothing out of it.)  Plus in my opinion it's a useless piece
of paper, but on the other hand, it gets you the money, and in most cases
the job.  So go figure..

The Server, Part [.5]

The server is an x86 (probably Intel) which is crammed into a closet
somewhere under lock and key.  The server by itself is useless, except for
the few utilities you can run on it in the form of NLMs (Netware Loadable
Modules): neat stuff like EDIT, Servman and other things like that.  The
server itself can be locked away for long periods of time without fear of
lost productivity because, other than being a server, it's a useless paper
weight.  So what if you need to get at the startup files for the server?
Easy.  Most administrators will set up a blurb in one of the startup files
to load a remote access module; it usually is something to the effect of:

<SNIPLET>
LOAD rspx (spx remote protocol)
LOAD remote <password>
</SNIPLET>

This is a textbook example of how to load the remote console server.
This is also a gaping security hole.  <*See the security section for more
information.*>

The console then can be controlled by a client program called "rconsole"
which resides on most DOS/Win or Win9x clients.  Any logged-in user can
run rconsole, but needs to know the password to get the console.

-=-=-=-=-=-=-
The Client [1]

	At this point we know roughly the place of the server (which I
plan to get into more later).  But now we must talk about the
client.
	A Novell client is the very first thing that is run (service-wise)
on your Bill box (DOS/Win3.1x, Win9x/NT).  It throws up a login
screen, and allows you to connect to a certain Novell server, or to a
user profile which resides on another branch of the Novell Directory
Service (NDS).  We will talk more about NDS later, so don't blow a neuron.

Security difference between Novell 3.x/4.1x and Unix-type security.

[UNIX]
A Unix box just sits quietly on the network waiting for someone to
connect to a service and use it.  The Unix server (assuming it is
currently running TCP/IP) has an actual address, which means it will
reside at that logical location on that network regardless of which
user is using the Unix box, or what physical address it is using.

A Unix box does not require logins for certain types of services, like
for instance:

World Wide Web
Finger
Time/Date
Character Generator

These do not require a person to log in to the service; they are for the
most part PUBLIC services, and rely on the security of the network to
keep unwanted users from accessing those services.

[Novell Netware]
A client has no static address; it just sits there listening for SAP
(Service Announcement Protocol).  The client knows what servers are out on
the network by listening for their services as broadcast by the server.
Example:

	A server broadcasts that it is a server, and is residing at
	physical address xxxxxxxx.

	A client hears this and places the server on its list of servers
	that the user can access.

Once a user chooses to connect to a server, the user must enter a
username and/or password for that server/service.  The server validates
the user.  Then the client is issued a connection number made up of their
NIC's physical address and some of the user's information.  The user
is counted as a connection to the server, and the administrator can see
which user is logged in at which machine just by looking at the
connection number.

A great advantage of using Netware 4.1x is that NDS allows a person to
access resources on multiple servers by logging in just once.

-=--=-==--



[1.5] The Services

Novell Netware 4.1x provides file sharing, printing, software licensing
services, email ...blah blah blah...  you get the point.

Novell Netware even supports TCP/IP.  A person could set up an IPX-to-IP
gateway, or just have IPX and IP co-exist on the same network.  Another
neato thing is setting up telnet services on the server.  From there a
person logs in, then gets an XTERM (XFree86 terminal) that spits out a
server console.  (Xterms are usable on Un*x machines, and there are also
Win9x X clients that can display the XTERM.  It shows up like remote does.)
Novell also has a slew of Unix-like services, like FTP, HTTP and even
addressing services like DHCP and stuff like that.

In any case, Novell Netware provides the standard snafu services that
everyone else does plus a few proprietary services.

-=-=-=-=--


[2.0] 

Security. 

Novell Netware has 4 layers of security.

	1.	Login (session based): the server does not acknowledge your
		existence without logging in.
	2.	NDS (Novell Directory Services): checks what access you
		have on the entire network, plus access to the database on
		users.
	3.	File System
		Rights:		(S)upervisor (R)ead (W)rite (E)rase (C)reate
				(M)odify (F)ile scan (A)ccess Control
	4.	File Attributes:	(there are many many many many
				attributes) i.e. read only, don't
				compress...etc.
 
(Novell Security Goofiness)
	Many administrators will have a guest account that they use
temporarily for temp workers or new employees.  So that in itself defeats
the purpose of layer 1.  NDS can't be directly accessed.  But by default you
have access to the system volume.  If you can get there, take a look in the
etc directory.  That's where the system stores setup.  Most files you don't
have read access to, but there's a fun bug in Netware 4.11: if the admin
set up TCP/IP, the setup proggie puts the rconsole commands in a publicly
readable config file, password and all.  So you skip all four layers
and have direct access to the console.  The console does not look very
pretty, but that's where you set up all of the services.. go figure..

	I implore you, be nice to the admin, tell them about this and ask
them to fix it.  It can be fixed by simply removing the world-readable
attribute from the offending file.  It can also be fixed by putting the
commands in a script file that is itself hidden, but which the system can
still run.  Another note: the actual console shows your every move, so your
presence is not totally invisible.  Another note is that the admin can
actually set up a screen saver password that would make it more difficult
for a person to get through.
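A defender's check for the problem described above, written as an added example (it is not code from the article or from Novell): it scans the text of NetWare startup and config files for LOAD REMOTE lines that carry a clear-text password, which is exactly what ends up in the world-readable file the article describes.  The file names and contents below are constructed.  The `-E` form that the REMOTE ENCRYPT console command writes is my assumption about NetWare 4.11 and is not something the article mentions.

```python
"""Flag remote-console passwords stored in clear text in NetWare startup
and config files.  Added example, not code from the article or Novell."""
import re

# "LOAD REMOTE <args>" with an optional path prefix and .NLM suffix, any
# case.  The negative lookahead stops the pattern matching "LOAD REMOTEX".
LOAD_REMOTE = re.compile(
    r"^\s*LOAD\s+(?:[\w:.\\/]*[\\/])?REMOTE(?:\.NLM)?(?!\w)\s*(.*?)\s*$",
    re.IGNORECASE,
)


def audit_remote_lines(text, filename="<config>"):
    """Return (filename, line number, message) for every LOAD REMOTE line
    whose first argument is a clear-text password."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # NCF comments start with '#'; a commented-out line is not a finding.
        if line.lstrip().startswith("#"):
            continue
        m = LOAD_REMOTE.match(line)
        if not m:
            continue
        args = m.group(1).split()
        if not args:
            continue  # no password on the line: REMOTE prompts at the console
        if args[0].upper() == "-E":
            continue  # encrypted form written by REMOTE ENCRYPT (assumption)
        findings.append((filename, lineno,
                         "clear-text remote console password on a LOAD REMOTE line"))
    return findings


def audit_files(files):
    """Audit a {filename: contents} mapping; findings keep file order."""
    findings = []
    for name, text in files.items():
        findings.extend(audit_remote_lines(text, name))
    return findings


# Constructed sample files: AUTOEXEC.NCF with the textbook lines from the
# article, and a hypothetical copy of those lines in a file under SYS:ETC.
SAMPLE_FILES = {
    "SYS:SYSTEM/AUTOEXEC.NCF": (
        "LOAD RSPX\n"
        "LOAD REMOTE hunter2\n"
        "LOAD TCPIP\n"
    ),
    "SYS:ETC/CONSTRUCTED.CFG": (
        "load rspx\n"
        "load remote hunter2\n"
        "load remote -E 0123456789ABCDEF\n"
        "LOAD REMOTE\n"
        "# load remote hunter2\n"
    ),
}

if __name__ == "__main__":
    for fname, lineno, msg in audit_files(SAMPLE_FILES):
        print(f"{fname}:{lineno}: {msg}")
```

Run against the constructed sample it reports two lines, one per file; the encrypted line, the bare `LOAD REMOTE` (which prompts at the console) and the commented-out line are left alone.  In practice you would feed it the real SYS:SYSTEM and SYS:ETC files pulled from the server and then, as the article suggests, move the offending lines into a file that ordinary users cannot read.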



[2.5] File rights and Filters (I.R.F)

	File rights are one of the most important features that Novell
has.

(File rights)
R	Read contents of a file
W	Write stuff to a file
C	Create a new file in this directory
E	Erase a file in this directory
M	Modify file attributes
F	File Scan (allows you to see what files are in this directory)
A	Administrator (the god bit): no matter what they have set up in
	this directory in the way of permissions, they no longer apply to
	you.

You can see the permissions using the ndir DOS command, or by viewing the
properties of the file by right-clicking on the file and choosing
Properties.

The file rights R and F are by default assigned to all directories.
In order to control what inherited rights a sub-folder gets, an
administrator will set up what is known as an Inherited Rights Filter,
also known as an I.R.F.  An IRF can block certain rights from being
inherited from a higher folder.

<EXAMPLE>
The attributes in brackets "[]" are your user's effective rights to that
folder.  The "-" stands for an IRF.

Root+ [RW   MF ]
    |
    +Fred+   [RW   MF ]
         |
         +Jim+  [R-  -F ](*the W and M attributes have been blocked*)
             |
             +Larry   [R     F ] (* The folder Larry inherited only the R
                                   and F attributes and not the M and W
                                   attributes. *)
</EXAMPLE>




[3.0] The Novell Directory Service(s) or N.D.S, and its attributes

	NDS was one of the primary features that Novell added to Netware
4.1x.  It exists in Netware 5 and has actually been ported to Windows NT
Server.  With NDS a user can use resources (like file servers and
printers ... blah blah blah) anywhere on the Novell network that
he/she/it has been given rights to.  It no longer requires a separate
login to get to other servers' resources.  N.D.S is essentially a big
database of services and where they are located on the network.  To
make a long story short, when you add a computer to a network, you add an
individual being to a communications medium.  When you add a Novell server
to a Novell network, it is assimilated into a collective entity, a la Borg.
So it's a good way to reduce the work of administering a bunch of servers,
because if you talk to one server, you have talked to them all.
	Some of the resources that a person will see in an NDS database
will be users, organizational units (something to compartmentalize your
resources), groups, printers, print queues, mail queues ....blah blah blah.
The database has its own structure and design, and has changed in design a
wee bit from Netware 4.1x to Netware 5.

<NDS Stupidity>
A bug in Netware 5's NDS design will crash the entire NDS database if you
assimilate it into an existing Un-patched Netware 4.1x network.
</NDS Stupidity>

The NDS database can be stretched out to reside on multiple servers, just
in case a server bombs out; the database will still be somewhat intact.
This is done through partitioning.  All or part of a database can reside
on a server.  This can accomplish several things.  First, it keeps server
traffic down, because multiple servers can take care of business.  Second,
you can create a logical structure for a network.  By logical I mean that
it used to be that a large department needed its own server to control
its own resources.  With NDS people could make a logical branch for the
department, and utilize resources from all over the building rather than
investing in redundant equipment.

Another note: file servers also reside in NDS as an object.  At only one
point in NDS can you put an IRF onto an object to stop the administrator
right, and that place is on the file volume itself.  It is an effective
road block to separate NDS rights and file rights.

(NDS Rights)
	Slightly more numerous than file rights, NDS rights not only
control a user's access to certain objects, but to NDS data as well.  NDS
keeps track of attributes of those objects: information such as name, age,
address, phone number, date of birth ... whatever the admin puts into the
user's object.  There are Object Rights (make new objects, delete...etc),
and there are Property Rights (database info).

Those Object rights are:
o S	Supervisor (*anything you want to do can be done*)
o B	Browse (*see what stuff is*)
o C	Create (*make new stuff*)
o D	Delete (*delete stuff*)
o R	Rename (*rename something*)

The Property Rights are:
o S	Supervisor (*as above*)
o C	Compare (*something to the effect of checking to see if something
		exists, or yes/no property comparisons and stuff like
		that, i.e. it can tell you that 75% of the users live at
		the same address*)
o R	Read (*read that object's properties*)
o W	Write (*change properties on said object*)
o A	Add Self (*you can manipulate your own properties and stuff,
	something akin to supervisor rights but not quite as direct*)

IRF's also exist in NDS, and work in pretty much the same manner as the
File IRF's do.
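Since NDS IRFs work the same way as the file-system IRFs from section 2.5, one worked calculation covers both.  The following is an added example, not code from the article or from Novell: it walks a folder tree, letting only the rights an IRF allows flow down from the parent and adding any explicit trustee assignment at each level, and reproduces the Root/Fred/Jim/Larry picture from the article's example.  One rule it applies that the article does not spell out is my assumption from the NetWare file-system rules: the Supervisor (S) right cannot be filtered by a file-system IRF (in NDS it can be, at the volume object, as the article notes), so it is modelled as passing every filter.  The `Folder` class and the rights letters are my own names.

```python
"""Effective-rights calculator for a NetWare-style directory tree with
Inherited Rights Filters (IRFs).  Added example, not code from the article."""

# The eight NetWare file-system rights as single letters, in the order the
# article lists them in section 2.0.
RIGHT_ORDER = "SRWECMFA"
ALL_RIGHTS = frozenset(RIGHT_ORDER)


class Folder:
    """One node in the directory tree.

    trustee: rights granted explicitly to the user at this folder.
    irf:     rights allowed to flow down from the parent (the IRF); by
             default nothing is filtered.
    """

    def __init__(self, name, parent=None, trustee="", irf=None):
        self.name = name
        self.parent = parent
        self.trustee = frozenset(trustee)
        self.irf = ALL_RIGHTS if irf is None else frozenset(irf)


def effective_rights(folder):
    """Effective rights at `folder`: whatever the parent's effective rights
    let through this folder's IRF, plus any explicit trustee assignment
    here.  Supervisor (S) is never removed by a file-system IRF (assumed
    NetWare rule; the article's example only shows the non-S case)."""
    if folder.parent is None:
        inherited = frozenset()
    else:
        above = effective_rights(folder.parent)
        inherited = above & (folder.irf | {"S"})
    return inherited | folder.trustee


def fmt(rights):
    """Render rights in the article's bracket notation, e.g. [ RW  MF ]."""
    return "[" + "".join(r if r in rights else " " for r in RIGHT_ORDER) + "]"


def article_tree():
    """The tree from the article's <EXAMPLE>: Root grants RWMF, Jim's IRF
    blocks W and M, Larry inherits only R and F."""
    root = Folder("Root", trustee="RWMF")
    fred = Folder("Fred", root)
    jim = Folder("Jim", fred, irf=ALL_RIGHTS - {"W", "M"})  # the "-" marks
    larry = Folder("Larry", jim)
    return root, fred, jim, larry


if __name__ == "__main__":
    for f in article_tree():
        print(f"{f.name:6} {fmt(effective_rights(f))}")
```

The same function answers the two questions an administrator actually asks: what happens if a trustee assignment is re-granted below the filter (the right comes back at that folder, since the IRF only filters inheritance), and what happens if someone tries to filter out S with an empty IRF (nothing, in the file system).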



[3.5]  Roto-Routing

IPX/SPX is a lot faster than TCP/IP on a LAN, but runs into problems when
it starts being used in a WAN (Wide Area Network) environment, i.e. city
to city, or country to country links.  IPX/SPX can only be bounced
through three routers before the packet gets lost and dies, whereas
TCP/IP can be routed indefinitely.  IPX/SPX typically is most effective on
a single segment, i.e. everyone's using the same medium.  Like for
instance, an IBM token ring network is nice and spiffy for IPX/SPX
because all of the computers and the servers exist on the same piece of
wire (so to speak).

What routing does is take a packet of information, see if it's for a
computer locally, and if it's not, send the packet up to the next
network layer (usually a MAN (Metropolitan Area Network) or a WAN (Wide
Area Network)), where other routers take a look at the packet and see if
it's for them; if it is for a computer on their segment, they
snarf it, and the process repeats itself.

Note: Netware 5 uses ONLY TCP/IP now, which solves the routing problem.


[4.0]	IPX/SPX SAPPINESS

	Sap not only runs from pine trees, but it runs out of Netware 4.1x
and Netware 5 servers as well.  SAP stands for Service Announcement
Protocol.  SAP is how clients can see what services there are on a Novell
network.  The client just stands there stupid and waits for a server to
announce its presence to the world.  SAP simply contains the MAC address
of the resources, and what the resource is.  SAP can run out of clients
too.  For instance, a person can run the Pserver program to announce to
the rest of the network that your printer is ready to accept print jobs
(of course the server still has to be there to manage the print queues and
stuff).

Note: Netware 5 makes full use of the TCP/IP broadcast address for SAPing
purposes.
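To make concrete what a client (or a monitor on the segment) actually hears, here is an added example, not code from the article or from Novell, that decodes SAP packets and keeps a tiny inventory of who is advertising what.  The wire layout it assumes is the classic SAP format as I know it: a 2-byte operation code, then 64-byte entries of server type, 48-byte name, 4-byte network, 6-byte node (MAC) address, 2-byte socket and 2-byte hop count; the packets, names and addresses below are constructed.  Because anything on the segment can send SAP, as the article says of Pserver, the inventory also reports a server name heard from two different node addresses, which is the kind of thing worth an alert.

```python
"""Decode IPX SAP packets and spot a server name advertised from two
different node addresses.  Added example, not code from the article."""
import struct

SAP_OPS = {1: "general query", 2: "general response",
           3: "nearest query", 4: "nearest response"}
SERVER_TYPES = {0x0004: "file server", 0x0007: "print server"}
# One 64-byte entry: type, name, network, node, socket, hops (big-endian).
ENTRY = struct.Struct(">H48s4s6sHH")


def parse_sap(payload):
    """Return (operation name, entries).  Queries carry only a server type;
    responses carry one 64-byte entry per advertised service."""
    if len(payload) < 4:
        raise ValueError("SAP packet too short")
    (op,) = struct.unpack_from(">H", payload, 0)
    if op not in SAP_OPS:
        raise ValueError(f"unknown SAP operation {op}")
    body = payload[2:]
    if op in (1, 3):
        (stype,) = struct.unpack_from(">H", body, 0)
        return SAP_OPS[op], [{"type": stype}]
    if len(body) % ENTRY.size:
        raise ValueError("truncated SAP entry")
    entries = []
    for off in range(0, len(body), ENTRY.size):
        stype, name, net, node, sock, hops = ENTRY.unpack_from(body, off)
        entries.append({
            "type": stype,
            "type_name": SERVER_TYPES.get(stype, f"type 0x{stype:04x}"),
            "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
            "network": net.hex(),
            "node": node.hex(":"),
            "socket": sock,
            "hops": hops,
        })
    return SAP_OPS[op], entries


def build_response(entries):
    """Encode a general-response packet; used here to construct samples."""
    pkt = struct.pack(">H", 2)
    for stype, name, net, node, sock, hops in entries:
        pkt += ENTRY.pack(stype, name.encode("ascii").ljust(48, b"\0"),
                          bytes.fromhex(net), bytes.fromhex(node), sock, hops)
    return pkt


def conflicting_names(entries):
    """Server names heard from more than one node address, sorted."""
    seen = {}
    for e in entries:
        seen.setdefault(e["name"], set()).add(e["node"])
    return sorted(n for n, nodes in seen.items() if len(nodes) > 1)


# Constructed sample: a file server and a print server one hop away, then
# the same file server name heard again from a different node on this wire.
SAMPLE = build_response([
    (0x0004, "FS1", "00000001", "00001b2c3d4e", 0x0451, 1),
    (0x0007, "PRINTSRV", "00000001", "00001b2c3d4f", 0x8060, 1),
    (0x0004, "FS1", "00000001", "0800270a0b0c", 0x0451, 0),
])

if __name__ == "__main__":
    op, ents = parse_sap(SAMPLE)
    print(op)
    for e in ents:
        print(f"{e['name']:<10} {e['type_name']:<12} net {e['network']} "
              f"node {e['node']} socket 0x{e['socket']:04x} hops {e['hops']}")
    print("names from more than one node:", conflicting_names(ents))
```

The hop count is the same counter the routing section talks about: a server on the local segment shows up with a low number, and a service that has crossed more routers shows a higher one.  Logging the decoded entries over time gives the inventory a client builds implicitly, but in a form the administrator can actually review.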

[4.5]	Summary

	Novell is one of the most popular network OSes around.  The rumors
of Novell's demise are greatly exaggerated by everybody's favorite spin
doctor... Mr. Bill.  Most established companies use some form of Novell or
another for their LANs.  In the way of security, Novell is pretty good,
though their target market didn't buy it because of that, and
have been known to do stupid things with their security.

[5.0]	Afterthoughts

Information on Novell the company and its products:
HTTP://www.novell.com

Security Announcements that first pointed out the Config file flaw.

Bugtraq Mailing list archive.
http://www.geek-girl.com/bugtraq/

The Ugly Red Book that Costs too much for what it actually provides.

Clarke, James David, IV.  " Novell's CNE Study Guide: 
	IntranetWare/Netware 4.11"
	Novell Press, San Jose 1997 

ISBN 0-7645-4512-4 

Slightly biased summary:

Although jam-packed with fruity information on Netware, this book is
poorly organized.  The incessant "Words of wisdom" and the author's flaming
ego tend to distract your attention from the actual content.  This book
requires a long attention span, and perhaps some form of Ritalin to fully
digest.  I'm not surprised if this book was in part sponsored by the midwest
pulp association, weighing in at a paltry 1570 pages.

Asmodian's slightly biased rating: if you're stuck in the wilderness and need
to start a fire, do not have any qualms about burning this book, you will
be missing nothing..

Telecom guide.

Green, James Harry.  "The Irwin Handbook of Telecommunications 3rd Ed."
	Irwin, Chicago 1997
ISBN 0-7863-0479-0

Summary:

This book is somewhat dry, however it is concise and very to the point.
I found it easy to read, and it was very factual.  It goes into great
detail on the telecommunications industry.  A must-read if you want to
feel the telecommunication industry's pain.
