NetWare Connect Services: Your Pathway to the Global Business Village
Articles and Tips: article
Senior Research Engineer
Novell Systems Research
01 Jun 1996
This AppNote provides a high-level overview of NetWare Connect Services (NCS), a collection of technologies including NetWare and Novell Directory Services (NDS). When combined with the infrastructures of various long-distance carriers such as AT&T, NCS provides connections for business to a global internetwork or intranet. The AppNote begins with a discussion of the value of NCS for your business, followed by a technical overview of the elements that make up the current AT&T NCS intranet. The AppNote also provides a brief overview of security, as well as information on the IPX Registry, the NCS Developer Program, and the Multimedia Services Affiliates Forum.
RELATED APPNOTES
Feb 95 "Wide Area Networking with Frame Relay and NetWare MultiProtocol Router"
Jan 95 "Understanding and Using NDS Objects"
Apr 94 "Building and Auditing a Trusted Network Environment with NetWare 4"
Nov 93 "Designing NetWare 4.x Security"
Intranets are the hot topic currently; intranets take the inherent benefits of the LAN and extend them with wide area network (WAN) technologies. These new intranets help people collaborate by allowing them to share information and resources well beyond the files and printers of the traditional LAN. Intranets serve to create "global villages" for business and have opened a whole new range of on-line interactive business functions, including electronic commerce. From accessing entire business libraries to human resource planning to project tracking and inventory control, the potential is limitless.
NetWare Connect Services (NCS) is a collection of currently available technologies that provide the means and infrastructure to allow you to connect and extend your network to the global village for business purposes. Novell has over 50 million NetWare users and 2.5 million NetWare servers that can be connected to form a web of business villages for electronic commerce and exchanging information.
The collection of technologies that make up NCS includes: NetWare 4.1, Novell Directory Services, and the infrastructure of various long-distance carriers such as AT&T.
Note: Intranet and Internet technologies are changing rapidly. The NCS infrastructure has been designed with an eye toward the future and technologies such as Asynchronous Transfer Mode (ATM). The NCS network described in this AppNote discusses AT&T's current design. Similar configurations are being created by other carrier partners such as British Telecommunications PLC and Deutsche Telekom; however, design differences will exist.
The Value of NCS
Businesses today are faced with improving their internal and external communications. E-mail is already pervasive, and groupware is not far behind. Users are demanding access to the Internet and its "killer" application, the World Wide Web (WWW). Organizations are now building internal webs and rolling out products such as Novell's GroupWise for better internal communications. This increases the demand for consistent and reliable access to the network. Companies are also looking to provide secure access to information stored on the networks of other businesses, as well as to access resources on public intranets.
Figure 1 provides a "before" look at the needs of many organizations, where internal wide area networking needs, access to outside services such as CompuServe, remote access, and Internet access exist in small, isolated pockets.
Figure 1: A depiction of the needs of many organizations before the recent convergence of needs.
Increased demand for WAN, Internet, remote access, and other services is converging with the wide availability of enabling technologies such as NetWare and NDS (see Figure 2). These converged technologies empower an organization with the means and infrastructure to economically satisfy its growing networking needs.
Figure 2: A depiction of the convergence of needs typical in many businesses today.
Over the next few years, the next wave in network computing will connect large numbers of isolated LANs to create a web of intranets. Organizations need better access to internal and external applications and data resources, and NCS provides access to resources on any other LAN or network connected to NCS that you have been given rights to. Companies will be able to offer and use applications and data, providing immediate access to any information you choose.
Outsourcing Your WAN Needs
NCS provides a virtual enterprise by connecting multiple sites in the same organization. Companies can now freely exchange information from one location to another via NCS. Because NCS provides access to a virtual company enterprise, outsourcing your WAN needs to AT&T is much less expensive when compared to building large private networks. The resources available on an intranet versus a private network provide additional compelling reasons for using NCS as your network service provider.
Outsourcing Remote Access
Expectations for consistent remote access are becoming the norm in today's business world, along with the growing importance of groupware applications such as GroupWise. With the increasing mobile workforce, remote access is quickly becoming a mission-critical need for many organizations.
With a dedicated link to NCS, organizations can offer remote access to applications and data stored on NCS. With access to AT&T's more than 200 local access numbers, long distance charges are reduced for most users of NCS. AT&T has modem pools installed throughout the country which are supported and maintained 24 hours a day, 7 days a week. You can also access NCS with an AT&T toll-free number in those areas not offering a local number. The current cost of a local connection is $4.25 per hour. A toll-free number connection costs $6.00 per hour. Other carriers will offer similar types of remote access services with similar benefits.
Access to Other Services
In addition to access to information stored on NCS, NCS will provide gateways to other services such as CompuServe, with over 3.5 million subscribers and a growth rate of over 100,000 new members monthly. CompuServe has vast resources online, including Novell's NetWire forums. Information from other large content providers is also available through NCS. A notable example is the LEXIS-NEXIS databases. LEXIS-NEXIS is a division of the multinational Reed Elsevier PLC group. It is one of the leading suppliers of information with over 500 million documents, 146 databases and 10,000 information sources consisting of 5,800 business and 4,300 legal information sources.
Organizations can also choose to access the Internet and the World Wide Web. Internal webs and access to the WWW over the Internet are becoming expected services within many organizations. NCS provides gateways to the Internet with full access to the Internet for companies that utilize TCP/IP on their local networks. NCS fits into the value added sector of the Internet.
Note: The importance of proper security measures such as TCP/IP firewalls cannot be overstated. TCP/IP firewalls are covered later in this AppNote.
How NCS Works
The actual infrastructure of the NCS internetwork will vary based on carrier and will continue to change over time. This AppNote discusses the NCS technologies and infrastructure of the AT&T NCS network currently operating in the United States.
Many of today's networks and information are isolated. NCS connects your NetWare network(s) with AT&T's Interspan Frame Relay Cloud, which provides a connection to the AT&T NCS Internal Network. Users will be able to access resources on any connected LAN if they have been granted access privileges to those resources in the NCS Directory (see Figure 3).
Figure 3: AT&T NetWare Connect Services is composed of many LANs connected via the AT&T Interspan Frame Relay Cloud, which connects these LANs to the NCS internal network.
NCS Starts at Your Company
A connection to the AT&T Frame Relay Cloud provides dynamic routing for IPX and IP packets. The connection is made via a Channel Service Unit/Digital Service Unit (CSU/DSU). A CSU/DSU provides flow control and transmits and receives information to and from a local Point of Presence (POP) provided by the carrier, at rates from 56 Kbps to T1 speeds. NCS also provides dial-up connections up to 28.8 Kbps. ISDN connections are expected to be offered starting in 1996.
Figure 4 illustrates the equipment necessary at your site and the connection to the POP known as the Local Loop.
Figure 4: Communications infrastructure used for connecting to AT&T NCS.
Note: Your network does not require NetWare 4 in order to connect to NCS; NetWare 2 and NetWare 3 networks can be connected. Service Advertising Protocol (SAP) packets are filtered from entering NCS. The LAN must have a router that can service the connection to NCS. AT&T provides utilities and software for connecting a LAN without a 4.1 server. Users will not be able to take full advantage of NCS without the ability to access the Directory.
The Router. The main job of a router is to read the destination address of incoming packets and pass them along towards their specified destination address. Both IP and IPX packets have source and destination addresses located in their header structure. Novell offers a software based router solution, NetWare MultiProtocol Router (MPR) 3.1, that operates on industry-standard PC platforms. MPR offers LAN-to-LAN, client-to-server, and client-to-host communications. Routers that service a connection to NCS prepare IP and IPX packets for transmission over frame relay. Routers configured for NCS insert Network-Level packets into Data-Link-Level relay frames and route the frames to the buffer on the Channel Services Unit/Digital Services Unit (CSU/DSU).
The Channel Services Unit/Digital Services Unit (CSU/DSU). A CSU/DSU may be thought of as a "digital modem". Although a technical misnomer, this description is appealing to many given the familiarity of modems and their use. The primary purpose of the CSU/DSU is to control the flow of information being sent to and from your network.
Connection to a Carrier. Connections to NCS are provided by carrier partners such as AT&T directly and through local service providers. AT&T currently offers connections at 56 Kbps, fractional T1, or a full T1 (1.544 Mbps) transmission rates. The connection at the carrier end is typically a switch that has an integrated CSU/DSU that is part of the AT&T Interspan Frame Relay Point-of-Presence (POP). POPs may be located at local phone companies or at AT&T. When a frame-relay transmission enters a POP, it enters the AT&T Frame-Relay Cloud.
The Workstation Client Software and Protocol Stacks. NCS supports most versions of NetWare clients, in addition to many TCP/IP packages. The workstations, in addition to other nodes and network segments, must have their IPX address registered with Novell's registry to assure that no two nodes on the network will have the same address. (The Novell IPX Registry is discussed in more detail later in the AppNote.) AT&T is providing client software that includes IPX and IP stacks, with support for PPP in dial-up connections.
Note: To take full advantage of the network, subscribers to NCS should strongly consider using Novell's Client 32 software. Among other advantages, Client 32 includes support for accessing resources on multiple trees. Utilities are also available from AT&T that allow for connecting NETX and VLM clients. Users will need VLM or Client 32 technology in order to view and access the NCS tree in DS mode.
The Back Office with AT&T as the Carrier
The back-end network at AT&T consists of the Interspan Frame-Relay Cloud, AT&T's Service Node Routing Complexes (SNRC), and the AT&T NCS Internal Network.
AT&T Interspan Frame Relay Cloud. The AT&T Interspan Frame Relay Cloud consists of many POPs that can connect customers to the NCS internal network through one of the SNRCs. Hundreds of POPs are located throughout the U.S., providing low cost access to most customers. Packets are dynamically routed via a Permanent Virtual Circuit (PVC) to an SNRC.
A PVC to AT&T's SNRC with Dynamic Routing. Inside the frame-relay cloud, packets do not follow a specific physical path. A permanent virtual circuit (PVC) provides a logical connection inside the frame relay cloud. A PVC connects your network to a Service Node Routing Complex (SNRC); SNRCs are dedicated to servicing NCS traffic and connect your network to an Enterprise Services Complex (ESC) at AT&T where NCS servers, routers and other equipment are located.
AT&T's NCS Internal Network. An AT&T Enterprise Services Complex (ESC) contains NetWare 4 servers that hold replicas of NDS partitions. These partitions include replicas of public partitions to provide quick access to the public resources. Internet and other e-mail gateways are also located at the ESC to provide access to the Internet and other mail systems. Other servers are present to facilitate access to NCS from NetWare 2 and NetWare 3 servers. In addition, all of the other equipment required to oversee NCS routing is also located at the ESC.
Once an organization chooses to connect their resources to a public network, the importance of properly administered security grows dramatically. Security is a broad topic deserving of more coverage than can be provided in this AppNote. The following section provides a brief introduction to many of the security related topics relevant to connecting to NCS. Look to future AppNotes and Developer Notes dedicated to the topic of preparing and securing your network for connection to NCS.
NCS offers various levels of security with physical security, NetWare login and authentication, IPX source address validation, NDS administration and more. Users of NCS will likely also be interested in other security solutions such as TCP/IP and IPX firewalls to further assure adequate security on networks connected to NCS. The following sections provide a brief overview of the various technologies in use to assure adequate security on NCS networks.
Physical Security. Unlike the Internet, where important infrastructure such as routers is maintained and operated by a variety of groups including universities and small companies, NCS hardware is owned and maintained by affiliate carriers. These "trusted carriers" make your information as safe as your voice information on a telephone network. By contrast, organizations that serve as a routing body on the Internet can view, modify, or delete any traffic they are routing!
PPP Dial-Up Authentication Before Access. NCS users will be authenticated before they can gain access to NCS. Authentication for both dial customers and dial LANs is performed through the Point-to-Point Protocol (PPP). PPP authentication is done via Challenge Handshake Authentication Protocol (CHAP) or the NetWare Connect Authentication Protocol (NWCAP). Neither CHAP nor NWCAP exposes the customer password in plain text.
NetWare Login and Authentication. After a user has a connection to NCS, the user must be authenticated to the NDS tree. The authentication process uses RSA public key/private key security. The user's password and private key are never passed "in the clear" over the wire. When a user logs in, the user is delivered an encrypted private key from which the client builds a credential and a signature. The client then promptly erases the private key from memory. The credential and signature are used for background authentication if the user attempts to access other resources on the network (for example, mapping a drive to a new server). Background authentication is one of the technologies that allow for single sign-on.
IPX Source Address Validation. NCS carriers will utilize IPX source address validation on all incoming traffic. (This is not true for IP packets which will require their own security solutions. TCP/IP firewalls are briefly discussed in the next section.) IPX addresses are verified in one of two ways, depending on their source. All NCS routers will be configured to filter non-registered IPX addresses. (More information on the Registry is given in the section The Novell IPX Registry later in this AppNote.)
TCP/IP Firewalls. Customers running IP on their internal networks should be aware of the security issues arising from the fact that their network will be accessible by other machines on the Internet. Most organizations will want to use a TCP/IP firewall between their site and NCS. Firewalls are usually configured to filter incoming packets, limiting traffic to e-mail, WWW, and FTP destined for allowed hosts. Outgoing traffic is typically left unrestricted so that users can reach other TCP/IP sites.
IPX Firewalls. Routers such as Novell's Multi-Protocol Router MPR 3.1 can be configured to filter packets, thus serving as an IPX firewall. Firewall manufacturers are beginning to include other services in their products, such as encryption and added levels of user authentication if further security is desired.
NCP Packet Signature. The NetWare Core Protocol (NCP) can utilize NCP Packet Signature, in which the client and server "sign" each packet with a signature. An NCP packet signature consists of 64 bytes: the first 52 bytes of each packet, a 4-byte length field, and an 8-byte session key established during background authentication. This type of authentication inhibits packet hijacking, replay and spoofing. Clients can be confident they are working with the indicated server.
NDS Security Administration. NDS provides the means for setting up access to resources on NCS. NDS is a global, distributed, replicated database which is the primary vehicle for creating logical representations of network resources and providing secure access to those resources. NDS is based on X.500; thus all resources are stored in a hierarchical form commonly referred to as a tree. The NCS tree is a global directory with the rights for objects on the tree being assigned by the company that owns those objects.
AT&T manages the public portion of the tree and those portions of the tree you and other customers contract with AT&T to manage.
Note: Because Novell's Client 32 software allows access to resources on multiple trees, it provides the single sign-on capability to access resources on internal trees and the NCS tree at the same time. Client 32 is available for the DOS and Windows platforms.
Within the customers' NDS containers, administrators can apply rights to users, whether they be other employees within the same organization or external users. NDS provides flexible methods for distributing rights that allow for very granular configurations of rights with relatively little effort. Inheritance, security equivalencies, groups, organizational roles, and other tools can be used to efficiently administrate security. The next few paragraphs provide a quick overview of NDS security.
NDS Object and Property Rights. Access to network resources represented as NDS objects in the NCS tree is administered with access to objects and their properties. Object rights are granted to provide access to an object and its properties. Object rights are assigned to allow for access and administration. Property rights are permissions granted to allow for access to view and edit object properties such as a user object's phone, address, or fax number.
NDS Trustee Rights. Trustee rights are permissions granted to users of objects to perform operations on an object such as browse, create, delete, and rename. Objects have an access control list (ACL) that lists all of the trustees of a particular object.
NDS Inherited Rights. Rights granted to container objects are "inherited" from the container by objects in the container AND by objects below that container in the tree. This feature lets administrators exploit the hierarchical nature of the Directory. An Inherited Rights Filter (IRF) can be used to limit rights as they flow down the tree.
NDS Equivalence Rights. Security equivalencies can be granted to allow for access to the same information or rights that another object has access to. They are useful in that they can be used to assign temporary access to an object that you know has the desired set of effective rights.
Groups and Organizational Roles. Groups and Organizational Roles provide ways for administering rights to a group of users or to users who need to perform certain tasks based on the type of work they do. Group objects contain user objects. Similar to the way inheritance works for objects in container objects, users added to a group object are assigned access to the resources available to the group object. Organizational roles are similar but would be used to set up a rights template for users who may be responsible for administering resources on the network related to what they do, such as an e-mail administrator.
NDS Auditing. NDS audit capabilities can be used to further secure your network with an audit trail listing a variety of information regarding transactions that happen on the network. Audit and administration duties can be partitioned to provide further security.
NetWare File System Rights. Object and property rights are separate from file system rights. Access to the file system is granted through the administration of DS objects that are related to the file system. Directory Services objects that provide a view of the file system include Servers, Volumes and Directory Maps. File system rights can be granted all the way to the file level.
Note: For a thorough guide to administering security in NDS, we recommend the Novell Press book Novell's Guide to NetWare 4.1 Networks by Jeffrey F. Hughes and Blair W. Thomas.
The Novell IPX Registry
The Novell IPX Registry is a free service offered by Novell to ensure that addressing conflicts between Novell networks do not exist. The Registry will assign addresses in blocks. Address blocks allow for more efficient routing and easier administration since masks can be used when configuring routing tables so as to route entire blocks of addresses. The Registry was designed with foresight to accommodate worldwide growth. It is designed for large hierarchical routing by partitioning the network into areas called routing areas. Routers at area boundaries aggregate the information they send to other areas. This is done by clustering addresses by giving them common prefixes in the same area.
All addresses that are propagated through a Novell network must be registered in order to be compliant with the registry. This includes all servers, segments, WAN links and any other device that has an IPX address. The Registry is currently assigning a minimum block size of 16 addresses. For sites with multiple servers, the minimum block is 64 addresses, with a maximum of four times the number of servers or registered NetWare licenses at that site.
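The two mechanisms described above and in the IPX Source Address Validation section, registry blocks with common prefixes and the NCS router filter that drops unregistered IPX source addresses, can be shown together. This is an added example, not Novell's or AT&T's code: the address pool the registry hands out from and the rounding of block sizes to a power of two (needed for a clean mask) are assumptions, since the AppNote states only the minimum and maximum block sizes; the 30-byte IPX header layout is the standard one.

```python
"""IPX Registry blocks and router-side source-address validation.

Added example, not Novell's or AT&T's code.  It models the Registry handing
out power-of-two blocks of IPX network numbers that routers can match with a
mask, and an NCS edge router dropping IPX packets whose source network is not
inside any registered block.  Pool start and power-of-two rounding are
assumptions; the AppNote gives only the minimum and maximum block sizes.
"""
import struct

REGISTRY_POOL_START = 0x01000000   # constructed: first network number the registry hands out


def block_size(servers):
    """Block size per the AppNote: 16 for a single-server site; otherwise at
    least 64 and at most four times the server count.  Rounded down to a
    power of two so the block has a clean mask (assumption)."""
    if servers < 1:
        raise ValueError("a site needs at least one server")
    if servers == 1:
        return 16
    cap = max(64, 4 * servers)
    return 1 << (cap.bit_length() - 1)


class IPXRegistry:
    def __init__(self, pool_start=REGISTRY_POOL_START):
        self.next_free = pool_start
        self.blocks = []          # (base, mask, owner)

    def register(self, owner, servers):
        """Assign the next block aligned to its own size; return (base, mask)."""
        size = block_size(servers)
        base = (self.next_free + size - 1) & ~(size - 1)
        mask = 0xFFFFFFFF & ~(size - 1)
        self.blocks.append((base, mask, owner))
        self.next_free = base + size
        return base, mask

    def owner_of(self, network):
        """Registered owner of an IPX network number, or None if unregistered."""
        for base, mask, owner in self.blocks:
            if network & mask == base:
                return owner
        return None


def ipx_source_network(frame):
    """Source network from a 30-byte IPX header (offset 18, big-endian)."""
    if len(frame) < 30:
        raise ValueError("short IPX header")
    return struct.unpack_from(">I", frame, 18)[0]


def ipx_header(src_net, dst_net, src_node=b"\x00\x00\x1b\x01\x02\x03"):
    """Constructed IPX header: checksum, length, hops, type, then destination
    and source (network, node, socket)."""
    return struct.pack(">HHBBI6sHI6sH", 0xFFFF, 30, 0, 4,
                       dst_net, b"\xff" * 6, 0x0451, src_net, src_node, 0x4001)


def filter_at_ncs_router(registry, frames):
    """Source-address validation as the AppNote describes for NCS routers:
    forward frames from registered networks, drop everything else.
    Returns the forwarded and dropped source networks."""
    forwarded, dropped = [], []
    for frame in frames:
        net = ipx_source_network(frame)
        (forwarded if registry.owner_of(net) else dropped).append(net)
    return forwarded, dropped


if __name__ == "__main__":
    reg = IPXRegistry()
    acme_base, _ = reg.register("ACME Corp", servers=20)     # 64-network block
    shop_base, _ = reg.register("Corner Shop", servers=1)    # 16-network block
    frames = [
        ipx_header(acme_base + 5, 0x00000001),    # inside ACME's block
        ipx_header(shop_base + 15, 0x00000001),   # last network of the shop's block
        ipx_header(0xDEADBEEF, 0x00000001),       # never registered
        ipx_header(shop_base + 16, 0x00000001),   # adjacent to the shop's block but unassigned
    ]
    ok, bad = filter_at_ncs_router(reg, frames)
    print("forwarded:", [hex(n) for n in ok])
    print("dropped:  ", [hex(n) for n in bad])
```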
You can get more information about the Novell IPX Registry, including registration forms, by contacting them through one of the following methods:
E-mail: firstname.lastname@example.org
Fax: (408) 577-7605
Voice Mail: (408) 577-7506
Postal Address:
The Novell Network Address Registry
Mail Stop F4-71
2180 Fortune Drive
San Jose, CA 95131 USA
The Novell Business Internet Services home page can be found on the World Wide Web at the following URL:
NetWare Connect Services Developer Program
The NetWare Connect Services Developer Program is designed to better equip the developer community in using NetWare Connect Services for enabling leading-edge distributed information systems that help solve today's business problems of enterprise customers. Novell will work with our carrier partners, such as AT&T, Deutsche Telekom, NTT, Telstra and Unisource, to strengthen the programs we provide to help you succeed. Below is an overview of the program offerings:
Developer Guidelines. A technical document to aid developers in moving their applications to NetWare Connect Services. Planned subjects include development considerations, NCS architectural overview and testing considerations.
Software Developer Kit. NetWare Connect Services will take advantage of existing APIs from many of Novell's available SDKs, enabling Novell developers to leverage their previous experience and start coding immediately. APIs will be developed and enhanced by Novell and NCS carriers to provide a comprehensive development environment.
Developer Support. Experienced support engineers will be staffed and available when you require technical assistance. Support for Novell APIs on the Novell SDK CD is obtained through the DeveloperNet Program. The NCS Developer Program will offer more tailored support for NCS developers, by arrangement, to include NCS architectural reviews, review of NCS Developer Guidelines, and NCS lab tours and testing tips.
Marketing and Training Support. A variety of co-marketing opportunities and training will be unveiled in programs that will be tailored to address varying business and market needs.
Special Interest Groups (SIGs). Forums will be scheduled with developers and technical personnel from Novell and its carrier partners to share ideas, experiences, technologies and solutions.
Testing Centers. NetWare Connect Services networks can be utilized to assess the overall performance of your application, to test functions and features, to test for network compliance, to demo your applications to customers in a real network situation, and to reproduce various test environments.
Novell's Software Developer Kit (SDK) for NetWare Connect Services takes advantage of our current suite of APIs that exist in SDKs of other Novell key products and technologies that are being used in NCS. These include:
NetWare 4 (supporting NetWare 2.x and 3.x)
Novell Directory Services
NetWare Security Services
NetWare Link Services Protocol (NLSP)
NetWare MultiProtocol Router
NetWare LAN Workplace
There are unlimited applications and services that can be developed to run on NetWare Connect Services. If it runs on DOS, Windows, UnixWare, or Macintosh, it most likely will run unmodified on NetWare Connect Services. Applications can be delivered in the following areas: services, publishing, network management and utilities, and multimedia.
The Multimedia Services Affiliates Forum
In order to assure better collaboration and utilization of NCS, the Multimedia Services Affiliates Forum has been formed. Through the forum, member companies will work together to facilitate implementation of open standards for the networks, and to ensure their individual networks are seamlessly interconnected and interoperable. The companies emphasized that they will actively recruit additional telecommunications companies, technology providers and content providers for the open forum.
Through the Multimedia Services Affiliate Forum, the telecommunications companies will work together to interconnect their networks, allowing customers to easily access users and information located on any of the affiliate networks. To provide navigation and secure access, AT&T, Deutsche Telekom, NTT, Telstra, and Unisource will share a common directory using NDS. Network applications will be able to access the common directory using an open, standardized interface based upon an integrated DCE/NDS solution.
The affiliate members will also work together to define standards that will be implemented in their networks. These standards include minimum functions for a common service definition, network security and operation, and interfaces between customer support systems. Adoption of these standards by all affiliate members will provide business customers with consistent end-to-end quality of service and customer support.
In addition to advancing networking and application standards, the Multimedia Services Affiliate Forum will develop a common name for affiliated networks, encourage the development of network applications, and recruit information publishers and content providers for the affiliate networks.
This AppNote provided a synopsis of NCS and its current implementation at AT&T. We covered the business reasons for looking to NCS as a solution to today's increasing and converging needs for Internet and intranet access, remote computing and access to other services. NCS provides an opportunity for small and large organizations to securely interconnect their isolated networks. We also covered NCS components such as NetWare, Novell Directory Services, the AT&T Interspan Frame Relay infrastructure, and the AT&T internal NCS Network. The AppNote also provided a brief overview of the security topics related to NCS, followed by information on the IPX Registry, the NCS Developer Program, and the Multimedia Services Affiliates Forum.
We are at the beginning of a new era within the information age, and NDS is the technology and the means to connect you to the global village. Look for future AppNotes and Developer Notes that will examine the various topics covered here in more detail.
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.