Appendix B: Functions of Server, Client, and Network Medium Components
01 Nov 1997
This appendix summarizes the functions and requirements for server, client, and network medium components within the NetWare Enhanced Security architecture.
In the following table, "S" indicates that the server role has the responsibility for generating, managing, enforcing, or verifying the indicated function. A "C" indicates that the client role has the responsibility.
Table 1: Service protocols and component functions.

| Service Protocol | DAC | I&A | Audit | Object Reuse | System Arch. |
|---|---|---|---|---|---|
| Accounting NCPs | S Enforce | S Verify | S Generate | | |
| AppleTalk Filing Protocol NCPs | | | | | |
| Audit NCPs | S Enforce | S Verify | S Manage; S Generate | | |
| Bindery Emulation NCPs | S Enforce; S Public | S Enforce; C Enforce; S Manage; C Manage; S Verify | S Generate | | |
| Connection NCPs | S Public | S Verify | S Generate | S Enforce | S Enforce |
| Data Migration NCPs | | | | | |
| Extended Attributes NCPs | S Enforce | S Verify | S Generate | S Enforce | S Enforce |
| File Server Environment NCPs | S Public | S Verify | S Generate | S Enforce | |
| File System NCPs | S Enforce; S Public | S Verify | S Generate | S Enforce | S Enforce |
| Messaging NCPs | S Enforce | S Verify | S Generate | S Enforce | S Enforce |
| NCP Extension NCPs | | | | | |
| Novell Directory Services NCPs | S Enforce; S Manage; S Public | S Enforce; C Enforce; S Manage; C Manage; S Verify | S Generate | S Enforce | |
| Queue and Print NCPs | S Enforce | S Verify | S Generate | | |
| Statistics NCPs | S Public | | | | |
| Synchronization NCPs | S Enforce | S Verify | S Enforce | S Enforce | |
| Time Synchronization NCPs | | | | | |
| Transaction Tracking NCPs | S Public | S Verify | S Enforce | S Enforce | |
| Storage Management Services Protocol | S Enforce | S Enforce; C Enforce; S Verify | | | |
| Print Server Status and Control Protocol | S Enforce; S Public | S Enforce; C Enforce; S Verify | | | |
| Printer Communications Protocol | S Enforce |
Complete Server Components
A complete server component is an implementation of the functions that are typically found in a component that implements the majority of the server roles, and in some cases, client roles, defined for the NetWare Enhanced Security architecture.
The following list summarizes the requirements that apply to all components, server components included.
1. Each component must have an NTCB partition that protects local resources and mediates access to the network.
2. If a user is allowed to have a different identity on different components, there must be a means for associating the identities with all auditable actions taken by that user.
3. The NTCB partition at each component where named objects are stored and managed must enforce a DAC policy.
4. A component NTCB partition may not permit untrusted software to communicate with untrusted software in other components without mediation according to a defined access control policy.
5. The NTCB partition at each component that performs I&A or DAC functions must generate the associated audit events.
6. The NTCB partition at each component in the network must protect all authentication data that it stores and/or processes.
7. The NTCB partition at each component in the network must protect its audit data.
8. The implementation of all protocols in a multi-user environment must conform to the Object Reuse requirements of the TNI.
9. In DoD environments, if a component has a rating that permits it to support mandatory access control or labeling policies, the component must view the rest of the network as operating at a single security level.
10. In DoD environments, if a component does not have a rating that permits it to support mandatory access control or labeling policies, the component must operate in Dedicated Mode or System High Mode.
11. A component NTCB partition may not permit untrusted software to run on behalf of multiple users simultaneously.
12. If a component uses a second component to store information critical to the secure operation of the first component's NTCB, the first component must ensure that the protection mechanisms, such as DAC, of the second component are properly used to protect the information in accord with the requirements of the TNI.
13. If a component performs management functions for a second component, the first component must implement the management functions as part of its NTCB partition, and the NTCB partition documentation must identify them as administration tools.
14. In each component, the mechanisms for signaling over the network cable must be part of the NTCB partition.
15. A component NTCB partition may not permit untrusted software to directly control signaling on the network cable.
16. Every component in a NetWare Enhanced Security network must have a unique Link Layer address.
17. In each component, the link layer implementation must be part of the NTCB partition.
18. A component NTCB partition may not permit untrusted software to issue Ethernet packets without NTCB verification of the source link layer address.
19. A component NTCB partition must process only those incoming link layer packets that are addressed to the component.
20. Every component in a NetWare Enhanced Security network must have a unique Internetwork Layer (IPX) address.
21. A component NTCB partition may not permit untrusted software to issue non-IPX packets or to issue IPX packets without NTCB verification of the source IPX address.
22. A component NTCB partition must process only those IPX packets that are addressed to the component.
23. All components implementing the routing function must implement the server role of the Routing Information Protocol (RIP) and the Service Access Protocol (SAP).
24. A component NTCB partition may not permit untrusted software to issue Routing Information Protocol (RIP) or Service Access Protocol (SAP) responses.
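Items 18 through 24 describe the mediation an NTCB partition applies to the network traffic of untrusted software: outbound frames must carry the component's own link layer and IPX source addresses, untrusted software may issue only IPX and never RIP or SAP responses, and inbound packets are processed only when addressed to the component. The following Python model of those checks is an added example and is not code from the appendix or from Novell. It assumes the standard 30-byte IPX header layout, the IPX EtherType 0x8137, the RIP and SAP socket numbers 0x0453 and 0x0452, and the RIP/SAP operation codes from the IPX protocol; none of these values appear in the appendix. The addresses and frames are constructed sample data, and the treatment of broadcast and of IPX network 0 as "addressed to every component" is this example's reading of items 19 and 22.

```python
# Added example, not code from the Novell appendix. Protocol constants are
# assumptions taken from the IPX protocol; all addresses and frames are constructed.
from __future__ import annotations

import struct
from dataclasses import dataclass

IPX_ETHERTYPE = 0x8137          # Ethernet II type for IPX (assumption)
IPX_HEADER_LEN = 30
RIP_SOCKET = 0x0453             # IPX RIP socket (assumption)
SAP_SOCKET = 0x0452             # IPX SAP socket (assumption)
BROADCAST_NODE = b"\xff" * 6
# checksum, length, transport control, packet type, dst net/node/socket, src net/node/socket
IPX_FMT = ">HHBBI6sHI6sH"


@dataclass
class IpxHeader:
    packet_type: int
    dst_net: int
    dst_node: bytes
    dst_socket: int
    src_net: int
    src_node: bytes
    src_socket: int


@dataclass
class Component:
    node: bytes   # unique link layer address (item 16)
    net: int      # IPX network number; net + node is the unique IPX address (item 20)


def parse_ipx(payload: bytes) -> IpxHeader:
    """Decode the fixed 30-byte IPX header; reject truncated packets."""
    if len(payload) < IPX_HEADER_LEN:
        raise ValueError("truncated IPX header")
    _csum, _len, _tc, ptype, dnet, dnode, dsock, snet, snode, ssock = struct.unpack(
        IPX_FMT, payload[:IPX_HEADER_LEN])
    return IpxHeader(ptype, dnet, dnode, dsock, snet, snode, ssock)


def is_rip_sap_response(hdr: IpxHeader, payload: bytes) -> bool:
    """RIP and SAP carry a 16-bit operation code right after the IPX header:
    2 is a response in both, 4 is SAP's nearest-service response (assumptions)."""
    if hdr.dst_socket not in (RIP_SOCKET, SAP_SOCKET) or len(payload) < IPX_HEADER_LEN + 2:
        return False
    operation = struct.unpack(">H", payload[IPX_HEADER_LEN:IPX_HEADER_LEN + 2])[0]
    return operation == 2 or (hdr.dst_socket == SAP_SOCKET and operation == 4)


def check_outbound(me: Component, frame) -> tuple[bool, str]:
    """NTCB decision before a frame from untrusted software reaches the cable (items 18, 21, 24)."""
    _dst_mac, src_mac, ethertype, payload = frame
    if src_mac != me.node:
        return False, "item 18: source link layer address is not this component's"
    if ethertype != IPX_ETHERTYPE:
        return False, "item 21: untrusted software may not issue non-IPX packets"
    try:
        hdr = parse_ipx(payload)
    except ValueError as exc:
        return False, f"item 21: {exc}"
    if (hdr.src_net, hdr.src_node) != (me.net, me.node):
        return False, "item 21: source IPX address is not this component's"
    if is_rip_sap_response(hdr, payload):
        return False, "item 24: untrusted software may not issue RIP/SAP responses"
    return True, "accepted"


def check_inbound(me: Component, frame) -> tuple[bool, str]:
    """Items 19 and 22: process only packets addressed to this component.
    Broadcast and IPX network 0 ("this network") count as addressed to everyone."""
    dst_mac, _src_mac, ethertype, payload = frame
    if dst_mac not in (me.node, BROADCAST_NODE):
        return False, "item 19: link layer destination is another component"
    if ethertype != IPX_ETHERTYPE:
        return False, "not IPX: outside this model"
    try:
        hdr = parse_ipx(payload)
    except ValueError as exc:
        return False, f"item 22: {exc}"
    if hdr.dst_net not in (0, me.net) or hdr.dst_node not in (me.node, BROADCAST_NODE):
        return False, "item 22: IPX destination is another component"
    return True, "accepted"


def build_frame(dst_mac, src_mac, dst, src, data, packet_type=4, ethertype=IPX_ETHERTYPE):
    """Construct an Ethernet II frame carrying one IPX packet; dst/src are (net, node, socket)."""
    hdr = struct.pack(IPX_FMT, 0xFFFF, IPX_HEADER_LEN + len(data), 0, packet_type, *dst, *src)
    return (dst_mac, src_mac, ethertype, hdr + data)


def demo() -> dict[str, tuple[bool, str]]:
    """Run both checks over constructed sample frames and return every decision."""
    me = Component(node=bytes.fromhex("00001b0a0b0c"), net=0x0000AA01)
    peer = bytes.fromhex("00001b0d0e0f")
    mine, theirs = (me.net, me.node, 0x4001), (me.net, peer, 0x4002)
    sap_resp = b"\x00\x02" + b"\x00" * 62     # SAP general response, empty body
    return {
        "normal_out": check_outbound(me, build_frame(peer, me.node, theirs, mine, b"NCP request")),
        "spoofed_mac": check_outbound(me, build_frame(peer, peer, theirs, mine, b"x")),
        "spoofed_ipx": check_outbound(me, build_frame(peer, me.node, theirs, theirs, b"x")),
        "non_ipx": check_outbound(me, (peer, me.node, 0x0800, b"\x45" + b"\x00" * 19)),
        "sap_response": check_outbound(me, build_frame(
            BROADCAST_NODE, me.node, (me.net, BROADCAST_NODE, SAP_SOCKET),
            (me.net, me.node, SAP_SOCKET), sap_resp)),
        "for_me_in": check_inbound(me, build_frame(me.node, peer, mine, theirs, b"NCP reply")),
        "for_other_in": check_inbound(me, build_frame(peer, peer, theirs, theirs, b"x")),
        "bcast_for_other_in": check_inbound(me, build_frame(BROADCAST_NODE, peer, theirs, theirs, b"x")),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:20s} {'PASS' if ok else 'DROP'}  {why}")
```

The point of keeping the decision and its reason together is auditability: item 5 requires the partition that performs these checks to generate audit events, and a rejection string that names the violated requirement is the record an auditor would want to see in that event.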
If a component implements the server role of any protocol described in this architecture:
It must implement the entire server role for that protocol.
The implementation must be part of the component's NTCB partition.
The implementation must be in accord with the security semantics set forth in the SFS for that protocol.
The requirements specific to the complete server component are:
A complete server must be a C2 IAD component.
A complete server must implement all of the server role of NCP.
A complete server may implement the client and/or server roles of SMSP, PSSCP, and/or PCP.
Complete Client Components
A complete client component is an implementation of the functions that are typically found in a component that implements the majority of the client roles, and in some cases, server roles, defined for the NetWare Open Security Architecture.
The following list summarizes the requirements that apply to all components, client components included.
1. Each component must have an NTCB partition that protects local resources and mediates access to the network.
2. If a user is allowed to have a different identity on different components, there must be a means for associating the identities with all auditable actions taken by that user.
3. The NTCB partition at each component where named objects are stored and managed must enforce a DAC policy.
4. A component NTCB partition may not permit untrusted software to communicate with untrusted software in other components without mediation according to a defined access control policy.
5. The NTCB partition at each component that performs I&A or DAC functions must generate the associated audit events.
6. The NTCB partition at each component in the network must protect all authentication data that it stores and/or processes.
7. The NTCB partition at each component in the network must protect its audit data.
8. The implementation of all protocols in a multi-user environment must conform to the Object Reuse requirements of the TNI.
9. In DoD environments, if a component has a rating that permits it to support mandatory access control or labeling policies, the component must view the rest of the network as operating at a single security level.
10. In DoD environments, if a component does not have a rating that permits it to support mandatory access control or labeling policies, the component must operate in Dedicated Mode or System High Mode.
11. A component NTCB partition may not permit untrusted software to run on behalf of multiple users simultaneously.
12. If a component uses a second component to store information critical to the secure operation of the first component's NTCB, the first component must ensure that the protection mechanisms, such as DAC, of the second component are properly used to protect the information in accord with the requirements of the TNI.
13. If a component performs management functions for a second component, the first component must implement the management functions as part of its NTCB partition, and the NTCB partition documentation must identify them as administration tools.
14. In each component, the mechanisms for signaling over the network cable must be part of the NTCB partition.
15. A component NTCB partition may not permit untrusted software to directly control signaling on the network cable.
16. Every component in a NetWare Enhanced Security network must have a unique link layer address.
17. In each component, the link layer implementation must be part of the NTCB partition.
18. A component NTCB partition may not permit untrusted software to issue Ethernet packets without NTCB verification of the source link layer address.
19. A component NTCB partition must process only those incoming link layer packets that are addressed to the component.
20. Every component in a NetWare Enhanced Security network must have a unique Internetwork Layer (IPX) address.
21. A component NTCB partition may not permit untrusted software to issue non-IPX packets or to issue IPX packets without NTCB verification of the source IPX address.
22. A component NTCB partition must process only those IPX packets that are addressed to the component.
23. All components implementing the routing function must implement the server role of the Routing Information Protocol (RIP) and the Service Access Protocol (SAP).
24. A component NTCB partition may not permit untrusted software to issue Routing Information Protocol (RIP) or Service Access Protocol (SAP) responses.
The following list summarizes the requirements that apply to all components that implement client roles.
1. A client must implement enough of the protocol stack to perform its functions within the network.
2. The client-role component must implement those Novell Directory Services NCPs or Bindery Emulation NCPs that provide user authentication and password changing. The implementation must be part of the NTCB partition in the client-role component.
3. The implementation of the client role of SMSP in any component must be part of the NTCB partition in that component.
4. The implementation of the client role of PSSCP that is identified with a user ID which has operator (administrator) privilege with regard to the printer facilities in any component must be part of the NTCB partition in that component.
5. The implementation of the client role of PCP in any component must be part of the NTCB partition in that component.
If a client component implements the server role of any protocol described in this architecture:
It must implement the entire server role for that protocol.
The implementation must be part of the component's NTCB partition.
The implementation must be in accord with the security semantics set forth in the SFS for that protocol.
The requirements specific to the complete client component are that client components without local objects to protect may be C2 I components, but clients that contain local objects must protect them and must be C2 DI or IAD components.
Simple Network Medium Components
A simple network medium component is a single LAN segment, the simplest component interconnection defined in the NetWare Enhanced Security Architecture. Considerations for more complex interconnection are given above.
The following are the simple network medium component requirements that are requirements for all physical layer implementations.
1. The physical layer is responsible for providing a means of signaling from any connected component to any other connected component.
2. The physical layer is responsible for maintaining confidentiality of the information that is transmitted between these components.
Copyright 1997 by Novell, Inc. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, for any purpose without the express written permission of Novell.
All product names mentioned are trademarks of their respective companies or distributors.
* Originally published in Novell AppNotes
Disclaimer
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.