New Security Features in NetWare 5
Network Security Development Group
Senior Research Engineer
Novell Developer Information
NANCY C. McLAIN
Senior Technical Writer
Novell Developer Information
01 Sep 1998
Take a quick look at NetWare 5's exciting new security features: public key infrastructure services, international cryptographic infrastructure, secure authentication services, and an enhanced audit system.
Building upon NetWare 4's security features, NetWare 5 offers richer security services that include:
Public Key Infrastructure Services
Novell International Cryptographic Infrastructure
Secure Authentication Service
The Audit system
These new security features are integrated with Novell Directory Services (NDS) and simplify administration by offering single-point administration with NDS-level access control. They also improve data integrity and privacy for Internet traffic crossing public networks.
This AppNote discusses these new features and explains why they are important and how they provide NetWare 5 with advanced security services.
Public Key Infrastructure Services
Novell's Public Key Infrastructure Services (PKIS) enables public key cryptography and digital certificates in a NetWare environment. PKIS allows designated NetWare 5 administrators to establish a Certificate Authority (CA) management domain within NDS and to manage the certificates and keys that provide Secure Sockets Layer (SSL) security for LDAP servers.
Certificate management includes services such as establishing a CA local to your organization, certificate renewal, simplified certificate revocation through certificate suspension (without complex certificate revocation lists), creation of certificate signing requests (for use with external CAs), unlimited certificate minting for applications, and support for SSL in the NetWare environment (for example, Novell LDAP Services for NDS).
PKIS' Features and Attributes
Some important features that PKIS offers NetWare 5 include:
Integrity of Certificate and Private Key Storage through NDS' trusted directory capabilities.
Ability to manage tasks such as automated certificate creation, using the local CA through NetWare Administrator as a single point of administration.
Standards support: PKIS generates certificates according to the X.509 v3 standard and is compatible with X.509 v1 and v2 certificates. The X.509 standard defines an internationally recognized format for asserting identity and public key ownership. A certificate contains the issuer's name, the subject's identifying information, the subject's public key, and the issuer's digital signature. Version 3 of the X.509 standard allows arbitrary extensions for value-added capabilities.
Standards support: PKIS generates PKCS #10 certificate signing requests. A PKCS #10 request binds a public key to an identity and is sent to the certificate authority, which certifies the binding by signing it.
Ability to securely manage the private keys for server applications.
Worldwide exportable public key management capabilities with Novell's international cryptographic infrastructure.
The X.509 v3 standard is a widely accepted basis for a public key infrastructure. Because X.509 v3 defines both the certificate format and its extended attributes, certificates generated by PKIS interoperate with other public key infrastructures. This gives administrators the easiest possible means of creating and managing certificates using NDS, NetWare 5, and the latest standards. Because X.509 v3 extends beyond what version 2 certificates can express, customers gain the value of the newer version.
PKIS helps you build a working public key infrastructure on your network. You can create a CA specific to your organization, use the services of an external CA, or use a combination of both as your Certificate Authority needs dictate.
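The following is an added illustration, not Novell code and not the PKIS API, of the request and certificate formats described above: a local CA is created, a server produces a PKCS #10 request, the CA verifies the request's signature before minting an X.509 v3 certificate that carries the requested extensions, and the result is checked against the CA's public key. It assumes the Python 'cryptography' package is installed; the organization and host names are constructed.

```python
# Added example, not Novell code: the PKCS #10 -> X.509 v3 issuance flow described
# above, using the Python 'cryptography' package. Org and host names are constructed.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_local_ca(org_name):
    """Key pair plus self-signed X.509 v3 certificate acting as the organization's own CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, org_name + " CA")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_csr(host):
    """Server side: new key pair, then a PKCS #10 request binding the public key to the host identity."""
    key = ec.generate_private_key(ec.SECP256R1())
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, host)]))
           .add_extension(x509.SubjectAlternativeName([x509.DNSName(host)]), critical=False)
           .sign(key, hashes.SHA256()))
    return key, csr

def sign_csr(ca_key, ca_cert, csr, days=365):
    """CA side: mint a v3 end-entity certificate from the CSR, carrying over requested extensions."""
    if not csr.is_signature_valid:  # proof that the requester holds the matching private key
        raise ValueError("CSR signature does not verify under the requested public key")
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(csr.subject).issuer_name(ca_cert.subject)
               .public_key(csr.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
               .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True))
    for ext in csr.extensions:  # e.g. the SubjectAlternativeName the server asked for
        builder = builder.add_extension(ext.value, critical=ext.critical)
    return builder.sign(ca_key, hashes.SHA256())

def verify_issued(cert, ca_cert):
    """True only if cert is v3, names ca_cert's subject as issuer, and the CA key verifies its signature."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return cert.version == x509.Version.v3 and cert.issuer == ca_cert.subject
```

Swapping the CA for an external one changes only who runs sign_csr; the PKCS #10 request produced by make_csr is the same artifact PKIS would hand to an external CA.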
Using PKIS, you can control the costs associated with obtaining key pairs and managing public key certificates. PKIS helps you create a local CA based on NDS that signs certificates for other services on the network. With PKIS you can also generate unlimited key pairs and issue unlimited public key certificates through the local CA at no charge.
NDS stores all keys and certificates that are generated by PKIS or obtained from external CAs. NDS' trusted directory features mean that public keys can be openly published while private keys are securely protected.
Novell International Cryptographic Infrastructure
Novell International Cryptographic Infrastructure (NICI) is an infrastructure of network cryptographic services for worldwide consumption. It supports strong cryptography and multiple cryptographic technologies in response to customer and internal Novell needs while complying with diverse national policies on the shipment and use of cryptography. Cryptography services on the NetWare platform provide fundamental security features such as confidentiality, integrity, authentication, and non-repudiation.
NICI is modular in nature, which allows new cryptographic engines, libraries, and policy managers to be added transparently and dynamically. The infrastructure is also tightly controlled: the secure, integral operating system loader verifies the digital signature on NICI modules before they load, and modules can be accessed only through standardized application interfaces.
The Novell Developer's Kit provides the cryptographic services available through NICI.
NICI's Features and Attributes
Some important features that NICI offers NetWare 5 include:
Freedom for developers from having to include cryptographic code in their products.
A dynamically bound cryptographic library that delivers controlled cryptographic services to your applications regardless of where they are used.
The ability for international applications to receive expedited U.S. export approval.
Integrity of key management.
An infrastructure supporting key escrow in future releases.
A uniform cryptographic services API.
Network security services built on NICI.
NICI is the foundation for future network cryptographic services. It ensures that your product complies with international cryptography import and export laws through enforced region-specific cryptographic policies. NICI also provides for single, worldwide commodity vendor products and supports extensible, application-specific cryptographic libraries and interchangeable cryptographic technologies.
In the past, applications that wished to employ cryptography had to provide their own cryptographic services. Because the Novell cryptographic services are provided through a standard SDK, application vendors can take full advantage of them without incorporating cryptography in their applications. They can ship one version of their product worldwide instead of maintaining multiple versions to accommodate the many and varied national cryptography policies. Novell assures compliance with international laws and export requirements, leaving application developers free from these concerns.
Secure Authentication Services
Authentication is a fundamental component of a robust network service: it is how you identify yourself. Without authentication, you cannot secure a network. Novell's Secure Authentication Services (SAS) provides next-generation authentication services and a path to evolving industry authentication mechanisms. In NetWare 5, SAS provides Secure Sockets Layer (SSL) support; server applications use the SAS API set to establish encrypted SSL connections.
SAS' Features and Attributes
SAS is built entirely on NICI. This means:
The SAS service itself is based on a single executable file. Because no cryptography is included in the SAS NLM, you can ship a single NLM worldwide, which simplifies administrator management and tracking. Likewise, any application written to the SAS API can be based on a single executable file.
Applications written to the SAS API can go through a one-time and usually expedited export approval process. Novell has already received export approval for SAS and NICI, so application developers benefit from expedited export procedures.
PKIS provides key management for the SSL services. Any application written to the SAS interface inherits the ability to have PKIS manage its certificates. NDS Access Control Lists (ACLs) manage access to the private key that enables SSL. Because SAS is a network service, it has its own network identity. ACLs are set up on the SSL key object in such a way that allows only the SAS identity to read the private key. This guarantees that non-authorized entities such as users, other server applications, and even the application built on top of SAS cannot gain access to and expose or subvert the private key.
Authentication recognizes and protects the end user; it is how people and things identify themselves, and without it you cannot secure your network. SAS derives its security properties from running on the network inside the NetWare 5 security boundary. Because SAS is a service, not a library, applications do not have access to the protected authentication materials or the users' secrets. SAS also provides worldwide exportable cryptographic services for authentication.
The Audit System
The audit system helps you to accurately monitor and record users' access to network resources.
The audit system now takes advantage of exposed NDS audit services in the following ways:
Audit log files are represented and managed as NDS objects.
Access to the audit information and configuration is controlled by standard NDS rights.
Auditing is configured at the container and volume levels.
The audit policy for a container or volume specifies what is audited within the volume or container and which users are audited.
Audit's Features and Attributes
Some important features that Audit offers NetWare 5 include:
The ability to assign independent auditors whose privileges are separate and distinct from administrator privileges.
Distributed and replicated audit information.
Support for multiple auditors.
A high granularity of auditable events, to the user level.
An auditing system that the auditor can configure to meet company policies.
New audit events added for NetWare 5 (for example, SSL connections).
Exportable audit data for use by reporting programs.
Why the Audit System?
The audit system is an essential element of the total NetWare security environment. Audit integrity is required to establish that the network is secure, and some industries, such as banking, require auditing as part of business operations. The NetWare auditing system can monitor and record every relevant network transaction, which user performed it, and when it occurred.
NetWare provides the highest level of audit data granularity. This includes which events are audited, control of audit configuration, and access to audit data.
Novell's Public Key Infrastructure Services, Novell International Cryptographic Infrastructure, Secure Authentication Service and Audit components help you take advantage of NetWare 5's secure environment to develop applications requiring extremely high levels of security, data integrity, and privacy.
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.