What's New in Novell BorderManager 3.7?
Articles and Tips: article
Product Manager and Master CNE
01 Mar 2002
This AppNote examines the new features planned for version 3.7 of Novell BorderManager (NBM), Novell's popular firewall/VPN solution. NBM 3.7 is expected to ship in April 2002.
Topics: Novell BorderManager, Novell Secure Access, network security, firewalls, Virtual Private Networking
Products: Novell BorderManager 3.7
Audience: network administrators and technicians
Prerequisite Skills: familiarity with basic Internet security concepts
Operating System: NetWare 5.1, 6.x
Novell BorderManager (NBM) has been providing a powerful Internet access and security solution to NetWare shops for over four years. It boasts an install base of well over five million, and is ranked by IDC as one of the top five firewall/VPN products (see Who's the Lord of the Rings? Worldwide Firewall/VPN Software Market Forecast and Analysis, 2001-2005, December 2001, IDC). NBM has a loyal following eagerly anticipating the long list of enhancements to be delivered in 2002.
NBM 3.7 is scheduled to ship in April 2002 and will be followed later in the year by an Enhancement Pack. This AppNote examines some of the key new features of NBM 3.7 that will offer a stronger level of protection for your network and simplify administration.
Overview of Novell BorderManager
Novell BorderManager has historically been marketed as a suite of security products that solve a variety of different business problems. However, NBM is now a component of Novell Secure Access, a truly comprehensive bundle of access and security solutions. (For more information on Novell Secure Access, see the product Web site at http://www.novell.com/products/secureaccess.)
Starting with version 3.7, NBM will be a single package (no components or "Enterprise Edition") and will begin to concentrate on its core competencies. This allows Novell to focus engineering efforts on the NBM features in highest demand. It also sharpens the product definition (as discussed below), which simplifies the marketing message and purchasing decisions.
Internet Access Control and Proxy Cache
The most popular feature of NBM is the ability to control and monitor the Internet activity of employees who are sitting inside the company network. The NBM proxy cache can execute Internet access rules based on the identity of each user in Novell eDirectory. If the user is already authenticated to eDirectory, he or she is automatically authenticated to the NBM proxy. If the user is not authenticated to eDirectory, NBM provides a secure interface to log in through a Web browser. Activity is logged by user name, providing a detailed record of who did what and when.
For more information about activity logging, see "Understanding Novell BorderManager's HTTP Proxy Logs" in the January 2002 issue of Novell AppNotes, available online at http://www.novell.com/appnotes.
Virtual Private Networking (VPN)
The second most popular feature of NBM is directory-integrated VPN. VPN provides encrypted links across the public Internet so that users may securely access the corporate network from home or on the road. VPN eliminates the need to provide remote access dial-up service; the user may be connected to the public Internet anywhere, by any means, and still be able to access corporate resources. The reduction in cost of ownership is huge. NBM also supports site-to-site VPN links, which can securely connect branch offices across the Internet, without the cost of expensive WAN circuits.
Firewall Services
The third major component of NBM is firewall services, which include IP packet filtering and Network Address Translation (NAT). Packet filtering functions at the Network and Transport layers of the OSI model. It can be used to control network traffic to and from specific networks or hosts, based on IP ports and transport layer protocols. Packet filtering also allows the control of special network traffic such as router discovery protocols. IP packet filtering is the first layer of defense at a network border and takes precedence over higher-level services such as proxy access rules.
By including robust firewall capabilities, NBM gives the small or medium customer the ability to use a BorderManager server as its Internet connecting device. Integrated firewall services also provide maximum flexibility for design and placement of proxy and VPN services in larger environments, working cooperatively with other firewall platforms.
Note: For more information about the OSI model, refer to Novell's Networking Primer at http://www.novell.com/info/primer/primer.html or Novell's Introduction to Networking, 2nd Edition (Novell Press, ISBN 0-7645-4700-3) available on shopNovell at http://shop.novell.com.
These three core competencies (Internet access control and proxy cache, VPN, and firewall) form the basis of the NBM roadmap for 2002 and beyond. The following sections discuss how NBM 3.7 provides new functionality in each of these areas.
Internet Access Control Enhancements
This section looks at the enhancements being made to the Internet access control functions in NBM.
SurfControl Content Database
Internet access control, also referred to by analysts as "employee Internet management," consists of two components. The first is the proxy engine itself, which handles the "Security 3As": Authentication, Authorization, and Administration. This functionality is typically found in firewall/VPN solutions like Novell BorderManager. (Examples of competing solutions include Check Point Firewall-1 and Microsoft ISA Server 2000.)
The second component is a content database against which Internet access rules may be defined. This is typically a separate product. Previous versions of BorderManager included CyberPatrol as the content database solution (examples of competing solutions include Websense and N2H2). CyberPatrol is now owned by SurfControl, the market leader in web content filtering (Worldwide Security 3As Software Market Forecast and Analysis, 2001-2005, October 2001, IDC). With SurfControl, Novell can provide customers with a bigger, better, stronger solution for NBM 3.7.
The SurfControl Content Database will be included as a component of Novell BorderManager 3.7. This database consists of seven core URL categories containing roughly as many entries as the old CyberPatrol solution. As before, this core database may be used by NBM customers perpetually without updates.
However, compared to before, the motivations to purchase full products from SurfControl are significant. Customers may purchase either SuperScout Web Filter or CyberPatrol Web Filter directly from SurfControl. These products are basically the same under the hood, but they are targeted at different markets (corporate and education, respectively). These full-functionality products add the following capabilities to the SurfControl Content Database included in NBM:
Twenty-three additional URL categories (for a total of thirty)
Over a million total URLs in the database (more than fifteen times the size of the old CyberPatrol database)
Daily updates (the old solution offered weekly updates)
Real-time Web traffic monitoring, logging, and reporting
Note: Customers may elect to evaluate the full functionality of these new solutions for forty-five days by going to SurfControl's Web site after NBM 3.7 is installed with the SurfControl Content Database.
Here is the full list of categories included in the SurfControl database:
Drugs & Alcohol
Arts & Entertainment
Finance & Investment
Glamour & Intimate Apparel
Hobbies & Recreation
Job Search & Career Development
Lifestyle & Culture
Personals & Dating
For more information on SurfControl, its products and their features, go to http://www.surfcontrol.com.
Virus Request Blocking
Code Red introduced a new type of virus to the world: one that uses HTTP and requires no human interaction to spread itself. HTTP-based viruses search the Internet for vulnerable web servers, automatically infect them, and then turn them to searching for other web servers to be infected. Code Red was followed by Nimda and others. The total loss from HTTP viruses last year is estimated in the billions of dollars.
Novell BorderManager's reverse HTTP proxy is a natural point at which to identify and stop attempts by infected web servers to spread an HTTP virus. When an infected Web server is searching for other machines to infect, the traffic it sends follows certain patterns. These patterns may be recorded and used to identify traffic from other infected servers, just as virus pattern definitions are used to identify traditional viruses. NBM Virus Request Blocking intercepts traffic from infected Web servers as they scan your network looking for victims. The new NBM proxy has the ability both to identify known threats and to apply heuristic logic to identify traffic that is likely to have originated from a new threat.
For more detailed information on NBM 3.7 Virus Request Blocking, see "Blocking Virus Requests in Novell BorderManager's HTTP Accelerator" in the February 2002 issue of Novell AppNotes, at http://www.novell.com/appnotes.
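As an added illustration of the two mechanisms described above (matching known request patterns, then applying heuristics to catch traffic from a threat the pattern list does not know yet), the following Python script classifies raw HTTP request lines the way a reverse proxy could before forwarding them to the origin server. It is not Novell's proxy code: the two signatures are an illustrative pair modelled on the publicly documented Code Red and Nimda request shapes, and the heuristics, their thresholds, and the sample request lines are all constructed for this example.

```python
"""Request-pattern blocking at a reverse HTTP proxy, written as an added
illustration of the idea in this section. This is not Novell's proxy code:
the signature set is a small illustrative one modelled on the publicly
documented Code Red and Nimda request shapes, and the heuristics,
thresholds and sample request lines are constructed for the example."""
import re
from urllib.parse import unquote

# Known-threat patterns: request targets a normal browser never sends.
SIGNATURES = {
    "code-red": re.compile(r"^/default\.ida\?[NX]{100,}", re.I),
    "nimda-cmd": re.compile(r"(?:cmd|root)\.exe\?/c\+", re.I),
}
TRAVERSAL = re.compile(r"\.\.[\\/]")


def classify_request(request_line, max_target_len=512):
    """Return ("block", reason) or ("pass", "ok") for one HTTP request line.

    Known signatures are checked first; the heuristics that follow flag
    requests shaped like a probe for an exploit the signature list does
    not know about yet.
    """
    parts = request_line.split(" ")
    # HTTP/0.9 two-part requests are rejected here as a deliberate choice
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ("block", "malformed-request-line")
    _method, target, _version = parts
    for name, pattern in SIGNATURES.items():
        if pattern.search(target):
            return ("block", f"signature:{name}")
    # %uXXXX is not standard URL escaping; it was used to smuggle bytes
    # past filters that only understood %XX
    if re.search(r"%u[0-9a-f]{4}", target, re.I):
        return ("block", "heuristic:unicode-escape")
    # decode twice so double-encoded traversal (%255c -> %5c -> \) is seen
    path = unquote(unquote(target)).split("?", 1)[0]
    if TRAVERSAL.search(path):
        return ("block", "heuristic:path-traversal")
    if len(target) > max_target_len:
        return ("block", "heuristic:oversized-target")
    # a long run of one repeated character is classic overflow filler
    if re.search(r"(.)\1{63,}", target):
        return ("block", "heuristic:repeated-filler")
    return ("pass", "ok")


def scan(request_lines):
    """Classify each request line and return the list of verdicts."""
    return [classify_request(line) for line in request_lines]


# Constructed sample request lines, as an accelerator might see them.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /default.ida?" + "N" * 224 + "%u4141 HTTP/1.0",
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /images/..%2f..%2fprivate/config.txt HTTP/1.1",
    "GET /search?q=%u0041 HTTP/1.1",
    "GET /products/list?page=2&sort=name HTTP/1.1",
    "GET /" + "A" * 1024 + " HTTP/1.0",
    "GET /cgi/x?" + "A" * 80 + " HTTP/1.0",
]

if __name__ == "__main__":
    for line, (verdict, reason) in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(f"{verdict:5} {reason:28} {line[:60]}")
```

The signature matches are exact and cheap, so they run first; the heuristics are the part that needs tuning. The oversized-target and repeated-filler thresholds in particular will trip on some legitimate applications (long session tokens, base64 parameters), so a sensible rollout is to log heuristic hits for a while and only switch them to blocking once the logs show no false positives against your own sites.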
Third-Party Certificate Authority Support
NBM's Web proxy supports authentication via a secure (SSL) Web page for those users who are not already logged in to eDirectory and running Client Trust. To use SSL authentication, a PKI infrastructure must be in place and available for use by NBM. For NBM customers, this has typically meant planning and deploying Novell Certificate Server.
Many customers, however, want to use certificates minted by a non-Novell certificate authority (CA), whether it be some other private CA or a recognized public CA such as Entrust or VeriSign. An advantage of using a major public CA is that most Web browsers already recognize these companies as "trusted root" certificate authorities. Therefore, the private CA does not need to be imported to browsers as a trusted root. Also, users are not prompted to accept a new certificate when they first use NBM's SSL authentication. This simplifies implementation of proxy services and streamlines the user experience. It also reduces support overhead, as every pop-up box a user sees is a potential help-desk call.
Third-party CAs require the customer to submit a valid DNS host name when a new certificate is minted for a server. That DNS host name is stored in the certificate itself. In previous versions of Novell BorderManager, during SSL authentication the proxy identified itself to Web browsers by the proxy server's private IP address. If the proxy was using a third-party CA, an error message would display saying that the server name (an IP address) does not match the name in the certificate (a DNS host name). This defeated the goal of streamlining the user experience.
In NBM 3.7, the Web proxy can identify itself to browsers by DNS host name. This allows Novell customers to leverage the increased usability of a recognized public CA, simplifying browser configuration and reducing help-desk calls.
For more information on Novell Certificate Server, visit the product Web site at http://www.novell.com/products/certserver.
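The name mismatch described above can be reproduced with a small host-name matching check. The following Python code is an added example, not Novell's or any browser's code: it compares the names carried in a certificate with the name the browser was sent to, using the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns. The certificates, the host name proxy.example.com, and the private address 10.0.0.1 are all constructed for the example.

```python
"""Browser-style check of a server certificate's names against the name
the client connected to, written as an added illustration of why a
proxy that identifies itself by IP address fails with a public-CA
certificate issued to a DNS host name. This is not Novell's or any
browser's code; the certificate dictionaries are constructed and use the
shape returned by ssl.SSLSocket.getpeercert()."""
import ipaddress


def _dns_match(pattern, hostname):
    """Case-insensitive DNS-ID match; a leading '*.' matches exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return pattern == hostname


def names_in_cert(cert):
    """Return (dns_names, ip_addresses) a client may compare against.

    subjectAltName is authoritative; the subject commonName is consulted
    only as a legacy fallback when the certificate has no SAN entries.
    """
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def check_identity(cert, requested):
    """Return (ok, reason) for the name the client actually connected to.

    `requested` is either a DNS host name or an IP address literal; an IP
    literal only matches an IP Address SAN entry, never a DNS name.
    """
    dns, ips = names_in_cert(cert)
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ipaddress.ip_address(i) == ip for i in ips):
            return True, f"IP {requested} is listed in subjectAltName"
        return False, f"certificate names {dns or ips} do not cover IP {requested}"
    if any(_dns_match(p, requested) for p in dns):
        return True, f"host name {requested} matches the certificate"
    return False, f"host name {requested} does not match {dns}"


# Constructed certificates (subject/SAN only; no real keys or signatures).
PUBLIC_CA_CERT = {
    "subject": ((("commonName", "proxy.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "proxy.example.com"),),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
IP_SAN_CERT = {
    "subject": ((("commonName", "10.0.0.1"),),),
    "subjectAltName": (("IP Address", "10.0.0.1"),),
}


def demo():
    """Pre-3.7 behaviour (redirect to the private IP) beside the 3.7
    behaviour (redirect to the DNS host name), plus two edge cases."""
    return {
        "by-ip": check_identity(PUBLIC_CA_CERT, "10.0.0.1")[0],
        "by-dns": check_identity(PUBLIC_CA_CERT, "proxy.example.com")[0],
        "wildcard-one-label": check_identity(WILDCARD_CERT, "proxy.example.com")[0],
        "wildcard-two-labels": check_identity(WILDCARD_CERT, "a.b.example.com")[0],
        "ip-san": check_identity(IP_SAN_CERT, "10.0.0.1")[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22} {'match' if ok else 'MISMATCH'}")
```

The "by-ip" case is the pre-3.7 situation: the certificate is perfectly valid and chains to a trusted root, yet the browser warns because the name it was sent to (an IP literal) is not among the names the CA certified. The fix is on the server side, which is exactly what NBM 3.7 does by redirecting to the DNS host name, so the "by-dns" case is the one users see. Public CAs will not normally issue a certificate for a private IP address, so the "ip-san" case is only practical with a private CA.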
VPN Enhancements
This section covers the enhancements being made to the VPN functions of NBM.
New VPN Client
NBM customers have been asking for a VPN client that works on Windows Millennium Edition (Windows ME) for some time. The challenge with Windows ME is that it does not include a full IP stack. Since Windows ME was designed purely for home use, Microsoft felt that it did not require the same level of networking support as other versions of Windows. This has been a problem for VPN vendors because, by definition, VPN clients are outside the office and are therefore very often home PCs running Windows ME.
NBM 3.7 now delivers Windows ME support in the form of a single VPN client installation that automatically detects what version of Windows is running and installs any needed extra components. The NBM 3.7 VPN client supports Windows 98/98SE, ME, NT 4, 2000, and XP Professional. The new VPN client also employs Novell International Cryptographic Infrastructure (NICI) for encryption. The VPN client installation will automatically install the correct version of NICI if it is not present.
VPNs are not a security solution; they are an access solution. Client-site VPN provides a low-cost, general purpose alternative to maintaining a dial-up service and to web portals that don't support legacy network services. The channel between the client and the server is indeed encrypted, which does prevent exposure of corporate data to intermediary parties. However, when you allow a computer to connect via VPN, the client computer itself is most likely unprotected. Upon connection to your VPN service, that computer becomes an unmanaged entry point into your private network.
To address this problem, many NBM customers have chosen to distribute a personal firewall with the VPN client. Personal firewalls are designed to protect workstations against hackers exploiting vulnerabilities in the workstation's operating system or applications. They also prevent communication with Trojans or backdoors that may already exist from previous virus infections. The user is typically told when an application wants out to the Internet. The user is then asked whether the application should be allowed or denied access. Similarly, attempts by remote nodes on the Internet to initiate a dialog with the workstation are blocked and logged.
On a corporate network, these protections are typically provided by centralized firewall devices that all IP traffic must pass through, whether inbound or outbound. But when a laptop is carried outside the office and connected in a hotel room or at home, no such blanket protection exists and the personal firewall is a must. Research shows that the majority of NBM customers do not yet require use of a personal firewall on VPN client machines. However, this is quickly changing as more and more organizations modify their security policies to require them. To provide a more holistic client-site VPN solution, NBM 3.7 includes Norman Personal Firewall (NPF).
Like Novell BorderManager, NPF is a multi-level firewall. This means it functions at both the traditional Network and Transport layers and also at the Application layer. You can allow or deny traffic based on ports, IP node and network addresses, URLs, or application name. With NPF, a system administrator can create the desired security policy for VPN clients and distribute it with the client software in a configuration file. While remote users may alter the configuration, they can return it to the corporate default by recopying the configuration file.
NPF also includes advanced web filtering capabilities that can block scripts, ActiveX, applets, referrer headers, cookies, and advertisements. This provides a powerful extra layer of protection that plugs one of the biggest security holes on any PC: the Web browser. Active Web content can provide useful functionality in browser-based applications. However, it can also be used to transmit proprietary data to servers on the public Internet. Unsuspecting users can expose confidential files, machine configurations and software inventories, or a trail of their Internet activity for the day. NPF's ability to block active web content by origin server means trusted sites may be accessed at their full functionality, while the rest of the world is denied access to private data.
The advanced capabilities of NPF can be leveraged within the corporate network as well as on remote VPN clients. Novell's ZENworks for Desktops may be used to distribute and lock down NPF inside the corporate firewall to provide blocking of active Web content that supplements the URL filtering capabilities of Novell BorderManager. The result is blocking of known, categorized URLs at the proxy, before the target Web server is even contacted, augmented by NPF's ability to block active Web content at the workstation. Like heuristics in a virus scanner, this can effectively predict undesirable sites that are not in the proxy's URL database, based on their use of active Web content.
Firewall Enhancements
This section looks at the enhancements being made to the firewall aspects of NBM.
Browser-Based Filter Configuration
One of the top requests for an NBM enhancement is a simpler, point-and-click interface for packet filtering. NBM 3.7 delivers this using Novell iManager. iManager is based on an architecture called eMFrame that significantly simplifies the creation of snap-ins for eDirectory-based products. At the time of this writing, iManager requires NetWare 6. 100% iManager support in NBM should arrive in a product update later this year.
During installation, NBM 3.7 extends the directory schema to add new Server object attributes and new classes for IP packet filtering. After the installation and a reboot, entering "FILTSRV MIGRATE" at the console prompt moves the IP filter configuration from the text files in SYS:\ETC\ into eDirectory. After migration, FILTSRV.NLM reads IP filters and exceptions from eDirectory, not from text files. (Text files are still used for IPX and AppleTalk filters.) You can then use iManager to administer IP filtering. Changes in iManager are automatically pushed out to the server and put into effect.
After the migration of the IP filters and exceptions into eDirectory, you may continue to use the old interface to administer the firewall. Like FILTSRV.NLM, a new FILTCFG.NLM also reads IP filters and exceptions from eDirectory, not from text files.
Storing the firewall configuration in eDirectory provides functionality unavailable in the old model. First, specific filters and exceptions are objects in the Directory, which are then associated with Server objects. Multiple servers can be associated with a filter, significantly simplifying administration for large environments. Second, we expect Directory-based packet filtering to facilitate better clustering support for firewall services. Third, canned filter objects could potentially be provided with Novell and partner products in an LDIF file. When setting up a new network service that requires firewall changes, importing the filter objects and associating them with the appropriate servers would take seconds, compared to the arduous task of modifying filters in the old C-Worthy utility.
Create Filter Exceptions During Installation
NBM 3.7 removes many of the barriers that previously made installation of BorderManager complex and imposing. For example, the install routine requires the installer to load INETCFG if it has not been run on that server and to enter the correct default gateway if one does not exist. The new install feature that customers are likely to appreciate most is the ability to select all NBM services that will be in use on the server and have the minimum necessary filter "excepts" for those services created automatically. Explicit exceptions will be created for each service, not as blanket exceptions as in the past. Stateful inspection will be used for all outbound exceptions. This will ensure the tightest possible default firewall configuration, ready to pass a port scan test on the first reboot.
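The packet-filtering model described in this section and in the earlier discussion of firewall services (a default-deny filter, explicit exceptions for each enabled service, and stateful inspection on outbound exceptions) can be illustrated with a small simulator. The following Python code is an added example, not Novell's FILTSRV or FILTCFG code: the Packet and Except types, the service list, and all addresses are constructed, and it deliberately contrasts a stateful outbound exception with a coarse stateless reverse exception to show why the stateful form gives the tighter default.

```python
"""Default-deny packet filtering with explicit per-service exceptions and
stateful tracking, written as an added illustration of the approach the
article describes. This is not Novell's FILTSRV or FILTCFG code: the
Packet and Except types, the service list, and all addresses are
constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Except:
    """One filter exception ("except" in NBM terms): traffic admitted
    through an otherwise deny-everything filter for a single service."""
    name: str
    proto: str
    direction: str    # "in": clients/Internet -> server, "out": server -> Internet
    dport: int
    stateful: bool = True   # False models a coarse stateless reverse exception
                            # that admits any packet whose source port is dport


SERVER_IP = "10.0.0.1"   # constructed address of the filtering server


class PacketFilter:
    def __init__(self, excepts, server_ip=SERVER_IP):
        self.excepts = excepts
        self.server_ip = server_ip
        # tracked flows, keyed (proto, server_ip, server_port, peer_ip, peer_port)
        self.flows = set()

    def _track(self, p):
        if p.src == self.server_ip:
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        else:
            self.flows.add((p.proto, p.dst, p.dport, p.src, p.sport))

    def _tracked(self, p):
        return ((p.proto, p.src, p.sport, p.dst, p.dport) in self.flows or
                (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows)

    def decide(self, p):
        """Return the verdict for packet p as 'allow:<why>' or 'deny'."""
        # 1. replies that belong to a tracked flow pass on state alone
        if self._tracked(p):
            return "allow:state"
        for e in self.excepts:
            if e.proto != p.proto:
                continue
            inbound = e.direction == "in" and p.dst == self.server_ip
            outbound = e.direction == "out" and p.src == self.server_ip
            # 2. explicit exception for the service's own port
            if (inbound or outbound) and p.dport == e.dport:
                if e.stateful:
                    self._track(p)
                return f"allow:{e.name}"
            # 3. stateless reverse exception: any packet sourced from dport
            if not e.stateful and p.sport == e.dport:
                return f"allow:{e.name}-reverse"
        # 4. everything else hits the deny-all filter
        return "deny"


def demo(stateful=True):
    """Run a constructed traffic sample through a filter whose outbound
    exceptions are stateful (the NBM 3.7 default described in the article)
    or stateless, and return the list of verdicts."""
    excepts = [
        Except("proxy-in", "tcp", "in", 8080),              # inside clients -> HTTP proxy
        Except("http-out", "tcp", "out", 80, stateful),     # proxy fetching from the Internet
        Except("dns-out", "udp", "out", 53, stateful),      # proxy resolving names
    ]
    f = PacketFilter(excepts)
    client, web, prober = "10.0.0.25", "203.0.113.10", "198.51.100.7"  # constructed
    return [
        f.decide(Packet("tcp", client, 40001, SERVER_IP, 8080)),   # proxy request
        f.decide(Packet("tcp", SERVER_IP, 8080, client, 40001)),   # proxy reply
        f.decide(Packet("tcp", SERVER_IP, 50000, web, 80)),        # outbound fetch
        f.decide(Packet("tcp", web, 80, SERVER_IP, 50000)),        # web server reply
        f.decide(Packet("tcp", prober, 80, SERVER_IP, 445)),       # probe sourced from port 80
        f.decide(Packet("tcp", prober, 1025, SERVER_IP, 23)),      # telnet probe
    ]


if __name__ == "__main__":
    for mode in (True, False):
        print("stateful" if mode else "stateless", demo(mode))
```

In the stateful run, the web server's reply is admitted only because the proxy itself opened that flow, and the probe sourced from port 80 is dropped. In the stateless run, the reverse exception admits any packet whose source port is 80, so the same probe reaches port 445 on the server: that is the gap a blanket reverse exception leaves and a stateful exception closes, which is why the per-service, stateful defaults make the server ready for a port scan on first reboot.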
This AppNote has summarized several of the new features in Novell BorderManager 3.7. The features discussed fall into the three areas where NBM has the greatest technical strengths and value propositions: Internet access control and proxy cache, VPN, and firewall. There are a few more cool surprises in the box, including a condensed version of Craig Johnson's A Beginner's Guide to Novell BorderManager 3.x. (If you are not familiar with Craig's work, check out his books and other resources at http://nscsysop.hypermart.net/.)
Together with BorderManager Authentication Services, the features in Novell BorderManager 3.7 are now all truly built on eDirectory. They offer a stronger level of protection for your network and simplified administration over previous versions. This product revision demonstrates Novell's commitment to access and security solutions and its focus on Novell BorderManager as a key component of Novell's security story.
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.