NetWare 5 Security Components
Articles and Tips: article
Network Security Development Group
Senior Research Scientist
NANCY C. MCLAIN
Senior Technical Writer
01 Sep 1998
Describes new security features in NetWare 5, including Public Key Infrastructure Services, Novell International Cryptographic Infrastructure and Audit.
Building upon NetWare 4's security features, NetWare 5 offers richer security services that include Public Key Infrastructure Services, Novell International Cryptographic Infrastructure, Secure Authentication Service, and Audit. These new security features are integrated with NDS and simplify administration by offering single-point administration with NDS levels of access control. They also provide security for improved Internet data integrity and privacy across public networks.
This article describes:
Public Key Infrastructure Services
Novell International Cryptographic Infrastructure
Secure Authentication Service
What Is Public Key Infrastructure Services?
Novell's Public Key Infrastructure Services (PKIS) enables public key cryptography and digital certificates in a NetWare environment. PKIS allows any designated NetWare 5 administrators to establish a Certificate Authority (CA) management domain within NDS. PKIS allows administrators to manage certificates and keys for Secure Socket Layer (SSL) security for LDAP servers.
The certificate management capabilities offered through PKIS include:
Establishing a CA local to your organization
Unlimited certificate minting services for applications, using SSL in the NetWare environment, such as Novell LDAP Services for NDS
Ability to create certificate signing requests for use with external CAs
Simplified certificate revocation and certificate suspension based on NDS access controls without complex certificate revocation lists
PKIS's Top Features and Attributes
Integrity of Certificate and Private Key Storage through NDS's trusted directory capabilities.
Ability to manage such tasks as automated artificial certificate creation, using the local CA through NetWare Administrator as a single-point of administration.
PKIS generates certificates according to the X.509 v3 standard. PKIS is compatible with X.509 v 1 and v 2 certificates. The X.509 standard defines an internationally recognized format for providing identity and public key ownership. It contains the issuer's name, the user's identifying information, and the issuer's digital signature. Version 3 of the X.509 standard allows arbitrary extensions for value-added capabilities.
PKIS also generates the PKCS #10 certificate signing requests. A PKCS #10 certificate signing request is a public-key and identity bound for certification by a signing authority. The PKCS #10 certificate request is sent to the certificate authority for a signature.
Ability to securely manage the private keys for server applications.
World wide exportable public key management capabilities with Novell's international cryptographic infrastructure.
The X.509 v3 standard constitutes a widely-accepted standard upon which to base a public key infrastructure. With X.509 v3 defining the certificate format and extended attributes, the certificates generated by PKIS are interoperable with other public key infrastructures. This gives administrators the easiest possible means of creating and managing certificates using NDS, NetWare 5 and the latest standards. Since the capabilities of X.509 v3 have advanced beyond the development of X.509 version 2 certificates, customers can derive the value inherent to this new version.
Why Care About PKIS?
PKIS helps you to build a working public key infrastructure on your network. You can:
Create a CA specific to your organization.
Use the services of an external CA.
You can also use a combination of both as your Certificate Authority needs dictate.
Using PKIS, you can control the costs associated with obtaining key pairs and managing public key certificates. PKIS helps you create a local CA based on NDS that signs certificates for other services on the network. With PKIS you can also generate unlimited key pairs and issue unlimited public key certificates through the local CA at no charge.
NDS stores all keys and certificates that are generated by PKIS or obtained from external Cas. NDS's trusted directory features means that public keys can be openly published while private keys are securely protected.
What Is Novell International Cryptographic Infrastructure?
An infrastructure of network cryptographic services for world-wide consumption that will support strong cryptography and multiple cryptographic technologies in response to customer and internal Novell needs while complying with divers national policies on the shipment and use of cryptography. Cryptography services on the NetWare platform provide fundamental security features such as confidentiality, integrity, authentication, and non-repudiation.
The services are modular in nature, which will allow new cryptographic engines, libraries, and policy managers to be dynamically added. The infrastructure is also tightly controlled, enforced through an integral OS loader which verifies modules before loading, and controls access to modules only via standardized interfaces. Available cryptographic services will be provided via a Novell SDK.
It delivers the following fundamental security features:
NICI is modular in nature. It allows for a transparent addition of cryptographic engines and policies. The secure, integral operating system loader tightly controls the modules by:
Verifying the digital signature on NICI modules before they load.
Requiring standardized application interfaces in order to access the modules.
The Novell Developer's Kit provides the cryptographic services available through NICI.
NICI's Top Features and Attributes
Developers the freedom from having to include cryptographic code in their products.
A dynamically bound cryptographic library that delivers controlled cryptographic services to your applications regardless of where they are used.
The ability for international applications to receive expedited U.S. export approval.
Integrity of key management.
An infrastructure supporting key escrow in future releases.
A uniform cryptographic services API.
Network security services built on NICI.
Why Care About NICI?
NICI is the foundation for future network cryptographic services. It:
Ensures that your product complies with international cryptography import and export laws through enforced region-specific cryptographic policies
Provides for single, worldwide commodity vendor products
Supports extensible, application-specific cryptographic libraries and interchangeable cryptographic technologies.
The Novell international cryptographic infrastructure is the foundation for future network cryptographic services. It ensures compliance with International laws on import and export of cryptography through enforced region-specific cryptographic policies; providing for single, worldwide commodity vendor products; and supports extensible, application-specific cryptographic libraries and interchangeable cryptographic technologies.
It has been the case in the past that applications had to provide their own services if they wished to employ cryptography. Because of the way the Novell cryptographic services are designed and will be provided via a standard SDK, application vendors can take full advantage of the services without having to incorporate cryptography in their applications. They can ship just one version of their product world-wide, instead of having multiple versions to accommodate the many and varied national cryptography policies. Novell will assure compliance with international laws and export requirements leaving application developers free from these concerns.
Secure Authentication Services
Authentication is a fundamental component of a robust network service it is how you identify yourself. Without authentication, you cannot secure a network. Novell's Secure Authentication Services (SAS) provides next generation authentication services, as well as evolving industry authentication mechanism for the future. In NetWare 5, SAS provides Secure Sockets Layer (SSL) support. Server applications use the SAS API set to establish encrypted SSL connections.
SAS's Top Features and Attributes
SAS is built entirely on NICI. This means:
The SAS service itself is based on a single executable file. Because there is no cryptography included in the SAS NLM, you can ship a single NLM world-wide. This provides easy administrator management and tracking. Also, any applications written to the SAS API can also be based on a single executable file.
Applications written to the SAS application can go through a one-time and usually expedited export approval process. Novell has already received export approval for SAS and NICI. This means that application developers benefit with expedited export procedures.
PKIS provides key management for the SSL services. Any application written to the SAS interface inherits the ability to have PKIS manage its certificates. NDS Access Control Lists (ACLs) manage access to the private key that enables SSL. Because SAS is a network service, it has its own network identity. ACLs are set up on the SSL key object in such a way that allows only the SAS identity to read the private key. This guarantees that non-authorized entities such as users, other server applications, and even the application built on top of SAS cannot gain access to and expose or subvert the private key.
Why Care About SAS?
Authentication recognizes and protects the end-user. It is how people and things identify themselves. So, without authentication, you cannot secure your network. SAS security properties are attributed to it running on the network inside of the NetWare 5 security boundary. Because SAS is a service, not a library, applications do not have access to the protected authentication materials or the users' secrets. It also provides worldwide exportable cryptographic services for authentication.
What is Audit?
The audit system helps you to accurately monitor and record users' access to network resources.
The audit system now takes advantage of exposed NDS audit services in the following ways:
Audit log files are represented and managed as NDS objects.
The access to the audit information and configuration is controlled by the standard NDS rights.
Auditing is configured at the container and volume levels.
The audit policy for a container or volume specifies what is audited within the volume or container and which users are audited.
Audit's Top Features and Attributes
The ability to assign independent auditors that are separate and distinct from administrator privileges.
Distributed and replicated audit information.
An ability for multiple auditors.
A high granularity of auditable events, to the user level.
An auditing system that the auditor can configure to meet company policies.
New audit events added for NetWare 5 (for example, SSL connections).
Exportable audit data for use by reporting programs.
Why Care About the Audit System?
The audit system is an essential element of the total NetWare security environment. You must have network audit integrity to ensure that the network is secure. Additionally, some industries like banking require auditing to be done as part of business operations. The NetWare auditing system can monitor and record every relevant network transaction, which user performed the transaction, and when the transaction occurred.
NetWare provides the highest level of audit data granularity. This includes:
Which events are audited
Control of audit configuration
Access to audit data
Novell's Public Key Infrastructure Services, Novell International Cryptographic Infrastructure, Secure Authentication Service and Audit components help you take advantage of NetWare 5's secure environment to develop applications requiring extremely high levels of security, data integrity and privacy.
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.