Adding Biometric Authentication to NetWare
- 17 July, 2000 12:01
FRAMINGHAM (07/17/2000) - With a seemingly endless stream of Internet virus attacks and highly publicized security breaches, security concerns are paramount for enterprise network managers. And most companies fear attacks more from inside the firewall than outside.
Stringent password policies coupled with diligent auditing will certainly help, but for many organizations that's just not enough. New developments in biometric devices offer an extra measure of protection but also bring an added administrative burden.
Novell Inc. has tossed its hat into the enhanced security fray with the introduction of its Novell Modular Authentication Services (NMAS) product. NMAS works with Novell Directory Services (NDS) to augment normal user-authentication and system-resource access processes. NMAS supports a variety of biometric devices, smart cards and token generators. It uses graded, or multilevel, authentication to establish access rights based on administrator-defined authentication sequences.
While the product is a bit tedious to install and administer, if you are looking to take these extra security measures in your NetWare environment, NMAS certainly can help you secure your network.
Before you install NMAS you'll want to read the documentation and make sure you have all the required system software versions in place. Minimum requirements include NetWare 5.0 or later (Support Pack 4 for NetWare 5.0 must be installed), NDS eDirectory Upgrade for NetWare 5.0, ConsoleOne 1.2c on the NMAS server, Version 1.5.3 or later of the Novell International Cryptographic Infrastructure (NICI) software and Novell Certificate Server 2.0.2 or later.
All of the required updates are included on the NMAS CD.
Any workstation that will use the NMAS client software must be a Pentium Pro 200-MHz or better with 64M bytes of memory running Windows 95 Release B or later, Windows 98, Windows NT 4.0 with Service Pack 3 or later or Windows 2000.
One annoyance during our installation occurred when we tried to update the NICI software from the NMAS CD and found it was an export (56-bit) version. The installer wouldn't let us go from an older strong encryption version to a newer, weaker version. To fix the problem, we downloaded the strong version from Novell's Web site.
During the installation, we ran into several problems that turned out to be a hardware failure of our 10/100M bit/ sec Ethernet switch. When we changed the switch and reran the NMAS server install, we realized the previous attempt never completely installed but didn't give any indication of a problem. Novell is using a new Java-based install program with this product and acknowledged there's work to be done in the error checking and recovery department.
Another nuisance we discovered is that once you install NMAS, it will, by default, no longer pass the Novell user name/password pair on to a Windows 95 or 98 client. That means you'll have to type your password in again unless you change the client setting. To do this, you must right-click on the big red "N" in the system tray and select Novell Client Properties. Then choose the location profiles tab, select the default profile, and click on the properties button. This opens another dialog box where you must again click on the properties button. Finally, a Novell logon dialog box with multiple tabs appears. Select the credentials tab and check the enable password box to have NMAS send the NetWare password on to the Windows client.
Each workstation that uses one of the alternate authentication methods must have the NMAS client software and appropriate client logon method components installed. It must also have the latest NetWare client software installed.
Configuring individual users to use the different logon methods can be a tedious process. First, you must assign each user to a specific logon method.
If you're using the fingerprint method you must also enroll each user's fingerprint, although this can be done the first time they log on. Next, you establish clearance levels that the user will be allowed to select using combinations of password, token and biometric. Finally, you must establish the trustee assignments based on a clearance level.
Establishing the proper clearances and logon sequences for a group of users requires you to select each user individually and make appropriate changes.
With this release of the NMAS module for ConsoleOne, there's no way to make those kinds of changes in bulk. It is possible to let users register their fingerprint the next time they logon and to set their default logon, but assigning clearances and giving multiple users access to resources with NMAS protection must be done manually.
Once we got everything installed and configured, the system worked as advertised. We were able to access resources depending on what method we used to log on.
We created a new user and assigned a biometric setting plus a password as the primary logon method. We then added the user to the "sales" volume access list when using the sales logon sequence. We also added the user to the access list for a volume named "research" when using the research logon sequence. To verify the access controls, we logged on using each sequence and confirmed the user could only access the proper volume based on the logon sequence used.
Novell offers users a handy way to change logon methods. The normal NetWare logon screen has an advanced tab for displaying things like NDS Tree, context or preferred server. With NMAS there's a new tab that lets you select which logon sequence you'd like to use. A browse button brings up a list box showing all the available methods for you to choose. The next time you log on it will remember your last method and use the same one unless you change it.
As for the documentation, it is a fairly short book with just the bare necessities. It's enough to get you started but not much more.
Stronger security methods have become essential for many organizations.
Novell's NMAS solution works specifically in a NetWare environment where you are authenticating to a NetWare server. While NMAS is a little tedious to install and configure, it definitely provides an extra level of security you don't get with standard NetWare.
Ferrill is a principal engineer for Avionics Test and Analysis at Edwards Air Force Base, Calif. He can be reached at firstname.lastname@example.org.