When the first version of BorderManager shipped, it set the standard for network operating system firewalls. When BorderManager 3.6 shipped at the end of 2000, it set the standard for stealth marketing. It's been out for over two years now, and you almost never hear of BorderManager in the same breath as competitors such as Microsoft’s ISA Server.
Novell hasn’t completely forgotten about BorderManager. Just after Novell’s BrainShare 2002 conference this year, Novell released BorderManager 3.7, a much needed release that addresses many issues in what appeared to be an orphaned product. I’ll give you a heads-up about the new features and options you’ll find in BorderManager 3.7. With this information, you can decide whether BorderManager 3.7 can fill your needs.
3.6 to 3.7? Can’t be much to it
Novell’s decision to name the new version BorderManager 3.7 may confuse you. The .1 increment can lead you to believe that BorderManager 3.7 is just a minor upgrade or bug fix release to BorderManager 3.6. Nothing’s further from the truth. Novell improved almost all features of BorderManager 3.6 and added new features. Key areas where you’ll notice improvement are:
- VPN enhancements.
- Browser-based packet filter configuration.
- Controlling access to the Internet.
- Protecting your Web server from infection.
This version of BorderManager addresses a problem that Novell and other VPN vendors had experienced with Windows Me—the lack of a full IP stack that would support VPN operations. In Microsoft’s opinion, Windows Me wasn't a "business" OS, and home users didn’t need to have an IP stack that would support VPN use.
To get around this omission, Novell included Novell’s International Cryptographic Infrastructure (NICI) software in its BorderManager 3.7 client to encrypt connections between clients and servers. When the new VPN client is installed, BorderManager will automatically install NICI if it isn’t already on the workstation.
The most significant change to the VPN client is the inclusion and integration of a personal firewall. Encryption on the VPN client protects the communication between the workstation and the network. The network’s firewall prevents the network from being hacked. However, without a firewall on the workstation, the potential exists for the client to be hacked, ultimately allowing the unwelcome intruder an open connection to your corporate network through the unprotected workstation.
Even though BorderManager 3.7’s marketing literature says the personal firewall is included with BorderManager 3.7, you won’t find it. Due to a last-minute glitch between Novell and Norman, the contract to include Personal Firewall wasn’t signed in time for the Personal Firewall feature to be included in the box with BorderManager 3.7. It will be included later, and you’ll be able to download it from Novell’s download page.
Browser-based packet filter configuration
One of the less flexible parts of configuring BorderManager has been setting up packet filters or packet filter exceptions. You’ve either had to be at the server or accessing the server’s console using RConsole. No longer. With BorderManager 3.7, you can set up or modify packet filters through a Web browser interface. You can be just about anywhere on your network and make the needed modifications to which packets are or aren’t allowed onto the network. All you have to do is fire up a Web browser on a workstation.
Just as significant to the change in working with packet filters is how the information is stored on the server. In previous versions of BorderManager, the filters you created were stored in text files so the information was easily corrupted or viewed. BorderManager 3.7 now stores information about packet filters within NDS itself, making the loss or corruption of the information much less likely.
Novell has improved BorderManager’s upgrade process when it comes to moving filter information. After installing BorderManager 3.7, reboot the server, type filtsrv migrate at the server console prompt, and press [Enter]. This command moves the IP filters and exceptions from the files in SYS:ETC over to NDS.
Creating filters in BorderManager has always been part science and part art. Not anymore. When you select which services will be used on the server, BorderManager will create explicit exceptions instead of the blank ones that earlier versions of BorderManager created.
BorderManager 3.7 uses stateful filter exceptions on all outbound traffic. Stateful filters only allow traffic into the network from the outside when there is a matching transaction that first allowed that traffic to go out. This makes BorderManager 3.7 a little tighter to prevent open ports from being detected by hackers performing port scans.
Controlling access to the Internet
On earlier versions of BorderManager, you had to use access rules and either client trust or SSL to control access by user name to the Internet through BorderManager’s proxy. If you used SSL, you had to implement Novell’s Certificate Server to distribute certificates to the clients. BorderManager 3.7 now gives you the option to use a publicly minted certificate from recognized providers such as Entrust or Verisign.
This process means less work for you since the browser you're using should automatically recognize the certificate as being from a trusted CA. The browser will work without requiring you to import the certificate into the local certificate store on each workstation that goes through BorderManager’s proxy server.
BorderManager 3.7 gives you more control over how your users access the Internet from your network. Depending on how tightly you want access controlled to the Internet, you can either continually review the access logs and lock out the sites where users shouldn’t be going, or use a service that will allow you to block access to sites.
The problem with using a service is that the list of sites you're trying to block access to is only as good as the last time you updated the list. In previous versions of BorderManager, you could use CyberPatrol to block sites, but updates were only available on a weekly basis. With BorderManager 3.7, you have the option of using SurfControl (which now owns CyberPatrol). SurfControl’s updates are provided on a daily basis, with 23 more categories and over a million URLs now capable of being blocked.
SurfControl doesn’t come as a part of BorderManager 3.7, but it runs with it. If you want to try SurfControl before you buy, you can install the evaluation version of SurfControl from the BorderManager CD. You can put SurfControl through its paces for 45 days before you have to make a decision to purchase or remove it.
Protecting your Web server from infection
A feature that was quietly added to BorderManager 3.6 with Service Pack 2a has been included in 3.7 as a standard feature—the ability to block virus requests coming into your network and going to Web servers that are handled by the HTTP Accelerator function. Initially released to handle the Code Red virus, this function has been labeled Virus Request Blocking. It looks for signature patterns in the incoming traffic and stops the process in its tracks.
An attractive feature of the Virus Request Blocking service is that you can update it without having to take down BorderManager’s proxy service. You can enter updates without the users having to do without the Internet for even a few minutes.
Run for the Border(Manager)
From conversations I've had with the BorderManager Product Manager, Scott Jones, I think it is safe to say that this isn’t the last update and feature change that you will see with BorderManager. Unlike BorderManager 3.6, which has been around forever, Novell is planning on updating BorderManager more often in the future.
With requests for new features from current Novell customers, I think you can expect a major service pack, or more appropriately named enhancement pack, for BorderManager late this year. Because Novell is paying more attention to BorderManager, adding new features, and addressing the needs of users better than ever, BorderManager 3.7 and future updates are again worth consideration for network administrators wanting to control access between their networks and the Internet.