If you want to connect your network to the Internet, you must deploy some type of firewall to keep out hackers. As a NetWare administrator, your first choice for a firewall solution is Novell’s BorderManager 3.7. You can run it on your existing NetWare servers, and you don’t have to worry about learning a new platform. In this Daily Drill Down, I’ll show you how to install and configure BorderManager 3.7.
BorderManager
BorderManager is Novell’s firewall solution for NetWare 5.x and NetWare 6. For more information about BorderManager 3.7, see the Daily Feature “What’s new in BorderManager 3.7?” If this is the first time you’ve worked with a firewall of any kind, don’t rush into installing BorderManager without some advance planning. The Daily Feature “Prepare your system before installing BorderManager 3.7” will give you the guidance you need. For the purposes of this Daily Drill Down, I’ll assume that you’re already running NetWare 5.x or 6 and that you’ve applied all of the latest support packs to it. We’ll focus on a two-network-card configuration, assuming that your NetWare server currently has only one network card installed.
Install a second network card
When you first configured your NetWare server, it probably had only one network interface card (NIC), but it’s best to have at least two network cards in your server when you want to use it as a firewall. This lets you use separate cards for your public and private interfaces. A single card handling both interfaces can be quickly overwhelmed by network traffic. Therefore, begin by turning off the server and installing the second network card.
When you’ve installed the second card and restarted the server, one of the first screens you’ll see gives you a choice of drivers to install for the new network card. If NetWare can’t identify the card, you have the option of manually installing the appropriate drivers from a disk. Don’t panic if you don’t have a driver disk right at hand. You can install the drivers later using Novell’s Inetcfg utility. When installing the drivers on the server, you may need to enter a few pieces of information, such as the slot the card is in, the I/O port, and the interrupt the card is using.
When you’ve loaded the network card drivers, you need to decide which network card will be public (connected to the external network) and which will be private (connected to the internal). Because you’ve already been using the first network card in the server to communicate with the network, for simplicity’s sake it’s a good idea to make it the private card. Configure the newly installed card to be the public card.
Setting TCP/IP in Inetcfg
Next you need to assign a TCP/IP address to the public card from one of the pool of addresses provided by the ISP. You can do this using Inetcfg. When you assign the TCP/IP address of the public card in Inetcfg, you should also enter other information about the card. You must enter the default route that tells the server where to forward the traffic that isn’t local for it. In most cases, the default route will be the next hop at your ISP.
You need to enable Network Address Translation (NAT) to let BorderManager map packets coming in from the Internet to the TCP/IP addresses of the internal workstations. Using NAT avoids some of the problems with proxy servers by letting programs communicate directly with external resources.
To enable NAT, start Inetcfg. When the Internetworking Configuration menu appears, select Bindings. Next, select the public card. When the Group Bindings screen appears, select TCP/IP and press [Enter]. Next, select Configure TCP/IP Bind Options and press [Enter]. Then, select Expert TCP/IP Bind Options and press [Enter]. When the Expert TCP/IP LAN Options screen appears, select Network Address Translation and press [Enter]. Change the status from Disabled to Dynamic Only. Press [Esc] repeatedly until you back out of Inetcfg. Inetcfg will prompt you to save the configuration. Select Yes and press [Enter]. Once you’ve completely exited Inetcfg, type reinitialize system at the console prompt and press [Enter] to make your settings take effect.
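An added illustration, not part of the original article and not Novell code: a simplified Python model of what dynamic (many-to-one) NAT does on the public card. Internal hosts get a mapping when they open an outbound connection, and inbound packets that match no mapping are not forwarded. The DynamicNat class, addresses, and ports are constructed for the example.

```python
# Added illustration: simplified model of dynamic (many-to-one) NAT.
# All addresses and ports are constructed sample values.
from itertools import count


class DynamicNat:
    def __init__(self, public_ip, first_port=50000):
        self.public_ip = public_ip
        self._ports = count(first_port)  # next free public-side port
        self._out = {}  # (priv_ip, priv_port, dst) -> public port
        self._in = {}   # (public port, dst) -> (priv_ip, priv_port)

    def outbound(self, priv_ip, priv_port, dst_ip, dst_port):
        """Translate a packet leaving the private network, creating a mapping if needed."""
        dst = (dst_ip, dst_port)
        key = (priv_ip, priv_port, dst)
        if key not in self._out:
            port = next(self._ports)
            self._out[key] = port
            self._in[(port, dst)] = (priv_ip, priv_port)
        return (self.public_ip, self._out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, pub_port):
        """Translate a packet arriving on the public card, or return None (dropped)."""
        return self._in.get((pub_port, (src_ip, src_port)))


def demo():
    nat = DynamicNat("203.0.113.10")
    # Two workstations open connections to the same external web server.
    a = nat.outbound("192.168.1.20", 1025, "198.51.100.5", 80)
    b = nat.outbound("192.168.1.21", 1025, "198.51.100.5", 80)
    # Replies match an existing mapping and reach the right workstation.
    reply_a = nat.inbound("198.51.100.5", 80, a[1])
    reply_b = nat.inbound("198.51.100.5", 80, b[1])
    # An unsolicited packet from another host matches no mapping.
    probe = nat.inbound("198.51.100.99", 4444, a[1])
    return a, b, reply_a, reply_b, probe


if __name__ == "__main__":
    for item in demo():
        print(item)
```
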
Installing BorderManager
You’re now ready to get down to actually installing BorderManager. Insert the BorderManager CD into the server’s CD-ROM drive. Depending on how busy your server is, a message may pop up on the console screen indicating that a new device has been detected. This is the server’s way of saying that it has sensed a CD in the CD-ROM drive. Type CDROM and press [Enter]. This will load the necessary modules so that you can access the CD as a mounted volume and automatically mount the BorderManager CD.
BorderManager’s installation is a little different from what you may have done in the past when installing other Novell products. You don’t install BorderManager from NWconfig. Rather, you do everything via the X-Server graphical console. Assuming that the X-Server is already loaded, press [Ctrl][Esc] and select the X-Server Graphical Console. If the X-Server console isn’t loaded, type startx at the console prompt and press [Enter].
When you get to the GUI, click Novell | Install. You’ll see a screen showing the currently installed options. Click on the Add button and browse to the root of the CD (this should show as BM37). Click on the OK button to proceed. You’ll see a screen indicating that Install is copying files from the CD.
When the Welcome screen appears, click on the Next button to continue. Insert the BorderManager license floppy into the server’s floppy drive. Review the license agreement and click on the I Agree button to proceed. The next screen will show the services you can install from the BorderManager CD.
BorderManager 3.7 has three components that you can install: Firewall/Caching services, VPN Services, and Authentication Services. For the purposes of this Daily Drill Down, we’re going to install only the Firewall/Caching services. Remove the check marks from the VPN and Authentication boxes, and click Next to proceed.
Install will quickly access the server’s floppy drive to get the needed licenses. You should see a pop-up screen advising you to create a separate volume for the caching functionality of BorderManager. For testing purposes, it’s okay to have the caching occur on the same volume that BorderManager is installed on. When you’re in production or you have a fairly large user base going through BorderManager, handling the caching in a separate volume can help with performance. Click OK to acknowledge the pop-up screen.
An NDS authentication screen will appear next. Enter the admin or equivalent username with rights to the root of the tree, password, and context where the username resides. Click on the OK button to proceed. Once you’ve been authenticated to NDS, you’ll be taken to a BorderManager Services Installation screen. On this screen, you’ll select which network card will be the public card and which will be the private card.
Once you’ve selected your public and private cards, the check mark beside the box that says Set Filters to secure all Public interfaces changes from gray to black. Unless you’re very well versed in doing packet filter exceptions (which allow Internet traffic to access your private network), leave this box checked. You may have to grant some exceptions in application-specific situations, but by putting default filters in place, you’re making it harder for a hacker to get past the firewall and into your network. Verify that the default gateway TCP/IP address shown is the correct one. Click on the Next button to continue.
The next screen that you’ll see asks you to specify the filter exceptions you want to install. In this case, we’re putting the firewall into place on a new network that hasn’t had a firewall before, and we don’t want to inconvenience users while it’s being set up. Check HTTP Proxy, HTTP Transparent, and Telnet Transparent to set up some basic filter exceptions. When the firewall first comes up, users will be able to get out because the HTTP Transparent service we’re using doesn’t require their browser to be reconfigured in order to get through the firewall. As you put access controls in place over time, you can configure workstations to go through the HTTP Proxy. Finally, leaving Telnet Transparent enabled lets you avoid making configuration changes to the router until you become more fluent in BorderManager configuration. Click on the Next button to continue.
On the next screen, notice that Enabled Access Control is selected by default. This will immediately block all users’ traffic until you set up the access rules. Because we don’t want to interfere with user access until we have things ready to go, uncheck this box. You can always enable the access rules later by using NetWare Administrator. For now, clearing this check box gives you a chance to bring BorderManager up with a temporary access rule that allows all outbound access. Click on the Next button to continue.
On the next screen that appears, you’ll need to verify that the correct Internet domain name is shown. Click Next to continue. The next screen will show the TCP/IP address of the DNS servers that this server will check. After verifying that the DNS addresses are correct, click Next to continue.
Finally, you’ll see a Summary screen indicating that Install is ready to start copying BorderManager 3.7. Click on Finish to copy the files from the BorderManager CD to the server. After the files have been copied, the NDS schema will be extended to enable BorderManager to read and write information to NDS. Once the installation is complete, you’ll be asked to reboot the server. Click on the Reboot button to finish up the process.
Wrapping it up
At this point, you have a functioning firewall at a very basic level. The next thing to do is to go into NetWare Administrator and create the access rules that will determine which sites users can and can’t access. As you find applications that don’t work, you’ll need to enable additional proxy services. There’s an abundance of documentation on Novell’s Support Web site describing how to configure BorderManager for just about any possible need. You should also download and install any updates and patches for BorderManager 3.7 before rolling it out for general use.