An Indipendent Review on Novell Netware from the security point of view.
Alkmaar, 1 April 2003
Written by Daniele Muscetta
In these days everybody seems to be talking only about different Unix flavours and/or the Microsoft Operating Systems as if they were the ONLY viable platforms for enterprises.
There seems to be a quite big slice on the market that has been completely forgotten: Novell Netware. Here and there in this text I will be quoting something that Rain Forest Puppy has already written (Netware: The Forgotten OS - http://www.wiretrip.net/rfp/talks/blackhat-vegas-2002/bh2002.ppt). I did not really wanted to "steal" his words… but reading them, I had to agree on most points, and I found it to be the starting point for considerations I was already making myself, in my mind.
The reality is that Netware is common in the enterprise. It might not have such a huge market share as Microsoft does or as the different Linux or Unix variants do, but there are people using it. Moreover, even if the company (Novell) does not seem to push it too much, they do have a reliable platform, and despite of some rumors of being an old technology, they are opening more and more to "modern" technology and web-enabling this famous platform.
Just to talk in general about them, they are very strong in
the Directory Market: their eDirectory Product (the evolution
of NDS version 8) is a very reliable and scalable directory service,
according to many much more powerful than MS Active Directory
and of any other "generic"LDAP based directories. Its
main strength is the capacity to run on a variety of Operating
Systems: Netware itself, but also Linux, UNIX, Windows 2000, and
others.
Check out a couple of info about it:
http://www.novell.com/news/press/archive/2000/09/pr00099.html
http://asia.cnet.com/itmanager/productfinder/?pf_arg=0-6133362-8-20692485-1.html
Moreover, Netware 6 is now not anymore just a strong Directory,
File and Print Server.
It has now many new web-based services. The Novonyx web server
(traditional Novell HTTP Stack - based on Netscape Enterprise
Web Server) has been (nearly completely) replaced by Apache. Not
just Apache on his own, but strengthened by PERL, a PHP module,
and (not installed by default, but available for download) also
MySQL. A porting of PostgreSQL is also on its way.
Thanks to the porting effort of Ulrich Neumann (Novell DeveloperNet
SysOp - http://neumann.gne.de
), who also offers several other ported components such as LibC,
GD, PNG libraries and other open source projects on his site,
Novell takes now advantage of its unique toolkit of AMP technologies
(Apache, MySQL, PHP). They call this - guess what? - Netware AMP.
You can find here a tutorial on how to enable these technologies:
http://developer.novell.com/ndk/whitepapers/namp.htm
. Keep in mind that this tutorial does not even cover all of the
latest versions. Refer to Novell's website or to Google for other
documentation. You can also check out http://apache.proserve.nl/dist/httpd/binaries/netware
as well as http://developer.novell.com/ndk/php.htm
.
Moreover, on Novell 6 we find a TOMCAT servlet container, which
enables the development of powerful JAVA applications. This is
used by web-enabled applications provided by Novell itself, such
as the "management portal" or the Groupwise Web-Access
interface, to provide a couple of examples in that sense.
What is also noted in the previously mentioned review by RFP, is obviously that Novell is using suspect components. These are porting of OpenSource projects, or usually other Unix-derivates; just take as an example the graphical X Windows environment that is now provided on the OS, just to mention one.
Here is the point where I wanted to get to:
In this period of vulnerabilities being disclosed every minute
on Unix and Windows platforms, Novell seems not to be involved
in the life of the "security community" at all. Or at
least, not as much. It has had of course its own vulnerabilities
disclosed, and all of them have been patched or have had workarounds
described.
Still it is not actively facing the "connected world"
of the Internet, and it is mainly used only in internal networks
by those who were using it before and keep sticking with it. (I
did find a "personal" FTP site running Novell, tough,
some weeks ago - but I lost that link).
It is unclear to me if Novell is really willing to open its platform to the "Web Services" market. It could do it, and I suspect that in this period of uncertainty about Windows or Unix, it could attract loads of customers searching for a viable alternative. I am especially thinking to people who are willing to move away from Microsoft but that find Unix or Linux too difficult: I meet everyday plenty of those. They would appreciate this stable platform, which is not difficult to use and still powerful. On the other end I do not see such a strong marketing effort in that sense happening from Novell. Not that I love marketing (all of the opposite) but I would expect to see that from a commercial company.
This in my modest opinion can have two reasons: either they
just don't know how to jump on the wave and ride it, or they prefer
to keep a smaller market of consolidated customers, and not to
expose themselves too much. I would not know. We said about there
have been security holes found, but they've all been patched or
been given a workaround without too much noise. Are there maybe
more bugs, which are publicly unknown (0day)? I do not know. That
might well be. I am testing the thing, and I am waiting to be
hacked. I set up a Novell Apache webserver on the internet, were
I constantly see several attempts of shellcode execution being
performed, trying variants of known exploits valid on Unix. I
could not say if it has been compromised, but I believe not yet.
It is very difficult to determine the degree of exposure of such
a platform. It is proprietary, the code is close and jealously
guarded, and there is not enough literature about it. Also, there
are no famous foresinc tools. At least there is not as much stuff
written or developed as you can easily find for Windows or Unix.
Moreover, no one in the security community seems to be putting
the minimum effort in studying it (at least publicly).
I do suppose so far that it is a pretty safe platform, at a minimum because not much is known yet. On the other hand, if we consider the company as having had a strong security itself, such that even Kevin Mitnick had to get into their network through social engineering (http://216.26.163.62/2002/mc02_22.html ) we have to assume it was very difficult breaking in it with a technical exploit! Or maybe not, that was just the shortest path.
When you consider other aspects, Novell as a company has a history of security. Their Border Manager product, is a high-quality, ICSA certified firewall/VPN server. When it comes to auditing NDS, since old versions of Netware, it was equipped with a very intuitive and complete tool: AUDITCON, something that many NT Administrators would have always liked to have, but it is still not completely there (if not with expensive third-party solutions which can facilitate reading of NT security logs). They use since quite an amount of time RSA technology for authentication, etc. Examples are many. They also have strong partnetships with several antivirus vendors and with big players in the field of Strong Authentication and BioMetrics, other than with some companies that do report on "intrusion attempts" (only considered from the Directory Service point of view, Successful and Failed Logons, etc).
I do hope NetWare it is really rock solid. Otherwise, it's
just security through obscurity.
I do not have a steady opinion on this one subject. I am still
swinging myself in between the two opposites.
I just presented some ideas. To the readers is left the freedom
to make their own opinion about it.
Disclaimer:
All mentioned products and names are
trademarks of the respective owners.
While every effort has been made to ensure the accuracy of the
information presented here, this document is not a substitute
for competent professional advice. This information is presented
as a guide on an "as-is" basis; all warranties of fitness
for a particular purpose, either implied or otherwise are hereby
disclaimed. I am not even certified on Novell!