Novell BorderManager® 3.7: Technical Overview

Presentation transcript:

Novell BorderManager® 3.7: Technical Overview
Novell BrainShare 2002, session TUT 246
X. Felix, Software Consultant, Novell, Inc. (xfelix@novell.com)
TV. Sriram, Senior Software Engineer (tvsriram@novell.com)

Agenda
- Novell Vision and Mission
- Novell Vision—BorderManager®
- One Net business solutions model
- New Features in Novell BorderManager 3.7 (NBM 3.7)
- Technical Overview on New Features
- NBM 3.7 New Features—Demonstration
- Question and Answer Session

Vision…one Net
Vision: A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries
Mission: To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world

Novell Vision—BorderManager
Novell Vision and BorderManager
- Security
- Scalability
- Manageability
- Reliability
- Mobility
- Quality of service

New Features in NBM 3.7
New in NBM 3.7—Firewall and Caching Service
- GUI-based firewall configuration
- Enhanced content filtering using SurfControl’s Web Filter
- Virus Request Blocking in HTTP Accelerator

New Features in NBM 3.7 (cont.)
New in NBM 3.7—Virtual Private Network (VPN) Services
- VPN Client for Windows ME
- VPN Client for Windows XP
- NICI-based VPN client

Technical Overview: Firewall and Caching Services
GUI and Novell eDirectory™-based firewall configuration
- Filter Database—moved from Text Files to eDirectory
- NBMRuleContainer—Container Object for Filter Objects
- One Object in organization for all firewalls
- Extension to more than one firewall (using ConsoleOne®)
- Service/Packet Types—Part of the Rule Container
- Sharing across firewalls
- Feature advantage
- Configure your firewall using iManager on 6 Pack

Technical Overview: Firewall and Caching Services (cont.)
GUI and eDirectory-based firewall configuration
- On 6Pack—firewall configuration can be done from iManager
- Web-based management of firewall
- Routing and packet forwarding for IP-based filters only
- Wizard-based filter configuration
- All filters through wizards

Technical Overview: Firewall and Caching Services (cont.)
- Migration
- Text file to eDirectory transition
- Default Filter Exceptions in NBM 3.7 Install
- Exceptions for forward proxies
- Filtcfg changes for eDirectory-based storage
- Optimizations for eDirectory storage and access

Demonstration: GUI-Based Filtcfg

Technical Overview: Firewall and Caching Services (cont.)
Enhanced content filtering from SurfControl Web Filter
- Enhanced category list
- Thirty categories
- Enhanced URL database
- Single General List replaces Cyber-YES and Cyber-NO list

Technical Overview: Firewall and Caching Services (cont.)

Technical Overview: Firewall and Caching Services (cont.)
Virus Request Blocking on HTTP Accelerator
- Blocks incoming virus-generated HTTP requests to web accelerators
- Only blocks viruses of the CodeRed/Nimda genre
- Command-line configuration of patterns—run virus updates from NCF files
- Performance monitoring—separate screen
- AppNote: http://developer.novell.com/research/appnotes/2002/February/02/a020202.htm

Demonstration: Firewall and Caching Services (cont.)
Virus request blocking on HTTP accelerator
- Auto-detect New Virus Requests
- Virus Requests change very often
- Plain Database Lookup fails for New Virus Request patterns
- Regular Expression Comparison is costly
- Keyword—First Heuristic Parameter for Auto Detect
  - “CMD.EXE” to detect New Virus Requests with different Directory Traversal
- Hit Count Threshold—second heuristic parameter for Auto Detect
  - Max Hit Count Threshold
  - Average Hit Count Threshold
  - Recommend Threshold
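The two auto-detect heuristics above (keyword first, then hit count threshold), sketched as an added example; this is not Novell's code or anything from the presentation. The names `AutoDetector`, `normalize` and `run`, the threshold value, the percent-decoding step, the verdict strings and the promotion of a pattern into the database once the threshold is reached are all assumptions made for illustration.

```python
from collections import Counter
from urllib.parse import unquote

KEYWORD = "cmd.exe"   # first heuristic parameter, named on the slide
HIT_THRESHOLD = 3     # second heuristic parameter; this value is assumed

def normalize(target):
    """Drop the query string, undo nested percent-encoding, fold case and slashes."""
    path = target.split("?", 1)[0]
    for _ in range(3):  # bounded passes: %255c -> %5c -> backslash
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()

class AutoDetector:  # hypothetical name, not a BorderManager component
    def __init__(self, known_patterns):
        self.known = {normalize(p) for p in known_patterns}  # pattern database
        self.hits = Counter()

    def check(self, request_line):
        parts = request_line.split()
        if len(parts) < 2:
            return "malformed"
        path = normalize(parts[1])
        if path in self.known:       # plain database lookup: cheap, exact
            return "blocked"
        if KEYWORD not in path:      # keyword first: no regex on clean traffic
            return "allowed"
        self.hits[path] += 1
        if self.hits[path] >= HIT_THRESHOLD:
            self.known.add(path)     # assumed behaviour: promote to the database
            return "learned"
        return "suspect"

# Constructed sample request lines (not from the presentation).
SAMPLE = [
    "GET /index.html HTTP/1.0",
    "GET /default.ida?NNNN HTTP/1.0",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%5c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0",
    "GET /scripts/..\\../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
]

def run(lines=SAMPLE):
    detector = AutoDetector(["/default.ida"])
    return [detector.check(line) for line in lines]
```

The three differently encoded traversal requests miss the database lookup, are caught by the keyword, and count toward the same normalized pattern; the third hit promotes it, so the repeat on the last line is blocked by plain lookup.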

Demonstration: Firewall and Caching Services (cont.)

Technical Overview: VPN Client for Windows ME
Advantage
- Windows ME users can now securely access the corporate network through the NBM VPN server

Technical Overview: VPN Client for Windows ME (cont.)
Challenges
- Windows ME uses the TCPIP stack from Windows 2000, which made the VxD table hooking technique fail
- Windows ME uses a monolithic PPPMAC driver, which makes it difficult to interface with the Intermediate Driver (IM) concept
Solution
- The solution uses the PELDR hooking technique, which hooks the PE table from which TCPIP gets its NDIS entry points
- The driver is a Pseudo Intermediate Driver (PIM)

Technical Overview: VPN Client for Windows XP
Advantage
- A large number of users run Windows XP, and they can now securely access the corporate network through the NBM 3.7 VPN server

Technical Overview: VPN Client for Windows XP (cont.)
Challenges
- Windows XP is the successor of Windows 2000
- Windows XP is strict in checking IRQL
Solution
- The VPN Client on Windows XP is an intermediate driver based on the VPN client’s architecture on Windows 2000
- Removed some unwanted spin locks, which raise the IRQL

Technical Overview: NICI-Based VPN Clients
Advantage
- NICI does not have export restrictions, whereas BSAFE (used in earlier versions of the NBM VPN Client) does
- Using NICI for encryption makes it possible to have a single VPN client worldwide

New VPN Client

New in NBM 3.7 Install
- Default Gateway configuration
- Delete GATE from IP Bind Line of Inetcfg
- Licenses for all services installed
- Upgrade requires activation key
- Default Filter exceptions
- More than one interface and at least one public interface
- Default DENY All from and to public interface
- Filter Exceptions created only for the selected Proxy Services

wiN big: visit the Access and Security table in the one Net solutions lab to obtain an entry form