Securing your enterprise is always challenging, but today it seems like a hopeless task. Some days you don’t even know whether your worst threats are inside or outside of your organization.
Of course, the biggest targets for attackers of either ilk are the “superuser” accounts, which offer the highest possible degree of access to the system and almost unlimited power over applications and data. Once the superuser (whether it be known as root, Administrator, or admin) account is compromised, your business has a problem as serious as a CFO flying to Brazil in the middle of the night.
For protecting superuser and other sensitive accounts where “hardened” authentication makes sense, Novell Inc. NetWare shops have some new options, thanks to the release of Novell Modular Authentication Service (NMAS) 1.0.2 Enterprise Edition.
NMAS includes client- and server-side components that allow developers to adapt their products quickly to work in a NetWare environment, while making it easy for IT departments to deploy more secure authentication methods. From a functional standpoint, NMAS is excellent, but implementation issues and costs led us to give NMAS a final score of Good.
The main drawback to implementing alternative authentication methods with NMAS is the expense. At US$49 per user for the software components, it’s easy to see why a blanket rollout of NMAS might be a hard sell to the budget committee. Hardware costs will present another obstacle to widespread acceptance.
As an example, Novell supplied us with two vendors’ authentication products: Key Tronic’s F-Scan fingerprint reader (managed by Identix BioLogon software) and Vasco Data Security’s Digipass 300 handheld token. The Key Tronic reader we tested retails at $119.99 and the Vasco token at $51.50; multiply these prices by a thousand and you have a serious chunk out of anyone’s budget.
Unfortunately, and we’ve said this before, good security isn’t cheap. But if you’re vulnerable, the cost of not having adequate security can be even greater. Because you don’t have to license NMAS for every user in your tree, you can focus on those users who are handling sensitive material or whose privileges, when misused, can bring about disaster.
NMAS runs on NetWare 5.x servers, but plan on a lot of prep work for each server. Even NetWare 5.1 installations will require upgrades to the cryptographic and public key infrastructures, so be prepared to reboot your server three or four times before you’ve finished setting up NMAS.
Although installing NMAS could be less complicated, we were relieved to find that NMAS is simple to use. Using ConsoleOne, we created log-in and security policies, assigned various security requirements to users and data volumes, and then applied them as if we were the users. All of this information is stored in the NDS database, which in a production environment is replicated among multiple servers.
From the user’s perspective, the first noticeable difference is the lack of a password field in the NetWare log-in box; the user enters his or her ID and the client passes the information to a server running NMAS. Using the NMAS information stored in the NDS directory, the client then runs through the log-in sequences as previously established by the administrator. The user can also change the authentication grade in the middle of the Windows session by logging in under the new grade from the NetWare Services icon in the System Tray.
After using NMAS and combinations of the fingerprint, password, and token methods, we’re sold on fingerprints. Fingerprint readers are faster than typing a strong password, and, unlike tokens, fingerprints are very difficult to misplace. Nor do fingerprints expire the week before users go on vacation, practically guaranteeing that when they return they’ll have forgotten how to log in to the network. The time you save on password changes may not completely pay for an all-fingerprint shop, but your users will appreciate the additional ease of use.
NMAS isn’t perfect, and it’s too expensive for organizations to consider applying as an across-the-board solution. But if you need to provide better-than-password protection to your most powerful user accounts, this may be what you’re looking for. Bring your checkbook but remember that you’re spending money with a purpose.
P.J. Connolly (firstname.lastname@example.org) covers networking and security for the Test Center, although the two are often mutually exclusive.
THE BOTTOM LINE: GOOD
NMAS 1.0.2 Enterprise Edition
Business Case: Due to the high cost of implementation, this network security software may not be practical for everyone on your network, but it makes good sense as a way to secure the most sensitive user accounts.
Technology Case: NMAS strengthens the security of NetWare by allowing network users to log in using modern authentication devices such as fingerprint readers, smart cards, and tokens — technologies that provide much better protection than passwords.
+ Integrated user administration
+ Requires little or no user training
+ Provides plug-in framework for integrating available authentication technology into NetWare environment
– Cumbersome installation
– Expensive to implement widely
Cost: $49 per NMAS user; substantial additional charges for authentication hardware
Platform(s): NetWare 5.x; Windows 9x/2000, Windows NT desktops with Novell client software
Novell Inc., Provo, Utah; (801) 861-4272; http://www.novell.com/products/nmas.
Copyright 2000 InfoWorld (US), International Data Group Inc. All rights reserved.
Prices listed are in US currency.