A Comparison of the Security Architectures of

Microsoft Windows NT 4.0 and Novell IntranetWare 4.11

Shen Zhong, MS program in Computer Science
COSC573, Windows NT Network
Southeastern University,
501 I Street, S.W., Washington, D.C. 20024-2788


Executive Summary

Security is becoming an increasingly important consideration when selecting a network operating environment. Because security is not relegated to any single component of the system, a comparison of security in two systems is nontrivial. Security mechanisms must be designed into every component of the system and should operate together, resulting in a coherent security architecture.

Although Novell IntranetWare has historically provided a secure framework for sharing file and print resources on a network, today’s network environments must also provide for secure hosting of client applications as well as back-end applications such as databases and Web servers. The security requirements resulting from modern corporate intranets cannot be met by the IntranetWare architecture.

Windows NT® provides not only a secure server platform, but also a secure client workstation. Both provide a secure platform for hosting applications and a complete suite of security functionality, while providing the architectural flexibility to meet today’s intranet and Internet requirements.

Slide2: A Comparison of the Security Architecture of Microsoft Windows NT 4.0 and Novell IntranetWare 4.11


This paper presents an overview of the network architectures, followed by an analysis of the security features of the two platforms as viewed from the following perspectives:



  • Network client

  • Network file server

  • Network enterprise application server


Slide3: Architecture Overview


Windows NT Servers and Windows NT Workstations have the same security architecture and a similar set of security features. As a result, the Windows NT-based network of workstations and servers is a network of peers.

Windows NT offers a fully distributed security model in which every user or process has to be authenticated and every object can have access controls applied to secure it. The Windows NT kernel ensures that only appropriately authenticated users can get access to objects for which they have rights and privileges.

The IntranetWare architecture implements a straightforward client-server paradigm: The client makes requests to the server, and the server carries out the request and returns the results to the client. In the IntranetWare design, the client and servers were intended to be physically separate machines. At the time this architecture was implemented, applications typically ran on the client machine, while the server allowed these applications to safely share file and printer resources.

Because IntranetWare functions as a server only, and not as a client workstation, the functionality provided at the server is generally not the same as that at the client workstation. The security functionality provided at the client will depend on the client workstation that is selected.

Slide4: The Network Client Workstation Architecture

Windows NT Workstation uses virtually the same platform and software base as Windows NT Server. Users are identified and authenticated before any access to system resources is granted. Subsequent accesses to resources are controlled using Access Control Lists, which allow the owner to specify exactly who may access the object and what type of access is allowed.

identity of the user.

Windows NT Workstation allows untrusted applications to run without threat of corrupting the operating system or other applications.

The operating system exists in a separate execution domain that applications cannot enter. When services are needed from the operating system, applications make requests using well-defined programming interfaces. These interfaces allow the operating system to control which users receive access to system services.

IntranetWare is a server operating system and does not include client software. Nor does Novell provide a client operating system. The IntranetWare network integrator is responsible for selecting or developing an appropriately secure client.

The problem of designing your own secure workstation to communicate with the IntranetWare network is a difficult one. As previously stated, the workstation must be able to perform authentication of the user, protect the passwords, provide access control on client resources, protect the security kernel, prevent applications from interfering with each other, and perform audit. In a white paper published by Novell1, several alternative architectures are presented. Some are based on reducing the security functionality of the workstation itself, while others are based on the use of specialized hardware added to the workstation.

The Sistex workstation provides security by acting as a security kernel—it intercepts all references to files and devices. This allows it to provide access control over these resources. The operating system essentially runs as an application on top of the Sistex kernel, in the same address space as other applications. Consequently, there are no facilities for protecting the operating system from erroneous or malicious applications, nor is there any access control over operating system resources (for instance, memory, programs).


Slide5: Network Client Workstation Security Requirements (1)

Windows NT Workstation requires username/password authentication before a user can gain access to any system resource. Passwords are stored in encrypted form in Windows NT. Windows NT uses a challenge-response mechanism for peer authentication so that the passwords never cross the network in the clear.

Windows NT also provides a powerful set of facilities for administering strong passwords, including tools to enforce password aging, length, and history. Windows NT Workstation can also be set up to restrict specific individuals from physically logging on to the network and restrict usage to specific times of the day (for example, groups of people can be forced to log on to particular workstations only during certain hours).
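As an added illustration (not code from the paper or from either product), the following Python sketch shows the challenge-response pattern the paragraph describes: the server sends a fresh random challenge, the client answers with a keyed hash over it, and only the challenge and the hash cross the wire. The `Server` and `client_respond` names, the key derivation and the sample user are constructed for this example; the real NT 4.0 protocol is not reproduced.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed example: the verifier holds a key derived from the password,
# never the password itself; the wire carries only (nonce, response).


def derive_key(password: str, salt: bytes = b"example-salt") -> bytes:
    """Hypothetical password-to-key derivation (not NT's own hash)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class Server:
    def __init__(self, users: Dict[str, bytes]):
        self._users = users                 # username -> stored key
        self._pending: Dict[str, bytes] = {}  # outstanding challenges

    def challenge(self, username: str) -> bytes:
        nonce = secrets.token_bytes(16)     # fresh per logon attempt
        self._pending[username] = nonce
        return nonce

    def verify(self, username: str, response: bytes) -> bool:
        nonce: Optional[bytes] = self._pending.pop(username, None)  # single use
        key = self._users.get(username)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(password: str, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the password without sending it."""
    return hmac.new(derive_key(password), nonce, hashlib.sha256).digest()


def demo() -> Dict[str, bool]:
    server = Server({"alice": derive_key("correct horse")})
    nonce = server.challenge("alice")
    resp = client_respond("correct horse", nonce)
    results = {"genuine": server.verify("alice", resp)}
    # A sniffer who captured (nonce, resp) cannot reuse resp against a new challenge.
    server.challenge("alice")
    results["replay"] = server.verify("alice", resp)
    # A wrong password yields a wrong response for the current challenge.
    nonce3 = server.challenge("alice")
    results["wrong_password"] = server.verify("alice", client_respond("guess", nonce3))
    return results
```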


A Sistex client workstation provides authentication based on username and password. The password is used to create an encrypted session key, which is passed over the network to the server for authentication. The password is not safe from compromise while in memory on the workstation, because system memory is not protected by the operating system. As a result, facilities for removing the password from memory are provided.

The workstation does not provide strong password enforcement, lockout, and so forth. Instead this is provided by the server.


Slide6: Network Client Workstation Security Requirements (2)

The Windows NT security kernel is protected from applications using the concept of execution domains. Applications execute in the user domain, whereas the security kernel executes in the kernel domain.

In the Sistex Workstation architecture, the security subsystem is provided by add-on hardware and, consequently, is separate from the operating system. This design provides protection of the security subsystem that resides on the add-on security card through physical partitioning, but no partitioning of the operating system or applications.

Secure Authenticated Clients

Windows NT


Client workstations should be able to join a network securely. This will prevent a malicious user from introducing a rogue machine. Windows NT Workstations have to be authorized and share a secret with the domain controller in order to join a domain. This ensures that only authenticated clients of Windows NT can join and participate in the Windows NT domain.

IntranetWare


IntranetWare does not provide any facilities for authenticating clients on the network. All that is needed is the appropriate client software (such as Client 32), and connectivity can take place.

Secure Communications

Windows NT


The workstations need to be able to securely communicate with the servers and among themselves. This will help to defeat any hacker trying to sniff the traffic on the wire. Windows NT provides built-in cryptographic technology for secure communication.

IntranetWare


IntranetWare uses packet signing to create an unforgeable signature for every message. The signature is a combination of the workstation signature and a random number. If a message does not have the correct signature, it is discarded.
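To make the packet-signing idea in this paragraph concrete, here is an added Python example (not IntranetWare's own code or wire format): each packet carries a random number and a keyed signature over that number and the payload, and the receiver discards anything whose signature does not verify or whose random number it has already accepted. The `SigningSession` class, the 8-byte nonce and the wire layout are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class SigningSession:
    """Constructed example: signs and checks packets under a per-session key."""

    def __init__(self, session_key: bytes):
        self._key = session_key
        self._seen = set()          # random numbers already accepted

    def sign(self, payload: bytes) -> bytes:
        nonce = secrets.token_bytes(8)      # the random number bound into the signature
        tag = hmac.new(self._key, nonce + payload, hashlib.sha256).digest()[:16]
        return nonce + tag + payload        # assumed wire layout: nonce | tag | payload

    def receive(self, packet: bytes) -> Optional[bytes]:
        """Return the payload if the signature is correct, else None (discard)."""
        if len(packet) < 24:
            return None
        nonce, tag, payload = packet[:8], packet[8:24], packet[24:]
        expected = hmac.new(self._key, nonce + payload, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expected, tag):
            return None                     # wrong signature: discard
        if nonce in self._seen:
            return None                     # same random number again: discard
        self._seen.add(nonce)
        return payload


def demo() -> Dict[str, bool]:
    key = secrets.token_bytes(32)
    workstation, server = SigningSession(key), SigningSession(key)
    packet = workstation.sign(b"READ report.txt")
    out = {"genuine": server.receive(packet) == b"READ report.txt"}
    # Payload altered in transit: signature no longer matches.
    tampered = packet[:24] + b"READ other.txt"
    out["tampered"] = server.receive(tampered) is None
    # Same valid packet delivered twice: second copy is dropped.
    out["replayed"] = server.receive(packet) is None
    # Packet signed under a different session key: dropped.
    forged = SigningSession(secrets.token_bytes(32)).sign(b"READ report.txt")
    out["forged"] = server.receive(forged) is None
    return out
```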

Slide 7 & 8: Network Client Architecture Comparison

The following table summarizes the security features of the two network clients:

Slide9: File Server Architecture Comparison

The following table summarizes the security features of the two network file servers:

Slide10: Enterprise Application Server Architecture

The security architecture of an application server needs features above and beyond those discussed in the previous sections on network client workstations and file servers. Such features include:


  • The ability to protect the operating system and applications by implementing and enforcing security partitions.

  • The ability to minimize risk by allocating operating system privileges to applications with a fine level of granularity and control, resulting in the least amount of privilege given to applications.

  • The ability to extend the trusted perimeter by providing applications developers with the facilities to incorporate proven operating system security functionality into applications.

Slide11: Enterprise Application Server Architecture Comparison

The following table summarizes the security features of the enterprise application server:

Slide12 & 13: Conclusion (1) & (2)

Same as the slide.



Summary

It is clear that IntranetWare provides a secure solution for file and print server requirements, but in an enterprise network environment is limited by the inflexibility of the file server architecture. The need for a separate secure client workstation, the inability to securely host back-end applications on the server, and the lack of consistency in the overall security model make IntranetWare poorly suited for an enterprise network platform, where security is a concern.



On the other hand, Windows NT provides not only secure file and print services, but also:

  • A consistent set of security features available on both Windows NT Workstation and Windows NT Server.

  • A suite of security functionality, including cryptographic functions, that can be incorporated into applications.

  • A single set of security abstractions across the entire network, simplifying security administration.

The flexibility of the peer architecture, along with improved authentication, auditing, security partitioning, and manageability, makes Windows NT an excellent solution for secure network environments. Upon completion of the current evaluation by the NCSC, Windows NT will be the only complete out-of-the-box network system that offers full C2 level security. There are no additional components to buy or develop. Together, these features make Windows NT the choice platform for modern enterprise networks.



