HP 9000 Reference Guide

HP 9000 Networking
NetWare® 4.1/9000
NetWare Client for DOS
HP Part No. J2771-90016
Printed in U.S.A. 12/96
HEWLETT PACKARD
Edition 1
Notice
Hewlett-Packard makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. This product is based in whole or in part on technology developed by Novell, Inc.
Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.
This document contains proprietary information, which is protected by copyright. All rights are reserved. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard Company. The information contained in this document is subject to change without notice.
UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company Limited. Microsoft®, MS®, and MS-DOS® are registered trademarks, and Windows is a trademark of Microsoft Corporation. NetWare and Novell are registered trademarks of Novell, Inc.
© Copyright 1996, Hewlett-Packard Company
Restricted Rights Legend
Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DoD agencies, Computer Software Restricted Rights clause at FAR 52.227-19 for other agencies.
Hewlett-Packard Co. 19420 Homestead Road Cupertino, CA 95014 USA
Printing History
The manual printing date and part number indicate its current edition. The printing date will change when a new edition is printed. Minor changes may be made at reprint without changing the printing date. The manual part number will change when extensive changes are made.
Manual updates may be issued between editions to correct errors or document product changes. To ensure that you receive the updated or new editions, you should subscribe to the appropriate product support service. See your HP sales representative for details.
First Edition: December, 1996
Preface
Introduction
NetWare Client for DOS and MS Windows Technical Reference provides you with detailed information to configure the NetWare® DOS Requester™ software, modify the NetWare Client™ configuration file, and troubleshoot client workstation error messages in order to manage client workstations on a NetWare network.
This document is for supervisors responsible for managing NetWare client workstations.
NetWare Client for DOS and MS Windows Technical Reference covers concepts and procedures for configuring and using NetWare workstation software on NetWare 2, NetWare 3™, and NetWare 4™ networks. References are made to each version of NetWare. Ignore any references which do not pertain to the version of NetWare you are connecting to.
Use NetWare Client for DOS and MS Windows User Guide for procedures and information on installation and basic client workstation setup.
Contents Overview
To configure your NetWare Client software, use the chapters as described in the following checklist.
Use Chapter 1, “Optimizing the NetWare Client Software,” to learn how to improve workstation performance by using Packet Burst™ and Large Internet Packets (LIP) and to enhance security on client workstations by using NCP™ packet signatures.
Use Chapter 2, “NET.CFG Options Reference,” to learn how to set up and modify the NetWare Client (NET.CFG) configuration file and to reference information for setting NET.CFG option parameters.
Use Chapter 3, “Command Line Parameters Reference,” to look up reference information for setting command line parameters.
Use Chapter 4, “System Messages,” to receive an explanation of each client workstation system message and a recommendation on a course of action for each message.
Documentation Conventions
This manual uses the following Novell® conventions:

Asterisk ( * )
An asterisk denotes a trademarked name belonging to a third-party company. Novell trademarks are denoted with specific trademark symbols (®, ™, etc.). An ownership listing of all (Novell and third-party) trademarks cited in a manual can be found either on the disclaimer page in the front or in a “Trademarks” section at the back of printed manuals. A trademarks list is also available in the DynaText* online documentation.

Commands
Boldface characters indicate items that you type, such as commands and options. You can use any combination of uppercase and lowercase letters. For example:
C:\A INSTALL

Delimiter Bar ( | )
In syntax examples, a delimiter bar separating two command options indicates that you can choose one of the options. For example:
–S | –R
Do not type the bar.

DOS Commands
DOS commands and command option letters are shown in uppercase letters. For example: FTPD. Because DOS is not case-sensitive, you can type DOS commands in uppercase or lowercase letters.

DOS Filenames, Directory Names, and Pathnames
DOS filenames, directory names, and pathnames are shown in uppercase letters. For example, AUTOEXEC.BAT. Because DOS is not case-sensitive, you can type these names in uppercase or lowercase letters.

Ellipses
Ellipses in syntax examples indicate that parameters, options, or settings can be repeated. For example, in the command
LOGIN SERVER1/SUPERVISOR /option...
you could replace option with any number of available options.

Emphasis
Italic type also indicates emphasized text. For example: Remember to load the driver before you install the application.

Key Names
Angle brackets surround the name of a key. For example, <Enter> corresponds to the Enter key on your keyboard. <Ctrl>+<c> means hold down the Ctrl key and simultaneously type the letter c (in lowercase, in this case).

NET.CFG File Section Headings and Parameter Settings
NET.CFG section headings and parameter settings are shown in uppercase when used as a reference item and lower case when used in syntax or working examples. For example:
[Begin example]
NETBIOS VERIFY TIMEOUT specifies how often (in ticks) NetBIOS sends a keep-alive packet to the other side of a session to preserve the session. If no packets are being exchanged on the NetBIOS session by the software that established the session, NetBIOS sends packets at regular intervals to make sure that the session is still valid.
Syntax: netbios verify timeout number
Replace number with a number of ticks.
Default: 54 (approximately 3 seconds)
Range: 4 to 65,535
Example: To make NetBIOS wait longer before sending a request-for-acknowledgment packet, you could place the following lines in your NET.CFG file:
netbios
    netbios verify timeout 1350
[End example]
Because interpretation of this file is not case-sensitive, you can type its contents in uppercase or lowercase letters.

Options
In syntax examples, braces indicate that you are required to choose one of the enclosed options. For example, the following notation means that you must include a 0 or a 1 in the command:
{0, 1}

Square Brackets
In syntax examples, boldface type enclosed in square brackets indicates command options that you can type as needed. For example:
FTP [ –D ] [ –F ]

System Response
Monospace type shows system-generated responses that appear on your workstation screen. For example:
TNVT220>

UNIX Commands
UNIX® commands are shown in boldface letters. For example, vi. Because UNIX is case-sensitive, these commands are usually lowercase. Type UNIX commands exactly as shown.

UNIX Filenames, Directory Names, and Pathnames
UNIX filenames, directory names, and pathnames are shown in italics. For example, /etc/hosts. Because UNIX is case-sensitive, these names usually are in lowercase letters. Type UNIX filenames exactly as shown.

Variables
Italic type indicates variables (descriptive item names, such as command parameters) that you replace with appropriate values. For example, in the command
FTP –F remote_host
you type the name of a computer on your network in place of remote_host.
Supplemental Documentation
The following publications provide supplemental information specifically related to the NetWare Client for DOS and MS Windows technology and software:
“The Functions and Operations of the NetWare DOS Requester 1.1,” Novell Application Notes, May 94, Vol. 5, No. 5 (Novell part no. 164-000031-005)
“Installing and Configuring Novell's Token-Ring Source Routing Drivers,” NetWare Application Notes, Oct 91 (Novell part no. 164-000030-010)
“Logging In to IBM LAN Server and NetWare from a DOS Workstation,” NetWare Application Notes, Nov 91 (Novell part no. 164-000030-011)
“Managing Memory in a DOS Workstation: Part 1,” NetWare Application Notes, Aug 92 (Novell part no. 164-000031-008)
“Managing Memory in a DOS Workstation: Part 2,” NetWare Application Notes, Oct 92 (Novell part no. 164-000031-010)
“Managing Memory in a DOS Workstation: Using Novell DOS 7,” NetWare Application Notes, Oct 93 (Novell part no. 164-000032-010)
“Migrating Ethernet Frame Types from 802.3 Raw to IEEE 802.2,” NetWare Application Notes, Sep 93 (Novell part no. 164-000032-009)
“Multilingual PC Setup with DR DOS,” NetWare Application Notes, Sep 93 (Novell part no. 164-000032-009)
“NET.CFG Parameters for the NetWare DOS Requester 1.1,” Novell Application Notes, Jun 94, Vol. 5, No. 6 (Novell part no. 164-000036-006)
“NetWare and LAN Server Client Interoperability via ODINSUP: Part 1,” NetWare Application Notes, Sep 92 (Novell part no. 164-000031-009)
“NetWare and LAN Server Client Interoperability via ODINSUP: Part 2,” NetWare Application Notes, Nov 92 (Novell part no. 164-000031-011)
“NetWare and Windows for Workgroups 3.1 Interoperability,” NetWare Application Notes, Mar 93 (Novell part no. 164-000032-003)
NetWare Client for DOS and MS Windows User Guide, Novell Publication (Novell part no. 100-001623-002)
“ODINSUP Interoperability Configurations for DOS Workstations,” NetWare Application Notes, Feb 93 (Novell part no. 164-000032-002)
“Using the DOS Requester with NetWare 4.0,” NetWare Application Notes, Apr 93 (Novell part no. 164-000032-004)
“Understanding Token-Ring Source Routing,” NetWare Application Notes, May 91 (Novell part no. 164-000030-005)
“Workstation Memory Management: Using QEMM386, 386 To The Max, and MS-DOS 6,” NetWare Application Notes, Dec 93 (Novell part no. 164-000032-012)
Contents
1 Optimizing the NetWare Client Software
  Overview
  Introduction
  Increasing Speed
    Using the Packet Burst Protocol
    Requirement for Packet Burst
    How Packet Burst Works
    When to Use Packet Burst
    Configuring for Packet Burst
    Disabling Packet Burst
    Using Large Internet Packet Functionality
    How Large Internet Packet Works
    When to Use Large Internet Packet
    Configuring for Large Internet Packet
    Disabling LIP
  Improving Security
    Using NCP Packet Signature to Improve Security
    How NCP Packet Signature Works
    When to Use NCP Packet Signature
    NCP Packet Signature Options
    Effective Packet Signature Levels
    Examples of Using Packet Signature Levels
    All Information on the Server Is Sensitive
    Sensitive and Nonsensitive Information Reside on the Same Server
    Client Workstation Users Often Change Locations
    Client Workstation Is Publicly Accessible
    Installing NCP Packet Signature
    Workstation Setting
    Server Setting
    Disabling Packet Signature
    Troubleshooting NCP Packet Signature
    Client Workstations Are Not Signing Packets
    Client Workstations Cannot Log In
    The Error Message “Error Receiving from the Network” Appears
    Third-Party NLM Programs Do Not Work
    Insecure Client Workstations Log In to a Secure Server
  Using Other Client Security Guidelines
  Additional Information
2 NET.CFG Options Reference
  Overview
  Introduction
  Creating and Modifying a NET.CFG File
    Entering Options and Parameters into the NET.CFG File
    Sample NET.CFG File
  Using NET.CFG Options and Parameters
  Using the NET.CFG Reference Pages
  Desktop SNMP Option
    Available Parameters and Values for the Desktop SNMP Option
    DESKTOP SNMP
    Asynchronous Timeout Connections
    ASYNCHRONOUS TIMEOUT number
    Community Types and Names
    MONITOR COMMUNITY [“name | public | private”]
    CONTROL COMMUNITY [“name | public | private”]
    TRAP COMMUNITY [“name | public | private”]
    Community Access Management
    ENABLE MONITOR COMMUNITY [specified | any | off | omitted]
    ENABLE CONTROL COMMUNITY [specified | any | off | omitted]
    ENABLE TRAP COMMUNITY [specified | off | omitted]
    MIB-II (Management Information Base) Support
    System and SNMP Groups
    SNMPENABLEAUTHENTRAP [on | off]
    SYSCONTACT “contact”
    SYSLOCATION “location”
    SYSNAME “name”
    Interface Group
    TCP/IP Groups
    Example of NET.CFG File Including Each Group Support
  Link Driver Option
    Available Parameters and Values for the Link Driver Option
    LINK DRIVER driver_name
    ALTERNATE
    BUS ID name number
    DMA [#1 | #2] channel_number
    FRAME frame_type_name [addressing_mode]
    Frame Types, Protocols, and LAN Drivers
    Ethernet LAN Drivers
    Token-Ring LAN Drivers
    IRQ [#1 | #2] interrupt_request_number
    MAX FRAME SIZE number
    MEM [#1 | #2] hex_starting_address [hex_length]
    NODE ADDRESS hex_address [mode]
    LANSUP
    PORT [#1 | #2] hex_starting_address [hex_number_of_ports]
    PROTOCOL “name” hex_protocol_ID frame_type
    Defined Protocols and Frame Types
    SLOT number
  Listing of Commonly Used ODI LAN Drivers
  Link Support Option
    Available Parameters and Values for the Link Support Option
    LINK SUPPORT
    BUFFERS communication_number [buffer_size]
    MAX BOARDS number
    MAX STACKS number
    MEMPOOL number [k]
  NetWare DOS Requester Option
    Current Core Virtual Loadable Module (VLM) Programs
    Current Non-Core Virtual Loadable Module Programs
    Compatibility with NetWare Shell Parameters
    Managing the NetWare DOS Requester
    Optimizing the NetWare DOS Requester
    Best Performance
    Best Conventional Memory Usage
    Best Compromise
    Available Parameters and Values for the NetWare DOS Requester Option
    NETWARE DOS REQUESTER
    AUTO LARGE TABLE=[on | off]
    AUTO RECONNECT=[on | off]
    AUTO RETRY=number
    AVERAGE NAME LENGTH=number
    BIND RECONNECT=[on | off]
    BROADCAST RETRIES=number
    BROADCAST SEND DELAY=number
    BROADCAST TIMEOUT=number
    CACHE BUFFER SIZE=number
    CACHE BUFFERS=number
    CACHE WRITES=[on | off]
    CHECKSUM=number
    CONFIRM CRITICAL ERROR ACTION=[on | off]
    CONNECTIONS=number
    DOS NAME=“name”
    EOJ=[on | off]
    EXCLUDE VLM=path_vlm
    FIRST NETWORK DRIVE=drive_letter
    FORCE FIRST NETWORK DRIVE=[on | off]
    HANDLE NET ERRORS=[on | off]
    LARGE INTERNET PACKETS=[on | off]
    LIP START SIZE=number
    LOAD CONN TABLE LOW=[on | off]
    LOAD LOW CONN=[on | off]
    LOAD LOW IPXNCP=[on | off]
    LOAD LOW REDIR=[on | off]
    LOCAL PRINTERS=number
    LOCK DELAY=number
    LOCK RETRIES=number
    LONG MACHINE TYPE=“name”
    MAX TASKS=number
    MESSAGE LEVEL=number
    MESSAGE TIMEOUT=number
    MINIMUM TIME TO NET=number
    NAME CONTEXT=“name_context”
    NETWARE PROTOCOL=netware_protocol_list
    NETWORK PRINTERS=number
    PB BUFFERS=number
    PBURST READ WINDOWS SIZE=number
    PBURST WRITE WINDOWS SIZE=number
    PREFERRED SERVER=“server_name”
    PREFERRED TREE=“tree_name”
    PREFERRED WORKGROUP=“workgroup_name”
    PRINT BUFFER SIZE=number
    PRINT HEADER=number
    PRINT TAIL=number
    READ ONLY COMPATIBILITY=[on | off]
    RESPONDER=[on | off]
    SEARCH MODE=number
    SET STATION TIME=[on | off]
    SHORT MACHINE TYPE=“name”
    SHOW DOTS=[on | off]
    SIGNATURE LEVEL=number
    TRUE COMMIT=[on | off]
    USE DEFAULTS=[on | off]
    VLM=path_VLM
    WORKGROUP NET=workgroup_net_address
  Protocol IPX Option
    Available Parameters and Values for the Protocol IPX Option
    PROTOCOL IPX
    BIND LAN_driver_name [#number]
    INT64 [on | off]
    INT7A [on | off]
    IPATCH byte_offset, value
    IPX PACKET SIZE LIMIT number
    IPX RETRY COUNT number
    IPX SOCKETS number
  Protocol SPX Option
    Available Parameters and Values for the Protocol SPX Option
    PROTOCOL SPX
    MINIMUM SPX RETRIES number
    SPX ABORT TIMEOUT number
    SPX CONNECTIONS number
    SPX LISTEN TIMEOUT number
    SPX VERIFY TIMEOUT number
  Protocol TCPIP Option
    Available Parameters and Values for the Protocol TCPIP Option
    PROTOCOL TCPIP
    LAN Drivers
    BIND odi_driver [number frame_type network_name]
    IP Addresses
    IP_ADDRESS ip_address [network_name]
    IP_NETMASK net_mask_address [network_name]
    IP_ROUTER ip_address [network_name]
    Connection Sockets
    Transmission Control Protocol (TCP) Sockets
    TCP_SOCKETS number
    User Datagram Protocol (UDP) Sockets
    UDP_SOCKETS number
    Raw Sockets
    RAW_SOCKETS number
    Additional Support
    NO_BOOTP
    PATH TCP_CFG [[ drive: ]path [ ; ... ]]
  Transport Provider IPX | UDP Option
    Available Parameters and Values for the Transport Provider IPX | UDP Option
    TRANSPORT PROVIDER IPX | UDP
    TRAP TARGET ipxaddress | ipaddress
3 Command Line Parameters Reference
  Overview
  Introduction
  Core NetWare Client Software
    IPXODI.COM
    LSL.EXE
    ODI LAN driver.COM
    VLM.EXE
  DOSNP Software
4 System Messages
1
Optimizing the NetWare Client Software
Overview
This chapter explains how to optimize the NetWare® Client™ software for increasing the speed of client workstations by using the Packet Burst™ protocol and Large Internet Packets (LIP). It also explains how to protect information on client workstations.
The following topics are covered in this chapter.
Topic
Increasing Speed
Improving Security
Using Other Client Security Guidelines
Introduction
You can increase the speed and improve the security of client workstations by using the Packet Burst protocol and Large Internet Packets (LIPs), and by implementing the NCP™ packet signature feature available in NetWare 4™ and 3.12 software.
Increasing Speed
NetWare 3.12 and 4 support the Packet Burst and Large Internet Packet technologies which increase the access speed of network resources and services for client workstations.
Using the Packet Burst Protocol
The Packet Burst protocol allows high-performance data transmission between client workstations and servers.
Some network topologies, such as Ethernet and token ring, allow large packets to be sent over the network. The LIP (Large Internet Packet) capability enhances throughput over bridges or routers by increasing the packet size.
The following sections provide you with information and procedures for setting parameters used in the client workstation configuration file (NET.CFG).
Packet Burst on the client workstation is enabled automatically in the NetWare DOS Requester™ software.
Requirement for Packet Burst
The Packet Burst protocol code requires about 6 KB of memory. However, as a default, the NetWare DOS Requester uses the Open Data-Link Interface™ architecture for Packet Burst and doesn’t require additional workstation memory.
How Packet Burst Works
At connection time, maximum burst sizes are negotiated with each server. Since Packet Burst is established with each connection, it’s possible to “burst” with one server but not with another.
Once you establish a Packet Burst connection between a client workstation and a NetWare server, the client workstation automatically uses the Packet Burst service whenever an application requests to write more than one physical packet of data.
When to Use Packet Burst
Packet Burst is not required for every installation; however, disabling LIP results in noticeable speed degradation. Some network supervisors might choose not to use Packet Burst because some of the servers that the client workstations are connecting to do not support it.
Configuring for Packet Burst
Although Packet Burst is automatically enabled in the NetWare DOS Requester, you can configure it for your needs.
See “PB BUFFERS=number”, “PBURST READ WINDOWS SIZE=number”, and “PBURST WRITE WINDOWS SIZE=number” for details on how to configure for Packet Burst.
Disabling Packet Burst
To disable Packet Burst at client workstations, add this line to the NET.CFG file under the “NetWare DOS Requester” option heading:
pb buffers = 0
For example, you would type
netware dos requester
    pb buffers=0
Using Large Internet Packet Functionality
Large Internet Packet (LIP) functionality allows the packet size to be increased from the default of 576 bytes. LIP is enabled automatically in the NetWare DOS Requester software.
Previously, the size of packets that cross bridges or routers on NetWare networks was limited to 576 total bytes. Some network architectures like Ethernet and token ring allow larger packets to be sent over the network.
By allowing the packet size to be increased, LIP enhances the throughput over bridges and routers if the routers aren’t limited to the smaller packet size.
The following sections provide you with information and procedures for setting parameters used in the client workstation configuration file (NET.CFG).
The Large Internet Packet technology on the client workstation is enabled automatically in the NetWare DOS Requester software.
NOTE: Some LAN drivers might not operate correctly using this parameter. If you experience trouble, disable this parameter or update the version of your LAN driver.
How Large Internet Packet Works
In previous NetWare versions, the NetWare Client™ software initiated a negotiation with the NetWare server to determine an acceptable packet size.
If the NetWare server software detected a router between it and the client workstation, the server returned a maximum packet size of 576 bytes to the NetWare Client software.
In the current NetWare version, the NetWare Client software still initiates packet size negotiation. However, because of LIP, the NetWare server no longer returns a packet size of 576 bytes when a router is detected.
Instead, the NetWare Client software negotiates with the NetWare server software to agree on the largest packet size available.
When to Use Large Internet Packet
Large Internet Packet is not required for every installation; however, disabling LIP results in noticeable speed degradation. Some network supervisors might choose not to use Large Internet Packet because some of the servers that the client workstations are connecting to do not support it, such as NetWare 2 and NetWare 3.11 and earlier.
Configuring for Large Internet Packet
Although LIP is automatically enabled in the NetWare DOS Requester, you can configure it for your needs.
See “LARGE INTERNET PACKETS=[on | off]” for details on how to configure for Packet Burst.
Disabling LIP
To disable LIP functionality at the client workstation, add this line to the NET.CFG file under the “NetWare DOS Requester” option heading:
large internet packets = off
For example, you would type
netware dos requester
    large internet packets = off
Improving Security
You can increase the security of your network by using the NCP packet signature feature available in NetWare 4 and 3.12.
The following sections provide you with information and procedures for setting a parameter used in the client workstation configuration (NET.CFG) file and the SET command used at each NetWare server.
Using NCP Packet Signature to Improve Security
NCP packet signature is an enhanced security feature that protects servers and client workstations using the NetWare Core Protocol™ architecture by preventing packet forgery.
The NCP packet signature is optional because the packet signature process consumes CPU resources and slows performance, both for the client workstation and the NetWare server.
Without the NCP packet signature installed, a knowledgeable network operator can manipulate the client workstation software to send a forged NCP request to a NetWare server. By forging the proper NCP request packet, an intruder can gain rights to access all network resources.
How NCP Packet Signature Works
NCP packet signature prevents forgery by requiring the server and the client workstation to “sign” each NCP packet, using the RSA public and private key encryption. The packet signature changes with every packet.
NCP packets with incorrect signatures are discarded without breaking the client workstation’s connection with the server. However, an alert message about the source of the invalid packet is sent to the error log, the affected client workstation, and the NetWare server console.
If NCP packet signature is installed on the server and all of the network client workstations, it is virtually impossible to forge an NCP packet that would appear valid.
When to Use NCP Packet Signature
NCP packet signature is not required for every installation. Some network supervisors might choose not to use it because they can tolerate certain security risks.
Tolerable Security Risks
The following are examples of network situations that might not need NCP packet signature:
Only executable programs reside on the server
All client workstation users on the network are known and trusted by the network supervisor
Data on the NetWare server is not sensitive; access, loss, or corruption of this data would not affect operations
Serious Security Risks
NCP packet signature is recommended for security risks such as these:
Unauthorized client workstation users on the network
Easy physical access to the network cabling system
An unattended, publicly accessible client workstation within your network
NCP Packet Signature Options
Several signature options are available, ranging from never signing NCP packets to always signing NCP packets. NetWare servers and network client workstations both have four signature levels, which are explained in the following table.
Table 1-1 NCP Packet Signature Levels
Level Number    Explanation
0               Doesn’t sign packets.
1               Signs packets only if the server requests it (NetWare server NCP option is 2 or higher).
2               Signs packets if the server is capable of signing (NetWare server NCP option is 1 or higher).
3               Signs packets and requires the server to sign packets (or logging in will fail).
Effective Packet Signature Levels
The signature levels for the server and the client workstations combine to determine the overall level of NCP packet signature on the network, called the effective packet signature level.
Some combinations of server and client packet signature levels might slow performance. However, low-CPU-demand systems might not show any performance degradation.
You can choose the packet signature level that meets both your performance needs and your security requirements.
The following table shows the interactive relationship between the server packet signature levels and the client workstation signature levels.
Table 1-2 Effective Packet Signature Combinations of Server and Client Workstations
IF                        Server = 0             Server = 1             Server = 2             Server = 3
Client Workstation = 0    No packet signature    No packet signature    No packet signature    No logging in
Client Workstation = 1    No packet signature    No packet signature    Packet signature       Packet signature
Client Workstation = 2    No packet signature    Packet signature       Packet signature       Packet signature
Client Workstation = 3    No logging in          Packet signature       Packet signature       Packet signature
Examples of Using Packet Signature Levels
This section includes some examples of when you would use different signature levels.
All Information on the Server Is Sensitive
Example: If an intruder gains access to any information on the NetWare server, it could damage the company.
Solution: The network supervisor sets the server to level 3 and all client workstations to level 3 for maximum protection.
Sensitive and Nonsensitive Information Reside on the Same Server
Example: The NetWare server has a directory for executable programs and a separate directory for corporate finances (such as accounts receivable).
Solution: The network supervisor sets the server to level 2 and the client workstations that need access to accounts receivable to level 3. All other client workstations remain at the default level 1.
Client Workstation Users Often Change Locations
Example: The network supervisor is uncertain which employees will be using which client workstations, and the NetWare server contains some sensitive data.
Solution: The network supervisor sets the server to level 3. Client workstations remain at the default level 1.
Client Workstation Is Publicly Accessible
Example: An unattended client workstation is set up for public access to nonsensitive information, but another server on the network contains sensitive information.
Solution: The network supervisor sets the sensitive server to level 3 and the unattended client workstation to level 0.
Installing NCP Packet Signature
To install the NCP packet signature support, you must set a parameter used in the NET.CFG file on each client workstation and a SET command used at each NetWare server.
Workstation Setting
To install NCP packet signature on a DOS or MS Windows client workstation, add this line to the NET.CFG file under the NetWare DOS Requester option:
signature level = number
For example, you would type
netware dos requester
    signature level = 2
Replace number with 0, 1, 2, or 3. The default is level 1, which provides the most flexibility while still offering protection from forged packets.
See “SIGNATURE LEVEL=number” for details on how to configure for NCP packet signature support on the client workstation.
NOTE: Some LAN drivers might not operate correctly using this parameter. If you experience trouble, disable this parameter or update the version of your LAN driver.
Server Setting
To ensure that the SET parameter “NCP PACKET SIGNATURE OPTION” is added to the system at each server you want NCP packet signature support on, type the following command at each server console:
SET NCP PACKET SIGNATURE OPTION = number <Enter>
Replace number with 0, 1, 2, or 3. The default is level 1, which provides the most flexibility while still offering protection from forged packets.
See “Preventing Packet Forgery,” in Chapter 7 of Supervising the Network for details on how to configure for NCP packet signature support on the server.
Disabling Packet Signature
To disable NCP packet signature support at the client workstation, add this line to the NET.CFG file under the “NetWare DOS Requester” option heading:
signature level = 0
For example, you would type
netware dos requester
    signature level = 0
For explanations of packet signature levels and their combined use, see Table 1-1.
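The signature-level rules of Table 1-1 and the SIGNATURE LEVEL setting described above can be checked across a set of workstations before a server's NCP PACKET SIGNATURE OPTION is changed. The Python script below is an added example, not part of the HP/Novell manual: it reads the signature level from NET.CFG text and reports which workstations would send unsigned packets or fail to log in at a given server level. The workstation names and NET.CFG contents are constructed, and the parser assumes that option headings start in column 1, parameters are indented beneath them, and lines beginning with a semicolon are comments.

```python
# Added example, not from the HP/Novell manual.
import re

NO_SIGN = "No packet signature"
SIGN = "Packet signature"
NO_LOGIN = "No logging in"
DEFAULT_LEVEL = 1  # the manual gives level 1 as the default

# Table 1-2 of the manual: TABLE_1_2[client_level][server_level]
TABLE_1_2 = [
    [NO_SIGN, NO_SIGN, NO_SIGN, NO_LOGIN],
    [NO_SIGN, NO_SIGN, SIGN, SIGN],
    [NO_SIGN, SIGN, SIGN, SIGN],
    [NO_LOGIN, SIGN, SIGN, SIGN],
]


def effective_signature(client, server):
    """Outcome for one client/server pair, worked out from Table 1-1."""
    for level in (client, server):
        if level not in (0, 1, 2, 3):
            raise ValueError(f"signature level must be 0-3, got {level!r}")
    if min(client, server) == 0:
        # One side never signs: fatal only if the other side insists (3).
        return NO_LOGIN if max(client, server) == 3 else NO_SIGN
    # Level 1 signs on request (peer >= 2), level 2 signs if the peer can
    # (peer >= 1), level 3 always signs: signing happens once the sum is 3.
    return SIGN if client + server >= 3 else NO_SIGN


def client_signature_level(net_cfg_text):
    """Read SIGNATURE LEVEL from the NetWare DOS Requester option of a NET.CFG.

    Assumed syntax: option headings start in column 1, parameters are
    indented beneath them, and lines starting with ';' are comments.
    """
    section = None
    level = DEFAULT_LEVEL
    for raw in net_cfg_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(";"):
            continue
        if not raw[0].isspace():
            section = " ".join(raw.lower().split())  # NET.CFG ignores case
            continue
        if section != "netware dos requester":
            continue
        match = re.fullmatch(r"\s*signature\s+level\s*=\s*(\S+)\s*",
                             raw, re.IGNORECASE)
        if match:
            if match.group(1) not in ("0", "1", "2", "3"):
                raise ValueError(f"invalid signature level {match.group(1)!r}")
            level = int(match.group(1))
    return level


def audit(workstations, server_level):
    """Map workstation name -> outcome against a server at server_level."""
    return {
        name: effective_signature(client_signature_level(cfg), server_level)
        for name, cfg in workstations.items()
    }


def needs_attention(workstations, server_level):
    """Workstations that would send unsigned packets or fail to log in."""
    report = audit(workstations, server_level)
    return sorted(name for name, outcome in report.items() if outcome != SIGN)


# Constructed NET.CFG contents for four hypothetical workstations.
SAMPLE_CONFIGS = {
    "FINANCE01": "Link Driver NE2000\n    FRAME Ethernet_802.2\n\n"
                 "NetWare DOS Requester\n    FIRST NETWORK DRIVE = F\n"
                 "    SIGNATURE LEVEL = 3\n",
    "KIOSK01": "netware dos requester\n    signature level = 0\n",
    "DESK17": "; no signature setting, so the default applies\n"
              "netware dos requester\n    first network drive = f\n",
    "LAB04": "netware dos requester\n    pb buffers=0\n    signature level=2\n",
}

if __name__ == "__main__":
    for server_level in range(4):
        print(f"server level {server_level}:")
        for name, outcome in sorted(audit(SAMPLE_CONFIGS, server_level).items()):
            print(f"  {name:<10} {outcome}")
```

With the server at the default level 1, the workstation left at the default level 1 does not sign packets; raising the server to level 3 makes it sign, while the level 0 workstation can no longer log in.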