Novell iFolder 3.x Security Administrator Guide
Novell® iFolder 3.x
novdocx (ENU) 01 February 2006
August 15, 2006
www.novell.com
SECURITY ADMINISTRATOR GUIDE
Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time,
without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims
any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.,
reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to
notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the
trade laws of other countries. You agree to comply with all export control regulations and to obtain any required
licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities
on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export
laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses.
Please refer to www.novell.com/info/exports/ for more information on exporting Novell software. Novell assumes no
responsibility for your failure to obtain any necessary export approvals.
Copyright © 2005-2006 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied,
stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this
document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S.
patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent
applications in the U.S. and in other countries.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com
Online Documentation: To access the online documentation for this and other Novell products, and to get
updates, see www.novell.com/documentation.
Novell Trademarks
For a list of Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Contents
About This Guide
1 Security Best Practices Overview
1.1 Security Recommendations for iFolder 3.x
1.2 Security Recommendations for OES Linux
2 Security Best Practices for Novell iFolder 3.x
2.1 Using SSL for Server - LDAP Server Communications
2.2 Using SSL for Enterprise Server - iManager Communications
2.3 Using SSL for Enterprise Server - Client Communications
2.4 Using SSL for Enterprise Server - Web Access Server Communications
2.5 Using SSL for Web Access Server - Users’ Web Browser Communications
2.6 Disabling SSL 2.0 Protocol
2.7 Configuring a Cipher Suite to Use for SSL/TLS
2.8 Installing Trusted Roots and Certifications on the iFolder server
2.9 Installing Server Certificates from a Known Certificate Authority
2.10 Using a Shared Certificate in iFolder Clusters
2.11 Ensuring Privilege Separation for the iFolder Proxy User
2.12 Securing the iFolder Proxy User Password
2.13 Using Synchronize Now to Remove Users Effective Immediately
2.14 Controlling Access to the iFolder Data Store
2.15 Controlling Access to the iFolder Server Configuration Files
2.16 Controlling Access to and Backing Up the iFolder Audit Logs
2.17 Storing iFolder 3.x Data Nonencrypted on the Server
2.18 Preventing the Propagation of Viruses
2.19 Backing Up the iFolder Server
3 Security Best Practices for the iFolder Client
3.1 Configuring Client-Side Firewalls for iFolder Communications
3.2 Configuring Client-Side Virus Scanners for iFolder Communications
3.3 Configuring a Web Browser to Use SSL 3.0
4 Other Security Best Practices
4.1 Controlling Physical Access to the iFolder Servers and Resources
4.2 Securing Access to the Servers with a Firewall
4.3 Securing Communications with a VPN If SSL Is Disabled
4.4 Securing Wireless LAN Connections If SSL Is Disabled
4.5 Creating Strong Passwords
A Documentation Updates
A.1 August 15, 2006
A.1.1 Security Best Practices for iFolder 3.x
A.2 November 1, 2005
About This Guide
This guide provides specific instructions on how to install, configure, and maintain Novell® iFolder® 3.x and the iFolder™ client for iFolder 3.x in the most secure way possible.
• Chapter 1, “Security Best Practices Overview,” on page 9
• Chapter 2, “Security Best Practices for Novell iFolder 3.x,” on page 11
• Chapter 3, “Security Best Practices for the iFolder Client,” on page 19
• Chapter 4, “Other Security Best Practices,” on page 21
For emerging issues with Novell iFolder 3.x and the iFolder client, see the Novell iFolder 3.x Readme (http://www.novell.com/documentation/ifolder3/readme/data/readme.html).
Audience
This guide is intended for network security administrators.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comment feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.
Documentation Updates
For the most recent version of the Novell iFolder 3.x Security Administrator Guide, visit the Novell iFolder 3.x documentation Web site (http://www.novell.com/documentation/ifolder3/index.html).
Additional Documentation
For information, see the following:
• Novell iFolder 3.x documentation (http://www.novell.com/documentation/ifolder3/index.html)
• Novell Open Enterprise Server product site (http://www.novell.com/products/openenterpriseserver)
• Novell Open Enterprise Server documentation (http://www.novell.com/documentation/oes/index.html)
• Novell eDirectory™ 8.7.3 documentation (http://www.novell.com/documentation/edir873/treetitl.html)
• Novell iManager 2.5 documentation (http://www.novell.com/documentation/imanager25/treetitl.html)
• Novell Linux Desktop 9 product site (http://www.novell.com/products/desktop/)
• Novell Linux Desktop 9 documentation (http://www.novell.com/documentation/nld/treetitl.html)
• Novell Technical Support (http://www.novell.com/support/)