One of the first product tests of BorderManager. Overall, it gives BorderManager a thumbs up.
From: nwfusion.com
BorderManager protects and enhances Internet connections
By Tom Stenson, Network World, 8/25/97
Novell, Inc. this week is slated to deliver a major part of its Internet strategy with the release of BorderManager, a package of software tools for giving IntranetWare LANs access to the 'Net. Our evaluation of a gold beta version of the product shows it is indeed a comprehensive set of tools, but work remains to fashion them into a seamless whole.
BorderManager is a major salvo in the war to protect IntranetWare desktops against the armies promoting native TCP/IP solutions. Comprising a firewall, content-filtering software, an IPX/IP gateway, virtual private network (VPN) software and proxy cache software, BorderManager gives IntranetWare administrators a complete, easily managed set of TCP/IP security and caching tools.
Though all the products work well, there are integration problems. For example, the NetWare Connect remote access application still has its own management program, while the new proxy, cache and gateway features are managed with the NWAdmin program.
BorderManager includes basic firewall functions: It blocks unknown IP addresses and filters on the packet level (IP addressing and control) and the circuit level (TCP-level session control). BorderManager also foils address spoofing. The product's multiprotocol routing utilities let you use the server as a bastion host, monitoring all traffic to and from your network. Fully integrated inside the NWAdmin, a trial copy of Microsystems Software, Inc.'s Cyber Patrol, set to expire after 45 days, provides all the filtering choices any paranoid manager could want.
BorderManager's Proxy Cache Server provides noticeable speed improvements over an uncached system by using multiple caching techniques. Its VPN component, with up to 128-bit encryption for domestic use, is competent, if not flashy.
BorderManager supports remote clients with NetWare Connect, which offers PPP Remote Node Service and multiprotocol router functions. Up to 128 asynchronous ports can be controlled by the server for dial-in and dial-out use by clients.
Netscape Communications Corp.'s Navigator 3.X is included in the client software set. A NetWare/IP version for IntranetWare and the IPX/IP Gateway software are included, although these are just upgrades of the existing IntranetWare software.
Novell also includes a run-time version of IntranetWare for sites without an existing IntranetWare server. It comes with Novell Directory Services (NDS) and the NWAdmin tool. Watch out, though: The updated NWAdmin program is filed in the PUBLIC-WIN95 directory rather than in PUBLIC. So if you already run NWAdmin, change your shortcut or you'll wonder why the upgrade didn't take.
Many of BorderManager's features are especially advantageous for Novell's installed base. For example, you can pick NDS clients from a list when creating rules, rather than typing in IP addresses or Domain Name System (DNS) host names. Using NDS, BorderManager controls access rights and security privileges of all users - not just those in any one domain - across the entire network from a single workstation.
Non-NDS clients can be controlled with the utilities, but you must enter their information by hand. Novell plans to allow NDS to absorb TCP/IP clients, but products are not available yet.
NetWare-familiar functions
BorderManager adds three pages to NWAdmin: Border Services Setup, Virtual Private Network and Outgoing Rules.
With the Rules page, you can control Internet access for users, groups and container objects, as well as the physical server running the BorderManager software, using NWAdmin. Because security restrictions can change according to the time of day, BorderManager implements the same hour grid used in IntranetWare 4.11 to block time. Rules that control access to what your organization deems nonproductive Internet sites apply to all users regardless of protocol.
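The rule evaluation described above (rules per user, group or container, gated by an hour grid) can be sketched as follows. This is an added illustration, not Novell's code or BorderManager's actual rule engine; the object names, the first-match ordering and the deny-when-nothing-matches default are assumptions.

```python
from dataclasses import dataclass, field

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]

def hour_grid(days, start, end):
    """Build a 7x24 grid of booleans: True where the rule is active."""
    return {d: [d in days and start <= h < end for h in range(24)] for d in DAYS}

ALWAYS = hour_grid(DAYS, 0, 24)

@dataclass
class Rule:
    action: str        # "allow" or "deny"
    source: str        # user, group or container name (constructed names)
    destination: str   # host name or domain suffix, "*" for any
    grid: dict = field(default_factory=lambda: ALWAYS)

def principals(user, directory):
    """The user plus every group and container the user belongs to."""
    return {user} | set(directory.get(user, ()))

def host_matches(pattern, host):
    return pattern == "*" or host == pattern or host.endswith("." + pattern)

def evaluate(rules, directory, user, host, day, hour):
    """First matching rule wins; no match means deny (assumed semantics)."""
    who = principals(user, directory)
    for rule in rules:
        if (rule.source in who and host_matches(rule.destination, host)
                and rule.grid[day][hour]):
            return rule.action
    return "deny"

# Constructed sample directory and rule list, for illustration only.
DIRECTORY = {"jsmith": ["sales", "ou=east"], "akhan": ["it", "ou=east"]}
WORK_HOURS = hour_grid(DAYS[:5], 8, 18)
RULES = [
    Rule("deny", "sales", "games.example", WORK_HOURS),  # blocked in work hours
    Rule("allow", "ou=east", "*"),                       # container-wide access
]

if __name__ == "__main__":
    for args in [("jsmith", "www.games.example", "tue", 10),
                 ("jsmith", "www.games.example", "tue", 20),
                 ("guest", "www.example.com", "tue", 10)]:
        print(args, "->", evaluate(RULES, DIRECTORY, *args))
```

Because the more specific deny rule is listed before the container-wide allow, reordering the two would silently grant the sales group access during work hours.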
BorderManager also monitors real-time activity, such as current IPX/IP sessions, cached sites rated by activity and how long each utility has been running.
You can build VPNs by exchanging software keys between servers and network managers. One master server can organize several slave servers. All packets traveling across the Internet or intranet are encrypted using RSA keys of up to 128 bits domestically and 56 bits for export.
The Border Services Setup button in NWAdmin lets you set IP addresses and start and stop the various proxy services and gateways.
Beyond NWAdmin's Border
BorderManager's IPX/IP Gateway first appeared as a separate product and is now bundled with IntranetWare. The new and improved IPX/IP Gateway component of BorderManager is really a subset of the Novell IP Gateway. Also included is Network Address Translation, in which users with TCP/IP addresses not registered for Internet use are translated to legal IP addresses when going out to the Internet.
The IPX/IP translation seems to have all the bugs worked out and performed flawlessly under every TCP/IP application we tried, including multiple browsers, e-mail clients and terminal emulators. The Novell software can reference existing DNS servers or run its own DNS server if necessary.
Another feature of the Novell IP Gateway is its ability to register, track, control and monitor pure TCP/IP traffic through BorderManager. Even non-NetWare IP stations route through the BorderManager server to provide some control. BorderManager can control clients connected through NDS, DNS host names, IP addresses or complete subnetworks.
Proxy Cache Server
We observed a noticeable improvement in browser response time after installing Proxy Cache Server, and this was confirmed by other network users unaware of the new software. Because the Proxy Cache Server is on the same local network as the requesting client, cached information is delivered at network speed, rather than Internet speed. All clients need to do is fill in the "proxy server ID" blank in their Web browsers to route traffic through the Proxy Cache Server. NetWare and non-NetWare clients are supported exactly the same by the cache server.
The Proxy Cache Server also provides Web server acceleration by caching requests to your Web server. Its Web Server Accelerator component handles all requests to your Web server, blocking outsiders from reaching the server directly. Not only do clients get their Web pages faster, but because the real Web server is hidden by the BorderManager server, you also increase your security. One Web Server Accelerator can pretend to be multiple Web servers, speeding response for all.
Another new caching technology effectively caches an entire client network. How does this work? If a client requests a Web page and the local cache server can't help, it queries neighboring cache servers as well as those on the next level. These "parent" servers hold retrieved information for all cache servers below them and their neighbors.
This comes in handy even when a distant Web server is unreachable because the cache server can generate the error locally without waiting for the client browser packets to return with an error message from the unresponsive server.
Tuning settings for the Proxy Cache Server include the amount of RAM and disk space allocated for cache purposes and how to handle older information based on the time-to-live settings on some Web pages.
Installation and configuration
Installation relies on the tired C-Worthy interface familiar to users of Novell server software because security requires this product to be server-centric. You can install BorderManager on an existing IntranetWare server or on any Intel Corp. system via the bundled run-time copy of IntranetWare. You must configure specific packet types and access levels for each network interface on the host machine.
Some of the BorderManager configuration questions will catch NetWare specialists by surprise. Packet- and circuit-level filtering for IP addresses is new to NetWare. If you are a NetWare-only manager, have your TCP/IP network administrator close at hand when you install BorderManager. Common questions include the name of your DNS server, backup DNS servers, gateways, subnet masks and default router addresses.
Those are the easy questions. Non-TCP/IP folks may faint when they see more than 60 different TCP protocol options with port numbers to control for the circuit-level part of the proxy - necessary, but new to NetWare people. The default blocks all traffic in and out of the BorderManager server, which is safe but disconcerting if you aren't prepared.
Existing clients can download the upgraded client software from the NetWare server or use an included utility to upgrade the software automatically during a subsequent logon session, which works well for simple configurations. You also can upgrade client software directly from the distribution CD-ROM at each workstation. The full range of Intel clients is supported by the new Client32 software, from DOS to Windows NT and everything in between.
In summary
BorderManager controls every point of NetWare-to-TCP/IP network connection, giving Novell customers a way to connect to the world safely and quickly, while saving money on performance enhancements. Firewall functions are complete and solid, but not the highlight. Security, always a concern with Internet connections, is controlled for the entire network by NDS and NWAdmin in one comprehensive point of administration. Web client acceleration, Web server acceleration and performance upgrades for entire networks are the biggest advantages most users will see.
If Novell moves to TCP/IP for client-to-server communications, the IPX/IP Gateway component of BorderManager will fade in importance. The Novell IP Gateway components, however, will become more critical to network control. In fact, all the controls within BorderManager for handling TCP/IP clients may be a trial run for next year's operating system.
Although there are more NetWare users today than Internet users, the first group is demanding to become part of the second. BorderManager is an excellent vehicle for taking them there.