Solved

Problems Adding Wireless Capability to a Novell Network

Posted on 2004-09-22
Last Modified: 2008-02-01
At my wife's school they use a Novell network.  Recently she was part of a team that won a grant from HP for wireless enabled tablet PC's and display projectors.  I bought a Linksys WRT54G wireless router and connected it to an Ethernet port in her room (note - security and WEP encryption was also established).  She could access the Internet, but could not log in to the Novell environment.

After finding out about EE, I discovered a great answer from "waybadmojo" (great name by the way) to a question from Bill Clark about adding the name of the Novell tree to the "hosts" file.  This allowed me to give my wife access to the Novell network (hurray!).  However, she still cannot access printers and other computers on the network that are not Novell servers.  When I go to "My Network Places\Entire Network\Microsoft Windows Network" none of the other computers on the wired side of the network show up from a computer connected wirelessly.  When the same computer connects on the wired side they all show up.

After digging through multiple pages of EE Q&A I have discovered that the Linksys router function may be the problem (but this is a guess at this point).  I would like to try fully disabling the router function of the Linksys, but retaining its ability to host multiple wireless computers (there are 5 teachers who participated in the HP grant).  Would this do the job?  If so, how would I go about it?  Thanks in advance for the help.  I am pretty impressed with you folks.
Question by:snstevens
23 Comments
 
LVL 34

Expert Comment

by:PsiCop
ID: 12130211
<pet peeve>
"Novell" is a company. "NetWare" is a product. The network at your wife's school is a "NetWare network", there is a "NetWare environment".
</pet peeve>

I dunno where waybadmojo is lately. Hopefully he'll drop in.

Given your description, I *infer* that the school network in question uses NetWare v5.0 or later (latest is v6.5). Earlier versions are limited to IPX as their network transport, and since you make no mention of IPX, I assume it's not in use. That means NetWare v5.0 or later.

I should certainly hope that the vulnerable, insecure M$ side of the network is not available from a wireless link. I can't imagine a faster way to have the Windoze environment hacked, except to maybe install Exchange. WEP is useless. I don't know what "security" you're referring to, but 802.11a-g is hopelessly compromised.

I'm thinking this may be more of a general networking Question, and less a NetWare-specific one. Seems to me the NetWare access is working fine. You're looking to noodle with the Linksys config.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 12132641
You might also check the tablet PC configuration.  They most likely are running Windows XP Professional, and might have the personal firewall active.  They may even be in the wrong workgroup, or not domain members if you have a Windows domain at the school, which would prevent them from seeing other Windows-centric devices.
0
 

Author Comment

by:snstevens
ID: 12134076
PsiCop --

Thanks for your comments.  I'm totally new to the Novell world and appreciate the clarifications.   Some more info -- the school system uses NetWare v6.5.  You may be right - my original question may be more general networking or Linksys specific.  Any advice on the Linksys configuration is appreciated.  I still can't install any network printers at this point.

Not sure what you mean by the M$ side of the network, but I share your concern about wireless security.  I have disabled SSID broadcast and use 128-bit WEP encryption.  Your advice for improving the level of security is also appreciated.
0
 

Author Comment

by:snstevens
ID: 12134130
ShineOn --

I'll check the Windows firewall but am not sure how this would factor in.  When the Tablet PC is connected directly to the LAN by cable all of the local computers & printers show up fine.  I would think if the firewall was a problem it would be affecting both the wired and the wireless connection.  That said, I will double check the Linksys firewall to be sure the firewall is disabled (will have to go in after school hours today).

Any other insights?
0
 
LVL 34

Accepted Solution

by:
PsiCop earned 125 total points
ID: 12135393
I wish I could help with the Linksys config - never touched one. Ascend, Bay and Cisco gear for me, mostly. Hmmmm.....ABC?

I'll caution you that while SSID broadcast may be disabled, it is still transmitted, in the clear, whenever a properly-configured wireless client connects to the WAP. AirSnort will pick it up the moment any wireless NIC connects to the AP. By turning off broadcast, you just make the cracker wait for that.

128-bit WEP is only slightly less breakable than the lesser varieties of WEP. The issue isn't the bits of encryption so much as a keying weakness fundamental to WEP itself. WEP relies on RC4, which itself is not bad/weak encryption, but WEP's implementation of RC4 is flawed. It predictably chooses its Initialization Vectors (IVs), meaning that after at most a few hours with AirSnort, a laptop and a Pringles can, anyone sitting in the parking lot (or lunchroom, or playground) can decipher pretty much anything sent via the wireless connection. A little work and it can be deciphered in realtime.

I hope this isn't at MY niece's elementary school - the public school system is casual enough with what is supposedly federally-protected information. I'd be really annoyed to find out that ostensibly confidential student information allegedly protected by FERPA was being broadcast over something as insecure as WEP.

In order to secure wireless in the environment you describe, you need a VPN tunnel over the wireless connection. The Novell side of the house does that to some extent already - the client-to-server communications are RSA-encrypted.
0
 
LVL 35

Assisted Solution

by:ShineOn
ShineOn earned 125 total points
ID: 12138577
If everything works fine wired, and now that you've added the NetWare server to the HOSTS file the NetWare connectivity works wireless, I would suspect something with host name resolution.  If they don't use a Windows domain, but only peer-to-peer "sharing" (which I usually recommend against, btw) then it could be that the router is blocking NetBIOS over IP - which also is a good thing.  Try adding some of the Windows host names & addresses to the LMHOSTS file.
0
 
LVL 2

Assisted Solution

by:specman
specman earned 125 total points
ID: 12143718
Hi;

Your router is indeed interfering with your "normal" connectivity experience.  Netware uses something called SLP to "inform" all of the various devices where the various services are located.  In the case of your printers your system cannot tell your wireless devices where the printers are located because the SLP information cannot get through the router.  If you can live with some of the other limitations you can make do by manually setting up printers on your devices by using their IP address directly.

A lot of this stuff can be fixed up by forwarding the applicable ports etc. on the router (or disabling NAT altogether)... but then you make the security problem even worse.

Using an off the shelf solution such as a Linksys router in your situation is a really bad idea; the above posters mentioned some of the major security problems associated with this.  Without the mentioned VPN solution you WILL get hacked sooner or later... bank on it.
0
 
LVL 10

Assisted Solution

by:DSPoole
DSPoole earned 125 total points
ID: 12147052
NDPS/iPrint or Queue-based printers?  If they are running purely queue-based, then they require IPX.  I don't think the WAP will do IPX.

How to tell:

1)  plug in the laptop into the wired network and boot up.
2)  select Start | Settings | Printers
3)  right-click on a network printer and select Properties
4)  select the Ports tab and look for a check mark in the Port column

If the port being used is NDPS0x (where x is a number) then you are using NDPS.  If the port being used has a \\<TREE>\.<printer>.<context>.<org> sort of look - then it's queue-based.

0
 
LVL 35

Expert Comment

by:ShineOn
ID: 12147612
Queue-based only requires IPX to the printer.  The client connection can be IP.

If they're using jet-directs and printing IP direct-to-printer on the LAN, and they aren't getting NetBIOS name resolution through the router, they won't "see" the printers when they browse the network using Windoze Explorer, just like they won't "see" the other workstations when they browse the network using Windoze Explorer.

- UNLESS -

All of the Windows PC's and printers names-and-addresses are added to the LMHOSTS file

- OR -

They remove any block on NetBIOS over IP (NetBT) which is an exploit-point and should remain blocked for security's sake.
0
 

Author Comment

by:snstevens
ID: 12147659
PsiCop, ShineOn, specman & DSPoole --

Thanks to all of you for your encouragement and good suggestions.  I particularly value the inputs on security from PsiCop and specman and DSPoole.  I plan to follow-up with the school IT team and establish VPN capability so that we can establish a truly secure wireless environment.  Also, your suggestions caused me to come up with at least a partial solution to the problem.  Interestingly, it doesn't involve the Linksys WRT54G router.  I think ShineOn is the one who got me headed in the right direction.   Here's what I ended up doing (probably in more detail than you guys need, but might be useful to someone else).

Step 1 - Establish Netware connectivity by adding the school's Netware Tree to the file \\C\WINDOWS\System32\drivers\etc.\hosts.  This allows for login to the NetWare environment across the Linksys router (thanks again to waybadmojo for this tip).

Step 2 - Connect the tablet PC to the wired side of the network, and execute START>RUN>CMD.  In the DOS window execute ">ipconfig /all"   Write down the IP address of the WINS Server.

Step 3.1 - Disconnect the tablet PC and go wireless.  Open the Network Connections page from the Control Panels.  Right click the Wireless Local Area Connection.  Scroll down to "Internet Protocol TCP/IP" - select this and click "Properties".

Step 3.2 - Click the "Advanced" button and then click the WINS tab.

Step 3.3 - Click "Add" and enter the IP address of the WINS Server found in Step 2.  While probably not necessary, I made sure that "Enable LMHOSTS Lookup" was also checked.

Step 4 - Don't know if it was necessary, but I rebooted the system.  

Afterward, I was able to access printers on the wired side of the network that had already been added to the laptop (they were added when it was connected on the wired side).  I have not tried adding a new printer wirelessly yet, but I plan to test specman's suggestion of using IP addresses.

Summary -- I really appreciate all the help and good information you each provided me.  I plan to talk to the school district IT folks to establish a VPN to increase the security of the wireless environment.  I also plan to study DSPoole's suggestion about IPX and see how that plays into this.  Thanks again for all of your help!
0
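Added example, not part of snstevens's post: the wired-versus-wireless comparison from Steps 2 and 3 done as a script that parses two saved `ipconfig /all` captures and reports what the wireless side lacks. Both captures are constructed (host name and addresses are made up), and the parser assumes one active adapter per capture.

```python
import ipaddress

# Constructed `ipconfig /all` excerpts; every name and address is made up.
WIRED = """\
Windows IP Configuration
        Host Name . . . . . . . . . . . . : TABLET01
        Node Type . . . . . . . . . . . . : Hybrid
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 10.20.4.57
        Subnet Mask . . . . . . . . . . . : 255.255.252.0
        Default Gateway . . . . . . . . . : 10.20.4.1
        DNS Servers . . . . . . . . . . . : 10.20.0.5
        Primary WINS Server . . . . . . . : 10.20.0.6
"""
WIRELESS = """\
Windows IP Configuration
        Host Name . . . . . . . . . . . . : TABLET01
        Node Type . . . . . . . . . . . . : Unknown
Ethernet adapter Wireless Network Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

def parse_ipconfig(text):
    """Return {setting: value} for the indented 'Name . . . : value' lines."""
    settings = {}
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip(" .\t")] = value.strip()
    return settings

def network_of(settings):
    """Subnet the adapter sits in, from its IP address and mask."""
    return ipaddress.ip_interface(
        f"{settings['IP Address']}/{settings['Subnet Mask']}").network

def diagnose(wired_text, wireless_text):
    """List name-resolution differences between the two captures."""
    wired, wireless = parse_ipconfig(wired_text), parse_ipconfig(wireless_text)
    findings = []
    if network_of(wired) != network_of(wireless):
        findings.append("wireless client is on a separate subnet behind the "
                        "router; NetBIOS broadcasts do not reach the wired LAN")
    wins = wired.get("Primary WINS Server")
    if wins and not wireless.get("Primary WINS Server"):
        findings.append(f"no WINS server on wireless; wired side uses {wins}")
    return findings
```

Calling `diagnose(WIRED, WIRELESS)` returns both findings, which matches the thread: the router's DHCP lease carries no WINS server, so the address had to be added by hand on the wireless adapter.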
 
LVL 35

Expert Comment

by:ShineOn
ID: 12147683
I didn't know you had a WINS server in the environment, or I'd have mentioned that - I thought you were peer-to-peer on the Windows side of the aisle.

WINS provides the NetBIOS name resolution so you don't have to use LMHOSTS.
0
 
LVL 10

Expert Comment

by:DSPoole
ID: 12147896
the best way to secure wirelessly and maintain throughput - MAC filtering.

0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12148615
I dunno, ShineOn. MAC filtering is only effective until they figger out that you're using it and reset their NIC to use a MAC you've permitted. Yeah, it adds another layer, and I'm not saying he shouldn't use it, but I'm not sure I'd regard it as the end-all of wireless security (altho every bit helps, and certainly WEP needs all the help it can get).
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 12148683
You mean "I dunno, DSPoole."
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12150604
D'oh!
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12150606
Sorry, ShineOn, looked right thru ya....... :-)
0
 
LVL 10

Expert Comment

by:DSPoole
ID: 12160956
Psi, MAC addresses are 7 bytes in length - being there are 255 possible combinations PER byte, the odds of "figger"ing out a usable MAC address is highly unlikely.  It gets even worse if the system detects TWO MAC addresses on the same segment - then you will notice a problem.  WEP is nice but it adds a layer of complexity to the system - you need to publish keys.  It also slows down the data transfer rate because of the encryption.  Also - who says a user won't share a key?  MAC filtering is all controlled by the admin.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12161077
All I gotta do to get a usable MAC is snort the initial connection. It's broadcasted in the clear.
0
 

Expert Comment

by:jpalazzi
ID: 12922095
hey snstevens
can you help me with the first problem you had?  sounds like the same problem i am having at a school
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12926525
snstevens,

If you think you can help jpalazzi, he's got a Question open at --> http://www.experts-exchange.com/Networking/Netware/Q_21256461.html
0
