Solved

Problems Adding Wireless Capability to a Novell Network

Posted on 2004-09-22
Last Modified: 2008-02-01
At my wife's school they use a Novell network.  Recently she was part of a team that won a grant from HP for wireless enabled tablet PC's and display projectors.  I bought a Linksys WRT54G wireless router and connected it to an Ethernet port in her room (note - security and WEP encryption was also established).  She could access the Internet, but could not log in to the Novell environment.

After finding out about EE, I discovered a great answer from "waybadmojo" (great name by the way) to a question from Bill Clark about adding the name of the Novell tree to the "hosts" file.  This allowed me to give my wife access to the Novell network (hurray!).  However, she still cannot access printers and other computers on the network that are not Novell servers.  When I go to "My Network Places\Entire Network\Microsoft Windows Network" none of the other computers on the wired side of the network show up from a computer connected wirelessly.  When the same computer connects on the wired side they all show up.

After digging through multiple pages of EE Q&A I have discovered that the Linksys router function may be the problem (but this is a guess at this point).  I would like to try fully disabling the router function of the Linksys, but retaining its ability to host multiple wireless computers (there are 5 teachers who participated in the HP grant).  Would this do the job?  If so, how would I go about it?  Thanks in advance for the help.  I am pretty impressed with your folks.
Question by:snstevens
23 Comments
 
LVL 34

Expert Comment

by:PsiCop
ID: 12130211
<pet peeve>
"Novell" is a company. "NetWare" is a product. The network at your wife's school is a "NetWare network", there is a "NetWare environment".
</pet peeve>

I dunno where waybadmojo is lately. Hopefully he'll drop in.

Given your description, I *infer* that the school network in question uses NetWare v5.0 or later (latest is v6.5). Earlier versions are limited to IPX as their network transport, and since you make no mention of IPX, I assume it's not in use. That means NetWare v5.0 or later.

I should certainly hope that the vulnerable, insecure M$ side of the network is not available from a wireless link. I can't imagine a faster way to have the Windoze environment hacked, except to maybe install Exchange. WEP is useless. I don't know what "security" you're referring to, but 802.11a-g is hopelessly compromised.

I'm thinking this may be more of a general networking Question, and less a NetWare-specific one. Seems to me the NetWare access is working fine. You're looking to noodle with the Linksys config.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 12132641
You might also check the tablet PC configuration.  They most likely are running Windows XP Professional, and might have the personal firewall active.  They may even be in the wrong workgroup, or not domain members if you have a Windows domain at the school, which would prevent them from seeing other Windows-centric devices.
0
 

Author Comment

by:snstevens
ID: 12134076
PsiCop --

Thanks for your comments.  I'm totally new to the Novell world and appreciate the clarifications.   Some more info -- the school system uses NetWare v6.5.  You may be right - my original question may be more general networking or Linksys specific.  Any advice on the Linksys configuration is appreciated.  I still can't install any network printers at this point.

Not sure what you mean by the M$ side of the network, but I share your concern about wireless security.  I have disabled SSID broadcast and use 128-bit WEP encryption.  Your advice for improving the level of security is also appreciated.
0
 

Author Comment

by:snstevens
ID: 12134130
ShineOn --

I'll check the Windows firewall but am not sure how this would factor in.  When the Tablet PC is connected directly to the LAN by cable all of the local computers & printers show up fine.  I would think if the firewall was a problem it would be affecting both the wired and the wireless connection.  That said, I will double check the Linksys firewall to be sure the firewall is disabled (will have to go in after school hours today).

Any other insights?
0
 
LVL 34

Accepted Solution

by:
PsiCop earned 500 total points
ID: 12135393
I wish I could help with the Linksys config - never touched one. Ascend, Bay and Cisco gear for me, mostly. Hmmmm.....ABC?

I'll caution you that while SSID broadcast may be disabled, it is still transmitted, in the clear, whenever a properly-configured wireless client connects to the WAP. AirSnort will pick it up the moment any wireless NIC connects to the AP. By turning off broadcast, you just make the cracker wait for that.

128-bit WEP is only slightly less breakable than the lesser varieties of WEP. The issue isn't the bits of encryption so much as a keying weakness fundamental to WEP itself. WEP relies on RC4, which itself is not bad/weak encryption, but WEP's implementation of RC4 is flawed. It predictably chooses its Initialization Vectors (IVs), meaning that after at most a few hours with AirSnort, a laptop and a Pringles can, anyone sitting in the parking lot (or lunchroom, or playground) can decipher pretty much anything sent via the wireless connection. A little work and it can be deciphered in realtime.

I hope this isn't at MY niece's elementary school - the public school system is casual enough with what is supposedly federally-protected information. I'd be really annoyed to find out that ostensibly confidential student information allegedly protected by FERPA was being broadcast over something as insecure as WEP.

In order to secure wireless in the environment you describe, you need a VPN tunnel over the wireless connection. The Novell side of the house does that to some extent already - the client-to-server communications are RSA-encrypted.
0
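Added illustration (not part of any poster's comment): the keying weakness described in the accepted answer, shown in Python. WEP keys RC4 with a 24-bit IV followed by the shared secret, so two frames with the same IV get the same keystream whether the secret is 40 or 104 bits long; the IV value, secrets and payloads below are constructed, and random IV selection is assumed for the repeat estimate.

```python
import math
import struct
import zlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling followed by n bytes of output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, secret: bytes, payload: bytes) -> bytes:
    """WEP body: RC4(IV || secret) over payload || CRC-32 ICV, IV sent in the clear."""
    body = payload + struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    return iv + xor(body, rc4_keystream(iv + secret, len(body)))

def keystream_reused(secret: bytes) -> bool:
    """True if two frames under one IV leak the XOR of their plaintexts."""
    iv = b"\x00\x00\x2a"                      # constructed IV value
    p1, p2 = b"constructed frame A", b"constructed frame B"
    c1 = wep_encrypt(iv, secret, p1)[3:]      # strip the cleartext IV
    c2 = wep_encrypt(iv, secret, p2)[3:]
    return xor(c1[:len(p1)], c2[:len(p2)]) == xor(p1, p2)

def frames_until_iv_repeat(iv_bits: int = 24, prob: float = 0.5) -> int:
    """Birthday estimate of frames sent before some IV repeats with the given probability."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - prob))))

if __name__ == "__main__":
    print("64-bit WEP (40-bit secret) reuses keystream:", keystream_reused(b"\x01" * 5))
    print("128-bit WEP (104-bit secret) reuses keystream:", keystream_reused(b"\x02" * 13))
    print("frames until a repeated IV is likely:", frames_until_iv_repeat())
```

The repeat estimate depends only on the 24-bit IV field, which is why moving from 64-bit to 128-bit WEP does not change it.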
 
LVL 35

Assisted Solution

by:ShineOn
ShineOn earned 500 total points
ID: 12138577
If everything works fine wired, and now that you've added the NetWare server to the HOSTS file the NetWare connectivity works wireless, I would suspect something with host name resolution.  If they don't use a Windows domain, but only peer-to-peer "sharing" (which I usually recommend against, btw) then it could be that the router is blocking NetBIOS over IP - which also is a good thing.  Try adding some of the Windows host names & addresses to the LMHOSTS file.
0
 
LVL 2

Assisted Solution

by:specman
specman earned 500 total points
ID: 12143718
Hi;

Your router is indeed interfering with your "normal" connectivity experience.  Netware uses something called SLP to "inform" all of the various devices where the various services are located.  In the case of your printers your system cannot tell your wireless devices where the printers are located because the SLP information cannot get through the router.  If you can live with some of the other limitations you can make do by manually setting up printers on your devices by using their IP address directly.

A lot of this stuff can be fixed up by forwarding the applicable ports etc. on the router (or disabling NAT altogether)... but then you make the security problem even worse.

Using an off the shelf solution such as a Linksys router in your situation is a really bad idea; the above posters mentioned some of the major security problems associated with this.  Without  the mentioned VPN solution you WILL get hacked sooner or later... bank on it.
0
 
LVL 10

Assisted Solution

by:DSPoole
DSPoole earned 500 total points
ID: 12147052
NDPS/iPrint or Queue-based printers?  If they are running purely queue-based, then they require IPX.  I don't think the WAP will do IPX.

How to tell:

1)  plug in the laptop into the wired network and boot up.
2)  select Start | Settings | Printers
3)  right-click on a network printer and select Properties
4)  select the Ports tab and look for a check mark in the Port column

If the port being used is NDPS0x (where x is a number) then you are using NDPS.  If the port being used has a \\<TREE>\.<printer>.<context>.<org> sort of look - then it's queue-based.

0
 
LVL 35

Expert Comment

by:ShineOn
ID: 12147612
Queue-based only requires IPX to the printer.  The client connection can be IP.

If they're using jet-directs and printing IP direct-to-printer on the LAN, and they aren't getting NetBIOS name resolution through the router, they won't "see" the printers when they browse the network using Windoze Explorer, just like they won't "see" the other workstations when they browse the network using Windoze Explorer.

- UNLESS -

All of the Windows PC's and printers names-and-addresses are added to the LMHOSTS file

- OR -

They remove any block on NetBIOS over IP (NetBT) which is an exploit-point and should remain blocked for security's sake.
0
 

Author Comment

by:snstevens
ID: 12147659
PsiCop, ShineOn, specman & DSPoole --

Thanks to all of you for your encouragement and good suggestions.  I particularly value the inputs on security from PsiCop and specman and DSPoole.  I plan to follow-up with the school IT team and establish VPN capability so that we can establish a truly secure wireless environment.  Also, your suggestions caused me to come up with at least a partial solution to the problem.  Interestingly, it doesn't involve the Linksys WRT54G router.  I think ShineOn is the one who got me headed in the right direction.   Here's what I ended up doing (probably in more detail than you guys need, but might be useful to someone else).

Step 1 - Establish Netware connectivity by adding the school's Netware Tree to the file \\C\WINDOWS\System32\drivers\etc.\hosts.  This allows for login to the NetWare environment across the Linksys router (thanks again to waybadmojo for this tip).

Step 2 - Connect the tablet PC to the wired side of the network, and execute START>RUN>CMD.  In the DOS window execute ">ipconfig /all"   Write down the IP address of the WINS Server.

Step 3.1 - Disconnect the tablet PC and go wireless.  Open the Network Connections page from the Control Panels.  Right click the Wireless Local Area Connection.  Scroll down to "Internet Protocol TCP/IP" - select this and click "Properties".

Step 3.2 - Click the "Advanced" button and then click the WINS tab.

Step 3.3 - Click "Add" and enter the IP address of the WINS Server found in Step 2.  While probably not necessary, I made sure that "Enable LMHOSTS Lookup" was also checked.

Step 4 - Don't know if it was necessary, but I rebooted the system.  

Afterward, I was able to access printers on the wired side of the network that had already been added to the laptop (they were added when it was connected on the wired side).  I have not tried adding a new printer wirelessly yet, but I plan to test  specman's suggestion of using IP addresses.

Summary -- I really appreciate all the help and good information you each provided me.  I plan to talk to the school district IT folks to establish a VPN to increase the security of the wireless environment.  I also plan to study DSPoole's suggestion about IPX and see how that plays into this.  Thanks again for all of your help!
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 12147683
I didn't know you had a WINS server in the environment, or I'd have mentioned that - I thought you were peer-to-peer on the Windows side of the aisle.

WINS provides the NetBIOS name resolution so you don't have to use LMHOSTS.
0
 
LVL 10

Expert Comment

by:DSPoole
ID: 12147896
the best way to secure wirelessly and maintain throughput - MAC filtering.

0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12148615
I dunno, ShineOn. MAC filtering is only effective until they figger out that you're using it and reset their NIC to use a MAC you've permitted. Yeah, it adds another layer, and I'm not saying he shouldn't use it, but I'm not sure I'd regard it as the end-all of wireless security (altho every bit helps, and certainly WEP needs all the help it can get).
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 12148683
You mean "I dunno, DSPoole."
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12150604
D'oh!
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12150606
Sorry, ShineOn, looked right thru ya....... :-)
0
 
LVL 10

Expert Comment

by:DSPoole
ID: 12160956
Psi, MAC addresses are 7 bytes in length - being there are 255 possible combinations PER byte, the odds of "figger"ing out a usable MAC address is highly unlikely.  It gets even worse if the system detects TWO MAC addresses on the same segment - then you will notice a problem.  WEP is nice but it adds a layer of complexity to the system - you need to publish keys.  It also slows down the data transfer rate because of the encryption.  Also - who says a user won't share a key?  MAC filtering is all controlled by the admin.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12161077
All I gotta do to get a usable MAC is snort the initial connection. It's broadcasted in the clear.
0
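Added illustration (not part of any poster's comment): since the exchange above turns on whether a permitted MAC can be reused by a second radio, this Python sketch shows one way a monitoring sensor can notice it, by tracking the 12-bit 802.11 sequence number per source MAC. The technique is not one the thread discusses; the frame records, MAC addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

SEQ_MOD = 4096  # 802.11 sequence numbers are 12 bits and wrap at 4096

# Constructed capture: (timestamp, source MAC, sequence number).
# 02:..:aa is used by two radios at once; 02:..:bb is a single station
# that wraps its counter and has one stretch the sensor did not hear.
FRAMES = [
    (0.00, "02:00:00:00:00:aa", 100),
    (0.01, "02:00:00:00:00:bb", 4094),
    (0.02, "02:00:00:00:00:aa", 3000),
    (0.03, "02:00:00:00:00:bb", 4095),
    (0.04, "02:00:00:00:00:aa", 101),
    (0.05, "02:00:00:00:00:bb", 0),
    (0.06, "02:00:00:00:00:aa", 3001),
    (0.07, "02:00:00:00:00:bb", 0),     # retransmission, same number
    (0.08, "02:00:00:00:00:aa", 102),
    (0.09, "02:00:00:00:00:bb", 1),
    (0.10, "02:00:00:00:00:aa", 3002),
    (0.11, "02:00:00:00:00:bb", 200),   # gap from missed frames
    (0.12, "02:00:00:00:00:bb", 201),
]

def find_shared_macs(frames, max_gap=64, min_anomalies=3):
    """Return MACs whose sequence counter jumps too often to be one transmitter.

    A single radio increments its counter by one per frame, so the forward
    distance (modulo 4096) between consecutive frames stays small. Two radios
    sharing a MAC interleave two unrelated counters and produce repeated
    large jumps. One isolated jump is tolerated as capture loss.
    """
    last_seq = {}
    anomalies = defaultdict(int)
    for _ts, mac, seq in frames:
        if mac in last_seq:
            gap = (seq - last_seq[mac]) % SEQ_MOD
            if gap == 0:
                continue                # retransmission, nothing to learn
            if gap > max_gap:
                anomalies[mac] += 1
        last_seq[mac] = seq
    return sorted(m for m, n in anomalies.items() if n >= min_anomalies)

if __name__ == "__main__":
    for mac in find_shared_macs(FRAMES):
        print("sequence counter inconsistent for", mac)
```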
 

Expert Comment

by:jpalazzi
ID: 12922095
hey snstevens
can you help me with the first problem you had?  sounds like the same problem i am having at a school
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 12926525
snstevens,

If you think you can help jpalazzi, he's got a Question open at --> http://www.experts-exchange.com/Networking/Netware/Q_21256461.html
0
