[unisog] Firewalls or Network Access Controls for Netware Servers

Gary Flynn flynngn at jmu.edu
Wed Jun 22 15:15:05 GMT 2005


Hi,

Has anyone attempted to put up protective network
access controls or firewalls between Netware
clients and servers? The number of open ports
and communications mechanisms seems pretty
daunting.

We've classified them as being similar in sensitivity
to our core business systems, and opening them up
completely to clients and depending solely on the
servers' integrity rubs me the wrong way. Even more
so if and when the platform switches from Netware
to SUSE.

Our Netware engineers put together a spreadsheet of
port requirements. Although not all services will
be used (notably Groupwise), exposure of a
significant number of ports to clients appears to
be needed just to cover file and print services,
core Netware services, and ZENWORKS.

http://www.jmu.edu/computing/security/info/netwareports.xls




A TCP port scan of the servers showed the following:

File/Print Server:

PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Netware NWFTPD
80/tcp    open  http         Apache httpd 2.0.52 ((NETWARE) mod_jk/1.2.6a)
81/tcp    open  http         Novell Netware HTTP Stack (HTTPSTK.NLM)
139/tcp   open  netbios-ssn?
389/tcp   open  ldap         (Anonymous bind OK)
427/tcp   open  svrloc?
443/tcp   open  ssl          Novell Netware SSL
524/tcp   open  ncp          Novell Netware NCP
548/tcp   open  afpovertcp?
631/tcp   open  http         Apache httpd 2.0.52 ((NETWARE) mod_jk/1.2.6a)
636/tcp   open  ssl          OpenSSL
1054/tcp  open  unknown      (not on spreadsheet)
1079/tcp  open  unknown      (not on spreadsheet)
1311/tcp  open  msdtc        Microsoft Distributed Transaction Coordinator
2036/tcp  open  ssl          OpenSSL
2148/tcp  open  unknown
2200/tcp  open  ssl          Novell Netware SSL
2211/tcp  open  http         Apache httpd 2.0.52 ((NETWARE) mod_jk/1.2.6a)
3351/tcp  open  unknown      (spreadsheet says Btrieve...is this still necessary in today's netware?)
5051/tcp  open  unknown      (not on spreadsheet)
6389/tcp  open  unknown      (not on spreadsheet)
6901/tcp  open  unknown      (not on spreadsheet)
8008/tcp  open  http         Novell Netware HTTP Stack (HTTPSTK.NLM)
8009/tcp  open  ssl          Novell Netware SSL
9009/tcp  open  unknown
9010/tcp  open  unknown
21571/tcp open  unknown
40193/tcp open  netwareip    Novell Netware/IP (not on spreadsheet)
65434/tcp open  unknown      (not on spreadsheet)


ZENWORKS server:

PORT      STATE SERVICE               VERSION
21/tcp    open  ftp                   Netware NWFTPD
80/tcp    open  http                  Apache httpd 2.0.52 ((NETWARE) mod_jk/1.2.6a)
81/tcp    open  http                  Novell Netware HTTP Stack (HTTPSTK.NLM)
139/tcp   open  netbios-ssn?
389/tcp   open  ldap?
427/tcp   open  svrloc?
443/tcp   open  ssl                   Novell Netware SSL
524/tcp   open  ncp                   Novell Netware NCP
548/tcp   open  afpovertcp?
636/tcp   open  ssl                   OpenSSL
998/tcp   open  busboy?
1050/tcp  open  java-or-OTGfileshare? (not on spreadsheet)
1069/tcp  open  unknown               (not on spreadsheet)
1070/tcp  open  unknown               (not on spreadsheet)
1090/tcp  open  unknown               (not on spreadsheet)
1091/tcp  open  unknown               (not on spreadsheet)
1311/tcp  open  msdtc                 Microsoft Distributed Transaction Coordinator
2036/tcp  open  ssl                   OpenSSL
2148/tcp  open  unknown
2200/tcp  open  ssl                   Novell Netware SSL
2211/tcp  open  http                  Apache httpd 2.0.52 ((NETWARE) mod_jk/1.2.6a)
2638/tcp  open  sybase?
3351/tcp  open  unknown               (Btrieve - still necessary?)
6901/tcp  open  unknown               (not on spreadsheet)
8008/tcp  open  http                  Novell Netware HTTP Stack (HTTPSTK.NLM)
8009/tcp  open  ssl                   Novell Netware SSL
8039/tcp  open  unknown
8089/tcp  open  unknown
9009/tcp  open  unknown
9010/tcp  open  unknown
21571/tcp open  unknown
40193/tcp open  netwareip             Novell Netware/IP (not on spreadsheet)
65433/tcp open  unknown
65434/tcp open  unknown               (not on spreadsheet)




-- 
Gary Flynn
Security Engineer
James Madison University
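
An added example, not part of the original message: one way to reconcile scan output of this shape against a documented port list, so that open-but-undocumented ports are flagged mechanically instead of by hand. The sample scan lines and the `DOCUMENTED` table are constructed stand-ins (the spreadsheet's contents are not reproduced here), and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the scan above; the 80/tcp entry is
# wrapped onto a second line the way the mail client wrapped the original.
SAMPLE_SCAN = """\
PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          Netware NWFTPD
80/tcp    open  http         Apache httpd 2.0.52 ((NETWARE)
mod_jk/1.2.6a)
524/tcp   open  ncp          Novell Netware NCP
1054/tcp  open  unknown
3351/tcp  open  unknown
65434/tcp open  unknown
"""

# Assumption: constructed stand-in for the documented port requirements.
DOCUMENTED = {21: "FTP", 80: "HTTP", 524: "NCP", 2638: "Sybase", 3351: "Btrieve"}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_scan(text):
    """Return {port: (service, version)} for open ports, rejoining wrapped lines."""
    ports, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            port, _proto, state, service, version = m.groups()
            last = int(port) if state == "open" else None
            if last is not None:
                ports[last] = (service, version)
        elif not line or line.startswith("PORT"):
            last = None  # blank line or table header ends any continuation
        elif last is not None:
            service, version = ports[last]
            ports[last] = (service, f"{version} {line}".strip())
    return ports

def reconcile(scanned, documented):
    """Compare the open ports found by the scan with the documented list."""
    open_ports, doc_ports = set(scanned), set(documented)
    return {
        "undocumented": sorted(open_ports - doc_ports),   # open, not explained
        "not_listening": sorted(doc_ports - open_ports),  # documented, not seen open
        "confirmed": sorted(open_ports & doc_ports),
    }

if __name__ == "__main__":
    for status, ports in reconcile(parse_scan(SAMPLE_SCAN), DOCUMENTED).items():
        print(f"{status}: {ports}")
```

The "undocumented" list is the set to resolve with the server engineers before writing any filter rules; the "confirmed" list is the starting point for an allow list between clients and servers.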

