With the powerful directory-integrated features inherent to Novell BorderManager, you can control your usersÕ access to corporate resources and monitor their Internet activitiesÑwhether theyÕre in the office or on the road. Novell BorderManager leverages identity-based access control to ensure that your mobile employees have secure, role-based access to network services from any location.
Moreover, Novell BorderManager provides Internet access control and supports numerous content-filtering solutions. These features protect your network from undesirable Internet content, including programs that destroy or steal data, games that waste usersÕ time and Web content that exposes your company to legal liability.
www.novell.comTE C H N I C A L W H I T E PA P E RNovell BorderManager 3.8Untitled Document2256912121313PR O T E C T Y O U R N E T W O R K A G A I N S TI N T E R N A L A N D E X T E R N A L T H R E AT SA C C E S S C O N T R O LP R O X Y S E RV I C E SV P N F I R E WA L LM O N I TO R A N D L O G I N T E R N E TA C T I V I T YN O V E L L N S U R E S E C U R E I D E N T I T YM A N A G E M E N T S O L U T I O N SC O N C L U S I O NS Y S T E M R E Q U I R E M E N T SNovell BorderManager 3.8Table of ContentsUntitled DocumentNovell BorderManager supports industry standardsand leverages the security and scalability of bothNovell eDirectory"and LDAP-compliant directorieson Linux*, NetWare , Windows* and UNIX* networks. Novell BorderManager enables you to extendyour business infrastructure beyond your firewallswithout compromising security. It allows you toprotect your resources, improve productivity andsignificantly reduce costs. In conjunction withother Novell Nsure"services including provisioning,Web access management and single sign-on Novell BorderManager helps you create acomprehensive secure identity managementsolution for your entire organization.AC C E S S C O N T R O L Not surprisingly, Web traffic consumes themajority of network bandwidth. In uncontrolledworkplaces, users spend at least some work timesearching for recreational Web sites (such as news and entertainment Web sites). If users areaccessing recreational content on company time,they re limiting the bandwidth available to otheremployees and cutting into your bottom line. NovellBorderManager 3.82Protect Your Network AgainstInternal and External ThreatsNetwork security remains a top priority for organizations worldwide. In a ComputerInstitute annual survey, 90 percent of the respondents from large corporations and gov-ernment agencies reported having had security breaches in a 12-month period. Novell BorderManager 3.8 virtually eliminates security breaches by providing an integratedsecurity solution that safeguards your network against internal and external threats.Strong and reliable, Novell BorderManager includes firewall, VPN and proxy technolo-gies that protect networks and resources, while ensuring end-user productivity.With the powerful directory-integrated features inherent to Novell BorderManager,you can control your users access to corporate resources and monitor their Internetactivities whether they re in the office or on the road. Novell BorderManager lever-ages identity-based access control to ensure that your mobile employees have secure,role-based access to network services from any location. Moreover, Novell BorderManager provides Internet access control and supportsnumerous content-filtering solutions. These features protect your network from unde-sirable Internet content, including programs that destroy or steal data, games thatwaste users time and Web content that exposes your company to legal liability.Untitled DocumentThe Novell BorderManager access controlfeature enables you to set rules that limit users access to online content based on a variety ofcriteria. For example, you can manage useractivity by service, node or network address, URL, time of day, content category, user identity,group membership and a variety of other criteria.Access control ensures that your network bandwidthis only used for productive, business-relatedactivities. It can also protect users from accessingpotentially harmful Web sites, such as a Web sitethat contains a virus. Access control offers a full range of securitybenefits, including the following:" Provides all levels of security, includingNetwork and Transport layer firewall via packetfiltering and network address translation, and Application layer firewall security through multiple proxies." Supports an overall security policy that can be customized according to individual users,user groups, time of day, application andother criteria." Specifies which requests should be allowedand which should be denied, based on whetherthe requests are made through proxy servicesor a VPN.The Novell BorderManager access controlfeature consists of two components: access rulesand access control lists.Access RulesConfigured in Novell eDirectory, access rules arethe primary elements of access control. The NovellBorderManager server typically positioned betweenyour company s intranet and the Internet appliesthese rules to all requests, regardless of whetherthe requests come through the proxy services or a VPN. By creating Allow or Deny rules, you can grantor deny access to any of the following resources:" Many network and Web services " Novell BorderManager proxy services " VPNs " URLs Ideal for providing fine-grained security, accessrules can be configured at the following NovelleDirectory object levels:" Country (C) " Organization (O) " Organizational Unit (OU) " Server Access Control ListsWhen Novell BorderManager is loaded onto aserver, it collects the access rules created at eachdirectory object levels. It first collects rules fromthe Server object, then from the OrganizationalUnit object above the Server object and so on.Once it has collected all sets of access rules, they are used to create the Novell BorderManagerserver s access control lists (ACLs). This consolidatedlist of rules controls the destinations or servicesthat objects are permitted to access through theNovell BorderManager server, as well as when anobject can access them. Because you can configureand store access rules in different directory objects,Novell BorderManager 3.83Untitled Documentyou can establish a hierarchical relationship of access-control rules to block content at different levels.This would enable you, for example, to block Web access during business hours for all company employeesexcept those in the marketing department. The following figures depict how you can control both Internet and intranet access at the networklevel. An employee s request for Internet content must pass through the BorderManager server beforebeing sent to the Internet. Figure 1 illustrates how access control rules allow requests for authorizedinformation to be granted while requests for illegal content are blocked. Figure 1: Access controlprevents an employee fromaccessing inappropriate Web resources.Access control can also protect your networkagainst harmful or illegal content that users mayunwittingly access. For example, an employeecould access a Web page that contains a virus. NovellBorderManager 3.84By downloading this page, the employee couldinfect both his workstation and the network.Access control ensures that the harmful contentcannot breach your network s boundaries.Untitled DocumentFigure 2: Access controlprevents harmful contentfrom entering your network.Novell BorderManager 3.85PR O X Y S E RV I C E S Novell BorderManager proxy services enhancenetwork security, improve user productivity andnetwork performance and reduce your organization sexposure to liability. Novell BorderManagerapplication proxies are application-level gatewaysthat allow you to control the ports and addressesthat users are authorized to access. The proxiesexecute the access rules that specify whetheraccess is allowed or denied from a specifiedsource to a specified destination. The source maybe an Internet Protocol (IP) address, a range ofaddresses, a subnet address or a directory object(user, group or container). The destination may be a service running on the Novell BorderManagerserver, IP addresses/ports, URL patterns orcategories from a content filtering database, such as SurfControl*, N2H2* or Connectotel.The HTTP application proxy verifies accessrights through the directory and supports SecureSockets Layer (SSL) tunneling and user certificates.Used together, SSL tunneling and user certificatescreate an encrypted path between client andserver that protects information from interceptionand tampering. Novell BorderManager proxy services alsoimprove network performance by caching frequentlyrequested Internet information. This reduces thebandwidth consumed by redundant requests forinformation, decreases the load on the Internetconnection and shortens the required downloadtime. This, in turn, improves user productivity.Novell BorderManager proxy services use threeprimary types of caching:" Forward Proxy Caching (Web ClientAcceleration). In a forward proxy cache, the proxy server is located between clientsand the Internet. This proxy server makesrequests to Web servers for the intranetclients, using appropriate protocols such asUntitled DocumentNovellBorderManager 3.86HTTP , FTP and Gopher. The proxy server thencaches frequently requested URLs, HTML pagesand FTP files. Subsequent requests for thatcontent are supplied to the client from theproxy server s own cache. This eliminates thedelay that occurs when users access a Website and minimizes the traffic between thecorporate network and the Internet." Internet Caching Protocol (ICP) Hierarchical Caching (Network Acceleration).ICP hierarchical caching is implemented with multiple proxy servers configured in ahierarchical or mesh topology. This topologyis characterized by proxy servers that areconnected in parent-child and peer relation-ships. If a miss occurs the proxy cannot findthe information in the first server contacted the proxy contacts the other servers in themesh. The nearest proxy server that has therequested information in its cache forwardsthe information to the requesting proxy,which in turn forwards it to the requestingclient. By reducing the wide area network (WAN)traffic load, ICP hierarchical caching freesvaluable bandwidth. In addition, because therequested information is sent from the nearestproxy server, network delays are minimized.This reduces user wait times and increasesuser productivity. Novell BorderManager alsosupports CERN cache hierarchies." Reverse Proxy Caching (Web ServerAcceleration or HTTP Acceleration). Withreverse proxy cache, the proxy server acts asa front end to one or more Web servers andcaches all information that is stored on thoseWeb servers. Novell BorderManager retainsreverse-proxy functionality for existingcustomers, and Novell offers a full-featuredreverse-proxy solution in Novell iChain ,another premier Novell security product.Novell BorderManager proxy services supportthe following protocols and applications:" HTTP (0.9, 1.0 and 1.1), including HTTPS and Secure Sockets Layer (SSL) " FTP " Domain Name System (DNS) " Gopher " Simple Mail Transfer Protocol/Post OfficeProtocol 3 (SMTP/POP3) " Network News Transfer Protocol (NNTP) " RealAudio* and RealVideo* " Real Time Streaming Protocol (RTSP) " SOCKS 4 and 5 " Generic TCP/UDP " HTTP Transparent proxy " Telnet Transparent proxy V P N Novell BorderManager also includes VPN services,which enable your company to securely connectthe corporate intranet with other intranet sites,remote users and business partners, using thepublic Internet. The information transmittedacross the VPN via the Internet is encrypted toprevent unauthorized access by eavesdroppers. In addition, the information is checked foraccuracy to detect tampering by hackers.Novell BorderManager VPN services integratewith Novell eDirectory or fully compliant LDAPUntitled DocumentNovell BorderManager 3.87directories to simplify VPN management andadministration. Novell BorderManager is highlyscalable it can support up to 256 sites per tunneland can more than 1,500 remote users per gateway.Novell BorderManager includes VPN clients forWindows 98, NT 4.0, 2000, Me and XP . You can alsoconnect to the BorderManager server using third-party VPN clients for the MAC* OS (VPN Tracker www.equinox.com) and Linux (Openswan www.openswan.org). Support for these clients leveragesthe use of either pre-shared secrets or X.509certificates for authentication.The VPN component provides remote userswith access to network resources, and NovellBorderManager includes Novell Client Firewall 2.0to protect remote users VPN access.VPN Architecture Novell BorderManager VPN services are built on astandards-based architecture that is integrated withNovell eDirectory and supports any fully compliantLDAP directory. This ensures maximum flexibility,simplifies VPN management and administration andallows you to authenticate users against any LDAPdirectory, such as eDirectory, Microsoft ActiveDirectory* or iPlanet*. Advanced Authentication MethodsWith its inclusion of Novell Modular AuthenticationService (NMAS") Enterprise Edition, NovellBorderManager supports more than 50 advanced-authentication methods, easily surpassing thenumber offered by any other VPN solution on the market. As a result, your mobile employeescan use tokens, smart cards, x.509 certificates,biometrics, proximity cards and other supportedmethods alone or in combination to securelyaccess data via the VPN.The solution also allows you to lock downremote workstations in accordance with yourcorporate security policies. For example, if aremote workstation has been inactive for a certainperiod of time, the user will have to authenticateagain before regaining access.Standards-basedAs an IPSec-based VPN service, Novell BorderManagerinteroperates with any IPSec certified product,including VPN equipment from Cisco, Check Point,Nokia and dozens of others. Its VPN tunneling isbased on Internet Key Exchange (IKE) and the SimpleKey Management for Internet Protocols (SKIP).Novell BorderManager uses Novell InternationalCryptographic Infrastructure (NICI) on both theclient and server with a FIPS 140-validatedencryption engine. Novell BorderManager supports the following hashfunctions and shared-secret key and data encryption: BITSHASH FUNCTION192 Triple-DES in CBC 160Keyed SHA1HMAC SHA1128Keyed MD5HMAC-MD5RC2 in CBCRC5 in CBC64RC2 in CBCRC5 in CBCDES in CBC40RC2 in CBCRC5 in CBCUntitled DocumentNovellBorderManager 3.88Directory IntegratedNovell BorderManager authenticates all usersthrough Novell eDirectory or an LDAP-compliantdirectory to ensure that only authorized VPNcommunity members are permitted to use the VPN.Administrators control access to the VPN througha user ACL stored in the directory. This means that administrators can manage VPN users in the same directory tree that they use to manageother network users; they don t have to maintaina separate directory for VPN users.VPN ConfigurationNovell BorderManager allows a company to cost-effectively connect local area networks (LANs)and remote users by using the Internet as a low-cost backbone. Two possible VPN configurationsare available: site-to-site and client-to-site.Site-to-site VPNUsing a site-to-site VPN, a company can connectindependent LAN segments into a single, cohesiveWAN, using the Internet as the linking medium. A site-to-site VPN is implemented by installing a Novell BorderManager server at each site andconnecting the servers through the Internet. The servers can be connected in a mesh or starconfiguration. A company can also use the site-to-site VPN configuration to create an extranet thatconnects the corporate network with its businesspartners networks. Client-to-site VPNBy implementing a client-to-site VPN, a companycan give remote users economical and secure accessto the network resources they need, regardless ofthe users location or the location of resources. To use a client-to-site VPN, a user with theNovell BorderManager client connects to theBorderManager Server via the public Internet from anywhere using any ISP . That server acts as a gateway to the VPN. To ensure optimum performance, the NovellBorderManager client can be configured to usesplit tunneling in which it encrypts only theinformation sent to and from protected networks(instead of encrypting all data being sent,regardless of destination). Untitled DocumentNovell BorderManager 3.89FI R E WA L L Traditionally, firewalls were designed as barriersto keep people out. In today s world of eBusiness,however, a firewall must be more selective. It stillneeds to keep out unauthorized users, but it alsoneeds to make your network resources availableto customers, partners, suppliers and employees.The Novell BorderManager firewall is ICSA certifiedand offers proven protection against undesirableWeb content.Novell BorderManager employs several types of filtering so that you can determine with a highdegree of granularity which traffic can cross yourborder. This granularity is necessary to protectagainst viruses and a number of malicious attacks,including crippling denial-of-service attacks. With filtering you can also control which sites your employees access, thereby eliminating the temptation to visit inappropriate sites oncompany time. Novell BorderManager filters are easy to configure, with an easy-to-use Webbrowser interface. " When you extend the boundaries of yourcompany s network with VPN services, users client machines become entry points to yourcompany s network. Novell BorderManagerincludes enhanced firewall functionality toprotect VPN clients from unauthorized access.Novell BorderManager includes the followingfirewall-filtering components: Figure 3: Implementation ofNovell BorderManager VPNas a Low-Cost WANImplementing Novell BorderManager VPN ServicesThe following illustration depicts how you could use the Internet as a backbone to connect multiple,geographically separate LANs and remote users into a large, private, yet low-cost WAN:Untitled DocumentNovellBorderManager 3.810" Packet filtering " Static packet filtering " Stateful packet filtering " Fragmented packet filtering " TCP ACK bit filtering " Virus pattern filtering " Content filtering " Packet filteringNovell BorderManager employs packet-filteringtechniques to provide a basic level of networksecurity for your organization. Novell BorderManagerpacket filtering is based on IP addresses, enablingyou to reject user requests for unauthorized Webapplications. For example, you can prevent usersfrom accessing AOL Instant Messenger* or Webradio stations during regular business hours.Novell BorderManager utilizes several differentmethods of packet filtering, including:" Static packet filtering " Stateful packet filtering" Fragmented packet filtering " TCP ACK bit filteringEach type of filtering has its own strengths andlimitations, as described in the following sections.Novell BorderManager provides you with thestrongest possible packet filtering by using all four types in combination.Static Packet FilteringThe least sophisticated of the filtering types,static packet filtering accepts or denies packetsbased on four criteria:" Protocol ID (e.g., Transmission ControlProtocol [TCP], User Datagram Protocol [UDP]and Internet Control Message Protocol [ICMP]) " Source IP address and port number " Destination IP address and port number " Router interface for the incoming or outgoing packetThe rules for static packet filtering areextremely simple either all packets pass or nonepass. For example, you accept all TCP packets or you accept none, or you permit all requests to a particular Internet host or you permit none.This type of filtering is useful when blockingtraffic to entire Internet sites such as The DilbertZone or eBay. Its simplicity also makes it highlyefficient, requiring fewer computational andbandwidth resources than other types of filtering.Connections for various services, such as e-mail,FTP and Telnet can be denied by filtering thepackets attempting to use that service or port number.Firewalls based on static packet filtering areNetwork-layer devices that cannot process higher-layer information. They cannot check for applicationrequests, nor can they keep track of applicationstate information. A static packet-filtering firewallcannot determine, simply by examining the headerof an incoming packet, whether the packet is thefirst packet from an external client to an internalserver or a response from an external server to aninternal client. The level of protection providedby this type of firewall is limited.Untitled DocumentNovell BorderManager 3.811Stateful packet filteringNovell BorderManager stateful packet filteringovercomes the limitations imposed by the all-or-nothing rules of static packet filtering. This typeof filtering permits an internal client to initiate asession with an external Internet host but does notallow that host to initiate sessions with internalclients. When an outgoing packet is transmitted to the Internet, a reverse filter is dynamicallycreated to allow the response packet to return.The reverse filter is created by extracting thefollowing packet information:" Source IP address " Source interface " Source port " Destination IP address " Destination interface " Destination port " Protocol typeThis information is stored in a table, which iscompared against the reply. If an incoming messageis not a reply to the original request, then it isdropped. This dynamically created filter set isused to determine the subsequent packet transfersuntil the connection is closed.To be counted as a response, the incomingpacket must be from the host and port to whichthe outbound packet was sent. Stateful packetfiltering supports both connection-oriented andconnectionless protocols (TCP , UDP , ICMP , etc.). " Stateful packet filtering monitors eachconnection and creates a temporary (time-limited) inbound filter exception for the connection. This allows you to blockincoming traffic originating from a particularport number and address while still allowingreturn traffic from that same port numberand address.Fragmented Packet FilteringThe Novell BorderManager fragmented packetfiltering component helps to protect your networkagainst denial-of-service attacks by examining allpackets and packet fragments. One method oflaunching a denial-of-service attack is to takeadvantage of packet fragments. Some Layer-2datagrams are longer than the allowed limit, so they are broken up into fragments. The firstfragment has the complete header and transportinformation, but the subsequent packets indicateonly to which fragment they belong and in whichorder. Typical firewalls only examine the firstpacket and allow the subsequent fragments topass through unchecked. If the first fragment is disallowed, the later fragments cannot bereassembled by the target host, and no connectioncan be made. Now, however, malicious users floodnetworks with fragment packets consuming enoughcomputing resources and bandwidth to slow oreven stop legitimate network traffic.Unchecked fragments also leave your networkvulnerable to port scans. Port scans give malicioususers information about the software that isrunning on a machine, which in turn can reveal ahost s vulnerabilities. By setting the fragment biton a non-fragmented packet, would-be intruderscan send packets through firewalls and get returnpackets that contain port information. Untitled DocumentNovellBorderManager 3.812To protect against fragment attacks, Novell BorderManager examines all packets,including fragments. When the first packet isdiscarded, Novell BorderManager also discards the subsequent fragments that share the samesource and destination IP addresses and interfaces.This capability is built into the IP stack instead ofthe filtering facility, thereby creating a superiorsecurity system.Transmission Control Protocol ACK (TCP ACK)Bit FilteringTCP is a connection-oriented, reliable transportprotocol. When TCP ACK bit filtering is enabled,you can prevent incoming TCP request packets fromentering your company s network. This preventsintruders from initiating TCP sessions with internalservers or clients, while still allowing internalusers to initiate TCP sessions with the outsideworld. In addition, setting the TCP ACK bit filterprotects your network from common attacks such as synchronize (SYN) flooding. Content FilteringAs part of its access-control functionality, Novell BorderManager supports more than 40Internet content-filtering categories from partnerssuch as SurfControl, N2H2 and Connectotel. It alsosupports free databases such as the squidGuardBlacklist through integration with ConnectotelLinkWall. This support prevents undesirable andpotentially dangerous content from entering your network, disrupting operations anddistracting employees.Administrators define access rules using thecategories from their chosen content filteringsolution. Rules that use the content filteringcategories can be placed on server, organizationalunit or organization objects.Virus Pattern FilteringNovell BorderManager also includes virus-pattern-filtering functionality that protects against HTTP-based viruses, such as Nimda.MO N I TO R A N D L O G I N T E R N E T A C T I V I T YIn today s increasingly regulated businessenvironment, Novell BorderManager increases yourability to avoid liability exposure. It does morethan just allow you to keep offensive content offthe network to avoid creating a potential hostileenvironment or to prevent illegal activities fromoriginating from within your network. It includessupport for Novell Nsure Audit to allow you tomonitor and log all Internet activity, providing you proof to support disciplinary actions againstemployees or to demonstrate regulatory compliance.This forensically robust logging of all activityprovides non-reputable evidence of what goes onwithin your network, providing your organizationthe protection it needs.N O V E L L N S U R E S E C U R E I D E N T I T YM A N A G E M E N T S O L U T I O N S Novell BorderManager is just one of acomprehensive set of Novell Nsure secure identitymanagement solutions, a robust combination of the Novell security products you need toprotect your network resources. All of the NovellNsure secure identity management solutions aredirectory-based, which means that you controlUntitled DocumentNovell BorderManager 3.813access to your network resources according tocompany policies and user identities. Novell Nsuresecure identity management solutions include thefollowing products:" Novell eDirectory. Enables you to capture,store, organize and leverage all of the identityinformation needed to assign individual accessrights to employees, customers and partners" Novell Account Management. Integrates allthe platforms within your network so they can be managed through the identities inNovell eDirectory " Novell iChain. Helps control personalizedaccess to applications, Web resources andnetwork resources across your organization " Novell Modular Authentication Service(NMAS). Integrated into Novell BorderManager ,NMAS allows you to implement a variety ofauthentication methods for the highest levelsof network security " Novell SecureLogin. Allows users to accessmultiple resources with a single sign-on" Novell BorderManager. Regulates employeeaccess to the Internet and accelerates digital-content delivery " Novell Nsure Identity Manager. Unifiesidentity across resource and location barriers,giving enterprises the foundation to securelydeliver the right resources to the right people anytime, anywhere " Novell Portal Services. Consolidates allnetwork resources into a convenient, easilyaccessible Web page" Novell Nsure Audit. Provides secure loggingand auditing to help you reduce yourorganization s liability and risk by ensuringcompliance with governmental regulationsand business-driven security policies" Novell Nsure Resources". Automates theprocess of granting or revoking employeeaccess to business resourcesWith Novell Nsure secure identity managementsolutions, you can realize the one Net vision: yourintranet, extranet and the Internet will worktogether securely as one Net. You can simplify thecomplexities of your business processes andprovide your customers, partners and employeesworldwide with secure, seamless access tonetwork resources. C O N C L U S I O N Novell BorderManager firewall and VPN servicesprovide unparalleled security against bothexternal and internal attacks. Its forward-proxydesign and caching features increase theefficiency and speed of Internet access for yourusers and also allow you to filter out harmful orundesirable Web content. Novell BorderManagerallows you to give all of your users employees,customers, partners and suppliers secure, remoteaccess via the Web or VPN to the right resourcesbased on their role or relationship with yourenterprise so they can do business productively.S Y S T E M R E Q U I R E M E N T S Server Hardware Requirements" Server-class PC with Pentium* II or higherprocessor Untitled Document462-001379-001 2004 Novell, Inc. All rights reserved.Novell, the Novell logo, NetWare,BorderManager and iChain are registeredtrademarks, and eDirectory, NMAS,Nsure, Nsure Resources and the N logoare trademarks of Novell, Inc. in theUnited States and other countries.*Linux is a registered trademark ofLinus Torvalds. Windows andMicrosoft Active Directory areregistered trademarks of MicrosoftCorporation. UNIX is a registeredtrademark of X/Open Company Ltd.SurfControl is a registered trademarkof SurfControl Plc. RealAudio is aregistered trademark and RealVideo is a trademark of RealNetworks, Inc.AOL Instant Messenger is a servicemark of America Online, Inc. Mac is a registered trademark of AppleComputer, Inc. Pentium is a registeredtrademark of Intel Corporation. iPlanetis a trademark of Sun Microsystems.N2H2 is a trademark of N2H2, Inc.All other third-party trademarks arethe property of their respective owners.Novell Product Trainingand Support ServicesFor more information aboutNovell s worldwide producttraining, certification programs,consulting and technical supportservices, please visit:www.novell.com/ngageFor More InformationPlease contact your local NovellAuthorized Reseller", systemhouse, or service provider. Or visitus at: http://www.novell.com/products/bordermanagerYou may also call Novell at:1 888 321 4272 US/Canada1 801 861 4272 Worldwide1 801 861 8473 FacsimileNovell, Inc.1800 South Novell PlaceProvo, Utah 84606 USA www.novell.com" Super VGA or higher resolution display adapter" One or more network boards installed " CD-ROM drive" PS/2 or serial mouse" DOS partition with at least 250MB " 4GB SYS volume recommended " Minimum 2 GB dedicated CACHE volumerecommended " 256 MB RAM recommended Server Software Requirements" NetWare 5.1 SP6, NetWare 6.0 SP3 or NetWare 6.5" eDirectory 8.6.2 (Minimum) or 8.7.1(Recommended) with LDAP enabledWorkstation Requirements" Most NBM services may be used by any IP-enabled computer regardless of hardwareor operating system " Proxy single sign-on is provided for Windowsworkstations running the NetWare Client. " VPN Clients are provided for Windows 98, NT 4, 2000, Me and XPNovell BorderManager 3.814