RE: [fw-wiz] Re: SMTP Proxies and Application Proxies for Lotus Domino

From: Ben Nagy (ben_at_iagu.net)
Date: 06/10/03

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 10 Jun 2003 10:37:04 +0200
    
    

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Joseph Steinberg
    [...]
    > Whale Communications offers a Lotus-specific proxy that provides numerous
    > security functions including URL filtering, browser-side security, Air Gap
    > isolation, and more. For more information please see:
    > www.whalecommunications.com/lotus

    Ah, the Air Gap. My favourite firewall snake oil.

    Actually, though, the article linked from that page (including a snazzy
    picture of Mr Steinberg) "Secure Remote Access to Domino" is a very good
    overview, if you cover your ears and go 'la la la la' when you get to the
    'airgap' bits.

    > Message: 2
    > Reply-To: <bolesjb@yahoo.com>
    > From: "Jeff B" <bolesjb@yahoo.com>
    [...]
    > Proxying domino is a big unknown - anybody seen/done this, or have
    > recommendations?

    For Domino webstuff there are lots of nonobvious URLs and characters that
    you need to block. Litchfield did a good article which covers a lot of
    stuff, but it's a bit old, and I hope never to have to do Domino work again,
    so I haven't researched this for a while.

    http://www.nextgenss.com/papers/hpldws.pdf

    Essentially, the basic "put another domino server in the DMZ and replicate"
    architecture works sort of OK, but I'd be less happy with the "put a reverse
    proxy in front of the domino part of the important box" idea. The really
    critical thing is not to let the Internet talk on 1352 to your Notes box.

    I once played with a very simple mail relay that was COTS for NT4, but I
    forget the name now. :( The point is that there does exist a windoze
    solution that does nothing but simple SMTP relay. Jeff - clearly you know
    you should use a stripped open source box running qmail or postfix. Why not
    pay a local place to paint something red? ;)

    ben
