RE: Lotus Notes - Is this a bad thing?

From: Holmes, Ben (Ben.Holmes@getronics.com)
Date: 08/12/02


Date: Mon, 12 Aug 2002 19:42:09 +1000
From: "Holmes, Ben" <Ben.Holmes@getronics.com>
To: <security-basics@securityfocus.com>
<Lots of people> wrote:

> Notes is quite secure and can be secured without VPN.
>
> Make sure you have your firewall set up right...

The thing I was mostly after was about encryption. Thanks to all that
replied; here is what I have recommended:

1. Remember that something secure today may not be tomorrow, so, although
I don't see any current problems with having Notes exposed on the
internet, to *cut down* risks of future problems, make sure the firewall
is restricted to only allow access from the server that is supposed to
be replicating and no other IPs.
2. Try cutting UDP access to the server completely; although the IANA
port listing says it is used by Domino (1352 TCP and UDP), if it still
works without it, block it :) [if it needs it, it needs it, I still have
no info there, but that one is easy to test]
3. Use a current version, apparently old servers used hopeless
encryption for the data
4. Make sure port encryption is enabled on the servers
5. Nobody on this list seems to have ever come across a well set up
notes server being compromised in real life, and most people are happily
running it with no problems.

Notes seems very proprietary. Besides the normal app fuzz testing I
wouldn't know how to even start on it... I feared that this may use a
little security through obscurity. With point 1 and hopefully 2 closed
up, the future script kiddie armed with the latest "Domino Remote Buffer
Overflow" script wouldn't hurt this site doing a scan of every IP that
is known to man for port 1352...

Once again, thanks for replying to this... may your boxes never be
owned.

-- Benjamin Holmes
Technical Specialist
Managed Services Division

Getronics Australia Pty Limited
27 James Street
Fortitude Valley QLD 4006
Australia
Tel: +61 7 3251 7430
Fax: +61 7 3251 7499
E-Mail: brisbane.workshop@getronics.com
www.getronics.com.au

The information transmitted is intended only for use by the addressee
and may contain confidential and/or privileged material. Any review,
re-transmission, dissemination or other use of it, or the taking of any
action in reliance upon this information by persons and/or entities
other than the intended recipient is prohibited. If you received this in
error, please inform the sender and/or addressee immediately and delete
the material.

Thank you.
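Points 1 and 2 of the recommendation above, turned into a small model of the intended firewall policy (an added example, not the poster's configuration; the post does not name a firewall product, so iptables is assumed here). The replication partner address 203.0.113.10, the protected host 192.0.2.5 and the log lines are all constructed placeholders. The block gives a policy verdict for a packet, renders the matching iptables rules with the narrow ACCEPT ahead of the catch-all DROP, and replays logged packets through the policy so that a rule that drifted from "partner only" shows up as a mismatch, while the count of distinct sources touching port 1352 gives a crude indicator of the wide sweep the post worries about.

```python
"""Model of the Domino replication firewall policy from the post: only the
replication partner may reach TCP 1352, UDP 1352 stays blocked unless testing
shows replication needs it, and nothing else reaches the Domino port.
All addresses and log lines below are constructed placeholders."""
import ipaddress
import re
from collections import Counter

DOMINO_PORT = 1352
# Placeholder: the one remote Domino server allowed to replicate with this host.
REPLICATION_PARTNER = ipaddress.ip_address("203.0.113.10")


def decide(src_ip, proto, dport, allow_udp=False):
    """Return the verdict the recommended policy gives one inbound packet.

    allow_udp is the escape hatch for point 2: start with UDP blocked and
    flip it only if replication demonstrably fails without it.
    """
    src = ipaddress.ip_address(src_ip)
    proto = proto.upper()
    if dport != DOMINO_PORT:
        return "DROP"          # nothing else on this host is meant to be reachable
    if src != REPLICATION_PARTNER:
        return "DROP"          # point 1: the replication partner and no other IPs
    if proto == "TCP":
        return "ACCEPT"
    if proto == "UDP" and allow_udp:
        return "ACCEPT"
    return "DROP"              # point 2: UDP off by default


def render_iptables(allow_udp=False):
    """Emit iptables INPUT rules implementing decide(). Order matters: the
    narrow partner ACCEPT precedes the logging catch-all DROP."""
    partner = f"-s {REPLICATION_PARTNER} --dport {DOMINO_PORT}"
    rules = [f"iptables -A INPUT -p tcp {partner} -j LOG --log-prefix 'DOMINO-ACCEPT '",
             f"iptables -A INPUT -p tcp {partner} -j ACCEPT"]
    if allow_udp:
        rules.append(f"iptables -A INPUT -p udp {partner} -j ACCEPT")
    for proto in ("tcp", "udp"):
        rules.append(f"iptables -A INPUT -p {proto} --dport {DOMINO_PORT} "
                     f"-j LOG --log-prefix 'DOMINO-DROP '")
        rules.append(f"iptables -A INPUT -p {proto} --dport {DOMINO_PORT} -j DROP")
    return rules


# Constructed sample in iptables LOG format; only the parsed fields are present.
# The last line is a deliberate policy violation: a non-partner source accepted.
SAMPLE_LOG = """\
Aug 12 19:42:01 fw kernel: DOMINO-DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP DPT=1352
Aug 12 19:42:02 fw kernel: DOMINO-DROP IN=eth0 SRC=198.51.100.8 DST=192.0.2.5 PROTO=TCP DPT=1352
Aug 12 19:42:02 fw kernel: DOMINO-DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.5 PROTO=UDP DPT=1352
Aug 12 19:43:10 fw kernel: DOMINO-ACCEPT IN=eth0 SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP DPT=1352
Aug 12 19:44:00 fw kernel: DOMINO-ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP DPT=1352
"""

LOG_RE = re.compile(r"DOMINO-(?P<verdict>ACCEPT|DROP) .*?SRC=(?P<src>\S+) "
                    r".*?PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)")


def audit_log(text, allow_udp=False):
    """Replay logged packets through decide(). Lines whose logged verdict
    disagrees with the intended policy indicate rule drift; the number of
    distinct sources hitting the Domino port is a rough sweep indicator."""
    drift, sources = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        sources[m["src"]] += 1
        expected = decide(m["src"], m["proto"], int(m["dport"]), allow_udp)
        if expected != m["verdict"]:
            drift.append(line)
    return {"drift": drift, "distinct_sources": len(sources)}


if __name__ == "__main__":
    print("\n".join(render_iptables()))
    report = audit_log(SAMPLE_LOG)
    print(f"distinct sources on {DOMINO_PORT}: {report['distinct_sources']}")
    for line in report["drift"]:
        print("policy drift:", line)
```

The point-2 experiment maps onto the `allow_udp` flag: deploy the rules with it off, confirm replication still runs, and only add the UDP ACCEPT if it does not. The audit step is what turns the "restrict to one IP" advice into something checkable after the fact, since a later rule change that widens access shows up as an ACCEPT the policy would not have given.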