Solved

Security Concerns

Posted on 2004-04-28
Last Modified: 2013-12-18
Hi everyone,

I have a new boss not familiar with Lotus Notes and he is inquiring into how secure my Domino Web applications are.  I told him Notes has several layers of security from database, view, document, section, field, etc. but he was concerned because I didn't have any SSL connection and that somebody could intercept a person's Username and Password when they sign on to one of my web apps.  I don't know much about SSL but is it possible for somebody to intercept an authentication signon??  Is there other security I should be looking into besides the Notes built-in security I mentioned??

Thanks,

-Patrick
Question by:snocross
20 Comments
 
LVL 46

Accepted Solution

by:
Sjef Bosman earned 25 total points
ID: 10940775
Yes, it is possible to intercept the logon. Notes has SSL capabilities; it doesn't take that much to set it up. Please check your Admin Help on SSL and Internet keys. You don't have to set up the whole rigmarole for SSL to work.
 
LVL 5

Author Comment

by:snocross
ID: 10940824
Ok so is the login the only real problem area?  I've seen some other posts where users are using SSL for just login (somehow) because of performance issues.  Once authenticated is there still a need for SSL?
 
LVL 5

Author Comment

by:snocross
ID: 10940844
Also, can I set up SSL for just ONE single database on my server so I can test it without affecting all of my current applications?

Thanks!
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 10940920
If someone can intercept your logon, he can also capture the whole session if you log on using a secure method and switch to ordinary HTTP. How secure do you want it to be? That's for you to answer :)

The server must be enabled for SSL, not a database. Then the user will be offered the choice to use http:// or https://, the latter being Secure HTTP. There is an option in the Database Properties, under Web Access, that you can set: Require SSL connection, so the server will automatically switch to SSL.
 
LVL 5

Author Comment

by:snocross
ID: 10940987
Very interesting... well I don't think it is such a concern but my boss I'm sure will want it as secure as possible... I'm just afraid to play with this on our production box.
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 10941209
So you have a test system as well? Read in the Admin Help, in the Index, go to SSL Servers, and look in setting up application, Setting up the Server Certificate Admin application. All the info required is also there.

It's fairly straightforward, and normally all other Domino-stuff should continue to work. You can test if SSL is already enabled by trying to use https:// on a valid URL on your system. It will probably timeout...

Why "normally"? It's Notes, ain't it? Hope the others here will agree with me.

Sjef :)
 
LVL 31

Assisted Solution

by:qwaletee
qwaletee earned 20 total points
ID: 10942035
The only big deal with SSL is the source of your certificate.  Do you want to pay for a commercial one?  Do you want to self-generate... but then your users have to accept the certificate, which can be ugly?

The only other things you will run into:

1) If you disable HTTP altogether, then any links from the outside will still point to HTTP, and they will fail -- and you may even have internal links

2) If you allow both HTTP and HTTPS, those links will work, but you have a potential hole where the HTTP traffic can still be accepted
 
LVL 63

Expert Comment

by:Zvonko
ID: 10942678
Hello Sno,
what version is your Domino where you want this SSL to run?

 
LVL 5

Author Comment

by:snocross
ID: 10942969
I believe it's 5.12
 
LVL 5

Author Comment

by:snocross
ID: 10942970
...and hello back!
LVL 63

Assisted Solution

by:Zvonko
Zvonko earned 20 total points
ID: 10943015

I have a wonderful application for SSL certificate requests workflow, but it is running with R6 :(

I lost all email addresses. Send me an email to ee@zvonko.net

 
LVL 13

Assisted Solution

by:CRAK
CRAK earned 20 total points
ID: 10943046
Hey bro!
Have you been out for a while?

I used to do projects at a bank (R4.5 / 4.6 era). Because of this issue we weren't allowed to distribute "critical" data over the intranet, using Notes/Domino. I don't know if SSL was ever considered and why it wasn't applied.

For the company that I actually work for, we've applied RSA's Secure ID to protect our data:
http://www.rsasecurity.com/company/news/releases/pr.asp?doc_id=347
(haven't seen any R6 related doc's easy to reach yet!)

There's an article about our protected applications too:
http://www.rsasecurity.com/products/securid/success/TISH_CP_0500.pdf#xml=http://www.rsasecurity.com/programs/texis.exe/webinator/search/xml.txt?query=domino&pr=default&order=r&cq=&id=408f72f114
The company's name "Time/Share" was later changed into "E'liantie".

Each user requires a token. We used keyrings, but credit card-like devices or software tokens are available too.
When the user logs on to the Domino server, he/she will first get a customised login screen. This will ask for (if I remember correctly) a user id and a number.
This number is generated every certain amount of time (20sec?) by an algorithm in the token, looking quite random. The username is linked to his/her token's serial no. The server is fed with these id's and their logic, so the server is capable of generating just that number.
When the client and the server come up with a different no., their times may be out of sync. The user is then required to enter the next displayed number. That's enough to get them synced again.
If the two have a matching username & token number, the user moves on to the next level: Notes username (must be identical to the previous username; case sensitive too!) and Domino http password.
Part of this procedure is -I believe- transmitted over SSL.

Tokens operate for about 2 years. I have never been involved with purchase (fortunately), but back then they were (again: I believe) about $80.

AFAIK we currently no longer use the tokens. A number of tokens arrived or were returned by our customers broken. They didn't look damaged, but sometimes the LCD display didn't show all digits correctly. Our customers could no longer login to our network and as a result had trouble continuing their businesses. Perhaps the software tokens are more stable....
Mine died after about 3 years: flat battery. Can't replace those!

Your Domino server is (was?) supposed to run on NT or 2000. Additional software is installed (applets?), providing you with an administration tool for the tokens and the server side validation of token numbers.

Hope that wasn't too confusing. As long as the tokens are ok, the system works pretty good. I'm not a hacker, never tried to bypass the security (other than using my notes id with manager access to databases) and I must admit: if the price is no objection, then it'll get your system secure as... ehhhh.... Fort Knox???
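The token flow CRAK describes above (a number that changes every interval, a server that can compute the same number, and a second "next number" when the two clocks have drifted apart) can be illustrated with a small time-step one-time-code verifier. This is an added example, not code from this thread or from RSA: it uses a generic HMAC-based construction in the style of RFC 4226 rather than SecurID's own algorithm, and the 20-second step, the user name and the secret are constructed values.

```python
import hashlib
import hmac
import struct

STEP = 20          # seconds each code stays valid (the post recalls ~20 s)
WINDOW = 1         # +/- steps accepted silently (normal clock jitter)
RESYNC_RANGE = 10  # +/- steps searched before asking for the "next code"

def step_at(ts: float) -> int:
    return int(ts // STEP)  # which time step a clock reading ts falls in

def token_code(secret: bytes, step: int) -> str:
    """Six-digit code for one step: HMAC-SHA1 of the step, RFC 4226-style truncation."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

def token_display(secret: bytes, now: float, skew: float = 0.0) -> str:
    return token_code(secret, step_at(now + skew))  # skew: token clock error

class TokenServer:
    def __init__(self):
        self.users = {}    # user -> [secret, drift_in_steps learned so far]
        self.pending = {}  # user -> candidate drift awaiting the next code

    def enroll(self, user: str, secret: bytes) -> None:
        self.users[user] = [secret, 0]

    def verify(self, user: str, code: str, now: float) -> str:
        secret, drift = self.users[user]
        base = step_at(now) + drift
        for d in sorted(range(-RESYNC_RANGE, RESYNC_RANGE + 1), key=abs):
            if hmac.compare_digest(token_code(secret, base + d), code):
                if abs(d) <= WINDOW:
                    return "ok"
                # Drifted: remember the candidate, ask for the next number.
                self.pending[user] = drift + d
                return "resync"
        return "fail"

    def confirm_resync(self, user: str, next_code: str, now: float) -> str:
        candidate = self.pending.pop(user, None)
        if candidate is None:
            return "fail"
        expected = token_code(self.users[user][0], step_at(now) + candidate)
        if hmac.compare_digest(expected, next_code):
            self.users[user][1] = candidate  # commit the learned drift
            return "ok"
        return "fail"
```

A token whose clock is a few steps fast is rejected on the first code, accepted once the follow-up code confirms the same offset, and then verified on the first try from then on.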
 
LVL 5

Author Comment

by:snocross
ID: 10943100
Hi Crak, wow that's a lot to read... I actually have to leave for the day to pick up my truck at the shop so I will read this further tomorrow morning.  I will write you too Zvo...

Thanks
-Snocross
 
LVL 15

Assisted Solution

by:Bozzie4
Bozzie4 earned 20 total points
ID: 10943235
Create a self-certified certificate for use on your servers, and SSL is set up.  It's as simple as that.

If you use session-based authentication, then it's correct that you don't send any clear-text passwords over the line, so you could only authenticate over SSL, and then work further over HTTP.  I don't recommend doing that, however.

If you want to 'see' what's transmitted over the line (and what a hacker would potentially use to break in), use ethereal or some other sniffer to check the network.  Also, do the same after you set up SSL.

A solution we sometimes use is an SSL reverse proxy.  That way, the Domino servers only serve HTTP, and the reverse proxy puts this into an SSL tunnel.  This is possible using Apache, but there are also hardware solutions (Netscreen has one) and Websphere Edge Server (or something) can do this too.

SSL won't protect you against brute-force password attacks, nor against users with bad passwords (too short, too simple); it only protects the 'transport' between the webserver and the client.  If your boss is really into security, you'll also want to build in checks against brute force attacks, policies against bad passwords, or even (as Crak mentioned) use a security token.  A good Linux system engineer can set up Apache running an SSL capable reverse proxy for your webservers in a day, hardened against some common attacks ...

cheers,

Tom
 
LVL 19

Assisted Solution

by:madheeswar
madheeswar earned 20 total points
ID: 10945851
Here is the link on how to achieve SSL:

http://oldlook.experts-exchange.com:8080/Applications/Email/Lotus_Notes/Q_20615492.html

Hope it helps.

~madheeswar
 
LVL 5

Author Comment

by:snocross
ID: 10949809
Man this is going to be hard to grade with so many good comments... I have finally found the IBM redbook which is giving me all the details I think I need... posting it here for others looking in the future:

Lotus Notes and Domino R5.0 Security Infrastructure Revealed
http://publib-b.boulder.ibm.com/Redbooks.nsf/RedbookAbstracts/sg245341.html?OpenDocument
 

Expert Comment

by:DrFierce
ID: 11511076
Actually, there is a newer version of the Lotus Security redbook, which pertains to version 6, includes additional products and goes into greater detail on all the security features that can be used to secure Domino applications both for Notes and the Web. I've co-written both, so I should know (try to figure out which author I am).

Lotus Security Handbook
http://searchdomino.techtarget.com/originalContent/0,289142,sid4_gci850152,00.html
 
LVL 5

Author Comment

by:snocross
ID: 11512594
Thanks for the interesting article.
 
LVL 31

Expert Comment

by:qwaletee
ID: 11531932
Chuck, have you been lurking?
 
LVL 31

Expert Comment

by:qwaletee
ID: 11531987
Or, is that Fred Dahm, since there isn't anyone else listed on both redbooks?
