Firewall Wizards mailing list archives
Re: Lotus Domino as an access control to internal network
From: Aleph One <aleph1 () dfw net>
Date: Tue, 24 Feb 1998 15:25:38 -0600 (CST)
On Mon, 23 Feb 1998 dharris () kcp com wrote:
I have been asked to help our internal e-mail team provide external access to internal e-mail. They want to use a Lotus Domino server connected to a set of dial-up access points. The Lotus Domino server would also connect to our internal network. The e-mail team claims that, because the NT box which supports the Lotus Domino server has no dial-up software loaded, the Lotus Domino server cannot be suborned into acting as a gateway to our internal network. I would greatly appreciate comments on the wisdom or stupidity of this desire. I would prefer that access to the Lotus Domino server be provided via token-based authentication at a dial-up server but I am willing to be persuaded by reasonable arguments. TIA for your help.
[ Disclaimer: I am not a Lotus Notes expert, nor have I installed Lotus Notes as a dialup server. I have installed Lotus Notes, and we do use a similar setup here on which I have commented from a security perspective. ]

We have a similar setup in your environment. I do not know what you mean by using a Lotus Domino server as a dialup, as Domino is the web component of Notes. What we have is a Notes server on an NT box allowing remote users to dial up and access the Notes databases, including e-mail. As far as I could ascertain (granted, I did not delve into it much as it is not part of my job), it seems to be a secure mechanism.

First, RAS is not installed in NT in this setup. The Lotus Notes server itself handles managing the modem. This makes the NT box incapable of routing any network protocols via the dialup adapter.

Second, Lotus Notes in essence uses two-factor authentication. The dial-up user must have his ID file (the file containing his public/private key) as well as the password to unlock it. In the event that the laptop used by the end user were stolen or that his password was stolen by shoulder surfing, the system would be secure. It is only when both of these things happen that you are in trouble.

I would be glad to hear if anyone thinks my analysis is incorrect or has other comments.
Delmer D. Harris dharris () kcp com
Aleph One / aleph1 () dfw net http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01