Security Basics mailing list archives
Re: Lotus Cross-Certification
From: Philip Storry <phil () philipstorry net>
Date: Wed, 30 Apr 2003 03:52:55 +0100
Hello ullmic,

Monday, April 28, 2003, 6:26:41 PM, you wrote:

u> Hi everybody,
u> we are using Lotus Notes as mail tool and we have a lot of contact
u> to a large external company that also uses Lotus Notes. My idea to
u> secure the e-mail communication between our two companies to a
u> reasonable level (without rolling out PGP or S/MIME-certificates)
u> is to propose a cross-certification of Lotus Notes certificates
u> between our companies so that we can at least use Notes encryption.
u> We already have a good level of trust with confidentiality
u> agreements a.s.o. So in my eye it is only a technical
u> implementation of a given trust relationship. Has anybody on this
u> list experience with such a Notes-to-Notes cross-certification? Any
u> hints what to look out for, how to avoid typical mistakes?

(You haven't mentioned a Domino version - I'm assuming it's R5, but most of my advice is version-independent anyway.)

What you want to do will be fine. The only things to look out for are:

1. Ensure that you do not cross-certify at the wrong level.

It's very easy to cross-certify at the top level - /Org. And this may indeed be what you need. But if you both have organisational units, you may find that there's one - based on region, company division or whatever - that suits your needs better.

For instance, if the purpose of the cross-certification is to allow your marketing people to talk to theirs, and you both have organisational units, you may only need to cross-certify:

  /Marketing/YourOrg with /Marketing/TheirOrg
and
  /Servers/YourOrg with /Servers/TheirOrg

(If you have separate server organisational units as well, that is. Watch out for that kind of problem. Remember that servers need to be in ACLs too for native Domino to Domino communication.)

If you both have a rather flat organisation (everyone under /OrgName - i.e. "Joe Bloggs/OrgName") then you can ignore this, and if the whole company needs the link then you can also ignore this.

But as it's good practice to never give more access than is needed, I thought this should be number one on your considerations. Maybe you should have a chat with the admins at the other company?

2. Only ever give them safe-copies to cross certify with.

Yeah, I know it sounds stupid. After all, this is what safe copies are for. But time after time, the number one goof I got when handling cross-certifications with customers was being sent the actual ID file instead of safe copies. Take a moment to know that you're sending the right file, or you may look like a bit of a fool. :-)

3. Remember that cross-certification does not equal access.

Cross certification is equal to granting authentication of an identity or group of identities. It does not automatically grant access to your systems. (Although, naturally, its absence will deny access as they cannot authenticate anyway.)

Therefore, I recommend you check all your ACLs. They should have no access to anything but mail.box if they are just transferring mail. If they need to replicate a database, ensure that they only have access to the databases they need.

You can accomplish this with the supplied "OtherDomainServers" group - this group is usually listed with No Access on ACLs for Lotus-supplied templates anyway. However, I find this an unwieldy solution, as it tends to blanket deny access.

Instead, add their servers to a new group and then add that group to all databases with No Access. Where the servers need access to a database (like mail.box or application databases they must replicate), simply move that group's access to an appropriate level such as Reader or Editor.

The advantage of this over the OtherDomainServers group is that you can use the OtherDomainServers group to deny access to other servers that they may have, to prevent any unauthorised access. It also means you don't need to change OtherDomainServers from No Access on all your databases - which could be handy if you find yourself in a similar situation with another company in future.

Also, if you have more than one server, ensure that they only have access to your bridgehead server and any other servers they may require. Pay particular attention to making sure your Passthru access is secured. (Check the Domino Administrator help for details on that.)

4. Given that you wish to exchange email, you should also consider exchanging Domino Directory information.

If at all possible, try to replicate as little of your Domino Directory as you can. Use replication formulas to restrict them to replicating only documents from the People and Groups views.

This is because the Domino Directory contains information on how your servers are configured. It also (potentially) contains information on your network addressing (via DNS addresses/NetBIOS names/IP addresses), and how your WANs/LANs may be set up could be inferred from this. You trust these people now, but how about in three years' time? Only the paranoid survive. :-)

The replica will still work for email addressing without problems, even with replication formulas in place. It just won't contain any server or domain documents - which is fine, as they need to add such documents to their own Domino Directory to get the routing working - not to see yours. The same applies to you, naturally. *grins*

(By the way, you don't have to type in a formula - you can just select the views you want to replicate to and from the server. I hate to be repetitive, but the Domino Administrator help can tell you all about selective replication... *grins*)

You should use Domino Directory Assistance to make the replicated Domino Directory databases available to your end users for email addressing. This is, again, documented in the Domino Administrator Help.

5. Ensure you are certain of the encryption you require.

You say you want encryption. And that's a fine thing. But Notes/Domino port encryption (enabled on either server making the connection) only requires a cross-certification and will encrypt all traffic. It's not quite as modern an algorithm as you might find in a VPN, but it'll certainly stop any casual sniffing of traffic.

However, I suspect that you were hoping for the encryption of emails. That's going to REQUIRE Domino Directory Assistance and the replication of the Domino Directory to each server. (Well, you may not have to replicate - they could access each other's Domino Directories on-demand, but replication would probably be more convenient and take less bandwidth.)

And remember that the encryption will require the Notes Certificate field to be populated for each recipient in their Person document. That's something beyond your control, as it's not actually your Domino Directory to edit. So make sure you have good communication with the other company's administrators, so that empty certificate fields can be quickly solved. I'm sure they'll be happy to provide quick fixes if you return the courtesy. So maybe you should make sure that all users have a Notes Certificate in the right field before you let them take a replica, eh? *grins*

6. On anything you are unsure of... Read the Domino Administrator help database!

Consider indexing it, and use it as your Domino admin bible. It's a very good resource. I'm not trying to fob you off here - if you want something it says clarified, by all means feel free to ask me. It's not an infallible resource, and it certainly won't have advised you on the sorts of things I just have. But it will give you the procedural advice for "How do I do that". I'm more than happy to answer any "Why do I do that" type of questions you may have, but I do so hate retyping the help database for "How do I do that" queries... *grins*

I think that's all.
But I'm rather tired (it's 03:50 as I type this where I am) and I suppose I could have missed something...

-- 
Best regards,
Philip
mailto:phil () philipstorry net
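An added example, not from Philip's post or from Lotus: a LotusScript agent that audits every database on a server against the point 3 advice (their servers in a dedicated group, listed with No Access everywhere except the few databases they must reach). The server name, group name and allow-list are constructed placeholders; ACLLEVEL_* and DATABASE are the constants supplied by the Notes back-end classes.

```lotusscript
' Added example (not from the original post). Audits a server's databases for the
' external-servers group recommended in point 3. Names below are constructed placeholders.
Sub Initialize
    Const SERVERNAME = "Bridgehead/YourOrg"   ' placeholder: your bridgehead server
    Const GROUPNAME = "TheirOrgServers"       ' placeholder: group holding their servers
    ' Databases where the group is expected to have more than No Access (placeholders)
    Dim allowed(1) As String
    allowed(0) = "mail.box"
    allowed(1) = "apps\shared.nsf"

    Dim dbdir As New NotesDbDirectory(SERVERNAME)
    Dim db As NotesDatabase
    Dim entry As NotesACLEntry
    Dim isAllowed As Integer
    Dim i As Integer

    Set db = dbdir.GetFirstDatabase(DATABASE)
    Do While Not (db Is Nothing)
        If Not db.IsOpen Then Call db.Open("", "")
        If db.IsOpen Then
            isAllowed = False
            For i = 0 To UBound(allowed)
                If LCase(db.FilePath) = LCase(allowed(i)) Then isAllowed = True
            Next
            Set entry = db.ACL.GetEntry(GROUPNAME)
            If entry Is Nothing Then
                ' No explicit entry: the group falls back to -Default-, which may be Reader or more
                Print "MISSING  " & db.FilePath & " (group not listed; add it with No Access)"
            ElseIf entry.Level > ACLLEVEL_NOACCESS And Not isAllowed Then
                Print "REVIEW   " & db.FilePath & " level=" & entry.Level & " (not on allow-list)"
            ElseIf entry.Level > ACLLEVEL_EDITOR Then
                ' Even allowed databases should not need Designer or Manager for mail or replication
                Print "TOO HIGH " & db.FilePath & " level=" & entry.Level
            End If
        Else
            Print "SKIPPED  " & db.FilePath & " (could not open)"
        End If
        Set db = dbdir.GetNextDatabase
    Loop
End Sub
```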