Vulnerability Development mailing list archives

Re: Notes Domino Server Platform for e-commerce?


From: rrpermeh () RCONNECT COM (Ryan R Permeh)
Date: Wed, 9 Feb 2000 21:25:30 -0600


notes on ibm and notes
(ps, i personally don't care for notes, but have had to deal with it
periodically)

1. domino go server is horrible (personal opinion based mostly on
performance, not security), the notes database product isn't bad, for what
it does.
2. if you are wondering about firewalling your notes web server, realize
that people will be attempting to attack via the web service, which by
nature, you want open.  Use some type of domino aware IDS, which may or may
not work for you (see all the work on avoiding IDS by rfp, a recent note on
ntbugtraq by greg hoglund, and the classic work on why NIDS doesn't work
that well: Insertion, Evasion, and Denial of Service: Eluding Network
Intrusion Detection -
http://www.nai.com/media/pdf/nai_labs/ids.pdf)

one other note:  IBM is investing a lot of time and effort into apache, and
i believe that their websphere package runs on top of apache (or a slightly
modified version).  It seems that their version of apache is apache +
ssl.  and coincidentally, apache has had its share of vulnerabilities.

another note:  IBM does know crypto, they have an AES submission called
MARS.  this does not imply that this is what lotus is using, but it does
show that ibm does use public review in the crypto community.  I am not
certain what encryption schemes they use to hold their passwords locally,
but as far as i know nobody external to lotus has attempted to cryptanalyze
their crypto, so as it stands, it is apparently untested (They recently
signed a deal with RSA, announced at the recent lotusphere, rsa uses correct
public crypto review, etc.)  I'd say evidence is pretty strong that the local
password system on the domino host is probably at least as vulnerable to
attack as the domino password system.  Which can also usually be said to be
true about apache.

As i've said before, i am not a domino/notes/ibm backer, but i don't feel
it is wise to place much of anything above notes/domino for what it
does.  It's a niche market, and as for ecommerce, if you don't mind
investing millions in hardware to run it, go at it, it's not much worse
than most of the other ecommerce platforms available in the security
realm (as evidenced by cduniverse, etc).

Ryan Permeh

At 02:04 PM 02/09/2000 -0200, Marc Esipovich wrote:
> To date I have seen 0 issues with password problems and Notes/Domino.

Does it mean that there are 0 (zero) issues? I'm not so sure.
Was that Domino server ever audited? Are there overflows hidden deep
within? I'm sure there are.

What you're saying is, you're just running Domino, sitting and waiting for
someone to come up with exploits for it, way to go.

Can you trust software which you don't have sources to? Absolutely not.

> The Notes password is stored in an ID file.  For Inet use, the password is
> like I said, stored within a database which is encrypted in a field. (64bit
> International/128bit North American).

What kind of algorithm are we talking about here, size doesn't *always*
matter ;)

> If you want a more robust web server, try WebSphere.  IBM's HTTPD.  A
> great 'E-Commerce' webserver with tons going for it.  Check it out.

No, if you want a more robust webserver, try apache, I'm *positive* it was
audited far more than any webserver on the planet, WebSphere included.

Doesn't apache have *tons* going for it too? Think about it.

If you absolutely *must* have a commercial webserver (I see no reason),
try Stronghold from C2Net.



Marc Esipovich.

---
root is only a few clicks away...

