Firewall Wizards mailing list archives

Re: Lotus Domino as an access control to internal network


From: Aleph One <aleph1 () dfw net>
Date: Tue, 24 Feb 1998 15:25:38 -0600 (CST)

On Mon, 23 Feb 1998 dharris () kcp com wrote:

I have been asked to help our internal e-mail team provide external access 
to internal e-mail.  They want to use a Lotus Domino server connected to a 
set of dial-up access points.  The Lotus Domino server would also connect 
to our internal network.  The e-mail team claims that, because the NT box 
which supports the Lotus Domino server has no dial-up software loaded, the 
Lotus Domino server cannot be suborned into acting as a gateway to our 
internal network.

I would greatly appreciate comments on the wisdom or stupidity of this 
desire.  I would prefer that access to the Lotus Domino server be provided 
via token-based authentication at a dial-up server but I am willing to be 
persuaded by reasonable arguments.

TIA for your help.

[ Disclaimer: I am not a Lotus Notes expert, nor have I installed Lotus
  Notes as a dialup server. I have installed Lotus Notes, and we do use a
  similar setup here on which I have commented from a security
  perspective. ]

We have a similar setup in your environment. I do not know what you mean
by using a Lotus Domino server as a dialup, as Domino is the web component
of Notes. What we have is a Notes server on an NT box allowing remote
users to dial up and access the Notes databases, including e-mail.

As far as I could ascertain (granted, I did not delve into it much as it is
not part of my job), it seems to be a secure mechanism. First, RAS is not
installed in NT in this setup. The Lotus Notes server itself handles
managing the modem. This makes the NT box incapable of routing any network
protocols via the dialup adapter. Second, Lotus Notes in essence uses
two-factor authentication. The dial-up user must have his ID file (the file
containing his public/private key) as well as the password to unlock it.
In the event that the laptop used by the end user were stolen or
that his password was stolen by shoulder surfing, the system would be
secure. It is only when both of these things happen that you are in
trouble.

I would be glad to hear if anyone thinks my analysis is incorrect or has
other comments.

                                Delmer D. Harris
                                dharris () kcp com

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 


