
RE: [FW1] Open Lotus Port inbound?



Hi,

Lotus Domino also offers a web-based link to the mailboxes
of the users. If the Lotus relay server is in an additional DMZ,
externals can be allowed to connect to this web server using SSL
(128 Bit) and strong authentication (Secure ID or Active Card).
The DMZ Lotus Domino server itself replicates the databases with
the internal and central Lotus server.
 
To determine whether this is an appropriate solution you need to
discuss the security level you need. Against the usual onsets at
the network layer this design offers appropriate protection. But
what about the application security? The external opens an SSL
connection. Everybody must be allowed to do this. After this
connection is established the user must authenticate himself via
one-time password. So the application security also should be
adequate. But this is part of a concept which discusses these
considerations.

robert
   

On Fri, 1 Sep 2000, Warren Barrow wrote:

> 
> It's my personal opinion you should throw the implementer and his crew out
> of the project (and out of your office).  SecuRemote is definitely not hard
> to set up; a monkey could click through the setup options and define a site.
> If you use SecuRemote to get to the Lotus server-- that's alright.  I highly
> suggest you -NOT- allow any other traffic other than SMTP from the internet
> to that Lotus server.  It would be optimal to stick an SMTP relay in the DMZ
> to forward the incoming mail to the Lotus server.  The Lotus server should
> definitely sit on the internal network because it contains too much
> information to be in the DMZ.  The relay in the DMZ would greatly reduce the
> risk of compromise since no one would be allowed to connect to the internal
> network. 
> 
> Why would you want to allow Lotus traffic to the server from the Internet?
> 
> -Warren.
> 
> -----Original Message-----
> From: Peter Goodridge [mailto:[email protected]]
> Sent: Friday, September 01, 2000 10:40 AM
> To: firewall list
> Subject: [FW1] Open Lotus Port inbound?
> 
> 
> 
> We are installing Lotus Notes to replace our current
> e-mail system.  The people running the project want
> to allow employees to come through the firewall using a
> browser and/or the Lotus client without using
> SecuRemote, etc.  Their claim is that because it is
> encrypted it's perfectly safe, and SR is too hard to
> install.
> 
> I can probably talk them out of the web server
> idea, but opening the Lotus port inbound is going to
> be a harder battle.  I doubt they'll want to set up a
> server in the DMZ either.
> 
> Could I get some input on how disingenuous, I mean
> counter productive, I mean contra-indicated....O.K.
> how stupid this idea is?
> 
> THX,
> Pete Goodridge
> 
> ============================================================================
> ====
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ============================================================================
> ====
> 
> 
> 

----------------------------------------
Robert Binder
IT-Security Consultant

Integralis, Niederlassung München
Gutenbergstr. 1
D-85737 Ismaning
Tel: +49-89-94573-235
Fax: +49-89-94573-119
http://www.integralis.de/
 
A member of the Articon-Integralis Group



