Front cover - IBM Redbooks

More documents

Recommendations

Info

418 Lotus Security Handbook ► Unauthorized users should not have the ability to use the server console. ► Domino administrators should only access the Domino servers via the Administration Tools provided by Lotus (that is, the Domino Administration 6 Client or, for administrators using a Web browser, the Web Administrator 6 tool using the WebAdmin.nsf database). ► Users should not be allowed access to the programs or data on the server via any means other than using the Notes client or a Web browser (that is, no Telnet, FTP, or file sharing access). 10.3 Logical security Logical security is concerned with restricting access to the networking and Notes data components, as illustrated in Figure 10-4. Figure 10-4 Logical security We discuss network security and Notes security separately because each has specific elements that must be understood and applied for security to be effective within the new architecture. 10.3.1 Network security Network security applies to the technologies and equipment that permit the communication of data between devices. This can be communications between servers; it can be also between clients and servers. In regard to the client/server communications, it can be from a Notes client to a Domino server or a Web browser to a Domino server. While networks have the ability to provide peer-to-peer services (that is, server-to-server and client-to-client), in the Notes
networking model there is no Notes-to-Notes communications. Figure 10-5 shows the area of applicability of network security. Figure 10-5 Network security The following sections describe the elements that provide network security. Firewalls There are two different kinds of firewalls: routers and gateways. Routers are the common firewalls because they control network access. Application gateways are software-only firewalls that supply access control, logging of users, and authentication on the network. A router is a type of device used to create a permanent Internet connection to the outside world. Routers work by controlling traffic at the IP level, selectively passing or blocking data packets based on destination address or port information in the packet’s header. Routers are not always effective in excluding everything that you want them to. There are various protocols used on the Internet that are not handled well by network routers. These include protocols such as FTP, DNS (Domain Name System), and X11. The second kind of firewall is a gateway, which consists of using a computer rather than a router. This type offers more capabilities, such as logging all activity over the gateway. While a router-based firewall screens data packets at the IP level, gateways exert control at an application level where traffic can be examined more thoroughly. Using a gateway as a firewall calls for specialized software applications and service proxies. Proxies are stripped-down versions of original programs. For example, a standard UNIX SendMail utility could have up to 20,000 lines of code, Chapter 10. The Notes/Domino security model 419
Page 1:
Key security concepts and best prac
Page 4 and 5:
Note: Before using this information
Page 6 and 7:
iv Lotus Security Handbook Chapter
Page 8 and 9:
vi Lotus Security Handbook 6.1.3 No
Page 10 and 11:
viii Lotus Security Handbook 9.4.9
Page 12 and 13:
x Lotus Security Handbook 12.4 Lotu
Page 14 and 15:
xii Lotus Security Handbook
Page 16 and 17:
Trademarks The following terms are
Page 18 and 19:
xvi Lotus Security Handbook underst
Page 20 and 21:
xviii Lotus Security Handbook Find
Page 22 and 23:
2 Lotus Security Handbook
Page 24 and 25:
1.1 Introduction 4 Lotus Security H
Page 26 and 27:
6 Lotus Security Handbook Protectio
Page 28 and 29:
8 Lotus Security Handbook ► Work
Page 30 and 31:
Vulnerabilities 4,000 3,000 2,000 1
Page 32 and 33:
1.2.3 IT infrastructure 12 Lotus Se
Page 34 and 35:
14 Lotus Security Handbook ► The
Page 36 and 37:
16 Lotus Security Handbook people h
Page 38 and 39:
1.3.1 Data integrity 18 Lotus Secur
Page 40 and 41:
20 Lotus Security Handbook ► Cert
Page 42 and 43:
22 Lotus Security Handbook In gener
Page 44 and 45:
24 Lotus Security Handbook characte
Page 46 and 47:
26 Lotus Security Handbook Symmetri
Page 48 and 49:
28 Lotus Security Handbook cipher t
Page 50 and 51:
30 Lotus Security Handbook As a fol
Page 52 and 53:
32 Lotus Security Handbook Note: In
Page 54 and 55:
34 Lotus Security Handbook Hybrid a
Page 56 and 57:
36 Lotus Security Handbook What use
Page 58 and 59:
38 Lotus Security Handbook discover
Page 60 and 61:
40 Lotus Security Handbook has beco
Page 62 and 63:
42 Lotus Security Handbook We are n
Page 64 and 65:
2.1 Approaches to IT security 44 Lo
Page 66 and 67:
2.1.2 Risk mitigation 46 Lotus Secu
Page 68 and 69:
48 Lotus Security Handbook The same
Page 70 and 71:
50 Lotus Security Handbook There ar
Page 72 and 73:
52 Lotus Security Handbook manageme
Page 74 and 75:
54 Lotus Security Handbook 10.Secur
Page 76 and 77:
56 Lotus Security Handbook ► Part
Page 78 and 79:
58 Lotus Security Handbook requirem
Page 80 and 81:
60 Lotus Security Handbook known as
Page 82 and 83:
62 Lotus Security Handbook within C
Page 84 and 85:
64 Lotus Security Handbook Security
Page 86 and 87:
66 Lotus Security Handbook ► Cont
Page 88 and 89:
Figure 2-7 Access control and subsy
Page 90 and 91:
70 Lotus Security Handbook Identity
Page 92 and 93:
72 Lotus Security Handbook the solu
Page 94 and 95:
Figure 2-11 The normal and imperile
Page 96 and 97:
76 Lotus Security Handbook motivati
Page 98 and 99:
Figure 2-13 Ensuring correct and re
Page 100 and 101:
2.4.10 Use cases 80 Lotus Security
Page 102 and 103:
Figure 2-15 Three-tier client/serve
Page 104 and 105:
Figure 2-16 Sample PKI digital cert
Page 106 and 107:
86 Lotus Security Handbook ► Secu
Page 108 and 109:
88 Lotus Security Handbook The thre
Page 110 and 111:
90 Lotus Security Handbook security
Page 112 and 113:
92 Lotus Security Handbook 6. Defin
Page 114 and 115:
2.6 Summary 94 Lotus Security Handb
Page 116 and 117:
Page 118 and 119:
3.1 The need for secure infrastruct
Page 120 and 121:
100 Lotus Security Handbook Encrypt
Page 122 and 123:
102 Lotus Security Handbook “visi
Page 124 and 125:
104 Lotus Security Handbook Once yo
Page 126 and 127:
106 Lotus Security Handbook Utilizi
Page 128 and 129:
108 Lotus Security Handbook ► Sec
Page 130 and 131:
110 Lotus Security Handbook remotel
Page 132 and 133:
112 Lotus Security Handbook become
Page 134 and 135:
3.3 Summary 114 Lotus Security Hand
Page 136 and 137:
4.1 Infrastructure components 116 L
Page 138 and 139:
118 Lotus Security Handbook Note th
Page 140 and 141:
120 Lotus Security Handbook Client
Page 142 and 143:
122 Lotus Security Handbook Note: W
Page 144 and 145:
124 Lotus Security Handbook alarmin
Page 146 and 147:
126 Lotus Security Handbook subnets
Page 148 and 149:
128 Lotus Security Handbook These h
Page 150 and 151:
4.1.6 Enterprise access management
Page 152 and 153:
Internet 132 Lotus Security Handboo
Page 154 and 155:
134 Lotus Security Handbook SSL ses
Page 156 and 157:
136 Lotus Security Handbook Firewal
Page 158 and 159:
138 Lotus Security Handbook Note: I
Page 160 and 161:
140 Lotus Security Handbook - The r
Page 162 and 163:
4.2.3 Zone boundaries 142 Lotus Sec
Page 164 and 165:
144 Lotus Security Handbook Recomme
Page 166 and 167:
146 Lotus Security Handbook At this
Page 168 and 169:
148 Lotus Security Handbook One fin
Page 170 and 171:
150 Lotus Security Handbook Channel
Page 172 and 173:
152 Lotus Security Handbook - X - N
Page 174 and 175:
154 Lotus Security Handbook 3. Prox
Page 176 and 177:
156 Lotus Security Handbook 5. Data
Page 178 and 179:
158 Lotus Security Handbook 7. Data
Page 180 and 181:
160 Lotus Security Handbook The las
Page 182 and 183:
162 Lotus Security Handbook For the
Page 184 and 185:
164 Lotus Security Handbook sample
Page 186 and 187:
5.1 Proxies defined 166 Lotus Secur
Page 188 and 189:
168 Lotus Security Handbook From a
Page 190 and 191:
5.3.5 Reverse proxies 170 Lotus Sec
Page 192 and 193:
172 Lotus Security Handbook cache d
Page 194 and 195:
174 Lotus Security Handbook For mor
Page 196 and 197:
176 Lotus Security Handbook The rev
Page 198 and 199:
178 Lotus Security Handbook When SS
Page 200 and 201:
180 Lotus Security Handbook If you
Page 202 and 203:
182 Lotus Security Handbook With th
Page 204 and 205:
184 Lotus Security Handbook This is
Page 206 and 207:
Page 208 and 209:
6.1 The Notes PKI 188 Lotus Securit
Page 210 and 211:
190 Lotus Security Handbook Since L
Page 212 and 213:
192 Lotus Security Handbook Certifi
Page 214 and 215:
194 Lotus Security Handbook doesn
Page 216 and 217:
196 Lotus Security Handbook cryptog
Page 218 and 219:
198 Lotus Security Handbook Figure
Page 220 and 221:
6.1.4 Notes passwords 200 Lotus Sec
Page 222 and 223:
202 Lotus Security Handbook To set
Page 224 and 225:
204 Lotus Security Handbook Passwor
Page 226 and 227:
206 Lotus Security Handbook Setting
Page 228 and 229:
Page 230 and 231:
210 Lotus Security Handbook Two dom
Page 232 and 233:
212 Lotus Security Handbook ► Cro
Page 234 and 235:
Page 236 and 237:
216 Lotus Security Handbook Encrypt
Page 238 and 239:
Page 240 and 241:
Page 242 and 243:
222 Lotus Security Handbook A final
Page 244 and 245:
224 Lotus Security Handbook 1. The
Page 246 and 247:
226 Lotus Security Handbook Note: T
Page 248 and 249:
228 Lotus Security Handbook new ran
Page 250 and 251:
6.2.1 Internet standards 230 Lotus
Page 252 and 253:
232 Lotus Security Handbook The com
Page 254 and 255:
Figure 6-17 PKI Components 234 Lotu
Page 256 and 257:
236 Lotus Security Handbook common
Page 258 and 259:
238 Lotus Security Handbook Standar
Page 260 and 261:
240 Lotus Security Handbook An Inte
Page 262 and 263:
242 Lotus Security Handbook An exam
Page 264 and 265:
244 Lotus Security Handbook Table 6
Page 266 and 267:
246 Lotus Security Handbook Session
Page 268 and 269:
248 Lotus Security Handbook access
Page 270 and 271:
250 Lotus Security Handbook ► Aut
Page 272 and 273:
252 Lotus Security Handbook Once th
Page 274 and 275:
254 Lotus Security Handbook The SSL
Page 276 and 277:
256 Lotus Security Handbook and who
Page 278 and 279:
258 Lotus Security Handbook Note: I
Page 280 and 281:
260 Lotus Security Handbook For Net
Page 282 and 283:
262 Lotus Security Handbook Content
Page 284 and 285:
264 Lotus Security Handbook Improve
Page 286 and 287:
266 Lotus Security Handbook Message
Page 288 and 289:
6.2.9 Secure messaging with S/MIME
Page 290 and 291:
270 Lotus Security Handbook encrypt
Page 292 and 293:
272 Lotus Security Handbook Two thi
Page 294 and 295:
274 Lotus Security Handbook Interop
Page 296 and 297:
276 Lotus Security Handbook 3. The
Page 298 and 299:
Page 300 and 301:
Page 302 and 303:
282 Lotus Security Handbook ► A s
Page 304 and 305:
284 Lotus Security Handbook Passwor
Page 306 and 307:
286 Lotus Security Handbook This RF
Page 308 and 309:
288 Lotus Security Handbook Data Va
Page 310 and 311:
7.2.2 Access control 290 Lotus Secu
Page 312 and 313:
292 Lotus Security Handbook Debuggi
Page 314 and 315:
7.3 X.509 certificates 294 Lotus Se
Page 316 and 317:
7.3.2 Access control 7.4 DSAPI 296
Page 318 and 319:
298 Lotus Security Handbook initial
Page 320 and 321:
300 Lotus Security Handbook can als
Page 322 and 323:
302 Lotus Security Handbook A DSAPI
Page 324 and 325:
7.5.1 Authentication 7.5.2 Access c
Page 326 and 327:
306 Lotus Security Handbook To then
Page 328 and 329:
308 Lotus Security Handbook LTPA ha
Page 330 and 331:
8.1 Directory fundamentals 310 Lotu
Page 332 and 333:
312 Lotus Security Handbook ► Com
Page 334 and 335:
314 Lotus Security Handbook modific
Page 336 and 337:
8.3.1 Data sources 8.3.2 Object cla
Page 338 and 339:
318 Lotus Security Handbook destina
Page 340 and 341:
8.3.3 Attributes 320 Lotus Security
Page 342 and 343:
322 Lotus Security Handbook Multipl
Page 344 and 345:
324 Lotus Security Handbook interne
Page 346 and 347:
8.3.6 Event-driven synchronization
Page 348 and 349:
328 Lotus Security Handbook various
Page 350 and 351:
330 Lotus Security Handbook The bro
Page 352 and 353:
332 Lotus Security Handbook choose
Page 354 and 355:
334 Lotus Security Handbook - Lotus
Page 356 and 357:
336 Lotus Security Handbook Directo
Page 358 and 359:
338 Lotus Security Handbook highlig
Page 360 and 361:
340 Lotus Security Handbook Identif
Page 362 and 363:
CN=David Hinkle EmpID=1234 Dept=ISS
Page 364 and 365:
CN=David Hinkle EmpID=1234 Dept=ISS
Page 366 and 367:
346 Lotus Security Handbook DN= uid
Page 368 and 369:
8.4.1 Account provisioning 348 Lotu
Page 370 and 371:
350 Lotus Security Handbook mention
Page 372 and 373:
352 Lotus Security Handbook - Poten
Page 374 and 375:
9.1 Hardening fundamentals 354 Lotu
Page 376 and 377:
356 Lotus Security Handbook and is
Page 378 and 379:
358 Lotus Security Handbook securit
Page 380 and 381:
360 Lotus Security Handbook Operati
Page 382 and 383:
362 Lotus Security Handbook These b
Page 384 and 385:
364 Lotus Security Handbook problem
Page 386 and 387:
366 Lotus Security Handbook precaut
Page 388 and 389: 368 Lotus Security Handbook - Netwo
Page 390 and 391: 370 Lotus Security Handbook ► Do
Page 392 and 393: 372 Lotus Security Handbook HKEY_LO
Page 394 and 395: 374 Lotus Security Handbook Schedul
Page 396 and 397: 376 Lotus Security Handbook entered
Page 398 and 399: 378 Lotus Security Handbook meets t
Page 400 and 401: 380 Lotus Security Handbook version
Page 402 and 403: 382 Lotus Security Handbook Patchin
Page 404 and 405: 384 Lotus Security Handbook Windows
Page 406 and 407: 386 Lotus Security Handbook ► If
Page 408 and 409: 388 Lotus Security Handbook - MacOS
Page 410 and 411: 390 Lotus Security Handbook change;
Page 412 and 413: 392 Lotus Security Handbook It’s
Page 414 and 415: 394 Lotus Security Handbook ► Red
Page 416 and 417: 396 Lotus Security Handbook The fol
Page 418 and 419: 398 Lotus Security Handbook Ignorin
Page 420 and 421: 400 Lotus Security Handbook demands
Page 422 and 423: 402 Lotus Security Handbook ► Min
Page 424 and 425: 404 Lotus Security Handbook Setting
Page 426 and 427: 406 Lotus Security Handbook the TCB
Page 428 and 429: 408 Lotus Security Handbook Removin
Page 430 and 431: 410 Lotus Security Handbook Enablin
Page 432 and 433: 412 Lotus Security Handbook So, it
Page 434 and 435: 414 Lotus Security Handbook
Page 436 and 437: 10.1 Components of the Notes/Domino
Page 440 and 441: 420 Lotus Security Handbook but a S
Page 442 and 443: 422 Lotus Security Handbook Certifi
Page 444 and 445: 424 Lotus Security Handbook databas
Page 446 and 447: 10.4 Conclusion 426 Lotus Security
Page 448 and 449: 428 Lotus Security Handbook ► Roa
Page 450 and 451: New for Domino 6 430 Lotus Security
Page 454 and 455: 434 Lotus Security Handbook If a us
Page 456 and 457: 436 Lotus Security Handbook Table 1
Page 458 and 459: 438 Lotus Security Handbook Run sim
Page 460 and 461: 440 Lotus Security Handbook Figure
Page 462 and 463: 442 Lotus Security Handbook Using e
Page 464 and 465: 444 Lotus Security Handbook ► Con
Page 466 and 467: 446 Lotus Security Handbook If you
Page 468 and 469: 448 Lotus Security Handbook but the
Page 470 and 471: 450 Lotus Security Handbook organiz
Page 472 and 473: 452 Lotus Security Handbook install
Page 474 and 475: 454 Lotus Security Handbook You con
Page 476 and 477: 456 Lotus Security Handbook The Dom
Page 480 and 481: 460 Lotus Security Handbook server,
Page 482 and 483: 462 Lotus Security Handbook Client
Page 484 and 485: 464 Lotus Security Handbook form, g
Page 486 and 487: 466 Lotus Security Handbook Table 1
Page 488 and 489:
11.8 Notes ID recovery 468 Lotus Se
Page 490 and 491:
470 Lotus Security Handbook For eac
Page 492 and 493:
472 Lotus Security Handbook ► Ses
Page 494 and 495:
11.9.2 Multi-server session-based a
Page 496 and 497:
476 Lotus Security Handbook 4. Save
Page 498 and 499:
478 Lotus Security Handbook databas
Page 500 and 501:
480 Lotus Security Handbook Similar
Page 502 and 503:
482 Lotus Security Handbook How ser
Page 504 and 505:
Page 506 and 507:
486 Lotus Security Handbook NextExp
Page 508 and 509:
488 Lotus Security Handbook Connect
Page 510 and 511:
490 Lotus Security Handbook At this
Page 512 and 513:
Page 514 and 515:
494 Lotus Security Handbook Example
Page 516 and 517:
11.10.4 More details 496 Lotus Secu
Page 518 and 519:
498 Lotus Security Handbook servers
Page 520 and 521:
500 Lotus Security Handbook Anonymo
Page 522 and 523:
502 Lotus Security Handbook of whet
Page 524 and 525:
504 Lotus Security Handbook To ente
Page 526 and 527:
506 Lotus Security Handbook Replica
Page 528 and 529:
New for Domino 6 508 Lotus Security
Page 530 and 531:
510 Lotus Security Handbook and the
Page 532 and 533:
512 Lotus Security Handbook even wh
Page 534 and 535:
514 Lotus Security Handbook Prefix
Page 536 and 537:
Table 11-13 Conflict between denied
Page 538 and 539:
518 Lotus Security Handbook Control
Page 540 and 541:
520 Lotus Security Handbook “Deny
Page 542 and 543:
11.12.2 Mail policy management New
Page 544 and 545:
Table 11-15 Rule conditions 524 Lot
Page 546 and 547:
Action name Description Change rout
Page 548 and 549:
Table 11-17 DOLS security options O
Page 550 and 551:
530 Lotus Security Handbook For inf
Page 552 and 553:
532 Lotus Security Handbook If the
Page 554 and 555:
Page 556 and 557:
12.1 Lotus Team Workplace (QuickPla
Page 558 and 559:
538 Lotus Security Handbook Externa
Page 560 and 561:
Page 562 and 563:
542 Lotus Security Handbook ► Ena
Page 564 and 565:
12.2.2 Proxy support for Sametime c
Page 566 and 567:
546 Lotus Security Handbook ► By
Page 568 and 569:
548 Lotus Security Handbook If the
Page 570 and 571:
12.3 Domino Web Access (iNotes) 12.
Page 572 and 573:
12.3.2 Encrypting a mail file on a
Page 574 and 575:
12.3.5 Protection against malicious
Page 576 and 577:
12.4 Lotus Workplace 556 Lotus Secu
Page 578 and 579:
12.5 IBM WebSphere Portal 12.5.1 Au
Page 580 and 581:
560 Lotus Security Handbook WebSphe
Page 582 and 583:
12.5.2 Authorization 562 Lotus Secu
Page 584 and 585:
564 Lotus Security Handbook externa
Page 586 and 587:
566 Lotus Security Handbook this ti
Page 588 and 589:
12.5.4 Securing installation and co
Page 590 and 591:
570 Lotus Security Handbook Authent
Page 592 and 593:
572 Lotus Security Handbook Using T
Page 594 and 595:
574 Lotus Security Handbook ► Con
Page 596 and 597:
576 Lotus Security Handbook ► Den
Page 598 and 599:
578 Lotus Security Handbook ► Lot
Page 600 and 601:
Page 602 and 603:
13.1 The scenario described 582 Lot
Page 604 and 605:
Figure 13-2 Mail file 584 Lotus Sec
Page 606 and 607:
586 Lotus Security Handbook certain
Page 608 and 609:
588 Lotus Security Handbook Domino-
Page 610 and 611:
590 Lotus Security Handbook benefic
Page 612 and 613:
Page 614 and 615:
14.1 Basic internal collaboration (
Page 616 and 617:
Figure 14-2 Web SSO configuration b
Page 618 and 619:
598 Lotus Security Handbook The HTT
Page 620 and 621:
Page 622 and 623:
14.2.2 WebSphere Edge Server config
Page 624 and 625:
604 Lotus Security Handbook still b
Page 626 and 627:
Figure 14-17 Basic Settings 606 Lot
Page 628 and 629:
Figure 14-19 Request Routing 608 Lo
Page 630 and 631:
Figure 14-21 Firewall rules 14.3 In
Page 632 and 633:
612 Lotus Security Handbook The fol
Page 634 and 635:
Page 636 and 637:
616 Lotus Security Handbook 5. Modi
Page 638 and 639:
Page 640 and 641:
620 Lotus Security Handbook mapping
Page 642 and 643:
Page 644 and 645:
624 Lotus Security Handbook ► rem
Page 646 and 647:
Page 648 and 649:
Page 650 and 651:
630 Lotus Security Handbook ► It
Page 652 and 653:
14.7 Summary 632 Lotus Security Han
Page 654 and 655:
Page 656 and 657:
636 Lotus Security Handbook Two opt
Page 658 and 659:
Page 660 and 661:
640 Lotus Security Handbook complet
Page 662 and 663:
642 Lotus Security Handbook 3. To t
Page 664 and 665:
* Notes SDK include files */ #inclu
Page 666 and 667:
} /*--- * filter termination */ uns
Page 668 and 669:
*/ if (authData->userName && authDa
Page 670 and 671:
goto NoUnlockExit; pLookup = (char
Page 672 and 673:
} } ValueLength -= sizeof(WORD); /*
Page 674 and 675:
* *********************************
Page 676 and 677:
if (getspnam_r(userName, &result, b
Page 678 and 679:
658 Lotus Security Handbook Restric
Page 680 and 681:
660 Lotus Security Handbook You nee
Page 682 and 683:
662 Lotus Security Handbook . Figur
Page 684 and 685:
Page 686 and 687:
Page 688 and 689:
Page 690 and 691:
Page 692 and 693:
672 Lotus Security Handbook The plu
Page 694 and 695:
674 L
Page 696 and 697:
Hostname="localhost.dotnsf.com" Por
Page 698 and 699:
[Mon Jun 09 12:06:54 2003] 00000d54
Page 700 and 701:
[Mon Jun 09 12:07:18 2003] 00000d54
Page 702 and 703:
[Mon Jun 09 12:07:18 2003] 00000d54
Page 704 and 705:
Other publications Online resources
Page 706 and 707:
Page 708 and 709:
Certificate authorities Domino 260
Page 710 and 711:
kFilterParsedRequest Event 299 kFil
Page 712 and 713:
object classes 316 objectclass eDom
Page 714 and 715:
and iNotes 498 events 492 flowchart
Page 716 and 717:
and WebSphere Portal 622 benefits 2
Page 718 and 719:
Page 722:
Lotus Security Handbook Key securit
show all

Front cover - IBM Redbooks

Create successful ePaper yourself

Delete template?

Save as template?