I Have a Traveler Server - Maybe I Should Secure It Some?

Your boss brought you his iPhone and said "make it work!". And so with no budget and no thought to security, you did. Now that Traveler's up and running, there are a lot more unsecured end points on your network. Explore different options to secure Traveler in this presentation from Simplified Technology Solutions' Darren Duke.

Published in: Technology, Business

Transcript

  • 1. Oh yes, that Pentium 90 under your desk is running a business critical app. Time to look at it. Darren Duke – Technical Deus - STS – June 2013
  • 2. About me
      • AKA my favorite slide
      • Started with “Lotus Notes” in R3
      • Yes, really….R3
      • Founder of STS based in Atlanta
      • Sometime blogger, ranting Tweeter, ex-host of This Week In Lotus, Speaker, Fixture at “Ask the PM’s”
      • I am obnoxious as obnoxiousness is usually required to elicit answers from IBM
      • “Experience is the name one gives to their mistakes” – Oscar Wilde
  • 3. Traveler, like BES = top down
      • Your CEO told your boss to make his iPad work
      • Your boss told you to make the CEO’s, and now also *his* as he needs one “for support”, iPads work
      • You got no budget and an old desktop server or VM and installed Traveler
      • After the first email, this server was business critical
  • 4. Now everyone has one
      • Once word was out…..
      • You became very popular
  • 5. iOS Devices are for “work”….
      • Hence the executives’ desire to get them to work
      • But we all know the real reason…
  • 6. Security Options
      • None. Erm….Whiskey Tango Foxtrot?
      • SSL on Domino
      • SSL on IHS in front of Domino (new in 9)
      • Reverse Proxy
      • IBM Mobile Connect
      • Certificate authentication**
      • You can always go back to BES ;)
  • 7. Traveler is “free”
      • Only if you don’t secure it
      • How much did your org spend on BES?
      • Server, CALs, Devices, Support….
      • Why do you not treat your Traveler as you did your BES?
      • Spend money and do it right and secure it
      • It’ll still come out cheaper than your BES did
  • 8. A word about DNS and SSL
      • Whatever solution you choose to secure your Traveler server….
      • Make sure DNS and protocol is the same inside and out
      • my_traveler_server.mycomany.com
      • If you use SSL on the outside, you must use it on the inside too
      • That means you may use more than one solution
      • Outside LAN : IHS + SSL + Reverse Proxy
      • Inside LAN : IHS + SSL
  • 9. None – aka the default
      • As the great Paul Mooney once said:
      • “Port 80 on Traveler is *very* unwise”
      • Your passwords (and everything else) are going across the internet in clear text
      • But…..
      • it scales well - joke
      • Still, I would not do this on my servers. Ever.
      • Even the installer warns you this is a bad idea
      • Free
      • Until you are hacked
  • 10. SSL on Domino
      • Everything is secure if you did it right
      • Redirect all traffic from 80 to SSL (443) in the server doc, ports
      • Self Signed SSL can be used
      • But causes issues on some (all?) Androids
      • You can get around this by side loading or maybe via the Google Play store now
      • Domino SSL scaling may cause issues
      • Domino still “surfaced” on the internet
      • Reasonably cheap
  • 11. SSL on IHS in front of Domino
      • New in 9.0, install IBM HTTP Server (IHS)
      • Installed as option with Domino, on same server as Domino
      • Windows only for now, needs 9.0 IF1
          ○ PMR if you want other OSes to get this
      • Will handle SSL
      • Fixes Domino scaling with SSL
      • “Allows” Domino HTTP to do TLS
      • IHS now surfaced to the internet
      • Reasonably cheap
  • 12. Reverse Proxy
      • A proxy (like WebSphere Edge Server, F5 or Apache) in the DMZ forwards traffic to Traveler in the LAN/DMZ
      • Can also be done with IHS, not sure about the licensing of that
      • Domino has no surface on the internet
      • Proxy can handle SSL
      • Can be cheap, or expensive
  • 13. IBM Mobile Connect
      • IBM’s “headless VPN” solution
      • Think of it like a very secure reverse proxy
      • Can be used for iNotes, Connections and Quickr too
      • Out of the box (mostly) support for Traveler
      • No messy http.conf or domino.conf files
      • Maybe relatively cheap based on current license you have
  • 14. IBM Mobile Connect Licensing
      • If you have Domino Enterprise Server licensing
      • Full PVU or CEO
      • NOT Express
      • You get the CAL for IMC as an entitlement
      • Will only need to license IMC PVUs
      • Non-enterprise
      • You’ll need clients and PVUs
  • 15. All the previous slides were server security
      • What about users?
      • Usually the weakest link
      • Options
      • Complex internet password
      • Internet Password Lockout
      • Certificate based authentication
  • 16. Password Security
      • Your weakest link if you install Traveler correctly
      • Complex passwords are good for you
      • Suck for your user
      • Password changes are difficult to do on a device
      • There is a possible solution…
  • 17. Go password-less
      • Certificate based authentication
      • Well, on iOS devices
      • Android is on the Traveler road map (PMR it)
      • Really a function of the Domino HTTP server and the device
      • This is much easier with an MDM
      • Pushing certificates is easier with an MDM
      • You have to get the cert on the device
      • Make sure users have device passwords!!!
  • 18. Conclusion
      • You may decide to use multiple methods
      • Domino + IHS + IMC + Certificates
      • Yes, it can get complex
      • Yes, it can be very, very secure
      • Almost BES like, but not quite
      • You may want to evaluate MDMs before attempting a certificate roll out
      • Switching from non-SSL to SSL is “difficult”
      • A secure, HA Traveler platform can be expensive to implement
      • But hey, so was BES
  • 19. Q&A and links
      • http://blog.darrenduke.net
      • Mostly useful stuff, some rants
      • http://www.simplified-tech.com
      • No rants, Lisa won’t let me
      • https://twitter.com/darrenduke
      • Mostly rants, some useful stuff
      • http://geldreddotcom.files.wordpress.com/2013/05/choosing-a-mdm-presentation.pdf
      • choosing an MDM
      • I like DesktopCentral for the record
      • Never allow Anonymous access to the Domino Directory…..ever. Never.
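
Slides 8 to 10 give three rules that can be checked from a workstation: port 80 must not serve Traveler in clear text, it should redirect to SSL on the same DNS name, and the certificate should validate without side loading. The script below is an added example, not part of the original presentation, that tests a server you administer against those rules; the hostname `traveler.example.com` is a constructed placeholder and the `/traveler` path is an assumption about the deployment.

```python
import http.client
import socket
import ssl
import sys
from urllib.parse import urlsplit

def classify_port80(status, location, host):
    """Judge a plain-HTTP reply: only a redirect to https://<same host> passes."""
    if status is None:
        return "closed"                       # nothing answers on port 80
    if status in (301, 302, 303, 307, 308) and location:
        target = urlsplit(location)
        if target.scheme == "https" and target.hostname == host.lower():
            return "redirects-to-https"
        return "redirects-elsewhere"          # different DNS name, or still http
    return "serves-cleartext"                 # a 200/401 here means passwords in clear text

def probe_port80(host, path="/traveler", timeout=5):
    """GET path over plain HTTP without following redirects (path is an assumption)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except (OSError, http.client.HTTPException):
        return None, None
    finally:
        conn.close()

def probe_tls(host, timeout=5):
    """Return None if the certificate is trusted and matches host, else the error text."""
    ctx = ssl.create_default_context()        # system trust store, hostname check enabled
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return None
    except OSError as exc:                    # ssl.SSLError is an OSError; self-signed fails here
        return str(exc)

def audit(host):
    """Run once inside the LAN and once outside; the two results should be identical."""
    status, location = probe_port80(host)
    return {"port80": classify_port80(status, location, host),
            "tls_error": probe_tls(host)}

if __name__ == "__main__":
    # traveler.example.com is a constructed placeholder hostname
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "traveler.example.com"))
```

Run it with the same hostname from a machine on the LAN and from one outside it; any difference between the two results means DNS or protocol is not the same inside and out.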
