Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Domino Security - not knowing is not an option
(AKA tame the nasty Poodles)
Darren Duke
Janitor Level 57
Simplified Techno...
About me
• AKA my favorite slide
• Started with “Lotus Notes” in R3
• Yes, really….R3
• That means 1996
• Yes, really….199...
10,000 feet view
•What we’ll (hopefully) cover
•Server Security
•SSL/TLS/SHA2
•Reverse Proxies
•Testing
•Antivirus setting...
SHA2
•SHA = Security Hashing Algorithm
•Each SSL certificate is either SHA1 or SHA2
•SHA2 far more secure than SHA1
•Most ...
Server Seurity SSL/TLS/SHA2
•SSLv3 is dead (SSLv2 has been dead for a long time)
•Unless you need it for SMTP STARTTLS com...
Server Seurity SSL/TLS/SHA2
•Don’t forget Perfect Forward Secrecy
•In cryptography, forward secrecy (FS; also known as per...
Server Seurity SSL/TLS/SHA2
•SMTP with STARTTLS
•You fix a lot of problems with
•Server notes.ini SSL_ENABLE_INSECURE_SSLV...
Server Seurity SSL/TLS/SHA2
•If you org only wants to allow TLS 1.2
•You can disable TLS 1.0 (and obviously SSLv3)
•Server...
Reverse Proxies
•What is a Reverse Proxy?
•In computer networks, a reverse proxy is a type of proxy server that
retrieves ...
Reverse Proxies
•Benefits
•You can handle more than one web server per proxy
•Reduce (potential attack) surface area
SSL o...
Reverse Proxies
•The Proxies
•NGINX (pronounced Engine X)
•Most popular today, used by Netflix, Zappos, et al
•Open source...
Reverse Proxies
•The Proxies
•IBM HTTP Server (IHS)
•No longer recommended by IBM as a front end to Windows Domino
Servers...
Reverse Proxies
•A BIG Gotcha for Traveler
•If your Traveler Server Domino name is Traveler/Org
•AND
•Your Traveler server...
Reverse Proxies
•The Real Reason to use a Proxy
•With a Proxy you may have avoided SSLv3 and this:
Date Spec Released Date...
Testing
•So you *think* you’re secure? OK…..
•Testing is what elevates belief to evidence
•QualSYS SSL Labs test site for ...
Testing
• Here is my iNotes server behind an Apache Reverse Proxy
Testing
• Here is an iNotes server native (no proxy)
Testing
• A Note about Windows XP/2003 with IE Support and ciphers
– I know, you have a plan to get off XP and 2003
– No, ...
Testing
• Test SMTP STARTTLS at CheckTLS.com
– https://www.checktls.com/testreceiver.html
– Test both send and receive
• R...
Testing
• Send
– You send email with a code in it, CheckTLS then replies to you with
the transaction
Antivirus Settings (OS)
•Domino Server Exclusions
•Transaction Logs
•Domino Data
•DAOS repository
•View Rebuild Dir folder...
Antivirus Settings (OS)
• But Darren, what about when my users click on a virus infested
email attachment?
• IBM Notes and...
User Security
•Strong Internet Passwords
•Changes how passwords are stored in the Domino Directory
•A salted hash is creat...
User Security
•Strong Internet Passwords for new users
•Edit Domino Directory Profile
User Security
•Strong Internet Passwords for existing users
•Select the users in the Domino Directory then ActionsSet Secu...
Securing LDAP
•I see a shocking amount of Domino LDAP servers NOT using LDAPS
•LDAPS is over port 636 by default
•Provided...
Securing LDAP
•Potential LDAPS issues
•Your LDAP client (copier, spam gateway, etc) may not support the new
Domino ciphers...
Securing LDAP
•Using DA to AD for internet passwords?
–Also secure this otherwise your users AD passwords are going from
D...
Java Updates
•Notes and Domino JVM still use Java 6 (or 1.6)
•Oracle ended Public Java 6 updates in Feb 2013
•IBM get cust...
Speaking of Fix Packs
•As a general rule, the newer the FP and the newer the IF, the more
secure your server or client wil...
SAML
•Security Assertion Markup Language
•Allows Notes users to go password-less
•This can be a huge selling point
•Can al...
Knowledge is Power
•Forewarned is forearmed and there are resources that allow you
to be pro-active
•IBM My Notifications
...
Knowledge is Power
•Forewarned is forearmed and there are resources that allow you
to be pro-active
–US CERT weekly email
...
Disable Things
•Anything you don’t use, disable. Anything you don’t need, disable
•Need POP3 or IMAP? No?
•Not having it i...
Notes/Domino Port Encryption
•For Domino server to server or Notes client to server
communication
•Turn on at one end, wor...
Upcoming SlideShare
Loading in …5
×

Domino Security - not knowing is not an option - MWLUG 2015

6,652 views

Published on

There have been a ton of changes to Domino security over the past few months. See what they are, why you need them and how to implement them, including but not limited to: SSL/TLS Notes port encryption reverse proxies SHA2 certificates SAML/NFL Perfect Forward Secrecy Learn. Implement. Sleep well.

Published in: Technology
  • Be the first to comment

Domino Security - not knowing is not an option - MWLUG 2015

  1. 1. Domino Security - not knowing is not an option (AKA tame the nasty Poodles) Darren Duke Janitor Level 57 Simplified Technology Solutions, Inc
  2. 2. About me • AKA my favorite slide • Started with “Lotus Notes” in R3 • Yes, really….R3 • That means 1996 • Yes, really….1996 • Founder of STS (2005) based in Atlanta • Sometime blogger, ranting Tweeter, ex-co-host of This Week In Lotus, Speaker, Fixture at “Ask the PM’s” • http://blog.darrenduke.net • Twitter @darrenduke
  3. 3. 10,000 feet view •What we’ll (hopefully) cover •Server Security •SSL/TLS/SHA2 •Reverse Proxies •Testing •Antivirus settings on the client and server •User Security •Strong Internet passwords •SAML •Directory Assistance •Port Encryption
  4. 4. SHA2 •SHA = Security Hashing Algorithm •Each SSL certificate is either SHA1 or SHA2 •SHA2 far more secure than SHA1 •Most SSL vendors have stopped issuing SHA1 SSL certificates (around Dec 31 2014) •SHA2 Support in Domino •No support for for SHA2 in 8.5.3. Never. Nada. Not going to happen •For 9.0.1 FP3 and above you can now create SHA2 CSR’s and import SHA2 certificates in Domino •This is a very different process than what you are used to •See Gab’s excellent step-by-step on how to do this: –http://turtleblog.info/2015/06/22/creating-sha-2-4096-ssl-certificates-for- domino/ –http://www-01.ibm.com/support/docview.wss?uid=swg21418982
  5. 5. Server Seurity SSL/TLS/SHA2 •SSLv3 is dead (SSLv2 has been dead for a long time) •Unless you need it for SMTP STARTTLS compatibility •Disable it if you can •Server notes.ini DISABLE_SSLV3=1 •TLS is King, long live the King –TLS 1.0 via IF for the following releases •With 8.5.3 FP6 •9.0 •9.0.1 FP2 –TLS 1.2 via IF for •9.0.1 FP3 •Perfect Forward Secrecy •Additional (more secure) ciphers •SHA2
  6. 6. Server Seurity SSL/TLS/SHA2 •Don’t forget Perfect Forward Secrecy •In cryptography, forward secrecy (FS; also known as perfect forward secrecy, or PFS) is a property of key-agreement protocols ensuring that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future. (via wikipedia) •Domino now supports it as of 9.0.1 FP3 IF2/3 •The data is secure even of the server private key is compromised in the future •This is a good thing. Use it.
  7. 7. Server Seurity SSL/TLS/SHA2 •SMTP with STARTTLS •You fix a lot of problems with •Server notes.ini SSL_ENABLE_INSECURE_SSLV2_HELLO=1 •Ciphers –No longer controlled in the Server/Internet doc (9.0.1). Now a notes.ini –Domino server now dictates the preferred cipher list •Server notes.ini SSLCipherSpec=AABBCCDDEE..ZZ •I usually start with: –SSLCipherSpec=9D9C3D3C352F3339676B9E9F –DISABLE_SSLV3=1 •For all TLS 1.2 options see –http://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_1.2 –http://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration –http://blog.darrenduke.net/Darren/DDBZ.nsf/dx/tls-1.2-in-domino-and-the- settings-i-use.htm
  8. 8. Server Seurity SSL/TLS/SHA2 •If you org only wants to allow TLS 1.2 •You can disable TLS 1.0 (and obviously SSLv3) •Server notes.ini SSL_DISABLE_TLS_10 –This could cause SMTP STARTTLS issues so beware –All recent browsers have TLS 1.2 enabled by default now •Older browers (IE on XP) may not
  9. 9. Reverse Proxies •What is a Reverse Proxy? •In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client as though they originated from the proxy server itself - Wikipedia
  10. 10. Reverse Proxies •Benefits •You can handle more than one web server per proxy •Reduce (potential attack) surface area SSL offloading •Have the reverse proxy handle all your SSL/TLS •When security issue detected, one place to fix –Security •Hide version/platform/application from the browser •No direct access to backend servers •Restrict URL access to Domino for only required URLs for –iNotes –Traveler –Domino web applications –Load balancing •Provide HA for iNotes, Traveler, etc
  11. 11. Reverse Proxies •The Proxies •NGINX (pronounced Engine X) •Most popular today, used by Netflix, Zappos, et al •Open source •Can do mail and other TCP connections, not just HTTP(S) –IMAP –SMTP (including STARTTLS) –Apache •Most famous •Open source •I have a free Apache VM using Ubuntu you can use as starting point: –http://blog.darrenduke.net/darren/ddbz.nsf/dx/here-is-a-freely-available- vm-to-reverse-proxy-domino-shoot-the-poodle.htm
  12. 12. Reverse Proxies •The Proxies •IBM HTTP Server (IHS) •No longer recommended by IBM as a front end to Windows Domino Servers •Never extended to other platforms •IBM fixed TLS in Domino which made this redundant –This was IBM’s original fix in Domino 9 to add TLS1.0 •Don’t do this anymore
  13. 13. Reverse Proxies •A BIG Gotcha for Traveler •If your Traveler Server Domino name is Traveler/Org •AND •Your Traveler server URL hostname == the CN of the Domino server •So if Domino == Traveler/Org AND Traveler URL == Traveler.blah.com –Then there seems to be a bug in Traveler that won’t allow a reverse proxy to work •See http://blog.darrenduke.net/Darren/DDBZ.nsf/dx/using-ibm-lotus- traveler-with-a-proxy....food-for-thought-before-you-do-this.htm for details and fix/workaround –This makes is harder to reverse proxy Traveler, but it is still worth doing
  14. 14. Reverse Proxies •The Real Reason to use a Proxy •With a Proxy you may have avoided SSLv3 and this: Date Spec Released Date Domino Added Time Taken by IBM (in years) TLS 1.0 1999 2014* 15 TLS 1.2 2008 2015 7 PFS 2011* 2015 4
  15. 15. Testing •So you *think* you’re secure? OK….. •Testing is what elevates belief to evidence •QualSYS SSL Labs test site for web sites •https://www.ssllabs.com/ssltest/ •Scan a server, get a grade •Will take a few minutes •Also lists potential remediation •Tons of useful information •If you get a A- or higher you’re good •Scan every quarter or so. Things change! •Use on sites other that your own •Be scared. Be real scared.
  16. 16. Testing • Here is my iNotes server behind an Apache Reverse Proxy
  17. 17. Testing • Here is an iNotes server native (no proxy)
  18. 18. Testing • A Note about Windows XP/2003 with IE Support and ciphers – I know, you have a plan to get off XP and 2003 – No, really, we believe you – Most people think you need RC4 to support XP with IE – YOU DON’T!!! • 3DES will provide support for XP/2003 with IE • So disable RC4 and enable 3DES
  19. 19. Testing • Test SMTP STARTTLS at CheckTLS.com – https://www.checktls.com/testreceiver.html – Test both send and receive • Receive
  20. 20. Testing • Send – You send email with a code in it, CheckTLS then replies to you with the transaction
  21. 21. Antivirus Settings (OS) •Domino Server Exclusions •Transaction Logs •Domino Data •DAOS repository •View Rebuild Dir folder –See https://www- 304.ibm.com/support/docview.wss?uid=swg21417504 •Notes Client Exclusions –Notesframework –Notesdataworkspace.configorg.eclipse.osgi –JAR files –See http://www- 01.ibm.com/support/docview.wss?uid=swg21407945
  22. 22. Antivirus Settings (OS) • But Darren, what about when my users click on a virus infested email attachment? • IBM Notes and Attachments – All Notes attachments are saved to %TEMP% on Windows – So long as the OS AV has real time scanning of %TEMP% you are safe – Remember, %TEMP% could be different per user
  23. 23. User Security •Strong Internet Passwords •Changes how passwords are stored in the Domino Directory •A salted hash is created for each user –@Password has starts a hex digit ('0' - '9', 'A'-'F'), with Domino 4.5 –@Password2 hash starts with 'G‘, with Domino 4.6+ –@Password3 hash starts with 'H‘, with Domino 8.5.1+ –Obviously if you want ‘G’ or preferably ‘H’ •Go from this •To this
  24. 24. User Security •Strong Internet Passwords for new users •Edit Domino Directory Profile
  25. 25. User Security •Strong Internet Passwords for existing users •Select the users in the Domino Directory then ActionsSet Secure Internet Password •Then the top (8.0.1) option (but I think it started working in 8.5.1)
  26. 26. Securing LDAP •I see a shocking amount of Domino LDAP servers NOT using LDAPS •LDAPS is over port 636 by default •Provided Domino has been set up for SSL, enable LDAPS •If your LDAP clients supports LDAPS USE IT!
  27. 27. Securing LDAP •Potential LDAPS issues •Your LDAP client (copier, spam gateway, etc) may not support the new Domino ciphers •DEBUG_SSL_ALL=3 is your friend when testing this •You may have to enable SSLv3 and RC4 on Domino LDAP to get around these issues
  28. 28. Securing LDAP •Using DA to AD for internet passwords? –Also secure this otherwise your users AD passwords are going from Domino to AD in plain text –Just checking the box in DA.NSF is not sufficient!!!! –You also need to import your AD server SSL certificate in your server.id file •See http://blog.darrenduke.net/Darren/DDBZ.nsf/dx/solution-domino- directory-assistance-to-active-directory-when-using-ssl-does-not-break- with-9.0.1-fp4.htm for details on how to do this (it’s really not obvious)
  29. 29. Java Updates •Notes and Domino JVM still use Java 6 (or 1.6) •Oracle ended Public Java 6 updates in Feb 2013 •IBM get customized Java 6 fixes Oracle •These are then bundled into fixes for the client and server •N/D 9.0.2 (N/D Next?) may get an updated (Java 8?) JVM •These are important to install •Usually contain fixes for CVSS rated high risk (may are 10.0, the highest possible risk level •These are Fix Pack based –A fix pack will usually ship with a new, updated JVM –IBM then build custom installers to patch the FP JVM to fix vulnerabilities •These Java installers can fail. Often. Too often. –Only way to address is to revert back to base Domino version (say 9.0.1, by reapplying the current FP and reverting) then reapply fix pack, then apply JVM patch
  30. 30. Speaking of Fix Packs •As a general rule, the newer the FP and the newer the IF, the more secure your server or client will be •If you are running anything earlier than 8.5.3 FP6 IF9, you are doing it wrong •Strongly consider going to 9.0.1 FP3/4 •SHA2 •TLS 1.2/PFS/much higher quality ciphers •You are most likely paying for it anyway •News Flash!!!! No new features are coming to 9.0 or 8.5.x •Fixpacks, IFs and Java updates are on IBM Fix Central
  31. 31. SAML •Security Assertion Markup Language •Allows Notes users to go password-less •This can be a huge selling point •Can also be set up so that the Notes ID is never stored on the user’s PC •It gets downloaded and stored in memory each time the user starts Notes •User NEVER has to enter password •You need 9.0.1, ID Vault, patience •No password = no post-it note with password written on it!
  32. 32. Knowledge is Power •Forewarned is forearmed and there are resources that allow you to be pro-active •IBM My Notifications •Sign up to receive emails from IBM on new product releases, fix packs, etc •See http://blog.darrenduke.net/Darren/DDBZ.nsf/dx/do-you-subscribe- to-the-ibm-daily-product-update-newletter-you-should.htm for details on setting up
  33. 33. Knowledge is Power •Forewarned is forearmed and there are resources that allow you to be pro-active –US CERT weekly email •Be afraid, be very afraid (especially of Flash, Acrobat, AIR and Java) •See https://www.us-cert.gov/ to sign up
  34. 34. Disable Things •Anything you don’t use, disable. Anything you don’t need, disable •Need POP3 or IMAP? No? •Not having it in the Notes.ini will not start those tasks….BUT… •They can still be started •load pop3 –This is not sufficient, disable it in the Domino Directory •Now load pop3 won’t actually load anything
  35. 35. Notes/Domino Port Encryption •For Domino server to server or Notes client to server communication •Turn on at one end, works at both •128 bit RC4 encryption •128 bit AES may surface in 9.0.2 –WAN accelerators don’t link this –Still, provides more then adequate channel encryption for almost organization –Test via a trace in the Notes Client or the Server console

×