Skip to main content

HCL Domino and Security

Yesterday, I posted about attending a Domino Jam for the first time in six years and my feelings on how HCL has turned the product around. Today I want to touch on the security aspect discussed at the Jam and add my thoughts to the mix. 

Secure by Design

Immediately following the roadmap presentation, the jam looked at Domino's legacy and where it is today. One of the key takeaways from this was a discussion of the incredible security in Domino. We have seen this in our organization but it was nice to hear HCL and other organizations (via quotes and stories) saying the same thing.

There are many good reasons for the high security score but two of the best are 

  • Multi-layered security from the very beginning of the product.
  • Domino being "on-prem" rather than web hosted. 

There were a couple of interesting stories and observations, including one about a penetration test on one of the new tools (Volt) where the auditors talked about the many layers of security in the Domino back-end and the fact that it was simply not worth a hacker's time to get through all of them when there are much easier targets. 

There was talk of the many standards that Domino currently supports and new standards being supported in the next upgrade (DKIM and others). HCL claims that Domino is still unbeaten in internal mail security. It's a bold statement but it has some merit, particularly when the on-prem systems support tough encryption and could be run in a completely firewalled internal environment. 

One of the participants remarked to me during a break that it was interesting that the organizations that hold onto Domino tended to be the types of organizations to whom security is considered a high priority. From what I've seen, it's true. If you're willing to move off domino, you also have to accept that your security will take a hit. 

Maintaining Security 

Inevitably, there was a question about why anyone should upgrade if the security was so good. I sighed inwardly at that one. If you're still running Domino 9, then you're running a system that was designed for Windows Server 2012 (or Windows PC 8). Those operating systems had holes in them like Swiss cheese and it would be dangerous to run those platforms today.  

It's not just windows that has been upgraded and patched though. Domino has had its fair share of fixes and new security features since release 9. This includes 

  • Mitigations for BEAST, POODLE and GOLDENDOODLE SSL and TLS vulnerabilities 
  • Retirement of older protocols (and introduction of new ones)
  • Mitigation for Cross Site Scripting (at R12). 

If you're running anything below R12.0.1 plus fixes, you're not doing your best to deal with your security issues. That's why it's so important to keep up your maintenance with HCL current. 

Testing Security

It's not enough to simply maintain security. You also need to keep testing for vulnerabilities. There's a bulletin on the HCL site which you can subscribe to that will send you notices of vulnerabilities when they are found. It's worth subscribing to keep "in the know".

If your domino server is hosting portals, web or extranet pages, it needs to be running SSL throughout but that's not enough. You need to be checking it regularly (at least six-monthly) against the excellent SSL tester from Qualys. Anything less than an A rating is not good enough and needs to be patched. If you're struggling with this, ask HCL for advice on lifting your rating. 


Then there are audits and penetration tests. We run these at least annually but we also run them whenever we deploy new systems (we build them into the development costs). You should be reading the output of your penetration tests and acting on the advice you have been given. 

You also need to consider the following;

  • Domino Versions and fix packs - also your client versions.
  • Protocols in use - did you know that you can (and should) disable old protocols.
  • Notes.ini - this can have outdated entries that should be removed. You can also improve security with a few choice lines in this file. 
  • Site documents - Are all your sites still in use? Are all the settings there still relevant?
  • Encryption levels within IDs
There's a whole lot more. If you're looking for some great people who can do this in Australia, get in touch with me and I'll make a recommendation. For everywhere else, talk to your Domino partners or HCL directly. 

Extending Security

The buck doesn't stop with Domino however. If your domino server is going to be internet connected, particularly if it's going to participate in internet mail, you need to look at some third-party solutions. 

The most obvious of these solutions is a mail scanner program. Over the years we've tried several including Mail Scanners that sat on the server and web based ones. These were from various companies including Symantec/Norton, Kaspersky, Veritas and Mimecast.

The web-based scanners open a small security hole (in that your mail could potentially be accessible to a third party - the scanning company). Sure, they all say that they don't do this but often when you read the fine print, there's an escape clause.

Nevertheless, I'd strongly recommend a web based filtering service (Mimecast would be my choice). Offsetting the potential security hole is the fact that you can set your domino server to only send to one IP range and only receive from one IP range. This immediately adds a whole layer of mail protection to your server. It also means that you don't lose mail if the server goes down (as it queues in the cloud) and aren't running extra software on your server that might do unexpected things or make troubleshooting more complex. Keep it simple. 

Apart from mail security, there are other security options available to you including firewalls, anti-virus and configuration watchers. These are all worth investigating. 

Separate from security and yet still part of it is disaster recovery and business continuity. Sure most of us Domino Admins can probably stand a replacement domino server up in no time but if the server is doing important work, consider a clustered environment or at least streaming backups and a warm DR environment. 

Yes, Domino has some of the best security in the world but it's still important to keep it up to date, regularly reviewed and frequently tested. 

Comments

Popular posts from this blog

How to Create an Auto-Response Mail Message in Lotus Notes 8.5.3+

Why would you do this? Suppose that you have an externally accessible generic email address for your company; support@mycompany.com or info@mycompany.com. You might expose this to the web and allow people to send messages to you. Setting up an auto-response email will tell the senders that their message reached its destination and that it will be dealt with accordingly.  It's also good practice to include links to FAQs or other useful information. Why 8.5.3 The techniques we'll be using here work in older versions of Notes but some of the options seem to have moved around in 8.5.3.  I figured it was a good time to show you where they've moved to. The Procedure Start Domino Designer and open the Mail file to be modified.  A really quick way to do this is to right-click on the application tab and choose "Open in Designer". In the Left hand panel of designer, expand Code and then double-click Agents.  A new window should appear. Click the action

How to Change Your Notification Options for New Lotus Notes Mail in version 8.x

Don't worry, I'm not patronizing you (my readers), I just decided to re-document this for one of our internal users and thought you might want to be able to use it in your own user documentation. WHAT IS THIS DOCUMENT ABOUT? Some people who don't get a lot of mail, like to be notified when such an event occurs. Notification can be; via a sound via a pop-up box via the system tray (where the computer clock is) The pop up box looks like this; Other people, who like myself, get too much mail would rather not be notified. The aim of this document is to tell you how (and where) to turn these options on and off. CHANGING YOUR SETTINGS To change your settings from the Notes 8.x client; On the Menu, click File , then Preferences... On the left hand side , click on the little plus sign to the left of Mail to expand the options. Click on the option marked Sending and Receiving . In the middle section, under receiving, you can control your notifications. If you untick the

How to Do a Mail Merge to Email using Lotus Notes

Why do one? In today's "green" world, it makes much better sense to send out emails than letters but you still want to personalize them. Sadly, by itself Lotus Notes doesn't support mail merge to email. Of course, we know that outlook does (but then it lets anyone and anything send emails for you - even when you don't want them to). So, how to do it in Notes? OpenNTF The first port of call is OpenNTF ( http://www.openntf.org/ ). This place is full of great things but most of them are really badly documented. Still, these guys give things away for free and they develop in their spare time, so we should be grateful for what we get. There's a great little project there called MailMerge Excel to Notes . Go there, click on releases and download the ZIP file. Getting to the Code The installation is tricky though I've noted that since I asked the author about the install, it's been updated (so maybe these steps are less necessary). Unzip the files to som