IT Baseline Protection Manual Chapter 7.7 Lotus Notes
7.7 Lotus Notes
Description
Lotus Notes is a product used to support workgroups. It provides facilities enabling office work routines that occur within an organisation to be supported and organised. All the communications, data transmission and data keeping that are necessary for this can be processed using Lotus Notes. The Notes concept is based on a client/server architecture whereby users connect themselves to the Domino server from a Notes client or browser and work in this mode.
In earlier versions of Lotus Domino/Notes, proprietary communications protocols were used. By contrast, the latest version (currently 5.0.5) incorporates standard Internet protocols. Since Version 4.5 it has also been possible to gain access to the data in a Lotus Domino server over the Internet from any browser, using a new Web interface. Access here is not restricted to read access, but write access and Administrator access to the server are also possible. From a security viewpoint, the most important change in the release update from version 5.0.3 to version 5.0.4 is the fact that, as a result of a change in US export policy, there is now a single, global version supplied with strong encryption mechanisms, as opposed to separate versions for the North American and international markets.
A brief summary is provided below of the current (as of November 2000) product designations of Lotus Domino/Notes components, as in the course of the last release update Lotus renamed some of the components. In the descriptions of the threats and security safeguards which follow, the terms Lotus Domino Server and Lotus Notes Server should be viewed as synonyms.
Server products:
Domino Application Server. This is the actual successor of the original Lotus Notes Server. Application Server has a modular design and, in addition to the components for database access, it also offers other modules, including an SMTP server module, an HTTP server module and an LDAP server module.
Domino Mail Server. The e-mail functionality is a constituent part of Domino Application Server. This configuration variant makes the functionality of an e-mail server also available independently of the other server modules.
Domino Enterprise Server. This enhanced version of Domino Application Server was previously known as Domino Advanced Services. This enhanced version includes functions for high availability, partitioning, server networks (clustering) and accounting information (billing).
Lotus QuickPlace. QuickPlace is a special configuration variant that is aimed at setting up Web-based team workspaces rapidly and without problems. QuickPlace is a constituent part of Domino Application Server and Domino Enterprise Server.
Client products:
Notes Client. This is the "classic" client for accessing the Domino/Notes server and processing e-mail, appointments, contacts and much more. Notes Client also contains a browser component which can be used to display Web content. In response to a client request, the Web Retriever loads this content from the relevant Web server and passes it on to the client.
Domino Administrator Client. Domino Administrator Client is not an independent client, but is contained in Domino Server R5 and Domino Designer R5 as an optional component. Domino Administrator Client is a central tool for the administration of security for the Domino server.
Domino Designer. Domino Designer is a development tool for the creation of Web applications. Domino applications can be created using Java, JavaScript, HTML4, C++, CORBA/IIOP, OLE and LotusScript.
From the point of view of security, the following aspects are relevant to Lotus Notes:
Access security. Only authorised users should be able to access the data held on a Notes server. To ensure that this is the case, access to a Notes server is controlled by the server itself. This means it is possible to control which users may in principle access which Notes server.
Access control. As well as control of server access, control of access to databases constitutes another important security mechanism. The methods provided by Lotus Notes permit in-depth control as to which users (or which user groups) are allowed to execute what actions on a particular database.
Communications security. When a client accesses a database on a server, the data retrieved is transmitted over a network connection. To ensure the confidentiality and integrity of the data, Lotus Notes provides encryption algorithms.
Availability. Use of a Notes system as an office communication medium by business units within an organisation imposes certain requirements as to availability. On the one hand there is a need to minimise the damage that could be caused by a failure through redundant data keeping or physical redundancy of computers, while on the other hand there is a requirement for a contingency plan which provides guidance and directions enabling rapid recovery of the system in the event of failure.
Threat Scenario
The following typical threats are assumed for the IT baseline protection of a Notes system:
To implement IT baseline protection, selection of the required packages of safeguards ("modules") is recommended, as described in Sections 2.3 and 2.4.
As well as protecting the Lotus Notes system, however, it is also necessary to draw up a specific security policy which must be integrated into the existing security policy. The Notes system must implement the existing security requirements while at the same time necessitating the creation of new, Notes-specific security provisions.
A Notes system will generally be used in the environment of other systems which serve to control access to the internal network from outside. Examples of other systems with which a Notes system has to work are firewall systems and remote maintenance systems. For this reason, when implementing the Notes-specific safeguards, the safeguards from the relevant modules of the affected systems must also be considered. In addition to the relevant modules from Chapters 5 and 6, the following modules should also be mentioned:
7.3 "Firewall", if Notes systems are used in a firewall environment (see also S 2.211 Planning the use of Lotus Notes in a demilitarised zone).
7.6 "Remote Access" if access to the Notes system is over dial-in lines.
The safeguards listed in module 9.2 "Databases" are not fully applicable to Lotus Notes, as Notes is a proprietary database system.
In order to successfully set up a Notes system, a series of measures should be taken, starting with the design, then going on to installation and operation. The steps involved here and the safeguards which should be considered at each of the steps are listed below.
Following the decision to use Lotus Notes as an internal communications system, it is necessary to purchase the software and any additional hardware required. As Lotus Notes is available in a number of different configuration variants (see above), the software to be purchased will also depend on the planned operational scenarios. The following safeguards should therefore be implemented:
At the outset it is necessary to plan exactly how the Notes system will be used (see safeguard S 2.206 Planning the use of Lotus Notes).
In parallel to this, security guidelines which interpret the already existing security guidelines in a Lotus Notes-specific manner, while also including any additional Notes-specific provisions that may be necessary, must be written (see safeguard S 2.207 Defining security guidelines for Lotus Notes).
Prior to actual implementation of the Notes system, the users and Administrators must be prepared for working with Lotus Notes through appropriate training. In particular, due to the complexity of administering a Notes system, in-depth training is recommended for Administrators. This should include giving the Administrators detailed system knowledge (see S 3.24 Training on the Lotus Notes system architecture for Administrators), so that they are in a position to manage the system consistently and correctly. Users should be informed of the use of the security mechanisms within Lotus Notes (see S 3.25 Training on Lotus Notes security mechanisms for users).
After the organisational and planning preliminary work has been completed, the Notes system can be installed. The following measures should be noted here:
The installation can only be regarded as complete when the Lotus Notes systems have been made secure (see S 4.116 Secure installation of Lotus Notes). This will ensure that in the subsequent configuration phase only authorised Administrators can access the Notes system.
After the "raw installation", the Notes system, comprising the servers (see S 4.117 Secure configuration of a Lotus Notes server) and clients (see S 4.126 Secure configuration of a Lotus Notes client and S 4.127 Secure configuration of browser access to Lotus Notes), has to be configured for the first time.
Following the initial installation and a test operation phase, normal operation commences. From a security point of view the following aspects should be taken into account here:
A Notes system is normally subject to continuous changes. This means that security-relevant configuration parameters require constant modification. In addition, in a client/server-based system security also depends on the security of all the subsystems - in this case, particularly, the clients. The safeguards that are relevant to secure operation are summarised in S 4.128 Secure operation of Lotus Notes and in the safeguards for the protection of communications (see S 5.84 Use of encryption procedures for Lotus Notes communication, S 5.85 Use of encryption procedures for Lotus Notes e-mail and S 5.86 Use of encryption procedures with browser access to Lotus Notes).
As well as protection during ongoing operations, however, contingency planning also plays an important role as the only way of containing damage in the event of an emergency. Information on contingency planning will be found in S 6.73 Creation of a contingency plan for failure of the Lotus Notes system.
The safeguards package for the "Lotus Notes" module is presented below.
Infrastructure:
S 1.29 (1) Adequate siting of an IT system (server)