IT Baseline Protection Manual S 2.206 Planning the use of Lotus Notes
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: IT Security Management, Administrator
Before Lotus Notes can be implemented it is necessary to decide the purposes for which Lotus Notes will be used. The way in which the system is to be used will affect the software that has to be purchased (e.g. Domino Application Server or Domino Mail Server), the security guidelines to be specified and also the type and scope of planning for operation of the system.
In general a rough distinction can be made between three different variants:
1. Use as intranet server with access via Notes clients
In this scenario, the main focus of attention is on the use of Lotus Notes as an internal system for office communications (data management, e-mail, appointment fixing, co-ordination of teamwork).
2. Use as intranet server with access via browser
In this scenario the main focus of attention is on Web access to a Notes server. Since quite different security mechanisms are used on the Web interface of the Notes server from those applicable to variant 1, the secure configuration of this interface is considered as a separate scenario.
3. Use as Internet server with access via browser
In addition to the primary use of a Notes server as an intranet server, it may also be desirable to use it as an information server to which there is public access over the Internet. Due to the exposed position of such a server, this type of use requires particular attention to the system configuration. In particular, the Notes server must be set up in a demilitarised zone (DMZ), i.e. in an area that is protected by firewalls against unauthorised access both from within and without (see also S 2.211 Planning the use of Lotus Notes in a demilitarised zone).
Within each of these operational scenarios a further distinction can be made as to which Notes functions should be used (e.g. database access, Notes Mail, Internet mail, LDAP server, HTML server). No distinction will be made at that level here. Generally, however, it can be said that each part of the functionality that is to be used must be planned separately, including consideration of the relevant security aspects. For some of the aforementioned functions there are separate modules in the IT Baseline Protection Manual, which should be considered if those functions are used, e.g. Sections 7.4 "E-mail" and 7.5 "WWW Server".
Generally, when planning how the system will be used, the following aspects should be considered:
Lotus Notes sets up a separate namespace which enables splitting into so-called Notes domains. In order that this namespace can be used efficiently, planning of the domains is necessary. In addition, a hierarchical certificate structure is established through the Notes certificates which is independent of the way the domain is split up and therefore requires separate planning. The aspects which need to be considered here are described in safeguard S 2.208 Planning of the domains and certificate hierarchy of Lotus Notes.
Concurrently with planning of the Lotus Notes namespace and the desired operational scenario, a Notes-specific set of security guidelines must be drawn up. The aspects which need to be considered here are summarised in safeguard S 2.207 Defining security guidelines for Lotus Notes.
Detailed planning must be carried out for the desired operational scenario. The relevant recommendations for each scenario are covered in the following safeguards:
S 2.209 Planning the use of Lotus Notes in an intranet
S 2.210 Planning the use of Lotus Notes in an intranet with browser access
S 2.211 Planning the use of Lotus Notes in a demilitarised zone
Planning of the Notes system can only be regarded as complete when the detailed system roll-out has also been planned. The roll-out plan specifies the sequence in which the individual Notes servers and all the Notes clients will be installed. Particular care must be taken over planning the roll-out of the certification authorities if correct use of the certification hierarchy is to be possible.
Decisions that will affect future operation of the system should be documented so that it is possible to check subsequently whether they have been implemented in full. In particular, they should be documented in such a manner that the reasoning underlying the decisions is clear.
Additional controls:
Was a requirements analysis carried out for the use of Lotus Notes?