IT Baseline Protection Manual S 2.211 Planning the use of Lotus Notes in a demilitarised zone
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: IT Security Management, Administrator
The data stored in the databases of the Notes server can also be made available for public access from the Internet. This imposes special requirements on the security of the Notes server used for this purpose.
Where a Notes server is to be directly accessed from the Internet, in general the following points should be noted:
It must not be possible to access a Notes server in the local network directly from the Internet. All internal Notes servers must be protected against direct access from the Internet with a firewall (see also module 7.4 "Firewall").
Notes servers which are accessed directly from the Internet must be placed in a separate network (a so-called demilitarised zone, DMZ). Access to the server must be protected by a firewall (see also S 2.77 Secure configuration of other components).
Connection to the Internet can create security problems with serious consequences (see T 5.100 Hacking Lotus Notes). Therefore opening Notes servers up to access from the Internet should be avoided. If nevertheless a Notes server is used in a DMZ, special care must be taken over configuration of the security settings. Particular note must be made of the following points here:
A security concept for the linking of Notes servers to the Internet must be developed, in which amongst other things the security objectives and the basic preconditions are specified, the necessary network structure is described and all the organisational provisions are defined.
The Notes server should reside in a separate Notes domain.
Separate certification should be obtained for the server so that it does not possess any authorisations giving access within the intranet of the organisation.
The Notes server in the DMZ must not be replicated onto internal Notes servers. File-based mechanisms can be used for data transfer, e.g. FTP.
The firewall configuration must prohibit the initiation of connections from the Notes server to the internal network. If it is necessary to exchange data between internal systems and the Notes server in the DMZ, then it should only be possible to initiate connections from the internal systems. Moreover, the use of Notes mechanisms for data exchange should be avoided in order to enforce a change of protocol.
Databases also contain executable program code, such as agents and scripts, which can be used to compromise the internal network. Databases which are transferred from the Notes server in the DMZ to the internal network for further processing should therefore be subjected to a security check.
If only HTML pages (and no Notes databases) are to be offered through the server, then a pure WWW server product should be used. A Notes server offers complex functions and mechanisms which cannot all be disabled and hence could be used as possible points of attack. For example, connection is always possible using the Notes protocol.
The Notes system should be monitored like all other systems that are in the DMZ.
In addition to the aspects listed here, use of a Notes system in an exposed location can produce other problems as well. It is recommended that the specific risks applicable be considered carefully, bearing in mind the protection requirements of the IT applications and information.
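The firewall requirements listed above (no Internet access to internal Notes servers, no connections initiated from the DMZ Notes server, and a change of protocol between DMZ and internal network) can be checked mechanically against a rule set. The following is an added example, not part of the manual: the addresses, rule names and rule format are constructed, and it assumes a stateful, default-deny firewall whose allow rules describe who may initiate a connection. Port 1352 is the TCP port of the native Notes protocol.

```python
import ipaddress

# Constructed addressing plan (assumption, not taken from the manual).
INTERNAL = ipaddress.ip_network("10.0.0.0/16")      # internal network
DMZ_NOTES = ipaddress.ip_network("192.0.2.10/32")   # Notes server in the DMZ
NRPC_PORT = 1352                                    # native Notes protocol (TCP)

# Constructed allow rules: (name, source, destination, destination port).
# Each rule permits the source to initiate a connection; everything else is denied.
RULES = [
    ("web-in",      "0.0.0.0/0",     "192.0.2.10/32", 443),
    ("fetch-ftp",   "10.0.5.20/32",  "192.0.2.10/32", 21),
    ("replicate",   "192.0.2.10/32", "10.0.1.15/32",  1352),
    ("notes-admin", "10.0.5.0/24",   "192.0.2.10/32", 1352),
    ("legacy-in",   "0.0.0.0/0",     "10.0.1.15/32",  1352),
]

def audit(rules):
    """Return (rule name, finding) pairs for rules that conflict with the list above."""
    findings = []
    for name, src, dst, port in rules:
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        src_internal = s.subnet_of(INTERNAL)
        src_dmz = s.subnet_of(DMZ_NOTES)
        to_internal = d.overlaps(INTERNAL)
        to_dmz = d.overlaps(DMZ_NOTES)
        if to_internal and src_dmz:
            # The DMZ server must never initiate connections inwards.
            findings.append((name, "dmz-initiated"))
        elif to_internal and not src_internal:
            # Internal servers must not be directly reachable from outside.
            findings.append((name, "internet-to-internal"))
        if port == NRPC_PORT and ((src_internal and to_dmz) or (src_dmz and to_internal)):
            # Notes mechanisms across the boundary defeat the change of protocol.
            findings.append((name, "nrpc-across-boundary"))
    return findings

if __name__ == "__main__":
    for rule, finding in audit(RULES):
        print(f"{rule}: {finding}")
```

Only `web-in` and `fetch-ftp` pass: the first exposes the DMZ server alone, and the second is a file transfer initiated from the internal side.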
Additional controls:
Are there any compelling reasons for allowing Internet access to Notes servers?
Has IT Security Management been involved in this decision?
Does a security concept exist for the use of Lotus Notes in the DMZ?