Lotus Notes and Domino (Building Internet Firewalls, 2nd Edition)

16.5. Lotus Notes and Domino

Like Exchange, Lotus Notes is not just an electronic mail system; it provides a large number of services, including calendar management and document sharing. In addition, it is integrated with a web server, allowing it to provide forms and documents to web browsers. Although Notes was originally designed to be a groupware product, enabling groups to work together better, current versions also use the web server to provide services to Internet users. The name "Domino" was introduced as part of this change and refers to the new versions of the server (the client software is still known as Lotus Notes). When Domino is used as an Internet web server, it should be treated like any other web server; see Chapter 15, "The World Wide Web".

Notes clients can use Notes RPC to speak to servers, but in recent versions, they can also use HTTP, SMTP, and/or POP3, to speak to Notes/Domino servers or to other servers. This provides extra options for supporting Notes clients over the Internet.

Notes uses public key encryption for authentication and does not send passwords across the network. By default, Notes does not encrypt other information, but it can be set to use encryption for all network traffic on a given port. This can be forced by the server; if the server is configured to use encryption, the clients will encrypt, regardless of the client setting. In addition, users and application designers can decide to encrypt individual documents, whether or not all network traffic is being encrypted. Notes can use a number of different encryption algorithms (RSA for public key encryption, DES, triple DES, RC2, and RC4 for secret key encryption) and a number of different key lengths depending on the type of encryption in use and the location of servers and clients. Encryption algorithms are discussed further in Appendix C, "Cryptography".

Notes documents may contain embedded code in a language called "LotusScript". LotusScript does not provide any security controls by itself (it can call external programs and do anything that the user running Notes can do). Originally, Notes clients would execute LotusScript programs received in mail without notification or security controls. Starting in release 4.5, Notes provides controls on what programs can do, based on the digital signature of the document containing the program. Configurations can be set up for specific signatures, for a default that applies to signed documents with unknown signatures, and for unsigned documents. All Notes clients should be configured with maximum restrictions for the default and for unsigned documents.

16.5.1. Packet Filtering Characteristics of Lotus Notes

Native Notes transactions are done over a protocol called Notes RPC using TCP at port 1352. Connections between servers follow the same pattern as client/server connections.

Direction
SourceAddr.
Dest.Addr.
Protocol
SourcePort
Dest.Port
ACKSet
Notes

In
Ext
Int
TCP
>1023
1352
[62]

Incoming Notes connection, client to server

Out
Int
Ext
TCP
1352
>1023
Yes
Incoming Notes connection, server to client

Out
Int
Ext
TCP
>1023
1352
[62]
Outgoing Notes connection, client to server

In
Ext
Int
TCP
1352
>1023
Yes
Outgoing Notes connection, server to client

Direction	SourceAddr.	Dest.Addr.	Protocol	SourcePort	Dest.Port	ACKSet	Notes
In	Ext	Int	TCP	>1023	1352	[62]	Incoming Notes connection, client to server
Out	Int	Ext	TCP	1352	>1023	Yes	Incoming Notes connection, server to client
Out	Int	Ext	TCP	>1023	1352	[62]	Outgoing Notes connection, client to server
In	Ext	Int	TCP	1352	>1023	Yes	Outgoing Notes connection, server to client

[62]ACK is not set on the first packet of this type (establishing connection) but will be set on the rest.

16.5.2. Proxying Characteristics of Lotus Notes

As of release 4.5, Lotus Notes clients are shipped with support for SOCKS v4. Lotus also has what they call a Passthru server, which is an application-aware proxy server; you can use this as a modified-procedure proxy by having the client connect to the Passthru server by name. You can also configure a Notes client to tunnel Notes RPC using an HTTP proxy, either using CONNECT or using a special Notes server that does HTTP. Some commercial firewalls also include Notes proxies.

You can also use a generic proxy, but this requires modifying the client configuration. Notes clients expect that the greeting from the server will match the name that they are configured with. You can get around this problem by using a connection document on the client which specifies what name to expect.

16.5.3. Network Address Translation Characteristics of Lotus Notes

Lotus Notes RPC does not include embedded IP addresses and will work without modification through a network address translation system. It does include embedded hostnames, which may release information that you expected to be concealed by the network address translation system. However, those embedded hostnames must not be changed, since they are used as part of server authentication.

16.5.4. Summary of Recommendations for Lotus Notes

If you need to pass Lotus Notes through your firewall, use a proxy server.

If you are using Notes RPC across the Internet, set the server to use encryption on all traffic.

Configure clients with maximum restrictions on LotusScript in unsigned documents and documents with unknown signatures.

Follow normal recommendations for web browsers when configuring Notes as a web browser, and normal recommendations for web servers when configuring Domino as a web server.


16.4. Microsoft Exchange		16.6. Post Office Protocol