Domino Security - not knowing is not an option - MWLUG 2015

Domino Security - not knowing is not an option
(AKA tame the nasty Poodles)
Darren Duke
Janitor Level 57
Simplified Technology Solutions, Inc

About me
• AKA my favorite slide
• Started with “Lotus Notes” in R3
• Yes, really….R3
• That means 1996
• Yes, really….1996
• Founder of STS (2005) based in Atlanta
• Sometime blogger, ranting Tweeter, ex-co-host of This Week In
Lotus, Speaker, Fixture at “Ask the PM’s”
• http://blog.darrenduke.net
• Twitter @darrenduke

10,000 feet view
•What we’ll (hopefully) cover
•Server Security
•SSL/TLS/SHA2
•Reverse Proxies
•Testing
•Antivirus settings on the client and server
•User Security
•Strong Internet passwords
•SAML
•Directory Assistance
•Port Encryption

SHA2
•SHA = Security Hashing Algorithm
•Each SSL certificate is either SHA1 or SHA2
•SHA2 far more secure than SHA1
•Most SSL vendors have stopped issuing SHA1 SSL certificates (around
Dec 31 2014)
•SHA2 Support in Domino
•No support for for SHA2 in 8.5.3. Never. Nada. Not going to happen
•For 9.0.1 FP3 and above you can now create SHA2 CSR’s and import
SHA2 certificates in Domino
•This is a very different process than what you are used to
•See Gab’s excellent step-by-step on how to do this:
–http://turtleblog.info/2015/06/22/creating-sha-2-4096-ssl-certificates-for-
domino/
–http://www-01.ibm.com/support/docview.wss?uid=swg21418982

Server Seurity SSL/TLS/SHA2
•SSLv3 is dead (SSLv2 has been dead for a long time)
•Unless you need it for SMTP STARTTLS compatibility
•Disable it if you can
•Server notes.ini DISABLE_SSLV3=1
•TLS is King, long live the King
–TLS 1.0 via IF for the following releases
•With 8.5.3 FP6
•9.0
•9.0.1 FP2
–TLS 1.2 via IF for
•9.0.1 FP3
•Perfect Forward Secrecy
•Additional (more secure) ciphers
•SHA2

•Don’t forget Perfect Forward Secrecy
•In cryptography, forward secrecy (FS; also known as perfect forward
secrecy, or PFS) is a property of key-agreement protocols ensuring that
a session key derived from a set of long-term keys cannot be
compromised if one of the long-term keys is compromised in the
future. (via wikipedia)
•Domino now supports it as of 9.0.1 FP3 IF2/3
•The data is secure even of the server private key is compromised in the
future
•This is a good thing. Use it.

•SMTP with STARTTLS
•You fix a lot of problems with
•Server notes.ini SSL_ENABLE_INSECURE_SSLV2_HELLO=1
•Ciphers
–No longer controlled in the Server/Internet doc (9.0.1). Now a
notes.ini
–Domino server now dictates the preferred cipher list
•Server notes.ini SSLCipherSpec=AABBCCDDEE..ZZ
•I usually start with:
–SSLCipherSpec=9D9C3D3C352F3339676B9E9F
–DISABLE_SSLV3=1
•For all TLS 1.2 options see
–http://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_1.2
–http://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration
–http://blog.darrenduke.net/Darren/DDBZ.nsf/dx/tls-1.2-in-domino-and-the-
settings-i-use.htm

•If you org only wants to allow TLS 1.2
•You can disable TLS 1.0 (and obviously SSLv3)
•Server notes.ini SSL_DISABLE_TLS_10
–This could cause SMTP STARTTLS issues so beware
–All recent browsers have TLS 1.2 enabled by default now
•Older browers (IE on XP) may not

Reverse Proxies
•What is a Reverse Proxy?
•In computer networks, a reverse proxy is a type of proxy server that
retrieves resources on behalf of a client from one or more servers.
These resources are then returned to the client as though they
originated from the proxy server itself - Wikipedia

Reverse Proxies
•Benefits
•You can handle more than one web server per proxy
•Reduce (potential attack) surface area
SSL offloading
•Have the reverse proxy handle all your SSL/TLS
•When security issue detected, one place to fix
–Security
•Hide version/platform/application from the browser
•No direct access to backend servers
•Restrict URL access to Domino for only required URLs for
–iNotes
–Traveler
–Domino web applications
–Load balancing
•Provide HA for iNotes, Traveler, etc

Reverse Proxies
•The Proxies
•NGINX (pronounced Engine X)
•Most popular today, used by Netflix, Zappos, et al
•Open source
•Can do mail and other TCP connections, not just HTTP(S)
–IMAP
–SMTP (including STARTTLS)
–Apache
•Most famous
•Open source
•I have a free Apache VM using Ubuntu you can use as starting point:
–http://blog.darrenduke.net/darren/ddbz.nsf/dx/here-is-a-freely-available-
vm-to-reverse-proxy-domino-shoot-the-poodle.htm

Reverse Proxies
•The Proxies
•IBM HTTP Server (IHS)
•No longer recommended by IBM as a front end to Windows Domino
Servers
•Never extended to other platforms
•IBM fixed TLS in Domino which made this redundant
–This was IBM’s original fix in Domino 9 to add TLS1.0
•Don’t do this anymore

Reverse Proxies
•A BIG Gotcha for Traveler
•If your Traveler Server Domino name is Traveler/Org
•AND
•Your Traveler server URL hostname == the CN of the Domino server
•So if Domino == Traveler/Org AND Traveler URL == Traveler.blah.com
–Then there seems to be a bug in Traveler that won’t allow a reverse
proxy to work
•See http://blog.darrenduke.net/Darren/DDBZ.nsf/dx/using-ibm-lotus-
traveler-with-a-proxy....food-for-thought-before-you-do-this.htm for
details and fix/workaround
–This makes is harder to reverse proxy Traveler, but it is still worth
doing

Reverse Proxies
•The Real Reason to use a Proxy
•With a Proxy you may have avoided SSLv3 and this:
Date Spec Released Date Domino
Added
Time Taken by IBM
(in years)
TLS 1.0 1999 2014* 15
TLS 1.2 2008 2015 7
PFS 2011* 2015 4

Testing
•So you *think* you’re secure? OK…..
•Testing is what elevates belief to evidence
•QualSYS SSL Labs test site for web sites
•https://www.ssllabs.com/ssltest/
•Scan a server, get a grade
•Will take a few minutes
•Also lists potential remediation
•Tons of useful information
•If you get a A- or higher you’re good
•Scan every quarter or so. Things change!
•Use on sites other that your own
•Be scared. Be real scared.

Testing
• Here is my iNotes server behind an Apache Reverse Proxy

Testing
• Here is an iNotes server native (no proxy)

Testing
• A Note about Windows XP/2003 with IE Support and ciphers
– I know, you have a plan to get off XP and 2003
– No, really, we believe you
– Most people think you need RC4 to support XP with IE
– YOU DON’T!!!
• 3DES will provide support for XP/2003 with IE
• So disable RC4 and enable 3DES

Testing
• Test SMTP STARTTLS at CheckTLS.com
– https://www.checktls.com/testreceiver.html
– Test both send and receive
• Receive

Testing
• Send
– You send email with a code in it, CheckTLS then replies to you with
the transaction

Antivirus Settings (OS)
•Domino Server Exclusions
•Transaction Logs
•Domino Data
•DAOS repository
•View Rebuild Dir folder
–See https://www-
304.ibm.com/support/docview.wss?uid=swg21417504
•Notes Client Exclusions
–Notesframework
–Notesdataworkspace.configorg.eclipse.osgi
–JAR files
–See http://www-
01.ibm.com/support/docview.wss?uid=swg21407945

Antivirus Settings (OS)
• But Darren, what about when my users click on a virus infested
email attachment?
• IBM Notes and Attachments
– All Notes attachments are saved to %TEMP% on Windows
– So long as the OS AV has real time scanning of %TEMP% you are
safe
– Remember, %TEMP% could be different per user

User Security
•Strong Internet Passwords
•Changes how passwords are stored in the Domino Directory
•A salted hash is created for each user
–@Password has starts a hex digit ('0' - '9', 'A'-'F'), with Domino 4.5
–@Password2 hash starts with 'G‘, with Domino 4.6+
–@Password3 hash starts with 'H‘, with Domino 8.5.1+
–Obviously if you want ‘G’ or preferably ‘H’
•Go from this
•To this

User Security
•Strong Internet Passwords for new users
•Edit Domino Directory Profile

User Security
•Strong Internet Passwords for existing users
•Select the users in the Domino Directory then ActionsSet Secure
Internet Password
•Then the top (8.0.1) option (but I think it started working in 8.5.1)

Securing LDAP
•I see a shocking amount of Domino LDAP servers NOT using LDAPS
•LDAPS is over port 636 by default
•Provided Domino has been set up for SSL, enable LDAPS
•If your LDAP clients supports LDAPS USE IT!

Securing LDAP
•Potential LDAPS issues
•Your LDAP client (copier, spam gateway, etc) may not support the new
Domino ciphers
•DEBUG_SSL_ALL=3 is your friend when testing this
•You may have to enable SSLv3 and RC4 on Domino LDAP to get around
these issues

Securing LDAP
•Using DA to AD for internet passwords?
–Also secure this otherwise your users AD passwords are going from
Domino to AD in plain text
–Just checking the box in DA.NSF is not sufficient!!!!
–You also need to import your AD server SSL certificate in your
server.id file
•See http://blog.darrenduke.net/Darren/DDBZ.nsf/dx/solution-domino-
directory-assistance-to-active-directory-when-using-ssl-does-not-break-
with-9.0.1-fp4.htm for details on how to do this (it’s really not obvious)

Java Updates
•Notes and Domino JVM still use Java 6 (or 1.6)
•Oracle ended Public Java 6 updates in Feb 2013
•IBM get customized Java 6 fixes Oracle
•These are then bundled into fixes for the client and server
•N/D 9.0.2 (N/D Next?) may get an updated (Java 8?) JVM
•These are important to install
•Usually contain fixes for CVSS rated high risk (may are 10.0, the highest
possible risk level
•These are Fix Pack based
–A fix pack will usually ship with a new, updated JVM
–IBM then build custom installers to patch the FP JVM to fix vulnerabilities
•These Java installers can fail. Often. Too often.
–Only way to address is to revert back to base Domino version (say 9.0.1, by
reapplying the current FP and reverting) then reapply fix pack, then apply
JVM patch

Speaking of Fix Packs
•As a general rule, the newer the FP and the newer the IF, the more
secure your server or client will be
•If you are running anything earlier than 8.5.3 FP6 IF9, you are
doing it wrong
•Strongly consider going to 9.0.1 FP3/4
•SHA2
•TLS 1.2/PFS/much higher quality ciphers
•You are most likely paying for it anyway
•News Flash!!!! No new features are coming to 9.0 or 8.5.x
•Fixpacks, IFs and Java updates are on IBM Fix Central

SAML
•Security Assertion Markup Language
•Allows Notes users to go password-less
•This can be a huge selling point
•Can also be set up so that the Notes ID is never stored on the
user’s PC
•It gets downloaded and stored in memory each time the user starts
Notes
•User NEVER has to enter password
•You need 9.0.1, ID Vault, patience
•No password = no post-it note with
password written on it!

Knowledge is Power
•Forewarned is forearmed and there are resources that allow you
to be pro-active
•IBM My Notifications
•Sign up to receive emails from IBM on new product releases, fix packs,
etc
•See http://blog.darrenduke.net/Darren/DDBZ.nsf/dx/do-you-subscribe-
to-the-ibm-daily-product-update-newletter-you-should.htm for details on
setting up

Knowledge is Power
•Forewarned is forearmed and there are resources that allow you
to be pro-active
–US CERT weekly email
•Be afraid, be very afraid (especially of Flash, Acrobat, AIR and Java)
•See https://www.us-cert.gov/ to sign up

Disable Things
•Anything you don’t use, disable. Anything you don’t need, disable
•Need POP3 or IMAP? No?
•Not having it in the Notes.ini will not start those tasks….BUT…
•They can still be started
•load pop3
–This is not sufficient, disable it in the Domino Directory
•Now load pop3 won’t actually load anything

Notes/Domino Port Encryption
•For Domino server to server or Notes client to server
communication
•Turn on at one end, works at both
•128 bit RC4 encryption
•128 bit AES may surface in 9.0.2
–WAN accelerators don’t link this
–Still, provides more then adequate channel encryption for almost
organization
–Test via a trace in the Notes Client
or the Server console

Domino Security - not knowing is not an option - MWLUG 2015

More Related Content

What's hot (20)

Similar to Domino Security - not knowing is not an option - MWLUG 2015 (20)

More from Darren Duke (6)

Recently uploaded (20)

Domino Security - not knowing is not an option - MWLUG 2015