Wednesday, September 03, 2008

Port 1352 and Security - Is it secure?

In my opinion.. YES IT IS.

If you already have ports like SMTP, HTTP, HTTPS, FTP, etc. open, you need to make sure the systems (not the ports) using them have been configured properly from a security perspective. Well, with Domino and 1352 it is the same.

Let me explain....

Port 1352 over TCP is just like any other port, but according to the Internet Assigned Numbers Authority (IANA) this port has been registered for use with Lotus Notes. However, if you are a developer (a Java developer, for example) and you create your own application that uses port 1352 over TCP to handle packets, that's OK, but be aware that you cannot register the port with IANA, and it may cause conflicts if your organization already uses Notes and Domino.

Imagine a highway with thousands of lanes. The highway is the TCP protocol and each lane is a different port. Now, all ports can handle the same packets, but the software companies have agreed to use particular ports for their applications, and that's why they use IANA as the main registry. Just like in the highway example, each lane could allow traffic of any kind of vehicle, but if you want to have control and order, you would assign each lane to a particular kind of vehicle: Lane 1 = Cars, Lane 2 = Trucks, Lane 3 = Motorcycles, etc. Imagine every single company out there wanting to use its own selection of ports for SMTP and HTTP. That would be a mess!

Back to 1352...

There are different ways to achieve a higher level of security (regarding Domino and NRPC) if your organization is worried about users accessing the Domino servers over the Internet and/or data being accessed without authorization. My recommendations to increase your security would be any combination of the following:

  • Use a Passthru server outside the firewall (in order to allow incoming requests over 1352 from just one external IP address).
  • Use a Passthru server outside the firewall with a Configuration Only Address Book (so that minimal data is held in the Passthru server's names.nsf).
  • On the firewall, control how requests over 1352 are handled (redirection rules).
  • Encrypt the communication between the Notes clients and the Domino servers and/or between Domino servers.
  • Compare public keys during authentication.
  • Do not allow anonymous Notes connections (this restriction is the default).
  • Check passwords on Notes IDs.
  • Security policies.
  • Well-defined Access Control Lists (ACLs).
  • Extended ACLs.
  • Built-in data encryption inside the Notes database.
  • Good development and data architecture.
  • Any others?
So, next time you hear somebody saying port 1352 is not secure, explain that the port itself is like any other port; it is the way you have Domino configured that defines how secure the communication will be. Also, don't blame Domino for port security issues. We/you as IT professionals (especially those focused on security) need to monitor the network, ports, firewalls, etc.
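As an added example (not code from the original post), here is a small Python audit of the firewall-side points above: given connection log lines and the one external address (the Passthru server) allowed to reach Domino over 1352, it flags any 1352 connection from another source, which is exactly the kind of monitoring the paragraph above asks for. The log format, addresses and `audit_nrpc` function are constructed assumptions; adapt the regex to your own firewall's log format.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample firewall log (not from the original post). Assumed generic
# "ACCEPT/DROP" format; 192.0.2.5 stands in for the internal Domino server and
# 203.0.113.10 for the approved external Passthru server.
SAMPLE_LOG = """\
2008-09-03T10:01:12 ACCEPT TCP 203.0.113.10:49152 -> 192.0.2.5:1352
2008-09-03T10:01:15 ACCEPT TCP 198.51.100.77:51000 -> 192.0.2.5:1352
2008-09-03T10:01:20 ACCEPT TCP 203.0.113.10:49153 -> 192.0.2.5:1352
2008-09-03T10:02:01 DROP   TCP 198.51.100.78:52000 -> 192.0.2.5:1352
2008-09-03T10:02:05 ACCEPT TCP 198.51.100.79:40000 -> 192.0.2.5:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    reason: str

def audit_nrpc(log_text, allowed_sources, nrpc_port=1352):
    """Return a Finding for every connection to the NRPC port whose source is
    not in allowed_sources (addresses or CIDR networks). An ACCEPT from an
    unexpected source is the important case: the firewall rule set does not
    match the "only the Passthru server may reach 1352" policy."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowed_sources]
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or int(m["dport"]) != nrpc_port:
            continue  # malformed line, or not NRPC traffic
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in allowed):
            continue  # approved Passthru source
        reason = ("accepted from non-passthru source" if m["action"] == "ACCEPT"
                  else "blocked attempt from non-passthru source")
        findings.append(Finding(m["ts"], m["src"], m["dst"], reason))
    return findings

if __name__ == "__main__":
    for finding in audit_nrpc(SAMPLE_LOG, ["203.0.113.10"]):
        print(finding)
```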

I did some additional research, and this is the only IBM Technote I found regarding a known issue with port 1352: 1. It has already been fixed. 2. As a best practice, you shouldn't keep the ID files in your Address Book.

IBM Lotus Notes information leakage on port 1352

2 comments:

Chris Linfoot said...

1352 is now often used deliberately by people using P2P software such as BitTorrent clients.

The idea is that, if they set up P2P to listen on TCP/1352, anyone inspecting the traffic will assume that a Domino server is present and will rule out P2P.

Sadly, this has led to the blocking of port 1352 by some ISPs as a P2P countermeasure.

There being no option to change the NRPC port or to tunnel NRPC through, say, HTTP, this can make Notes/Domino connectivity via public networks a somewhat hit and miss affair even though it can, as you say, be accomplished quite securely.

Lotus Evangelist said...

You could of course leave your Domino server outside the firewall and connect it to an internal one using a serial connection and thus maintain its security as well.
Simple really.