>While Notes access through firewalls is a FAQ (short answer: use your
>favorite circuit-level relay to pass traffic on port 1352 to your
>notes server), I was looking for a true application level proxy. By
>this I mean a proxy that would UNDERSTAND the protocol Notes uses,
>and allow me the functionality to:
Efficient and effective Notes firewall design best served by
understanding the Notes environment. Notes is a complex application with
granularity of access control from Server/Database/Document down to Field level.
At the application-level, Notes provides the most granularity of control. So
much so that
when you try to firewall two networks that include Notes, the network layer is
your weakest link.
NOTES FIREWALL IMPLEMENTATION EXAMPLES
N = Notes Server FW = Firewall
This would be the typical paradigm followed by firewall experts who are network
in their approach. The two Notes servers simply replicate at Port 1352. There
is no direct control
of the external Notes server.
(Private network to two firewalls in parrallel, one network level firewall,
second is Notes
In this scenario you have a Notes Firewall (pass-thru server) in parallel with
the traditional firewall. The Notes Firewall would be a dual NIC (IP Forwarding
disabled) on an NT or UNIX box .
Security mechanisms within Notes would be utilized. (Client encryption,
authentication, minimized version of Notes NAB on NFW.) No replication or
database management is necessary except defining access limitations among the
The NFW is a true application-level firewall, Notes being the application. Yes,
you are trusting the security mechanisms (and local implementations.) In some
firewall implementations, are we not trusting FTP data transfers ?
The risk is equivalent in both scenarios, the management and administration
have only been simplified. For someone to successful attack a Notes environment
they need a copy of your ID
file (stored locally) and know your password.
OUTSIDE OF SCOPE
This scenario excludes the Domino or Notes 4.5 environments. 4.5 provides
mechanisms for anonymous access and Domino permits basic authentication via