Great Circle Associates Firewalls
(August 1996)

Subject: Re: Security with Lotus Notes 4
From: Marc Mosko <marc @ tear . com>
Date: Wed, 21 Aug 1996 09:05:41 -0700
To: Peter Yau <pyau @ carfax . ims . advantis . com>
Cc: FireWalls @ GreatCircle . COM
References: <Pine . A32 . 3 . 91 . 960821095426 . 33560B-100000 @ carfax . ims . advantis . com>

Peter Yau wrote:
> 
> Since the replication session is udp based (port 1352 at the target end),
> what is the range of udp ports (presumably the upper range) that the source
> end (initiating) will end up opening for the replication session?  I'm
> assuming that we don't have a peer-to-peer relationship where the udp port
> 1352 is opened at each end.  If anyone can clarify this, I'd
> appreciate it.

I don't know where you got this information, but it is not right.  Notes
is TCP based with the daemon port of 1352 (server side).  Client side is,
as usual, dynamically allocated.

You only need to allow TCP/1352 in through the firewall.  I do not think
this is a super big risk, but the sites I set up have a "firewall" Notes
server outside their Internet firewall.  This machine is in a different Notes
domain and has its own Name and Address book.  This way, external users do not
have the slightest access to the corporate servers.  I only allow the
internal servers to establish a connection OUT to the firewall Notes server for
replication and mail transfer.

> The other thing is security risk in conjunction with a client behind the
> Firewall doing a dialup session (XPC, PPP, or SLIP) to the external Notes
> Servers.  This appears safe.  Any comments, anyone.

Using Notes XPC is rather safe (assuming you trust Notes).  My
experience is on Solaris.  Notes does not use the port monitor (zsmon) so you do not
need to enable it.  This means that if Notes dies (yes, it happens now
and then) the system does not begin listening to the modem port.  It
will just ring.

If you use PPP or SLIP, of course, users have general TCP/IP access to
the network.

- -- 
   Marc Mosko                   Email: marc @ tear . com
                                Web:   http://www.tear.com/

   "If anyone knocks out another's eye, he shall pay him
   sixty-six shillings, six pence, and a third of a penny."
   -- Leges Henrici Primi (13th century)

           PGP Key available via Public Servers and
               http://www.tear.com/pgp-key.html


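The design described in the reply (Notes is TCP/1352; the Internet and the internal servers may only initiate toward a DMZ "firewall" Notes server, never toward the internal zone) can be audited against connection logs. The following is an added example, not code from the original thread; the address ranges, the log line format and the sample lines are all constructed for illustration.

```python
import ipaddress
import re

# Address plan assumed for this example (constructed, not from the post):
# the "firewall" Notes server sits in a DMZ; everything else inside is "internal".
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}
NOTES_PORT = 1352

# Permitted initiator -> responder zone pairs for TCP/1352 under the post's design.
# Note there is no pair ending in "internal": nothing may initiate toward the inside.
ALLOWED_PAIRS = {("internet", "dmz"), ("internal", "dmz")}

# Constructed log format: one connection attempt per line.
LOG_RE = re.compile(r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")

def zone_of(ip):
    # Anything outside the known networks is treated as the Internet.
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def check_flow(line):
    # Returns (verdict, src_zone, dst_zone, reason) for port-1352 flows, None otherwise.
    m = LOG_RE.search(line)
    if not m or int(m["dport"]) != NOTES_PORT:
        return None
    proto = m["proto"].lower()
    src, dst = zone_of(m["src"]), zone_of(m["dst"])
    if proto != "tcp":
        return ("deny", src, dst, "Notes replication is TCP; UDP/1352 is not Notes traffic")
    if (src, dst) in ALLOWED_PAIRS:
        return ("allow", src, dst, "matches the DMZ Notes server design")
    return ("deny", src, dst, "initiator would reach a zone the design forbids")

def audit(lines):
    return [r for r in map(check_flow, lines) if r is not None]

# Constructed sample log lines.
SAMPLE_LOG = [
    "proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=1352",  # Internet -> DMZ Notes: allow
    "proto=tcp src=10.1.2.3 dst=192.0.2.10 dport=1352",      # internal -> DMZ Notes: allow
    "proto=tcp src=192.0.2.10 dst=10.1.2.3 dport=1352",      # DMZ -> internal: violation
    "proto=udp src=198.51.100.7 dst=192.0.2.10 dport=1352",  # UDP 1352: not Notes, deny
    "proto=tcp src=198.51.100.7 dst=10.1.2.3 dport=1352",    # Internet -> internal: violation
    "proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=80",    # not port 1352; ignored
]
```

Running `audit(SAMPLE_LOG)` yields two allows and three denies; the two "violation" lines are the ones a firewall enforcing the post's outbound-only rule should never log as established.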
