[282] in Intrusion Detection Systems
Re: Lotus notes ids?
daemon@ATHENA.MIT.EDU (Mark_W_Loveless@smtp.bnr.com)
Fri Jul 21 16:52:31 1995
From: Mark_W_Loveless@smtp.bnr.com
Date: Fri, 21 Jul 95 08:08:10 CST
To: ids@uow.edu.au
Reply-To: ids@uow.edu.au
Brian,

On 1., the answer is no. I pick up a lot of extra security consulting
because of Notes. A good policy and common sense protect it. But no,
none that I know of. Typically on OS/2 Notes servers (mainly what I've
seen) and the Windows station that administers the NLM version, well,
once you're there you can bypass most security. On the NLM version if
Netware itself isn't set up securely you can bypass a good chunk of
security.

On 2., there is not a lot. The KnowledgeBase database that customers
replicate down from Lotus is a good source of techie info, but not a
lot on security that isn't covered in the manual or in classes. The
biggest one is when you cross certify with other companies, use a
non-hierarchical certifier. Here's the problem -

Vendor A cross certifies with Customer A and Customer B. Vendor A is
providing pricing info and order tracking for both customers in
replicating Notes databases. All cross certifications are done with
hierarchical certifiers. Because of the way public keys are exchanged,
Customer A has direct access to Customer B. Customer A can then set up
a dummy server to "look" like Vendor A and call Customer B,
replicating all pricing info and order tracking, because Customer A
has Vendor A's public key that Customer B is looking for. I believe
Lotus has corrected this in later versions of Notes, but there you
have the worst bug I'm aware of.

Mark
Mark_W_Loveless@smtp.bnr.com
______________________________ Reply Separator _________________________________
Subject: Lotus notes ids?
Author: ids@uow.edu.au at internet
Date: 7/17/95 5:04 PM
1. Is there an intrusion detection system already developed for Lotus Notes?
2. Can anyone point me to a source or reference that describes the main areas
of security concern in Lotus Notes and the patches or products that fix the
areas of concern?
Brian Smith, DOS Dummy