Server Security and Reverse Proxies: Protecting Domino with Modern Best Practices
Darren Duke
Janitor Level 57
Simplified Technology Solutions, Inc
Domino Security - not knowing is not an option
Updated and all new
(well, some new)
10,000 foot view
•What we’ll (hopefully) cover
•Server Security
•SSL/TLS/SHA2
•Reverse Proxies
•Testing
•Antivirus settings on the client and server
1 Slide Review
•Get a SHA2 certificate
•Remove any SSLCipherSpec settings from notes.ini
•Upgrade to 9.0.1 FP6 IFx
•Restart HTTP
•Get a “B” on SSL Labs
•Ignore the rest of this presentation
•But you’ll miss a lot of snark……And how to get an “A+”
About Me
• I’m just a poor boy
• From a poor family
• He’s just a poor boy from a poor family
• Spare him his life from this monstrosity
• Easy come, easy go, will you let me go
About Me
• AKA my favorite slide
• Started with “Lotus Notes” in R3
• Yes, really….R3
• That means 1996
• Yes, really….1996
• Founder of STS (2005) based in Atlanta
• Sometime blogger, ranting Tweeter, ex-co-host of This Week In Lotus, Speaker (?), soon to be born-again podcaster
• http://blog.darrenduke.net
• Twitter @darrenduke
Disclaimer
• Everything in MY presentations is REAL
– Except maybe the 9.0.1 FP7 parts
– No real need to have lawyers interject a crappy slide here
– But as not having unreadable garbage on this slide may diminish my professional reputation, here you go
SHA2
•SHA = Secure Hash Algorithm
•Each SSL certificate is signed with either SHA1 or SHA2 (in practice SHA-256)
•SHA2 is far more secure than SHA1
•SHA1 is dead. Browsers now warn on, or refuse, SHA1-signed certificates.
•SHA2 Support in Domino
•If you are on 8.5.3, upgrade to 9.0.1 or put a proxy in front of it
•For 9.0.1 FP3+ you can now create SHA2 CSRs and import SHA2 certificates in Domino. Go to at least 9.0.1 FP5
•This is a very different process than what you are used to (kyrtool from the command line, not the old Server Certificate Admin database)
•See Gab’s excellent step-by-step on how to do this:
–http://turtleblog.info/2015/06/22/creating-sha-2-4096-ssl-certificates-for-domino/
–http://www-01.ibm.com/support/docview.wss?uid=swg21418982
Server Security SSL/TLS/SHA2
•SSLv3 is dead (SSLv2 has been dead for a long time)
•Unless you need it for SMTP STARTTLS compatibility
•Disable it if you can (you can….no really, you can)
•Server notes.ini DISABLE_SSLV3=1
Server Security SSL/TLS/SHA2
•TLS is King, long live the King
–TLS 1.0 via IF for the following releases
•With 8.5.3 FP6
•9.0
•9.0.1 FP2+
–TLS 1.2 for
•9.0.1 FP3 (plus IF)
•9.0.1 FP4+
•Perfect Forward Secrecy/HSTS
•Additional (more secure) ciphers
•SHA2
Server Security SSL/TLS/SHA2
•Don’t forget Perfect Forward Secrecy
•In cryptography, forward secrecy (FS; also known as perfect forward secrecy, or PFS) is a property of key-agreement protocols ensuring that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future. (via wikipedia)
•Domino now supports it as of 9.0.1 FP3 IF2/3 and higher
•Traffic stays secure even if the server private key is compromised in the future: someone who records your HTTPS sessions today and steals the key next year still can’t decrypt them
•In practice this means negotiating the ECDHE (or DHE) key-exchange cipher suites; SSL Labs shows whether a server prefers them
•This is a good thing. Use it.
Server Security SSL/TLS/SHA2
•Don’t forget HSTS
•HTTP Strict Transport Security
•It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol (via wikipedia)
•Domino now supports HSTS as of 9.0.1 FP4+
•Add these to the server notes.ini
–HTTP_HSTS_INCLUDE_SUBDOMAINS=1
–HTTP_HSTS_MAX_AGE=63072000
•Two caveats before you do
–includeSubDomains covers every host under that name, so if any subdomain still has to be reached over plain HTTP, leave that setting out
–63072000 seconds is two years, and browsers remember it for that long. Get the certificate and HTTPS right first; the only way to undo it is to serve max-age=0 over a working HTTPS connection
•Will get you an A+ on SSL Labs with Domino native HTTP stack
•Also see https://blog.darrenduke.net/Darren/DDBZ.nsf/dx/domino-adds-hsts-to-its-security-arsenal.htm
Server Security SSL/TLS/SHA2
•Don’t forget OCSP Stapling
•What is it?
•OCSP stapling, formally known as the TLS Certificate Status Request extension, is an alternative approach to the Online Certificate Status Protocol (OCSP) for checking the revocation status of X.509 digital certificates. It allows the presenter of a certificate to bear the resource cost involved in providing OCSP responses by appending ("stapling") a time-stamped OCSP response signed by the CA to the initial TLS handshake, eliminating the need for clients to contact the CA (via wikipedia)
•Go faster stripes for HTTPS connections (and the client no longer tells the CA which site it is visiting)
•Domino now supports OCSP Stapling as of 9.0.1 FP4+
•The server has to reach the CA’s OCSP responder outbound, so check the firewall before you wonder why it isn’t working
•To configure see
– https://blog.darrenduke.net/Darren/DDBZ.nsf/dx/supercharge-your-domino-servers-with-ocsp-stapling-real-go-faster-stripes.htm
Server Security SSL/TLS/SHA2
•SMTP with STARTTLS
•You fix a lot of inbound STARTTLS failures from old sending MTAs with
•Server notes.ini SSL_ENABLE_INSECURE_SSLV2_HELLO=1
–This accepts the SSLv2-compatible ClientHello format those old MTAs still send; it does not turn SSLv2 itself back on. Only set it if inbound mail is actually failing, and re-test with CheckTLS afterwards
•Ciphers
–No longer controlled in the Server/Internet Site doc (9.0.1). Now a notes.ini setting, but you don’t really need to set it anymore
–The Domino server now dictates the preferred cipher list
•For < 9.0.1 FP3 Server notes.ini SSLCipherSpec=AABBCCDDEE..ZZ (a list of hex cipher IDs)
•Just upgrade to FP4+ and remove the SSLCipherSpec setting (a leftover list overrides the new, better defaults)
•For all TLS 1.2 options see
–http://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_1.2
–http://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration (read this one!!)
Server Security SSL/TLS/SHA2
•If your org only wants to allow TLS 1.2
•You can disable TLS 1.0 (and obviously SSLv3)
•Server notes.ini SSL_DISABLE_TLS_10=1
–This could cause SMTP STARTTLS issues with older sending MTAs, so beware: a failed handshake may mean the mail arrives in plain text (sender falls back) or not at all (sender defers)
–All recent browsers have TLS 1.2 enabled by default now
•Older browsers (IE on XP) may not
Reverse Proxies
•What is a Reverse Proxy?
•In computer networks, a reverse proxy is a type of proxy server that
retrieves resources on behalf of a client from one or more servers.
These resources are then returned to the client as though they
originated from the proxy server itself - Wikipedia
Reverse Proxies
•Benefits
–You can handle more than one web server per proxy
–Reduce (potential attack) surface area
–SSL offloading
•Have the reverse proxy handle all your SSL/TLS
•When a security issue is detected, there is one place to fix it
–Security
•Hide version/platform/application from the browser
•No direct access to backend servers
•Restrict URL access to Domino to only the URLs required for
–iNotes
–Traveler
–Domino web applications (allow Quickr to work with “modern browsers”)
–Load balancing
•Provide HA for iNotes, Traveler, etc
Reverse Proxies
•The Proxies
–NGINX (pronounced Engine X)
•Most popular today, used by Netflix, Zappos, et al
•Open source
•Can do mail and other TCP connections, not just HTTP(S)
–IMAP
–SMTP (including STARTTLS)
–Apache
•Most famous
•Open source
•I have a free Apache VM using Ubuntu you can use as a starting point:
–http://blog.darrenduke.net/darren/ddbz.nsf/dx/here-is-a-freely-available-vm-to-reverse-proxy-domino-shoot-the-poodle.htm
–I would normally use HAProxy in addition to the above to provide HA functions (on the same Linux Ubuntu server)
Reverse Proxies
•The Proxies
–IBM HTTP Server (IHS)
•No longer recommended by IBM as a front end to Windows Domino Servers
–Was in 9.0
–But only on Windows
•Never extended to other platforms
–Shocker, I know
–This was IBM’s original fix in Domino 9 to add TLS 1.0
•Don’t do this anymore
–WebSphere Edge Proxy
•It has the word “WebSphere” in the title so I won’t touch it unless someone connects a car battery to my genitals
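Putting the benefits listed above into one configuration: the following NGINX server block is an added example, not part of the deck and not the Apache VM it links to. It terminates TLS with a SHA-2 certificate, allows only TLS 1.2 with forward-secret ciphers, sends HSTS, staples OCSP, hides the backend, and lets through only the URL prefixes iNotes and Traveler need. Everything concrete in it is an assumption: the hostname mail.example.com, the Domino backend at 10.0.0.10, the resolver 10.0.0.53, the file paths, and the allow-listed prefixes, which are a starting point to check against the iNotes and Traveler documentation for your release rather than a complete list.

```nginx
# Added example, not from the deck. Assumed: the proxy answers as
# mail.example.com; Domino listens on plain HTTP at 10.0.0.10:80 on an internal
# network that only the proxy can reach.

server {
    listen 80;
    server_name mail.example.com;
    # Never serve anything over plain HTTP; send the browser to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name mail.example.com;

    # SHA-2 signed certificate plus chain; key readable by nginx only (paths assumed).
    ssl_certificate     /etc/nginx/tls/mail.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/mail.example.com.key;

    # TLS 1.2 only (the deck's "org only wants TLS 1.2" case). Add TLSv1 here
    # if you still have to support IE on XP/2003, and 3DES, not RC4, for it.
    ssl_protocols TLSv1.2;
    # Forward-secret (ECDHE) AEAD suites only: no RC4, no export, no NULL.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;

    # OCSP stapling: nginx fetches and caches the CA's signed OCSP response and
    # staples it into the handshake, so browsers never call the CA themselves.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/tls/ca-chain.pem;   # issuer chain + root
    resolver 10.0.0.53 valid=300s;   # DNS for the OCSP responder name (assumed)

    # HSTS with the same two-year max-age the deck uses for Domino's own setting.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    # Hide what is behind the proxy: no nginx version, no Domino Server header.
    server_tokens off;
    proxy_hide_header Server;
    proxy_hide_header X-Powered-By;

    # Tell Domino who the real client is and that the outer leg was HTTPS.
    # (Inherited by every location below that does not set its own headers.)
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

    # Allow only the URL namespaces users actually need (assumed list; verify
    # against the iNotes and Traveler docs for your release) ...
    location ^~ /traveler          { proxy_pass http://10.0.0.10; }
    location ^~ /servlet/traveler  { proxy_pass http://10.0.0.10; }
    location ^~ /mail/             { proxy_pass http://10.0.0.10; }   # mail files
    location ^~ /iNotes/           { proxy_pass http://10.0.0.10; }
    location ^~ /domjava/          { proxy_pass http://10.0.0.10; }
    location ^~ /domjs/            { proxy_pass http://10.0.0.10; }
    location ^~ /icons/            { proxy_pass http://10.0.0.10; }
    # Exact match only: /names.nsf?Login for the login form, but not
    # /names.nsf/($People) or any other view in the Domino Directory.
    location = /names.nsf          { proxy_pass http://10.0.0.10; }

    # ... and refuse everything else: log.nsf, webadmin.nsf, catalog.nsf and
    # whatever other .nsf someone left readable never reach Domino.
    location / { return 404; }
}
```

Check the syntax with `nginx -t`, reload, and re-run the SSL Labs scan against the proxy rather than against Domino. The allow-list is only worth anything if Domino's own HTTP port is firewalled so that nothing but the proxy can reach it; otherwise an attacker simply goes around the proxy.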
Reverse Proxies
•The Real Reason to use a Proxy
•With a Proxy you may have avoided SSLv3 and this:
Spec      Date Spec Released   Date IBM Added to Domino   Time Taken by IBM (in years)
TLS 1.0   1999                 2014*                      15
TLS 1.2   2008                 2015                       7
PFS       2011*                2015                       4
Testing
•So you *think* you’re secure? OK…..
•Testing is what elevates belief to evidence
•Qualys SSL Labs test site for web sites
•https://www.ssllabs.com/ssltest/
•Scan a server, get a grade
•Will take a few minutes
•Also lists potential remediation
•Tons of useful information
•If you get an “A” or higher you’re good
•Scan every quarter or so. Things change! (the grading gets stricter over time, and a new attack can turn last quarter’s A into a C overnight)
•Use on sites other than your own
•Be scared. Be real scared.
Testing
• Here is my iNotes server behind an Apache Reverse Proxy
Testing
• Here is an iNotes server via SSL on Domino native (no proxy)
Testing
• A Note about Windows XP/2003 with IE Support and ciphers
– I know, you have a plan to get off XP and 2003
– No, really, we believe you
– Yes, I know you need to sunset your Windows 98 SE workstations first….
– Most people think you need RC4 to support XP with IE
– YOU DON’T!!!
• 3DES will provide support for XP/2003 with IE
• Domino now enables RC4 ONLY if TLS 1.2 is disabled
• Chrome and FF on XP can do better than 3DES
• The issue with embedding a browser into an OS…..
Testing
• Test SMTP STARTTLS at CheckTLS.com
– https://www.checktls.com/testreceiver.html
– Test both send and receive
• Receive
Testing
• Send
– You send email with a code in it, CheckTLS then replies to you with the transaction
Antivirus Settings (OS)
•Domino Server Exclusions
–Transaction Logs
–Domino Data
–DAOS repository
–View Rebuild Dir folder
–See https://www-304.ibm.com/support/docview.wss?uid=swg21417504
•Notes Client Exclusions
–Notes\framework
–Notes\data\workspace\.config\org.eclipse.osgi
–JAR files
–See http://www-01.ibm.com/support/docview.wss?uid=swg21407945
Antivirus Settings (OS)
• But Darren, what about when my users click on a virus infested
email attachment?
• IBM Notes and Attachments
– All Notes attachments are saved to %TEMP% on Windows
– So long as the OS AV has real time scanning of %TEMP% you are
safe
– Remember, %TEMP% could be different per user
Securing LDAP
•Using DA to AD for internet passwords?
–Also secure this, otherwise your users’ AD passwords are going from Domino to AD in plain text (an LDAP simple bind sends the password as-is, so anyone on the path between Domino and the domain controller can read it)
–Just checking the SSL box in DA.NSF is not sufficient!!!!
–You also need to import your AD server’s SSL certificate into your server.id file
•See http://blog.darrenduke.net/Darren/DDBZ.nsf/dx/solution-domino-directory-assistance-to-active-directory-when-using-ssl-does-not-break-with-9.0.1-fp4.htm for details on how to do this (it’s really not obvious)
Arriving in 9.0.1 FP7
•Java
•Java 8 support
•First to the server, then a few “weeks” later to the client
Arriving in 9.0.1 FP7
•Notes NRPC Port Security
•AES support
•It’s currently 128 bit RC4
•Which you could find out in technote 1097816
–BUT IBM DELETED IT
•I would expect 128 bit AES, with maybe an option to enable 256 bit AES
Speaking of Fix Packs
•As a general rule, the newer the FP and the newer the IF, the more
secure your server or client will be
•Fix Packs are cumulative. FP6 contains FP5 *and* some new stuff
•IBM are most likely changing the nomenclature around fix packs in the
next few months
•I doubt this includes making them easier to find on PPA or FC though
•Strongly consider going to 9.0.1 FP5/6
•SHA2
•TLS 1.2/PFS/much higher quality ciphers
•You are most likely paying for it anyway
•News Flash!!!! No new security features are coming to 9.0 or 8.5.x
•Fixpacks, IFs and Java updates are on IBM Fix Central
SAML
•Security Assertion Markup Language
•Allows Notes users to go password-less
•This can be a huge selling point
•Can also be set up so that the Notes ID is never stored on the
user’s PC
•It gets downloaded and stored in memory each time the user starts
Notes (well…..)
•User NEVER has to enter password
•You need 9.0.1, ID Vault, patience
•No password = no post-it note with password written on it!
Knowledge is Power
•Forewarned is forearmed and there are resources that allow you
to be pro-active
•IBM My Notifications
•Sign up to receive emails from IBM on new product releases, fix packs,
etc
•See http://blog.darrenduke.net/Darren/DDBZ.nsf/dx/do-you-subscribe-to-the-ibm-daily-product-update-newletter-you-should.htm for details on setting up
Knowledge is Power
•Forewarned is forearmed and there are resources that allow you
to be pro-active
–US CERT weekly email
•Be afraid, be very afraid (especially of Flash, Acrobat, AIR and Java)
•See https://www.us-cert.gov/ to sign up
Disable Things
•Anything you don’t use, disable. Anything you don’t need, disable
•Need POP3 or IMAP? No?
•Leaving the task out of the ServerTasks line in notes.ini means it won’t start at boot….BUT…
•It can still be started by anyone with console access
•load pop3
–So that is not sufficient; disable the protocol in the Server document in the Domino Directory as well
•Now load pop3 won’t actually load anything
Notes/Domino Port Encryption
•For Domino server to server or Notes client to server communication
•Turn on at one end, works at both
•128 bit RC4 encryption
•128 bit AES may surface in 9.0.1 FP7
–WAN accelerators don’t like this (they can’t compress or deduplicate encrypted traffic)
–Still, provides more than adequate channel encryption for almost any organization
–Test via a trace in the Notes Client or the Server console
The END
• It’s security so there are no stupid questions, just compromised
servers
• Q&A time
• @DarrenDuke on Twitter
• https://blog.darrenduke.net
• info@simplified-tech.com to hire me. Which you should. I’m hilarious

BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration DisastersBSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters
BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disasters
 
Application Performance Troubleshooting 1x1 - Von Schweinen, Schlangen und Pa...
Application Performance Troubleshooting 1x1 - Von Schweinen, Schlangen und Pa...Application Performance Troubleshooting 1x1 - Von Schweinen, Schlangen und Pa...
Application Performance Troubleshooting 1x1 - Von Schweinen, Schlangen und Pa...
 

Recently uploaded

Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 

Recently uploaded (20)

Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 

Server Security and Reverse Proxies: Protecting Domino with Modern Best Practices

1. Darren Duke
Janitor Level 57 56
Simplified Technology Solutions, Inc
Domino Security - not knowing is not an option
Updated and all new (well, some new)

2. 10,000 feet view
• What we’ll (hopefully) cover
• Server Security
• SSL/TLS/SHA2
• Reverse Proxies
• Testing
• Antivirus settings on the client and server

3. 1 Slide Review
• Get a SHA2 certificate
• Remove any SSLCipherSpec settings from notes.ini
• Upgrade to 9.0.1 FP6 IFx
• Restart HTTP
• Get a “B” on SSL Labs
• Ignore the rest of this presentation
• But you’ll miss a lot of snark……And how to get an “A+”

4. About Me
• I’m just a poor boy
• From a poor family
• He’s just a poor boy from a poor family
• Spare him his life from this monstrosity
• Easy come, easy go, will you let me go

5. About Me
• AKA my favorite slide
• Started with “Lotus Notes” in R3
• Yes, really….R3
• That means 1996
• Yes, really….1996
• Founder of STS (2005) based in Atlanta
• Sometime blogger, ranting Tweeter, ex-co-host of This Week In Lotus, Speaker (?), soon to be born-again podcaster
• http://blog.darrenduke.net
• Twitter @darrenduke

6. Disclaimer
• Everything in MY presentations are REAL
  – Except maybe the 9.0.1 FP7 parts
  – No real need to have lawyers interject a crappy slide here
  – But as not having unreadable garbage on this slide may diminish my professional reputation, here you go
• Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed rhoncus interdum leo, in aliquet velit mattis porttitor. Mauris vestibulum suscipit aliquam. Suspendisse sed euismod eros. Vestibulum pharetra vestibulum fermentum. Phasellus malesuada maximus libero, sit amet egestas justo vestibulum non. Vivamus at nisl id est consectetur sodales vitae nec quam. Nunc et consectetur nibh.
• Cras nec ultricies risus. Maecenas condimentum, tortor at venenatis elementum, lectus turpis mattis enim, et egestas nisl sem et turpis. Vivamus blandit tristique tortor, eu cursus augue. Donec lacinia mi id malesuada lobortis. Vivamus tristique, tellus id tincidunt feugiat, justo nulla commodo risus, in commodo enim augue non metus. Proin varius rutrum velit, ac pretium lorem efficitur a. Nulla non sem arcu. Suspendisse eleifend dui at lacus scelerisque, et scelerisque elit accumsan. Nullam eu iaculis nibh. Etiam ac diam quis mauris tincidunt bibendum. Pellentesque eleifend laoreet ultricies. Cras sollicitudin, quam vel fermentum ullamcorper, nisl metus volutpat odio, et lobortis eros eros id leo. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Curabitur sollicitudin ac massa efficitur eleifend.
• Cras orci lorem, tempus quis maximus ut, fermentum sit amet odio. Integer dolor diam, ullamcorper sit amet dignissim eu, facilisis rhoncus erat. In condimentum viverra accumsan. Maecenas metus mi, porta non augue nec, finibus finibus arcu. Integer quis augue quis massa fringilla ullamcorper feugiat et massa. Aenean et neque ante. Nam tristique elementum ipsum, ac tempus lorem euismod vitae. Ut ornare enim a nibh tincidunt cursus. Suspendisse at enim sodales, ullamcorper justo vitae, semper lectus. Nullam ex felis, sollicitudin vel lacinia quis, ultricies cursus turpis. Nullam elementum blandit risus vel porta. Nullam tempus eget augue a fringilla. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos.
• Integer a ipsum a nisl eleifend dapibus. Nunc porttitor mi quis urna euismod consectetur. Donec placerat nisl gravida odio lacinia, non scelerisque urna aliquam. Sed dolor justo, varius id fermentum ut, fermentum ac mi. Curabitur eu sollicitudin nunc. Proin sodales, metus non dictum mollis, justo lectus sagittis quam, elementum fringilla est erat nec felis. Sed non euismod lorem, in hendrerit arcu. Donec eu euismod metus. Cras justo est, faucibus ut posuere quis, viverra a dolor.
• Sed gravida velit lacus, sed volutpat metus venenatis quis. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Donec iaculis accumsan ante eget porta. Duis sit amet commodo velit. Integer est tortor, euismod congue sem quis, lobortis convallis erat. Aliquam erat volutpat. Mauris pretium rutrum interdum. Nullam non magna nunc.
• Generated 5 paragraphs, 408 words, 2794 bytes of Lorem Ipsum

7. SHA2
• SHA = Secure Hash Algorithm
• Each SSL certificate is either SHA1 or SHA2
• SHA2 far more secure than SHA1
• SHA1 is dead. Browsers now have issues with SHA1.
• SHA2 Support in Domino
• If you are on 8.5.3, upgrade to 9.0.1 or put a proxy in front of it
• For 9.0.1 FP3+ you can now create SHA2 CSRs and import SHA2 certificates in Domino. Go to at least 9.0.1 FP5
• This is a very different process than what you are used to
• See Gab’s excellent step-by-step on how to do this:
  – http://turtleblog.info/2015/06/22/creating-sha-2-4096-ssl-certificates-for-domino/
  – http://www-01.ibm.com/support/docview.wss?uid=swg21418982

8. Server Security SSL/TLS/SHA2
• SSLv3 is dead (SSLv2 has been dead for a long time)
• Unless you need it for SMTP STARTTLS compatibility
• Disable it if you can (you can….no really, you can)
• Server notes.ini DISABLE_SSLV3=1

9. Server Security SSL/TLS/SHA2
• TLS is King, long live the King
  – TLS 1.0 via IF for the following releases
    • With 8.5.3 FP6
    • 9.0
    • 9.0.1 FP2+
  – TLS 1.2 for
    • 9.0.1 FP3 (plus IF)
    • 9.0.1 FP4+
• Perfect Forward Secrecy/HSTS
• Additional (more secure) ciphers
• SHA2

10. Server Security SSL/TLS/SHA2
• Don’t forget Perfect Forward Secrecy
• In cryptography, forward secrecy (FS; also known as perfect forward secrecy, or PFS) is a property of key-agreement protocols ensuring that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future. (via wikipedia)
• Domino now supports it as of 9.0.1 FP3 IF2/3 and higher
• The data is secure even if the server private key is compromised in the future
• This is a good thing. Use it.

11. Server Security SSL/TLS/SHA2
• Don’t forget HSTS
• HTTP Strict Transport Security
• It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol (via wikipedia)
• Domino now supports HSTS as of 9.0.1 FP4+
• Add these to the server notes.ini
  – HTTP_HSTS_INCLUDE_SUBDOMAINS=1
  – HTTP_HSTS_MAX_AGE=63072000
• Will get you an A+ on SSL Labs with Domino native HTTP stack
• Also see https://blog.darrenduke.net/Darren/DDBZ.nsf/dx/domino-adds-hsts-to-its-security-arsenal.htm

12. Server Security SSL/TLS/SHA2
• Don’t forget OCSP Stapling
• What is it?
• OCSP stapling, formally known as the TLS Certificate Status Request extension, is an alternative approach to the Online Certificate Status Protocol (OCSP) for checking the revocation status of X.509 digital certificates. It allows the presenter of a certificate to bear the resource cost involved in providing OCSP responses by appending ("stapling") a time-stamped OCSP response signed by the CA to the initial TLS Handshake, eliminating the need for clients to contact the CA
• Go faster stripes for HTTPS connections
• Domino now supports OCSP Stapling as of 9.0.1 FP4+
• To configure see
  – https://blog.darrenduke.net/Darren/DDBZ.nsf/dx/supercharge-your-domino-servers-with-ocsp-stapling-real-go-faster-stripes.htm

13. Server Security SSL/TLS/SHA2
• SMTP with STARTTLS
• You fix a lot of problems with
• Server notes.ini SSL_ENABLE_INSECURE_SSLV2_HELLO=1
• Ciphers
  – No longer controlled in the Server/Internet doc (9.0.1). Now a notes.ini, but you don’t really need to anymore
  – Domino server now dictates the preferred cipher list
• For < 9.0.1 FP3 Server notes.ini SSLCipherSpec=AABBCCDDEE..ZZ
• Just upgrade to FP4+ and remove the SSLCipherSpec setting
• For all TLS 1.2 options see
  – http://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_1.2
  – http://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration read this one!!

14. Server Security SSL/TLS/SHA2
• If your org only wants to allow TLS 1.2
• You can disable TLS 1.0 (and obviously SSLv3)
• Server notes.ini SSL_DISABLE_TLS_10=1
  – This could cause SMTP STARTTLS issues so beware
  – All recent browsers have TLS 1.2 enabled by default now
• Older browsers (IE on XP) may not

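Slides 8 to 14 boil down to a handful of notes.ini lines. The script below is an added example (not part of the deck, and not an IBM or HCL tool) that reads a notes.ini as text and reports what deviates from that advice: DISABLE_SSLV3=1, the two HTTP_HSTS_* settings with the 63072000 max-age, no leftover SSLCipherSpec on 9.0.1 FP4+, and the SMTP STARTTLS caveats around SSL_DISABLE_TLS_10 and SSL_ENABLE_INSECURE_SSLV2_HELLO. The needs_smtp_starttls flag is this script's own switch, not a Domino setting, and the two notes.ini fragments are constructed for the demo.

```python
"""Audit a Domino server notes.ini against the TLS advice in slides 8 to 14.

Added example, not part of the original deck and not an IBM/HCL tool.
The key names and values are the ones the deck names; needs_smtp_starttls
is an assumption of this script (a switch for the STARTTLS caveats).
"""
from __future__ import annotations

RECOMMENDED_HSTS_MAX_AGE = 63072000  # two years, the HTTP_HSTS_MAX_AGE value on slide 11


def parse_notes_ini(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines into a dict.

    Keys are upper-cased because Domino treats notes.ini names case-insensitively.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        # skip blanks, the [Notes] section header, comments and lines without '='
        if not line or line.startswith(("[", ";", "#")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def audit_tls_settings(settings: dict[str, str], needs_smtp_starttls: bool = False) -> list[str]:
    """Return one finding per deviation from the deck; an empty list means 'matches the 1 Slide Review'."""
    findings: list[str] = []

    if settings.get("DISABLE_SSLV3") != "1":
        findings.append("SSLv3 still enabled: add DISABLE_SSLV3=1")

    if "SSLCIPHERSPEC" in settings:
        findings.append("SSLCipherSpec is set: remove it on 9.0.1 FP4+ so the server "
                        "dictates the preferred cipher list")

    if settings.get("HTTP_HSTS_INCLUDE_SUBDOMAINS") != "1":
        findings.append("HSTS does not cover subdomains: add HTTP_HSTS_INCLUDE_SUBDOMAINS=1")

    max_age = settings.get("HTTP_HSTS_MAX_AGE", "")
    if not max_age.isdigit():
        findings.append(f"HSTS max-age missing: add HTTP_HSTS_MAX_AGE={RECOMMENDED_HSTS_MAX_AGE}")
    elif int(max_age) < RECOMMENDED_HSTS_MAX_AGE:
        findings.append(f"HTTP_HSTS_MAX_AGE={max_age} is below the recommended {RECOMMENDED_HSTS_MAX_AGE}")

    if needs_smtp_starttls:
        # slide 14: disabling TLS 1.0 can break STARTTLS with older sending MTAs
        if settings.get("SSL_DISABLE_TLS_10") == "1":
            findings.append("SSL_DISABLE_TLS_10=1 with SMTP STARTTLS in use: older sending MTAs "
                            "may fail to negotiate, test with CheckTLS")
        # slide 13: the deck's compatibility setting for SMTP STARTTLS
        if settings.get("SSL_ENABLE_INSECURE_SSLV2_HELLO") != "1":
            findings.append("SMTP STARTTLS in use: the deck suggests "
                            "SSL_ENABLE_INSECURE_SSLV2_HELLO=1 for compatibility")
    return findings


# Constructed sample notes.ini fragments (not taken from any real server).
WEAK_INI = """[Notes]
Directory=C:\\Domino\\data
SSLCipherSpec=AABBCC
"""

HARDENED_INI = """[Notes]
Directory=C:\\Domino\\data
DISABLE_SSLV3=1
HTTP_HSTS_INCLUDE_SUBDOMAINS=1
HTTP_HSTS_MAX_AGE=63072000
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label)
        for finding in audit_tls_settings(parse_notes_ini(text)) or ["no findings"]:
            print("  -", finding)
```

Run it against a copy of the server's notes.ini (read the file, pass the text to parse_notes_ini) before and after an upgrade; pass needs_smtp_starttls=True for servers that relay mail with STARTTLS so the TLS 1.0 caveat from slide 14 is surfaced rather than silently applied.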
15. Reverse Proxies
• What is a Reverse Proxy?
• In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client as though they originated from the proxy server itself - Wikipedia

16. Reverse Proxies
• Benefits
• You can handle more than one web server per proxy
• Reduce (potential attack) surface area
• SSL offloading
  – Have the reverse proxy handle all your SSL/TLS
  – When security issue detected, one place to fix
• Security
  – Hide version/platform/application from the browser
  – No direct access to backend servers
  – Restrict URL access to Domino for only required URLs for
    • iNotes
    • Traveler
    • Domino web applications (allow Quickr to work with “modern browsers”)
• Load balancing
  – Provide HA for iNotes, Traveler, etc

17. Reverse Proxies
• The Proxies
• NGINX (pronounced Engine X)
  – Most popular today, used by Netflix, Zappos, et al
  – Open source
  – Can do mail and other TCP connections, not just HTTP(S)
    • IMAP
    • SMTP (including STARTTLS)
• Apache
  – Most famous
  – Open source
  – I have a free Apache VM using Ubuntu you can use as starting point:
    • http://blog.darrenduke.net/darren/ddbz.nsf/dx/here-is-a-freely-available-vm-to-reverse-proxy-domino-shoot-the-poodle.htm
  – I would normally use HAProxy in addition to the above to provide HA functions (on the same Linux Ubuntu server)

18. Reverse Proxies
• The Proxies
• IBM HTTP Server (IHS)
  – No longer recommended by IBM as a front end to Windows Domino Servers
    • Was in 9.0
    • But only on Windows
  – Never extended to other platforms
    • Shocker, I know
  – This was IBM’s original fix in Domino 9 to add TLS1.0
    • Don’t do this anymore
• Websphere Edge Proxy
  – It has the word “Websphere” in the title so won’t touch it unless someone connects a car battery to my genitals

19. Reverse Proxies
• The Real Reason to use a Proxy
• With a Proxy you may have avoided SSLv3 and this:

  Spec     Date Spec Released   Date IBM Added to Domino   Time Taken by IBM (in years)
  TLS 1.0  1999                 2014*                      15
  TLS 1.2  2008                 2015                       7
  PFS      2011*                2015                       4

20. Testing
• So you *think* you’re secure? OK…..
• Testing is what elevates belief to evidence
• Qualys SSL Labs test site for web sites
• https://www.ssllabs.com/ssltest/
• Scan a server, get a grade
• Will take a few minutes
• Also lists potential remediation
• Tons of useful information
• If you get an “A” or higher you’re good
• Scan every quarter or so. Things change!
• Use on sites other than your own
• Be scared. Be real scared.

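SSL Labs grades the whole TLS setup, but two of the things the deck asks for (the HSTS policy from slide 11, and hiding version/platform from the browser as slide 16 recommends for a proxy) are visible in the HTTP response headers and can be checked between quarterly scans. The script below is an added example, not part of the deck and not SSL Labs code: it parses a raw response header block, decodes the Strict-Transport-Security directives, and reports a policy shorter than the deck's 63072000 seconds, a missing includeSubDomains, or a Server header that leaks a version. The two header blocks are constructed samples, and fetch_headers is a small helper for live use against your own host.

```python
"""Check HTTPS response headers of a Domino (or proxy-fronted) site.

Added example; not part of the original deck and not SSL Labs code.
The sample header blocks below are constructed, not captured from a real server.
"""
from __future__ import annotations

import http.client
import re
import ssl

HSTS_MIN_MAX_AGE = 63072000  # two years, the deck's HTTP_HSTS_MAX_AGE value


def parse_headers(raw: str) -> dict[str, str]:
    """Turn 'Name: value' lines into a dict with lower-cased names; the status line is skipped."""
    headers: dict[str, str] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into its directives (RFC 6797 syntax)."""
    policy: dict = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if arg.isdigit():
                policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def assess_headers(raw: str) -> list[str]:
    """Return findings; an empty list means the headers match the deck's advice."""
    headers = parse_headers(raw)
    findings: list[str] = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header (HTTP_HSTS_* not set, or proxy strips it)")
    else:
        policy = parse_hsts(hsts)
        if policy["max_age"] is None:
            findings.append("HSTS max-age missing or not a number")
        elif policy["max_age"] < HSTS_MIN_MAX_AGE:
            findings.append(f"HSTS max-age {policy['max_age']} is below {HSTS_MIN_MAX_AGE}")
        if not policy["include_subdomains"]:
            findings.append("HSTS policy lacks includeSubDomains")

    # slide 16: a proxy should hide version/platform; a digit in Server is the usual tell
    server = headers.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"Server header leaks a version: {server!r}")
    return findings


def fetch_headers(host: str, path: str = "/", port: int = 443) -> str:
    """Fetch the response headers of https://host/path as one raw block (live use only)."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
        lines += [f"{name}: {value}" for name, value in resp.getheaders()]
        return "\n".join(lines)
    finally:
        conn.close()


# Constructed samples: a native Domino stack with the slide 11 settings, and a weak proxy.
DOMINO_NATIVE_SAMPLE = """HTTP/1.1 200 OK
Server: Lotus-Domino
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Type: text/html"""

WEAK_PROXY_SAMPLE = """HTTP/1.1 200 OK
Server: Apache/2.4.7 (Ubuntu)
Strict-Transport-Security: max-age=300
Content-Type: text/html"""

if __name__ == "__main__":
    for label, sample in (("native", DOMINO_NATIVE_SAMPLE), ("weak proxy", WEAK_PROXY_SAMPLE)):
        print(label, assess_headers(sample) or ["ok"])
```

For a live check call assess_headers(fetch_headers("mail.example.com")) with your own host; the absence of findings is not a grade, so the SSL Labs scan on the slide above stays the authority for ciphers, protocol versions and certificate chain.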
21. Testing
• Here is my iNotes server behind an Apache Reverse Proxy

22. Testing
• Here is an iNotes server via SSL on Domino native (no proxy)

23. Testing
• A Note about Windows XP/2003 with IE Support and ciphers
  – I know, you have a plan to get off XP and 2003
  – No, really, we believe you
  – Yes, I know you need to sunset your Windows 98 SE workstations first….
  – Most people think you need RC4 to support XP with IE
  – YOU DON’T!!!
• 3DES will provide support for XP/2003 with IE
• Domino now enables RC4 ONLY if TLS 1.2 is disabled
• Chrome and FF on XP can do better than 3DES
• The issue with embedding a browser into an OS…..

24. Testing
• Test SMTP STARTTLS at CheckTLS.com
  – https://www.checktls.com/testreceiver.html
  – Test both send and receive
• Receive

25. Testing
• Send
  – You send email with a code in it, CheckTLS then replies to you with the transaction

26. Antivirus Settings (OS)
• Domino Server Exclusions
  – Transaction Logs
  – Domino Data
  – DAOS repository
  – View Rebuild Dir folder
  – See https://www-304.ibm.com/support/docview.wss?uid=swg21417504
• Notes Client Exclusions
  – Notes\framework
  – Notes\data\workspace\.config\org.eclipse.osgi
  – JAR files
  – See http://www-01.ibm.com/support/docview.wss?uid=swg21407945

27. Antivirus Settings (OS)
• But Darren, what about when my users click on a virus infested email attachment?
• IBM Notes and Attachments
  – All Notes attachments are saved to %TEMP% on Windows
  – So long as the OS AV has real time scanning of %TEMP% you are safe
  – Remember, %TEMP% could be different per user

28. Securing LDAP
• Using DA to AD for internet passwords?
  – Also secure this otherwise your users’ AD passwords are going from Domino to AD in plain text
  – Just checking the box in DA.NSF is not sufficient!!!!
  – You also need to import your AD server SSL certificate in your server.id file
• See http://blog.darrenduke.net/Darren/DDBZ.nsf/dx/solution-domino-directory-assistance-to-active-directory-when-using-ssl-does-not-break-with-9.0.1-fp4.htm for details on how to do this (it’s really not obvious)

29. Arriving in 9.0.1 FP7
• Java
• Java 8 support
• First to the server, then a few “weeks” later to the client

30. Arriving in 9.0.1 FP7
• Notes NRPC Port Security
• AES support
• It’s currently 128 bit RC4
• Which you could find out in technote 1097816
  – BUT IBM DELETED IT
• I would expect 128 bit AES, with maybe an option to enable 256 bit AES

31. Speaking of Fix Packs
• As a general rule, the newer the FP and the newer the IF, the more secure your server or client will be
• Fix Packs are cumulative. FP6 contains FP5 *and* some new stuff
• IBM are most likely changing the nomenclature around fix packs in the next few months
• I doubt this includes making them easier to find on PPA or FC though
• Strongly consider going to 9.0.1 FP5/6
  – SHA2
  – TLS 1.2/PFS/much higher quality ciphers
  – You are most likely paying for it anyway
• News Flash!!!! No new security features are coming to 9.0 or 8.5.x
• Fixpacks, IFs and Java updates are on IBM Fix Central

32. SAML
• Security Assertion Markup Language
• Allows Notes users to go password-less
• This can be a huge selling point
• Can also be set up so that the Notes ID is never stored on the user’s PC
• It gets downloaded and stored in memory each time the user starts Notes (well…..)
• User NEVER has to enter password
• You need 9.0.1, ID Vault, patience
• No password = no post-it note with password written on it!

33. Knowledge is Power
• Forewarned is forearmed and there are resources that allow you to be pro-active
• IBM My Notifications
  – Sign up to receive emails from IBM on new product releases, fix packs, etc
  – See http://blog.darrenduke.net/Darren/DDBZ.nsf/dx/do-you-subscribe-to-the-ibm-daily-product-update-newletter-you-should.htm for details on setting up

34. Knowledge is Power
• Forewarned is forearmed and there are resources that allow you to be pro-active
• US CERT weekly email
  – Be afraid, be very afraid (especially of Flash, Acrobat, AIR and Java)
  – See https://www.us-cert.gov/ to sign up

35. Disable Things
• Anything you don’t use, disable. Anything you don’t need, disable
• Need POP3 or IMAP? No?
• Not having it in the Notes.ini will not start those tasks….BUT…
• They can still be started
  – load pop3
  – This is not sufficient, disable it in the Domino Directory
• Now load pop3 won’t actually load anything

36. Notes/Domino Port Encryption
• For Domino server to server or Notes client to server communication
• Turn on at one end, works at both
• 128 bit RC4 encryption
• 128 bit AES may surface in 9.0.1 FP7
  – WAN accelerators don’t like this
  – Still, provides more than adequate channel encryption for almost any organization
  – Test via a trace in the Notes Client or the Server console

37. The END
• It’s security so there are no stupid questions, just compromised servers
• Q&A time
• @DarrenDuke on Twitter
• https://blog.darrenduke.net
• info@simplified-tech.com to hire me. Which you should. I’m hillerious