email files outside the firewall

Incident response
Intrusion management
Lotus Domino
Network security
There is some discussion here of putting e-mail files on our email relay server which is outside the company firewall. People currently access via a dialup VPN but would like to not carry a laptop around all the time. Some people question the security of this. Have you any suggestions or can you be of any assistance in providing a more secure access?

Answer Wiki


This is a very vulnerable position to put your email files in, as they are no longer protected and are easily accessible from the outside. In our company, we have Lotus Domino R6 and are using the iNotes template on all mail files. Then we installed the product called Whale and configured it so that you could be at any internet kiosk or internet connection and gain access to your email in a totally secured environment. Even if you don't choose this scenario, I would personally recommend keeping your mail files secured. Hope this helps.

Discuss This Question: 5 Replies

  • Jeffersweldon
    I wouldn't leave my mail files totally unsecured. We have opened a couple of ports on our firewall to go to certain servers that are running their own firewalls plus I use what security is available in Domino. The real server addresses are hidden in addition to everything else. This works for us but it is a lot of work to set up.
  • Phigmentb
    With any enterprise level mail system, you should be able to provide web browser based access to mail. If security is an issue, SSL should be used as at a minimum. Putting your email files outside the firewall is about as smart as not having a firewall in the first place.
  • KMS Response
    We recently did this for a government client. Issues included email access by employees and public access to certain applications/forms submittal outside the firewall. What follows, Michael, is a quick review of the existing situation and an outline of the approach we took. Let me know if you need anything further on this and whether this answer was helpful.

    KMS reviewed the existing infrastructure and attempts by the client to allow remote access to mail accounts. The following information was provided by IS. The client uses a Checkpoint firewall that has client-less VPN capability. The client-less VPN uses a device-generated SSL certificate to encrypt traffic on the untrusted side of the firewall. It is unclear whether the trusted connection is encrypted as well. The client configured the firewall to use a static file for authentication. According to the client, the firewall supports LDAP lookup for VPN authentication. The client-less VPN does not create a VPN 'tunnel,' i.e., it does not prevent access to other foreign addresses while the VPN is engaged. The client was able to execute a proof-of-concept installation in which a browser on an untrusted address could authenticate with the VPN and access unrestricted HTTP content on an internal server. When attempting to access the Domino server via the VPN, the remote user is not able to get past the authentication dialog presented by the browser when first connecting to the Domino server. All affected users have their mail files on a certain server.

    KMS recommended the following approach, and received approval to begin. Since the benefit of the client-less VPN is restricted to SSL encryption, the same benefit can be achieved by allowing SSL connections to that server without the use of the VPN. The server will be configured with a self-generated SSL certificate. The firewall will be configured to allow traffic to the server on port 443 (HTTPS).

    Once the capability to access the server has been established, additional steps will be taken to enhance security:
    1. Session-based authentication will be enabled. This allows the server to close a session after a specified period, which is important if the connection is established from a public computer.
    2. Domino Off-Line Services will be disabled so that users cannot make local copies of their mail files on public computers.
    3. A password change mechanism will be developed and installed to enforce minimum-complexity rules on Domino Internet passwords.
    4. A mechanism for alerting the user when they log in from a web browser will be implemented. This may provide for early warning if a password has been compromised.

    This approach can be extended as follows:
    1. The Domino server will be configured to serve the Domino directory to internal hosts via LDAP.
    2. The firewall can be configured to use the Domino Directory for authentication, and the resulting VPN capability may be useful for accessing non-Domino resources from outside the firewall.
    3. LDAP inter-operability can form the basis for consolidating and synchronizing the many user accounts currently in place at the client.

    Estimates to complete were in the range of 24 to 40 hours, including testing and training with/by the client.
  • EXPERTJohnBrandt
    For what my opinion is worth, it's pretty simple. Hacking anything outside of a firewall is a fairly simple task. Hacking what's behind a firewall is more difficult, but not impossible. Hacking through VPN is still possible, but not probable. I have personally turned down efforts such as those described above. I have found that customers who understand security simply know better than to expose data or applications outside of a firewall. We have a difficult enough time chasing viruses for those with inadequate protection, validating and tracing internal security violations and securing applications when the client is aware of what the potential risks are to exposure. If you don't value your e-mail data, do what you want. But do not be surprised when your e-mail data is compromised and posted at a hacker's website. Of course, I wouldn't know. I'm just a flunky programmer.
  • SnLNotesMan
    If the issue is simply users not wanting to carry around a laptop, have you given any thought to a handheld device such as a Blackberry? It provides a simple solution while not compromising your security, and the integration is quite easy. We've done that for our "road warriors" and it's been a very popular solution.
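As an added example for the fourth hardening step in the KMS reply above (alerting a user when they log in from a web browser), and not code from the original thread or from KMS: a Python script that reads Domino HTTP access log lines in Common Log Format (a format the Domino HTTP server can write) and raises an alert the first time each authenticated user appears from a new client address. The log lines, user names, paths and addresses are constructed for the example; the log format assumption is labelled in the code.

```python
import re
from collections import defaultdict

# Constructed sample lines in Common Log Format (assumed here as the format the
# Domino HTTP server is configured to write); users, paths and addresses are made up.
SAMPLE_LOG = """\
203.0.113.5 - jsmith [12/Mar/2004:08:01:12 -0500] "GET /mail/jsmith.nsf?OpenDatabase HTTP/1.1" 200 5120
203.0.113.5 - jsmith [12/Mar/2004:08:05:40 -0500] "GET /mail/jsmith.nsf/($Inbox)?OpenView HTTP/1.1" 200 8211
198.51.100.77 - jsmith [12/Mar/2004:23:47:02 -0500] "GET /mail/jsmith.nsf?OpenDatabase HTTP/1.1" 200 5120
192.0.2.10 - - [12/Mar/2004:09:12:33 -0500] "GET /names.nsf?Login HTTP/1.1" 401 1024
"""

# client address, ident, authenticated user, timestamp, request line, status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def first_seen_alerts(log_text):
    """Return one alert per (user, client address) pair seen for the first time.

    Only successful (2xx) requests carrying an authenticated user count as a
    browser login; the anonymous 401 line is the server challenging an
    unauthenticated request and is ignored.
    """
    seen = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] == "-" or not 200 <= rec["status"] < 300:
            continue
        if rec["ip"] not in seen[rec["user"]]:
            seen[rec["user"]].add(rec["ip"])
            alerts.append({"user": rec["user"], "ip": rec["ip"],
                           "ts": rec["ts"], "path": rec["path"]})
    return alerts


if __name__ == "__main__":
    for a in first_seen_alerts(SAMPLE_LOG):
        print(f"ALERT: {a['user']} logged in from new address {a['ip']} at {a['ts']} ({a['path']})")
```

Run against the constructed log, the script reports two alerts for jsmith: the first from 203.0.113.5, and a second late-night login from 198.51.100.77 that the user could be asked to confirm.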
