The Real Issue Regarding Security of Port 1352
10:44:55 PM

Wow... an actual technical post from The Power of The Schwartz! It sure has been a long time since I did one.

A pair of posts, yesterday and today by Luis Guirigay caught my attention on Planet Lotus this morning. They reminded me of a conversation I once had with Charlie Kaufman in the atrium outside the main conference room at Lotusphere, several years ago.

I told Charlie that I had come to the conclusion that there was no such thing as a security expert.  There are only insecurity experts, because no true expert will ever say "this solution is secure".

Charlie, ever so wise, responded that the mark of a true expert is someone who can say "this solution is secure against known threats, when properly configured".


Anyhow, in response to Luis, the question really isn't whether NRPC on port 1352 is secure. It isn't even whether it is secure against known threats when properly configured.

For all practical purposes, the question that matters is this: Is it possible, with reasonable effort and with proper references to independent security authorities, to convince an IT security staff -- whose professional standards specifically demand that they start with the assumption of insecurity -- that NRPC on port 1352 is secure against known threats when properly configured, and that the system will always be properly configured, and that the probability of unknown threats is close enough to zero to be ignored?  

There are numerous problems inherent in that question.

Problem number one is the lack of independent authorities. Although information about the authentication and encryption mechanisms used by NRPC has been made public, the protocol itself is not public and I don't know of any independent authority who is going to vouch for it.

The second problem is the requirement that the system must always be properly configured. Accidents do happen.

The third problem is the unknown threats, and even if the other two problems could be overcome, this one is the killer. The unknown threat scenario basically boils down to this: First, an attacker exploits a previously unknown Domino bug, a buffer overflow perhaps, inserting his own code into the Domino server to take over management of port 1352 communications. From this point on, all bets are off. The attacker has an open port 1352 through which he can talk to his own code and do just about anything he wants.

And the fact that IBM, who of all organizations should definitely know how secure NRPC is, requires a VPN (last I heard, anyhow) for their employees to replicate, strongly suggests that the answer is that it isn't possible, with reasonable effort -- or perhaps with any level of effort -- to make the case.

Comments

1. Mick Moignard, 09/05/2008 03:47:22 AM

I think you'll find that the reason that IBM require a VPN for Notes replication is because large companies do that, and the VPN is there for security of other things that go on down the connection. I'd suggest that having a non-VPN connection for replication only and a VPN connection for other things and Notes traffic would just look absurd. And I'd not read any more than that from the statement.

