This month's security tip has two parts:
1.) A follow-up to last month?s tip about security scanners;
2.) A discussion about the two types of data encryption. Special thanks to Frederic Dahm at Lotus, for pointing out that this is often confusing to people.
1.) A DOMINO-SPECIFIC SECURITY SCANNER
A Domino security scanner looks specifically for databases and URLs that often are vulnerable on Domino-based Web sites. For example, it is well known that some Domino servers allow anyone to issue the ?Open URL and browse a list of all databases on the server. Also, any knowledgeable cracker knows that Domino servers contain a log.nsf file, which contains all sorts of valuable information about the contents and activities of the server. A Domino security scanner looks for these known problems and reports which exist on your server or Web site.
Before taking you to a Domino security scanner, I want to repeat last month's warning...
*** You should only use security scanners on your own servers and Web sites. Breaking this rule is bad ethics, possibly illegal, and will get you kicked off many Internet service providers. ***
The best Domino scanner I have seen is called DomiLock and is located here:
DomiLock attempts to open a long list of common databases on your Domino Web server, and reports on those that it was able to open. The resulting report shows clearly in red which databases it could open, and in green those databases that it attempted to open but could not.
If any readers know about other useful Domino security scanners, please let me know and I will include them in future tips.
2.) TRAFFIC ENCRYPTION VERSUS STORAGE ENCRYPTION
I have received several questions about "encrypting e-mail messages" or "encrypting Web mail." These terms can mean two different things: protection of the mail data as it is moving over the Internet wires; or protection of the mail message after it reaches its destination and is stored there.
"Protection of mail data as it is moving over the Internet wires" is sometimes called traffic encryption, and its purpose is to prevent someone from eavesdropping on your message as it moves past them on the way from you to the intended receiver (or on its way from a sender to you). The most common method for traffic encryption is SSL. Its purpose is to hide data as it moves from point A to point B.
SSL is limited however, in that once the data reaches the receiver, it is no longer encrypted. If you want to prevent someone else at the your company from reading your email messages (once they are in your mailbox), you need to encrypt the data where it is stored. There are several ways to do this, including S/MIME, Domino local database encryption, and Domino field-level encryption. The choice depends on just what you are trying to accomplish.
As you are planning the security strategy for your organization, be aware of this distinction. Do you want to hide your data as it moves through some wires, or do you want to hide the data once it gets somewhere? Often you want to do both.
Chuck Connell is president of CHC-3 Consulting http://www.chc-3.com, a consultancy that helps organizations with all aspects of Domino and Notes, especially security.