Wow... an actual technical post from The Power of The Schwartz! It sure has been a long time since I did one.

A pair of posts, yesterday and today by Luis Guirigay caught my attention on Planet Lotus this morning. They reminded me of a conversation I once had with Charlie Kaufman in the atrium outside the main conference room at Lotusphere, several years ago.

I told Charlie that I had come to the conclusion that there was no such thing as a security expert.  There are only insecurity experts, because no true expert will ever say "this solution is secure".

Charlie, ever so wise, responded that the mark of a true expert is someone who can say "this solution is secure against known threats, when properly configured".

Anyhow, in response to Luis, the question really isn't whether NRPC on port 1352 is secure. It isn't even whether it is secure against known threats when properly configured.

For all practical purposes, the question that matters is this: Is it possible, with reasonable effort and with proper references to independent security authorities, to convince an IT security staff -- whose professional standards specifically demand that they start with the assumption of insecurity -- that NRPC on port 1352 is secure against known threats when properly configured, and that the system will always be properly configured, and that the probability of unknown threats is close enough to zero to be ignored?  

There are numerous problems inherent in that question.

Problem number one is the lack of independent authorities. Although information about the authentication and encryption mechanisms used by NRPC has been made public, the protocol itself is not public and I don't know of any independent authority who is going to vouch for it.

The second problem is the requirement that the system must always be properly configured. Accidents do happen.

The third problem is the unknown threats, and even if the other two problems could be overcome, this one is the killer. The unknown threat scenario basically boils down to this: First, an attacker exploits a previously unknown Domino bug, a buffer overflow perhaps, inserting his own code into the Domino server to take over management of port 1352 communications. From this point on, all bets are off. The attacker has an open port 1352 through which he can talk to his own code and do just about anything he wants.,

And the fact that IBM, who of all organizations should definitely know how secure NRPC is, requires a VPN (last I heard, anyhow) for their employees to replicate, strongly suggests that the answer is that it isn't possible, with reasonable effort -- or perhaps with any level of effort -- to make the case.

1. Mick Moignard09/05/2008 03:47:22 AM
Homepage: http://www.mickmoignard.com

Richard
I think you'll find that the reason that IBM require a VPN for Notes replication is because large companies do that, and the VPN is there for security of other things that go on down the conection. I'd suggest that having a non-VPN connection for replication only and a VPN connection for other things and Notes traffic would just look absurd. And I'd not read any more than that from the statement.

Mick