IT Baseline Protection Manual S 5.84 Use of encryption procedures for Lotus Notes communication

S 5.84 Use of encryption procedures for Lotus Notes communication

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator, users

The exchange of data between Notes client and server takes place over network connections. Depending on the Notes system and network structure, the communications packets, which can contain authentication information as well as database content, can be transmitted unprotected. The data is transmitted in binary form in the data format of the unpublished Notes protocol, but in many cases this is not sufficient protection.

However, the Notes client and server support "port encryption". If port encryption is enabled on a port, all communication over that communication endpoint is encrypted. Port encryption can be enabled on the server, so that communication with all Notes clients is encrypted, or on the client. If it is enabled only on the client and not on the server itself, only the communication between that client and the server concerned is protected.

Moreover, communication is only encrypted on the ports for which encryption has been enabled. As a Notes server is able to accept connections over several different ports (e.g. TCP/IP, SPX, AppleTalk and COM ports) a decision must be made for every port as to whether encryption needs to be enabled.
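The per-port decision described above can be checked against a server's configuration. The following is an added example, not part of the manual: a Python sketch that reads a notes.ini text and reports, for every port listed under Ports=, whether the encryption flag is set. It assumes the port definition layout `NAME=driver, unit, sessions, buffer,,flags,` with bit 0x20 of the flags field marking port encryption; confirm this against the Notes/Domino release in use. The sample configuration is constructed.

```python
# Assumption: in a notes.ini port definition such as
#   TCPIP=TCP, 0, 15, 0,,12320,
# the sixth comma-separated field is a flags value and bit 0x20 is set when
# port encryption is enabled. Verify this for the release being audited.
ENCRYPT_BIT = 0x20


def audit_ports(ini_text):
    """Return {port: True | False | None} for every port named in Ports=.

    True  = encryption flag set
    False = flags field present, encryption flag clear
    None  = no definition line or no flags field (needs manual review)
    """
    settings = {}
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().upper()] = value.strip()

    result = {}
    for port in settings.get("PORTS", "").split(","):
        port = port.strip()
        if not port:
            continue
        definition = settings.get(port.upper())
        fields = [f.strip() for f in definition.split(",")] if definition else []
        if len(fields) >= 6 and fields[5].isdigit():
            result[port] = bool(int(fields[5]) & ENCRYPT_BIT)
        else:
            result[port] = None
    return result


def unencrypted_ports(ini_text):
    """Enabled ports that are not provably encrypted (False or unknown)."""
    return sorted(p for p, enc in audit_ports(ini_text).items() if enc is not True)


# Constructed sample, not taken from a real server.
SAMPLE_INI = """\
[Notes]
Ports=TCPIP,SPX,COM1
TCPIP=TCP, 0, 15, 0,,12320,
SPX=NWSPX, 0, 15, 0,,12288,
COM1=XPC,1,15,0,
"""

if __name__ == "__main__":
    labels = {True: "encrypted", False: "NOT encrypted", None: "unknown, review"}
    for port, enc in audit_ports(SAMPLE_INI).items():
        print(f"{port}: {labels[enc]}")
```

Ports reported as unknown are treated as unencrypted so that a missing or unparsable definition is reviewed by hand rather than passed silently.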

It should be borne in mind that use of port encryption can result in performance losses on the Notes server (between 10% and 15% according to Lotus).

Communication with Web clients is not affected by port encryption. Other protection mechanisms must be used here (see S 5.86 Use of encryption procedures with browser access to Lotus Notes).

In general, mechanisms outside the Notes system can also be used to protect communications, for example at operating system level or by means of encrypting network switching elements.

It is recommended that Lotus Notes communication is protected with encryption. However, as this entails a lot of planning and other safeguards, the decision must be made as part of the security guidelines of the relevant organisation.


© Copyright by Bundesamt für Sicherheit in der Informationstechnik
Last update: July 2001