BlackBerry Forums Support Community               

Closed Thread
 
LinkBack Thread Tools
Old 08-16-2006, 08:52 AM   #1 (permalink)
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Philadelphia
Model: 7290
Posts: 67
Post Thanks: 0
Thanked 0 Times in 0 Posts
Angry Placing the BES in the DMZ?

Please Login to Remove!

Since the recent articles about the exploit that was released this week for blackberry devices, my company would like to place our BES in the DMZ.

Does anyone know what ports we need to open up to do this succesfully?

Thanks
__________________
Matt
Blackberry 8700c
Bes 4.1 / Exchange 2003 SP2
Offline  
Old 08-16-2006, 09:04 AM   #2 (permalink)
CrackBerry Addict
 
|||||||'s Avatar
 
Join Date: Jun 2006
Model: 7100
Carrier: Rogers
Posts: 615
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

NO DON"T DO IT,

Okay I fell better. If you have an issue with MDS, then disable it putting the BES in the DMZ opens up a whole whack of ports (specifically Exchange BES) and your BES is open to the outside world. If you read the articles the best way to stop it is to set an IT policy to disallow 3rd party apps.
Offline  
Old 08-16-2006, 09:30 AM   #3 (permalink)
Knows Where the Search Button Is
 
Join Date: Jul 2006
Model: 7290
Carrier: T-Mobile
Posts: 36
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

This article mentions placing the Blackberry Router in the DMZ. It shows how you would want to segment the network in order to heighten security.
Livelink - Redirection

Placing the router in the DMZ and segmenting off the separate services cuts down access to only the needed ports. But putting the whole server in the DMZ is actually less secure.
Offline  
Old 08-16-2006, 10:33 AM   #4 (permalink)
Knows Where the Search Button Is
 
Join Date: Aug 2006
Location: North of Mizzou
Model: 9700
OS: 5.0.0.330
Carrier: T-Mobile
Posts: 48
Post Thanks: 0
Thanked 0 Times in 0 Posts
Unhappy Gah...Me, Too!

I'm fighting this as best I can, too. However, the discussions with our "information security" department and firewall guys will be starting up again at the end of the month.

My biggest struggle is getting them to understand how it is actually less secure to place the BES in a DMZ than it is to tightly manage software configuration, application policy and IT policy and leave BES inside.

My one consolation is that at least I won't be the one managing the acl between the BES servers in the DMZ and our Exchange servers inside.

Any ideas on how I can convice our security gurus that it will be ok? We run a pretty tight ship with the IT policy (no app loader, no 3rd party apps)
Offline  
Old 08-16-2006, 10:57 AM   #5 (permalink)
CrackBerry Addict
 
|||||||'s Avatar
 
Join Date: Jun 2006
Model: 7100
Carrier: Rogers
Posts: 615
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Okay play it out like this, you have to open enough ports for someone to open an outlook client in your DMZ and be able to access their mail. I think that in itself proves the problem with their "solution".
Offline  
Old 08-16-2006, 11:01 AM   #6 (permalink)
Knows Where the Search Button Is
 
Join Date: Jul 2006
Model: 7290
Carrier: T-Mobile
Posts: 36
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

With the server outside of the DMZ you would have more ports open in your firewall from the DMZ to internal. That and the communication between the other services would not be secured.

Quote:
The BlackBerry Router is designed so that you can securely place it in the DMZ, a neutral subnetwork that you separate from the corporate LAN by a firewall. An authentication protocol that is unique to the BlackBerry Router authenticates the connections between the BlackBerry Enterprise Server and the BlackBerry device. The BlackBerry Router uses this authentication protocol to verify that the BlackBerry device has the correct master encryption key. The value of the master encryption key that the BlackBerry device and the BlackBerry Enterprise Server share is not available to the BlackBerry Router; therefore, no master encryption key information is stored in or transferred through the BlackBerry Router.
This design is for the router only, all other communication would not take place under these conditions and should then be considered insecure.

This is especially a consideration if you use remote SQL with the Mixed Mode Authentication (I believe this is required for MDS?)

Another way (not AS secure, but easier) would be to drop the server into a vlan separate from the network but not DMZ. You could then limit traffic between the vlan and your lan.

The port requirements are listed in pages 8 to 14 of the previous doc.
Offline  
Old 08-16-2006, 12:57 PM   #7 (permalink)
Talking BlackBerry Encyclopedia
 
Join Date: Feb 2005
Model: 7280
Carrier: cingular, no wait, AT&T
Posts: 300
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

If you're worried about the attack mentioned by the recent articles (and you should be), use IT Policy to disable installation of third party applications. The suits in your org might complain that they can't install the latest stupid little game, but they don't know any better anyhow.
Offline  
Old 08-16-2006, 01:04 PM   #8 (permalink)
CrackBerry Addict
 
|||||||'s Avatar
 
Join Date: Jun 2006
Model: 7100
Carrier: Rogers
Posts: 615
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by DoomBringer
If you're worried about the attack mentioned by the recent articles (and you should be), use IT Policy to disable installation of third party applications. The suits in your org might complain that they can't install the latest stupid little game, but they don't know any better anyhow.

Well the presentation that Jesse did on the exploit is supposed to be a tic tac toe game.
Offline  
Old 08-16-2006, 01:57 PM   #9 (permalink)
x14
BlackBerry Extraordinaire
 
Join Date: Jul 2005
Location: NYC
Model: 9800
OS: 6.0.0.546
Carrier: AT&T
Posts: 2,344
Post Thanks: 0
Thanked 17 Times in 16 Posts
Default

Quote:
Originally Posted by |||||||
Well the presentation that Jesse did on the exploit is supposed to be a tic tac toe game.
Doesn't matter what the game is. If the application is not signed by RIM you won't be able to download it. We tested this function.

Problem for us is we have a custom app.
Offline  
Old 08-16-2006, 02:12 PM   #10 (permalink)
CrackBerry Addict
 
|||||||'s Avatar
 
Join Date: Jun 2006
Model: 7100
Carrier: Rogers
Posts: 615
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by x14
Doesn't matter what the game is. If the application is not signed by RIM you won't be able to download it. We tested this function.

Problem for us is we have a custom app.
The one that Jesse did is signed. Fortunatly Norton picks it up as a virus.
Offline  
Old 08-16-2006, 06:06 PM   #11 (permalink)
Knows Where the Search Button Is
 
Join Date: Jul 2006
Model: 7290
Carrier: T-Mobile
Posts: 36
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

There are two ways to do this...

You can flip-flop between policies that allow/disallow third party apps when you want to install software. Downside to this is you are wide open for 4+ hours when you wireless push.

Or you can use Software Configurations to disallow all software at the top level and then set require/optional for applications you would like to make available. (This should also remove all non-approved applications.) Downside to this is you still have to flip the policy if you want to do a wired installation. (the Software config only gets to the device OTA during the polling period, not like the IT policy that goes through the wire. meh.)

Using Software config also gives you more granular control over polices applied to each piece of software as opposed to one rule fits all.
Offline  
Old 08-17-2006, 07:47 AM   #12 (permalink)
Knows Where the Search Button Is
 
Join Date: Aug 2006
Location: North of Mizzou
Model: 9700
OS: 5.0.0.330
Carrier: T-Mobile
Posts: 48
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Unbelievably, I've had the whole "outlook client in the DMZ" conversation and they're ok with that...assuming they can set up point to point rules on the internal firewall, only opening the necessary ports between our BES servers and our Exchange servers & SQL environment.

Does the desktop handheld manager or desktop manager communicate with BES at all, or is it only with Exchange...I can't remember. That would ice it, LOL.

Moving the Router out to the DMZ is the one thing I'm holding on to. Also considering compromising a little and creating a BES segment (DMZ-like) that is separate from the corporate DMZ and separate from the internal LAN, but gives them the separation they want. Still a huge pain for managing the access control lists, though! Imagine the work that must be done every time a new application for BlackBerrys gets rolled out that needs to talk to some app server somewhere via MDS.

I've played with the Software Configuration and App Policy and think there is definite potential there. I'm not too worried about that latest "flaw" that certain media channels jumped all over...we run a very tight ship with our IT Policies and disabling App Loader/3rd party app downloads, etc. BUT, the Software Config and App Policy would help improve that security immensely if using a blacklist/whitelist type of approach.
Offline  
Old 08-17-2006, 01:51 PM   #13 (permalink)
Knows Where the Search Button Is
 
Join Date: Aug 2006
Location: North of Mizzou
Model: 9700
OS: 5.0.0.330
Carrier: T-Mobile
Posts: 48
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

support.microsoft.com/?kbid=833799 (I haven't posted 10 times yet, doh!)

If Outlook can be configured to use static ports for communicating to Exchange...can BES, too? Sounds like I need to push on RIM a bit more...or find some other way to describe why it's a bad idea to put BES in a DMZ (hey, it's like putting OL in a DMZ...think of all the holes I'd have to punch in that internal firewall...oh, wait...you can set OL to use static ports...).

Offline  
Old 08-18-2006, 05:57 PM   #14 (permalink)
CrackBerry Addict
 
|||||||'s Avatar
 
Join Date: Jun 2006
Model: 7100
Carrier: Rogers
Posts: 615
Post Thanks: 0
Thanked 0 Times in 0 Posts
Thumbs down

Quote:
Originally Posted by twinkiefan
support.microsoft.com/?kbid=833799 (I haven't posted 10 times yet, doh!)

If Outlook can be configured to use static ports for communicating to Exchange...can BES, too? Sounds like I need to push on RIM a bit more...or find some other way to describe why it's a bad idea to put BES in a DMZ (hey, it's like putting OL in a DMZ...think of all the holes I'd have to punch in that internal firewall...oh, wait...you can set OL to use static ports...).

They are okay with Outlook in the DMZ? Where is SQL going to be? I recently dealt with someone who got nailed with a sql vulnerability because 1433 was open to the outside world. No you can't tell BES which ports to use. For the work you will have to do it would be easier to disable MDS for everybody. Or if you run BES 4.1 put an MDS service in the DMZ instead.

Please call RIM if you haven't already and get them to send you an email on why this is a bad idea. I know this will only cause you pain in the future.

Oh and the Handheld manager portion of Desktop Manager connects to the BES as well over port 4101. This connection saves your company money in data costs because email is delivered over the wire while plugged in.

Last edited by ||||||| : 08-18-2006 at 05:59 PM.
Offline  
Old 08-21-2006, 05:35 PM   #15 (permalink)
Knows Where the Search Button Is
 
Join Date: Aug 2006
Location: North of Mizzou
Model: 9700
OS: 5.0.0.330
Carrier: T-Mobile
Posts: 48
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

No...sorry...didn't mean to imply that anyone here is ok with OL in the corporate DMZ! They just threw out the thought that since they could lock down ports for OL/Exchange communication across our external firewall (for remote Exchange box and local OL client(s)) that perhaps the same could be done for BES/Exchange communication across the internal firewall. I've since spoken with RIM and clarified that we'd still need UDP ports 10xx to 65xxx open from Exchange to BES, so that shoots that theory down, eh?

Unless of course they really want that gaping hole in the internal firewall...even IF it's just point to point. I'm leaning more towards more of a proxied control of MDS traffic between BES and internal IP addresses...that's where their major concern lies, methinks.
Offline  
Old 08-22-2006, 11:16 AM   #16 (permalink)
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Philadelphia
Model: 7290
Posts: 67
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I dont really know how to address this issue then. We have 3rd-party apps that we develop here, so that's out. Plus we cant disable MDS..

What's the answer?
__________________
Matt
Blackberry 8700c
Bes 4.1 / Exchange 2003 SP2
Offline  
Old 08-22-2006, 11:26 AM   #17 (permalink)
CrackBerry Addict
 
|||||||'s Avatar
 
Join Date: Jun 2006
Model: 7100
Carrier: Rogers
Posts: 615
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

You have to create two application policies for software configurations. Add all your allowed software and give it the allowed policy. Set the application level to Disallowed and presto your users can only use software that you can wirelessly push.
Offline  
Old 08-22-2006, 11:30 AM   #18 (permalink)
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Philadelphia
Model: 7290
Posts: 67
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by |||||||
You have to create two application policies for software configurations. Add all your allowed software and give it the allowed policy. Set the application level to Disallowed and presto your users can only use software that you can wirelessly push.
That could probably work, i havent delved into policy and such like that, is there any sort of concise walkthrough for something like that?
__________________
Matt
Blackberry 8700c
Bes 4.1 / Exchange 2003 SP2
Offline  
Old 08-22-2006, 11:38 AM   #19 (permalink)
CrackBerry Addict
 
|||||||'s Avatar
 
Join Date: Jun 2006
Model: 7100
Carrier: Rogers
Posts: 615
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by exiled
That could probably work, i havent delved into policy and such like that, is there any sort of concise walkthrough for something like that?
That was the concise walk through right there. If you have wireless application push set up, it will take 5 minutes. I'll see if I can get a screen shot together.

Edit: screenshot:


Last edited by ||||||| : 08-22-2006 at 11:47 AM.
Offline  
Old 08-22-2006, 12:11 PM   #20 (permalink)
Knows Where the Search Button Is
 
Join Date: Aug 2006
Location: North of Mizzou
Model: 9700
OS: 5.0.0.330
Carrier: T-Mobile
Posts: 48
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Yep, that's exactly where I had landed myself...more granular control via a set of application policies (or simply and "allow" and a "disallow" app policy as shown in your SS). I'll pitch that and see where we land.

Thanks for listening...this has been an internal battle here and I sometimes wonder if I'm just not stating things clearly enough to my network and info security guys. They just keep insisting that the BES needs to be segmented off.

I appreciate the discussion.
Offline  
Closed Thread


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On





Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.