Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Blackberry MDS Connection Bypassing firewall

From: "Miedaner" <miedaner () twcny rr com>
Date: Sat, 19 Jan 2008 08:28:29 -0500
Hi,

Thanks for the response.

We will be doing the client side lockdown with policies.  Although for
obvious reasons we really wanted to use a server side solution, and were
hoping that the BES MDS Connectrion service supported fine grained ACL
filtering.  As far as we can tell it is all or none on the TCP ACL for the
MDS connecrion service.

The idea of Blackberries bypassing the firewall and VPN's also makes us want
to move the server into an isolated DMZ so that consistent logging can be
mainteained..

Thanks again.
  -----Original Message-----
  From: firewall-wizards-bounces () listserv cybertrust com
[mailto:firewall-wizards-bounces () listserv cybertrust com]On Behalf Of Chris
Myers
  Sent: Thursday, January 17, 2008 5:55 PM
  To: Firewall Wizards Security Mailing List
  Subject: Re: [fw-wiz] Blackberry MDS Connection Bypassing firewall


  If you don't want any 3rd party app : ) It looks like if they already have
it then another approach needs looked at, but the Blackberry seems to have
its own IT Policy. The URL below shows how to get the SSH running if it does
not work, but reverse engineering it will tell you what you can put in place
that causes these errors, hence not allowing access outbound for SSH for the
Blackberry.


     1. Open the BlackBerry Manager.
     2. On the Tree tab, right-click the BlackBerry Enterprise Server server
and select IT Policy. The IT Policy settings for BlackBerry Server window
appears.
     3. Click Edit. The Edit IT Policy window appears.
     4. Clear the Disallow Third Party Application Downloads checkbox.
     5. Click OK.


  Note: Depending on the version of your BlackBerry Enterprise Server, this
IT Policy setting may also be called DisallowThirdPartyAppDownloads or
Disallow 3rd Party Applications.




  http://www.rovemobile.com/support/faqs/ssh/






  On Jan 17, 2008, at 10:38 AM, Erik LaBianca wrote:


    My guess is that the best way to solve this problem would be to isolate
the BES on its own system (blackberry recommends this anyway) and then
restrict that computers egress access as necessary. All BES/MDS connections
coming in from RIMM and through the proxy will then get handled by your
regular firewall.

    --erik

    From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of
miedaner
    Sent: Friday, January 11, 2008 10:47 AM
    To: firewall-wizards () listserv cybertrust com
    Subject: [fw-wiz] Blackberry MDS Connection Bypassing firewall

    Hi,

    Wondering if anyone has dealt with this problem with BES.


    Blackberry enterprise server is configured by default to allow TCP
traffic from the Blackberry clients through the encrypted BES connection to
a internal network.  As the Blackberries are java based some clever folks
have built things like SSH clients for them.

    The problem is that this type of access bypasses firewall and VPN rules.

    I know that there are ACL's possible on the MDS connection service that
allows this but I am told that it is either block all tcp or block none.

    I am wondering if anyone knows if the BES ACl really is all or none and
if anyone has implemented a solution to restrict internal network access
through BES to only protocols like http or hhtps.

    TIA
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards () listserv icsalabs com
    https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: