BlackBerry Forums Support Community
Old 08-16-2006, 08:52 AM   #1
exiled
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Philadelphia
Model: 7290
Posts: 67
Placing the BES in the DMZ?

Since the recent articles about the exploit that was released this week for blackberry devices, my company would like to place our BES in the DMZ.

Does anyone know what ports we need to open up to do this successfully?

Thanks
__________________
Matt
Blackberry 8700c
Bes 4.1 / Exchange 2003 SP2
Old 08-16-2006, 09:04 AM   #2
|||||||
CrackBerry Addict
 
Join Date: Jun 2006
Model: 7100
Carrier: Rogers
Posts: 615
Default

NO, DON'T DO IT.

Okay, I feel better. If you have an issue with MDS, then disable it. Putting the BES in the DMZ opens up a whole whack of ports (specifically Exchange to BES) and your BES is open to the outside world. If you read the articles, the best way to stop it is to set an IT policy to disallow 3rd party apps.
Old 08-16-2006, 09:30 AM   #3
jinksPadlock
Knows Where the Search Button Is
 
Join Date: Jul 2006
Model: 7290
Carrier: T-Mobile
Posts: 36
Default

This article mentions placing the Blackberry Router in the DMZ. It shows how you would want to segment the network in order to heighten security.
Livelink - Redirection

Placing the router in the DMZ and segmenting off the separate services cuts down access to only the needed ports. But putting the whole server in the DMZ is actually less secure.
Old 08-16-2006, 10:33 AM   #4
twinkiefan
Knows Where the Search Button Is
 
Join Date: Aug 2006
Location: North of Mizzou
Model: 9700
OS: 5.0.0.330
Carrier: T-Mobile
Posts: 48
Gah...Me, Too!

I'm fighting this as best I can, too. However, the discussions with our "information security" department and firewall guys will be starting up again at the end of the month.

My biggest struggle is getting them to understand how it is actually less secure to place the BES in a DMZ than it is to tightly manage software configuration, application policy and IT policy and leave BES inside.

My one consolation is that at least I won't be the one managing the ACL between the BES servers in the DMZ and our Exchange servers inside.

Any ideas on how I can convince our security gurus that it will be ok? We run a pretty tight ship with the IT policy (no app loader, no 3rd party apps).
Old 08-16-2006, 10:57 AM   #5
|||||||
CrackBerry Addict
 
Join Date: Jun 2006
Model: 7100
Carrier: Rogers
Posts: 615
Default

Okay, play it out like this: you have to open enough ports for someone to open an Outlook client in your DMZ and be able to access their mail. I think that in itself proves the problem with their "solution".
Old 08-16-2006, 11:01 AM   #6
jinksPadlock
Knows Where the Search Button Is
 
Join Date: Jul 2006
Model: 7290
Carrier: T-Mobile
Posts: 36
Default

With the server outside of the DMZ you would have more ports open in your firewall from the DMZ to internal. That and the communication between the other services would not be secured.

Quote:
The BlackBerry Router is designed so that you can securely place it in the DMZ, a neutral subnetwork that you separate from the corporate LAN by a firewall. An authentication protocol that is unique to the BlackBerry Router authenticates the connections between the BlackBerry Enterprise Server and the BlackBerry device. The BlackBerry Router uses this authentication protocol to verify that the BlackBerry device has the correct master encryption key. The value of the master encryption key that the BlackBerry device and the BlackBerry Enterprise Server share is not available to the BlackBerry Router; therefore, no master encryption key information is stored in or transferred through the BlackBerry Router.
This design is for the router only; all other communication would not take place under these conditions and should then be considered insecure.

This is especially a consideration if you use remote SQL with the Mixed Mode Authentication (I believe this is required for MDS?)

Another way (not AS secure, but easier) would be to drop the server into a VLAN separate from the network but not the DMZ. You could then limit traffic between the VLAN and your LAN.

The port requirements are listed in pages 8 to 14 of the previous doc.
Old 08-16-2006, 12:57 PM   #7
DoomBringer
Talking BlackBerry Encyclopedia
 
Join Date: Feb 2005
Model: 7280
Carrier: cingular, no wait, AT&T
Posts: 300
Default

If you're worried about the attack mentioned by the recent articles (and you should be), use IT Policy to disable installation of third party applications. The suits in your org might complain that they can't install the latest stupid little game, but they don't know any better anyhow.
Old 08-16-2006, 01:04 PM   #8
|||||||
CrackBerry Addict
 
Join Date: Jun 2006
Model: 7100
Carrier: Rogers
Posts: 615
Default

Quote:
Originally Posted by DoomBringer
If you're worried about the attack mentioned by the recent articles (and you should be), use IT Policy to disable installation of third party applications. The suits in your org might complain that they can't install the latest stupid little game, but they don't know any better anyhow.

Well the presentation that Jesse did on the exploit is supposed to be a tic tac toe game.
Old 08-16-2006, 01:57 PM   #9
x14
BlackBerry Extraordinaire
 
Join Date: Jul 2005
Location: NYC
Model: 9800
OS: 6.0.0.546
Carrier: AT&T
Posts: 2,344
Default

Quote:
Originally Posted by |||||||
Well the presentation that Jesse did on the exploit is supposed to be a tic tac toe game.
Doesn't matter what the game is. If the application is not signed by RIM you won't be able to download it. We tested this function.

Problem for us is we have a custom app.
Old 08-16-2006, 02:12 PM   #10
|||||||
CrackBerry Addict
 
Join Date: Jun 2006
Model: 7100
Carrier: Rogers
Posts: 615
Default

Quote:
Originally Posted by x14
Doesn't matter what the game is. If the application is not signed by RIM you won't be able to download it. We tested this function.

Problem for us is we have a custom app.
The one that Jesse did is signed. Fortunately Norton picks it up as a virus.
Old 08-16-2006, 06:06 PM   #11
jinksPadlock
Knows Where the Search Button Is
 
Join Date: Jul 2006
Model: 7290
Carrier: T-Mobile
Posts: 36
Default

There are two ways to do this...

You can flip-flop between policies that allow/disallow third party apps when you want to install software. The downside to this is you are wide open for 4+ hours when you wireless push.

Or you can use Software Configurations to disallow all software at the top level and then set required/optional for applications you would like to make available. (This should also remove all non-approved applications.) The downside to this is you still have to flip the policy if you want to do a wired installation. (The Software config only gets to the device OTA during the polling period, not like the IT policy that goes through the wire. Meh.)

Using Software config also gives you more granular control over policies applied to each piece of software as opposed to one rule fits all.
Old 08-17-2006, 07:47 AM   #12
twinkiefan
Knows Where the Search Button Is
 
Join Date: Aug 2006
Location: North of Mizzou
Model: 9700
OS: 5.0.0.330
Carrier: T-Mobile
Posts: 48
Default

Unbelievably, I've had the whole "outlook client in the DMZ" conversation and they're ok with that...assuming they can set up point to point rules on the internal firewall, only opening the necessary ports between our BES servers and our Exchange servers & SQL environment.

Does the desktop handheld manager or desktop manager communicate with BES at all, or is it only with Exchange...I can't remember. That would ice it, LOL.

Moving the Router out to the DMZ is the one thing I'm holding on to. Also considering compromising a little and creating a BES segment (DMZ-like) that is separate from the corporate DMZ and separate from the internal LAN, but gives them the separation they want. Still a huge pain for managing the access control lists, though! Imagine the work that must be done every time a new application for BlackBerrys gets rolled out that needs to talk to some app server somewhere via MDS.

I've played with the Software Configuration and App Policy and think there is definite potential there. I'm not too worried about that latest "flaw" that certain media channels jumped all over...we run a very tight ship with our IT Policies and disabling App Loader/3rd party app downloads, etc. BUT, the Software Config and App Policy would help improve that security immensely if using a blacklist/whitelist type of approach.
Old 08-17-2006, 01:51 PM   #13
twinkiefan
Knows Where the Search Button Is
 
Join Date: Aug 2006
Location: North of Mizzou
Model: 9700
OS: 5.0.0.330
Carrier: T-Mobile
Posts: 48
Default

support.microsoft.com/?kbid=833799 (I haven't posted 10 times yet, doh!)

If Outlook can be configured to use static ports for communicating to Exchange...can BES, too? Sounds like I need to push on RIM a bit more...or find some other way to describe why it's a bad idea to put BES in a DMZ (hey, it's like putting OL in a DMZ...think of all the holes I'd have to punch in that internal firewall...oh, wait...you can set OL to use static ports...).

Old 08-18-2006, 05:57 PM   #14
|||||||
CrackBerry Addict
 
Join Date: Jun 2006
Model: 7100
Carrier: Rogers
Posts: 615
Thumbs down

Quote:
Originally Posted by twinkiefan
support.microsoft.com/?kbid=833799 (I haven't posted 10 times yet, doh!)

If Outlook can be configured to use static ports for communicating to Exchange...can BES, too? Sounds like I need to push on RIM a bit more...or find some other way to describe why it's a bad idea to put BES in a DMZ (hey, it's like putting OL in a DMZ...think of all the holes I'd have to punch in that internal firewall...oh, wait...you can set OL to use static ports...).

They are okay with Outlook in the DMZ? Where is SQL going to be? I recently dealt with someone who got nailed with a SQL vulnerability because 1433 was open to the outside world. No, you can't tell BES which ports to use. For the work you will have to do, it would be easier to disable MDS for everybody. Or if you run BES 4.1, put an MDS service in the DMZ instead.

Please call RIM if you haven't already and get them to send you an email on why this is a bad idea. I know this will only cause you pain in the future.

Oh and the Handheld manager portion of Desktop Manager connects to the BES as well over port 4101. This connection saves your company money in data costs because email is delivered over the wire while plugged in.

Last edited by |||||||; 08-18-2006 at 05:59 PM..
Old 08-21-2006, 05:35 PM   #15
twinkiefan
Knows Where the Search Button Is
 
Join Date: Aug 2006
Location: North of Mizzou
Model: 9700
OS: 5.0.0.330
Carrier: T-Mobile
Posts: 48
Default

No...sorry...didn't mean to imply that anyone here is ok with OL in the corporate DMZ! They just threw out the thought that since they could lock down ports for OL/Exchange communication across our external firewall (for remote Exchange box and local OL client(s)) that perhaps the same could be done for BES/Exchange communication across the internal firewall. I've since spoken with RIM and clarified that we'd still need UDP ports 10xx to 65xxx open from Exchange to BES, so that shoots that theory down, eh?

Unless of course they really want that gaping hole in the internal firewall...even IF it's just point to point. I'm leaning more towards more of a proxied control of MDS traffic between BES and internal IP addresses...that's where their major concern lies, methinks.
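To make the "gaping hole" argument of the last two posts concrete, here is an added example (not from the thread, RIM, or any of the posters) that audits point-to-point rules crossing the internal/DMZ boundary for over-broad port ranges and for exposure of SQL (1433) to the DMZ. The two rule sets are constructed; the router port value and the 16-port width threshold are assumptions, and the real port list is in the RIM document the thread references.

```python
from dataclasses import dataclass

# Exchange's dynamic RPC range (the thread reports "UDP 10xx to 65xxx");
# modelled here as the full ephemeral range.
DYNAMIC_RANGE = (1024, 65535)
# Services that must not be reachable from a less-trusted zone
# (1433 = MS SQL Server, the port named in post #14).
SENSITIVE_PORTS = {1433: "mssql"}
# Port used by the router-only design. Assumed value: check the RIM
# port list the thread references (pages 8 to 14 of the linked doc).
ROUTER_PORT = 3101

@dataclass(frozen=True)
class Rule:
    src_zone: str   # "internal" or "dmz"
    dst_zone: str
    proto: str
    port_lo: int
    port_hi: int

    def width(self) -> int:
        return self.port_hi - self.port_lo + 1

def audit(rules, max_width: int = 16):
    """Flag rules crossing the internal/DMZ boundary that are either too
    broad (a dynamic port range) or expose a sensitive service to the DMZ."""
    findings = []
    for r in rules:
        if {r.src_zone, r.dst_zone} != {"internal", "dmz"}:
            continue  # intra-zone traffic is not a boundary crossing
        if r.width() > max_width:
            findings.append(f"wide_range:{r.proto}:{r.port_lo}-{r.port_hi}")
        for port, name in SENSITIVE_PORTS.items():
            if r.src_zone == "dmz" and r.port_lo <= port <= r.port_hi:
                findings.append(f"sensitive:{name}:{port}")
    return findings

# Constructed rule sets for the two designs argued over in the thread.
BES_IN_DMZ = [
    Rule("internal", "dmz", "udp", *DYNAMIC_RANGE),  # Exchange -> BES (MAPI/RPC)
    Rule("dmz", "internal", "tcp", 1433, 1433),      # BES -> remote SQL
    Rule("internal", "dmz", "tcp", 4101, 4101),      # Desktop Manager -> BES
]
ROUTER_IN_DMZ = [
    Rule("internal", "dmz", "tcp", ROUTER_PORT, ROUTER_PORT),  # BES -> Router only
]

if __name__ == "__main__":
    for label, rules in (("BES in DMZ", BES_IN_DMZ), ("Router in DMZ", ROUTER_IN_DMZ)):
        print(label, "->", audit(rules) or "no findings")
```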
Old 08-22-2006, 11:16 AM   #16
exiled
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Philadelphia
Model: 7290
Posts: 67
Default

I don't really know how to address this issue then. We have 3rd-party apps that we develop here, so that's out. Plus we can't disable MDS..

What's the answer?
__________________
Matt
Blackberry 8700c
Bes 4.1 / Exchange 2003 SP2
Old 08-22-2006, 11:26 AM   #17
|||||||
CrackBerry Addict
 
Join Date: Jun 2006
Model: 7100
Carrier: Rogers
Posts: 615
Default

You have to create two application policies for software configurations. Add all your allowed software and give it the allowed policy. Set the application level to Disallowed and presto, your users can only use software that you can wirelessly push.
Old 08-22-2006, 11:30 AM   #18
exiled
Thumbs Must Hurt
 
Join Date: Apr 2005
Location: Philadelphia
Model: 7290
Posts: 67
Default

Quote:
Originally Posted by |||||||
You have to create two application policies for software configurations. Add all your allowed software and give it the allowed policy. Set the application level to Disallowed and presto your users can only use software that you can wirelessly push.
That could probably work. I haven't delved into policy and such like that; is there any sort of concise walkthrough for something like that?
__________________
Matt
Blackberry 8700c
Bes 4.1 / Exchange 2003 SP2
Old 08-22-2006, 11:38 AM   #19
|||||||
CrackBerry Addict
 
Join Date: Jun 2006
Model: 7100
Carrier: Rogers
Posts: 615
Default

Quote:
Originally Posted by exiled
That could probably work, i havent delved into policy and such like that, is there any sort of concise walkthrough for something like that?
That was the concise walkthrough right there. If you have wireless application push set up, it will take 5 minutes. I'll see if I can get a screen shot together.

Edit: screenshot:


Last edited by |||||||; 08-22-2006 at 11:47 AM..
Old 08-22-2006, 12:11 PM   #20
twinkiefan
Knows Where the Search Button Is
 
Join Date: Aug 2006
Location: North of Mizzou
Model: 9700
OS: 5.0.0.330
Carrier: T-Mobile
Posts: 48
Default

Yep, that's exactly where I had landed myself...more granular control via a set of application policies (or simply an "allow" and a "disallow" app policy as shown in your SS). I'll pitch that and see where we land.

Thanks for listening...this has been an internal battle here and I sometimes wonder if I'm just not stating things clearly enough to my network and info security guys. They just keep insisting that the BES needs to be segmented off.

I appreciate the discussion.
Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.