Date post: 30-Mar-2020
BlackBerry Enterprise Solution for IBM Lotus Domino v4.0 Advanced Security Features Presented by: Peter Mitchelmore Regional Technical Manager
Transcript
BlackBerry Enterprise Solution for IBM Lotus Domino v4.0

Advanced Security Features

Presented by: Peter Mitchelmore, Regional Technical Manager

BlackBerry for Lotus Domino

Agenda

• Setting The Stage
• BlackBerry Solves Security Issues
• Enterprise Server Security
• Wireless Security
• Handheld Security
• Hot Topic: Bluetooth

Setting The Stage

• What If:
  – Your Corporate Network Spanned The Globe?
  – Public Kiosks Connected To Your Network Were On Every Corner?
  – Kiosks Are Unlocked And Anyone Can Walk Up And Gain Access To Your Network?
  – Confidential Information Was Sent To Kiosks On Insecure Networks?

Setting The Stage

• What If That Kiosk:
  – Fits in the palm of your hand
  – You can wear it on your hip
  – Works virtually anywhere in the world
  – Maintains a constant connection to your network
  – Is outside of your firewall

How many people are worried?

Setting The Stage

• BlackBerry is a powerful tool that goes beyond email

• End users expect:
  – ‘Always On, Always Connected®’
  – Open And Extensible Platform
  – Downloadable Applications

• IMPACT: Traditional security boundaries must be expanded to match user reality

BlackBerry Solves Security Issues: Industry Validated Security

• Dedicated Internal Security Team
  – There is a dedicated security team focused on maintaining security leadership within the BlackBerry product line

• Industry Validated Security Model
  – FIPS Validated
    • All BlackBerry handhelds as well as the BlackBerry Enterprise Server™ have received FIPS (Federal Information Processing Standard) 140-2 security validation by the U.S. Government’s National Institute of Standards and Technology (NIST)
  – Independently Audited by a Third Party
    • @stake, Inc. performed a detailed security audit and validated all aspects of the BlackBerry Enterprise Solution™ security model

• Cryptographic Certifications (NIST FIPS 140 Standards)

BlackBerry Solves Security Issues: Anatomy of an End-to-End Solution

• Server Security
  – Secure control point in the corporation’s control behind the firewall (anchor point for encryption)

• Wireless and Transmission Security
  – Proven encryption standards over any network technology

• Device Security
  – Provide choice of devices while keeping control within the corporation

[Diagram labels: Enterprise Server, Corporate Firewall, Wireless Network, BlackBerry Devices]

BlackBerry Solves Security Issues: In-Depth Look at the Anatomy

• BlackBerry Enterprise Server
  – Establishes and maintains a connection to the wireless network(s)
  – Forwards and receives datagrams from the handheld

• Firewall/Internet/Wireless Network
  – Datagrams are transmitted through Port 3101 on the firewall
  – Outbound initiated, bi-directional connection
  – Connection travels across the Internet, then routed to the wireless network; datagrams routed to and from the BlackBerry handhelds

• BlackBerry Handhelds
  – Datagrams received are decrypted, decompressed and displayed on the handheld
  – Datagrams created on the handheld are compressed, encrypted and sent through the BlackBerry Enterprise Server for delivery to the final destination

BlackBerry Solves Security Issues: Details on BlackBerry Solution

• How BlackBerry Works
  – Each user randomly generates an encryption key, stored on their device (final step of provisioning a user)
  – The encryption key and the user’s device PIN are also stored at the server
  – The PIN and the encryption key form the basis for verifying that traffic conforms to CIA principles (as it constitutes a shared secret)

• When the BlackBerry Enterprise Server receives a datagram
  – The datagram’s packet header is examined
  – The header contains the PIN, which is used to look up that user’s encryption key
  – With the user-specific encryption key, the BlackBerry Enterprise Server attempts to decrypt the datagram; if it fails, the unsuccessful attempt is logged and the packet dropped

BlackBerry Solves Security Issues: …More Details

• The encryption key generated as part of the provisioning process is NOT used to encrypt message traffic – a cryptographically sound two-key mechanism is utilized
  – Every 2KB datagram is actually encrypted using a randomly generated “transmission or session key”
  – This key itself is then encrypted using the longer lived “Master Key”
  – Routing Information is sent in Clear Text (SRP, PIN)
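
Added example (not part of the original presentation and not RIM's code): a Python model of the two-key mechanism and the server-side datagram handling described on the two slides above. The HMAC-SHA256 stream cipher and integrity tag stand in for the Triple DES/AES the deck names, and the wire layout, the binding of the clear header into the tag, the sample PIN and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import logging
import secrets

log = logging.getLogger("bes-demo")
CHUNK = 2048                  # the deck's 2KB datagram size
WRAPPED_LEN = 16 + 32 + 32    # nonce + encrypted 32-byte session key + tag

def _xor_stream(key, nonce, data):
    """Stand-in cipher (HMAC-SHA256 in counter mode), not the deck's Triple DES/AES."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key, plaintext, header):
    """Encrypt-then-MAC. Assumption: the clear header is authenticated too."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc, nonce, plaintext)
    return nonce + ct + hmac.new(mac, header + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob, header):
    if len(blob) < 48:
        raise ValueError("truncated")
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, header + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("decryption failed")
    return _xor_stream(enc, nonce, ct)

def device_send(pin, master_key, message):
    """Split a message into 2KB datagrams, each under a fresh session key."""
    header = pin.encode("ascii")                 # routing info travels in clear
    datagrams = []
    for off in range(0, len(message), CHUNK):
        session_key = secrets.token_bytes(32)
        wrapped = seal(master_key, session_key, header)   # session key under master key
        body = seal(session_key, message[off:off + CHUNK], header)
        datagrams.append(bytes([len(header)]) + header + wrapped + body)
    return datagrams

class Server:
    def __init__(self):
        self.master_keys = {}                    # PIN -> master key

    def provision(self, pin):
        self.master_keys[pin] = secrets.token_bytes(32)
        return self.master_keys[pin]             # the device stores the same key

    def receive(self, datagram):
        """Return (pin, plaintext), or None after logging and dropping the packet."""
        try:
            header = datagram[1:1 + datagram[0]]
            rest = datagram[1 + len(header):]
            pin = header.decode("ascii")
            master = self.master_keys[pin]       # PIN in the header selects the key
            session_key = unseal(master, rest[:WRAPPED_LEN], header)
            return pin, unseal(session_key, rest[WRAPPED_LEN:], header)
        except (IndexError, KeyError, ValueError) as exc:
            log.warning("dropping datagram: %r", exc)
            return None
```

Because the PIN is readable on the wire, anyone can address a datagram to a given user; only a sender holding that user's master key produces one the server accepts.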

BlackBerry Solves Security Issues: Device Java Virtual Machine (JVM)

– A cryptographically robust code signing scheme has been designed into the BlackBerry solution:
– Protects the Operational environment
  • OS, JVM and Radio code are digitally signed – the public key to verify the signature and the code to check the signature are embedded in hardware in the Boot ROM
– API Access Control
  • The JVM performs all other checks for digital signatures to ensure the integrity of executed code and that the program is authorized to execute API calls

Enterprise Server Security: Encryption Standards

• Triple DES (Data Encryption Standard)
  – 128-bit encryption key
• AES (Advanced Encryption Standard)
  – 256-bit encryption key
  – Available when both BlackBerry Enterprise Server and BlackBerry Device Software at v4.0

Enterprise Server Security: Notes Native and S/MIME Encryption in v4.1

• Currently, messages encrypted with Notes Native Encryption or S/MIME cannot be read on BlackBerry handhelds
• BlackBerry Enterprise Server v4.1 will leverage new APIs available in Domino 7.0 to support the viewing of encrypted messages on handhelds
• Requirements:
  – BlackBerry Enterprise Server v4.1 for Domino
  – BlackBerry Handheld Applications v4.1
  – Domino 7.0

Enterprise Server Security: Notes Native and S/MIME Encryption in v4.1

[Diagrams: Existing BlackBerry End-to-End Security Model; With v4.1 Notes Native and S/MIME support. Labels: Notes Native or S/MIME Encryption, BlackBerry Encryption]

Enterprise Server Security: PGP – Advanced Security in v4.1

• PGP Support Package
  – Software add-on to BlackBerry Device software v4.1 that adds PGP Desktop and PGP Universal support.
  – Allows companies to extend their existing PGP infrastructure to BlackBerry wireless devices.
• Minimum System Requirements
  – BlackBerry Device Software v4.1
  – BlackBerry Desktop Software v4.0.x or higher
  – BlackBerry Enterprise Server v4.1 for Lotus Domino

Enterprise Server Security: PGP – Technical Overview (1 of 3)

• Existing BlackBerry End-to-End Security Model

• With the Addition of the PGP Support Package

Enterprise Server Security: PGP – Technical Overview (2 of 3)

• PGP Universal Server in “Gateway Mode”
  – This architecture already works with BlackBerry, and joint documentation from PGP and RIM exists to inform customers on how to best set up their network for BlackBerry and PGP Universal Gateway Mode
  – See http://www.pgp.com/news/2004/universal12.html

Enterprise Server Security: PGP – Technical Overview (3 of 3)

• PGP Universal Server in “Standard Mode”
  – The standard architecture for setting up a PGP Universal server is to place it between the mail server and users, allowing the server to manage the security for each user without any user interaction.
  – PGP Universal is automatic and transparent, allowing companies to encrypt some or all of their confidential email based on an enforceable server-based security policy.

Enterprise Server Security: Controlling Handheld Software Applications

• Software Configurations:
  – Define which applications are installed on handhelds
• Application Control Policies:
  – Control third-party software applications
  – Send third-party applications to handhelds wirelessly.
  – Policies:
    • Allow Third Party Apps to Use Serial Port
    • Allow Third Party Apps to Use Persistent Store
    • Desktop Allow Desktop Add-Ins
    • Disallow Third Party Application Downloads

Enterprise Server Security: Mobile Data Service

• Leverages all the strengths of the traditional BlackBerry Solution
• Managing Data Connections
  – MDS Connection Settings
  – Manage connections through a proxy server
• Managing Authentication:
  – HTTP Authentication
    • Enable MDS to perform authentication with the proxy server or content server on behalf of handhelds
  – Network Authentication
    • Requires users to log in with a user name and password.
    • Supports HTTP basic authentication, NTLM, and Kerberos authentication methods.
• Managing Push/Pull

Enterprise Server Security: Additional Firewall Configuration Option

[Diagram labels: BlackBerry Enterprise Server; Corporate Application Servers; Mail Servers; BlackBerry Router (Installed in DMZ); BlackBerry User Workstation with BlackBerry Handheld Manager; Serial/USB; SRP; BlackBerry Infrastructure; 2.5G Networks; 2G Networks]

• Use BlackBerry router in DMZ on separate hardware
• External connection in DMZ
• Mail server connection inside corporate firewall

Enterprise Server Security: Wireless IT Policies

• Over 190 Policies
• Policy/Regulatory Compliance
• Device Security
  – Force Content Protection
  – Enforce Password Rules
• Configuration Management
  – Wireless Synchronization Options
  – Default/Mandatory Settings
  – Application Controls

Enterprise Server Security: Wireless IT Policies Examples

• Allow Outgoing Call When Locked
  – Specifies whether users can place calls when the device is securely locked
• Disable Forwarding Between Services
  – Prevents the user from forwarding or replying to a message via a different BlackBerry Enterprise Server than the one that delivered
• Confirm On Send
  – Requires users to confirm before sending an email, PIN, SMS or MMS message
• Disable IP Modem
  – Disables the IP modem feature on applicable devices
• Disable JavaScript in Browser
  – Disables execution of JavaScript scripts in the browser

Wireless Security: OTA Key Exchange

• “Good old” wired key creation process
  – The Shared Secret Key is passed from the desktop to the device over a very short cable…
  – And to the BlackBerry Enterprise Server over the customer’s intranet
• During Wireless Key creation, no such convenient conduit exists
  – Need a way to share the “Master” or Shared Secret Key between device and BlackBerry Enterprise Server…without passing it over the air

Wireless Security: OTA Key Exchange Cont…

• IT adds user to BlackBerry Enterprise Server
• Provides user with password out-of-band
• User enters email address and Shared Secret
• SPEKE (Simple Password-authenticated Exponential Key Exchange) used to build secure context to continue provisioning
  – SPEKE uses Zero Knowledge Password Proof (ZKPP) to safely verify password over wireless network
  – IEEE P1363.2 Password-based Public Key Cryptographic Standard
• Begins loading information to device
  – Generates Master (Shared Secret) Key, exchanges/compares hash
  – IT Policies are applied, Service Books populated, data is synced
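
Added example (not part of the original presentation and not RIM's code): a Python model of a SPEKE exchange followed by the hash comparison the slide mentions, with both sides deriving the same key from the out-of-band password without sending it. The RFC 3526 1536-bit group, the SHAKE-256 password hashing, the HMAC confirmation format and all names are assumptions; the deck does not specify them.

```python
import hashlib
import hmac
import secrets

# Assumption: RFC 3526 group 5 (1536-bit safe prime); the deck does not name a group.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2                      # prime order of the subgroup of squares

def password_generator(password):
    """SPEKE base g = H(password)^2 mod P, so g generates the order-Q subgroup."""
    h = int.from_bytes(hashlib.shake_256(password.encode()).digest(256), "big") % P
    g = pow(h, 2, P)
    if g in (0, 1):
        raise ValueError("degenerate generator")
    return g

class Party:
    def __init__(self, role, password):
        self.role = role                              # b"device" or b"server"
        self._x = secrets.randbelow(Q - 1) + 1        # ephemeral secret exponent
        self.public = pow(password_generator(password), self._x, P)
        self.key = None

    def derive(self, peer_public):
        """Reject small-subgroup values, then hash the shared element into a key."""
        if not 2 <= peer_public <= P - 2:
            raise ValueError("invalid public value")
        shared = pow(peer_public, self._x, P)
        self.key = hashlib.sha256(shared.to_bytes(192, "big")).digest()

    def proof(self, role=None):
        """Key-confirmation hash; only a holder of the same key can produce it."""
        label = b"confirm:" + (role or self.role)
        return hmac.new(self.key, label, hashlib.sha256).digest()

    def verify(self, peer_role, peer_proof):
        return hmac.compare_digest(self.proof(peer_role), peer_proof)

def provision(device_password, server_password):
    """Run one exchange; returns (both sides confirmed, device key, server key)."""
    device = Party(b"device", device_password)
    server = Party(b"server", server_password)
    # Only the two public values and the two proofs cross the wireless network.
    device.derive(server.public)
    server.derive(device.public)
    ok = (server.verify(b"device", device.proof())
          and device.verify(b"server", server.proof()))
    return ok, device.key, server.key
```

A wrong password produces a different generator, so the derived keys differ and both confirmation hashes fail; an eavesdropper sees only the public values and proofs, and an active guesser gets one password attempt per exchange.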

Device Security: Features

• Device Password Security
  – Important feature for securing device data
• J2ME, Java-based Platform
  – Third-party applications can only access persistent storage or user data, or communicate with other applications, through specific application programming interfaces (APIs).
  – Applications that use these sensitive APIs must be digitally signed by RIM
• Attachment Service
  – Designed to prevent malicious applications from accessing data on the BlackBerry device by using only -BINARY- format parsing to open the attachments and prepare them to be sent to the BlackBerry device for rendering

Device Security: Features

• Device Wipe
• Regenerate Encryption Key
  – Controlled by end user
• Password Keeper
  – Optional Application
  – AES Encrypted

Device Security: Content Protection

• Local encryption of all user data (messages, contacts, calendar, memos, tasks, etc.) on the device
  – Leverages the user’s existing password protection
  – Controlled via IT Policy (Content Protection Strength)
  – When enabled there will be performance impacts due to encrypting and decrypting data
  – Extensible to 3rd party applications

Hot Topic – Bluetooth: Bluetooth Security Concerns

• What is Bluetooth®?
  – A high-speed but very short-range wireless technology for exchanging data between desktop and mobile computers, PDAs and other devices.
• Exploiting the object exchange (OBEX)
  – “Bluesnarfing” – The theft of information from a wireless device through a Bluetooth connection
  – “Bluejacking” – The ability for a user to send a message to a Bluetooth phone without authorisation
  – “Bluebugging” – Allows the attacker to initiate phone calls, send and read SMS, read and write phonebook contacts, eavesdrop on phone conversations and access the Internet without detection
  – Allowing unwanted access to data on a mobile device

Hot Topic – Bluetooth: How BlackBerry Addresses These Concerns

• Bluetooth is disabled by default
  – User must enable under Options>Bluetooth
• Device pairing is required for communication
  – Encryption enabled by default
• Data transfer is controlled
  – Additional software and ability to use serial connection
  – Will look at additional options once the Bluetooth SIG has ratified a standard
• Extensive list of IT Policies
  – Let’s take a look…

Hot Topic – Bluetooth: Bluetooth Wireless IT Policies

• Allow Outgoing Calls
• Disable Address Book Transfer
  – Prevents the exchange of address book data via Bluetooth
• Disable Bluetooth
• Disable Desktop Connectivity
  – Prevents the use of Bluetooth to connect to the BlackBerry Desktop Manager.
• Disable Discoverable Mode
• Disable Handsfree Profile
  – Disables the use of Bluetooth handsfree peripherals

Hot Topic – Bluetooth: Bluetooth Wireless IT Policies

• Disable Pairing
• Disable Serial Port Profile
  – Disables Bluetooth Serial Port Profile (SPP), which is required for establishing a serial connection between a BlackBerry and a Bluetooth-enabled device
• Disable Wireless Bypass
  – Disables wireless bypass using Bluetooth technology.
• Require Password for enabling Bluetooth Support
• Require Password for Discoverable Mode

Thank you for attending!

For more resources, please visit:
www.blackberry.com/go/domino
www.blackberry.com/go/dominoresources

