Monday, January 26, 2009

firewall-wizards Digest, Vol 33, Issue 9

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Blackberry MDS Connection Bypassing firewall (Chris Myers)


----------------------------------------------------------------------

Message: 1
Date: Sat, 19 Jan 2008 18:17:26 -0600
From: Chris Myers <clmmacunix@charter.net>
Subject: Re: [fw-wiz] Blackberry MDS Connection Bypassing firewall
To: miedaner@twcny.rr.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <6523550E-C120-4E99-BD5B-B4784AB31688@charter.net>
Content-Type: text/plain; charset="us-ascii"; Format="flowed";
DelSp="yes"

The dmz was going to be my next suggestion : )

Chris

On Jan 19, 2008, at 7:28 AM, Miedaner wrote:

> Hi,
>
> Thanks for the response.
>
> We will be doing the client side lockdown with policies. Although
> for obvious reasons we really wanted to use a server side solution,
> and were hoping that the BES MDS Connectrion service supported fine
> grained ACL filtering. As far as we can tell it is all or none on
> the TCP ACL for the MDS connecrion service.
>
> The idea of Blackberries bypassing the firewall and VPN's also makes
> us want to move the server into an isolated DMZ so that consistent
> logging can be mainteained..
>
> Thanks again.
> -----Original Message-----
> From: firewall-wizards-bounces@listserv.cybertrust.com [mailto:firewall-wizards-bounces@listserv.cybertrust.com
> ]On Behalf Of Chris Myers
> Sent: Thursday, January 17, 2008 5:55 PM
> To: Firewall Wizards Security Mailing List
> Subject: Re: [fw-wiz] Blackberry MDS Connection Bypassing firewall
>
> If you don't want any 3rd party app : ) It looks like if they
> already have it then another approach needs looked at, but the
> Blackberry seems to have its own IT Policy. The URL below shows how
> to get the SSH running if it does not work, but reverse engineering
> it will tell you what you can put in place that causes these errors,
> hence not allowing access outbound for SSH for the Blackberry.
>
> 1. Open the BlackBerry Manager.
> 2. On the Tree tab, right-click the BlackBerry Enterprise Server
> server and select IT Policy. The IT Policy settings for BlackBerry
> Server window appears.
> 3. Click Edit. The Edit IT Policy window appears.
> 4. Clear the Disallow Third Party Application Downloads checkbox.
> 5. Click OK.
>
> Note: Depending on the version of your BlackBerry Enterprise Server,
> this IT Policy setting may also be called
> DisallowThirdPartyAppDownloads or Disallow 3rd Party Applications.
>
>
> http://www.rovemobile.com/support/faqs/ssh/
>
>
>
> On Jan 17, 2008, at 10:38 AM, Erik LaBianca wrote:
>
>> My guess is that the best way to solve this problem would be to
>> isolate the BES on its own system (blackberry recommends this
>> anyway) and then restrict that computers egress access as
>> necessary. All BES/MDS connections coming in from RIMM and through
>> the proxy will then get handled by your regular firewall.
>> --erik
>> From: firewall-wizards-bounces@listserv.icsalabs.com [mailto:firewall-wizards-bounces@listserv.icsalabs.com
>> ] On Behalf Of miedaner
>> Sent: Friday, January 11, 2008 10:47 AM
>> To: firewall-wizards@listserv.cybertrust.com
>> Subject: [fw-wiz] Blackberry MDS Connection Bypassing firewall
>> Hi,
>> Wondering if anyone has dealt with this problem with BES.
>> Blackberry enterprise server is configured by default to allow TCP
>> traffic from the Blackberry clients through the encrypted BES
>> connection to a internal network. As the Blackberries are java
>> based some clever folks have built things like SSH clients for them.
>> The problem is that this type of access bypasses firewall and VPN
>> rules.
>> I know that there are ACL's possible on the MDS connection service
>> that allows this but I am told that it is either block all tcp or
>> block none.
>> I am wondering if anyone knows if the BES ACl really is all or none
>> and if anyone has implemented a solution to restrict internal
>> network access through BES to only protocols like http or hhtps.
>> TIA
>> _______________________________________________
>> firewall-wizards mailing list
>> firewall-wizards@listserv.icsalabs.com
>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20080119/2e699519/attachment.html>

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 33, Issue 9
***********************************************

No comments:

Post a Comment