Hi,

Thanks for the response.

We will be doing the client side lockdown with policies. Although for
obvious reasons we really wanted to use a server side solution, and were
hoping that the BES MDS Connection Service supported fine grained ACL
filtering. As far as we can tell it is all or none on the TCP ACL for the
MDS Connection Service.

The idea of Blackberries bypassing the firewall and VPNs also makes us want
to move the server into an isolated DMZ so that consistent logging can be
maintained.

Thanks again.
-----Original Message-----
From: firewall-wizards-bounces@listserv.cybertrust.com
[mailto:firewall-wizards-bounces@listserv.cybertrust.com]On Behalf Of Chris
Myers
Sent: Thursday, January 17, 2008 5:55 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Blackberry MDS Connection Bypassing firewall


If you don't want any 3rd party app : ) It looks like if they already have
it then another approach needs to be looked at, but the Blackberry seems to
have its own IT Policy. The URL below shows how to get SSH running if it does
not work, but reverse engineering it will tell you what you can put in place
that causes these errors, hence not allowing outbound SSH access for the
Blackberry.


1. Open the BlackBerry Manager.
2. On the Tree tab, right-click the BlackBerry Enterprise Server server
and select IT Policy. The IT Policy settings for BlackBerry Server window
appears.
3. Click Edit. The Edit IT Policy window appears.
4. Clear the Disallow Third Party Application Downloads checkbox.
5. Click OK.


Note: Depending on the version of your BlackBerry Enterprise Server, this
IT Policy setting may also be called DisallowThirdPartyAppDownloads or
Disallow 3rd Party Applications.

http://www.rovemobile.com/support/faqs/ssh/

On Jan 17, 2008, at 10:38 AM, Erik LaBianca wrote:


My guess is that the best way to solve this problem would be to isolate
the BES on its own system (BlackBerry recommends this anyway) and then
restrict that computer's egress access as necessary. All BES/MDS connections
coming in from RIMM and through the proxy will then get handled by your
regular firewall.

--erik

From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of
miedaner
Sent: Friday, January 11, 2008 10:47 AM
To: firewall-wizards@listserv.cybertrust.com
Subject: [fw-wiz] Blackberry MDS Connection Bypassing firewall

Hi,

Wondering if anyone has dealt with this problem with BES.


Blackberry Enterprise Server is configured by default to allow TCP
traffic from the Blackberry clients through the encrypted BES connection to
an internal network. As the Blackberries are Java based some clever folks
have built things like SSH clients for them.

The problem is that this type of access bypasses firewall and VPN rules.

I know that there are ACLs possible on the MDS connection service that
allow this but I am told that it is either block all TCP or block none.

I am wondering if anyone knows if the BES ACL really is all or none and
if anyone has implemented a solution to restrict internal network access
through BES to only protocols like http or https.

TIA
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards
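Added example, not code from this thread, from RIM or from any BES documentation: the egress rule set that the approach discussed above implies. The BES sits on its own host in a DMZ, and the regular firewall (iptables here, on the box forwarding between the DMZ and the LAN) allows that host only HTTP and HTTPS into the internal network, logging and dropping everything else the MDS Connection Service would otherwise tunnel, SSH included. The addresses 10.0.5.10 and 10.0.0.0/16, the chain name BES_EGRESS and the DRY_RUN switch are assumptions for illustration; with DRY_RUN=1 (the default) the script only prints the commands, so it can be reviewed anywhere before being applied on the firewall.

```shell
#!/bin/sh
# Added example, not code from the thread or from RIM. Egress rules for an
# isolated BES host: the regular firewall, not BES, decides what the MDS
# Connection Service may reach on the inside.
# Hypothetical addresses and chain name; override them via the environment.
BES_HOST="${BES_HOST:-10.0.5.10}"            # assumed address of the isolated BES
INTERNAL_NET="${INTERNAL_NET:-10.0.0.0/16}"  # assumed internal network
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands, 0 = apply them

# Print or execute one iptables command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Rules for traffic forwarded from the BES host into the internal network.
bes_egress_rules() {
    # Create the chain (ignore the error if it already exists), then empty it
    # so the function is safe to re-run.
    run -N BES_EGRESS 2>/dev/null || true
    run -F BES_EGRESS
    # Allow only what the original poster wanted MDS to carry: HTTP and HTTPS.
    for port in 80 443; do
        run -A BES_EGRESS -p tcp -s "$BES_HOST" -d "$INTERNAL_NET" \
            --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Every other flow MDS would tunnel (SSH on 22, for example) is logged at
    # the firewall, where the log is consistent with the rest of the
    # perimeter, and then dropped.
    run -A BES_EGRESS -s "$BES_HOST" -d "$INTERNAL_NET" \
        -m limit --limit 10/min -j LOG --log-prefix "BES-EGRESS-DENY "
    run -A BES_EGRESS -s "$BES_HOST" -d "$INTERNAL_NET" -j DROP
    # Hook the chain into FORWARD so it is consulted before any general rule.
    run -I FORWARD -s "$BES_HOST" -d "$INTERNAL_NET" -j BES_EGRESS
}

bes_egress_rules
```

Two caveats for anyone adapting this: the chain only covers new connections from the BES host into the internal network and assumes the usual ESTABLISHED,RELATED accept rule already exists in FORWARD for the return path; and the BES host's own required flows (to its mail server, and its connection to RIM) are outside this chain and are not shown, so they have to be permitted separately. The rules say nothing about what the handhelds are allowed to install, which is the client-side IT Policy piece discussed above.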


