Re: [fw-wiz] Blackberry MDS Connection Bypassing firewall

The dmz was going to be my next suggestion : )


On Jan 19, 2008, at 7:28 AM, Miedaner wrote:


Thanks for the response.

We will be doing the client side lockdown with policies. Although for obvious reasons we really wanted to use a server side solution, and were hoping that the BES MDS Connectrion service supported fine grained ACL filtering. As far as we can tell it is all or none on the TCP ACL for the MDS connecrion service.

The idea of Blackberries bypassing the firewall and VPN's also makes us want to move the server into an isolated DMZ so that consistent logging can be mainteained..

Thanks again.
-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx ]On Behalf Of Chris Myers
Sent: Thursday, January 17, 2008 5:55 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Blackberry MDS Connection Bypassing firewall

If you don't want any 3rd party app : ) It looks like if they already have it then another approach needs looked at, but the Blackberry seems to have its own IT Policy. The URL below shows how to get the SSH running if it does not work, but reverse engineering it will tell you what you can put in place that causes these errors, hence not allowing access outbound for SSH for the Blackberry.

1. Open the BlackBerry Manager.
2. On the Tree tab, right-click the BlackBerry Enterprise Server server and select IT Policy. The IT Policy settings for BlackBerry Server window appears.
3. Click Edit. The Edit IT Policy window appears.
4. Clear the Disallow Third Party Application Downloads checkbox.
5. Click OK.

Note: Depending on the version of your BlackBerry Enterprise Server, this IT Policy setting may also be called DisallowThirdPartyAppDownloads or Disallow 3rd Party Applications.

On Jan 17, 2008, at 10:38 AM, Erik LaBianca wrote:

My guess is that the best way to solve this problem would be to isolate the BES on its own system (blackberry recommends this anyway) and then restrict that computers egress access as necessary. All BES/MDS connections coming in from RIMM and through the proxy will then get handled by your regular firewall.
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx ] On Behalf Of miedaner
Sent: Friday, January 11, 2008 10:47 AM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] Blackberry MDS Connection Bypassing firewall
Wondering if anyone has dealt with this problem with BES.
Blackberry enterprise server is configured by default to allow TCP traffic from the Blackberry clients through the encrypted BES connection to a internal network. As the Blackberries are java based some clever folks have built things like SSH clients for them.
The problem is that this type of access bypasses firewall and VPN rules.
I know that there are ACL's possible on the MDS connection service that allows this but I am told that it is either block all tcp or block none.
I am wondering if anyone knows if the BES ACl really is all or none and if anyone has implemented a solution to restrict internal network access through BES to only protocols like http or hhtps.
firewall-wizards mailing list

firewall-wizards mailing list

firewall-wizards mailing list