http://software.silicon.com/security/0,39024655,39170322,00.htm
By Natasha Lomas
Silicon.com
10 March 2008
Companies are being warned to make sure they correctly configure
BlackBerrys - or risk weakening their IT security.
Internet security consultancy company NTA Monitor says recent testing
showed that organisations are still failing to ensure the smart phone
devices are locked down.
It said the BlackBerry architecture can be insecure if no firewalls are
used to separate the BlackBerry Enterprise Server (BES) router component
from the central BES server on the internal network. If the BES is
compromised and there is no separation of the BES router, it can lead to
the whole network becoming insecure, it claims.
Roy Hills, technical director at NTA, said in a statement: "A hacker
could potentially use this back channel to move around inside an
organisation undetected."
Hills said the ideal scenario for BlackBerry security is to create a
'demilitarised zone' to separate the router component from the BES. He
explained: "If the BES router gets compromised, the demilitarised zone
will ensure that there is no direct access to the local area network."
But Scott Totzke, VP of global security at RIM, said while this
demilitarised zone may work for some BlackBerry customers it is just one
approach to securing the devices - stressing there is no
"one-size-fits-all answer" to security.
He told silicon.com: "We actually have customers who look at information
security in an even stricter sense - say no component should exist
without a firewall and actually distribute BlackBerrys amongst multiple
servers with multiple firewalls. And the good news is the documentation
support for that is readily available on our website.
"At the same time we have other customers who look at the risks and say
if I just control access to third party applications I can have maybe a
more simplified network infrastructure behind the firewall. There's not
going to be a one-size-fits-all answer here. But it's that flexibility
that allows us [BlackBerrys] to exist within whatever the existing IT
framework is for securing network systems and services that's built into
the platform."
Totzke said the BlackBerry platform includes more than 400 configurable
security policies - which gives customers the ability to mitigate their
own level of risk. He said: "Having something that is flexible and
adaptable and can be modified to suit the needs of your customer is
really important."
He added: "One of the biggest things that we've learned over the years
with our solution is that you have to balance security and usability -
if you make a product that's way too secure you're likely going to
compromise usability so we always look at how we can balance that."
NTA Monitor also recommends BlackBerry admins turn off Bluetooth
altogether. But Totzke said this is again down to the discretion of
individual customers, adding that the BlackBerry platform allows users
to enable parts of Bluetooth and disable others - which may be the most
appropriate response.
He added: "If you look at probably our largest and most paranoid
customer in North America - the United States Department of Defense -
they publish about a 125-page configuration guide for BlackBerry… That's
the extreme - but that's not going to be for everybody."
___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn