Auditing BlackBerry Enterprise Server

A couple of days ago I had to look into vulnerabilities associated with BlackBerrys; see my post "Blackberry Insecurities".

While it's fresh in my mind, I'll briefly discuss some security strategies and techniques supported by BES (BlackBerry Enterprise Server).

BlackBerry security at the enterprise level should include (at minimum):

  • Good Design & Architecture
  • A Strong BlackBerry IT Policy (similar to MS Windows Group Policy)
  • Policy and Procedures

This could probably make a nice whitepaper, but who has time! :)

The BES server is the central point for managing registered BlackBerry devices. From here, you can view the current settings of a BlackBerry, change its password, check its software, lock it and much more. BES is made up of a number of components; generally these components are installed on the same server, but they do not have to be. It is recommended that the BES router component be placed in a DMZ, allowing port 3101 through the firewall at both ends. However, there are other, more complex designs which may be preferable.
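The DMZ design above is something an auditor can check mechanically: the only traffic the firewalls should allow to or from the router host is TCP 3101, at both ends. The following is an added example (my own code, not from the post or from BES) that audits a simplified, constructed ruleset against that expectation. The rule format, the host addresses and the port direction conventions are assumptions made for the example, not any real firewall's syntax.

```python
"""Audit a simplified firewall ruleset for the BES DMZ design:
TCP 3101 between the internal BES components and the BlackBerry Router
in the DMZ, TCP 3101 outbound from the router, and nothing else touching
the router host. Everything here is a constructed example."""
from dataclasses import dataclass
from typing import List

# Constructed addresses: assumptions for this example, not from the post.
ROUTER_DMZ_IP = "192.0.2.10"      # BlackBerry Router component in the DMZ
BES_INTERNAL_IP = "10.0.0.20"     # remaining BES components on the LAN
BES_PORT = 3101                   # the port the post says must be opened


@dataclass
class Rule:
    src: str      # IP address or "any"
    dst: str      # IP address or "any"
    proto: str    # "tcp", "udp" or "any"
    port: int     # destination port, 0 = any
    action: str   # "allow" or "deny"


def _matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    """True if an allow rule covers the given TCP path (wildcards count)."""
    return (rule.src in (src, "any") and rule.dst in (dst, "any")
            and rule.proto in ("tcp", "any") and rule.port in (port, 0))


def audit_rules(rules: List[Rule]) -> List[str]:
    """Return findings; an empty list means the ruleset matches the design."""
    findings: List[str] = []
    allows = [r for r in rules if r.action == "allow"]

    # 1. Required paths: inner firewall (LAN -> DMZ router) and
    #    outer firewall (router -> outside), both on TCP 3101.
    if not any(_matches(r, BES_INTERNAL_IP, ROUTER_DMZ_IP, BES_PORT) for r in allows):
        findings.append("missing: internal BES -> DMZ router tcp/3101")
    if not any(_matches(r, ROUTER_DMZ_IP, "any", BES_PORT) for r in allows):
        findings.append("missing: DMZ router -> outside tcp/3101")

    # 2. Anything else allowed to or from the router is a hole the design
    #    does not call for, as is a blanket any->any allow.
    for r in allows:
        if r.src == "any" and r.dst == "any":
            findings.append(f"wildcard allow: any->any {r.proto}/{r.port}")
        elif ROUTER_DMZ_IP in (r.src, r.dst) and not (r.proto == "tcp" and r.port == BES_PORT):
            findings.append(f"unexpected allow touching router: {r.src}->{r.dst} {r.proto}/{r.port}")
    return findings


# Constructed rulesets used to exercise the audit.
SAMPLE_GOOD = [
    Rule(BES_INTERNAL_IP, ROUTER_DMZ_IP, "tcp", 3101, "allow"),
    Rule(ROUTER_DMZ_IP, "any", "tcp", 3101, "allow"),
    Rule("any", "any", "any", 0, "deny"),
]
SAMPLE_BAD = SAMPLE_GOOD[:2] + [
    Rule("any", ROUTER_DMZ_IP, "tcp", 3389, "allow"),   # RDP opened to the DMZ host
    Rule("any", "any", "any", 0, "deny"),
]

if __name__ == "__main__":
    for name, ruleset in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, audit_rules(ruleset) or "no findings")
```

The point of the check is the negative space: it is not enough that 3101 is open; the audit also has to confirm that nothing else reaches the DMZ host, because that host sits on the boundary between the Internet and the internal BES components.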

Passwords must be used on the devices to mitigate risks in the event that they are stolen. A really strong IT policy should be in place which dictates what software is permitted on the user’s Blackberry. BES actually allows you to deny the user access to the Blackberry should it not meet the IT policy requirements.

Some basic policies and guidelines should be in place, such as having the user contact the IT department in the event that the Blackberry is stolen, and a process for the IT department to follow, dictating how to lock the phone out of the network.
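The two paragraphs above describe what the IT policy should enforce (a device password, only permitted software) and what should happen to a stolen device (lock it out). Here is an added example, my own code rather than anything from BES or the post, that runs those checks over a device inventory and lists the devices that should be denied access. The record fields, policy keys, device identifiers and all sample data are constructed for the example and are not BES's real policy names or export format.

```python
"""Evaluate a constructed BlackBerry device inventory against an IT policy
and report the devices that should be denied access to BES."""
from typing import Dict, List

# Constructed IT policy (assumed keys, not BES's real policy item names).
IT_POLICY = {
    "password_required": True,
    "min_password_length": 8,
    "allowed_software": {"Email", "Calendar", "Browser"},
}

# Constructed inventory records (not real devices or users).
DEVICES = [
    {"pin": "DEV-001", "user": "alice", "password_set": True, "password_length": 10,
     "software": ["Email", "Calendar"], "reported_stolen": False},
    {"pin": "DEV-002", "user": "bob", "password_set": False, "password_length": 0,
     "software": ["Email"], "reported_stolen": False},
    {"pin": "DEV-003", "user": "carol", "password_set": True, "password_length": 6,
     "software": ["Email", "Browser", "UnapprovedGame"], "reported_stolen": False},
    {"pin": "DEV-004", "user": "dave", "password_set": True, "password_length": 12,
     "software": ["Email"], "reported_stolen": True},
]


def check_device(device: dict, policy: dict) -> List[str]:
    """Return the policy violations for one device (empty = compliant)."""
    violations: List[str] = []

    # Password: required, and long enough when present.
    if policy["password_required"] and not device["password_set"]:
        violations.append("no device password")
    elif device["password_set"] and device["password_length"] < policy["min_password_length"]:
        violations.append(f"password shorter than {policy['min_password_length']}")

    # Software: anything outside the permitted set is a violation.
    disallowed = sorted(set(device["software"]) - policy["allowed_software"])
    if disallowed:
        violations.append("unapproved software: " + ", ".join(disallowed))

    # Theft procedure: a device reported stolen is locked out regardless.
    if device["reported_stolen"]:
        violations.append("reported stolen: lock out of the network")
    return violations


def audit_inventory(devices: List[dict], policy: dict) -> Dict[str, List[str]]:
    """Map device identifier -> violations, for non-compliant devices only."""
    report: Dict[str, List[str]] = {}
    for device in devices:
        violations = check_device(device, policy)
        if violations:
            report[device["pin"]] = violations
    return report


def devices_to_deny(devices: List[dict], policy: dict) -> List[str]:
    """Sorted identifiers of devices that should be refused BES access."""
    return sorted(audit_inventory(devices, policy))


if __name__ == "__main__":
    for pin, problems in audit_inventory(DEVICES, IT_POLICY).items():
        print(pin, "->", "; ".join(problems))
    print("deny:", devices_to_deny(DEVICES, IT_POLICY))
```

Running the audit on a schedule, and again whenever the help desk records a theft report, turns the written procedure into something that is actually enforced rather than relied on.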

You basically have two choices for BlackBerry connectivity: Wireless (G) or GPRS. GPRS doesn't introduce new holes into your network; Wireless (G) does, as you then also have to worry about how the wireless network is configured. Whichever solution you choose, remember that additional holes will have to be punched in your firewall. With this in mind, let me encourage you to really think about your network design and architecture before plugging in your BES server, and please remember that the BlackBerry should be treated like any laptop or mobile device.

1 Comment so far

  1. [...] such as VOIP and BES are growing in popularity and often require significant network design and architecture changes to [...]
