The Tech Herald

BlackBerry Enterprise Server poses network risk

by Steve Ragan - Mar 13 2008, 09:00

NTA Monitor, known for their work in the penetration testing arena, said that recent testing shows that IT managers are not setting up the BlackBerry Enterprise Server (BES) properly. According to NTA, the insecure configurations leave the network open, allowing several avenues of attack.


The BlackBerry architecture can be insecure if no firewalls are used to separate the BES router component from the central BES server on the internal network. If the BES is compromised and there is no separation of the BES router, this can lead to the whole network becoming insecure.

One example of this setup is IT managers opening ports on the firewall to allow BES to communicate with Exchange, a practice that is very common on larger networks. By opening unencrypted ports, data passes through to the network unfiltered and with no policy applied. NTA says that this can lead to IP spoofing, session hijacking, or plain and simple interception.

"A hacker could potentially use this back channel to move around inside an organization undetected, removing confidential information or installing malware on to the network," said Roy Hills, Technical Director at NTA.

"The way to ensure optimum security is to create a Demilitarised Zone (DMZ) and separate the router component from the BES. If the BES router gets compromised, the DMZ will ensure that there is no direct access to the Local Area Network," he adds.

Additional protective steps, NTA says, include enabling content encryption to protect the data on the handheld. Password policy enforcement should also be enabled, for example by using the forbidden password option and preventing simple patterns and passwords. (They also suggest passwords be kept to a nine character minimum.)
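The password rules NTA recommends above (a forbidden password list, rejection of simple patterns, and a nine character minimum) written out as a policy check. This is an added example, not BES configuration or NTA's own tooling; the forbidden list and the definition of "simple pattern" are constructed assumptions for illustration.

```python
"""Password-policy check mirroring the BES hardening advice above.

Rules enforced (from the article):
  * minimum length of nine characters
  * a forbidden-password list (constructed sample list here)
  * rejection of simple patterns: one repeated character, ascending or
    descending runs of letters/digits, and walks along a keyboard row
"""
from __future__ import annotations

MIN_LENGTH = 9

# Constructed sample list; a real deployment maintains its own.
FORBIDDEN = {"password", "blackberry", "welcome1", "letmein", "qwertyuiop"}

# Assumed definition of a keyboard walk (US layout rows).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def is_run(s: str) -> bool:
    """True if every character is exactly one code point above (or below) the previous."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def is_simple_pattern(pw: str) -> bool:
    """Detect the trivial patterns a policy should refuse."""
    p = pw.lower()
    if len(set(p)) == 1:                 # e.g. "aaaaaaaaa"
        return True
    if is_run(p):                        # e.g. "123456789", "abcdefghi"
        return True
    for row in KEYBOARD_ROWS:            # e.g. "qwertyuio" or its reverse
        if p in row or p in row[::-1]:
            return True
    return False


def check_password(pw: str) -> list[str]:
    """Return the policy violations found; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in FORBIDDEN:
        problems.append("on the forbidden-password list")
    if is_simple_pattern(pw):
        problems.append("simple pattern")
    return problems
```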

Block third-party downloads and manage the installed software so that only approved applications are allowed. Messaging services other than those that are needed should be blocked, including P2P-based services such as ICQ and Google Talk. Finally, NTA says that Bluetooth, because of its inherent vulnerabilities, should never be allowed.
