Mobile Admin Security
www.roveit.com
Introduction

Mobile Admin is an enterprise-ready IT Management solution that generates significant cost savings by dramatically increasing the responsiveness of IT organizations facing outages and other issues. By enabling system administrators to access over 500 functions across dozens of different types of servers, platforms and devices through a convenient smartphone client, Mobile Admin provides a cost-effective means of increasing the availability of mission-critical business applications. The product enhances the efficiency of the IT team, which in turn has a direct positive impact on the productivity of the entire user population.

Security is a fundamental concern of all IT Management solutions, and it is of particular importance when mobile devices are used to access corporate information across the firewall. Mobile Admin's client-server architecture features a fully-integrated security model that provides both data encryption and user authentication.
Mobile control of your network

Mobile Admin is a client-server application. The Mobile Admin Server software is installed behind your corporate firewall on any one computer that has access to all other servers in your network that you want to manage. The Mobile Admin Client software is installed on your wireless device.

You can use Mobile Admin to manage a wide range of computers, servers, and systems in your network:
• Microsoft Windows computers and networks
• Microsoft Active Directory
• Microsoft Exchange 2000/2003
• Microsoft Exchange 2007
• Microsoft SQL Server
• Microsoft IIS
• Microsoft DHCP
• Microsoft DNS
• Microsoft Cluster Servers
• Microsoft SCOM
• Microsoft SCMDM
• SolarWinds Orion
• Amazon Elastic Compute Cloud (EC2)
• IBM Lotus Domino
• Novell eDirectory/NDS
• BlackBerry Enterprise Server
• BlackBerry Enterprise Server 5
• Oracle
• Citrix
• RSA Authentication Manager
• HP Integrated Lights-Out (iLO)
• Backup Exec
• VMware
• VMware Virtual Infrastructure
• Nagios

Mobile Admin allows you to use your wireless device to perform a full range of administrative tasks on these servers, including:
• managing users and groups, event logs, services, and print jobs
• rebooting servers
• resetting passwords
• editing server documents
• deleting mailbox messages.
Supported devices

Mobile Admin can be used with any of the following wireless handheld devices:
• BlackBerry smartphones
• Apple iOS devices
• Android devices

Mobile Admin can also be used on any computer with an Internet connection using the Mobile Admin Web Interface (Mozilla Firefox and Internet Explorer are the supported browsers).
Encryption

The types of data encryption available to you with Mobile Admin depend on the type of wireless handheld devices you use:
• BlackBerry smartphones, with or without a BlackBerry Enterprise Server
• Apple iOS devices, with or without a VPN
• Android devices, with or without a VPN

Encryption options for Mobile Admin on BlackBerry smartphones

You can choose to use Mobile Admin on BlackBerry smartphones with or without a BlackBerry Enterprise Server.

Mobile Admin with BlackBerry smartphones and a BlackBerry Enterprise Server

When you use Mobile Admin with a BlackBerry Enterprise Server, you are able to leverage the industry-leading security infrastructure of the BlackBerry network.

If you use a BlackBerry Enterprise Server, all your Mobile Admin data is sent over the Mobile Data Service (MDS), and is, by default, automatically encrypted using Triple Data Encryption Standard (TDES or 3DES). While TDES provides the highest industry standard encryption, you can also choose additional layers of encryption.

All versions of the BlackBerry Enterprise Server use TDES as the default encryption for all data. The BlackBerry Enterprise Server 4.1, however, allows you to choose between using TDES and Advanced Encryption Standard (AES), or both.

TDES and AES are generally recognized as the most robust encryption methods available today, and the US Government has also certified TDES and AES as compliant with Federal Information Processing Standards (FIPS).
The Mobile Admin Server is configured, by default, to add a layer of encryption with Hypertext Transfer Protocol – Secured (HTTPS). HTTPS is HTTP encrypted with Transport Layer Security (TLS). When Mobile Admin uses HTTPS, all Mobile Admin data transmitted between the Mobile Admin Server and the wireless handheld is encrypted.

Architecture overview — BlackBerry smartphones with a BlackBerry Enterprise Server

Figure 1-1 shows how Mobile Admin connects your wireless device to your network if you are using a BlackBerry Enterprise Server. The Mobile Admin Server is connected to the servers and computers that you want to manage with Mobile Admin. Information about these servers and computers is sent through the Mobile Admin Server to the BlackBerry Enterprise Server. The BlackBerry Enterprise Server encrypts the data with Triple Data Encryption Standard (TDES) or Advanced Encryption Standard (AES) and sends it over the Internet and the wireless network to the BlackBerry smartphone. The BlackBerry smartphone decrypts the data so that it can be viewed using the Mobile Admin Client.

Similarly, Mobile Admin Client commands from the BlackBerry smartphone are encrypted, then sent over the wireless network and the Internet to the BlackBerry Enterprise Server. The BlackBerry Enterprise Server decrypts the commands and sends them to the Mobile Admin Server, which then further decrypts the commands if required, and then performs the requested actions.

When Mobile Admin uses HTTPS, data is encrypted with TLS before it is transmitted between the Mobile Admin Servers and the BlackBerry smartphones.

Note: Figure 1-1 shows the Mobile Admin Server and the BlackBerry Enterprise Server installed on separate computers. However, the Mobile Admin Server can be installed on the same computer as the BlackBerry Enterprise Server.
Figure 1-1 Mobile Admin architecture with BlackBerry smartphones and a BlackBerry Enterprise Server

Protecting your network when a handheld device is lost

BlackBerry Enterprise Server 4.0 and above offers the ability to “kill” a lost BlackBerry device. The “kill” command disables the device, and deletes all of its stored information, including everything related to the Mobile Admin application. The “kill” command is one of the hundreds supported by Mobile Admin, enabling a system administrator to use one BlackBerry device to kill another one.

Mobile Admin with BlackBerry smartphones without a BlackBerry Enterprise Server

When you do not use a BlackBerry Enterprise Server, data sent between the Mobile Admin Server and BlackBerry smartphones can be encrypted using HTTPS. If you do not use a BlackBerry Enterprise Server with your BlackBerry smartphones, it is strongly recommended that Mobile Admin be configured to make HTTPS connections.
Architecture overview — BlackBerry smartphones without a BlackBerry Enterprise Server

Figure 1-2 shows how Mobile Admin connects your wireless device to your network if you are not using a BlackBerry Enterprise Server. The Mobile Admin Server is connected to the servers and computers that you want to manage with Mobile Admin. The Mobile Admin Server encrypts the data with HTTPS and sends it over the Internet and the wireless network to the BlackBerry smartphone. The BlackBerry smartphone decrypts the data so that it can be viewed using the Mobile Admin Client.

Similarly, Mobile Admin Client commands from the BlackBerry smartphone are encrypted using HTTPS, and then sent over the wireless network and the Internet. The Mobile Admin Server decrypts the commands if required, and then performs the requested actions.

Figure 1-2 Mobile Admin architecture with BlackBerry smartphones
Other considerations

If you do not have a BlackBerry Enterprise Server, you can choose to either rent a BlackBerry Enterprise Server from a hosting company for a monthly fee, or to use Mobile Admin without one.

To use Mobile Admin without a BlackBerry Enterprise Server, you must:
• use BlackBerry smartphones meeting Mobile Admin's minimum system requirements
• connect from the Mobile Admin Client handheld to the Mobile Admin Server using Internet TCP/IP
• make sure that your carrier has the Internet Access Point Name (APN) enabled for your device

Encryption options for Mobile Admin on Apple iOS and Android devices

You can choose to use Mobile Admin on Apple iOS and Android devices with or without a Virtual Private Network (VPN). If you use a VPN, all your Mobile Admin data is sent over the VPN, and is, by default, automatically encrypted.

By default, the Mobile Admin Server is configured to add a layer of encryption with Hypertext Transfer Protocol – Secured (HTTPS). HTTPS is HTTP encrypted with Transport Layer Security (TLS). When Mobile Admin uses HTTPS, all data transmitted between the Mobile Admin Server and the wireless handheld is encrypted.

If you are using Apple iOS devices or Android devices with Mobile Admin, it is strongly recommended that you connect to your network through a VPN. If you cannot use a VPN, it is strongly recommended that Mobile Admin be configured to make HTTPS connections.
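The whitepaper recommends HTTPS both for BlackBerry smartphones without a BlackBerry Enterprise Server and for iOS and Android devices without a VPN, but it does not show how to confirm that the server really is terminating TLS. The following PowerShell script is an added example, not code from Rove or from the Mobile Admin product: run from a management workstation, it opens a TLS session to the documented HTTPS port (4055), validates the server certificate chain and name, reports the negotiated protocol and cipher, and warns if the plain HTTP port (4054) is also reachable. The host name is a placeholder; the `.NET` classes used (`TcpClient`, `SslStream`, `X509Chain`) are standard.

```powershell
# Added example, not part of the Rove whitepaper: verify that a Mobile Admin
# Server terminates TLS on its HTTPS port and that plain HTTP is not also open.
# 4054 and 4055 are the ports the document names; the host name is a placeholder.
param(
    [string]$ServerName = 'mobileadmin.example.internal',   # placeholder
    [int]$HttpsPort = 4055,
    [int]$HttpPort  = 4054
)

function Test-TcpPort {
    param([string]$Server, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($Server, $Port); $tcp.Close(); return $true }
    catch { return $false }
}

function Get-TlsReport {
    param([string]$Server, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    # Accept any certificate during the handshake; it is validated explicitly
    # below so that every chain problem is reported, not just the first one.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $issues = @()
        if (-not $chain.Build($cert)) {
            $issues += ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
        }
        # Exact name match; a wildcard certificate will be flagged here and needs a manual look.
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if ($dnsName -ne $Server) { $issues += "certificate name '$dnsName' does not match '$Server'" }
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $issues += "certificate expires $($cert.NotAfter)" }
        if ($ssl.SslProtocol -in 'Ssl2', 'Ssl3', 'Tls') { $issues += "legacy protocol negotiated: $($ssl.SslProtocol)" }
        [pscustomobject]@{
            Protocol = $ssl.SslProtocol
            Cipher   = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            Issues   = $issues
        }
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

try {
    $report = Get-TlsReport -Server $ServerName -Port $HttpsPort
} catch {
    Write-Error "No usable TLS service on ${ServerName}:$HttpsPort - $($_.Exception.Message)"
    return
}
$report | Format-List

if ($report.Issues.Count -gt 0) {
    Write-Warning ("TLS issues: " + ($report.Issues -join '; '))
}
if (Test-TcpPort -Server $ServerName -Port $HttpPort) {
    Write-Warning "Plain HTTP port $HttpPort is also reachable from this host; devices outside a BES or VPN should only be offered $HttpsPort."
}
```

Run it from a workstation on the same network path the handhelds will use (for example through the carrier APN or the VPN gateway), since that is where a missing firewall rule or an expired certificate would actually be seen. If Mobile Admin has been reconfigured to use different ports, pass them with `-HttpsPort` and `-HttpPort`.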
Architecture overview - Apple iOS and Android devices

Figure 1-3 shows how Mobile Admin connects your wireless handheld device to your network using a VPN and/or HTTPS. The Mobile Admin Server is connected to the servers and computers that you want to manage with Mobile Admin through a Virtual Private Network (VPN), which encrypts network data. The Mobile Admin Server encrypts the data with HTTPS and sends it over the Internet and the wireless network to the wireless handheld device. The Mobile Admin Client decrypts the data on the wireless handheld device so that it can be viewed.

Similarly, Mobile Admin Client commands from the wireless handheld are encrypted with HTTPS, and can additionally be encrypted by a VPN, then sent over the wireless network and the Internet. The Mobile Admin Server decrypts the commands if required, and then performs the requested actions.

Figure 1-3
Mobile Admin proxy

The Mobile Admin proxy is a service that runs on the same computer as Mobile Admin and proxies SSH/Telnet and RDP/VNC traffic. The Mobile Admin clients authenticate transparently to the proxy if the appropriate rights and permissions have been configured.

The Mobile Admin proxy enables access to SSH/Telnet and RDP/VNC servers through a central port, rather than having to configure access to each individual server.

If the Mobile Admin proxy is not used, then all SSH/Telnet and RDP/VNC servers must have the appropriate firewall configuration.

Other considerations

A VPN client is provided by default on all Apple iOS and Android devices.

Port and firewall configurations

Mobile Admin can use ports 4054 (the HTTP port), 4055 (the HTTPS port) or 4056 (the proxy port for SSH/Telnet and RDP/VNC connections) to communicate between the BlackBerry Enterprise Server and the Mobile Admin Server. If you use a BlackBerry Enterprise Server hosting company or use Mobile Admin without a BlackBerry Enterprise Server, you will have to make sure that the gateway you use is able to contact your Mobile Admin Server through these ports, which may require firewall configuration. You can also choose to configure the ports that Mobile Admin uses; if you change the ports used by Mobile Admin, you must make sure that your gateway is still able to contact your Mobile Admin Server.
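The paragraph above names the three listening ports but leaves the firewall side to the reader. The PowerShell script below is an added example, not Rove's own configuration: run on the Mobile Admin Server, it creates Windows Firewall rules that admit the HTTPS port (4055) and the SSH/Telnet and RDP/VNC proxy port (4056) only from the gateway addresses that need them (the BlackBerry Enterprise Server, a hosted BES, or your VPN concentrator), and blocks the plain HTTP port (4054) unless you explicitly opt in. The gateway addresses and rule names are placeholders; the `NetSecurity` cmdlets used are the standard ones shipped with Windows Server 2012 and later.

```powershell
# Added example, not part of the Rove whitepaper: restrict the documented
# Mobile Admin ports (4054 HTTP, 4055 HTTPS, 4056 proxy) to a known gateway.
#Requires -RunAsAdministrator
param(
    [string[]]$GatewayAddresses = @('192.0.2.10'),   # placeholder: BES host or VPN gateway
    [int]$HttpPort  = 4054,
    [int]$HttpsPort = 4055,
    [int]$ProxyPort = 4056,
    [switch]$AllowPlainHttp                           # only when a BES encrypts the path anyway
)

$rulePrefix = 'Mobile Admin'

function Set-MobileAdminPortRule {
    param(
        [string]$Name,
        [int]$Port,
        [string[]]$RemoteAddress,
        [ValidateSet('Allow', 'Block')][string]$Action
    )
    $displayName = "$rulePrefix - $Name ($Port/tcp)"
    # Drop any earlier rule of the same name so re-running the script is idempotent.
    Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    $params = @{
        DisplayName = $displayName
        Direction   = 'Inbound'
        Protocol    = 'TCP'
        LocalPort   = $Port
        Action      = $Action
        Profile     = 'Any'
    }
    if ($RemoteAddress) { $params.RemoteAddress = $RemoteAddress }   # omitted => any remote address
    New-NetFirewallRule @params | Out-Null
    return $displayName
}

# The two ports that must stay reachable, but only from the gateway.
Set-MobileAdminPortRule -Name 'HTTPS from gateway' -Port $HttpsPort -RemoteAddress $GatewayAddresses -Action Allow
Set-MobileAdminPortRule -Name 'Proxy from gateway' -Port $ProxyPort -RemoteAddress $GatewayAddresses -Action Allow

if ($AllowPlainHttp) {
    Set-MobileAdminPortRule -Name 'HTTP from gateway' -Port $HttpPort -RemoteAddress $GatewayAddresses -Action Allow
} else {
    # Block rules take precedence over allow rules in Windows Firewall, so this
    # closes the unencrypted port for every remote address.
    Set-MobileAdminPortRule -Name 'HTTP blocked' -Port $HttpPort -RemoteAddress $null -Action Block
}

# Show the resulting rule set so the change can be reviewed and recorded.
Get-NetFirewallRule -DisplayName "$rulePrefix*" | ForEach-Object {
    $portFilter = $_ | Get-NetFirewallPortFilter
    $addrFilter = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule   = $_.DisplayName
        Port   = $portFilter.LocalPort
        Remote = ($addrFilter.RemoteAddress -join ',')
        Action = $_.Action
    }
} | Format-Table -AutoSize
```

After applying the rules, confirm the path from the gateway itself, for example with `Test-NetConnection -ComputerName <mobile admin server> -Port 4055` run on the BES host, and repeat the check whenever the Mobile Admin ports are changed, since the rules above are keyed to the port numbers you pass in.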
Authentication

As well as data encryption, Mobile Admin supports three different levels of authentication:
• primary login authentication (required), from a choice of:
  - Windows username and password
  - Mobile Admin-specific username and password
• device-level password (optional)
• RSA SecurID/RADIUS (optional)

Primary login authentication

Mobile Admin requires that you choose a primary form of authentication that each user must enter to log in to the Mobile Admin application, no matter what other forms of authentication (such as device-level, or RSA SecurID) you may have configured for the user.

You can also configure how frequently the user is required to enter the primary login authentication. For example, you can configure Mobile Admin to require the primary login after time-out intervals that you specify.

Windows username and password authentication

Administrative access to servers with Mobile Admin can be configured to use the Windows user settings for your network. With this option, users must always provide their Windows network username and password to log in to Mobile Admin.

If you choose to use the Windows network settings, you can configure Mobile Admin users to have access to either:
• exactly the same servers and services in Mobile Admin as they do in your network; or
• a subset of the servers and services they have permissions to manage in your network.
Mobile Admin username and password authentication

Administrative access to servers with Mobile Admin can be configured to be specific to Mobile Admin, if you would rather not use Windows login data for Mobile Admin.

Because Mobile Admin is fully integrated with Windows security, you must specify at least one Windows account for the Mobile Admin Server to use to authenticate Mobile Admin users when they log in with their Mobile Admin-specific username and password.

If you specify one Windows account, Mobile Admin will use that as the default Windows authentication for all Mobile Admin users when they enter their Mobile Admin-specific username and password. However, for each user, you can choose to:
• use the default Windows account, or use any other Windows account
• further configure or limit access to specific network servers, as long as these servers are a subset of the servers that the associated Windows account has permission to manage

Because of the many available choices, there are several ways to configure user access to your network if you choose to use Mobile Admin-specific passwords. The following three examples are provided to illustrate some of the possibilities.

Sample configuration #1:
• In Mobile Admin, set up one existing Windows account as the default account for Mobile Admin with a wide range of permissions, such as a domain administrator or administrator account.
• In Mobile Admin, add users, and set up Mobile Admin-specific passwords for each user.
• In Mobile Admin, configure access for each user to an appropriate subset of network servers.
Sample configuration #2:
• In Windows, create a specific Windows account that has the permissions that you want all Mobile Admin users to have.
• In Mobile Admin, set up the new Windows account as the default account for Mobile Admin.
• In Mobile Admin, add users, and set up Mobile Admin-specific passwords for each.

Sample configuration #3:
• In Windows, create a specific Windows account that has the permissions that you want most Mobile Admin users to have.
• In Mobile Admin, set up the new account as the default account for Mobile Admin.
• In Mobile Admin, add users and set up Mobile Admin-specific passwords for each.
• For the small number of users who you want to have different permissions than the default Windows account, configure them to use different appropriate Windows accounts to authenticate with Mobile Admin.
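Sample configurations #2 and #3 both start with the same Windows-side step: create a dedicated account that carries only the permissions Mobile Admin users should have. The PowerShell script below is an added example, not Rove's procedure, showing that step for an Active Directory domain and then verifying that the new account did not end up (directly or through nested groups) in a privileged group, which would turn the "restricted default account" back into sample configuration #1. The account name, OU, and delegated group are placeholders; the cmdlets come from the standard `ActiveDirectory` module (RSAT).

```powershell
# Added example, not part of the Rove whitepaper: create the dedicated Windows
# account used as Mobile Admin's default authentication account and verify it is
# not privileged. All names below are placeholders.
#Requires -Modules ActiveDirectory
param(
    [string]$AccountName       = 'svc-mobileadmin',                          # placeholder
    [string]$TargetOu          = 'OU=Service Accounts,DC=example,DC=com',   # placeholder
    [string[]]$DelegatedGroups = @('MobileAdmin-ServerOperators')            # placeholder group holding the intended rights
)

# Groups that must never contain the Mobile Admin default account.
$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators'
)

function Get-PrivilegedMemberships {
    param([string]$SamAccountName)
    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) follows nested
    # membership: a user in a group that is itself in Domain Admins is a domain admin.
    $user = Get-ADUser -Identity $SamAccountName
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
        Where-Object { $privilegedGroups -contains $_.Name } |
        Select-Object -ExpandProperty Name
}

# Prompt for the password rather than storing it in the script.
$password = Read-Host -Prompt "Initial password for $AccountName" -AsSecureString

if (-not (Get-ADUser -Filter "SamAccountName -eq '$AccountName'")) {
    New-ADUser -Name $AccountName -SamAccountName $AccountName -Path $TargetOu `
        -AccountPassword $password -Enabled $true -PasswordNeverExpires $false `
        -Description 'Default Windows account used by the Mobile Admin Server'
}

foreach ($group in $DelegatedGroups) {
    Add-ADGroupMember -Identity $group -Members $AccountName
}

$violations = Get-PrivilegedMemberships -SamAccountName $AccountName
if ($violations) {
    Write-Warning "$AccountName is (transitively) a member of: $($violations -join ', '). Remove it before using it as the Mobile Admin default account."
} else {
    $direct = (Get-ADPrincipalGroupMembership -Identity $AccountName).Name -join ', '
    Write-Host "$AccountName holds only delegated rights via: $direct"
}
```

The same membership check is worth re-running periodically, because a later change to one of the delegated groups (nesting it into a built-in operator group, say) silently widens what every Mobile Admin user can do through the default account.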
Device-level password authentication

Most wireless handheld devices and phones provide optional device-level authentication. When the device password feature is enabled, you must enter a password before you can use the device and Mobile Admin.
Device-level passwords for BlackBerry smartphones

The BlackBerry smartphone password provides device-level authentication on BlackBerry smartphones. After ten failed attempts to enter the handheld password, all information on the handheld is erased for security purposes.

By default, the handheld password feature is not enabled. The handheld password can be enabled at the device level by each user. Alternatively, your BlackBerry Enterprise Server administrator can edit the IT Policy for the BlackBerry Enterprise Server to require a handheld password for some or all users.

Security time-out settings define how long a handheld device must be inactive before a user is required to enter the handheld password. These settings can also be configured at the device level by individual users, or by modifying the IT Policy on the BlackBerry Enterprise Server for some or all users.

For extra security, it is recommended that you enable the BlackBerry smartphone password for all Mobile Admin users.

For more information about how to enable the handheld password and to configure the security time-out, please refer to the user documentation for your BlackBerry smartphone.

Device-level passwords for Apple iOS and Android devices

By default, device-level passwords are not usually enabled, and must be enabled at the device level by each user.

For extra security, it is recommended that all Mobile Admin users enable the device-level password.

For more information about how to enable the device-level password for your device, please refer to the user documentation that was provided with your device.
RSA SecurID and RADIUS authentication

Mobile Admin also supports the option of using RSA SecurID authentication, and has been officially approved as an RSA-Certified application. RSA SecurID provides “two factor” authentication, which requires a user to enter a combination of a secret personal identification number (PIN) and a code from a SecurID token. The token generates a new, unpredictable code every 60 seconds. These PIN and code combinations are synchronized with the RSA Authentication Manager, which is installed on your network and controls access to RSA-protected applications and devices.

If you choose to use RSA SecurID authentication with Mobile Admin, users will have to enter their PIN and token code before they can log in to Mobile Admin.

For more information about using RSA SecurID authentication, please see www.rsasecurity.com.

Mobile Admin also supports RADIUS authentication, which means that Mobile Admin can act as a RADIUS client or RADIUS device for whatever type of RADIUS server and authentication system you are using, such as SafeWord.
Credential and Information Logging in Mobile Admin

Client (Mobile User)

If a login to the network is required, the user is prompted for authentication information. This authentication information takes the form of:
• (optionally) RADIUS or RSA SecurID 2-factor authentication
• (optionally) device-level authentication
• (required) Windows credentials

If the authentication is successful, the server passes back a token to the client that is required in subsequent transactions between the client and server. This token is not stored on the mobile device between sessions.

The sessions can be configured from the server – the server can be configured to ensure that the token expires after a period of time. The default token length is 10 minutes.

When overriding credentials are used for individual managed servers, this information is sent directly to the Mobile Admin server (within your data center) and stored securely on it. This information is not used in a token, nor is it stored on the mobile device in any way.

As well, on all mobile platforms, any state information stored by the Mobile Admin client is stored in common persistent storage areas – if a device for any reason becomes compromised, wiping the device will remove all of this state information. The only state information stored persistently is configuration and preference information – not credentials.
Server

During the authentication process, once the server securely receives the credentials, they are passed on to the relevant subsystems for validation.

The server stores two types of data:
• Configuration data (user and server preferences, Mobile Admin policy information, etc.)
• Server characteristics (port settings, etc.)

Any sensitive data related to credentials (usernames and passwords) is encrypted using Triple-DES encryption before being placed in a SQLite back-end that is embedded in the Mobile Admin server. Strong key management is handled by the OS and .NET APIs, not Mobile Admin. Users on the Mobile Admin server that have file access rights to the Mobile Admin installation folder can access the back-end data. This data is extremely well protected, as long as routine and prudent measures are taken to secure the Mobile Admin server from unauthorized entry (as with any other server host).
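The paragraph above makes the protection of the stored credentials conditional on who has file access to the installation folder, so that access list is the thing to audit. The PowerShell script below is an added example, not part of the Mobile Admin product: it enumerates every identity granted read access on the installation folder, including rights inherited from `C:\Program Files`, and flags anything outside an expected allow-list. The folder path and the expected identities (in particular the name of the service account the Mobile Admin server runs as) are placeholders to adjust for your installation.

```powershell
# Added example, not part of the Rove whitepaper: audit which identities can read
# the Mobile Admin installation folder that holds the SQLite back-end.
param(
    [string]$InstallFolder = 'C:\Program Files\Rove\Mobile Admin',   # placeholder path
    [string[]]$ExpectedIdentities = @(                                # placeholders
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators',
        'NT SERVICE\MobileAdmin'                                      # placeholder service identity
    )
)

function Test-GrantsRead {
    param([System.Security.AccessControl.FileSystemRights]$Rights)
    $value = [int]$Rights
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    # Inherited ACEs are often expressed with generic bits: GENERIC_ALL (0x10000000)
    # is positive, GENERIC_READ (0x80000000) makes the Int32 negative.
    return (($value -band $readData) -ne 0) -or (($value -band 0x10000000) -ne 0) -or ($value -lt 0)
}

function Get-FolderReaders {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-GrantsRead $_.FileSystemRights) } |
        ForEach-Object {
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
            }
        }
}

function Find-UnexpectedReaders {
    param([string]$Path, [string[]]$Expected)
    Get-FolderReaders -Path $Path | Where-Object { $Expected -notcontains $_.Identity }
}

$readers = Get-FolderReaders -Path $InstallFolder
$readers | Format-Table -AutoSize

$unexpected = Find-UnexpectedReaders -Path $InstallFolder -Expected $ExpectedIdentities
if ($unexpected) {
    $names = ($unexpected.Identity | Sort-Object -Unique) -join ', '
    Write-Warning "Read access to the back-end folder beyond the expected set: $names"
    if ($unexpected | Where-Object { $_.Inherited }) {
        Write-Warning "Some entries are inherited from the parent folder; disable inheritance on '$InstallFolder' and re-grant only the expected identities."
    }
} else {
    Write-Host "Only the expected identities can read '$InstallFolder'."
}
```

A common finding on a default Windows install is an inherited `BUILTIN\Users` read entry, which the document's own statement ("users that have file access rights to the installation folder can access the back-end data") makes worth removing; interactive logon to the server should also be restricted to administrators, since that is the other half of the "routine and prudent measures" the paragraph relies on.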
Audit and Debug Logging

There are two categories of information stored by the Mobile Admin server:
• Audit Logs
• Debug Logs

Audit log information is maintained inside the database, but this information does not contain any identifying data other than the user login name that performed the action. This information is kept indefinitely to satisfy compliance and regulation-related requirements of our users. It can be browsed and searched from within the administration interface of the Mobile Admin server.
Debugging and diagnostic information is stored on the server in a text file in the Mobile Admin directory – by default, the server only logs for debugging purposes information related to server activity and events. This information can be configured to be more detailed, but this is usually only done to diagnose a support issue. Great care and testing have taken place to ensure no sensitive information enters debug logs. These logs are not rotated or deleted unless the user removes them manually.
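Because the debug logs grow until someone removes them, an operator usually wants that removal to happen on a schedule rather than by hand. The PowerShell script below is an added example, not part of Mobile Admin: it compresses debug log files that have not been written to for a configurable number of days into a dated archive, deletes the originals only once the archive exists, and prunes archives beyond a retention period. It touches only the text log files; the audit data, which the document says lives in the database and is kept indefinitely, is deliberately out of scope. The log folder, file pattern, and archive location are placeholders.

```powershell
# Added example, not part of the Rove whitepaper: scheduled rotation of the
# Mobile Admin debug log files, which the product itself never rotates.
param(
    [string]$LogFolder      = 'C:\Program Files\Rove\Mobile Admin\Logs',  # placeholder
    [string]$LogPattern     = '*.log',                                     # placeholder
    [string]$ArchiveFolder  = 'D:\MobileAdminLogArchive',                  # placeholder
    [int]$RotateAfterDays   = 7,
    [int]$RetainArchiveDays = 365
)

function Invoke-DebugLogRotation {
    param(
        [string]$Source, [string]$Pattern, [string]$Destination,
        [int]$RotateDays, [int]$RetainDays
    )
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $cutoff = (Get-Date).AddDays(-$RotateDays)

    # Only files that have gone quiet; the log the server is currently writing stays put.
    $stale = Get-ChildItem -Path $Source -Filter $Pattern -File |
        Where-Object { $_.LastWriteTime -lt $cutoff }

    $result = [ordered]@{ Archived = 0; Archive = $null; PrunedArchives = 0 }
    if ($stale) {
        $zip = Join-Path $Destination ("mobileadmin-debug-{0:yyyyMMdd-HHmmss}.zip" -f (Get-Date))
        Compress-Archive -Path $stale.FullName -DestinationPath $zip
        # Delete originals only after the archive was actually written.
        if (Test-Path -Path $zip) {
            $stale | Remove-Item -Force
            $result.Archived = $stale.Count
            $result.Archive  = $zip
        }
    }

    # Prune archives older than the retention period.
    $expired = Get-ChildItem -Path $Destination -Filter 'mobileadmin-debug-*.zip' -File |
        Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$RetainDays) }
    if ($expired) {
        $expired | Remove-Item -Force
        $result.PrunedArchives = $expired.Count
    }
    [pscustomobject]$result
}

Invoke-DebugLogRotation -Source $LogFolder -Pattern $LogPattern -Destination $ArchiveFolder `
    -RotateDays $RotateAfterDays -RetainDays $RetainArchiveDays
```

Register it as a daily scheduled task running as an account with write access to both folders (for example with `Register-ScheduledTask`), and keep the archive folder on a volume with its own ACL, since a verbose debug log enabled during a support case may carry more operational detail than the default level.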