Securing Android For the Enterprise
Orome1 writes "While many companies use IPsec for secure remote access to their networks, no integrated IPsec VPN client is available on Android. Apple has already fixed this shortcoming in iOS, in part because it wanted to make the iPhone attractive for businesses. The Android operating system doesn't just lack an integrated IPsec VPN client, it also makes installing and configuring third-party VPN software quite complicated. IPsec VPN clients have to be integrated into the kernel of each device, and the client software has to be installed specifically for a memory area. This means that the firmware of each Android smartphone or tablet has to be modified accordingly. Until a 'real' IPsec VPN client is available, Android users can use their devices' integrated VPN clients based on PPTP or L2TP, which is deployed over IPsec. A 'real' IPsec VPN connection, however, is more secure because it encrypts data prior to authentication."
I really thought this article was going to be about Data.
Android needs some sort of remote wipe software to make it even remotely feasible for most businesses. For example, the government requires remote wipe, and some sort of encryption. Until Android has a solution for these two, the VPN-less capability is moot.
SSH is all you'll ever fucking need. You can do anything you need over SSH, including a true VPN or just VPN-like functionality. And it's as secure as it gets.
I manage all of my servers from my android devices, and have done so for a long time. What the hell is this guy complaining about?
Regarding the guy talking about the remote wipe ... well, that's a stupid concept. A lost/stolen phone usually doesn't have network access, and even if you do it as a dead man's switch, it's not really secure. Just encrypt whatever important data you have on your device, or even better, just keep it in the cloud and access it from anywhere. All you have to do is wipe your cache regularly.
WTF am I doing replying to an AC at 5 A.M. on a Friday night?
Use OpenSSH. You can tunnel TCP over SSH; it works very nicely on iPhones and Nokia N900s. I've not tested it on Android, but it should work.
The very last thing anyone should be doing is bridging their networks to a mobile phone.
I thought the Enterprise's android was already secure. What gives?
"If no IPsec VPN is available, it is possible to set up a VPN connection based on the SSL protocol. In this case, the user accesses the corporate network via a mobile browser. When it comes to the encryption of the transmitted data, this process does not provide the same security level as an IPsec VPN. Therefore, it is recommended that SSL only be used if no IPsec VPN client is available. "
"Not the same level of security?" Really? I don't see why OpenVPN is any less secure than IPSec, and it's a hell of a lot easier to set up, will pass NAT without proprietary extensions, etc.
GET YER FACTS!
You're actually more misinformed now. Android does in fact have IPsec capabilities, as well as PPTP and L2TP. It's had this for a while. I don't know why no one's mentioned that the article is just plain wrong.
It does lack OpenVPN, though, which has been a bit of a thorn in my side - software exists to add this functionality, but so far they all require root privileges, as far as I know.
It must be one of those eps featuring his evil twin brother
"Proper" Cisco VPN support (i.e. with group usernames and passwords) was added in 4.0 (Ice-Cream Sandwich) and works very well indeed. Be aware that there appears to be a bug in 4.0.1 and 4.0.2 on the GSM Galaxy Nexus which causes it to reboot as soon as you pass data over a VPN connected via 3G... wifi works fine.
I'm running an AOSP (kang) 4.0.3 here and this has now been fixed. I believe the official 4.0.3 is just around the corner, so yey! This has been my top #1 feature request since Android day 1 and I bought the GN specifically because of it. Yey Glooge!
Daern
""Proper" Cisco VPN support (i.e. with group usernames and passwords) was added in 4.0 (Ice-Cream Sandwich) and works very well indeed. Be aware that there appears to be a bug in 4.0.1 and 4.0.2 on the GSM Galaxy Nexus which causes it to reboot as soon as you pass data over a VPN connected via 3G... wifi works fine."
You say "works very well." I don't think it means what you think it means.
"Android users can use their devices' integrated VPN clients based on PPTP or L2TP, which is deployed over IPsec."
What does this mean exactly?
I think they know exactly what it means ... the Galaxy Nexus is due to be updated to 4.0.3, in which ... it works very well. In .01 and .02 it has a 3G bug, but wifi works fine. So yes ... they knew what they were saying and said it. Friggin troll.
I am doing IPSec on my stock ICS phone right now.
My University doesn't support Android phones because there's no at-rest encryption (or at least they say there isn't -- I personally don't want one anyway and so haven't investigated).
I thought the same thing, I've been using the integrated L2TP client on my android phone, and it's only Froyo.
There *is* a stock IPSec (Cisco) client for Android, though it lacks a lot of functionality. Ice Cream Sandwich release addresses those failings. As for connecting to a non-Cisco IPSec device, well, that's a different kettle of fish of another color, if you will.
Settings / Wireless and Networks / VPN / Add VPN network.
You will find IPSec Xauth PSK, IPSec Xauth RSA, IPSec Hybrid RSA. Also PPTP and L2TP/IPSec PSK, L2TP/IPSec RSA choices.
This is in Ice Cream Sandwich. If you're still using Froyo why not wake up from the 16th century?
for this. customised and all, to operators or companies. if it's really enterprise, the enterprise should afford that anyways.
world was created 5 seconds before this post as it is.
The Android operating system doesn't just lack an integrated IPsec VPN client
someone should actually do some fact checking before posting these stories.
http://en.flossmanuals.net/basic-internet-security/ch050_vpn-on-android/
Anons need not reply. Questions end with a question mark.
We reviewed Android and iOS for a very large, very well known global company. After a lot of research Android was pretty much laughed out of the room. Any corporation that uses it for their issued device and has information to protect is not paying attention.
1. Android has next to nothing in the way of large scale management and configuration tools.
2. The OS itself is highly insecure allowing all sorts of application and OS interactions regardless of resource usage or malware possibilities.
3. Google rolled over for the carriers allowing them to modify Android phones with bloatware and in other ways that make them insecure, unreliable, and resource pigs.
4. Malware fest.
5. Corporations don't want the carriers or Google tracking their devices but Android allows this to an unprecedented degree. We don't allow company data to be stored in Google Apps and we don't allow our vendors to use it either for this very reason.
Android is just a mess of cobbled together code. It cannot be taken seriously in enterprise environments. Not surprising really, since that is not Google's aim. Android users and their activities are the product, not the devices themselves. Even the few Android fanboys on the team couldn't put up an argument for why it should be used when it so clearly violates many of our security standards for devices, OS, and apps.
iOS sailed right through and will be the new standard device since nobody wants Blackberries any more.
Exchange-based remote wipe support was added in Android 2.2. Encrypted storage and password policies were added in Android 3.0. Full-device encryption was added in Android 4.0, along with an API for third-party VPN solutions, and IPsec support for the built-in VPN client.
Why would anyone engrave "Elbereth"?
""Proper" Cisco VPN support (i.e. with group usernames and passwords) was added in 4.0 (Ice-Cream Sandwich) and works very well indeed. Be aware that there appears to be a bug in 4.0.1 and 4.0.2 on the GSM Galaxy Nexus which causes it to reboot as soon as you pass data over a VPN connected via 3G... wifi works fine."
You say "works very well." I don't think it means what you think it means.
To clarify: It works very well indeed, but in 4.0.1 and 4.0.2 it only works with WiFi. Apparently, the 4.0.2 LTE version works fine on both WiFi and cellular connections.
In 4.0.3 it works very well on both WiFi and 3G and is a monumentally excellent feature to be added :-)
a) Since when did "proper VPN" equal something that is "Cisco compatible"? I run IPsec/L2TP to my Juniper ScreenOS fw just fine. b) I don't think L2TP over IPsec is particularly insecure. L2TP authentication/setup is also secured by IPsec transport mode. The article says that the authentication is not protected, which is wrong, since the authentication occurs first by IPsec certificate or PSK and then by L2TP username/pw (which is protected by the IPsec SA). http://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol#L2TP.2FIPsec However, I would have preferred IPSec tunnel mode with XAUTH instead; the current ones do work.
IPSec was designed as an add-on for IPv6 back in the '90s and backported to IPv4. Unfortunately, it wasn't one of the well tested parts of the standard with many years of experience behind it; instead it was a recognition that encryption would become more important, and hopefully ubiquitous.
But nothing has happened. Instead of becoming the normal way to encrypt data across the internet, it's been sidelined to enterprise VPNs, where it does quite well because of the very long protocol documentation it has. This is perfect for breaking the finger pointing crap that is so common in that environment. For general use, encryption is still done at the application level.
I think the worst problem is the usual suspect: key distribution. There is no reasonable way of ensuring that the right key data gets to the right clients. Though I had hopes for DNSSEC...
But the problem here isn't that. The problem is the original expectation that ALL data would become encrypted. Because of this they inserted the encryption into the middle of the IP stack (a shim if you will) which sometimes converts TCP/IP packets into TCP/IPSec/IP packets without changing the IP addresses or routing or anything else. Because of this design decision the exact version/variant of the IPSec protocol HAS to exist in the kernel binary. You can't work around this.
Every other VPN solution does it the right way: actually creating a Virtual Private Network Adaptor for a Virtual Private Network Wire onto a Virtual Private Network. So you actually have a visible private network, and you can see the routing and you can enforce firewall rules (or reverse path rules). What's more, because of this every single one of them can easily be altered to work purely in userspace, repurposing whatever virtual adaptor may be available on the platform, be it PPP/SLIP/TAP or someone else's VPN adaptor. With this, the horrific complexity that is IPSec can be avoided, because you can run two versions of the VPN client on the same machine, preserving compatibility by keeping old (but patched) versions of the software rather than creating a rat's nest of compatibility hacks within the standard itself.
The end result: IPSec is avoided unless somebody "requires" this enterprisey solution AND will be paying for it.
Why is it that mobile devices get all this special treatment?
Or are all these large "enterprises" applying the same rules to corporate laptops that hold far more valuable data? Sure, some companies actually have policies for full disc encryption, but remote wipe? And some of the other policies that seem to be "required" for mobile devices to be accepted in the enterprise.
Fortunately more and more companies, including the Fortune 500 are accepting or even encouraging "bring your own device".
Yey Glooge!
Glooge?
http://slashdot.org/~bonch
yeah, it does... cyanogenmod 9 on my phone lists:
PPTP
L2TP/IPSec PSK
L2TP/IPSec RSA
IPSec Xauth PSK
IPSec Xauth RSA
IPSec Xauth Hybrid
And that's built off of the Ice Cream Sandwich (Android 4.0) source for a device that doesn't have ICS from the phone maker.. and not long after the AOSP Android source was released.
This article is out of date; the following IPsec VPN options are available on a Google Nexus Galaxy from Verizon running Android ICS (4.0):
IPsec XAUTH PSK
IPsec XAUTH RSA
IPSEC Hybrid RSA
Android 4.0 supports standard IPsec gateways as well as Cisco's proprietary Xauth -- and unlike Apple, the Android release does NOT require a company to go out and buy a new Cisco PIX running IOS 7.0 or higher like the Apple iPhone 4 does (the iPhone doesn't support the Xauth RSA profile). .. ahem, this oversight on the iPhone made it so our company chose NOT to reimburse employees for iPhones, since they can't be used for work -- so at least for our company, if employees want reimbursement for phones, they need to purchase a device that's compatible.
This little
While I'm ranting -- I figured I'd also say that I wish either vendor (Apple/Cisco) natively supported OpenVPN so I could kill off my IPSec VPN; I'd be thrilled, and the first vendor who does will receive the "recommended device" status for our employees.
IPSec is my last choice, not my first - it's not well suited for modern day deployments anyway, since it doesn't work through some NAT gateways (at many hotels), and it *never* works [by design] if two people on the same network are connecting to the same endpoint from behind the same NAT firewall (ex: two employees at the same coffee shop both trying to do their work.. or a husband and wife who both work for the same company trying to concurrently connect to their own home network)
As NAT becomes more and more common (aren't we out of IPv4 addresses?) IPsec will cede way to more flexible solutions like OpenVPN.
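The "two clients behind the same NAT" case from the post above, worked through as an added example (this is not code from the thread or from any of the products mentioned): a toy port-address-translation (PAT) table in Python. Plain ESP (IP protocol 50) carries no port numbers, so a port-keyed NAT can only map return traffic by the remote address, and a second client talking to the same gateway silently overwrites the first client's mapping. With UDP encapsulation (NAT-T, RFC 3948, UDP port 4500) each client gets its own translated source port and replies are demultiplexed correctly. Host names, addresses (RFC 5737 ranges) and SPIs are constructed; the NAT model is deliberately simplified and ignores the SPI-tracking "IPsec passthrough" some consumer routers offer.

```python
"""Toy model: why raw ESP collides behind a port-based NAT and NAT-T does not.

Constructed example; all addresses, names and SPI values are made up.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

ESP = 50            # IP protocol number for ESP: no transport header, no ports
UDP = 17
NAT_T_PORT = 4500   # RFC 3948 UDP encapsulation of ESP

GATEWAY = "203.0.113.10"                                   # constructed VPN gateway
CLIENTS = {"alice": "192.168.1.10", "bob": "192.168.1.11"}  # constructed inside hosts


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int] = None   # None when proto == ESP (no port field exists)
    dst_port: Optional[int] = None
    spi: int = 0                     # SPI of the ESP SA; the toy NAT never looks at it


class Pat:
    """Port-address translator that, like most hotel/home NATs, keys return
    traffic on transport ports.  For ESP the only usable key is the peer address."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 40000
        self.table: Dict[tuple, Tuple[str, Optional[int]]] = {}

    def to_internet(self, pkt: Packet) -> Packet:
        if pkt.src_port is None:
            # ESP: only the address can be rewritten, so the mapping is keyed on
            # (proto, peer); a second inside host to the same peer overwrites it.
            self.table[(pkt.proto, pkt.dst_ip)] = (pkt.src_ip, None)
            return replace(pkt, src_ip=self.public_ip)
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)

    def from_internet(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_port is None:
            entry = self.table.get((pkt.proto, pkt.src_ip))
        else:
            entry = self.table.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None                      # no mapping: the NAT drops the packet
        inside_ip, inside_port = entry
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


def simulate(nat_t: bool) -> Dict[str, Optional[str]]:
    """Both clients send one ESP (or NAT-T) packet to the gateway, then the gateway
    answers each SA.  Returns, per client, which inside host actually received the
    reply meant for it (None if the NAT dropped it)."""
    nat = Pat("198.51.100.7")                # constructed public address of the NAT
    gateway_view: Dict[int, Tuple[str, Optional[int]]] = {}  # SPI -> (ip, port) to answer

    for i, (name, ip) in enumerate(CLIENTS.items()):
        spi = 0x1000 + i
        if nat_t:
            pkt = Packet(ip, GATEWAY, UDP, NAT_T_PORT, NAT_T_PORT, spi=spi)
        else:
            pkt = Packet(ip, GATEWAY, ESP, spi=spi)
        seen = nat.to_internet(pkt)
        gateway_view[spi] = (seen.src_ip, seen.src_port)

    delivered: Dict[str, Optional[str]] = {}
    for i, name in enumerate(CLIENTS):
        spi = 0x1000 + i
        pub_ip, pub_port = gateway_view[spi]
        if nat_t:
            reply = Packet(GATEWAY, pub_ip, UDP, NAT_T_PORT, pub_port, spi=spi)
        else:
            reply = Packet(GATEWAY, pub_ip, ESP, spi=spi)
        inside = nat.from_internet(reply)
        receiver = None
        if inside is not None:
            receiver = next((n for n, ip in CLIENTS.items() if ip == inside.dst_ip), None)
        delivered[name] = receiver
    return delivered


if __name__ == "__main__":
    print("raw ESP :", simulate(nat_t=False))   # alice's reply lands on bob
    print("NAT-T   :", simulate(nat_t=True))    # each reply reaches its own client
```

The only thing distinguishing the two raw-ESP flows on the wire is the SPI, which a port-based translator does not parse; wrapping ESP in UDP gives the NAT a per-client port to key on, which is exactly why the L2TP/IPsec and Xauth clients on the phone should be left with NAT-T enabled (most do this by default once they detect a NAT during IKE).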
Can you get it in BSD?
The original poster thinks that IPsec is more secure, but has he ever seen a case of another VPN's encryption being cracked? The answer is no. All data does not need to be encrypted. If either end of the VPN connection does not have the correct key, the game is up. IPsec is less convenient and only provides additional security to an already uncrackable system.
Since the release of ICS, users are able to roll out their custom VPN solutions. I bet OpenVPN is in the works.
http://developer.android.com/reference/android/net/VpnService.html
This is false; since Android 4.0 there is an API to add new VPN clients without the need to build kernel modules.
Enhancements for Enterprise
VPN client API
Developers can now build or extend their own VPN solutions on the platform using a new VPN API and underlying secure credential storage. With user permission, applications can configure addresses and routing rules, process outgoing and incoming packets, and establish secure tunnels to a remote server. Enterprises can also take advantage of a standard VPN client built into the platform that provides access to L2TP and IPSec protocols.
In Windows 7, you can't force all internet traffic to go through the VPN, so if the VPN fails to connect, it sends the traffic over the regular internet connection.
It's garbage.
Out of date and biased. Would prefer more technical details as well - seems very generic in certain areas. Boo.
Assuming that you can root your device and your device is supported, you can install CyanogenMod, which supports OpenVPN.
If it was simply nonfunctional in 3G, you'd have some justification for this statement. Something that *crashes the whole phone* when you try to use it in 3G cannot, under any standards, be said to "work very well."
It's open source, can port forward, can use pubkey auth (shared key auth) and doesn't require you to "modify" kernels or root the device.
http://code.google.com/p/connectbot/
Join the Slashcott! Feb 10 thru Feb 17!
it was never secure to begin with!!!
put that on the BOX COVER!!!
In preliminary testing, we've been able to get some Android devices connected using Juniper VPN. It does appear there are some variations depending on device and version of Android that is running, but in most cases things do appear to work well. The only issue some of the power users have is that the Pulse client needs to have fairly significant access to the device to install correctly...
"There *IS* no patch for stupidity" -www.sqlsecurity.com
Bingo. CyanogenMod provides all sorts of additional features to make Android attractive to business. OpenVPN tunneling, IPSec, L2TP, PPTP, SIP, full ActiveSync support (including client certificates), and more.
Besides, you're probably buying high-end phones from your execs, and cheap phones for the rest of your employees. Galaxy S II and Samsung Captivate respectively from AT&T, for example, fit both roles, and have CM support.
I use ssh via connectbot with port forwarding and connect to whatever I want through that. There are plenty of file managers, email aps, and remote desktop aps etc available, all you have to do is configure the server.
It lacks CISCO IPSEC support, which is what many, if not most, businesses use for their VPNs. It does support AnyConnect, though, and has supported conventional IPSEC for quite some time now.
AJ Henderson
MS does get it, and once they get WP7 fully working, it's going to be on most of the corporate phones, as it'll include an Exchange client, remote wipe, and can be locked down by an Active Directory server tighter than a BlackBerry. Simply put, Apple and Google don't get the corporate culture, and that's what keeps MS alive.
Mod me up/Mod me down: I won't frown as I've no crown
I'll need a screwdriver, a pair of pliers, a one gallon (US) bucket of epoxy, a roll of duct tape, two ice picks, a bottle of rubbing alcohol, a copy of Grey's Anatomy (the book, not the TV show), one hundred sixty feet of sterile gauze, a dentist's chair (or a barber's chair in a pinch), and two round-trip tickets to a country favorable to unlicensed medical procedures.
If you want me to secure an entire enterprise infrastructure I will need more.
/bounces with excitement
ah, fuckit, never mind.
Spellcheck over IPSEC.
I wouldn't be surprised if compatibility to CISCO IPSEC manifested magically relatively soon. Either on the client or server side.
But this is just a guess based on the fact that Cisco has a new IP Phone/Tablet with Android on it. Especially since they even mention the word 'Android' in their specifications, their enterprise customers might want to know why their 'Android' phones don't work.
Very true. If you run CyanogenMod, you've got openvpn as well.
If you use SonicWALL firewalls then check out NetExtender which they call a "layer 3 VPN client". I use it all of the time to connect to my work desktop from home on my ASUS Transformer and it works perfectly. They also have a version specifically for their SonicWALL Aventail SRA E-Class SSL VPN Appliances.
Nevermore.
Yey Glooge!
Glooge?
Yes, Glooge.
Glad to have cleared that up.
Wondering if anyone has had the 'pleasure' of installing GOODLINK on the iPhone 4 or ANY Android based mobile??
Alan L
levine.ag@gmail.com