Slashdot Mirror
Securing Android For the Enterprise
Orome1 writes "While many companies use IPsec for secure remote access to their networks, no integrated IPsec VPN client is available on Android. Apple has already fixed this shortcoming in iOS, in part, because it wanted make the iPhone attractive for businesses. The Android operating system doesn't just lack an integrated IPsec VPN client, it also makes installing and configuring third-party VPN software quite complicated. IPsec VPN clients have to be integrated into the kernel of each device, and the client software has to be installed specifically for a memory area. This means that the firmware of each Android smartphone or tablet has to be modified accordingly. Until a 'real' IPsec VPN client is available, Android users can use their devices' integrated VPN clients based on PPTP or L2TP, which is deployed over IPsec. A 'real' IPsec VPN connection, however, is more secure because it encrypts data prior to authentication."
I really thought this article was going to be about Data.
Android needs some sort of remote wipe software to make it even remotely feasible for most businesses. For example, the government requires remote wipe, and some sort of encryption. Until Android has a solution for these two, the VPN-less capability is moot.
SSH is all you'll ever fucking need. You can do anything you need over SSH, including a true VPN or just VPN-like functionality. And it's as secure as it gets.
I manage all of my servers from my android devices, and have done so for a long time. What the hell is this guy complaining about?
Regarding the guy talking about the remote wipe ... well, that's a stupid concept. A lost/stolen phone usually doesn't have network access, and even if you do it as a deads man switch, it's not really secure. Just encrypt whatever important data you have on your device, or even better, just keep it in the cloud and access it from anywhere. All you have to do is wipe your cache regularly.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
Use OpenSSH. You can tunnel TCP over SSH, it works very nicely on iphones and nokia n900's. I've not tested it on android but It should work.
The very last thing anyone should be doing is bridging their networks to a mobile phone.
You're actually more misinformed now. Android does in fact have IPsec capabilities, as well as PPTP and L2TP. Its had this for a while. I don't know why no one's not mentioned that the article is just plain wrong.
It does lack OpenVPN, though, which has been a bit of a thorn in my side - software exists to add this functionality, but so far they all require root privileges, as far as I know.
It must be one of those eps featuring his evil twin brother
Can OpenVPN be installed without rooting the phone and therefore voiding the device's warrant and your provider's support?
"Proper" Cisco VPN support (i.e. with group usernames and passwords) was added in 4.0 (Ice-Cream Sandwich) and works very well indeed. Be aware that there appears to be a bug in 4.0.1 and 4.0.2 on the GSM Galaxy Nexus which cause it to reboot as soon as you pass data over a VPN, connected via 3G...wifi works fine.
I'm running an AOSP (kang) 4.0.3 here and this has now been fixed. I believe the official 4.0.3 is just around the corner, so yey! This has been my top #1 feature request since Android day 1 and I bought the GN specifically because of it. Yey Glooge!
Daern
""Proper" Cisco VPN support (i.e. with group usernames and passwords) was added in 4.0 (Ice-Cream Sandwich) and works very well indeed. Be aware that there appears to be a bug in 4.0.1 and 4.0.2 on the GSM Galaxy Nexus which cause it to reboot as soon as you pass data over a VPN, connected via 3G...wifi works fine."
You say "works very well." I don't think it means what you think it means.
His security history isn't perfect:
Stardate: 42437.5 ''Data is possessed by the consciousness of a brilliant scientist. However, it has a disturbing impact on Data's personality.
Stardate: 45571.2 "Data, O'Brien, and the chick in the low cut top are possessed by aliens from a prison planet and run around trying to free all the other prisoner aliens."
I think they know exactly what it means ... the Galaxy Nexus is due to be updated to 4.0.3 in which ... it works very well. IN .01 and .02 it has a 3G but wifi works fine. So yes ... they knew what they were saying and said it. Friggin troll.
I am doing IPSec on my stock ICS phone right now.
My University doesn't support Android phones because there's no at-rest encryption (or at least they say there isn't -- I personally don't want one anyway and so haven't investigated).
I thought the same thing, I've been using the integrated L2TP client on my android phone, and it's only Froyo.
There *is* a stock IPSec (Cisco) client for Android, though it lacks a lot of functionality. Ice Cream Sandwich release addresses those failings. As for connecting to a non-Cisco IPSec device, well, that's a different kettle of fish of another color, if you will.
for this. customised and all, to operators or companies. if it's really enterprise, the enterprise should afford that anyways.
world was created 5 seconds before this post as it is.
The Android operating system doesn't just lack an integrated IPsec VPN client
someone should actually do come fact checking before posting these stories.
http://en.flossmanuals.net/basic-internet-security/ch050_vpn-on-android/
Anons need not reply. Questions end with a question mark.
We reviewed Android and iOS for a very large, very well known global company. After a lot of research Android was pretty much laughed out of the room. Any corporation that uses it for their issued device and has information to protect is not paying attention.
1. Android has next to nothing in the way of large scale management and configuration tools.
2. The OS itself is highly insecure allowing all sorts of application and OS interactions regardless of resource usage or malware possibilities.
3. Google rolled over for the carriers allowing them to modify Android phones with bloatware and in other ways that make them insecure, unreliable, and resource pigs.
4. Malware fest.
5. Corporations don't want the carriers or Google tracking their devices but Android allows this to an unprecedented degree. We don't allow company data to be stored in Google Apps and we don't allow our vendors to use it either for this very reason.
Android is just a mess of cobbled together code. It cannot be taken seriously in enterprise environments. Not surprising really since that is not Googles aim. Android users and their activities are the product no the devices themselves. Even the few Android fanboys on the team couldn't put up an argument for why it should be used when it so clearly violates many of our security standards for devices, OS, and apps.
iOS sailed right through and will be a new standard devices since nobody wants Blackberries any more.
Exchange-based remote wipe support was added in Android 2.2. Encrypted storage and password policies were added in Android 3.0. Full-device encryption was added in Android 4.0, along with an API for third-party VPN solutions, and IPsec support for the built-in VPN client.
Why would anyone engrave "Elbereth"?
""Proper" Cisco VPN support (i.e. with group usernames and passwords) was added in 4.0 (Ice-Cream Sandwich) and works very well indeed. Be aware that there appears to be a bug in 4.0.1 and 4.0.2 on the GSM Galaxy Nexus which cause it to reboot as soon as you pass data over a VPN, connected via 3G...wifi works fine."
You say "works very well." I don't think it means what you think it means.
To clarify: It works very well indeed, but in 4.0.1 and 4.0.2 it only works with WiFi. Apparently, the 4.0.2 LTE version works fine on both WiFi and cellular connections.
In 4.0.3 it works very well on both WiFi and 3G and is a monumentally excellent feature to be added :-)
It means the author of the article is confused. PPTP and L2TP and other VPN protocols can go over IPsec or they can go direct and use their own encryption. The author seems to be upset that Android doesn't use IPsec. If he knew me, he'd be upset with me, too, because I don't use IPsec, either ... anymore.
now we need to go OSS in diesel cars
a) Since when did "proper vpn" equal somethings that is "Cisco compatible"? I run IPsec/L2TP to my Juniper ScreenOS fw just fine b) I don't think L2TP over IPsec is particulary insecure. L2TP authentication/setup is also secured by IPsec transport mode. The article says that the authentication is not protected, which is wrong, since the authentication occurs first by IPsec Certificate or PSK and then by L2TP username/pw (which is protected by IPsec SA). http://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol#L2TP.2FIPsec However, I would have prefered IPSec tunnel mode with XAUTH instead, the current do work.
IPSec was designed as an add-on for IPv6 back in the '90's and backported to IPv4. Unfortunately, it wasn't one of the well tested parts of the standard with many years of experience behind it, instead it was a recognition than encryption would become more important, and hopefully ubiquitous.
But nothing has happened. Instead of becoming the normal way to encrypt data across the internet it's been sidelined to enterprise VPNs were it does quite well because of the very long protocol documentation it has. This is perfect for breaking the finger pointing crap that is so common in that environment. For general use encryption is still done at the application level.
I think the worst problem is the usual suspect: key distribution. There is no reasonable way of ensuring that the right key data gets to the right clients. Though I had hopes for DNSSEC...
But the problem here isn't that. The problem is the original expectation that ALL data would become encrypted. Because of this they inserted the encryption into the middle of the IP stack (a shim if you will) which sometimes converts TCP/IP packets into TCP/IPSec/IP packets without changing the IP addresses or routing or anything else. Because of this design decision the exact version/variant of the IPSec protocol HAS to exist in the kernel binary. You can't work around this.
Every other VPN solution does it the right way. Actually creating a Virtual Private Network Adaptor for a Virtual Private Network Wire onto a Virtual Private Network. So you actually have a visible private network and you can see the routing and you can enforce firewall rules (or reverse path rules). What's more because of this every single one of them can easily be altered to work purely in userspace repurposing whatever virtual adaptor may be available on the platform be it PPP/SLIP/TAP or someone else's VPN adaptor. With this the horrific complexity that is IPSec can be avoided because you can run two versions of the VPN client on the same machine preserving compatibility by keeping old (put patched) versions of the software rather than creating a rats nest of compatibility hacks within the standard itself.
The end result, IPSec is avoided unless somebody "requires" this enterprisey solution AND will be paying for it.
I'm looking for an Android phone. None have Ice Cream Sandwich from the vendor. So I would need to upgrade (probably should, anyway). Which download should I use to do so since the vendor would not have it?
now we need to go OSS in diesel cars
yeah, it does... cyanogenmod 9 on my phone lists:
PPTP
L2TP/IPSec PSK
L2TP/IPSec RSA
IPSec Xauth PSK
IPSec Xauth RSA
IPSec Xauth Hybrid
And that's build off of the ice cream sandwich (android 4.0) source for a device that doesn't have ICS from the phone maker.. and not long after the AOSP android source was released.
Nexus S sure does via the OEM.
Many others are receiving updates to ICS.
Those "not supported" such as my Galaxy S have 3rd party options (I'm running CyanogenMod 9 build 12 made from AOSP with some stuff pulled/added in from the Nexus S (camera app/driver though I believe that's changed)
This article is out of date the following IPsec VPN options are available on a Google Nexus Galaxy from Verizon running Android ICS (4.0)
IPsec XAUTH PSK
IPsec XAUTH RSA
IPSEC Hybrid RSA
Android 4.0 supports standard IP sec gateways as well as Cisco's proprietary Xauth -- and unlike apple the android release does NOT require a company go out and buy a new Cisco Pix running IOS 7.0 or higher like the Apple iPhone 4 does (Iphone doesn't support xauth rsa profile). .. ahem, oversight on the iPhone made it so our company chose NOT to reimburse employees for iPhones since they can't be used for work -- so at least for our company if employees want reimbursement for phones, they need to purchase a device that's compatible.
This little
While I'm ranting-- I figured I'd also say that I wish either vendor apple/cisco natively supported OpenVPN so I could kill off my IPSec VPN I'd be thrilled, and the first vendor who does will receive the "recommended device" status for our employees.
IPSec is my last choice, not my first - it's not well suited for modern day deployments anyway since it doesn't work through some NAT gateways (at many hotels), and it *never* works [by design] if two people on the same network are connecting to the same endpoint from behind the same nat firewall (ex: two employees at the same coffee shop both trying to do their work.. or a husband wife who both work for the same company trying to concurrently connect to their own home network)
As NAT becomes more and more common (aren't we out of IPv4 addresses?) IPsec will cede way to more flexible solutions like OpenVPN.
The original poster thinks that IPsec is more secure, but has he ever seen case of other VPN's encryption being cracked? The answer is no. All data does not need to be encrypted. If either end of the VPN connection does not have the correct key the game is up. IPsec is less convenient and only provides additional security to an already uncrackable system.
Since the release of ICS, users are able to roll-out their custom VPN solutions. I bet OpenVPN is in the works.
http://developer.android.com/reference/android/net/VpnService.html
Soon it will be. At leas ICS already provides custom VPN solution SPI.
This is false, since Android 4.0 there is an API to add new VPN clients without need to build kernel modules
Enhancements for Enterprise
VPN client API
Developers can now build or extend their own VPN solutions on the platform using a new VPN API and underlying secure credential storage. With user permission, applications can configure addresses and routing rules, process outgoing and incoming packets, and establish secure tunnels to a remote server. Enterprises can also take advantage of a standard VPNclientbuilt into the platform that provides access to L2TP and IPSec protocols.
Out of date and biased. Would prefer more technical details as well - seems very generic in certain areas. Boo.
It's open source, can port forward, can use pubkey auth (shared key auth) and doesn't require you to "modify" kernels or root the device.
http://code.google.com/p/connectbot/
Join the Slashcott! Feb 10 thru Feb 17!
In preliminary testing, we've been able to get some Android devices connected using Juniper VPN. It does appear there are some variations depending on device and version of Android that is running, but in most cases things do appear to work well. The only issue some of the power users have is that the Pulse client needs to have fairly significant access to the device to install correctly...
"There *IS* no patch for stupidity" -www.sqlsecurity.com
And don't forget the episode where we found out his creator left a backdoor in both of his androids, forcing them to go to him at will regardless of the consequences.
End of lesson. You may press the button.
It lacks CISCO IPSEC support, which is what many, if not most, businesses use for their VPNs. It does support AnyConnect and it supports conventional IPSEC for quite some time now though.
AJ Henderson
MS does get it and once they get WP7 fully working, it's going to be on most of the corporate phones as it'll include an Exchange Client, Remote Wipe, Can be locked down by an Active Directory Server tighter then a Black Berry. Simply put, Apple and Google don't get the corporate culture and that's what keeps MS alive.
Mod me up/Mod me down: I wont frown as I've no crown
/bounces with excitement
ah, fuckit, never mind.
I'll need a screwdriver, a pliers, a one gallon (US) bucket of epoxy, a roll of duct tape, two ice picks, a bottle of rubbing alcohol, a copy of Grey's Anatomy (the book, not the TV show), one hundred sixty feet of sterile gauze, a dentist's chair (or a barber's chair in a pinch), and two round-trip tickets to a country favorable to unlicensed medical procedures.
If you want me to secure an entire enterprise infrastructure I will need more.
Way to fail, n00b. You forgot the WD-40.
Don't do that again.
Faster! Faster! Faster would be better!
Oh, maybe that's what you meant when you need more stuff for Enterprise things.
Sorry, my bad.
Faster! Faster! Faster would be better!
Spellcheck over IPSEC.
If you use SonicWALL firewalls then check out NetExtender which they call a "layer 3 VPN client". I use it all of the time to connect to my work desktop from home on my ASUS Transformer and it works perfectly. They also have a version specifically for their SonicWALL Aventail SRA E-Class SSL VPN Appliances.
Nevermore.
Yey Glooge!
Glooge?
Yes, Glooge.
Glad to have cleared that up.
None? For example there's Samsung Galaxy Nexus which has ICS.
Or you can get a Samsung Nexus S. It comes with Gingerbread. Then check the Android mailing lists for the update zip URL (or google it up, it was some google.com address). Download the .zip. Put it to your phone SD card as update.zip, boot into recovery mode (volumeup+power). Select to upgrade the update.zip. Let it upgrade the system. Done.
As a bonus all your data will be there, if you didn't wipe it.
I don't have a smart phone, yet (so no data to save). I have started looking around. But I'm only looking at unlocked phones because that's the only acceptable way. I won't be signing up with any provider term plan. I know most can do month to month to start (a friend of mine works as a rep for one of them and says they are not allow to offer M2M but should sign up whoever asks for it). I only want SIM-compatible phones, so Verizon is off the radar.
You know where to order one of these phones online, unlocked, w/o a provider plan?
now we need to go OSS in diesel cars
And don't forget the episode where we found out his creator left a backdoor in both of his androids, forcing them to go to him at will regardless of the consequences.
Wow! Data IS fully functional and programmed in a number of techniques!