Slashdot Mirror

← Back to Stories (view on slashdot.org)

Securing Android For the Enterprise

Posted by Soulskill on from the lcars-cream-sandwich dept.

Orome1 writes "While many companies use IPsec for secure remote access to their networks, no integrated IPsec VPN client is available on Android. Apple has already fixed this shortcoming in iOS, in part, because it wanted make the iPhone attractive for businesses. The Android operating system doesn't just lack an integrated IPsec VPN client, it also makes installing and configuring third-party VPN software quite complicated. IPsec VPN clients have to be integrated into the kernel of each device, and the client software has to be installed specifically for a memory area. This means that the firmware of each Android smartphone or tablet has to be modified accordingly. Until a 'real' IPsec VPN client is available, Android users can use their devices' integrated VPN clients based on PPTP or L2TP, which is deployed over IPsec. A 'real' IPsec VPN connection, however, is more secure because it encrypts data prior to authentication."

34 of 136 comments (clear)

  1. Oh by deep9x · · Score: 5, Funny

    I really thought this article was going to be about Data.

    1. Re:Oh by 93+Escort+Wagon · · Score: 4, Funny

      I really thought this article was going to be about Data.

      I thought even the PHB types had given up ending sentencies with 'for the Enterprise'.

      I thought... WHOOSH!

      Would you have gotten the joke if he'd used "Lore" instead of "Data"?

      --
      #DeleteChrome
    2. Re:Oh by dotancohen · · Score: 3, Insightful

      I got the joke so go employ that dumb WHOOSH meme elsewhere, or better not at all.

      I mearly commented that the use of the phrase 'for the Enterprise' is stupid for reasons other than star trek references.

      You mean that you replies to the top-most thread with an off-topic post instead of starting a new thread so that your post would show up at the top of the page?

      --
      It is dangerous to be right when the government is wrong.
  2. It's not just about the VPN aspect by geekylinuxkid · · Score: 5, Insightful

    Android needs some sort of remote wipe software to make it even remotely feasible for most businesses. For example, the government requires remote wipe, and some sort of encryption. Until Android has a solution for these two, the VPN-less capability is moot.

    1. Re:It's not just about the VPN aspect by afidel · · Score: 5, Informative

      There are MDM's that provide those capabilities, heck just hook most Android phones up to any ActiveSync compatible server or service and you get basic remote wipe. If it weren't for the fact that we provide Citrix for remote access the limitations on getting most Android devices working with ASA would have been a serious redmark against adoption, but as it stands the huge number of usability problems we ran into trumped everything else. Android is great as a geek OS, and fairly good for a consumer OS (my wife likes her Optimus V just fine), but the persistent issues like WiFi clients that randomly failed to work or the email clients that just stopped receiving email from the Exchange server and required a device wipe and resync to reestablish communications to the weird certificate errors we would get all made it so we were not going to foist it as a platform on our users. We offered them iOS or Blackberry and 2/3rds chose to stay on Blackberry for the superior core email capabilities. Personally I'm still on my Android test device because for me the small nagging flaws are outweighed by a physical keyboard (big plus over an iphone) and huge selection of applications and a decent browser (big win over Blackberry).

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:It's not just about the VPN aspect by BulletMagnet · · Score: 3, Informative

      Android needs some sort of remote wipe software to make it even remotely feasible for most businesses. For example, the government requires remote wipe, and some sort of encryption. Until Android has a solution for these two, the VPN-less capability is moot.

      Like this?

    3. Re:It's not just about the VPN aspect by Anonymous Coward · · Score: 5, Informative

      Remote wipe has apparently been supported via activesync since android 2.2

    4. Re:It's not just about the VPN aspect by spamking · · Score: 2

      You are correct, folks shouldn't be storing sensitive data on a portable device of any kind. Our laptops are required to be encrypted using a FIPS 140-2 certified product to prevent loss of any information because not everyone follows the "don't store sensitive data on your laptop" policy.

      With our blackberries we have access to our intranet, I guess the remote wipe feature would be helpful if someone happened to crack a password in less than 6 attempts and gain access to our intranet and possibly other internal systems/data.

  3. OpenSSH by 1s44c · · Score: 4, Informative

    Use OpenSSH. You can tunnel TCP over SSH, it works very nicely on iphones and nokia n900's. I've not tested it on android but It should work.

    The very last thing anyone should be doing is bridging their networks to a mobile phone.

    1. Re:OpenSSH by Karma's+A+Bitch · · Score: 5, Informative

      Hi, new poster here but have been lurking for about a decade -- but as fucked up as IPSec is, there are some important benefits:

      * IPSec tunnels your traffic over an unreliable datagram protocol (either IP protocol ESP or over some UDP port -- I forget the number). This avoids the performance problems of running a reliable protocol (TCP) over another reliable protocol (TCP). Some time since I looked at this, but IIRC, retransmits in the upper protocol kill you. Probably not too bit a problem if you aren't running significant traffic.

      * IPSec is processed in kernel mode which improves processing performance. This isn't as important on the client which is only handling one tunnel as it is on the gateway which is handling many connections and where the CPU load could be important. Disadvantage is that a bug in IPSec is a bug in kernelspace.

      * Of course anyone doing something like this should terminate the IPSec connection on a network outside their LAN and should also consider blocking comms between indials.

      Just wish whoever designed IPSec had done a proper job.

    2. Re:OpenSSH by jimicus · · Score: 4, Interesting

      because any simple solution like OpenSSH must be bad

      The problem with OpenSSH - indeed the problem with most of these "simple" solutions is that they're only simple from the perspective of the IT department. They utterly fail the Marcus test.

      (Before you ask - "Marcus" is a hypothetical employee. He is a man of perfectly normal intelligence but relatively little in the way of computer skills. If you're expecting him to do anything clever with his computer such as connect to the corporate network remotely, you need the instructions to be as short as possible, as easy to follow as possible with the bare minimum of extra boxes to tick or dialogs to fill in. Anything that gets in the way of that is a Bad Thing. If your instructions for Marcus are 30 steps spread across 6 pages of closely-typed text with no illustrations, he's got precisely zero chance of following them.)

    3. Re:OpenSSH by Prof.Phreak · · Score: 2

      ...little in the way of computer skills.

      An employee needing corporate network access who has ``little in the way of computer skills'' shouldn't be accessing the network.

      If all they need is email, I'm sure a corp can provide a web-based ssl thing for that. If they need to read docs, I'm sure a web-based ssl doc thing (like an in-house version of google docs) would work. But to put a computer illiterate employee "on the network" from a remote location is just stupid (and yes, we've all been there; still doesn't mean it's a good idea).

      Personally I'd be fairly happy to get a plain and simple SSH login (with pre-set keys if needed), as opposed to the citrix crap everyone-but-windows-admins hates.

      --

      "If anything can go wrong, it will." - Murphy

  4. Re:Not surprised by Anonymous Coward · · Score: 5, Informative

    You're actually more misinformed now. Android does in fact have IPsec capabilities, as well as PPTP and L2TP. Its had this for a while. I don't know why no one's not mentioned that the article is just plain wrong.

    It does lack OpenVPN, though, which has been a bit of a thorn in my side - software exists to add this functionality, but so far they all require root privileges, as far as I know.

  5. Cisco IPSec VPN now supported in Android 4.0 (ICS) by daern · · Score: 4, Informative

    "Proper" Cisco VPN support (i.e. with group usernames and passwords) was added in 4.0 (Ice-Cream Sandwich) and works very well indeed. Be aware that there appears to be a bug in 4.0.1 and 4.0.2 on the GSM Galaxy Nexus which cause it to reboot as soon as you pass data over a VPN, connected via 3G...wifi works fine.

    I'm running an AOSP (kang) 4.0.3 here and this has now been fixed. I believe the official 4.0.3 is just around the corner, so yey! This has been my top #1 feature request since Android day 1 and I bought the GN specifically because of it. Yey Glooge!

    Daern

  6. Re:Cisco IPSec VPN now supported in Android 4.0 (I by maccodemonkey · · Score: 3, Funny

    ""Proper" Cisco VPN support (i.e. with group usernames and passwords) was added in 4.0 (Ice-Cream Sandwich) and works very well indeed. Be aware that there appears to be a bug in 4.0.1 and 4.0.2 on the GSM Galaxy Nexus which cause it to reboot as soon as you pass data over a VPN, connected via 3G...wifi works fine."

    You say "works very well." I don't think it means what you think it means.

  7. I must be from another dimension by Anonymous Coward · · Score: 2, Informative

    I am doing IPSec on my stock ICS phone right now.

  8. Not the problem by ryanov · · Score: 2

    My University doesn't support Android phones because there's no at-rest encryption (or at least they say there isn't -- I personally don't want one anyway and so haven't investigated).

    1. Re:Not the problem by thegarbz · · Score: 3, Informative

      It's not standard as part of Android (or at least it wasn't in 2.0 - 2.3), there is however the option on the AOSP port of ICS (4.0.3) to do full device encryption, so that may be a standard feature now.

      That said there are many phones who have supported this for a long time, but the feature was added by the vendor and not a default function of Android itself.

  9. Re:Not surprised by aXis100 · · Score: 5, Informative

    I thought the same thing, I've been using the integrated L2TP client on my android phone, and it's only Froyo.

  10. Re:Stupid article is stupid by thegarbz · · Score: 5, Informative

    Stupid article is stupid because the *current* version of Android actually has full native IPSec support. I wish this is just a case of Slashdot being late to post, but TFA is dated Jan 3rd 2012 so it must just be a blogger who's not up with the times.

  11. Re:Stupid article is stupid by Skapare · · Score: 3, Insightful

    Restricting access to particular services is best done by those services themselves doing the authentication. They would know what users are authorized for what functions. The remote Android user is in no position to sniff the server networks, so the fact that the traffic within the LANs is not encrypted does not matter as long as you trust your network admins ... if you don't, you better be using an SSL layer to the server and trust your server admins.

    If the remote user has ANY means to access the internet on the phone, either directly through the telco data bandwidth provider, or even proxied or routed through the VPN, then the phone MUST be considered unsafe, and it would be entirely inappropriate for it to be accessing any home base servers that don't authenticate (but that's just totally stupid to run that way under any circumstance).

    --
    now we need to go OSS in diesel cars
  12. Already there by Namarrgon · · Score: 5, Informative

    Exchange-based remote wipe support was added in Android 2.2. Encrypted storage and password policies were added in Android 3.0. Full-device encryption was added in Android 4.0, along with an API for third-party VPN solutions, and IPsec support for the built-in VPN client.

    --
    Why would anyone engrave "Elbereth"?
    1. Re:Already there by zaphirplane · · Score: 2, Funny

      The way it works is
      Server hey mr phone do you support activesync remote wipe?
      Phone sure do (ha ha ha ha)
      Server ok thank you, what about password policy?
      Phone sure whatever you want sweetie

      There are market apps they respond with yes and then bin the request
      So .... It does not count.

  13. Re:Cisco IPSec VPN now supported in Android 4.0 (I by daern · · Score: 4, Informative

    ""Proper" Cisco VPN support (i.e. with group usernames and passwords) was added in 4.0 (Ice-Cream Sandwich) and works very well indeed. Be aware that there appears to be a bug in 4.0.1 and 4.0.2 on the GSM Galaxy Nexus which cause it to reboot as soon as you pass data over a VPN, connected via 3G...wifi works fine."

    You say "works very well." I don't think it means what you think it means.

    To clarify: It works very well indeed, but in 4.0.1 and 4.0.2 it only works with WiFi. Apparently, the 4.0.2 LTE version works fine on both WiFi and cellular connections.

    In 4.0.3 it works very well on both WiFi and 3G and is a monumentally excellent feature to be added :-)

  14. Re:WTF by Skapare · · Score: 2

    It means the author of the article is confused. PPTP and L2TP and other VPN protocols can go over IPsec or they can go direct and use their own encryption. The author seems to be upset that Android doesn't use IPsec. If he knew me, he'd be upset with me, too, because I don't use IPsec, either ... anymore.

    --
    now we need to go OSS in diesel cars
  15. Sigh, this is normal for IPSec by rdebath · · Score: 4, Interesting

    IPSec was designed as an add-on for IPv6 back in the '90's and backported to IPv4. Unfortunately, it wasn't one of the well tested parts of the standard with many years of experience behind it, instead it was a recognition than encryption would become more important, and hopefully ubiquitous.

    But nothing has happened. Instead of becoming the normal way to encrypt data across the internet it's been sidelined to enterprise VPNs were it does quite well because of the very long protocol documentation it has. This is perfect for breaking the finger pointing crap that is so common in that environment. For general use encryption is still done at the application level.

    I think the worst problem is the usual suspect: key distribution. There is no reasonable way of ensuring that the right key data gets to the right clients. Though I had hopes for DNSSEC...

    But the problem here isn't that. The problem is the original expectation that ALL data would become encrypted. Because of this they inserted the encryption into the middle of the IP stack (a shim if you will) which sometimes converts TCP/IP packets into TCP/IPSec/IP packets without changing the IP addresses or routing or anything else. Because of this design decision the exact version/variant of the IPSec protocol HAS to exist in the kernel binary. You can't work around this.

    Every other VPN solution does it the right way. Actually creating a Virtual Private Network Adaptor for a Virtual Private Network Wire onto a Virtual Private Network. So you actually have a visible private network and you can see the routing and you can enforce firewall rules (or reverse path rules). What's more because of this every single one of them can easily be altered to work purely in userspace repurposing whatever virtual adaptor may be available on the platform be it PPP/SLIP/TAP or someone else's VPN adaptor. With this the horrific complexity that is IPSec can be avoided because you can run two versions of the VPN client on the same machine preserving compatibility by keeping old (put patched) versions of the software rather than creating a rats nest of compatibility hacks within the standard itself.

    The end result, IPSec is avoided unless somebody "requires" this enterprisey solution AND will be paying for it.

  16. article is out of date - Android 4.0 ICS update by gru3hunt3r · · Score: 4, Interesting

    This article is out of date the following IPsec VPN options are available on a Google Nexus Galaxy from Verizon running Android ICS (4.0)

    IPsec XAUTH PSK
    IPsec XAUTH RSA
    IPSEC Hybrid RSA

    Android 4.0 supports standard IP sec gateways as well as Cisco's proprietary Xauth -- and unlike apple the android release does NOT require a company go out and buy a new Cisco Pix running IOS 7.0 or higher like the Apple iPhone 4 does (Iphone doesn't support xauth rsa profile).
    This little .. ahem, oversight on the iPhone made it so our company chose NOT to reimburse employees for iPhones since they can't be used for work -- so at least for our company if employees want reimbursement for phones, they need to purchase a device that's compatible.

    While I'm ranting-- I figured I'd also say that I wish either vendor apple/cisco natively supported OpenVPN so I could kill off my IPSec VPN I'd be thrilled, and the first vendor who does will receive the "recommended device" status for our employees.

    IPSec is my last choice, not my first - it's not well suited for modern day deployments anyway since it doesn't work through some NAT gateways (at many hotels), and it *never* works [by design] if two people on the same network are connecting to the same endpoint from behind the same nat firewall (ex: two employees at the same coffee shop both trying to do their work.. or a husband wife who both work for the same company trying to concurrently connect to their own home network)

    As NAT becomes more and more common (aren't we out of IPv4 addresses?) IPsec will cede way to more flexible solutions like OpenVPN.

    1. Re:article is out of date - Android 4.0 ICS update by JAlexoi · · Score: 2

      VpnService is a base class for applications to extend and build their own VPN solutions. In general, it creates a virtual network interface, configures addresses and routing rules, and returns a file descriptor to the application. Each read from the descriptor retrieves an outgoing packet which was routed to the interface. Each write to the descriptor injects an incoming packet just like it was received from the interface. The interface is running on Internet Protocol (IP), so packets are always started with IP headers. The application then completes a VPN connection by processing and exchanging packets with the remote server over a tunnel.

      http://developer.android.com/reference/android/net/VpnService.html

  17. IPsec is not more secure by Kludge · · Score: 2

    The original poster thinks that IPsec is more secure, but has he ever seen case of other VPN's encryption being cracked? The answer is no. All data does not need to be encrypted. If either end of the VPN connection does not have the correct key the game is up. IPsec is less convenient and only provides additional security to an already uncrackable system.

  18. Android 4 includes custom VPN provider support by JAlexoi · · Score: 2

    Since the release of ICS, users are able to roll-out their custom VPN solutions. I bet OpenVPN is in the works.
    http://developer.android.com/reference/android/net/VpnService.html

  19. VPN Client API by robmv · · Score: 3, Informative

    This is false, since Android 4.0 there is an API to add new VPN clients without need to build kernel modules

    Enhancements for Enterprise

    VPN client API

    Developers can now build or extend their own VPN solutions on the platform using a new VPN API and underlying secure credential storage. With user permission, applications can configure addresses and routing rules, process outgoing and incoming packets, and establish secure tunnels to a remote server. Enterprises can also take advantage of a standard VPNclientbuilt into the platform that provides access to L2TP and IPSec protocols.

  20. Re:Stupid article is stupid by Xugumad · · Score: 3, Insightful

    > *current* version of Android actually has full native IPSec support

    Do you mean Ice Cream Sandwich? In which case, to be fair it's not what you'd call in widespread use yet... (I have never seen anyone with an ICS device IRL, or heard of anyone having one)

  21. Re:Stupid article is stupid by csnydermvpsoft · · Score: 3, Informative

    I'm running Gingerbread and have a VPN option with PPTP, L2TP, & OpenVPN. Could be a CyanogenMod feature but I don't think so.

    OpenVPN is a Cyanogenmod addition: [source]

  22. Re:Complete lack of security by Jim+Buzbee · · Score: 2

    Hmmm... With some restrictions, the US Department of Defense has approved use of Android and not IOS: http://www.bgr.com/2011/12/28/pentagon-approves-android-device-for-department-of-defense-apple-still-awaits-clearance/