Slashdot Mirror


Securing Android For the Enterprise

Orome1 writes "While many companies use IPsec for secure remote access to their networks, no integrated IPsec VPN client is available on Android. Apple has already fixed this shortcoming in iOS, in part, because it wanted to make the iPhone attractive for businesses. The Android operating system doesn't just lack an integrated IPsec VPN client, it also makes installing and configuring third-party VPN software quite complicated. IPsec VPN clients have to be integrated into the kernel of each device, and the client software has to be installed specifically for a memory area. This means that the firmware of each Android smartphone or tablet has to be modified accordingly. Until a 'real' IPsec VPN client is available, Android users can use their devices' integrated VPN clients based on PPTP or L2TP, which is deployed over IPsec. A 'real' IPsec VPN connection, however, is more secure because it encrypts data prior to authentication."

16 of 136 comments

  1. Oh by deep9x · · Score: 5, Funny

    I really thought this article was going to be about Data.

    1. Re:Oh by 93 Escort Wagon · · Score: 4, Funny

      I really thought this article was going to be about Data.

      I thought even the PHB types had given up ending sentences with 'for the Enterprise'.

      I thought... WHOOSH!

      Would you have gotten the joke if he'd used "Lore" instead of "Data"?

      --
      #DeleteChrome
  2. It's not just about the VPN aspect by geekylinuxkid · · Score: 5, Insightful

    Android needs some sort of remote wipe software to make it even remotely feasible for most businesses. For example, the government requires remote wipe, and some sort of encryption. Until Android has a solution for these two, the VPN-less capability is moot.

    1. Re:It's not just about the VPN aspect by afidel · · Score: 5, Informative

      There are MDMs that provide those capabilities, heck just hook most Android phones up to any ActiveSync compatible server or service and you get basic remote wipe. If it weren't for the fact that we provide Citrix for remote access the limitations on getting most Android devices working with ASA would have been a serious red mark against adoption, but as it stands the huge number of usability problems we ran into trumped everything else. Android is great as a geek OS, and fairly good for a consumer OS (my wife likes her Optimus V just fine), but the persistent issues like WiFi clients that randomly failed to work or the email clients that just stopped receiving email from the Exchange server and required a device wipe and resync to reestablish communications to the weird certificate errors we would get all made it so we were not going to foist it as a platform on our users. We offered them iOS or Blackberry and 2/3rds chose to stay on Blackberry for the superior core email capabilities. Personally I'm still on my Android test device because for me the small nagging flaws are outweighed by a physical keyboard (big plus over an iPhone) and huge selection of applications and a decent browser (big win over Blackberry).

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:It's not just about the VPN aspect by Anonymous Coward · · Score: 5, Informative

      Remote wipe has apparently been supported via ActiveSync since Android 2.2

  3. OpenSSH by 1s44c · · Score: 4, Informative

    Use OpenSSH. You can tunnel TCP over SSH, it works very nicely on iPhones and Nokia N900s. I've not tested it on Android but it should work.

    The very last thing anyone should be doing is bridging their networks to a mobile phone.

    1. Re:OpenSSH by Karma's A Bitch · · Score: 5, Informative

      Hi, new poster here but have been lurking for about a decade -- but as fucked up as IPSec is, there are some important benefits:

      * IPSec tunnels your traffic over an unreliable datagram protocol (either IP protocol ESP or over some UDP port -- I forget the number). This avoids the performance problems of running a reliable protocol (TCP) over another reliable protocol (TCP). Some time since I looked at this, but IIRC, retransmits in the upper protocol kill you. Probably not too big a problem if you aren't running significant traffic.

      * IPSec is processed in kernel mode which improves processing performance. This isn't as important on the client which is only handling one tunnel as it is on the gateway which is handling many connections and where the CPU load could be important. Disadvantage is that a bug in IPSec is a bug in kernelspace.

      * Of course anyone doing something like this should terminate the IPSec connection on a network outside their LAN and should also consider blocking comms between indials.

      Just wish whoever designed IPSec had done a proper job.

    2. Re:OpenSSH by jimicus · · Score: 4, Interesting

      because any simple solution like OpenSSH must be bad

      The problem with OpenSSH - indeed the problem with most of these "simple" solutions is that they're only simple from the perspective of the IT department. They utterly fail the Marcus test.

      (Before you ask - "Marcus" is a hypothetical employee. He is a man of perfectly normal intelligence but relatively little in the way of computer skills. If you're expecting him to do anything clever with his computer such as connect to the corporate network remotely, you need the instructions to be as short as possible, as easy to follow as possible with the bare minimum of extra boxes to tick or dialogs to fill in. Anything that gets in the way of that is a Bad Thing. If your instructions for Marcus are 30 steps spread across 6 pages of closely-typed text with no illustrations, he's got precisely zero chance of following them.)

  4. Re:Not surprised by Anonymous Coward · · Score: 5, Informative

    You're actually more misinformed now. Android does in fact have IPsec capabilities, as well as PPTP and L2TP. It's had this for a while. I don't know why no one's mentioned that the article is just plain wrong.

    It does lack OpenVPN, though, which has been a bit of a thorn in my side - software exists to add this functionality, but so far they all require root privileges, as far as I know.

  5. Cisco IPSec VPN now supported in Android 4.0 (ICS) by daern · · Score: 4, Informative

    "Proper" Cisco VPN support (i.e. with group usernames and passwords) was added in 4.0 (Ice-Cream Sandwich) and works very well indeed. Be aware that there appears to be a bug in 4.0.1 and 4.0.2 on the GSM Galaxy Nexus which causes it to reboot as soon as you pass data over a VPN, connected via 3G...wifi works fine.

    I'm running an AOSP (kang) 4.0.3 here and this has now been fixed. I believe the official 4.0.3 is just around the corner, so yey! This has been my top #1 feature request since Android day 1 and I bought the GN specifically because of it. Yey Glooge!

    Daern

  6. Re:Not surprised by aXis100 · · Score: 5, Informative

    I thought the same thing, I've been using the integrated L2TP client on my android phone, and it's only Froyo.

  7. Re:Stupid article is stupid by thegarbz · · Score: 5, Informative

    Stupid article is stupid because the *current* version of Android actually has full native IPSec support. I wish this were just a case of Slashdot being late to post, but TFA is dated Jan 3rd 2012 so it must just be a blogger who's not up with the times.

  8. Already there by Namarrgon · · Score: 5, Informative

    Exchange-based remote wipe support was added in Android 2.2. Encrypted storage and password policies were added in Android 3.0. Full-device encryption was added in Android 4.0, along with an API for third-party VPN solutions, and IPsec support for the built-in VPN client.

    --
    Why would anyone engrave "Elbereth"?
  9. Re:Cisco IPSec VPN now supported in Android 4.0 (I by daern · · Score: 4, Informative

    ""Proper" Cisco VPN support (i.e. with group usernames and passwords) was added in 4.0 (Ice-Cream Sandwich) and works very well indeed. Be aware that there appears to be a bug in 4.0.1 and 4.0.2 on the GSM Galaxy Nexus which causes it to reboot as soon as you pass data over a VPN, connected via 3G...wifi works fine."

    You say "works very well." I don't think it means what you think it means.

    To clarify: It works very well indeed, but in 4.0.1 and 4.0.2 it only works with WiFi. Apparently, the 4.0.2 LTE version works fine on both WiFi and cellular connections.

    In 4.0.3 it works very well on both WiFi and 3G and is a monumentally excellent feature to be added :-)

  10. Sigh, this is normal for IPSec by rdebath · · Score: 4, Interesting

    IPSec was designed as an add-on for IPv6 back in the '90s and backported to IPv4. Unfortunately, it wasn't one of the well tested parts of the standard with many years of experience behind it, instead it was a recognition that encryption would become more important, and hopefully ubiquitous.

    But nothing has happened. Instead of becoming the normal way to encrypt data across the internet it's been sidelined to enterprise VPNs where it does quite well because of the very long protocol documentation it has. This is perfect for breaking the finger pointing crap that is so common in that environment. For general use encryption is still done at the application level.

    I think the worst problem is the usual suspect: key distribution. There is no reasonable way of ensuring that the right key data gets to the right clients. Though I had hopes for DNSSEC...

    But the problem here isn't that. The problem is the original expectation that ALL data would become encrypted. Because of this they inserted the encryption into the middle of the IP stack (a shim if you will) which sometimes converts TCP/IP packets into TCP/IPSec/IP packets without changing the IP addresses or routing or anything else. Because of this design decision the exact version/variant of the IPSec protocol HAS to exist in the kernel binary. You can't work around this.

    Every other VPN solution does it the right way. Actually creating a Virtual Private Network Adaptor for a Virtual Private Network Wire onto a Virtual Private Network. So you actually have a visible private network and you can see the routing and you can enforce firewall rules (or reverse path rules). What's more because of this every single one of them can easily be altered to work purely in userspace repurposing whatever virtual adaptor may be available on the platform be it PPP/SLIP/TAP or someone else's VPN adaptor. With this the horrific complexity that is IPSec can be avoided because you can run two versions of the VPN client on the same machine preserving compatibility by keeping old (but patched) versions of the software rather than creating a rat's nest of compatibility hacks within the standard itself.

    The end result, IPSec is avoided unless somebody "requires" this enterprisey solution AND will be paying for it.

  11. article is out of date - Android 4.0 ICS update by gru3hunt3r · · Score: 4, Interesting

    This article is out of date. The following IPsec VPN options are available on a Google Nexus Galaxy from Verizon running Android ICS (4.0):

    IPsec XAUTH PSK
    IPsec XAUTH RSA
    IPSEC Hybrid RSA

    Android 4.0 supports standard IPsec gateways as well as Cisco's proprietary Xauth -- and unlike Apple, the Android release does NOT require a company go out and buy a new Cisco PIX running IOS 7.0 or higher like the Apple iPhone 4 does (the iPhone doesn't support the XAUTH RSA profile).
    This little... ahem, oversight on the iPhone made it so our company chose NOT to reimburse employees for iPhones since they can't be used for work -- so at least for our company if employees want reimbursement for phones, they need to purchase a device that's compatible.

    While I'm ranting -- I figured I'd also say that if either vendor (Apple or Cisco) natively supported OpenVPN so I could kill off my IPSec VPN I'd be thrilled, and the first vendor who does will receive the "recommended device" status for our employees.

    IPSec is my last choice, not my first - it's not well suited for modern day deployments anyway since it doesn't work through some NAT gateways (at many hotels), and it *never* works [by design] if two people on the same network are connecting to the same endpoint from behind the same NAT firewall (ex: two employees at the same coffee shop both trying to do their work.. or a husband and wife who both work for the same company trying to concurrently connect to their own home network)

    As NAT becomes more and more common (aren't we out of IPv4 addresses?) IPsec will cede way to more flexible solutions like OpenVPN.
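Three of the comments above lean on the same packet layout, so here is one added example that is not from any post in this thread and not Android's, Apple's or Cisco's code: Karma's A Bitch's point that ESP rides directly as IP protocol 50 (or, with NAT traversal, inside UDP 4500, the port that comment could not recall), rdebath's point that transport-mode ESP is a shim that leaves the original IP addresses in place while tunnel mode wraps a fresh IP header around the whole packet, and gru3hunt3r's scenario of two clients behind one NAT reaching the same gateway. The script builds those packets with the Python standard library and pushes them through a toy port-based NAT. The addresses, SPIs, payloads and the NAT model are constructed for the demo; nothing is actually encrypted, and real NAT boxes vary (some track SPIs, many do not). The collision it shows for bare ESP is the case UDP encapsulation of ESP (RFC 3948) was defined to fix, when both ends support it.

```python
"""Added example, not from the thread: ESP framing, transport vs. tunnel mode, and
why two IPsec clients behind one port-based NAT collide unless ESP is carried in
UDP (NAT-T, RFC 3948). Pure stdlib; all addresses, SPIs and payloads are made up."""
import ipaddress
import struct

IPPROTO_UDP, IPPROTO_ESP = 17, 50
NAT_T_PORT = 4500   # RFC 3948 UDP encapsulation of ESP (IKE itself uses UDP 500/4500)

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options; checksum left zero for the demo) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def esp(spi, seq, ciphertext):
    """ESP header (RFC 4303): 32-bit SPI, 32-bit sequence number, then the protected
    payload. Nothing is really encrypted here; opaque bytes stand in for ciphertext."""
    return struct.pack("!II", spi, seq) + ciphertext

def transport_mode(src, dst, spi, seq, tcp_segment):
    """IP | ESP | TCP: ESP is shimmed in; the endpoints' own addresses stay outside."""
    return ipv4(src, dst, IPPROTO_ESP, esp(spi, seq, tcp_segment))

def tunnel_mode(outer_src, outer_dst, spi, seq, inner_ip_packet):
    """IP' | ESP | IP | TCP: the whole original packet rides behind a new IP header."""
    return ipv4(outer_src, outer_dst, IPPROTO_ESP, esp(spi, seq, inner_ip_packet))

def nat_t(src, dst, sport, dport, esp_body):
    """IP | UDP | ESP: the NAT-T encapsulation, which gives a NAPT a port to rewrite."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(esp_body), 0) + esp_body
    return ipv4(src, dst, IPPROTO_UDP, udp)

def parse(pkt):
    """The fields a NAT or firewall can see without the SA keys."""
    _, _, total, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    f = {"src": str(ipaddress.IPv4Address(s)), "dst": str(ipaddress.IPv4Address(d)),
         "proto": proto}
    body = pkt[20:total]
    if proto == IPPROTO_ESP:
        f["spi"], f["seq"] = struct.unpack("!II", body[:8])
    elif proto == IPPROTO_UDP:
        f["sport"], f["dport"], _, _ = struct.unpack("!HHHH", body[:8])
        # On UDP 4500 an all-zero "non-ESP marker" means IKE; a non-zero SPI means ESP.
        if f["dport"] == NAT_T_PORT and body[8:12] != b"\0\0\0\0":
            f["spi"], f["seq"] = struct.unpack("!II", body[8:16])
    return f

class PortNat:
    """Toy NAPT: rewrites the source address, plus the source port when there is one.
    ESP has no ports, so the only inbound key this NAT can keep is (proto, peer); the
    second inside host talking to the same gateway silently replaces the first."""

    def __init__(self, public_ip):
        self.public = ipaddress.IPv4Address(public_ip).packed
        self.inbound = {}          # (proto, public port or None, peer) -> inside IP
        self.next_port = 40000

    def outbound(self, pkt):
        f, out = parse(pkt), bytearray(pkt)
        out[12:16] = self.public                   # rewrite source address
        port = None
        if f["proto"] == IPPROTO_UDP:
            port, self.next_port = self.next_port, self.next_port + 1
            out[20:22] = struct.pack("!H", port)   # rewrite source port
        self.inbound[(f["proto"], port, f["dst"])] = pkt[12:16]
        return bytes(out)

    def deliver(self, reply):
        """Inside address a reply from the peer reaches, or None if the NAT drops it."""
        f = parse(reply)
        inside = self.inbound.get((f["proto"], f.get("dport"), f["src"]))
        return str(ipaddress.IPv4Address(inside)) if inside else None

def two_clients_one_gateway(use_nat_t):
    """Two hosts behind one NAT talk to the same gateway; where does each reply land?"""
    nat, gw = PortNat("203.0.113.5"), "198.51.100.1"          # constructed addresses
    clients = {"10.0.0.11": 0x1001, "10.0.0.12": 0x1002}      # inside IP -> outbound SPI
    seen, delivered = {}, {}
    for c, spi in clients.items():
        body = esp(spi, 1, b"\xaa" * 16)
        pkt = nat_t(c, gw, NAT_T_PORT, NAT_T_PORT, body) if use_nat_t \
            else ipv4(c, gw, IPPROTO_ESP, body)
        seen[c] = parse(nat.outbound(pkt))
    for c, f in seen.items():                                  # gateway answers what it saw
        body = esp(clients[c] + 0x100, 1, b"\xbb" * 16)
        reply = nat_t(gw, f["src"], NAT_T_PORT, f["sport"], body) if use_nat_t \
            else ipv4(gw, f["src"], IPPROTO_ESP, body)
        delivered[c] = nat.deliver(reply)
    return delivered

if __name__ == "__main__":
    print("bare ESP:", two_clients_one_gateway(False))   # both replies reach 10.0.0.12
    print("NAT-T   :", two_clients_one_gateway(True))    # each client gets its own
```

With bare ESP the NAT has nothing but (protocol 50, gateway) to key on, so the gateway's replies for the first client are handed to the second; with the ESP-in-UDP framing each client gets a distinct public port and the mapping holds. The same `parse()` also shows why a packet filter on the VPN concentrator's outside interface sees only addresses, SPI and sequence number, which is what makes terminating IPsec in a DMZ and filtering the decrypted traffic on the inside the workable place to block client-to-client chatter.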