TRANSCRIPT
Lawrence Livermore National Laboratory
Lee Neely, CISSP, MSP ISSO
LLNL-PRES-412835
Lawrence Livermore National Laboratory, P. O. Box 808, Livermore, CA 94551
This work performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract DE-AC52-07NA27344
iPhone vs. BlackBerry: young upstart meets old standard
June 2, 2009
Why are we here?
• LLNL users are asking for the iPhone
• The LLNL BlackBerry implementation is not production
• Claims were made that the iPhone can be implemented for "free"
• Rumors of personally owned iPhones being used for LLNL work
Examine the devices
Basic assumptions
• Corporate email/VPN pre-exists
• ActiveSync/Exchange on the internal network
• BlackBerry Enterprise Server (BES) can reach the Internet
• Not looking at "illegal" device configurations

What to look at:
• Device focus
• Device startup
• Device configuration status
• Device security settings
Device Focus
BlackBerry: "corporate" device
• Many security features
• Business applications; new app store released
• Optimized for centralized management
• Runs device-specific software
• CDMA/GSM/Wi-Fi; Verizon/AT&T/Sprint/etc.

iPhone: "consumer" device
• Nominal security
• Lots of "new and cool" apps
• Optimized for individual management
• Runs a version of Mac OS X
• GSM/Wi-Fi; AT&T service only
Device Startup – minimal impact
BlackBerry
• Use BlackBerry Internet Service (BIS) to get mail to the device; the user configures it
• If using Wi-Fi, use a VPN to reach corporate apps
• Time: per device, ten minutes; pre-setup, nominal

iPhone
• Configure the built-in VPN to access the corporate network (the configuration can be sent to the device)
• Device accesses existing services; the user configures: ActiveSync if Exchange; POP/IMAP services if used; web applications
• Time: per device, ten minutes; pre-setup, configuration settings file (optional)
Device Startup – “full” corporate integration
BlackBerry
• Install and configure BES
• Enterprise Activate the device: email/calendar/etc. configured; applications pushed/whitelisted
• Corporate application access depends on MDS
• Time: per device, enterprise activation time (5-20 minutes); pre-setup, BES

iPhone
• Create a configuration with the iPhone Configuration Utility (ICU) and deploy it to a secure web server in the DMZ
• Edit iPhone policies in Exchange (optional)
• Install and configure ActiveSync in the DMZ
• User finalizes the configuration (username/passwords)
• Time: per device, "two" minutes; pre-setup, configuration, ActiveSync, etc.
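The iPhone steps above come down to producing a configuration profile, serving it from the DMZ and letting the user supply credentials on the device. The following is an added example, not LLNL's or Apple's code, that builds such a profile in Python with the three payloads the slides call for (passcode policy, ActiveSync account, IPSec VPN) and checks the passcode policy against a baseline before the profile is published. The payload type strings are Apple's documented profile payload types; the organization, host names, identifiers and policy thresholds are placeholders chosen for the example.

```python
# Added example (not LLNL's or Apple's code): build an iPhone configuration
# profile of the kind the iPhone Configuration Utility (ICU) exports, with the
# passcode policy, ActiveSync account and IPSec VPN the slides describe, and
# check its passcode policy against a baseline. Payload type strings are
# Apple's documented ones; hosts, identifiers and thresholds are placeholders.
import plistlib
import uuid

ORG = "Example Lab"                      # placeholder organisation name
PROFILE_ID = "org.example.iphone.corp"   # placeholder reverse-DNS identifier
PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"


def _payload(ptype, ident, display, **keys):
    """Keys every payload dictionary in a profile must carry."""
    d = {
        "PayloadType": ptype,
        "PayloadIdentifier": f"{PROFILE_ID}.{ident}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display,
        "PayloadOrganization": ORG,
    }
    d.update(keys)
    return d


def passcode_payload():
    """Inactivity lock and passcode rules (what BES configures centrally)."""
    return _payload(
        PASSCODE_TYPE, "passcode", "Passcode policy",
        forcePIN=True,            # passcode mandatory
        allowSimple=False,        # no 1234-style codes
        requireAlphanumeric=True,
        minLength=8,
        maxInactivity=5,          # minutes before auto-lock
        maxFailedAttempts=10,     # device erases itself after this many
        maxPINAgeInDays=90,
    )


def exchange_payload(host, user):
    """ActiveSync account over SSL. No password is embedded: the user
    finalizes the profile on the device, as the slide says."""
    return _payload(
        "com.apple.eas.account", "exchange", "Corporate mail",
        Host=host, UserName=user, EmailAddress=f"{user}@example.org", SSL=True,
    )


def vpn_payload(gateway, group):
    """Cisco IPSec VPN to the corporate network. The group shared secret is
    deliberately omitted so it is not served from the DMZ web server."""
    return _payload(
        "com.apple.vpn.managed", "vpn", "Corporate VPN",
        UserDefinedName="Corporate VPN", VPNType="IPSec",
        IPSec={"RemoteAddress": gateway, "AuthenticationMethod": "SharedSecret",
               "LocalIdentifier": group, "LocalIdentifierType": "KeyID",
               "XAuthEnabled": 1},   # per-user credentials prompted on connect
    )


def build_profile(host, user, gateway, group):
    """Top-level profile wrapping the three payloads."""
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": PROFILE_ID,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Corporate iPhone profile",
        "PayloadOrganization": ORG,
        # False: the user may remove the profile, which also removes its
        # accounts and their data (the "settings can be removed" point)
        "PayloadRemovalDisallowed": False,
        "PayloadContent": [passcode_payload(), exchange_payload(host, user),
                           vpn_payload(gateway, group)],
    }


def to_mobileconfig(profile):
    """Serialize to the XML plist the device installs (unsigned here)."""
    return plistlib.dumps(profile)


def check_passcode_policy(profile):
    """Return the baseline rules the profile fails (empty list = passes).
    Baseline is illustrative: mandatory non-simple passcode of 6+ characters,
    auto-lock within 15 minutes, wipe after at most 10 failed attempts."""
    pol = next((p for p in profile["PayloadContent"]
                if p["PayloadType"] == PASSCODE_TYPE), None)
    if pol is None:
        return ["no passcode policy payload"]
    failures = []
    if not pol.get("forcePIN"):
        failures.append("passcode not required")
    if pol.get("allowSimple", True):
        failures.append("simple passcodes allowed")
    if pol.get("minLength", 0) < 6:
        failures.append("minimum length below 6")
    if not 0 < pol.get("maxInactivity", 0) <= 15:
        failures.append("inactivity lock unset or longer than 15 minutes")
    if not 0 < pol.get("maxFailedAttempts", 0) <= 10:
        failures.append("failed-attempt wipe unset or above 10 tries")
    return failures


if __name__ == "__main__":
    prof = build_profile("mail.example.org", "jdoe", "vpn.example.org", "corp")
    print(to_mobileconfig(prof).decode())
    print("policy findings:", check_passcode_policy(prof) or "none")
```

The profile is written unsigned; ICU can sign and encrypt a profile before it is placed on the DMZ web server, and the design choice here is that nothing secret (account password, VPN group secret) is in the file at all, so a copy fetched by the wrong person yields only host names. The check function is the gate a practitioner would run before publishing: the same baseline can be applied to a profile exported from ICU by loading it with plistlib.load and passing the result in.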
Simplified Infrastructure: Application access (diagram slide; figure not reproduced in this transcript)
Where does that leave you?
BlackBerry
• Managed when connected to BES, which is full time
• Continuous user content push
• Immediate access to corporate applications
• Security policies "permanent"

iPhone
• Managed only when it can reach ActiveSync (over VPN, via a DMZ-hosted ActiveSync, or through a hole in the firewall)
• User content updates only when it can reach ActiveSync; hosting ActiveSync in the DMZ solves this
• Access to corporate applications only when VPN connected
• Settings can be removed by the user; deleting the profile also removes the data it brought to the device
Security Features
Function: BlackBerry / iPhone

Secure contents
  BlackBerry: Content encryption (memory card separate)
  iPhone: Need an application, e.g. Sybase iAnywhere Mobile Office Suite

Security configuration store
  BlackBerry: BES
  iPhone: Exchange policies / iPhone Configuration Utility (ICU)

Communication model
  BlackBerry: Device connects to RIM, then to BES; BES is the corporate gateway
  iPhone: Device connects to ActiveSync over VPN and/or the Internet; VPN for corporate apps

Live policy updates
  BlackBerry: BES provides ("continuous connection", tight coupling)
  iPhone: When ActiveSync is reachable, over VPN or the Internet (loosely coupled)

Wipe
  BlackBerry: Yes, remote or manual; BES initiates; has DoD-spec wipe; memory card separate
  iPhone: Yes; remote wipe requires the device to be connected to ActiveSync; manual wipe via the erase option

Inactivity lock
  BlackBerry: BES configures
  iPhone: Policy can be pushed from ActiveSync

Remote lock
  BlackBerry: Yes, BES initiates
  iPhone: N/A

Sync email/calendar/notes
  BlackBerry: Via BES
  iPhone: Via ActiveSync

Encrypted communications
  BlackBerry: Certificate exchange; PKI protects end-to-end
  iPhone: ActiveSync server connected via SSL; IPSec VPN to the corporate network

Web browser functionality
  BlackBerry: MDS provides the gateway; some applications work; BES admin must configure
  iPhone: Business applications work; need VPN or gateway; device must be configured

Access to internal net
  BlackBerry: BES/MDS
  iPhone: Need VPN or gateway; device must be configured
Security Features cont.
Function: BlackBerry / iPhone

Configuration
  BlackBerry: BES pushes to the device
  iPhone: Policy can be pushed from ActiveSync

S/MIME
  BlackBerry: Works, with the right software and an exportable certificate
  iPhone: Need an application, e.g. Sybase iAnywhere Mobile Office Suite

Wireless
  BlackBerry: WEP, WPA personal & enterprise, WPA2 personal & enterprise
  iPhone: WEP, WPA personal & enterprise, WPA2 personal & enterprise, 802.1X (EAP, PEAP & LEAP)

VPN
  BlackBerry: IPSec VPN; some models work with Wi-Fi; not required with BES/MDS
  iPhone: Cisco IPSec, L2TP/IPSec, PPTP

L/Q building
  BlackBerry: Remove battery
  iPhone: Only option is airplane mode

Startup
  BlackBerry: BES/MDS (centralized)
  iPhone: VPN (decentralized) or ICU configuration

Device management and software updates
  BlackBerry: BES or Desktop Manager
  iPhone: iTunes software update

Target audience
  BlackBerry: Business user
  iPhone: Consumer

Applications
  BlackBerry: Many, business focus; can control tightly
  iPhone: Many, consumer focused; issue of personally licensed software and introduction of malware

Application restrictions
  BlackBerry: Lock with BES, whitelist
  iPhone: No limit
Conclusion
BlackBerry
• Moderate setup
• Moderate entry fee
• Strongly managed
• "Always on" synchronization
• Structured device software updates
• BES or desktop software can restore the configuration
• Limited application compatibility; you may need a laptop for full functionality
• Content protection or S/MIME support: native

iPhone
• Quick startup
• Low entry fee
• Loosely managed
• Syncs when ActiveSync is reachable
• Immediate device software updates
• iTunes can restore the configuration (from the desktop)
• High degree of application compatibility; able to run most business apps/webmail
• Content protection or S/MIME support: additional application required
Questions?
My contact information:
Email: [email protected]
Phone: (925) 422-0140