
Lawrence Livermore National Laboratory

Lee Neely, CISSP, MSP ISSO

LLNL-PRES-412835

Lawrence Livermore National Laboratory, P. O. Box 808, Livermore, CA 94551

This work performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract DE-AC52-07NA27344

iPhone vs. BlackBerry: young upstart meets old standard

June 2, 2009

Slide 2: Why are we here?

• LLNL users are asking for the iPhone
• The LLNL BlackBerry implementation is not production
• Claims were made that the iPhone can be implemented for "free"
• Rumors of personally owned iPhones being used for LLNL work

Slide 3: Examine the devices

Basic assumptions:
• Corporate email/VPN pre-exists
• ActiveSync/Exchange on the internal network
• BlackBerry Enterprise Server (BES) can reach the Internet
• Not looking at "illegal" device configurations

What to look at:
• Device focus
• Device startup
• Device configuration status
• Device security settings

Slide 4: Device Focus

BlackBerry: "Corporate" device
• Many security features
• Business applications – new app store released
• Optimized for centralized management
• Runs device-specific software
• CDMA/GSM/Wi-Fi; Verizon/AT&T/Sprint/etc.

iPhone: "Consumer" device
• Nominal security
• Lots of "new and cool" apps
• Optimized for individual management
• Runs a version of Mac OS X
• GSM/Wi-Fi; AT&T service only

Slide 5: Device Startup – minimal impact

BlackBerry
• Use BlackBerry Internet Service (BIS) to get mail to the device – user configures
• If using Wi-Fi, use VPN to reach corporate apps
• Time: per device – ten minutes; pre-setup – nominal

iPhone
• Configure the built-in VPN to access the corporate network (the configuration can be sent to the device)
• Device accesses existing services – user configures:
  • ActiveSync if Exchange
  • POP/IMAP services if used
  • Web applications
• Time: per device – ten minutes; pre-setup – configuration settings file (optional)

Slide 6: Device Startup – "full" corporate integration

BlackBerry
• Install and configure BES
• Enterprise-activate the device:
  • Email/calendar/etc. configured
  • Applications pushed/whitelisted
• Corporate application access depends on MDS
• Time: per device – enterprise activation time (5–20 minutes); pre-setup – BES

iPhone
• Create a configuration with the iPhone Configuration Utility (ICU) and deploy it to a secure web server in the DMZ
• Edit iPhone policies in Exchange (optional)
• Install and configure ActiveSync in the DMZ
• User finalizes the configuration (username/passwords)
• Time: per device – "two" minutes; pre-setup – configuration, ActiveSync, etc.

Slide 7: Simplified Infrastructure: Exchange access (diagram)

Slide 8: Simplified Infrastructure: Application access (diagram)

Slide 9: Where does that leave you?

BlackBerry
• Managed when connected to BES – which is full time
• Continuous user content push
• Immediate access to corporate applications
• Security policies "permanent"

iPhone
• Managed only when it can reach ActiveSync (VPN, DMZ, or a hole in the firewall)
• User content updates only when it can reach ActiveSync – the DMZ deployment solves this
• Access to corporate applications only when VPN-connected
• Settings can be removed by the user – deleting the profile removes the data it configured
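The iPhone side of slides 6 and 9 comes down to one artifact: the configuration profile (.mobileconfig) that ICU writes and the DMZ web server hands to Safari. The following is an added example, not part of the original deck or of Apple's tooling: it builds such a profile with the payload types ICU emits (passcode policy, Exchange ActiveSync account, IPSec VPN) and then audits it the way a reviewer would before publishing it, including the point made on slide 9 that a profile the user can delete takes its passcode policy and ActiveSync data with it. Organization name, host names, payload identifiers and the baseline numbers are assumptions for illustration.

```python
import plistlib
import uuid

# Assumed corporate values for illustration; not from the original slides.
ORG = "Example Lab"
EAS_HOST = "activesync.example.org"
VPN_GATEWAY = "vpn.example.org"

# Passcode settings as ICU would write them; the numbers are an assumed baseline.
PASSCODE_DEFAULTS = {
    "forcePIN": True, "allowSimple": False, "requireAlphanumeric": True,
    "minLength": 8, "maxInactivity": 5, "maxFailedAttempts": 10,
    "maxPINAgeInDays": 90, "pinHistory": 4,
}
# What the reviewer requires before the profile goes on the DMZ web server.
BASELINE = {"forcePIN": True, "allowSimple": False,
            "maxInactivity": 5, "maxFailedAttempts": 10}


def _payload(ptype, ident, name, **extra):
    """Envelope keys every payload dictionary in a profile must carry."""
    p = {"PayloadType": ptype, "PayloadIdentifier": ident,
         "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1,
         "PayloadDisplayName": name, "PayloadOrganization": ORG}
    p.update(extra)
    return p


def build_profile(removal_disallowed=True, **passcode_overrides):
    """Return a .mobileconfig (XML plist bytes) with passcode policy,
    Exchange ActiveSync account and IPSec VPN payloads."""
    passcode = _payload("com.apple.mobiledevice.passwordpolicy",
                        "org.example.profile.passcode", "Passcode policy",
                        **{**PASSCODE_DEFAULTS, **passcode_overrides})
    eas = _payload("com.apple.eas.account", "org.example.profile.eas",
                   "Corporate Exchange", Host=EAS_HOST, SSL=True,
                   UserName="", EmailAddress="")  # blank: user fills in on device
    vpn = _payload("com.apple.vpn.managed", "org.example.profile.vpn",
                   "Corporate VPN", UserDefinedName="Corporate VPN",
                   VPNType="IPSec",
                   IPSec={"RemoteAddress": VPN_GATEWAY,
                          "AuthenticationMethod": "SharedSecret",
                          "XAuthEnabled": 1})
    profile = _payload("Configuration", "org.example.profile",
                       "Corporate iPhone profile",
                       PayloadContent=[passcode, eas, vpn],
                       PayloadRemovalDisallowed=removal_disallowed)
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_profile(data):
    """Parse a .mobileconfig and return a list of findings; empty = meets BASELINE."""
    profile = plistlib.loads(data)
    findings = []
    # A user-removable profile takes the passcode policy with it when deleted.
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append("profile is user-removable: deleting it removes the "
                        "ActiveSync account and its data, and the passcode policy")
    by_type = {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}
    pw = by_type.get("com.apple.mobiledevice.passwordpolicy")
    if pw is None:
        findings.append("no passcode policy payload")
    else:
        for key, want in BASELINE.items():
            got = pw.get(key)
            # Booleans must match exactly; timeouts/attempt counts may be stricter.
            ok = (got is want) if isinstance(want, bool) else (got is not None and got <= want)
            if not ok:
                findings.append(f"passcode policy {key}={got!r}, baseline {want!r}")
    eas = by_type.get("com.apple.eas.account")
    if eas is not None and not eas.get("SSL", False):
        findings.append("ActiveSync account does not require SSL")
    return findings


if __name__ == "__main__":
    print(audit_profile(build_profile()))
    print(audit_profile(build_profile(removal_disallowed=False, maxInactivity=15)))
```

Serve the resulting file from the DMZ web server over HTTPS with Content-Type application/x-apple-aspen-config so Safari hands it to the profile installer rather than displaying it. The audit is only half the story: the passcode and wipe settings that Exchange pushes through ActiveSync (slide 6, "edit iPhone policies in Exchange") are enforced server-side at provisioning time and survive profile removal, so put the settings you cannot afford to lose there and treat the profile as convenience for the user.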

Slide 10: Security Features

Secure contents
  BlackBerry: content encryption (memory card separate)
  iPhone: needs an application, e.g. Sybase iAnywhere Mobile Office Suite

Security configuration store
  BlackBerry: BES
  iPhone: Exchange policies / iPhone Configuration Utility (ICU)

Communication model
  BlackBerry: device connects to RIM, then to BES; BES is the corporate gateway
  iPhone: device connects to ActiveSync over VPN and/or the Internet; VPN for corporate apps

Live policy updates
  BlackBerry: BES provides – "continuous connection" – tight coupling
  iPhone: only when ActiveSync is reachable, over VPN or the Internet – loosely coupled

Wipe
  BlackBerry: yes, remote or manual – BES initiates – has DoD-spec wipe; memory card separate
  iPhone: yes; remote wipe requires the device to be connected to ActiveSync; manual – has erase option

Inactivity lock
  BlackBerry: BES configures
  iPhone: policy can be pushed from ActiveSync

Remote lock
  BlackBerry: yes, BES initiates
  iPhone: N/A

Sync email/calendar/notes
  BlackBerry: via BES
  iPhone: via ActiveSync

Encrypted communications
  BlackBerry: certificate exchange – PKI protects end-to-end
  iPhone: ActiveSync server connected via SSL; IPSec VPN to the corporate network

Web browser functionality
  BlackBerry: MDS provides the gateway; some applications work; BES admin must configure
  iPhone: business applications work; needs VPN or gateway; device must be configured

Access to internal net
  BlackBerry: BES/MDS
  iPhone: needs VPN or gateway; device must be configured

Slide 11: Security Features cont.

Configuration
  BlackBerry: BES pushes to device
  iPhone: policy can be pushed from ActiveSync

S/MIME
  BlackBerry: works – with the right software and an exportable cert
  iPhone: needs an application, e.g. Sybase iAnywhere Mobile Office Suite

Wireless
  BlackBerry: WEP, WPA personal & enterprise, WPA2 personal & enterprise
  iPhone: WEP, WPA personal & enterprise, WPA2 personal & enterprise, 802.1X – EAP, PEAP & LEAP

VPN
  BlackBerry: IPSec VPN – some models work with Wi-Fi; not required with BES/MDS
  iPhone: Cisco IPSec, L2TP/IPSec, PPTP

L/Q building
  BlackBerry: remove battery
  iPhone: only option is airplane mode

Startup
  BlackBerry: BES/MDS (centralized)
  iPhone: VPN (decentralized) or ICU configuration

Device management and software updates
  BlackBerry: BES or Desktop Manager
  iPhone: iTunes software update

Target audience
  BlackBerry: business user
  iPhone: consumer

Applications
  BlackBerry: many – business focus; can control tightly
  iPhone: many – consumer focused; issue of personally licensed software and introduction of malware

Application restrictions
  BlackBerry: lock with BES, whitelist
  iPhone: no limit

Slide 12: Conclusion

BlackBerry
• Moderate setup
• Moderate entry fee
• Strongly managed
• "Always on" synchronization
• Structured device software updates
• BES or desktop software can restore the configuration
• Limited application compatibility – you may need a laptop for full functionality
• Content protection and S/MIME support – native

iPhone
• Quick startup
• Low entry fee
• Loosely managed
• Syncs when ActiveSync is reachable
• Immediate device software updates
• iTunes can restore the configuration (from the desktop)
• High degree of application compatibility – able to run most business apps/webmail
• Content protection and S/MIME support – additional application required

Slide 13: Questions?

My contact information:

Email: [email protected]

Phone: (925) 422-0140