Android BYOD Security based on Trusted Network Connect » History » Version 18
Andreas Steffen, 08.04.2013 14:51
| 1 | 1 | Andreas Steffen | h1. Android BYOD Security based on Trusted Network Connect |
|---|---|---|---|
| 2 | 1 | Andreas Steffen | |
| 3 | 16 | Andreas Steffen | An experimental "BYOD version":http://www.strongswan.org/byod/strongswan-byod-1.2.0.apk of the popular "strongSwan Android VPN Client":https://play.google.com/store/apps/details?id=org.strongswan.android allows the collection of integrity measurements on Android 4.x devices. A special Android BYOD IMC written in Java communicates via the TNC IF-M 1.0 Measurement protocol with an Operating System IMV and a Port Scanner IMV. The strongSwan Android VPN Client transports the IF-M messages (RFC 5792 PA-TNC) in IF-TNCCS 2.0 Client/Server protocol batches (RFC 5793 PB-TNC) via the IF-T for Tunneled EAP Methods 1.1 Transport protocol protected by IKEv2 EAP-TTLS. |
| 4 | 2 | Andreas Steffen | |
| 5 | 10 | Andreas Steffen | h2. VPN Client Configuration |
| 6 | 9 | Andreas Steffen | |
| 7 | 9 | Andreas Steffen | !strongswan-config_small.png!:http://www.strongswan.org/byod/strongswan-config.png |
| 8 | 9 | Andreas Steffen | |
| 9 | 18 | Andreas Steffen | The Android VPN client profile *BYOD* has the following properties: |
| 10 | 18 | Andreas Steffen | |
| 11 | 18 | Andreas Steffen | * The hostname of the VPN gateway is *byod.strongswan.org*. |
| 12 | 17 | Andreas Steffen | |
| 13 | 17 | Andreas Steffen | * The user authentication is based on *IKEv2 EAP-MD5*. |
| 14 | 17 | Andreas Steffen | |
| 15 | 17 | Andreas Steffen | * Possible user names are *john* or *jane* and the user password is *byod-test*. |
| 16 | 17 | Andreas Steffen | |
| 17 | 17 | Andreas Steffen | * The *byod.strongswan.org* server certificate is issued by the *strongSwan 2009* certification authority. |
| 18 | 17 | Andreas Steffen | |
| 19 | 17 | Andreas Steffen | Therefore the "strongSwan 2009 CA certificate":http://www.strongswan.org/byod/strongswan-cert.crt must be imported into the Android certificate trust store before the first connection can be attempted. |
| 20 | 2 | Andreas Steffen | |
| 21 | 11 | Andreas Steffen | h2. Unrestricted Access (TNC recommendation is allow) |
| 22 | 2 | Andreas Steffen | |
| 23 | 12 | Andreas Steffen | !connected_small.png!:http://www.strongswan.org/byod/screenshot-01-connected.png |
| 24 | 2 | Andreas Steffen | |
| 25 | 11 | Andreas Steffen | h2. Restricted Access (TNC recommendation is isolate) |
| 26 | 2 | Andreas Steffen | |
| 27 | 8 | Andreas Steffen | * "Non-Market-Apps Security Setting":http://www.strongswan.org/byod/screenshot-09-non-market-apps-setting.png |
| 28 | 6 | Andreas Steffen | |
| 29 | 7 | Andreas Steffen | * "Install Web Server App":http://www.strongswan.org/byod/screenshot-10-kws-webserver.png |
| 30 | 6 | Andreas Steffen | |
| 31 | 14 | Andreas Steffen | !restricted_small.png!:http://www.strongswan.org/byod/screenshot-02-restricted.png !restricted-remediation_small.png!:http://www.strongswan.org/byod/screenshot-03-restricted-remediation.png !restricted-remediation-details_small.png!:http://www.strongswan.org/byod/screenshot-04-restricted-remediation-details.png |
| 32 | 2 | Andreas Steffen | |
| 33 | 11 | Andreas Steffen | h2. Blocked Access (TNC recommendation is block) |
| 34 | 2 | Andreas Steffen | |
| 35 | 5 | Andreas Steffen | * "Start Android Web Server":http://www.strongswan.org/byod/screenshot-08-webserver-active.png |
| 36 | 4 | Andreas Steffen | |
| 37 | 15 | Andreas Steffen | !failed_small.png!:http://www.strongswan.org/byod/screenshot-05-failure.png !failed-remediation_small.png!:http://www.strongswan.org/byod/screenshot-06-failure-remediation.png !failed-remediation-details_small.png!:http://www.strongswan.org/byod/screenshot-07-failure-remediation-details.png |