Android BYOD Security based on Trusted Network Connect » History » Version 22

Andreas Steffen, 08.04.2013 16:14

h1. Android BYOD Security based on Trusted Network Connect

An experimental "BYOD version":http://www.strongswan.org/byod/strongswan-byod-1.2.0.apk of the popular "strongSwan Android VPN Client":https://play.google.com/store/apps/details?id=org.strongswan.android allows the collection of integrity measurements on Android 4.x devices. A special Android BYOD IMC written in Java communicates via the TNC IF-M 1.0 Measurement protocol with an Operating System IMV and a Port Scanner IMV. The strongSwan Android VPN Client transports the IF-M messages (RFC 5792 PA-TNC) in IF-TNCCS 2.0 Client/Server protocol batches (RFC 5793 PB-TNC) via the IF-T for Tunneled EAP Methods 1.1 Transport protocol, protected by IKEv2 EAP-TTLS.

h2. VPN Client Configuration

!strongswan-config_small.png!:http://www.strongswan.org/byod/strongswan-config.png

The Android VPN client profile *BYOD* has the following properties:

* The hostname of the VPN gateway is *byod.strongswan.org*.
* The user authentication is based on *IKEv2 EAP-MD5*.
* Possible user names are *john* or *jane* and the user password is *byod-test*.
* The *byod.strongswan.org* server certificate is issued by the *strongSwan 2009* certification authority.

Therefore the "strongSwan 2009 CA certificate":http://www.strongswan.org/byod/strongswan-cert.crt must be imported into the Android certificate trust store before the first connection can be attempted.

h2. Unrestricted Access (TNC recommendation is allow)

!connected_small.png!:http://www.strongswan.org/byod/screenshot-01-connected.png

If the BYOD IMC (Integrity Measurement Collector) does not detect and report any security issues to the OS, Scanner and Attestation IMVs (Integrity Measurement Verifiers) via the IF-M message protocol, then the TNC Server located in the combined strongSwan PDP/PEP decides to give the VPN client full access to the corporate network.

h2. Restricted Access (TNC recommendation is isolate)

User *John* now makes the following changes on his Android phone:

!non-market-apps-setting_small.png!:http://www.strongswan.org/byod/screenshot-09-non-market-apps-setting.png !kws-webserver_small.png!:http://www.strongswan.org/byod/screenshot-10-kws-webserver.png

* If the *Unknown sources* flag is activated in the *Settings/Security* configuration menu of the Android device, a user might be lured into downloading malicious Apps via manipulated links. Setting this flag therefore poses a grave security risk.
* The user also decides to download and install an Android Web Server from the official Google Play Store.

The next time *John* tries to access his home network, he is granted only restricted access and his VPN Client is directed to a remediation network.

!restricted_small.png!:http://www.strongswan.org/byod/screenshot-02-restricted.png !restricted-remediation_small.png!:http://www.strongswan.org/byod/screenshot-03-restricted-remediation.png !restricted-remediation-details_small.png!:http://www.strongswan.org/byod/screenshot-04-restricted-remediation-details.png

h2. Blocked Access (TNC recommendation is block)

User *John* now starts the installed Android Web Server because he wants to manage his phone remotely in a much more comfortable way from his laptop computer. The Web Server is listening on TCP port 8080, potentially allowing a hacker to access the phone and take full control of it:

!webserver-active_small.png!:http://www.strongswan.org/byod/screenshot-08-webserver-active.png

Since this poses a severe security breach, user *John* is blocked from accessing the network and the VPN connection setup fails.

!failed_small.png!:http://www.strongswan.org/byod/screenshot-05-failure.png !failed-remediation_small.png!:http://www.strongswan.org/byod/screenshot-06-failure-remediation.png !failed-remediation-details_small.png!:http://www.strongswan.org/byod/screenshot-07-failure-remediation-details.png
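The three outcomes described above (allow, isolate, block) modelled as a small policy evaluator: each IMV judges the measurements the IMC reported, and the TNC Server takes the most restrictive recommendation and collects the remediation instructions for the client. This is an added example, not the strongSwan IMC/IMV code; the measurement names, the port whitelist, the package name and the remediation texts are assumptions.

```python
# Constructed model of the TNC decision flow on this page; not strongSwan code.
from __future__ import annotations
from dataclasses import dataclass, field

# TNC action recommendations, ordered from least to most restrictive
ALLOW, ISOLATE, BLOCK = "allow", "isolate", "block"
SEVERITY = {ALLOW: 0, ISOLATE: 1, BLOCK: 2}


@dataclass
class Measurements:
    """What the BYOD IMC would report about the device (assumed field names)."""
    unknown_sources: bool                         # Settings/Security "Unknown sources" flag
    installed_packages: set[str] = field(default_factory=set)
    listening_tcp_ports: set[int] = field(default_factory=set)


def os_imv(m: Measurements) -> tuple[str, str | None]:
    """Operating System IMV: accepting non-market Apps is a risk, so the device is isolated."""
    if m.unknown_sources:
        return ISOLATE, "Disable 'Unknown sources' in Settings/Security"
    return ALLOW, None


def port_scanner_imv(m: Measurements, allowed_ports=frozenset()) -> tuple[str, str | None]:
    """Port Scanner IMV: an unexpected listening TCP port is treated as a breach and blocked."""
    open_ports = sorted(m.listening_tcp_ports - allowed_ports)
    if open_ports:
        return BLOCK, f"Stop the service(s) listening on TCP port(s) {open_ports}"
    return ALLOW, None


def tnc_server_decision(m: Measurements, allowed_ports=frozenset()) -> tuple[str, list[str]]:
    """PDP side: the most restrictive IMV recommendation wins; every remediation hint is kept."""
    results = [os_imv(m), port_scanner_imv(m, allowed_ports)]
    overall = max((rec for rec, _ in results), key=SEVERITY.get)
    remediation = [text for _, text in results if text]
    return overall, remediation


if __name__ == "__main__":
    clean = Measurements(unknown_sources=False)
    risky = Measurements(unknown_sources=True, installed_packages={"com.example.webserver"})
    breached = Measurements(unknown_sources=True, installed_packages={"com.example.webserver"},
                            listening_tcp_ports={8080})
    for device in (clean, risky, breached):
        print(tnc_server_decision(device))
```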