Android BYOD Security based on Trusted Network Connect » History » Version 23
Version 22 (Andreas Steffen, 08.04.2013 16:14) → Version 23/32 (Andreas Steffen, 08.04.2013 16:26)
h1. Android BYOD Security based on Trusted Network Connect
An experimental "BYOD version":http://www.strongswan.org/byod/strongswan-byod-1.2.0.apk of the popular "strongSwan Android VPN Client":https://play.google.com/store/apps/details?id=org.strongswan.android allows the collection of integrity measurements on Android 4.x devices. A special Android BYOD IMC written in Java communicates via the TNC IF-M 1.0 Measurement protocol with an Operating System IMV and a Port Scanner IMV. The strongSwan Android VPN Client transports the IF-M messages (RFC 5792 PA-TNC) in IF-TNCCS 2.0 Client/Server protocol batches (RFC 5793 PB-TNC) via the IF-T for Tunneled EAP Methods 1.1 Transport protocol protected by IKEv2 EAP-TTLS.
h2. VPN Client Configuration
!strongswan-config_small.png!:http://www.strongswan.org/byod/strongswan-config.png
The Android VPN client profile *BYOD* has the following properties:
* The hostname of the VPN gateway is *byod.strongswan.org*.
* The user authentication is based on *IKEv2 EAP-MD5*.
* Possible user names are *john* or *jane* and the user password is *byod-test*.
* The *byod.strongswan.org* server certificate is issued by the *strongSwan 2009* certification authority.
Therefore the "strongSwan 2009 CA certificate":http://www.strongswan.org/byod/strongswan-cert.crt must be imported into the Android certificate trust store before the first connection can be attempted.
h2. Unrestricted Access (TNC recommendation is allow)
!connected_small.png!:http://www.strongswan.org/byod/screenshot-01-connected.png
If the BYOD IMC (Integrity Measurement Collector) does not detect and report any security issues to the OS, Scanner and Attestation IMVs (Integrity Measurement Verifiers) via the IF-M message protocol, then the TNC Server located in the combined strongSwan PDP/PEP decides to give the VPN client full access to the corporate network.
h2. Restricted Access (TNC recommendation is isolate)
User *John* now makes the following changes on his Android phone:
!non-market-apps-setting_small.png!:http://www.strongswan.org/byod/screenshot-09-non-market-apps-setting.png !unknown-sources-warning_small.png!:http://www.strongswan.org/byod/screenshot-11-unknown-sources-warning.png !kws-webserver_small.png!:http://www.strongswan.org/byod/screenshot-10-kws-webserver.png
* If the *Unknown sources* flag is activated in the *Settings/Security* configuration menu of the Android device, a user might be lured into downloading malicious apps via manipulated links. Setting this flag therefore poses a grave security risk.
* The user also decides to download and install an Android Web Server from the official Google Play Store.
The next time *John* tries to access his home network, he is granted only restricted access and his VPN Client is directed to a remediation network.
!restricted_small.png!:http://www.strongswan.org/byod/screenshot-02-restricted.png !restricted-remediation_small.png!:http://www.strongswan.org/byod/screenshot-03-restricted-remediation.png !restricted-remediation-details_small.png!:http://www.strongswan.org/byod/screenshot-04-restricted-remediation-details.png
h2. Blocked Access (TNC recommendation is block)
User *John* now starts the installed Android Web Server because he wants to manage his phone remotely in a much more comfortable way from his laptop computer. The Web Server is listening on TCP port 8080, potentially allowing a hacker to access the phone and take full control of it:
!webserver-active_small.png!:http://www.strongswan.org/byod/screenshot-08-webserver-active.png
Since this poses a severe security breach, user *John* is blocked from accessing the network and the VPN connection setup fails.
!failed_small.png!:http://www.strongswan.org/byod/screenshot-05-failure.png !failed-remediation_small.png!:http://www.strongswan.org/byod/screenshot-06-failure-remediation.png !failed-remediation-details_small.png!:http://www.strongswan.org/byod/screenshot-07-failure-remediation-details.png
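To make the three outcomes above concrete, here is an added Python model (not strongSwan code) of how a TNC server could combine the verdicts of the Operating System IMV and the Port Scanner IMV into a single allow/isolate/block decision; the measurement fields, the port allow-list parameter and the remediation strings are assumptions made for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Tuple


class Recommendation(IntEnum):
    """PB-TNC Access Recommendation codes (RFC 5793, PB-Access-Recommendation)."""
    ALLOW = 1    # Access Allowed
    BLOCK = 2    # Access Denied
    ISOLATE = 3  # Quarantined (remediation network)


@dataclass
class Measurements:
    """Hypothetical measurements reported by the BYOD IMC (constructed for this example)."""
    unknown_sources: bool            # state of the Settings/Security 'Unknown sources' flag
    listening_tcp_ports: List[int]   # TCP ports found listening on the device


def os_imv(m: Measurements) -> Tuple[Recommendation, str]:
    """Operating System IMV: an enabled 'Unknown sources' flag calls for remediation."""
    if m.unknown_sources:
        return Recommendation.ISOLATE, "disable 'Unknown sources' under Settings/Security"
    return Recommendation.ALLOW, ""


def scanner_imv(m: Measurements, allowed_ports: Tuple[int, ...] = ()) -> Tuple[Recommendation, str]:
    """Port Scanner IMV: any listening TCP port outside the allow-list blocks access."""
    open_ports = sorted(p for p in m.listening_tcp_ports if p not in allowed_ports)
    if open_ports:
        return Recommendation.BLOCK, f"stop services listening on TCP ports {open_ports}"
    return Recommendation.ALLOW, ""


# The wire codes are not ordered by severity (ISOLATE=3 > BLOCK=2), so rank them explicitly.
SEVERITY = {Recommendation.ALLOW: 0, Recommendation.ISOLATE: 1, Recommendation.BLOCK: 2}


def tnc_server_decision(m: Measurements) -> Tuple[Recommendation, List[str]]:
    """Combine all IMV recommendations: the most restrictive verdict wins,
    and every non-empty remediation hint is passed back to the client."""
    verdicts = [os_imv(m), scanner_imv(m)]
    final = max((rec for rec, _ in verdicts), key=SEVERITY.__getitem__)
    remediation = [hint for _, hint in verdicts if hint]
    return final, remediation


if __name__ == "__main__":
    # The three scenarios from this page, as constructed inputs.
    for label, meas in [("clean phone", Measurements(False, [])),
                        ("unknown sources on", Measurements(True, [])),
                        ("web server on 8080", Measurements(True, [8080]))]:
        print(label, "->", tnc_server_decision(meas))
```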