iPhone vs. BlackBerry: young upstart meets old standard
Lee Neely, CISSP, MSP, ISSO
Lawrence Livermore National Laboratory, P. O. Box 808, Livermore, CA
LLNL-PRES-412835
June 2, 2009
This work performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract DE-AC52-07NA27344
Slide 2: Why are we here?
- LLNL users are asking for the iPhone
- LLNL BlackBerry implementation is not production
- Claims were made that the iPhone can be implemented for “free”
- Rumors of personally owned iPhones being used for LLNL work
Slide 3: Examine the devices
Basic assumptions:
- Corporate /VPN pre-exists
- ActiveSync/Exchange on internal network
- BlackBerry Enterprise Server (BES) can reach the Internet
- Not looking at “illegal” device configurations
What to look at:
- Device focus
- Device startup
- Device configuration status
- Device security settings
Slide 4: Device Focus
BlackBerry:
- “Corporate” device
- Many security features
- Business applications (new app store released)
- Optimized for centralized management
- Runs device-specific software
- CDMA/GSM/Wi-Fi
- Verizon/AT&T/Sprint/etc.
iPhone:
- “Consumer” device
- Nominal security
- Lots of “new and cool” apps
- Optimized for individual management
- Runs a version of Mac OS X
- GSM/Wi-Fi
- AT&T service only
Slide 5: Device Startup – minimal impact
BlackBerry:
- Use BlackBerry Internet Service (BIS) to get mail to the device; user configures
- If using Wi-Fi, use VPN to reach corporate apps
- Time: per device, ten minutes; pre-setup, nominal
iPhone:
- Configure built-in VPN to access corporate network (configuration can be sent to device)
- Device accesses existing services; user configures: ActiveSync if Exchange, POP/IMAP services if using Web Applications
- Time: per device, ten minutes; pre-setup, configuration setting file (optional)
Slide 6: Device Startup – “full” corporate integration
BlackBerry:
- Install and configure BES
- Enterprise Activate device; /Calendar/etc. configured
- Applications pushed/white listed
- Corporate application access depends on MDS
- Time: per device, enterprise activation time (5-20 minutes); pre-setup, BES
iPhone:
- Create configuration with iPhone Configuration Utility (ICU) and deploy to a secure web server in the DMZ
- Edit iPhone policies in Exchange (optional)
- Install and configure ActiveSync in the DMZ
- User finalizes configuration (username/passwords)
- Time: per device, “two” minutes; pre-setup, configuration, ActiveSync, etc.
Slide 7: Simplified Infrastructure: Exchange access (diagram)
Slide 8: Simplified Infrastructure: Application access (diagram)
Slide 9: Where does that leave you?
BlackBerry:
- Managed when connected to BES, which is full time
- Continuous user content push
- Immediate access to corporate applications
- Security policies “permanent”
iPhone:
- Managed only when it can reach ActiveSync (VPN, DMZ, or hole in firewall)
- User content updates only when it can reach ActiveSync; DMZ solves this
- Access to corporate applications only when VPN connected
- Settings can be removed; deletion removes data
Slide 10: Security Features (Function: BlackBerry / iPhone)
Secure Contents
  BlackBerry: Content encryption (memory card separate)
  iPhone: Need application, e.g. Sybase iAnywhere Mobile Office Suite
Security Configuration store
  BlackBerry: BES
  iPhone: Exchange policies / iPhone Configuration Utility (ICU)
Communication Model
  BlackBerry: Device connects to RIM, then to BES; BES is the corporate gateway.
  iPhone: Device connects to ActiveSync over VPN and/or Internet; VPN for corporate apps.
Live Policy Updates
  BlackBerry: BES provides; “continuous connection”, tight coupling
  iPhone: When ActiveSync is reachable, over VPN or Internet; loosely coupled
Wipe
  BlackBerry: Yes, remote or manual; BES initiates; has DOD-spec wipe. Memory card separate.
  iPhone: Yes; remote wipe requires the device to be connected to ActiveSync; manual wipe has an erase option.
Inactivity Lock
  BlackBerry: BES configures
  iPhone: Policy can be pushed from ActiveSync
Remote Lock
  BlackBerry: Yes, BES initiates
  iPhone: N/A
Sync /calendar/notes
  BlackBerry: Via BES
  iPhone: Via ActiveSync
Encrypted communications
  BlackBerry: Certificate exchange; PKI protects end-to-end
  iPhone: ActiveSync server connected via SSL; IPSec VPN to corporate network
Web Browser functionality
  BlackBerry: MDS provides gateway; some applications work; BES admin must configure
  iPhone: Business applications work; need VPN or gateway; device configured
Access to internal Net
  BlackBerry: BES/MDS
  iPhone: Need VPN or gateway; device configured
Slide 11: Security Features cont. (Function: BlackBerry / iPhone)
Configuration
  BlackBerry: BES pushes to device
  iPhone: Policy can be pushed from ActiveSync
S/MIME
  BlackBerry: Works, with the right software and an exportable certificate
  iPhone: Need application, e.g. Sybase iAnywhere Mobile Office Suite
Wireless
  BlackBerry: WEP, WPA personal & enterprise, WPA2 personal & enterprise
  iPhone: WEP, WPA personal & enterprise, WPA2 personal & enterprise, 802.1X (EAP, PEAP & LEAP)
VPN
  BlackBerry: IPSec VPN; some models work with Wi-Fi; not required with BES/MDS
  iPhone: Cisco IPSec, L2TP/IPSec, PPTP
L/Q Building
  BlackBerry: Remove battery
  iPhone: Only option is airplane mode
Startup
  BlackBerry: BES/MDS (centralized)
  iPhone: VPN (decentralized) or ICU configuration
Device Management and Software Updates
  BlackBerry: BES or Desktop Manager
  iPhone: iTunes software update
Target Audience
  BlackBerry: Business user
  iPhone: Consumer
Applications
  BlackBerry: Many, business focus; can control tightly
  iPhone: Many, consumer focused; issue of personally licensed software and introduction of malware
Application restrictions
  BlackBerry: Lock with BES, white list
  iPhone: No limit
Slide 12: Conclusion
BlackBerry:
- Moderate setup
- Moderate entry fee
- Strongly managed
- “Always on” synchronization
- Structured device software updates
- BES or Desktop Software can restore configuration
- Limited application compatibility; you may need a laptop for full functionality
- Content protection and S/MIME support are native
iPhone:
- Quick startup
- Low entry fee
- Loosely managed
- Syncs when ActiveSync is reachable
- Immediate device software updates
- iTunes can restore configuration (from desktop)
- High degree of application compatibility; able to run most business apps/webmail
- Content protection and S/MIME support require an additional application
Slide 13: Questions?
My contact information: Phone: (925)