The BES host-based or appliance firewall must be configured as required.

From BlackBerry Enterprise Server (version 5.x), Part 2 Security Technical Implementation Guide

Part of Configure BES firewall as required

SV-21031r3_rule The BES host-based or appliance firewall must be configured as required.

Vulnerability discussion

A BlackBerry user could gain access to unauthorized network resources (application and content servers, etc.) if the BES firewall is not set up as required.

Check content

Detailed Policy Requirements:

The BES host-based or appliance firewall must be configured as required. The BES firewall is configured with the following rules:

- Deny all except when explicitly authorized.
- Internal traffic from the BES is limited to internal systems used to host the BlackBerry services (e.g., email and LDAP servers) and AO-approved back-office application and content servers. Communications with other services, clients, and/or servers are not authorized.
- Internet traffic from the BES is limited to only those specified BlackBerry services (e.g., BlackBerry SRP server, OCSP, SSL/TLS, HTTP, and LDAP). All outbound connections are initiated by the BlackBerry system and/or service.
- Firewall settings listed in Section 3.13 of the BlackBerry STIG Overview will be implemented, including blocking connections to web proxy servers and back-office application and content servers unless the server Internet Protocol (IP) address is on the firewall list of trusted IP addresses and subnets.

Note: At a minimum, the IP address of the site Internet proxy server must be listed so the BlackBerry Browser can connect to the Internet.

Note: The HBSS firewall can be used to meet these requirements if one or more firewall rules have been set up on the firewall as described above.

Check Procedures:

Verify the firewall configuration meets approved architecture configuration requirements (or have the network reviewer do the review of the firewall). Use Table 3-5 in the BlackBerry STIG Overview when using the non-segmented architecture and Tables 3-6 and 3-7 when using the segmented architecture for required firewall rules.

Verify the firewall is configured to block connections to internal servers unless the server IP address is included on the list of trusted networks. IP addresses of the enclave web proxy server and authorized back-office application and content servers that the BES connects to should be included on this list.
If a list of trusted networks by IP address is not configured on the BES host-based firewall, this is a finding.
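The following is an added example, not part of the STIG or of any BlackBerry or HBSS tooling, showing how a reviewer could script the check above against an exported firewall policy: the default outbound action must be deny, a non-empty trusted-network list must exist, the Internet proxy address must be on it, and every outbound allow rule must point only at trusted addresses. The policy data model, rule names, and all IP addresses are constructed for illustration; approved external BlackBerry services (SRP, OCSP, etc.) are represented here simply by adding their addresses to the trusted list.

```python
"""Audit a BES host firewall policy against the STIG rules in the check content.
Constructed example: the Rule/FirewallPolicy model and all addresses are
illustrative, not an export format of any real firewall product."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    direction: str              # "out" or "in"
    destinations: list          # CIDR strings; "any" means unrestricted
    ports: list = field(default_factory=list)


@dataclass
class FirewallPolicy:
    default_outbound: str       # "allow" or "deny"
    rules: list


def build_trusted_networks(cidrs):
    """Parse the firewall's list of trusted IP addresses and subnets."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_trusted(cidr, trusted):
    """True if every address in cidr falls inside one trusted network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(t) for t in trusted if t.version == net.version)


def audit_policy(policy, trusted_cidrs, proxy_ip):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    trusted = build_trusted_networks(trusted_cidrs)

    # The STIG check: no trusted-network list configured is itself a finding.
    if not trusted:
        findings.append("No list of trusted networks is configured")

    # "Deny all except when explicitly authorized."
    if policy.default_outbound != "deny":
        findings.append("Default outbound action is not deny")

    # At a minimum the site Internet proxy must be on the trusted list.
    if not any(ipaddress.ip_address(proxy_ip) in t for t in trusted):
        findings.append(f"Internet proxy {proxy_ip} is not on the trusted list")

    # Every outbound allow rule must target only trusted addresses/subnets.
    for r in policy.rules:
        if r.action != "allow" or r.direction != "out":
            continue
        for dst in r.destinations:
            if dst == "any":
                findings.append(f"Rule '{r.name}' allows outbound to any destination")
            elif not is_trusted(dst, trusted):
                findings.append(f"Rule '{r.name}' allows outbound to untrusted {dst}")
    return findings


# Constructed sample data: an internal server subnet plus the proxy address.
TRUSTED = ["10.20.0.0/24", "10.20.5.10/32"]
PROXY_IP = "10.20.5.10"


def example_compliant():
    policy = FirewallPolicy("deny", [
        Rule("bes-to-mail", "allow", "out", ["10.20.0.15/32"], [25]),
        Rule("bes-to-ldap", "allow", "out", ["10.20.0.16/32"], [389]),
        Rule("bes-to-proxy", "allow", "out", ["10.20.5.10/32"], [8080]),
    ])
    return audit_policy(policy, TRUSTED, PROXY_IP)


def example_noncompliant():
    policy = FirewallPolicy("allow", [
        Rule("bes-to-mail", "allow", "out", ["10.20.0.15/32"], [25]),
        Rule("content-server", "allow", "out", ["192.0.2.44/32"], [80]),
        Rule("https-anywhere", "allow", "out", ["any"], [443]),
    ])
    return audit_policy(policy, TRUSTED, PROXY_IP)


if __name__ == "__main__":
    print("compliant policy findings:", example_compliant())
    print("non-compliant policy findings:", example_noncompliant())
```

The non-compliant sample produces three findings (permissive default action, an untrusted content server, and an unrestricted HTTPS rule), which map directly onto the "this is a finding" criteria of the check; running the same function with an empty trusted list yields the missing-list finding plus the proxy finding.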

Fix text

The BES host-based or appliance firewall is configured as required.
