Securing Android For the Enterprise
Orome1 writes "While many companies use IPsec for secure remote access to their networks, no integrated IPsec VPN client is available on Android. Apple has already fixed this shortcoming in iOS, in part because it wanted to make the iPhone attractive for businesses. The Android operating system doesn't just lack an integrated IPsec VPN client, it also makes installing and configuring third-party VPN software quite complicated. IPsec VPN clients have to be integrated into the kernel of each device, and the client software has to be installed specifically for a memory area. This means that the firmware of each Android smartphone or tablet has to be modified accordingly. Until a 'real' IPsec VPN client is available, Android users can use their devices' integrated VPN clients based on PPTP or L2TP, which is deployed over IPsec. A 'real' IPsec VPN connection, however, is more secure because it encrypts data prior to authentication."
OpenSSH (Score:5, Informative)
Use OpenSSH. You can tunnel TCP over SSH, it works very nicely on iphones and nokia n900's. I've not tested it on android but It should work.
The very last thing anyone should be doing is bridging their networks to a mobile phone.
Re:It's not just about the VPN aspect (Score:5, Informative)
Re:It's not just about the VPN aspect (Score:4, Informative)
Android needs some sort of remote wipe software to make it even remotely feasible for most businesses. For example, the government requires remote wipe, and some sort of encryption. Until Android has a solution for these two, the VPN-less capability is moot.
Like this? [good.com]
Re:It's not just about the VPN aspect (Score:5, Informative)
Remote wipe has apparently been supported via activesync since android 2.2
Re:Not surprised (Score:5, Informative)
You're actually more misinformed now. Android does in fact have IPsec capabilities, as well as PPTP and L2TP. It's had this for a while. I don't know why no one's mentioned that the article is just plain wrong.
It does lack OpenVPN, though, which has been a bit of a thorn in my side - software exists to add this functionality, but so far they all require root privileges, as far as I know.
Cisco IPSec VPN now supported in Android 4.0 (ICS) (Score:5, Informative)
"Proper" Cisco VPN support (i.e. with group usernames and passwords) was added in 4.0 (Ice-Cream Sandwich) and works very well indeed. Be aware that there appears to be a bug in 4.0.1 and 4.0.2 on the GSM Galaxy Nexus which causes it to reboot as soon as you pass data over a VPN connected via 3G... wifi works fine.
I'm running an AOSP (kang) 4.0.3 here and this has now been fixed. I believe the official 4.0.3 is just around the corner, so yey! This has been my top #1 feature request since Android day 1 and I bought the GN specifically because of it. Yey Glooge!
Daern
I must be from another dimension (Score:2, Informative)
I am doing IPSec on my stock ICS phone right now.
Re:Not surprised (Score:5, Informative)
I thought the same thing, I've been using the integrated L2TP client on my android phone, and it's only Froyo.
Re:Not the problem (Score:4, Informative)
It's not standard as part of Android (or at least it wasn't in 2.0 - 2.3), there is however the option on the AOSP port of ICS (4.0.3) to do full device encryption, so that may be a standard feature now.
That said, there are many phones which have supported this for a long time, but the feature was added by the vendor and is not a default function of Android itself.
Re:Stupid article is stupid (Score:5, Informative)
Stupid article is stupid because the *current* version of Android actually has full native IPSec support. I wish this were just a case of Slashdot being late to post, but TFA is dated Jan 3rd 2012 so it must just be a blogger who's not up with the times.
Already there (Score:5, Informative)
Re:Cisco IPSec VPN now supported in Android 4.0 (ICS) (Score:5, Informative)
""Proper" Cisco VPN support (i.e. with group usernames and passwords) was added in 4.0 (Ice-Cream Sandwich) and works very well indeed. Be aware that there appears to be a bug in 4.0.1 and 4.0.2 on the GSM Galaxy Nexus which causes it to reboot as soon as you pass data over a VPN connected via 3G... wifi works fine."
You say "works very well." I don't think it means what you think it means.
To clarify: It works very well indeed, but in 4.0.1 and 4.0.2 it only works with WiFi. Apparently, the 4.0.2 LTE version works fine on both WiFi and cellular connections.
In 4.0.3 it works very well on both WiFi and 3G and is a monumentally excellent feature to be added :-)
Re:OpenSSH (Score:5, Informative)
Hi, new poster here but have been lurking for about a decade -- but as fucked up as IPSec is, there are some important benefits:
* IPSec tunnels your traffic over an unreliable datagram protocol (either IP protocol ESP or over some UDP port -- I forget the number). This avoids the performance problems of running a reliable protocol (TCP) over another reliable protocol (TCP). Some time since I looked at this, but IIRC, retransmits in the upper protocol kill you. Probably not too big a problem if you aren't running significant traffic.
* IPSec is processed in kernel mode which improves processing performance. This isn't as important on the client which is only handling one tunnel as it is on the gateway which is handling many connections and where the CPU load could be important. Disadvantage is that a bug in IPSec is a bug in kernelspace.
* Of course anyone doing something like this should terminate the IPSec connection on a network outside their LAN and should also consider blocking comms between indials.
Just wish whoever designed IPSec had done a proper job.
Re:It's not just about the VPN aspect (Score:2, Informative)
Android has by far the best cryptography suite [guardianproject.info] amongst all phone/tablet OSs, well, unless you're running vanilla Linux on a tablet.
VPN Client API (Score:4, Informative)
This is false. Since Android 4.0 there is an API to add new VPN clients [android.com] without the need to build kernel modules:
Enhancements for Enterprise
VPN client API
Developers can now build or extend their own VPN solutions on the platform using a new VPN API and underlying secure credential storage. With user permission, applications can configure addresses and routing rules, process outgoing and incoming packets, and establish secure tunnels to a remote server. Enterprises can also take advantage of a standard VPN client built into the platform that provides access to L2TP and IPSec protocols.
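As an added illustration of the VPN client API quoted above (example code written for this page, not taken from the Android documentation or any project), here is a minimal android.net.VpnService subclass that asks the platform for the tunnel interface, address and routes, then reads the raw IP packets the OS routes into it. The session name, the 10.8.0.x addresses and the forwardPacket transport are placeholders.

```java
import android.content.Intent;
import android.net.VpnService;
import android.os.ParcelFileDescriptor;
import java.io.FileInputStream;
import java.io.IOException;

// Hypothetical client on android.net.VpnService (added in Android 4.0, API level 14). The manifest
// must declare it with android.permission.BIND_VPN_SERVICE and the app must first call VpnService.prepare().
public class ExampleVpnService extends VpnService {
    private ParcelFileDescriptor tun;

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        // The platform creates the TUN device and routes; no kernel module or firmware change.
        tun = new Builder()
                .setSession("example-vpn")   // label shown in the system VPN notification
                .addAddress("10.8.0.2", 32)  // placeholder tunnel-side address
                .addRoute("0.0.0.0", 0)      // full tunnel: all IPv4 traffic goes through us
                .addDnsServer("10.8.0.1")    // placeholder resolver reachable inside the tunnel
                .establish();                // null if the user has not granted consent
        if (tun == null) { stopSelf(); return START_NOT_STICKY; }
        new Thread(this::pumpPackets, "vpn-worker").start();
        return START_STICKY;
    }

    // Reads the raw IP packets the OS hands to the tunnel and inspects each before forwarding.
    private void pumpPackets() {
        byte[] buf = new byte[32767];
        try (FileInputStream in = new FileInputStream(tun.getFileDescriptor())) {
            while (true) {
                int len = in.read(buf);
                if (len < 0) break;                                 // tunnel closed
                if (len < 20 || (buf[0] >> 4) != 4) continue;       // only well-formed IPv4
                int proto = buf[9] & 0xff;                          // 6 = TCP, 17 = UDP, 1 = ICMP
                forwardPacket(buf, len, proto);
            }
        } catch (IOException e) {
            stopSelf();   // read fails once onDestroy() closes the descriptor
        }
    }

    // Placeholder transport: a real client encrypts and authenticates the packet, then sends
    // it on a socket excluded from the tunnel via protect(socket) to avoid a routing loop.
    private void forwardPacket(byte[] data, int len, int proto) { }

    @Override
    public void onDestroy() {
        try { if (tun != null) tun.close(); } catch (IOException ignored) { }
    }
}
```

Because the service runs in the app's own process, a bug in it is confined to that process and its sandbox rather than to kernel space, which is the trade-off against the in-kernel IPsec processing discussed earlier in the thread.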
Re:Stupid article is stupid (Score:4, Informative)
I'm running Gingerbread and have a VPN option with PPTP, L2TP, & OpenVPN. Could be a CyanogenMod feature but I don't think so.
OpenVPN is a Cyanogenmod addition: [source] [wikipedia.org]