Securing Android For the Enterprise 136
Orome1 writes "While many companies use IPsec for secure remote access to their networks, no integrated IPsec VPN client is available on Android. Apple has already fixed this shortcoming in iOS, in part, because it wanted make the iPhone attractive for businesses. The Android operating system doesn't just lack an integrated IPsec VPN client, it also makes installing and configuring third-party VPN software quite complicated. IPsec VPN clients have to be integrated into the kernel of each device, and the client software has to be installed specifically for a memory area. This means that the firmware of each Android smartphone or tablet has to be modified accordingly. Until a 'real' IPsec VPN client is available, Android users can use their devices' integrated VPN clients based on PPTP or L2TP, which is deployed over IPsec. A 'real' IPsec VPN connection, however, is more secure because it encrypts data prior to authentication."
Sigh, this is normal for IPSec (Score:5, Interesting)
IPSec was designed as an add-on for IPv6 back in the '90's and backported to IPv4. Unfortunately, it wasn't one of the well tested parts of the standard with many years of experience behind it, instead it was a recognition than encryption would become more important, and hopefully ubiquitous.
But nothing has happened. Instead of becoming the normal way to encrypt data across the internet it's been sidelined to enterprise VPNs were it does quite well because of the very long protocol documentation it has. This is perfect for breaking the finger pointing crap that is so common in that environment. For general use encryption is still done at the application level.
I think the worst problem is the usual suspect: key distribution. There is no reasonable way of ensuring that the right key data gets to the right clients. Though I had hopes for DNSSEC...
But the problem here isn't that. The problem is the original expectation that ALL data would become encrypted. Because of this they inserted the encryption into the middle of the IP stack (a shim if you will) which sometimes converts TCP/IP packets into TCP/IPSec/IP packets without changing the IP addresses or routing or anything else. Because of this design decision the exact version/variant of the IPSec protocol HAS to exist in the kernel binary. You can't work around this.
Every other VPN solution does it the right way. Actually creating a Virtual Private Network Adaptor for a Virtual Private Network Wire onto a Virtual Private Network. So you actually have a visible private network and you can see the routing and you can enforce firewall rules (or reverse path rules). What's more because of this every single one of them can easily be altered to work purely in userspace repurposing whatever virtual adaptor may be available on the platform be it PPP/SLIP/TAP or someone else's VPN adaptor. With this the horrific complexity that is IPSec can be avoided because you can run two versions of the VPN client on the same machine preserving compatibility by keeping old (put patched) versions of the software rather than creating a rats nest of compatibility hacks within the standard itself.
The end result, IPSec is avoided unless somebody "requires" this enterprisey solution AND will be paying for it.
article is out of date - Android 4.0 ICS update (Score:4, Interesting)
This article is out of date the following IPsec VPN options are available on a Google Nexus Galaxy from Verizon running Android ICS (4.0)
IPsec XAUTH PSK
IPsec XAUTH RSA
IPSEC Hybrid RSA
Android 4.0 supports standard IP sec gateways as well as Cisco's proprietary Xauth -- and unlike apple the android release does NOT require a company go out and buy a new Cisco Pix running IOS 7.0 or higher like the Apple iPhone 4 does (Iphone doesn't support xauth rsa profile). .. ahem, oversight on the iPhone made it so our company chose NOT to reimburse employees for iPhones since they can't be used for work -- so at least for our company if employees want reimbursement for phones, they need to purchase a device that's compatible.
This little
While I'm ranting-- I figured I'd also say that I wish either vendor apple/cisco natively supported OpenVPN so I could kill off my IPSec VPN I'd be thrilled, and the first vendor who does will receive the "recommended device" status for our employees.
IPSec is my last choice, not my first - it's not well suited for modern day deployments anyway since it doesn't work through some NAT gateways (at many hotels), and it *never* works [by design] if two people on the same network are connecting to the same endpoint from behind the same nat firewall (ex: two employees at the same coffee shop both trying to do their work.. or a husband wife who both work for the same company trying to concurrently connect to their own home network)
As NAT becomes more and more common (aren't we out of IPv4 addresses?) IPsec will cede way to more flexible solutions like OpenVPN.
Re:OpenSSH (Score:5, Interesting)
because any simple solution like OpenSSH must be bad
The problem with OpenSSH - indeed the problem with most of these "simple" solutions is that they're only simple from the perspective of the IT department. They utterly fail the Marcus test.
(Before you ask - "Marcus" is a hypothetical employee. He is a man of perfectly normal intelligence but relatively little in the way of computer skills. If you're expecting him to do anything clever with his computer such as connect to the corporate network remotely, you need the instructions to be as short as possible, as easy to follow as possible with the bare minimum of extra boxes to tick or dialogs to fill in. Anything that gets in the way of that is a Bad Thing. If your instructions for Marcus are 30 steps spread across 6 pages of closely-typed text with no illustrations, he's got precisely zero chance of following them.)