Securing Android For the Enterprise

Orome1 writes "While many companies use IPsec for secure remote access to their networks, no integrated IPsec VPN client is available on Android. Apple has already fixed this shortcoming in iOS, in part, because it wanted make the iPhone attractive for businesses. The Android operating system doesn't just lack an integrated IPsec VPN client, it also makes installing and configuring third-party VPN software quite complicated. IPsec VPN clients have to be integrated into the kernel of each device, and the client software has to be installed specifically for a memory area. This means that the firmware of each Android smartphone or tablet has to be modified accordingly. Until a 'real' IPsec VPN client is available, Android users can use their devices' integrated VPN clients based on PPTP or L2TP, which is deployed over IPsec. A 'real' IPsec VPN connection, however, is more secure because it encrypts data prior to authentication."

Oh

[deep9x]

I really thought this article was going to be about Data.

Re:Oh

[93 Escort Wagon]

I really thought this article was going to be about Data.

I thought even the PHB types had given up ending sentencies with 'for the Enterprise'.

I thought... WHOOSH!

Would you have gotten the joke if he'd used "Lore" instead of "Data"?

Re:Oh

[dotancohen]

I got the joke so go employ that dumb WHOOSH meme elsewhere, or better not at all.

I mearly commented that the use of the phrase 'for the Enterprise' is stupid for reasons other than star trek references.

You mean that you replies to the top-most thread with an off-topic post instead of starting a new thread so that your post would show up at the top of the page?

Re:

[1s44c]

You mean that you replies to the top-most thread with an off-topic post instead of starting a new thread so that your post would show up at the top of the page?

I'm not that vain and insecure thanks. Sounds like you are though.

Re:

[master_p]

Man, I logged in to make this exact joke, but I didn't expect it would be first post!!!!

It's not just about the VPN aspect

[geekylinuxkid]

Android needs some sort of remote wipe software to make it even remotely feasible for most businesses. For example, the government requires remote wipe, and some sort of encryption. Until Android has a solution for these two, the VPN-less capability is moot.

Re:It's not just about the VPN aspect

[afidel]

There are MDM's that provide those capabilities, heck just hook most Android phones up to any ActiveSync compatible server or service and you get basic remote wipe. If it weren't for the fact that we provide Citrix for remote access the limitations on getting most Android devices working with ASA would have been a serious redmark against adoption, but as it stands the huge number of usability problems we ran into trumped everything else. Android is great as a geek OS, and fairly good for a consumer OS (my wife likes her Optimus V just fine), but the persistent issues like WiFi clients that randomly failed to work or the email clients that just stopped receiving email from the Exchange server and required a device wipe and resync to reestablish communications to the weird certificate errors we would get all made it so we were not going to foist it as a platform on our users. We offered them iOS or Blackberry and 2/3rds chose to stay on Blackberry for the superior core email capabilities. Personally I'm still on my Android test device because for me the small nagging flaws are outweighed by a physical keyboard (big plus over an iphone) and huge selection of applications and a decent browser (big win over Blackberry).

Re:It's not just about the VPN aspect

[BulletMagnet]

Android needs some sort of remote wipe software to make it even remotely feasible for most businesses. For example, the government requires remote wipe, and some sort of encryption. Until Android has a solution for these two, the VPN-less capability is moot.

Like this? [good.com]

Re:It's not just about the VPN aspect

[Anonymous Coward]

Remote wipe has apparently been supported via activesync since android 2.2

Already there

[Namarrgon]

Exchange-based remote wipe support was added in Android 2.2 [android.com]. Encrypted storage and password policies were added in Android 3.0 [android.com]. Full-device encryption was added in Android 4.0 [android.com], along with an API for third-party VPN solutions, and IPsec support for the built-in VPN client.

Re:

[zaphirplane]

The way it works is
Server hey mr phone do you support activesync remote wipe?
Phone sure do (ha ha ha ha)
Server ok thank you, what about password policy?
Phone sure whatever you want sweetie

There are market apps they respond with yes and then bin the request
So .... It does not count.

Re:

[Rich0]

So, that is true of every device that exists, and will ever exist, unless you use trusted computing and have no local exploits. Certainly this can be done on the iPhone and every other commercially-available smartphone.

You're basically talking about DRM, and that is theoretically impossible to implement perfectly, though in some cases it can be made reasonably difficult to bypass.

Re:

[Weezul]

Android has by-far the best cryptography suite [guardianproject.info] amongst all phone/tablet OSs, well unless your running vanilla Linux on a tablet.

Re:

[Anonymous Coward]

About your sig:

The Christian religion has been and still is the principal enemy of moral progress in the world.

You must just love the Muslims and Hindus then. After all I never see any corruption in countries where they are in the majority.

Re:

[Anonymous Coward]

Why would you even store sensitive data on a remote device at all ?

Who needs "remote-wipe" if all I have is a couple of photos of the cute lady at In and Out ?

I'm in healthcare and we are prohibited from storing sensitive data on our laptops. Why should Android devices be any different ?

Re:

[spamking]

You are correct, folks shouldn't be storing sensitive data on a portable device of any kind. Our laptops are required to be encrypted using a FIPS 140-2 certified product to prevent loss of any information because not everyone follows the "don't store sensitive data on your laptop" policy.

With our blackberries we have access to our intranet, I guess the remote wipe feature would be helpful if someone happened to crack a password in less than 6 attempts and gain access to our intranet and possibly other int

Re:

[jon3k]

HIPAA does not prohibit the storage of sensitive data on laptops and other mobile devices, it just requires you to secure data at rest.

Re:

[bgat]

Why would you even store sensitive data on a remote device at all ?

Who needs "remote-wipe" if all I have is a couple of photos of the cute lady at In and Out ?

I'm in healthcare and we are prohibited from storing sensitive data on our laptops. Why should Android devices be any different ?

Android devices AREN'T different, actually.

Part of the confusion is buzzword-compliance, part is a desire by competitors to cast Android-based devices in a "not for professionals" light, and the rest is just addressing users who email, etc. sensitive data around and thereby bypass the no-sensitive-data-on-the-device mandate. (Such bypasses are almost irresistible in situations where you have poor connectivity back to the remote server where the sensitive data is normally kept).

Finally, unless you want to t

Re:

[HideyoshiJP]

As the other poster said, MDM is your best bet. ActiveSync works for basic remote-wipe capabilities, but has a specific caveat. For a device to connect to the server and receive a remote-wipe command, the credentials it uses have to be correct, which is contradictory to the whole "reset the user's password after a device is stolen" policy. Having said that, MDM is a difficult area to research without running through three books' worth of marketing/spam.

Re:

[CTachyon]

Android needs some sort of remote wipe software to make it even remotely feasible for most businesses. For example, the government requires remote wipe, and some sort of encryption. Until Android has a solution for these two, the VPN-less capability is moot.

The Google Apps Device Policy [android.com] app supports password policies and remote wipe, and Ice Cream Sandwich supports full-device encryption (I turned it on for my own ICS phone, took about an hour to encrypt the 16GB internal storage partition plus two or three reboots).

Re:Not surprised

[Anonymous Coward]

You're actually more misinformed now. Android does in fact have IPsec capabilities, as well as PPTP and L2TP. Its had this for a while. I don't know why no one's not mentioned that the article is just plain wrong.

It does lack OpenVPN, though, which has been a bit of a thorn in my side - software exists to add this functionality, but so far they all require root privileges, as far as I know.

Re:Not surprised

[aXis100]

I thought the same thing, I've been using the integrated L2TP client on my android phone, and it's only Froyo.

Re:

[AJH16]

It lacks CISCO IPSEC support, which is what many, if not most, businesses use for their VPNs. It does support AnyConnect and it supports conventional IPSEC for quite some time now though.

Stupid article is stupid

[GNUALMAFUERTE]

SSH is all you'll ever fucking need. You can do anything you need over SSH, including a true VPN or just VPN-like functionality. And it's as secure as it gets.

I manage all of my servers from my android devices, and have done so for a long time. What the hell is this guy complaining about?

Regarding the guy talking about the remote wipe ... well, that's a stupid concept. A lost/stolen phone usually doesn't have network access, and even if you do it as a deads man switch, it's not really secure. Just encrypt w

Re:

[marcushnk]

The activsync rules include remote wipe capability anyway.
Android supports that...

Re:Stupid article is stupid

[thegarbz]

Stupid article is stupid because the *current* version of Android actually has full native IPSec support. I wish this is just a case of Slashdot being late to post, but TFA is dated Jan 3rd 2012 so it must just be a blogger who's not up with the times.

Re:Stupid article is stupid

[Xugumad]

> *current* version of Android actually has full native IPSec support

Do you mean Ice Cream Sandwich? In which case, to be fair it's not what you'd call in widespread use yet... (I have never seen anyone with an ICS device IRL, or heard of anyone having one)

Re:

[nogginthenog]

I'm running Gingerbread and have a VPN option with PPTP, L2TP, & OpenVPN. Could be a CyanogenMod feature but I don't think so.

Re:Stupid article is stupid

[csnydermvpsoft]

I'm running Gingerbread and have a VPN option with PPTP, L2TP, & OpenVPN. Could be a CyanogenMod feature but I don't think so.

OpenVPN is a Cyanogenmod addition: [source] [wikipedia.org]

Re:

[triffid_98]

Yes, I'm sure that many large corporations will welcome your jail-broken phones running custom kernels(*) with open arms. They will also provide mileage reimbursements for commuting to the office on your flying pig.

*ignoring the fact that this feature could be easily integrated into the stock vanilla build because drumroll that's what CM was built from

Re:

[CheShACat]

That doesn't make "Android" any less "ready for the Enterprise", though does it? The Enterprise in question could go out and buy up a hundred Galaxy Nexuses to give out to its staff, regardless of how many are currently floating around in the wild.

Re:

[jtownatpunk.net]

Time to leave that cave...on Mars. I've got one. Updates for last year's phones are going to start rolling out this quarter. The next wave of tablets will be ICS.

If "IT" is just now starting to look at this, it'll be 6-12 months before anything happens, by which time, ICS will be mature. You have to keep that lead time in mind when trying to shift a major segment of your user base to a new platform. It'll never happen overnight and it often has to be synced to contract dates and such. If you build you

Re:

[thegarbz]

Do you mean Ice Cream Sandwich? In which case, to be fair it's not what you'd call in widespread use yet...

And just what do you think an enterprise is going to look at when rolling out a new device? An obsolete phone from last year? There are ICS devices on the market, there's actually been three minor updates to ICS already since the first device has been released.

The fact is that this blog is saying that the enterprise won't take up Android because of lack of VPN, whereas the current advertised wonderboy of the Android world features the latest software which has the said feature.

Not only that but there have b

Re:

[Xugumad]

Given we have problems with people (at my work) complaining that Froyo is too recent to expect them to have, ICS seems a bit optimistic for widespread adoption quite yet.

That said, I did go read up on alternative firmwares for phones, and in particular how they're doing with ICS. Further on than I'd realised, and in an enterprise setting flashing Gingerbread phones to ICS that way may well be an option (assuming they're the employer's phone, of course).

Re:

[AJH16]

It does not have CISCO IPSEC support. This is likely what the blogger was referring to when he mentions integrated IPSEC client. There are alternatives with a tun.ko capable kernel and third party VPN software, but it is a rather large pain to configure on most devices and impossible on many without custom roms. I've been trying to get it working on my GNEX but support for authenticators seems to be lacking in the third party clients that I have found.

Re:

[DrgnDancer]

No SSH may be all you need, but when the corporate IT decrees that you're not getting past the firewall except via $officalsolution you need $officalsolution. It's great how many of you guys work in some perfect little paradise where you chose all the IT solutions to be most useful for your personal preferences; but most of us work for companies, and outside of our box have little or no influence on how it's all setup. I guestimate that 85-90% of the people on this site are at least somewhat beholden to s

Re:Stupid article is stupid

[Skapare]

Restricting access to particular services is best done by those services themselves doing the authentication. They would know what users are authorized for what functions. The remote Android user is in no position to sniff the server networks, so the fact that the traffic within the LANs is not encrypted does not matter as long as you trust your network admins ... if you don't, you better be using an SSL layer to the server and trust your server admins.

If the remote user has ANY means to access the internet on the phone, either directly through the telco data bandwidth provider, or even proxied or routed through the VPN, then the phone MUST be considered unsafe, and it would be entirely inappropriate for it to be accessing any home base servers that don't authenticate (but that's just totally stupid to run that way under any circumstance).

OpenSSH

[1s44c]

Use OpenSSH. You can tunnel TCP over SSH, it works very nicely on iphones and nokia n900's. I've not tested it on android but It should work.

The very last thing anyone should be doing is bridging their networks to a mobile phone.

Re:

[marcushnk]

+1 this brother

Re:

[flyingfsck]

"The very last thing anyone should be doing is bridging their networks to a mobile phone", which sadly is exactly what the corporate IT droids want to do, because any simple solution like OpenSSH must be bad...

Re:OpenSSH

[jimicus]

because any simple solution like OpenSSH must be bad

The problem with OpenSSH - indeed the problem with most of these "simple" solutions is that they're only simple from the perspective of the IT department. They utterly fail the Marcus test.

(Before you ask - "Marcus" is a hypothetical employee. He is a man of perfectly normal intelligence but relatively little in the way of computer skills. If you're expecting him to do anything clever with his computer such as connect to the corporate network remotely, you need the instructions to be as short as possible, as easy to follow as possible with the bare minimum of extra boxes to tick or dialogs to fill in. Anything that gets in the way of that is a Bad Thing. If your instructions for Marcus are 30 steps spread across 6 pages of closely-typed text with no illustrations, he's got precisely zero chance of following them.)

Re:

[Prof.Phreak]

...little in the way of computer skills.

An employee needing corporate network access who has ``little in the way of computer skills'' shouldn't be accessing the network.

If all they need is email, I'm sure a corp can provide a web-based ssl thing for that. If they need to read docs, I'm sure a web-based ssl doc thing (like an in-house version of google docs) would work. But to put a computer illiterate employee "on the network" from a remote location is just stupid (and yes, we've all been there; still doesn

Re:

[csnydermvpsoft]

An employee needing corporate network access who has ``little in the way of computer skills'' shouldn't be accessing the network.

If all they need is email, I'm sure a corp can provide a web-based ssl thing for that. If they need to read docs, I'm sure a web-based ssl doc thing (like an in-house version of google docs) would work.

How would they access those "web-based SSL things"? Are you proposing that they be hosted somewhere other than the corporate network? Regardless of where they're hosted, they'd need to be open to the world. VPNs are useful for adding an additional layer of security between sensitive services (including web-based email) and the world. Making the needed services public defeats the point.

Re:

[Kagetsuki]

This! I have used it on Android and it does work.

Re:OpenSSH

[Karma's A Bitch]

Hi, new poster here but have been lurking for about a decade -- but as fucked up as IPSec is, there are some important benefits:

* IPSec tunnels your traffic over an unreliable datagram protocol (either IP protocol ESP or over some UDP port -- I forget the number). This avoids the performance problems of running a reliable protocol (TCP) over another reliable protocol (TCP). Some time since I looked at this, but IIRC, retransmits in the upper protocol kill you. Probably not too bit a problem if you aren't running significant traffic.

* IPSec is processed in kernel mode which improves processing performance. This isn't as important on the client which is only handling one tunnel as it is on the gateway which is handling many connections and where the CPU load could be important. Disadvantage is that a bug in IPSec is a bug in kernelspace.

* Of course anyone doing something like this should terminate the IPSec connection on a network outside their LAN and should also consider blocking comms between indials.

Just wish whoever designed IPSec had done a proper job.

Cisco IPSec VPN now supported in Android 4.0 (ICS)

[daern]

"Proper" Cisco VPN support (i.e. with group usernames and passwords) was added in 4.0 (Ice-Cream Sandwich) and works very well indeed. Be aware that there appears to be a bug in 4.0.1 and 4.0.2 on the GSM Galaxy Nexus which cause it to reboot as soon as you pass data over a VPN, connected via 3G...wifi works fine.

I'm running an AOSP (kang) 4.0.3 here and this has now been fixed. I believe the official 4.0.3 is just around the corner, so yey! This has been my top #1 feature request since Android day 1 and I bought the GN specifically because of it. Yey Glooge!

Daern

Re:Cisco IPSec VPN now supported in Android 4.0 (I

[maccodemonkey]

""Proper" Cisco VPN support (i.e. with group usernames and passwords) was added in 4.0 (Ice-Cream Sandwich) and works very well indeed. Be aware that there appears to be a bug in 4.0.1 and 4.0.2 on the GSM Galaxy Nexus which cause it to reboot as soon as you pass data over a VPN, connected via 3G...wifi works fine."

You say "works very well." I don't think it means what you think it means.

Re:

[Anonymous Coward]

I think they know exactly what it means ... the Galaxy Nexus is due to be updated to 4.0.3 in which ... it works very well. IN .01 and .02 it has a 3G but wifi works fine. So yes ... they knew what they were saying and said it. Friggin troll.

Re:Cisco IPSec VPN now supported in Android 4.0 (I

[daern]

""Proper" Cisco VPN support (i.e. with group usernames and passwords) was added in 4.0 (Ice-Cream Sandwich) and works very well indeed. Be aware that there appears to be a bug in 4.0.1 and 4.0.2 on the GSM Galaxy Nexus which cause it to reboot as soon as you pass data over a VPN, connected via 3G...wifi works fine."

You say "works very well." I don't think it means what you think it means.

To clarify: It works very well indeed, but in 4.0.1 and 4.0.2 it only works with WiFi. Apparently, the 4.0.2 LTE version works fine on both WiFi and cellular connections.

In 4.0.3 it works very well on both WiFi and 3G and is a monumentally excellent feature to be added :-)

Re:

[Chris Mattern]

It works very well indeed, but in 4.0.1 and 4.0.2 it only works with WiFi.

If it was simply nonfunctional in 3G, you'd have some justification for this statement. Something that *crashes the whole phone* when you try to use it in 3G cannot, under any standards, be said to "work very well."

Re:

[silverglade00]

Spellcheck over IPSEC.

Re:

[daern]

Yey Glooge!

Glooge?

Yes, Glooge.

Glad to have cleared that up.

I must be from another dimension

[Anonymous Coward]

I am doing IPSec on my stock ICS phone right now.

Re:

[jon3k]

I am too, Galaxy Nexus, stock image from VZW. Do the following:

1) Tap settings
2) Under "Wireless & Networks" tap "More..."
3) Tap "VPN"
4) Tap "Add VPN network"
5) Enter a Name
6) Tap "Type"
7) Choose from: PPTP, L2TP/IPSec PSK, L2TP/IPSec RSA, IPSec Xauth PSK, IPSec Xauth RSA, IPSec Hybrid RSA
8) Enter Server Address
9) Tap Save

Not the problem

[ryanov]

My University doesn't support Android phones because there's no at-rest encryption (or at least they say there isn't -- I personally don't want one anyway and so haven't investigated).

Re:Not the problem

[thegarbz]

It's not standard as part of Android (or at least it wasn't in 2.0 - 2.3), there is however the option on the AOSP port of ICS (4.0.3) to do full device encryption, so that may be a standard feature now.

That said there are many phones who have supported this for a long time, but the feature was added by the vendor and not a default function of Android itself.

Re:

[aarner]

"Securing Android for the Enterprise" = "How may we break your device today?"

So I bought a Droid-X about a year ago. Pretty happy with it. Then I hooked it up to Corporate Sync (exchange email server). A few PITA issues brought on by corporate security paranoia, but otherwise livable. (They forced a screen lock after 3 minutes with a minimum 6-digit PIN). Mildly irritating, but tolerable.

Then some even more paranoid actor in our security theater / department found out that they could force full-device

Not true.

[Slartibartfast]

There *is* a stock IPSec (Cisco) client for Android, though it lacks a lot of functionality. Ice Cream Sandwich release addresses those failings [phandroid.com]. As for connecting to a non-Cisco IPSec device, well, that's a different kettle of fish of another color, if you will.

plenty of network sec companies selling solutions

[gl4ss]

for this. customised and all, to operators or companies. if it's really enterprise, the enterprise should afford that anyways.

O RLY?!

[Gravis Zero]

The Android operating system doesn't just lack an integrated IPsec VPN client

someone should actually do come fact checking before posting these stories.
http://en.flossmanuals.net/basic-internet-security/ch050_vpn-on-android/ [flossmanuals.net]

Re:

[thsths]

You seem to be under the mistaken impression that "Slashdot is news for geeks". A mistake that is easy to make, I admit.

In my experience, Slashdot is more likely than not misinformation for the masses.

Re:

[Demonoid-Penguin]

The Android operating system doesn't just lack an integrated IPsec VPN client

someone should actually do come fact checking before posting these stories. http://en.flossmanuals.net/basic-internet-security/ch050_vpn-on-android/ [flossmanuals.net]

But wouldn't fact checking drive away the shills and their sock puppets? Besides - despite all the evidence to the contrary - it must be true. Surely SoulFree wouldn't publish bullshit media releases [businesswire.com] disguised as "stories".

After all the referenced author author has modestly announced his company are front-runners for the 2012 (my how time flies) Security Products Global Bullshit, sorry I mean, Excellence Award.

Though I'm betting McAffee and Windows 95 might beat them (like a rented mule).

Complete lack of security

[Anonymous Coward]

We reviewed Android and iOS for a very large, very well known global company. After a lot of research Android was pretty much laughed out of the room. Any corporation that uses it for their issued device and has information to protect is not paying attention.

1. Android has next to nothing in the way of large scale management and configuration tools.
2. The OS itself is highly insecure allowing all sorts of application and OS interactions regardless of resource usage or malware possibilities.
3. Google ro

Re:

[Skapare]

So your company is issuing iOS phones to the staff that need phone based access? Great. But I still would not want to work there because I don't want to carry around two phones.

Re:

[Jim Buzbee]

Hmmm... With some restrictions, the US Department of Defense has approved use of Android and not IOS: http://www.bgr.com/2011/12/28/pentagon-approves-android-device-for-department-of-defense-apple-still-awaits-clearance/ [bgr.com]

Re:

[jon3k]

Literally everything you've mentioned is addressed using any modern MDM platform (Air-Watch, MobileIron, etc). Maybe try doing some research, like, I don't know, one Google search?

Android can haz VPN...

[kbin]

a) Since when did "proper vpn" equal somethings that is "Cisco compatible"? I run IPsec/L2TP to my Juniper ScreenOS fw just fine b) I don't think L2TP over IPsec is particulary insecure. L2TP authentication/setup is also secured by IPsec transport mode. The article says that the authentication is not protected, which is wrong, since the authentication occurs first by IPsec Certificate or PSK and then by L2TP username/pw (which is protected by IPsec SA). http://en.wikipedia.org/wiki/Layer_2_Tunneling_Pro [wikipedia.org]

Re:

[Skapare]

So how does IPsec in tunnel mode communicate the user credentials to the internal servers being accessed?

Sigh, this is normal for IPSec

[rdebath]

IPSec was designed as an add-on for IPv6 back in the '90's and backported to IPv4. Unfortunately, it wasn't one of the well tested parts of the standard with many years of experience behind it, instead it was a recognition than encryption would become more important, and hopefully ubiquitous.

But nothing has happened. Instead of becoming the normal way to encrypt data across the internet it's been sidelined to enterprise VPNs were it does quite well because of the very long protocol documentation it has. This is perfect for breaking the finger pointing crap that is so common in that environment. For general use encryption is still done at the application level.

I think the worst problem is the usual suspect: key distribution. There is no reasonable way of ensuring that the right key data gets to the right clients. Though I had hopes for DNSSEC...

But the problem here isn't that. The problem is the original expectation that ALL data would become encrypted. Because of this they inserted the encryption into the middle of the IP stack (a shim if you will) which sometimes converts TCP/IP packets into TCP/IPSec/IP packets without changing the IP addresses or routing or anything else. Because of this design decision the exact version/variant of the IPSec protocol HAS to exist in the kernel binary. You can't work around this.

Every other VPN solution does it the right way. Actually creating a Virtual Private Network Adaptor for a Virtual Private Network Wire onto a Virtual Private Network. So you actually have a visible private network and you can see the routing and you can enforce firewall rules (or reverse path rules). What's more because of this every single one of them can easily be altered to work purely in userspace repurposing whatever virtual adaptor may be available on the platform be it PPP/SLIP/TAP or someone else's VPN adaptor. With this the horrific complexity that is IPSec can be avoided because you can run two versions of the VPN client on the same machine preserving compatibility by keeping old (put patched) versions of the software rather than creating a rats nest of compatibility hacks within the standard itself.

The end result, IPSec is avoided unless somebody "requires" this enterprisey solution AND will be paying for it.

Re:

[subreality]

Some of the problems you're describing have to do with Transport Mode. Tunnel Mode encapsulates the whole IP packet, and creates an actual shared private network between your endpoint and the VPN server. If you enable UDP encapsulation it also traverses uncooperative NAT.

Tunnel Mode can be done in userspace since it's able to spit out complete packets on a TUN interface. Basically it's everything you want, except overly complicated and hard to figure out in the way that any too-generalized system tends t

article is out of date - Android 4.0 ICS update

[gru3hunt3r]

This article is out of date the following IPsec VPN options are available on a Google Nexus Galaxy from Verizon running Android ICS (4.0)

IPsec XAUTH PSK
IPsec XAUTH RSA
IPSEC Hybrid RSA

Android 4.0 supports standard IP sec gateways as well as Cisco's proprietary Xauth -- and unlike apple the android release does NOT require a company go out and buy a new Cisco Pix running IOS 7.0 or higher like the Apple iPhone 4 does (Iphone doesn't support xauth rsa profile).
This little .. ahem, oversight on the iPhone made it so our company chose NOT to reimburse employees for iPhones since they can't be used for work -- so at least for our company if employees want reimbursement for phones, they need to purchase a device that's compatible.

While I'm ranting-- I figured I'd also say that I wish either vendor apple/cisco natively supported OpenVPN so I could kill off my IPSec VPN I'd be thrilled, and the first vendor who does will receive the "recommended device" status for our employees.

IPSec is my last choice, not my first - it's not well suited for modern day deployments anyway since it doesn't work through some NAT gateways (at many hotels), and it *never* works [by design] if two people on the same network are connecting to the same endpoint from behind the same nat firewall (ex: two employees at the same coffee shop both trying to do their work.. or a husband wife who both work for the same company trying to concurrently connect to their own home network)

As NAT becomes more and more common (aren't we out of IPv4 addresses?) IPsec will cede way to more flexible solutions like OpenVPN.

Re:

[JAlexoi]

VpnService is a base class for applications to extend and build their own VPN solutions. In general, it creates a virtual network interface, configures addresses and routing rules, and returns a file descriptor to the application. Each read from the descriptor retrieves an outgoing packet which was routed to the interface. Each write to the descriptor injects an incoming packet just like it was received from the interface. The interface is running on Internet Protocol (IP), so packets are always started wit

Re:

[subreality]

it *never* works [by design] if two people on the same network are connecting to the same endpoint from behind the same nat firewall

That's true of Transport Mode, but Tunnel Mode (where entire IP packets are encapsulated instead of just the data) deals with that situation just fine. If you enable UDP encapsulation it also traverses uncooperative NAT.

Re:

[Cereal Box]

There are basically two phones with ICS support (the Nexus and Nexus S) and combined they make up maybe 1 or 2% of all active Android phones (actually, I'm being generous here, the Android platform version graph shows 0.6%). So for all intents and purposes Android "still" doesn't have proper IPSec support. Or, put another way, more than 98% of Android phones don't have IPSec support. And it will take a good year or two before a simple majority of Android phones are running 4.0 or later.

Re:

[afidel]

I think even two years is being generous, the plurality of devices being offered by carriers *today* are not slated to receive ICS which means for most users purchasing right now they won't get ICS+ until their contract expires in two years.

Re:

[jon3k]

A "new" PIX? Cisco hasn't sold PIX for 4 years, it was replaced by the ASA line. And neither PIX or the ASA line have _ever_ run IOS.

Android 4 includes custom VPN provider support

[JAlexoi]

Since the release of ICS, users are able to roll-out their custom VPN solutions. I bet OpenVPN is in the works.
http://developer.android.com/reference/android/net/VpnService.html [android.com]

VPN Client API

[robmv]

This is false, since Android 4.0 there is an API to add new VPN clients [android.com] without need to build kernel modules

Enhancements for Enterprise

VPN client API

Developers can now build or extend their own VPN solutions on the platform using a new VPN API and underlying secure credential storage. With user permission, applications can configure addresses and routing rules, process outgoing and incoming packets, and establish secure tunnels to a remote server. Enterprises can also take advantage of a standard VPNclientbuilt into the platform that provides access to L2TP and IPSec protocols.

Bad Article

[Demoknight]

Out of date and biased. Would prefer more technical details as well - seems very generic in certain areas. Boo.

Use Connectbot

[sl4shd0rk]

It's open source, can port forward, can use pubkey auth (shared key auth) and doesn't require you to "modify" kernels or root the device.

http://code.google.com/p/connectbot/ [google.com]

JunOS Pulse seems to work okay

[H0bb3z]

In preliminary testing, we've been able to get some Android devices connected using Juniper VPN. It does appear there are some variations depending on device and version of Android that is running, but in most cases things do appear to work well. The only issue some of the power users have is that the Pulse client needs to have fairly significant access to the device to install correctly...

and This is why WP7 is going Corporate

[fast turtle]

MS does get it and once they get WP7 fully working, it's going to be on most of the corporate phones as it'll include an Exchange Client, Remote Wipe, Can be locked down by an Active Directory Server tighter then a Black Berry. Simply put, Apple and Google don't get the corporate culture and that's what keeps MS alive.

Securing Asteroid For the Enterprise

[FreakyGreenLeaky]

/bounces with excitement
ah, fuckit, never mind.

SonicWALL NetExtender Works Great!

[nevermore94]

If you use SonicWALL firewalls then check out NetExtender which they call a "layer 3 VPN client". I use it all of the time to connect to my work desktop from home on my ASUS Transformer and it works perfectly. They also have a version specifically for their SonicWALL Aventail SRA E-Class SSL VPN Appliances.

Lor

[rossdee]

It must be one of those eps featuring his evil twin brother

Re:

[1s44c]

His security history isn't perfect:

Stardate: 42437.5 ''Data is possessed by the consciousness of a brilliant scientist. However, it has a disturbing impact on Data's personality.
Stardate: 45571.2 "Data, O'Brien, and the chick in the low cut top are possessed by aliens from a prison planet and run around trying to free all the other prisoner aliens."

Re:

[Verteiron]

And don't forget the episode where we found out his creator left a backdoor in both of his androids, forcing them to go to him at will regardless of the consequences.

Re:

[FairAndHateful]

And don't forget the episode where we found out his creator left a backdoor in both of his androids, forcing them to go to him at will regardless of the consequences.

Wow! Data IS fully functional and programmed in a number of techniques!

Re:

[turbidostato]

Can OpenVPN be installed without rooting the phone and therefore voiding the device's warrant and your provider's support?

Re:

[JAlexoi]

Soon it will be. At leas ICS already provides custom VPN solution SPI.

IPsec is not more secure

[Kludge]

The original poster thinks that IPsec is more secure, but has he ever seen case of other VPN's encryption being cracked? The answer is no. All data does not need to be encrypted. If either end of the VPN connection does not have the correct key the game is up. IPsec is less convenient and only provides additional security to an already uncrackable system.

Re:

[Skapare]

It means the author of the article is confused. PPTP and L2TP and other VPN protocols can go over IPsec or they can go direct and use their own encryption. The author seems to be upset that Android doesn't use IPsec. If he knew me, he'd be upset with me, too, because I don't use IPsec, either ... anymore.

Re:

[Skapare]

I'm looking for an Android phone. None have Ice Cream Sandwich from the vendor. So I would need to upgrade (probably should, anyway). Which download should I use to do so since the vendor would not have it?

Re:

[rrossman2]

Nexus S sure does via the OEM.

Many others are receiving updates to ICS.

Those "not supported" such as my Galaxy S have 3rd party options (I'm running CyanogenMod 9 build 12 made from AOSP with some stuff pulled/added in from the Nexus S (camera app/driver though I believe that's changed)

Re:

[Skapare]

None? For example there's Samsung Galaxy Nexus which has ICS.

Or you can get a Samsung Nexus S. It comes with Gingerbread. Then check the Android mailing lists for the update zip URL (or google it up, it was some google.com address). Download the .zip. Put it to your phone SD card as update.zip, boot into recovery mode (volumeup+power). Select to upgrade the update.zip. Let it upgrade the system. Done.

As a bonus all your data will be there, if you didn't wipe it.

I don't have a smart phone, yet (so no data to save). I have started looking around. But I'm only looking at unlocked phones because that's the only acceptable way. I won't be signing up with any provider term plan. I know most can do month to month to start (a friend of mine works as a rep for one of them and says they are not allow to offer M2M but should sign up whoever asks for it). I only want SIM-compatible phones, so Verizon is off the radar.

You know where to order one of these phones online, un

Re:

[rrossman2]

yeah, it does... cyanogenmod 9 on my phone lists:
PPTP
L2TP/IPSec PSK
L2TP/IPSec RSA
IPSec Xauth PSK
IPSec Xauth RSA
IPSec Xauth Hybrid

And that's build off of the ice cream sandwich (android 4.0) source for a device that doesn't have ICS from the phone maker.. and not long after the AOSP android source was released.

Re:

[ColdWetDog]

I'll need a screwdriver, a pliers, a one gallon (US) bucket of epoxy, a roll of duct tape, two ice picks, a bottle of rubbing alcohol, a copy of Grey's Anatomy (the book, not the TV show), one hundred sixty feet of sterile gauze, a dentist's chair (or a barber's chair in a pinch), and two round-trip tickets to a country favorable to unlicensed medical procedures.

If you want me to secure an entire enterprise infrastructure I will need more.

Way to fail, n00b. You forgot the WD-40.

Don't do that again.

Re:

[ColdWetDog]

Oh, maybe that's what you meant when you need more stuff for Enterprise things.

Sorry, my bad.