Check: BBDS-00-000335
Policy SRG:
BBDS-00-000335
(in version v1 r1)
Title
The BlackBerry Device Service server must be configured so the connection between the BlackBerry Device Service server and the mobile device is initiated based on an out-bound connection request from the BlackBerry Device Service server only. (Cat III impact)
Discussion
By configuring the BlackBerry Device Service server to connect to the mobile device on an out-bound connection, the traffic is segregated, which makes it more difficult for an intruder to compromise the device management session.
Check Content
By default, the connection between the BlackBerry Device Service server and the mobile device is initiated based on an out-bound connection request from the BlackBerry Device Service server only. No configuration or modification is required on the server; however, the corporate firewall must be configured for this connection. See the Firewall configuration settings in the "Architecture: BlackBerry Device Service" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Solution Version: 6.2 Security Technical Overview document. If the system has not been configured so the connection between the BlackBerry Device Service server and the mobile device is initiated based on an out-bound connection request from the BlackBerry Device Service server only, this is a finding.
Fix Text
Configure the system so the connection between the BlackBerry Device Service server and the mobile device is initiated based on an out-bound connection request from the BlackBerry Device Service server only.
Additional Identifiers
Rule ID:
Vulnerability ID: BBDS-00-000335
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001118 | The information system implements host-based boundary protection mechanisms for servers, workstations, and mobile devices. |
Controls
Number | Title |
---|---|
No controls are assigned to this check |