Welcome to Port3101.org : Your BES Connection Mark forums read | View Forum Leaders
Port3101.org : Your BES Connection



Reply
LinkBack Thread Tools Display Modes
Need for BES Router (BER) with ver 5.0.x?
 
  #1 (permalink)  
Old 12-28-2010, 12:32 PM
BES Activated
 
Join Date: Dec 2010
Location: VA
Posts: 3
Default Need for BES Router (BER) with ver 5.0.x?

Have spent the last half day researching the BlackBerry site and previous postings on this site for whether or not I should install a BES Router (BER) in my new BES 5 upgrade. Previous posting were from 2008/2009 time frame when ver 4.1.X was the main BES beast. To this point I have found only 1 reference in the BlackBerry Enterprise Solution Ver: 5.0 | Service Pack :2 Security Technical Overview that states (page #42):

"The BlackBerry Enterprise Server and BlackBerry Enterprise Server components, with the exception of the BlackBerry Router, do not support installation in a DMZ. For more information about configuring the BlackBerry Router in the DMZ, see Placing the BlackBerry Router in the DMZ."

(The 'BlackBerry Router in the DMZ' document they are referring to is older from 2005.)

In the BES Ver: 5.0 | Service Pack :1 Security Technical Overview it dose not mention anything at all about the BER in the DMZ.


In my previous BES 4.1.6 install we went the extra mile to install a BER in our DMZ for our security group, but is it still a 'Best Practice', or should I rope it back into 1 server? We have 400 users and will be running it on a hardened SteelCloud BES VM. I know the ideas of making the BER hard on the outside to make hackers work harder and that the BES only makes requests outbound initiated requests on 3101, and limiting it to the IP's and domain names of BlackBerry.net/.com...

I guess for the security minded, is the BER in a DMZ still worth it OR best practice with BES 5.0.x?

Thanks for reading my ramblings... -B

Last edited by shoemb00; 12-28-2010 at 06:16 PM.
Reply With Quote
Sponsored Links
  #2 (permalink)  
Old 01-05-2011, 06:12 PM
knottyrope's Avatar
The knotty A D M I N
 
Join Date: Jan 2009
Location: Mass
Posts: 103
Default

Security
A remote BlackBerry Router might enable further security options because the BlackBerry Router does not have encryption keys and therefore does not compromise the security of the BlackBerry Infrastructure if the BlackBerry Router itself is compromised. However, implementing the BlackBerry Router in the DMZ does not necessarily increase security.

Livelink - Redirection
__________________
------------------------------------------------------

Torch 9800 on BES 4.1.6 MR7, Exchange 2003, SQL 2005.
WES 2009-2010 Survivor
Reply With Quote
  #3 (permalink)  
Old 01-13-2011, 04:30 PM
BES Administrator
 
Join Date: Jun 2010
Location: In the woods
Posts: 28
Default

Quote:
Originally Posted by shoemb00 View Post
Have spent the last half day researching the BlackBerry site and previous postings on this site for whether or not I should install a BES Router (BER) in my new BES 5 upgrade. Previous posting were from 2008/2009 time frame when ver 4.1.X was the main BES beast. To this point I have found only 1 reference in the BlackBerry Enterprise Solution Ver: 5.0 | Service Pack :2 Security Technical Overview that states (page #42):

"The BlackBerry Enterprise Server and BlackBerry Enterprise Server components, with the exception of the BlackBerry Router, do not support installation in a DMZ. For more information about configuring the BlackBerry Router in the DMZ, see Placing the BlackBerry Router in the DMZ."

(The 'BlackBerry Router in the DMZ' document they are referring to is older from 2005.)

In the BES Ver: 5.0 | Service Pack :1 Security Technical Overview it dose not mention anything at all about the BER in the DMZ.


In my previous BES 4.1.6 install we went the extra mile to install a BER in our DMZ for our security group, but is it still a 'Best Practice', or should I rope it back into 1 server? We have 400 users and will be running it on a hardened SteelCloud BES VM. I know the ideas of making the BER hard on the outside to make hackers work harder and that the BES only makes requests outbound initiated requests on 3101, and limiting it to the IP's and domain names of BlackBerry.net/.com...

I guess for the security minded, is the BER in a DMZ still worth it OR best practice with BES 5.0.x?

Thanks for reading my ramblings... -B
I have seen MANY different setups and personally setting the router in the DMZ is not best practice, just preference. Weather the Router is inside the firewall or out, there is still a port that needs to be open so in my opinion, it's 6 of 1 and half a dozen of the other but I'm no firewall / security expert either.
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


Similar Threads
Thread Thread Starter Forum Replies Last Post
Putting the Router Service in a DMZ JDABS Port 3101: The BES Admin Bar & Grill 9 12-20-2010 05:27 PM
Router + MDS + HA in DMZ lion77 Port 3101: The BES Admin Bar & Grill 4 06-07-2010 10:30 PM
Pipe Full in router logs mjyp Port 3101: The BES Admin Bar & Grill 2 03-23-2010 03:23 PM
Srp connection from router Cognito Port 3101: The BES Admin Bar & Grill 2 02-15-2010 11:59 PM
BES 5.0 Router in DMZ - Anyone done this successfully? BES Not To Ask Port 3101: The BES Admin Bar & Grill 23 12-03-2009 06:28 PM


All times are GMT -4. The time now is 02:24 PM.
Powered by vBulletin® Version 3.8.9
Copyright ©2000 - 2018, vBulletin Solutions, Inc.


 

SEO by vBSEO 3.3.2 PL2