View Poll Results: Do you have the Router in the DMZ?
Yes: 4 (17.39%)
No: 19 (82.61%)
Questions - Your BES topology

10-05-2009, 02:16 PM
BES Administrator
Join Date: Jul 2009
Location: Nowhere, USA
Posts: 46
OK, just thought I would try the poll option. So the poll questions are:
Do you have the Router in the DMZ?
Do you use a separate Attachment server that is firewalled off?
Feel free to post why or why not, and your general thoughts on such a setup.
Edit: Oops, looks like my first poll didn't work out as planned. I was hoping to be able to have 2 questions in the poll. Argh.
Last edited by Sp1d3rM@n; 10-05-2009 at 02:19 PM.

10-05-2009, 02:37 PM
The knotty A D M I N
Join Date: Jan 2009
Location: Mass
Posts: 103
Quote:
Originally Posted by Sp1d3rM@n
OK, just thought I would try the poll option. So the poll questions are:
Do you have the Router in the DMZ? NO
Do you use a separate Attachment server that is firewalled off? NO
Feel free to post why or why not, and your general thoughts on such a setup.
Edit: Oops, looks like my first poll didn't work out as planned. I was hoping to be able to have 2 questions in the poll. Argh.

Not a major concern here, maybe for DOJ, DOD types.
Router in DMZ firewall rules =
__________________
------------------------------------------------------
Torch 9800 on BES 4.1.6 MR7, Exchange 2003, SQL 2005.
WES 2009-2010 Survivor

10-05-2009, 06:08 PM
BES Administrator
Join Date: Jul 2009
Location: Nowhere, USA
Posts: 46

It hasn't been here either... until now. 10 years after deployment with zero incidenceseseseses (knock on wood), and now InfoSec wants to see this high-security config put in place. Of course I have no idea who will pay for the at least 10 additional servers we will need to spin up in the 5 different BES environments.

10-07-2009, 09:22 AM
Proprietor
Join Date: Nov 2008
Location: Atlanta, GA
Posts: 2,032

The one benefit of having the router in the DMZ is if you decide to also NAT it for availability to the internet and use it for Wi-Fi bypass outside of your network. Of course, this is only a concept in theory, but it could potentially allow for an EAS-esque configuration. Just food for thought (if this would be a possible scenario for you, it could open the doors for an entirely new aspect of your deployment).
__________________
BCSA (4.1, 5.0) | BCSD (4.1, 5.0)
The views expressed by me on Port3101.org are my own and do not necessarily reflect the views of my employer.

10-08-2009, 01:27 AM
BES Administrator
Join Date: Jul 2009
Location: Nowhere, USA
Posts: 46

Well, I'm trying to get all my ducks in a row, and I'm looking for a RIM whitepaper in which, our InfoSec guys say, RIM describes the placement of the router in the DMZ as "best practice".
Perhaps my search skills are waning in these wee hours, but I didn't find a whitepaper that specifically describes this as "best practice" (whether it is or not is not the point - I want to see this whitepaper).
The PDF I have from them titled "Placing the BlackBerry Router in the DMZ" states on page #5: "A remote BlackBerry Router might enable further security options because the BlackBerry Router does not have encryption keys and therefore does not compromise the security of the BlackBerry Infrastructure if the BlackBerry Router itself is compromised. However, implementing the BlackBerry Router in the DMZ does not necessarily increase security."
Doesn't exactly sound like a "best case" endorsement to me.

10-08-2009, 06:45 PM
Proprietor
Join Date: Nov 2008
Location: Atlanta, GA
Posts: 2,032

...and I can guarantee you that RIM does not state such a practice as the 'best' by any stretch of the imagination. The fact that it is separate was done to pacify a very, very small albeit powerful sector of the industries.
__________________
BCSA (4.1, 5.0) | BCSD (4.1, 5.0)
The views expressed by me on Port3101.org are my own and do not necessarily reflect the views of my employer.

10-08-2009, 10:23 PM
Super Moderator
Join Date: Dec 2008
Posts: 1,056

Even DoD doesn't "require" it. It is recommended but not anything that is enforced.
http://www.docstoc.com/docs/4058172/...r-Developed-by
That is a copy of one of the guides from the DoD.
Last edited by Sith_Apprentice; 10-08-2009 at 10:32 PM.

10-09-2009, 12:05 PM
BES Administrator
Join Date: Apr 2009
Location: YYZ
Posts: 17

Never did figure out the 'added security' of the router in the DMZ.
Router needs an OUTBOUND port 3101 connection. If it's in the DMZ, it also needs open ports to the inside of your network. How is that more secure?

10-11-2009, 08:45 PM
BES Activated
Join Date: Aug 2009
Location: Oz
Posts: 8

We have the router in the DMZ.
The security reason is that an internal server shouldn't talk directly to the outside world, as it makes it more vulnerable. The BlackBerry Router (BER) is another layer of security a potential intruder would have to gain access to. As a DMZ server, the BER would be locked down to a level which wouldn't be possible on a BES.
It's like putting your car in a garage and locking both the car and the garage door. If you just locked the car and left the garage door open, you probably wouldn't consider it as secure.
Last edited by supabrudda; 10-14-2009 at 07:52 PM.

10-12-2009, 10:31 AM
Computer Science Teacher
Join Date: Feb 2009
Location: Ontario
Posts: 8

OK - the problem with putting your BB Router in the DMZ is that you need another Windows box (and Windows Server license - $$) and a lot of patience protecting it from public access with whatever proxy/firewall devices you have.
Plus, if there is too much latency between the BB Router and the other BES components, it causes problems (you will frequently see "Unknown" in the SRP Status field on BES).
If your company isn't huge (i.e. less than 1000 BB users), all BES components can easily sit on one box that isn't that powerful right next to your Exchange Server and you can simply make port forwarding rules on your proxy/firewall to bypass the DMZ for SRP (these can be authenticated rules that only apply to SRP traffic to maintain security).
Cheers,
Jason.
__________________
Jason W. Eckert

10-13-2009, 12:43 AM
BES Administrator
Join Date: Jul 2009
Location: Nowhere, USA
Posts: 46

Quote:
Originally Posted by jasoneckert
OK - the problem with putting your BB Router in the DMZ is that you need another Windows box (and Windows Server license - $$) and a lot of patience protecting it from public access with whatever proxy/firewall devices you have.
Plus, if there is too much latency between the BB Router and the other BES components, it causes problems (you will frequently see "Unknown" in the SRP Status field on BES).
If your company isn't huge (i.e. less than 1000 BB users), all BES components can easily sit on one box that isn't that powerful right next to your Exchange Server and you can simply make port forwarding rules on your proxy/firewall to bypass the DMZ for SRP (these can be authenticated rules that only apply to SRP traffic to maintain security).
Cheers,
Jason.

Thanks Jason for the reply, but really none of what you stated is really "a problem" for us. Cost isn't an issue... and no, it isn't a small company (approaching 10k BB users in 6 BES environments). Protection of it is really no different than when it is not in the DMZ (i.e. even there it will have no additional access to it than our current setup - which is one of my reasons not to do it), and lastly, in test it really doesn't add much to latency; in fact RIM will tell you that you can use one router for not just multiple servers in the same BES domain, but from multiple BES domains/environments. We of course would not be doing that.
So my issue is that it doesn't buy you much but added cost, complexity, and another possible point of failure. We already have only outbound-initiated connections to a limited range of RIM IPs open on port 3101 for the BES. If you place a router in the DMZ, you need this same setup there, and then you must open port 3101 back into your inside router. So all you are doing is adding a box in the middle, as you must have port 3101 open on both FWs. If you like security by obscurity/complexity then this is fine I guess.
Last edited by Sp1d3rM@n; 10-13-2009 at 12:46 AM.
Reason: typos

10-13-2009, 10:46 AM
BES Administrator
Join Date: Apr 2009
Location: YYZ
Posts: 17

Quote:
Originally Posted by Sp1d3rM@n
So my issue is that it doesn't buy you much but added cost, complexity, and another possible point of failure. We already have only outbound-initiated connections to a limited range of RIM IPs open on port 3101 for the BES. If you place a router in the DMZ, you need this same setup there, and then you must open port 3101 back into your inside router. So all you are doing is adding a box in the middle, as you must have port 3101 open on both FWs. If you like security by obscurity/complexity then this is fine I guess.

Are you sure you only need 3101 open for the router to talk to the rest of the BES?
If the servers in the DMZ require a connection back to the LAN, I've always felt the DMZ is like adding a locked screen door in front of your front door. Sure, it's going to slow down the intruder, but it's not necessarily going to stop him.

10-13-2009, 10:13 PM
BES Administrator
Join Date: Jul 2009
Location: Nowhere, USA
Posts: 46

Quote:
Originally Posted by CanuckBB
Are you sure you only need 3101 open for the router to talk to the rest of the BES?

RIM state such when discussing a chained router install.

10-14-2009, 08:14 PM
BES Activated
Join Date: Aug 2009
Location: Oz
Posts: 8

You definitely only require an outbound-initiated connection on a port (usually 3101) from the BES to the BER.
There are two layers of security.
1) A hacker cannot directly access the BES; it is not visible to the outside world on any port (and the BES doesn't directly talk to the outside world).
2) Servers in the DMZ are locked down a lot more tightly than one on the internal network, so hacking it is a lot harder. The only open port on the BER is 3101, which again is outbound initiated.
Whilst I tend to agree that in theory it's useless, because the BES only requires an outbound-initiated connection on port 3101, so technically an intruder can't just start a connection. In practice, security people tend to want to keep themselves in a job by designing several layers of complicated security, in a one-technical-design model for all (this makes their life simple because if it fits their model, they don't have to worry about the technology being used). I've rarely met a person in a large company's IT security section who is very technical and is apt at understanding technology.
It's not getting any better. The latest fad is to have 3 layers of security: a DMZ, a middle zone and an internal zone, where servers can only talk to an adjoining zone (thus they want to put the mail servers in the internal zone, the BES in the middle and the BER in the DMZ).
Last edited by supabrudda; 10-14-2009 at 08:19 PM.

10-15-2009, 11:33 AM
BES Administrator
Join Date: Apr 2009
Location: YYZ
Posts: 17

OK, so the choices are:
1) single server on LAN, open outbound 3101 to RIM IPs
2) 2 servers, DMZ: open outbound 3101 from LAN to DMZ and outbound 3101 from DMZ to RIM IPs
For this, I really fail to see the advantage. If a hacker is good enough to connect to the router, he'll be good enough to connect to the BES through the router.
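The two rule sets listed in the post above, modelled as an added example; this is not code from the thread, from RIM, or from any real firewall. Zone names, the trust order and the port-3101 rules are assumptions taken from the posts, and a third rule set is constructed here to show what the check flags if the DMZ-to-LAN hop is mistakenly permitted as an inbound initiation rather than an outbound one. The model separates what an attacker can open (new connections, following permitted rules) from what a compromised host can still push data over (sessions that already exist), which is the distinction the two sides of this thread are arguing about.

```python
"""Stateful-firewall model for the BES topologies discussed in this thread.

Added example. Zones, trust ordering and rules are assumptions drawn from the
posts; nothing here is real address data or RIM documentation.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Least trusted first. Used to flag rules that let a lower-trust zone
# initiate a connection into a higher-trust one.
TRUST = {"INTERNET": 0, "DMZ": 1, "LAN": 2}


@dataclass(frozen=True)
class Rule:
    """One permit on a stateful firewall: connections *initiated* from src
    toward dst on dst_port. Reply packets ride the connection state, so no
    reverse rule is needed or modelled."""
    src: str
    dst: str
    dst_port: int


# Choice 1 in the post: single BES on the LAN, SRP straight out to RIM.
SINGLE_SERVER: List[Rule] = [
    Rule("LAN", "INTERNET", 3101),
]

# Choice 2: BlackBerry Router in the DMZ, BES on the LAN chained to it.
# Both hops are outbound-initiated, as the posts describe.
ROUTER_IN_DMZ: List[Rule] = [
    Rule("LAN", "DMZ", 3101),
    Rule("DMZ", "INTERNET", 3101),
]

# Constructed misconfiguration (not from the thread): the DMZ router is
# allowed to initiate into the LAN instead of the BES initiating out to it.
ROUTER_IN_DMZ_INBOUND: List[Rule] = [
    Rule("DMZ", "LAN", 3101),
    Rule("DMZ", "INTERNET", 3101),
]


def inbound_initiations(rules: List[Rule]) -> List[Rule]:
    """Rules letting a less-trusted zone open a connection into a more-trusted
    one. Empty means every permitted SRP flow is outbound-initiated."""
    return [r for r in rules if TRUST[r.src] < TRUST[r.dst]]


def reachable_by_initiation(rules: List[Rule], start: str) -> Set[str]:
    """Zones an attacker standing in `start` can reach by opening *new*
    connections, following permitted rules transitively."""
    seen: Set[str] = set()
    frontier = [start]
    while frontier:
        zone = frontier.pop()
        for r in rules:
            if r.src == zone and r.dst != start and r.dst not in seen:
                seen.add(r.dst)
                frontier.append(r.dst)
    return seen


def session_peers(rules: List[Rule], zone: str) -> Set[str]:
    """Zones holding an established session with `zone` in either direction.
    A host compromised in `zone` cannot initiate past the firewall, but it can
    push data over these sessions: the 'through the router' path."""
    outbound = {r.dst for r in rules if r.src == zone}
    inbound = {r.src for r in rules if r.dst == zone}
    return outbound | inbound


def summarize(name: str, rules: List[Rule]) -> Dict[str, object]:
    """Per-topology view: policy violations, attacker reach, session exposure."""
    return {
        "topology": name,
        "inbound_initiations": inbound_initiations(rules),
        "internet_can_open_into": reachable_by_initiation(rules, "INTERNET"),
        "internet_session_peers": session_peers(rules, "INTERNET"),
        "dmz_session_peers": session_peers(rules, "DMZ"),
    }


if __name__ == "__main__":
    for name, rules in (("single server", SINGLE_SERVER),
                        ("router in DMZ", ROUTER_IN_DMZ),
                        ("router in DMZ, inbound hop (bad)", ROUTER_IN_DMZ_INBOUND)):
        for key, value in summarize(name, rules).items():
            print(f"{key}: {value}")
        print()
```

Run stand-alone it prints, for each topology, whether any rule is inbound-initiated, which zones the Internet can open connections into (none, in both of the post's choices), and which zones sit on an existing session with the Internet and with the DMZ. The third rule set is the one `inbound_initiations` rejects; if an InfoSec review asks for "3101 open back into the inside", this is the check that tells you whether the request is for a stateful return path or for a genuine inbound permit.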

10-15-2009, 08:51 PM
BES Activated
Join Date: Aug 2009
Location: Oz
Posts: 8

Hiya CanuckBB,
Not quite. A BES (in the LAN) can't be locked down as tightly as a BER (which is one reason why RIM don't support a BES in the DMZ). A BES generally has numerous open ports (email, web, IM, etc.); a BER only has 3101. A BES also must have lots of services and Windows features installed and running, whereas a BER has bugger all. So in theory a BER is a much harder beast to hack, as there are fewer open ports or services running in order to exploit. So yes, if a hacker is good enough to gain access to the BER, then they're probably good enough to gain access to the BES. But on the other hand, a hacker good enough to gain access to the BES may not be good enough to gain access to the BER (in the first place).
In practice a good firewall would make the BER unnecessary, as it would block intruders from gaining access to the BES. But as I said, security types tend not to live in the practical real world.

11-09-2009, 03:17 PM
BES Activated
Join Date: Nov 2009
Location: North Carolina
Posts: 1

Router in the DMZ solely to fall in line with internal (company specific) best practices. Our old 4.1.6 environment was single server with direct port 3101 access to the internet which required a security exception from our NetComm group.