TCP/IP Connection; Messaging Server to Computer Email Application Connection - BlackBerry Enterprise Solution Security - Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution

TCP/IP connection

The TCP/IP connection from the BlackBerry Enterprise Server to the BlackBerry Router is designed to be secure
in the following ways:
Security measure: The BlackBerry Enterprise Server sends outbound traffic to the BlackBerry device only through the authenticated connection to the BlackBerry Infrastructure.
Description: The system administrator must set your organization's firewall or proxy to permit the BlackBerry Enterprise Server to initiate and maintain an outbound connection to the BlackBerry Infrastructure on TCP port 3101.

Security measure: The BlackBerry Enterprise Server does not send inbound-initiated traffic to the messaging server.
Description: The BlackBerry Enterprise Server discards inbound traffic from any source other than the BlackBerry device (through the BlackBerry Infrastructure or BlackBerry Desktop Software) or the messaging server.

Security measure: The BlackBerry Enterprise Solution encrypts data traffic over TCP/IP.
Description: Data remains encrypted with standard BlackBerry encryption from the BlackBerry Enterprise Server to the BlackBerry device or from the BlackBerry device to the BlackBerry Enterprise Server. There is no intermediate point at which the data is decrypted and encrypted again. No data traffic of any kind can occur between the BlackBerry Enterprise Server and the wireless network or the BlackBerry device unless the BlackBerry Enterprise Server can decrypt the data using the correct, valid master encryption key. Only the BlackBerry device and BlackBerry Enterprise Server have the correct, valid master encryption key.

Security measure: The BlackBerry Enterprise Server encrypts data traffic between specific components.
Description: The BlackBerry Collaboration Service, the Connection Service, the BlackBerry Policy Service, and the BlackBerry Synchronization Service share a secure communication password that is known only to them. The BlackBerry Messaging Agent and the BlackBerry Dispatcher share a different secure communication password that is known only to them. When one of these components initiates a connection to the BlackBerry Dispatcher, the BlackBerry inter-process protocol is designed to use SPEKE to initialize a key generation process using the component's secure communication password and establishes a 256-bit AES encryption key (a session key). The BlackBerry Enterprise Server then uses the session key to encrypt data traffic to any components that store the same secure communication password.

Security measure: The BlackBerry device initiates inbound connections using the BlackBerry Router to an enterprise Wi-Fi network only.
Description: The BlackBerry Router sends the Internet or intranet content requests from the BlackBerry device over port 4101 to the enterprise Wi-Fi network. The BlackBerry Router verifies that the PIN belongs to a valid BlackBerry device that is registered on the wireless network.

Messaging server to computer email application connection

The system administrator can set your messaging server to encrypt the BlackBerry device data in transit between the messaging server and the BlackBerry device user's computer email application.
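
An added sketch of the SPEKE step described for the TCP/IP connection, where components sharing a secure communication password establish a 256-bit session key (illustrative code, not BlackBerry's implementation). The group (RFC 2409 Oakley Group 2), the use of SHA-256, the class and function names, and the passwords are assumptions; the page specifies none of them.

```python
import hashlib
import secrets

# Assumption: RFC 2409 Oakley Group 2 safe prime (1024-bit), chosen to keep the demo short.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)


class SpekeParty:
    """One side of a SPEKE exchange keyed by a shared password (hypothetical helper)."""

    def __init__(self, password: str):
        digest = hashlib.sha256(password.encode()).digest()
        # SPEKE derives the Diffie-Hellman generator from the password.
        # Squaring maps the hash into the prime-order subgroup of the safe-prime group.
        self.generator = pow(int.from_bytes(digest, "big"), 2, P)
        self.secret = secrets.randbelow(P - 3) + 2  # ephemeral exponent in [2, P-2]
        self.public = pow(self.generator, self.secret, P)  # value sent to the peer

    def session_key(self, peer_public: int) -> bytes:
        # Reject degenerate values that would force a predictable shared secret.
        if not 2 <= peer_public <= P - 2:
            raise ValueError("invalid peer public value")
        shared = pow(peer_public, self.secret, P)
        # Hash the shared secret down to 32 bytes: a 256-bit AES session key.
        return hashlib.sha256(shared.to_bytes(128, "big")).digest()


def handshake(password_a: str, password_b: str) -> tuple[bytes, bytes]:
    """Run both sides of the exchange and return the key each side derived."""
    a, b = SpekeParty(password_a), SpekeParty(password_b)
    return a.session_key(b.public), b.session_key(a.public)


if __name__ == "__main__":
    # Constructed passwords: same password -> same key; different -> no shared key.
    same = handshake("constructed-shared-password", "constructed-shared-password")
    diff = handshake("constructed-shared-password", "constructed-other-password")
    print("same password, keys match:", same[0] == same[1])
    print("different password, keys match:", diff[0] == diff[1])
```

Only the public values cross the connection; a component that does not hold the password cannot compute the generator, so it ends up with a key that fails to decrypt the peer's traffic.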

This manual is also suitable for:

Enterprise server 4.1
