BlackBerry Enterprise Solution - Security Technical Overview: Enterprise Wi-Fi network solution architecture security features; Accessing the BlackBerry Infrastructure; Supported security features of Wi-Fi enabled BlackBerry devices

BlackBerry Enterprise Solution
47

Enterprise Wi-Fi network solution architecture security features

When the BlackBerry Enterprise Server administrator implements the BlackBerry Enterprise Solution over an enterprise Wi-Fi network, the BlackBerry Enterprise Server administrator must consider additional network security to protect all message and application data communication between the BlackBerry Enterprise Server and a supported Wi-Fi enabled BlackBerry device. Wi-Fi enabled BlackBerry devices are designed to reject incoming connections, to support limited connections in Wi-Fi infrastructure mode only, and to prevent Wi-Fi ad hoc networking (peer-to-peer) connections.

Supported Wi-Fi enabled BlackBerry devices on an enterprise Wi-Fi network bypass the use of SRP by using the BlackBerry Router to send data between the BlackBerry Enterprise Server and the BlackBerry device. After the BlackBerry Router protocol establishes an authenticated connection successfully, the supported Wi-Fi enabled BlackBerry device uses a direct connection to the BlackBerry Enterprise Server using the BlackBerry Router instead of SRP connectivity and authentication. For more information about the BlackBerry Router protocol, see "BlackBerry Router protocol authentication" on page 38.

Standard BlackBerry encryption is designed to encrypt messages that the supported Wi-Fi enabled BlackBerry device and the BlackBerry Enterprise Server send between them after establishing an authenticated connection; supported Wi-Fi enabled BlackBerry devices also support multiple security methods that are designed to encrypt wireless communications over the enterprise Wi-Fi network between the BlackBerry device and wireless access points or a network firewall on the enterprise Wi-Fi network.

Accessing the BlackBerry Infrastructure

Wi-Fi enabled BlackBerry devices can connect directly to the BlackBerry Infrastructure over the Internet for access to voice and data services that a mobile network provider offers, even if UMA is not available. If a user's mobile network provider makes UMA technology (GAN technology) available, and the user has subscribed to the UMA feature, a Wi-Fi enabled BlackBerry device is designed to establish an IPSec VPN tunnel over the enterprise Wi-Fi network to the GANC automatically to access the mobile network provider's voice and data services.

The Wi-Fi enabled BlackBerry device and the BlackBerry Infrastructure send all data between them over the established SSL connection, which encrypts the data using a negotiable algorithm. For more information, see "Appendix I: Algorithm suites that the BlackBerry device supports for negotiating SSL connections" on page 86.

The BlackBerry Infrastructure sends its SSL certificate to the BlackBerry device when the BlackBerry device attempts to establish the SSL connection to the BlackBerry Infrastructure. The BlackBerry device uses a preloaded root certificate that is encrypted with a 1024 bit key to authenticate the SSL certificate. If the user deletes the root certificate on the BlackBerry device, the device prompts the user to trust the SSL certificate the next time it attempts to establish the SSL connection to the BlackBerry Infrastructure.

Protecting connections from Wi-Fi enabled BlackBerry devices to the BlackBerry Infrastructure

A connection from a Wi-Fi enabled BlackBerry device to the BlackBerry Infrastructure over SSL is designed to provide the same protection that an SRP authenticated connection from the BlackBerry Enterprise Server to the BlackBerry Infrastructure provides. A user with malicious intent cannot use the connection to send data to or receive data from the BlackBerry device.

If a user with malicious intent tries to impersonate the BlackBerry Infrastructure, the BlackBerry device is designed to prevent the connection when the public key of the SSL certificate of the impersonated BlackBerry Infrastructure does not match the private key of the root certificate that is pre-installed on the BlackBerry device. If the BlackBerry device user accepts an invalid certificate, the connection cannot continue unless the BlackBerry device can use the connection to authenticate with a valid BlackBerry Enterprise Server or BlackBerry Internet Service.

Supported security features of Wi-Fi enabled BlackBerry devices

Wi-Fi enabled BlackBerry devices are designed to operate on supported IEEE 802.11 enterprise Wi-Fi networks to let on-site BlackBerry device users access email, organizer, and browser-based applications over the wireless network while those BlackBerry device users are mobile in the physical environment of their organization. Wi-Fi enabled BlackBerry devices provide enterprise Wi-Fi network configuration options that are designed to be

www.blackberry.com
