How the IEEE 802.1x Environment Controls Access to the Enterprise Wi-Fi Network; Administering Enterprise Wi-Fi Network Solution Security Using IT Policy Rules; Requiring Protected Connections to Enterprise Wi-Fi Networks - BlackBerry Enterprise Solution Security - Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution

How the IEEE 802.1x environment controls access to the enterprise Wi-Fi network

When a wireless client first associates itself with an access point that is enabled for IEEE 802.1x security, the only
communication that the access point permits is IEEE 802.1x authentication. Using a negotiated EAP method, the
supplicant on the supported Wi-Fi enabled BlackBerry device sends its credentials (typically, a BlackBerry device
user name and password) to the access point, which forwards the information to the authentication server. The
authentication server authenticates the supported Wi-Fi enabled BlackBerry device on behalf of the access point
and instructs the access point to permit or prevent access to the enterprise Wi-Fi network. The authentication
server sends Wi-Fi network credentials to the supported Wi-Fi enabled BlackBerry device to allow it to
authenticate the access point.

After an authentication server permits the supported Wi-Fi enabled BlackBerry device to access the enterprise
Wi-Fi network, the access point and the BlackBerry device use IEEE 802.1x EAPoL-Key messages to establish the
WEP, TKIP, or AES-CCMP encryption keys, depending on the EAP method that is set on the BlackBerry device.
After the access point and the supported Wi-Fi enabled BlackBerry device establish encryption keys, the
BlackBerry device has encrypted access to the enterprise Wi-Fi network.

If your enterprise Wi-Fi solution is using one of the supported EAP authentication methods, all of which are
designed to provide mutual authentication between supported Wi-Fi enabled BlackBerry devices and the
enterprise Wi-Fi network, the BlackBerry Enterprise Server administrator can grant and revoke supported Wi-Fi
enabled BlackBerry devices access to the enterprise Wi-Fi network by updating the central authentication server
only. The system administrator does not need to update the configuration of each access point.
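
The access-control model described above, as an added example that is not part of the original manual or any BlackBerry code: an access point that forwards only IEEE 802.1x (EAPOL, EtherType 0x888E) frames until the central server accepts the client, and a revocation made on the server alone. Assumptions: the class and function names, the account and the MAC addresses are constructed, a salted password check stands in for the negotiated EAP method, and revocation takes effect at the client's next authentication.

```python
import hashlib, hmac, os

ETH_P_EAPOL = 0x888E  # EtherType of IEEE 802.1X (EAPOL) frames
ETH_P_IPV4 = 0x0800

def make_frame(src: bytes, etype: int, payload: bytes = b"") -> bytes:
    # Untagged Ethernet II frame addressed to a constructed AP MAC.
    return bytes.fromhex("02000000aaaa") + src + etype.to_bytes(2, "big") + payload

class AuthServer:
    """Central credential store, standing in for the authentication server."""
    def __init__(self):
        self._users = {}  # user -> (salt, PBKDF2 digest)
    def grant(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._kdf(password, salt))
    def revoke(self, user: str) -> None:
        self._users.pop(user, None)
    def check(self, user: str, password: str) -> bool:
        salt, digest = self._users.get(user, (b"", None))
        return digest is not None and hmac.compare_digest(digest, self._kdf(password, salt))
    @staticmethod
    def _kdf(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class AccessPoint:
    """Authenticator: stores no credentials, only which client ports are open."""
    def __init__(self, server: AuthServer):
        self.server, self.authorized = server, set()
    def authenticate(self, mac: bytes, user: str, password: str) -> bool:
        ok = self.server.check(user, password)  # the decision is the server's
        (self.authorized.add if ok else self.authorized.discard)(mac)
        return ok
    def forward(self, frame: bytes) -> bool:
        # EAPOL always passes; other traffic only from authorized clients.
        etype = int.from_bytes(frame[12:14], "big")
        return len(frame) >= 14 and (etype == ETH_P_EAPOL or frame[6:12] in self.authorized)

def demo():
    server, pw = AuthServer(), "constructed-password"
    server.grant("alice", pw)  # constructed sample account
    ap1, ap2 = AccessPoint(server), AccessPoint(server)
    mac = bytes.fromhex("020000000001")  # constructed client MAC
    eapol, data = make_frame(mac, ETH_P_EAPOL), make_frame(mac, ETH_P_IPV4)
    before = (ap1.forward(eapol), ap1.forward(data))  # unauthenticated client
    ap1.authenticate(mac, "alice", pw)
    after = ap1.forward(data)
    server.revoke("alice")  # one change, made on the server only
    reauth = tuple(ap.authenticate(mac, "alice", pw) for ap in (ap1, ap2))
    return before, after, reauth, ap1.forward(data)
```

Neither access point object holds a credential, so the revocation needs no change on them: both reject the account at its next authentication attempt.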

Administering enterprise Wi-Fi network solution security using IT policy rules

With the BlackBerry Enterprise Solution, the BlackBerry Enterprise Server administrator can monitor and control
all BlackBerry devices from the BlackBerry Manager using wireless IT commands and IT policy rules. The
enterprise Wi-Fi network solution includes specific IT policy rules for the security of the enterprise Wi-Fi network
solution. The BlackBerry Enterprise Server administrator can turn Wi-Fi access on and off on supported Wi-Fi
enabled BlackBerry devices on BlackBerry Enterprise Server Version 4.1 SP3 or later, and manage WLAN and VPN
settings for individual user accounts on BlackBerry Enterprise Server Version 4.1 SP2 or later.

For more information about using VPN and WLAN IT policy rules and setting configuration profiles to configure
your enterprise Wi-Fi network solution to support Wi-Fi enabled BlackBerry devices, see the BlackBerry
Enterprise Server Wi-Fi Implementation Supplement.

Requiring protected connections to enterprise Wi-Fi networks

Using WEP encryption to protect connections to enterprise Wi-Fi networks

WEP, the oldest, most prevalent form of enterprise Wi-Fi network encryption available, was originally designed to
bring the same level of security to an enterprise Wi-Fi network as is available on a traditional wired LAN. WEP
uses a matching encryption key at both the access point and the wireless client to secure wireless
communication. This key can be 40 bits (for 64-bit WEP) or 104 bits (for 128-bit WEP) in length.

To use WEP, the BlackBerry Enterprise Server administrator must distribute WEP keys to the supported Wi-Fi
enabled devices on your enterprise Wi-Fi network. In the BlackBerry Manager, the BlackBerry Enterprise Server
administrator can define WEP keys for each supported Wi-Fi enabled device using IT policy rules set in an IT
policy that the BlackBerry Enterprise Server sends to the supported Wi-Fi enabled device when the BlackBerry
Enterprise Server activates and registers the supported Wi-Fi enabled device and whenever the BlackBerry
Enterprise Server administrator updates the IT policy thereafter.

By current industry standards, WEP is not a cryptographically strong security solution. Identified WEP
weaknesses include the following scenarios:

- an attacker could capture transmissions over the wireless network and might thereby be able to deduce
  WEP keys in very little time
- an attacker might be able to use an undetected man-in-the-middle attack to alter WEP-encrypted packets

www.blackberry.com

This manual is also suitable for:

Enterprise server 4.1
