Security Technical Overview


Using a VPN with a Wi-Fi enabled device

If your organization’s environment includes VPNs, such as IPSec VPNs, you can configure a Wi-Fi® enabled BlackBerry® device to authenticate with the VPN so that it can reach your organization’s network through an enterprise Wi-Fi network. A VPN provides an encrypted tunnel between the device and your organization’s network. A VPN is the only layer 3 security method that the device supports.

A VPN solution consists of a VPN client on the device and a VPN concentrator. Each device includes a built-in VPN client that supports several VPN concentrators; the concentrator acts as the gateway to your organization’s network. The client authenticates with the concentrator using either a gateway pre-shared key (optionally followed by XAuth user credentials) or a client certificate validated against a CA certificate, negotiates the IKE and IPSec algorithms with the concentrator, and establishes the encrypted tunnel through which the device and your organization’s network communicate.

After you configure a VPN, the device can use a layer 2 security method to associate with the enterprise Wi-Fi network and then use the VPN to authenticate to your organization’s network. In this scenario, you can treat the enterprise Wi-Fi network as an untrusted network and permit it to reach only the VPN concentrator, so that traffic from the device must pass through the tunnel before it can reach anything else.

Unlike the other supported security methods for enterprise Wi-Fi networks, a VPN does not rely on the wireless access point for data encryption: the tunnel is encrypted between the device and the VPN concentrator, and the access point only forwards the encrypted traffic. A compromised or rogue access point therefore cannot read the data, although it can still drop it.

For a list of supported VPN concentrators, visit www.blackberry.com/support to read article KB13354.

Permitting a Wi-Fi enabled device to log in to a VPN concentrator

To permit a Wi-Fi® enabled BlackBerry® device to log in to a VPN concentrator automatically after it connects to an enterprise Wi-Fi network, you or a user can configure a VPN profile that includes a user name and password for authentication with the VPN concentrator. Depending on your organization’s security policy, you or the user can save the user name and password on the device. If the credentials are saved, the device does not prompt the user for them, either the first time or on later connections to the enterprise Wi-Fi network; if they are not saved, the user is prompted at each connection. Saved credentials are only as protected as the device itself, so pair this option with a device password policy.

The device is also compatible with VPN environments that use two-factor authentication with hardware tokens or software tokens. When the device tries to log in to the VPN, it uses the credentials that the token generates or that the user provides.

For more information about configuring VPN profiles, see the BlackBerry Enterprise Server Administration Guide.


Using a segmented network to reduce the spread of malware on an enterprise Wi-Fi network that uses a VPN

When a Wi-Fi® enabled BlackBerry® device connects to an enterprise Wi-Fi network that uses a VPN, the device's traffic reaches the BlackBerry® Enterprise Server through the VPN concentrator, which sends data to the BlackBerry Enterprise Server over port 4101 on your organization's network. In this scenario, the VPN concentrator is the only component that connects the enterprise Wi-Fi network to the rest of your organization's network.

To prevent the VPN concentrator from opening unnecessary connections into your organization's network, use a segmented network: place the concentrator in its own segment and separate the segments with firewalls that permit only the connections each component requires (for the concentrator, port 4101 to the BlackBerry Enterprise Server). Malware that reaches the concentrator's segment from a device then cannot spread beyond the connections the firewalls allow.

For more information about reducing the spread of malware, see Protecting the BlackBerry device platform against malware.
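The allow-list that this segmentation implies can be checked mechanically. The following Python is an added example, not BlackBerry documentation or code: it audits an iptables-save style FORWARD chain against the policy that the Wi-Fi segment may reach only the VPN concentrator (IKE on UDP 500 and 4500, and ESP) and that only the concentrator may reach the BlackBerry Enterprise Server, on port 4101. The addresses (203.0.113.0/24 for the Wi-Fi segment, 192.0.2.10 for the concentrator, 198.51.100.20 for the server), the two rulesets and the use of TCP for port 4101 are assumptions constructed for the example.

```python
"""
Audit a firewall FORWARD chain for the segmented network described above.
Added example, not BlackBerry code. Addresses, the Wi-Fi segment, TCP for
port 4101, and both rulesets are assumptions constructed for illustration.
"""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")

# Allow-list: (source, destination, protocol, destination port or None = any port)
POLICY = [
    ("203.0.113.0/24", "192.0.2.10/32", "udp", 500),     # IKE from devices to concentrator
    ("203.0.113.0/24", "192.0.2.10/32", "udp", 4500),    # IKE with NAT traversal
    ("203.0.113.0/24", "192.0.2.10/32", "esp", None),    # IPSec ESP tunnel traffic
    ("192.0.2.10/32", "198.51.100.20/32", "tcp", 4101),  # concentrator -> BES only
]

# Constructed iptables-save output that implements the policy (default drop).
GOOD_RULES = """
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 203.0.113.0/24 -d 192.0.2.10/32 -p udp -m udp --dport 500 -j ACCEPT
-A FORWARD -s 203.0.113.0/24 -d 192.0.2.10/32 -p udp -m udp --dport 4500 -j ACCEPT
-A FORWARD -s 203.0.113.0/24 -d 192.0.2.10/32 -p esp -j ACCEPT
-A FORWARD -s 192.0.2.10/32 -d 198.51.100.20/32 -p tcp -m tcp --dport 4101 -m conntrack --ctstate NEW -j ACCEPT
"""

# Constructed ruleset that breaks segmentation: default accept, Wi-Fi segment
# admitted straight into the server segment, and a /24 instead of the concentrator.
BAD_RULES = """
:FORWARD ACCEPT [0:0]
-A FORWARD -s 203.0.113.0/24 -d 198.51.100.0/24 -j ACCEPT
-A FORWARD -s 192.0.2.0/24 -d 198.51.100.20/32 -p tcp -m tcp --dport 4101 -j ACCEPT
"""

RULE_RE = re.compile(r"^-A FORWARD (.*)$")


def parse_ruleset(text):
    """Return (default policy, list of rule dicts) from iptables-save style lines."""
    policy, rules = None, []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith(":FORWARD"):
            policy = line.split()[1]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rule = {"src": ANY, "dst": ANY, "proto": None, "dport": None,
                "states": None, "target": None}
        toks = m.group(1).split()
        i = 0
        while i < len(toks):
            t = toks[i]
            if t == "-s":
                rule["src"] = ipaddress.ip_network(toks[i + 1])
            elif t == "-d":
                rule["dst"] = ipaddress.ip_network(toks[i + 1])
            elif t == "-p":
                rule["proto"] = toks[i + 1]
            elif t == "--dport":
                rule["dport"] = int(toks[i + 1])
            elif t == "--ctstate":
                rule["states"] = set(toks[i + 1].split(","))
            elif t == "-j":
                rule["target"] = toks[i + 1]
            else:
                i += 1          # match-module names such as "-m conntrack"
                continue
            i += 2
        rules.append(rule)
    return policy, rules


def covered(rule, entry):
    """True if the rule admits no flow outside the allow-list entry."""
    src, dst, proto, dport = entry
    return (rule["src"].subnet_of(ipaddress.ip_network(src))
            and rule["dst"].subnet_of(ipaddress.ip_network(dst))
            and rule["proto"] == proto
            and (dport is None or rule["dport"] == dport))


def audit(text, policy=POLICY):
    """Findings: default must be DROP and every rule that can admit a new flow must fit an allow-list entry."""
    default, rules = parse_ruleset(text)
    findings = []
    if default != "DROP":
        findings.append(f"default FORWARD policy is {default}, expected DROP")
    for n, r in enumerate(rules, 1):
        if r["target"] != "ACCEPT":
            continue
        if r["states"] is not None and "NEW" not in r["states"]:
            continue                      # reply traffic only; opens nothing new
        if not any(covered(r, e) for e in policy):
            findings.append(f"rule {n}: {r['src']} -> {r['dst']} "
                            f"{r['proto'] or 'any'}/{r['dport'] or 'any'} is wider than the allow-list")
    return findings


def verdict(text, src, dst, proto, dport=None, state="NEW"):
    """First-match evaluation of one flow against the chain; returns the iptables target."""
    default, rules = parse_ruleset(text)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["states"] is not None and state not in r["states"]:
            continue
        return r["target"]
    return default


if __name__ == "__main__":
    for name, text in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, audit(text) or "no findings")
```

Running the block prints the findings for both constructed rulesets: the first passes, the second is reported for its ACCEPT default policy and for two rules that admit traffic outside the allow-list. The audit treats a rule as acceptable only when its source, destination, protocol and port all fit inside one allow-list entry, which is the property a segmented network depends on; the verdict function lets you confirm individual flows, for example that a device cannot reach the server on port 4101 directly.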


Supported UI settings for VPN concentrators

BlackBerry® 7 supports the configuration of the following UI settings for the VPN concentrators that BlackBerry smartphones connect to. The concentrators covered are VPN-1 Power®, Cisco VPN 3000 Series Concentrator, Cisco PIX Firewall, Cisco IOS Easy VPN, VPN Firewall Brick®, NetScreen, Nortel Networks Contivity, Secure Computing® Sidewinder® and Symantec Raptor Firewall. The second column gives the number of these nine concentrators for which the setting is supported; the tables that follow give the per-configuration detail for the Cisco, Sidewinder and Nortel products (for example, the External Network settings apply to Secure Computing Sidewinder and the XAuth Credential: Extended Authentication setting to Nortel Networks Contivity).

The algorithm settings (IKE: DH Group, IKE: Cipher, IKE: Hash and IPSec: Crypto and Hash Suite) decide the strength of the tunnel. DES and DH group 1 are no longer considered adequate, and 3DES and HMAC MD5 are deprecated; where a concentrator offers a configuration restricted to AES, HMAC SHA1 and DH group 5, prefer it.

UI setting                                          | Supported on (of 9 concentrators)
Gateway Credential (PSK): Username (Group Name)     | 9
Gateway Credential (PSK): Password (Group Password) | 9
XAuth Credential (PSK): Username                    | 7
XAuth Credential (PSK): Password                    | 7
XAuth Credential: Enable Extended Authentication    | 4
Gateway Auth (PKI): Client Certificate              | 4
Gateway Auth (PKI): CA Certificate                  | 4
DNS Config: Dynamically determine DNS               | 6
External Network: Subnet IP address 1               | 1
External Network: Subnet mask 1                     | 1
XAuth Credential: Extended Authentication           | 1
IKE: DH Group                                       | 9
IKE: Cipher                                         | 9
IKE: Hash                                           | 9
IPSec: Perfect Forward Secrecy                      | 8
IPSec: Crypto and Hash Suite                        | 9
XAuth Credential: Soft Token                        | 2


Supported configurations for the Cisco VPN 3000 Series Concentrator

The following table describes the configurations that BlackBerry® 7 supports for the Cisco® VPN 3000 Series Concentrator. Each of the credential settings (Gateway Credential (PSK) user name and password, XAuth Credential (PSK) user name and password, Enable Extended Authentication, and the PKI client and CA certificates) is marked as supported in two of the four configurations. Configuration 3 is the only one whose IKE and IPSec options exclude 3DES, HMAC MD5 and DH group 1.

Configuration setting                 | Configuration 1       | Configuration 2       | Configuration 3 | Configuration 4
DNS Config: Dynamically determine DNS | X                     | X                     | X               | X
IKE: DH Group                         | Group 1               | Group 1, 2            | Group 5         | Group 1, 5
IKE: Cipher                           | 3DES, AES128          | 3DES, AES128          | AES256          | 3DES, AES256
IKE: Hash                             | HMAC MD5, HMAC SHA1   | HMAC MD5, HMAC SHA1   | HMAC SHA1       | HMAC MD5, HMAC SHA1
IPSec: Crypto and Hash Suite          | 3DES-MD5, AES128-SHA1 | 3DES-MD5, AES128-SHA1 | AES256-SHA1     | 3DES-MD5, AES256-SHA1
NAT timeout                           | Default               | Default               | Default         | Default


Supported configurations for the Cisco PIX Firewall

The following table describes the configurations that BlackBerry® 7 supports for the Cisco® PIX® Firewall. Configurations 1 and 2 offer the same algorithm options, as do configurations 3 and 4; the pairs differ in their credential settings, each of which (Gateway Credential (PSK) user name and password, XAuth Credential (PSK) user name and password, Enable Extended Authentication, and the PKI client and CA certificates) is marked as supported in two of the four configurations. IPSec Perfect Forward Secrecy is not marked for any of the four configurations.

Configuration setting                 | Configurations 1 and 2                                                                                   | Configurations 3 and 4
DNS Config: Dynamically determine DNS | X                                                                                                        | X
IKE: DH Group                         | Group 1, 2, 5                                                                                            | Group 5
IKE: Cipher                           | DES, 3DES, AES128, AES192, AES256                                                                        | AES256
IKE: Hash                             | HMAC MD5, HMAC SHA1                                                                                      | HMAC SHA1
IPSec: Crypto and Hash Suite          | DES-SHA1, 3DES-MD5, 3DES-SHA1, AES128-MD5, AES128-SHA1, AES192-MD5, AES192-SHA1, AES256-MD5, AES256-SHA1 | AES256-SHA1
NAT timeout                           | Default                                                                                                  | Default


Supported configurations for the Cisco IOS Easy VPN

The following table describes the configurations that BlackBerry® 7 supports for the Cisco IOS® Easy VPN. The XAuth Credential (PSK) user name and password and Enable Extended Authentication are marked as supported in one of the two configurations.

Configuration setting                               | Configuration 1 | Configuration 2
Gateway Credential (PSK): Username (Group Name)     | X               | X
Gateway Credential (PSK): Password (Group Password) | X               | X
DNS Config: Dynamically determine DNS               | X               | X
IKE: DH Group                                       | Group 1         | Group 1, 2, 5
IKE: Cipher                                         | 3DES            | DES, 3DES, AES128, AES192, AES256
IKE: Hash                                           | HMAC MD5        | HMAC MD5, HMAC SHA1
IPSec: Crypto and Hash Suite                        | 3DES-MD5        | DES-SHA1, 3DES-SHA1, AES128-SHA1, AES192-SHA1, AES256-MD5, AES256-SHA1
NAT timeout                                         | Default         | Default


Supported configurations for the Secure Computing Sidewinder

The following table describes the configuration that BlackBerry® 7 supports for the Secure Computing® Sidewinder®. A single configuration is supported, and it is limited to DH group 1, 3DES and HMAC MD5.

Configuration setting                               | Configuration 1
Gateway Credential (PSK): Username (Group Name)     | X
Gateway Credential (PSK): Password (Group Password) | X
XAuth Credential (PSK): Username                    | X
XAuth Credential (PSK): Password                    | X
XAuth Credential: Enable Extended Authentication    | X
DNS Config: Dynamically determine DNS               | X
External Network: Subnet IP address 1               | X
External Network: Subnet mask 1                     | X
IKE: DH Group                                       | Group 1
IKE: Cipher                                         | 3DES
IKE: Hash                                           | HMAC MD5
IPSec: Crypto and Hash Suite                        | 3DES-MD5
NAT timeout                                         | Default


Supported configurations for Nortel Networks Contivity

The following table describes the configurations that BlackBerry® 7 supports for Nortel Networks® Contivity®. The two configurations offer the same algorithm options and differ only in authentication: the Gateway Credential (PSK) group name and password and dynamic DNS determination are supported in both, while the XAuth Credential (PSK) user name and password and the XAuth Credential: Extended Authentication setting are marked in one of the two.

Configuration setting                               | Configurations 1 and 2
Gateway Credential (PSK): Username (Group Name)     | X
Gateway Credential (PSK): Password (Group Password) | X
DNS Config: Dynamically determine DNS               | X
IKE: DH Group                                       | Group 1
IKE: Cipher                                         | 3DES
IKE: Hash                                           | HMAC MD5
IPSec: Crypto and Hash Suite                        | 3DES-MD5
NAT timeout                                         | Default
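The device and the concentrator negotiate the actual IKE and IPSec algorithms from the sets each configuration offers, so a configuration that lists AES256 alongside 3DES-MD5 can still end up on the weaker pair. The following Python is an added example, not BlackBerry code: it encodes the configurations from the tables above for the Cisco VPN 3000 Series Concentrator, Cisco PIX Firewall, Cisco IOS Easy VPN, Secure Computing Sidewinder and Nortel Networks Contivity, checks each against a minimum-strength policy, and reports whether a configuration can meet the policy without also leaving weak options negotiable. The policy thresholds (AES128 or stronger, SHA1 rather than MD5, DH group 5) are assumptions chosen from what the tables offer; DH group 5 is 1536-bit and is itself below current recommendations, but it is the largest group any table lists.

```python
"""
Rank BlackBerry 7 supported VPN configurations against a minimum-strength
policy. Added example, not BlackBerry code; the configuration values are
copied from the tables on this page, the policy thresholds are assumptions.
"""

STRENGTH = {"DES": 0, "3DES": 1, "AES128": 2, "AES192": 3, "AES256": 4}

# Assumed policy: weakest acceptable cipher, allowed integrity hashes, smallest DH group.
MIN_CIPHER = "AES128"
ALLOWED_HASHES = {"SHA1"}
MIN_DH_GROUP = 5

PIX_WIDE = {"dh": "Group 1, 2, 5", "ike": "DES, 3DES, AES128, AES192, AES256",
            "hash": "HMAC MD5, HMAC SHA1",
            "ipsec": "DES-SHA1, 3DES-MD5, 3DES-SHA1, AES128-MD5, AES128-SHA1, "
                     "AES192-MD5, AES192-SHA1, AES256-MD5, AES256-SHA1"}
STRICT = {"dh": "Group 5", "ike": "AES256", "hash": "HMAC SHA1", "ipsec": "AES256-SHA1"}
LEGACY = {"dh": "Group 1", "ike": "3DES", "hash": "HMAC MD5", "ipsec": "3DES-MD5"}

CONFIGURATIONS = {   # one entry per numbered configuration in the page's tables
    "Cisco VPN 3000 Series Concentrator": [
        {"dh": "Group 1", "ike": "3DES, AES128", "hash": "HMAC MD5, HMAC SHA1",
         "ipsec": "3DES-MD5, AES128-SHA1"},
        {"dh": "Group 1, 2", "ike": "3DES, AES128", "hash": "HMAC MD5, HMAC SHA1",
         "ipsec": "3DES-MD5, AES128-SHA1"},
        STRICT,
        {"dh": "Group 1, 5", "ike": "3DES, AES256", "hash": "HMAC MD5, HMAC SHA1",
         "ipsec": "3DES-MD5, AES256-SHA1"},
    ],
    "Cisco PIX Firewall": [PIX_WIDE, PIX_WIDE, STRICT, STRICT],
    "Cisco IOS Easy VPN": [
        LEGACY,
        {"dh": "Group 1, 2, 5", "ike": "DES, 3DES, AES128, AES192, AES256",
         "hash": "HMAC MD5, HMAC SHA1",
         "ipsec": "DES-SHA1, 3DES-SHA1, AES128-SHA1, AES192-SHA1, AES256-MD5, AES256-SHA1"},
    ],
    "Secure Computing Sidewinder": [LEGACY],
    "Nortel Networks Contivity": [LEGACY, LEGACY],
}


def parse_groups(text):
    """'Group 1, 2, 5' -> [1, 2, 5]"""
    return [int(g) for g in text.replace("Group", "").split(",")]


def parse_names(text):
    """'3DES, AES128' -> ['3DES', 'AES128']"""
    return [x.strip() for x in text.split(",")]


def parse_suites(text):
    """'3DES-MD5, AES128-SHA1' -> [('3DES', 'MD5'), ('AES128', 'SHA1')]"""
    return [tuple(x.strip().split("-")) for x in text.split(",")]


def cipher_ok(cipher):
    return STRENGTH[cipher] >= STRENGTH[MIN_CIPHER]


def hash_ok(name):
    return name.replace("HMAC ", "") in ALLOWED_HASHES


def dh_ok(group):
    return group >= MIN_DH_GROUP


def assess(cfg):
    """Can this configuration negotiate a compliant tunnel, and which weak options stay negotiable?"""
    groups, ciphers = parse_groups(cfg["dh"]), parse_names(cfg["ike"])
    hashes, suites = parse_names(cfg["hash"]), parse_suites(cfg["ipsec"])
    weak = [f"DH group {g}" for g in groups if not dh_ok(g)]
    weak += [f"IKE cipher {c}" for c in ciphers if not cipher_ok(c)]
    weak += [f"IKE hash {h}" for h in hashes if not hash_ok(h)]
    weak += [f"IPSec suite {c}-{h}" for c, h in suites if not (cipher_ok(c) and hash_ok(h))]
    can_meet = (any(map(dh_ok, groups)) and any(map(cipher_ok, ciphers))
                and any(map(hash_ok, hashes))
                and any(cipher_ok(c) and hash_ok(h) for c, h in suites))
    return {"can_meet_policy": can_meet, "weak_options": weak, "clean": can_meet and not weak}


def choose(concentrator):
    """Prefer a configuration with no weak option ("clean"); otherwise one that can meet
    the policy but also offers weak options ("downgradable"); otherwise none."""
    results = [assess(c) for c in CONFIGURATIONS[concentrator]]
    for status, key in (("clean", "clean"), ("downgradable", "can_meet_policy")):
        for index, r in enumerate(results, 1):
            if r[key]:
                return index, status
    return None, "unacceptable"


if __name__ == "__main__":
    for name in CONFIGURATIONS:
        print(f"{name}: configuration {choose(name)[0]} ({choose(name)[1]})")
```

On the page's data the Cisco VPN 3000 Series Concentrator and Cisco PIX Firewall each have a clean configuration (configuration 3), the Cisco IOS Easy VPN can meet the policy only with configuration 2, which also leaves DES, 3DES, HMAC MD5 and DH groups 1 and 2 negotiable, and the Sidewinder and Contivity configurations cannot meet it at all. Tightening a policy to reject 3DES on the concentrator side is what removes the "downgradable" cases; the device cannot do it for you.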

