iOS Hardening Configuration Guide - DSD

More documents

Recommendations

Info

Sandbboxing In iOS, all applications are sandboxed, wwith the kern nel enforcing mandatorry access co ontrols, and appplications beeing highly restricted inn how they can share data. d Apple sships iOS 4 with the Ma ail App conffigured to st tore mail me essages annd attachme ents in the stroongest data protection –class – – whhere each fi ile is encryp pted with a uunique key, , and is only able to be deccrypted whe en the devicce is unlock ked. Address book and calendar informaation is curreently allowe ed to be deccrypted whe en the devic ce is locked (to support t caller ID and event notificcations). If a security posturre is require ed where thiis level of sandboxing is insufficient, then in-h house Apps, oor third partyy solutions such s as Sybbase Afaria a (http://www w.sybase.coom/afaria), Good for Enteerprise (httpp://www.goo od.com) or LLRW Pinecone (http://wwww.lrwtechhnologies.co om/pineconne.html) can n be used to o provide addditional lev vels of sandbooxing and poolicy enforce ement for eemail, calendar and con ntact data, mmanaged by dedicated servers. There iss usually a usability/se ecurity tradee off in the configuration c n, with custtom sandbo oxed solutionns having a lower level of integratiion with other apps on the device (e.g. it may y not be possiblee to take a photo with the t device’ss camera, and a then sen nd via emaiil is using th he third party saandboxed eemail client ). Note thhat currentlyy no third pa arty sandbooxed solution has been evaluated by DSD. Go ood Enterpprise App User U Interfa ace 19 | Defence S ignals Directo rate
Conteent Filterinng Access to intranet sites, and some s mail, contact or calendaring c data can bbe achieved d via reversee proxies annd content fi ilters. Theree are multip ple solutions s in this spaace such as IIS from Miicrosoft, Moobile Access s Server froom Apple, and a wide variety v of othher solution ns (e.g. from Cisco or F5 nnetworks ). Filteringg Exchangee Active Syn nc data prodducts such as JanusGA ATE Mobilee (http://wwww.janus.nnet.au/janus sGATE/Mobbile) can be e used to en nsure email sent to Exc change ActiveSSync devices has appro opriate privaacy marking gs for the classificationn the device e is approveed to by an agency. Th his approach can allow w for an asym mmetric straategy – mobile devicess only receivve email content at a cclassification n appropriat te to the deevice, as we ell as have poolicy and coontrols appli ied to the email conten nt. In this sscenario, the agency’s Wide Area Network (W WAN) secur rity domain is NOT exte ended out to thhe mobile ddevice, and there is no need to low wer the classification off the agency WAN. Such soolutions cann be used to o redact speecific content patterns from emailss sent via EAS, E e.g. to sscrub creditt card numb bers from alll emails syn nced to mob bile devicess. This class s of tools caan also facilitate correc ct protectivee marking of f email com ming from moobile device es without direct on-device suppo ort for Austrralian Gove ernment marking standdards. For further f informaation see thee ISM sectio on on Conteent Filtering g. Examplee of Mail Ap pp interfacee when Jan nusGATE Mobile M bloccks email 20 | Defence S ignals Directo rate
Page 1 and 2: iOS Hardening Configuration Guide F
Page 3 and 4: Audience This guide is for users an
Page 5 and 6: Using this Guide The following list
Page 7 and 8: Chappter Onne Introoductioon to Mob
Page 9 and 10: The fireewall rules aapplied to th
Page 11 and 12: ensured, due to both ‘Man-in-the-
Page 13 and 14: Question Comments/Selection Does my
Page 15 and 16: Chapter Two Installing iOS 4 This c
Page 17 and 18: Chappter Thhree Secuurity Feeatures
Page 19: Find My iPhone user interface Gener
Page 23 and 24: Chapter Four Suggested Policies Thi
Page 25 and 26: Feature Unclassified XX-in-Confiden
Page 27 and 28: � � � Passcode (can be set vi
Page 29 and 30: VPN � IPSec and SSL are DSD Appro
Page 31 and 32: Chapter Six Mobile Device Managemen
Page 33 and 34: Example of approved or re ecommendd
Page 35 and 36: Task Comments Provide staff with tr
Page 37 and 38: Appendix B Configuration Profiles F
Page 39 and 40: Appendix C Sample Scripts This appe
Page 41 and 42: make new VPN payload with propertie
Page 43 and 44: Appendix E Risk Management Guide Th
Page 45 and 46: Firewall Risk Mitigations Implied P

iOS Hardening Configuration Guide - DSD

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?