The mobile operating system must prevent a user from using a browser that does not direct its traffic to a DoD proxy server.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32711	WIR-MOS-iOS-65-11	SV-43057r2_rule	ECWN-1	Medium

Description
Proxy servers can inspect traffic for malware and other signs of a security attack. Allowing a mobile device to access the public Internet without proxy server inspection forgoes the protection that the proxy server would otherwise provide. Malware downloaded onto the device could have a wide variety of malicious consequences, including loss of sensitive DoD information. Forcing traffic to flow through a proxy server greatly mitigates the risk of access to public Internet resources.

Description

Proxy servers can inspect traffic for malware and other signs of a security attack. Allowing a mobile device to access the public Internet without proxy server inspection forgoes the protection that the proxy server would otherwise provide. Malware downloaded onto the device could have a wide variety of malicious consequences, including loss of sensitive DoD information. Forcing traffic to flow through a proxy server greatly mitigates the risk of access to public Internet resources.

STIG	Date
Apple iOS 6 Security Technical Implementation Guide (STIG)	2013-05-23

Details

Check Text ( C-41072r4_chk )
Review the operating system and browser configuration to determine if traffic is forced through DoD proxy servers. If greater assurance is required, access a number of Internet web sites and verify traffic flows through a DoD proxy server by viewing the traffic using a network protocol analyzer or by communicating with personnel that manage the proxy server. Note: Although in iOS 6, Safari can be configured to meet this requirement, Safari encryption is not FIPS 140-2 validated and cannot be used in the DoD. Therefore, a third-party browser must be used. There are two acceptable implementations for this requirement. 1. The device uses a mobile VPN to route all data traffic to the DoD enclave, which forces all browser traffic to the DoD Internet gateway. 2. The device browser supports a proxy server setting that forces all traffic to a specified the proxy server when configured to do so. The configuration must be from an MDM server and not user modifiable. In some implementations, the user may enter a container application to access the browser functionality. Verify that none of the unauthorized browsers can be used. On a sample of 3-4 devices, identify the browsers on the device. If any are unauthorized, verify they are not functional. Mark as a finding if any non-compliant browser is functional.

Check Text ( C-41072r4_chk )

Review the operating system and browser configuration to determine if traffic is forced through DoD proxy servers.

If greater assurance is required, access a number of Internet web sites and verify traffic flows through a DoD proxy server by viewing the traffic using a network protocol analyzer or by communicating with personnel that manage the proxy server.

Note: Although in iOS 6, Safari can be configured to meet this requirement, Safari encryption is not FIPS 140-2 validated and cannot be used in the DoD. Therefore, a third-party browser must be used.

There are two acceptable implementations for this requirement.

1. The device uses a mobile VPN to route all data traffic to the DoD enclave, which forces all browser traffic to the DoD Internet gateway.

2. The device browser supports a proxy server setting that forces all traffic to a specified the proxy server when configured to do so. The configuration must be from an MDM server and not user modifiable. In some implementations, the user may enter a container application to access the browser functionality.

Verify that none of the unauthorized browsers can be used. On a sample of 3-4 devices, identify the browsers on the device. If any are unauthorized, verify they are not functional.

Mark as a finding if any non-compliant browser is functional.

Fix Text (F-36607r2_fix)
Disable browsers that do not support a feature to direct all traffic to a DoD proxy server. Configure browsers that support this functionality to direct all traffic to a DoD proxy server.