
The mobile operating system must prevent a user from using a browser that does not direct its traffic to a DoD proxy server.


Overview

Finding ID: V-32711
Version: WIR-MOS-iOS-65-11
Rule ID: SV-43057r1_rule
IA Controls: ECWN-1
Severity: Medium
Description
Proxy servers can inspect traffic for malware and other signs of a security attack. Allowing a mobile device to access the public Internet without proxy server inspection forgoes the protection that the proxy server would otherwise provide. Malware downloaded onto the device could have a wide variety of malicious consequences, including loss of sensitive DoD information. Forcing traffic to flow through a proxy server greatly mitigates the risk of access to public Internet resources.
STIG: Apple iOS 6 Interim Security Configuration Guide (ISCG)
Date: 2013-01-17

Details

Check Text ( C-41072r3_chk )
Review the operating system and browser configuration to determine if traffic is forced through DoD proxy servers.

If greater assurance is required, access a number of Internet web sites and verify traffic flows through a DoD proxy server by viewing the traffic using a network protocol analyzer or by communicating with personnel that manage the proxy server.

Note: although in iOS 6 Safari can be configured to meet this requirement, Safari's encryption is not FIPS 140-2 validated and cannot be used in the DoD. Therefore, a third-party browser must be used.

There are two acceptable implementations for this requirement.
1. The device uses a mobile VPN to route all data traffic to the DoD enclave, which forces all browser traffic to the DoD Internet gateway.
2. The device browser is installed inside an iOS security container and the security container provides the capability to route all browser traffic to the MDM server where it will be routed to the DoD Internet gateway.
Using a browser without a mobile VPN and installed outside the iOS device security container is not an approved implementation.

Verify that none of the unauthorized browsers can be used. On a sample of 3-4 devices, identify the browsers on the device. If any are unauthorized, verify they are not functional.

Mark as a finding if any non-compliant browser is functional.
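The "greater assurance" step above reviews captured traffic to confirm that every browser connection leaves the device via the DoD proxy or the mobile VPN. The following is an added example of that review, not part of the STIG: it takes flow summaries (source, destination, port, protocol) such as a protocol analyzer or flow export would produce and reports, per sampled device, any web connection that went directly to the Internet. All addresses, including the proxy, VPN gateway and enclave range, are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One summarized connection as a protocol analyzer or flow export reports it."""
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


# Placeholder addresses standing in for the DoD proxy and the mobile VPN gateway.
APPROVED_EGRESS = {ip_address("10.1.1.10"), ip_address("10.1.1.11")}
# Placeholder enclave range: flows to internal hosts are not public Internet access.
ENCLAVE = ip_network("10.0.0.0/8")
WEB_PORTS = {80, 443, 8080}

# Constructed sample: two managed devices and one unmanaged host on the same segment.
DEVICE_IPS = {"192.0.2.10", "192.0.2.11"}
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "10.1.1.10", 8080, "tcp"),     # browser -> proxy: compliant
    Flow("192.0.2.10", "198.51.100.7", 443, "tcp"),   # direct TLS to the Internet: bypass
    Flow("192.0.2.11", "10.1.1.11", 4500, "udp"),     # IPsec NAT-T to VPN gateway: compliant
    Flow("192.0.2.11", "10.20.30.40", 443, "tcp"),    # internal web app inside enclave: compliant
    Flow("192.0.2.200", "198.51.100.7", 443, "tcp"),  # not a sampled device: ignored
]


def bypass_flows(flows, device_ips, approved=APPROVED_EGRESS, enclave=ENCLAVE):
    """Return {device_ip: [flows]} for web connections that skipped the proxy/VPN."""
    found = {}
    for f in flows:
        if f.src not in device_ips or f.proto != "tcp" or f.dport not in WEB_PORTS:
            continue
        dst = ip_address(f.dst)
        if dst in approved or dst in enclave:
            continue  # reached the proxy, the VPN gateway, or an enclave host
        found.setdefault(f.src, []).append(f)
    return found


def is_finding(flows, device_ips):
    """STIG outcome: any sampled device has a functional browser path around the proxy."""
    return bool(bypass_flows(flows, device_ips))


if __name__ == "__main__":
    for dev, hits in bypass_flows(SAMPLE_FLOWS, DEVICE_IPS).items():
        for f in hits:
            print(f"FINDING {dev} -> {f.dst}:{f.dport}/{f.proto} bypassed approved egress")
```

A device whose only flows are to the VPN gateway is compliant by this check even when it browses, because its browser traffic is inside the tunnel and reaches the DoD Internet gateway from the enclave side.
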
Fix Text (F-36607r2_fix)
Disable browsers that do not support a feature to direct all traffic to a DoD proxy server. Configure browsers that support this functionality to direct all traffic to a DoD proxy server.