The BES host-based or appliance firewall must be configured as required.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-19192	WIR1300-02	SV-21031r2_rule	ECSC-1	High

Description
BlackBerry user could get access to unauthorized network resources (application and content servers, etc.) if the BES firewall is not set up as required.

STIG	Date
BlackBerry Enterprise Server, Part 2 Security Technical Implementation Guide	2012-10-01

Details

Check Text ( C-23119r2_chk )
Detailed Policy Requirements: The BES host-based or appliance firewall must be configured as required. The BES firewall is configured with the following rules: - Deny all except when explicitly authorized. - Internal traffic from the BES is limited to internal systems used to host the BlackBerry services (e.g., email and LDAP servers) and DAA approved back-office application and content servers. Communications with other services, clients, and/or servers are not authorized. - Internet traffic from the BES is limited to only those specified BlackBerry services (e.g., BlackBerry SRP server, OCSP, SSL/TLS, HTTP, and LDAP). All outbound connections are initiated by the BlackBerry system and/or service. - Firewall settings listed in Section 3.13 of the BlackBerry STIG Overview will be implemented, including blocking connections to web proxy servers and back-office application and content servers unless the server Internet Protocol (IP) address is on the firewall list of trust IP addresses and subnets. Note: At the minimum, the IP address of the site Internet proxy server must be listed so the BlackBerry Browser can connect to the Internet. Note: The HBSS firewall can be used to meet these requirements if one or more firewall rules have been set up on the firewall as described above. Check Procedures: Verify the firewall configuration meets approved architecture configuration requirements (or have the network reviewer do the review of the firewall). Use Table 3-5 in the BlackBerry STIG Overview when using the non-segmented architecture and Tables 3-6 and 3-7 when using the segmented architecture for required firewall rules. Verify the firewall is configured to block connections to internal servers unless the server IP address is included on the list of trusted networks. IP addresses of the enclave web proxy server and authorized back-office application and content servers that the BES connects to should be included on this list. Mark as a finding if a list of trusted networks by IP address is not configured on the BES host-based firewall.

Check Text ( C-23119r2_chk )

Detailed Policy Requirements:

The BES host-based or appliance firewall must be configured as required.
The BES firewall is configured with the following rules:
- Deny all except when explicitly authorized.
- Internal traffic from the BES is limited to internal systems used to host the BlackBerry services (e.g., email and LDAP servers) and DAA approved back-office application and content servers. Communications with other services, clients, and/or servers are not authorized.
- Internet traffic from the BES is limited to only those specified BlackBerry services (e.g., BlackBerry SRP server, OCSP, SSL/TLS, HTTP, and LDAP). All outbound connections are initiated by the BlackBerry system and/or service.
- Firewall settings listed in Section 3.13 of the BlackBerry STIG Overview will be implemented, including blocking connections to web proxy servers and back-office application and content servers unless the server Internet Protocol (IP) address is on the firewall list of trust IP addresses and subnets. Note: At the minimum, the IP address of the site Internet proxy server must be listed so the BlackBerry Browser can connect to the Internet. Note: The HBSS firewall can be used to meet these requirements if one or more firewall rules have been set up on the firewall as described above.

Check Procedures:

Verify the firewall configuration meets approved architecture configuration requirements (or have the network reviewer do the review of the firewall). Use Table 3-5 in the BlackBerry STIG Overview when using the non-segmented architecture and Tables 3-6 and 3-7 when using the segmented architecture for required firewall rules.

Verify the firewall is configured to block connections to internal servers unless the server IP address is included on the list of trusted networks. IP addresses of the enclave web proxy server and authorized back-office application and content servers that the BES connects to should be included on this list. Mark as a finding if a list of trusted networks by IP address is not configured on the BES host-based firewall.

Fix Text (F-23362r1_fix)
The BES host-based or appliance firewall is configured as required.