UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Samsung Knox Android must prevent a user from using a browser in the container that does not direct its traffic to a DoD proxy server.


Overview

Finding ID Version Rule ID IA Controls Severity
V-48275 KNOX-29-013500 SV-61147r1_rule Medium
Description
Proxy servers can inspect traffic for malware and other signs of a security attack. Allowing a mobile device to access the public Internet without proxy server inspection forgoes the protection that the proxy server would otherwise provide. Malware downloaded onto the device could have a wide variety of malicious consequences, including loss of sensitive DoD information. Forcing traffic to flow through a proxy server greatly mitigates the risk of access to public Internet resources. SFR ID: FMT_SMF.1.1 #42
STIG Date
Samsung Android (with Knox 1.x) STIG 2014-04-22

Details

Check Text ( C-50707r3_chk )
This validation procedure is performed on the MDM Administration Console only.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Web Proxy" field in the "Android Knox Container Restrictions" rule.
2. Verify this field contains both an IP address and port of a DoD proxy or content filtering server using the format [IP Address]:[port number].
Note: If the format is not correct, the setting may not be enforced.

If a proxy or web content filtering server is not configured on the MDM console using the format [IP Address]:[port number], or the device successfully accesses any known blocked website, this is a finding.
Fix Text (F-51883r2_fix)
Disable browsers that do not support a feature to direct all traffic to a designated proxy server. Configure browsers that support this functionality to direct all traffic to a designated proxy server.

On the MDM Administration Console, enter both the IP address and port of the DoD proxy in the "Web Proxy" field in the "Android Knox Container Restrictions" rule. The format must be [IP Address]:[port number].

Note: This setting only applies to the stock browser, but third party browsers would have to be whitelisted prior to operation.