Samsung Knox Android must prevent a user from using a browser outside the container that does not direct its traffic to a DoD proxy server.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-48289	KNOX-23-013400	SV-61161r1_rule		Medium

Description
Proxy servers can inspect traffic for malware and other signs of a security attack. Allowing a mobile device to access the public Internet without proxy server inspection forgoes the protection that the proxy server would otherwise provide. Malware downloaded onto the device could have a wide variety of malicious consequences, including loss of sensitive DoD information. Forcing traffic to flow through a proxy server greatly mitigates the risk of access to public Internet resources. SFR ID: FMT_SMF.1.1 #42

Description

Proxy servers can inspect traffic for malware and other signs of a security attack. Allowing a mobile device to access the public Internet without proxy server inspection forgoes the protection that the proxy server would otherwise provide. Malware downloaded onto the device could have a wide variety of malicious consequences, including loss of sensitive DoD information. Forcing traffic to flow through a proxy server greatly mitigates the risk of access to public Internet resources. SFR ID: FMT_SMF.1.1 #42

STIG	Date
Samsung Android (with Knox 1.x) STIG	2014-04-22

Details

Check Text ( C-50719r3_chk )
This validation procedure is performed on the MDM Administration Console only. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the "Web Proxy" field in the "Android Restrictions" rule. 2. Verify this field contains both an IP address and port of a DoD proxy or content filtering server using the format [IP Address]:[port number]. Note: If the format is not correct, the setting may not be enforced. If a proxy or web content filtering server is not configured on the MDM console using the format [IP Address]:[port number], this is a finding.

Check Text ( C-50719r3_chk )

This validation procedure is performed on the MDM Administration Console only.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Web Proxy" field in the "Android Restrictions" rule.
2. Verify this field contains both an IP address and port of a DoD proxy or content filtering server using the format [IP Address]:[port number].
Note: If the format is not correct, the setting may not be enforced.

If a proxy or web content filtering server is not configured on the MDM console using the format [IP Address]:[port number], this is a finding.

Fix Text (F-51895r2_fix)
Disable browsers that do not support a feature to direct all traffic to a designated proxy server. Configure browsers that support this functionality to direct all traffic to a designated proxy server. On the MDM Administration Console, enter the both IP address and port of the DoD proxy in the "Web Proxy" field in the "Android Knox Restrictions" rule. The format must be [IP Address]:[port number]. Note: This setting only applies to the stock browser, but third party browsers would have to be whitelisted prior to operation.

Fix Text (F-51895r2_fix)

Disable browsers that do not support a feature to direct all traffic to a designated proxy server. Configure browsers that support this functionality to direct all traffic to a designated proxy server.

On the MDM Administration Console, enter the both IP address and port of the DoD proxy in the "Web Proxy" field in the "Android Knox Restrictions" rule. The format must be [IP Address]:[port number].

Note: This setting only applies to the stock browser, but third party browsers would have to be whitelisted prior to operation.