
The mobile operating system must prevent a user from using a browser that does not direct its traffic to a DoD proxy server.


Overview

Finding ID | Version | Rule ID | IA Controls | Severity
KNOX-13-002800 | KNOX-13-002800 | KNOX-13-002800_rule | | Medium
Description
Proxy servers can inspect traffic for malware and other signs of a security attack. Allowing a mobile device to access the public Internet without proxy server inspection forgoes the protection that the proxy server would otherwise provide. Malware downloaded onto the device could have a wide variety of malicious consequences, including loss of sensitive DoD information. Forcing traffic to flow through a proxy server greatly mitigates the risk of access to public Internet resources.
STIG | Date
Samsung Knox Android 1.0 STIG | 2013-05-03

Details

Check Text (C-KNOX-13-002800_chk)
This check procedure is performed on both the Fixmo Sentinel Administration Console and the Samsung Knox device.


Check that the appropriate setting is configured on the MDM server.

For example, on the Fixmo Sentinel Administration Console:
1. Ask the MDM administrator to display the "Web Proxy" field in the "Android Knox Restrictions" rule.
2. Verify this field contains both an IP address and port of a DoD proxy or content filtering server using the format [IP Address]:[port number].
Note: If the format is not correct, the setting may not be enforced.

On the Samsung Knox device:
1. Open the Internet browser.
2. Navigate to a known blocked or filtered website.
3. Verify the website cannot be accessed.
If greater assurance is required, access a number of Internet websites and verify traffic flows through a DoD proxy server by viewing the traffic using a network protocol analyzer or by communicating with personnel that manage the proxy server.


If a proxy or web content filtering server is not configured on the MDM console using the format [IP Address]:[port number], or the device successfully accesses any known blocked website, this is a finding.
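The two checks above can be scripted for an audit. The following is an added example, not part of the STIG or of any vendor tooling: it validates a "Web Proxy" value against the [IP Address]:[port number] format and then lists device web flows, as exported from a protocol analyzer, that did not go to that proxy. The function names, the flow tuple layout, the IPv4-only parsing, the web port set and all addresses are assumptions made for illustration.

```python
import ipaddress

WEB_PORTS = {80, 443}  # assumption: ports treated as direct web traffic

def parse_web_proxy(field):
    """Parse a "Web Proxy" value given as [IP Address]:[port number].

    Returns (IPv4Address, port); raises ValueError for any other format.
    IPv4 is an assumption, the STIG text only says "IP address".
    """
    host, sep, port = field.strip().rpartition(":")
    if not sep or not (port.isascii() and port.isdigit()):
        raise ValueError(f"not in IP:port form: {field!r}")
    address = ipaddress.IPv4Address(host)  # rejects hostnames, URLs, bad octets
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {port}")
    return address, int(port)

def direct_web_flows(flows, device_ip, proxy):
    """Return the device's web flows that did not go to the proxy.

    flows: (src_ip, dst_ip, dst_port) tuples exported from a protocol analyzer.
    """
    device = ipaddress.ip_address(device_ip)
    bypass = []
    for src, dst, dport in flows:
        if ipaddress.ip_address(src) != device:
            continue  # traffic from another host
        if (ipaddress.ip_address(dst), dport) == proxy:
            continue  # sent to the configured proxy, as required
        if dport in WEB_PORTS:
            bypass.append((src, dst, dport))
    return bypass

# Constructed sample data (RFC 5737 documentation addresses), not from the STIG.
WEB_PROXY_FIELD = "198.51.100.5:8080"
DEVICE_IP = "192.0.2.10"
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", 8080),  # browser traffic via the proxy
    ("192.0.2.10", "203.0.113.7", 443),    # direct HTTPS, bypasses the proxy
    ("192.0.2.10", "192.0.2.1", 53),       # DNS, not counted as web traffic
    ("192.0.2.20", "203.0.113.7", 80),     # a different device
]

if __name__ == "__main__":
    proxy = parse_web_proxy(WEB_PROXY_FIELD)
    for flow in direct_web_flows(SAMPLE_FLOWS, DEVICE_IP, proxy):
        print("finding candidate, direct web flow:", flow)
```

A value that fails to parse corresponds to the format condition in the finding statement; any flow returned is a candidate for follow-up with the personnel who manage the proxy server.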
Fix Text (F-KNOX-13-002800_fix)
Disable browsers that do not support a feature to direct all traffic to a designated proxy server. Configure browsers that support this functionality to direct all traffic to a designated proxy server.

For example, on the Fixmo Sentinel Administration Console, enter both the IP address and port of the DoD proxy in the "Web Proxy" field in the "Android Knox Restrictions" rule. The format must be [IP Address]:[port number].

Note: This setting applies only to the stock browser; third-party browsers would have to be whitelisted prior to operation.