
The BES host-based or appliance firewall must be configured as required.


Finding ID: V-19192
Version: WIR1300-02
Rule ID: SV-21031r3_rule
IA Controls: (none listed)
Severity: High
BlackBerry user could get access to unauthorized network resources (application and content servers, etc.) if the BES firewall is not set up as required.
BlackBerry Enterprise Server (version 5.x), Part 2 Security Technical Implementation Guide 2016-09-08


Check Text (C-23119r3_chk)
Detailed Policy Requirements:

The BES host-based or appliance firewall must be configured as required.

The BES firewall is configured with the following rules:

- Deny all except when explicitly authorized.
- Internal traffic from the BES is limited to internal systems used to host the BlackBerry services (e.g., email and LDAP servers) and AO-approved back-office application and content servers. Communications with other services, clients, and/or servers are not authorized.
- Internet traffic from the BES is limited to only those specified BlackBerry services (e.g., BlackBerry SRP server, OCSP, SSL/TLS, HTTP, and LDAP). All outbound connections are initiated by the BlackBerry system and/or service.
- Firewall settings listed in Section 3.13 of the BlackBerry STIG Overview will be implemented, including blocking connections to web proxy servers and back-office application and content servers unless the server Internet Protocol (IP) address is on the firewall's list of trusted IP addresses and subnets.

Note: At the minimum, the IP address of the site Internet proxy server must be listed so the BlackBerry Browser can connect to the Internet.

Note: The HBSS firewall can be used to meet these requirements if one or more firewall rules have been set up on the firewall as described above.

Check Procedures:

Verify the firewall configuration meets approved architecture configuration requirements (or have the network reviewer do the review of the firewall).

Use Table 3-5 in the BlackBerry STIG Overview when using the non-segmented architecture and Tables 3-6 and 3-7 when using the segmented architecture for required firewall rules.

Verify the firewall is configured to block connections to internal servers unless the server IP address is included on the list of trusted networks. IP addresses of the enclave web proxy server and authorized back-office application and content servers that the BES connects to should be included on this list.

If a list of trusted networks by IP address is not configured on the BES host-based firewall, this is a finding.

Fix Text (F-23362r1_fix)
The BES host-based or appliance firewall is configured as required.
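An added example, not part of the STIG or of any BlackBerry or firewall product, of how the check procedure above could be automated against an exported ruleset: it verifies that the ruleset ends in a deny-all rule, that every allow rule targets an address on the trusted list, and that the site Internet proxy is on that list. The Rule record, the IP addresses and the two rulesets are constructed placeholders.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Added example, not part of the STIG: audit a BES host firewall ruleset against
# the WIR1300-02 checks. Rule is a constructed vendor-neutral form; export the
# real firewall's rules into it first.

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    dst: str      # destination host or subnet in CIDR notation
    port: int = 0 # 0 means any port

# Constructed sample values: the site's trusted IP addresses/subnets
# (AO-approved email and LDAP servers plus the enclave web proxy).
PROXY_IP = "10.10.7.10"
TRUSTED = [ipaddress.ip_network(n) for n in ("10.10.5.20", "10.10.5.21", PROXY_IP)]

def is_trusted(dst: str) -> bool:
    """True if dst lies entirely inside one of the trusted networks."""
    net = ipaddress.ip_network(dst, strict=False)
    return any(net.subnet_of(t) for t in TRUSTED)

def audit(rules: list[Rule]) -> list[str]:
    """Return findings for the ruleset; an empty list means the checks pass."""
    findings = []
    # Check-text note: at minimum the site Internet proxy must be on the list.
    if not is_trusted(PROXY_IP):
        findings.append("site Internet proxy is not on the trusted list")
    # "Deny all except when explicitly authorized": the last rule is a catch-all deny.
    if (not rules or rules[-1].action != "deny"
            or ipaddress.ip_network(rules[-1].dst).prefixlen != 0):
        findings.append("ruleset does not end with a deny-all rule")
    # Every allow rule must point at a trusted IP address or subnet.
    for r in rules:
        if r.action == "allow" and not is_trusted(r.dst):
            findings.append(f"allow to untrusted destination {r.dst} "
                            f"port {r.port or 'any'}")
    return findings

# Constructed rulesets: one compliant, one allowing a whole internal /16.
COMPLIANT = [Rule("allow", "10.10.5.20", 25), Rule("allow", "10.10.5.21", 389),
             Rule("allow", PROXY_IP, 8080), Rule("deny", "0.0.0.0/0")]
NONCOMPLIANT = [Rule("allow", "10.10.0.0/16"), Rule("allow", PROXY_IP, 8080)]

if __name__ == "__main__":
    for name, rs in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name, audit(rs) or ["no findings"])
```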