Installation guide

BlackBerry Enterprise Solution 41
| Step | Action | Description |
| --- | --- | --- |
| 6 | The BlackBerry Enterprise Server sends data to the BlackBerry device. | If wireless PIM synchronization and wireless backup are enabled for the BlackBerry device user, the BlackBerry Enterprise Server sends the following data to the user’s BlackBerry device: calendar entries; contacts, tasks, and memos; existing BlackBerry device options (if applicable) that the BlackBerry device backed up using automatic wireless backup. |
For more information, see the BlackBerry Wireless Enterprise Activation Technical Overview.
TCP/IP connection
The TCP/IP connection from the BlackBerry Enterprise Server to the BlackBerry Router is designed to be secure
in the following ways:
| Security measure | Description |
| --- | --- |
| The BlackBerry Enterprise Server sends outbound traffic to the BlackBerry device only through the authenticated connection to the BlackBerry Infrastructure. | The system administrator must set your organization’s firewall or proxy to permit the BlackBerry Enterprise Server to initiate and maintain an outbound connection to the BlackBerry Infrastructure on TCP port 3101. |
| The BlackBerry Enterprise Server does not send inbound-initiated traffic to the messaging server. | The BlackBerry Enterprise Server discards inbound traffic from any source other than the BlackBerry device (through the BlackBerry Infrastructure or BlackBerry Desktop Software) or the messaging server. |
| The BlackBerry Enterprise Solution encrypts data traffic over TCP/IP. | Data remains encrypted with standard BlackBerry encryption from the BlackBerry Enterprise Server to the BlackBerry device or from the BlackBerry device to the BlackBerry Enterprise Server. There is no intermediate point at which the data is decrypted and encrypted again. No data traffic of any kind can occur between the BlackBerry Enterprise Server and the wireless network or the BlackBerry device unless the BlackBerry Enterprise Server can decrypt the data using the correct, valid master encryption key. Only the BlackBerry device and BlackBerry Enterprise Server have the correct, valid master encryption key. |
| The BlackBerry Enterprise Server encrypts data traffic between specific components. | The BlackBerry Collaboration Service, the Connection Service, the BlackBerry Policy Service, and the BlackBerry Synchronization Service share a secure communication password that is known only to them. The BlackBerry Messaging Agent and the BlackBerry Dispatcher share a different secure communication password that is known only to them. When one of these components initiates a connection to the BlackBerry Dispatcher, the BlackBerry inter-process protocol is designed to use SPEKE to initialize a key generation process using the component’s secure communication password and to establish a 256-bit AES encryption key (a session key). The BlackBerry Enterprise Server then uses the session key to encrypt data traffic to any components that store the same secure communication password. |
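The SPEKE exchange described in the last row, as an added Python sketch that is not BlackBerry's implementation: two parties that hold the same secure communication password arrive at the same 256-bit session key, and a party with a different password does not. The group (RFC 3526 group 14), the SHAKE-256 password mapping, the SHA-256 key derivation and all names are assumptions, because the page does not specify them.

```python
import hashlib
import secrets

# Assumption: the 2048-bit safe prime of RFC 3526 group 14. The page does not
# say which group the BlackBerry inter-process protocol uses.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
Q = (P - 1) // 2  # prime order of the subgroup of squares mod P


def password_to_generator(password: bytes) -> int:
    """Derive the Diffie-Hellman base from the password (the core of SPEKE)."""
    # Assumption: SHAKE-256 stretched to the modulus size, then squared so the
    # result lies in the order-Q subgroup.
    h = int.from_bytes(hashlib.shake_256(password).digest(256), "big") % P
    g = pow(h, 2, P)
    if g in (0, 1):
        raise ValueError("degenerate generator")
    return g


class SpekeParty:
    def __init__(self, password: bytes):
        self._x = secrets.randbelow(Q - 2) + 2  # ephemeral secret exponent
        self.public = pow(password_to_generator(password), self._x, P)

    def session_key(self, peer_public: int) -> bytes:
        # Reject 0, 1 and P-1, which would force a predictable shared secret.
        if not 2 <= peer_public <= P - 2:
            raise ValueError("peer public value out of range")
        shared = pow(peer_public, self._x, P)
        # Assumption: SHA-256 as the KDF; its 32-byte output is a 256-bit AES key.
        return hashlib.sha256(shared.to_bytes(256, "big")).digest()


def handshake(component_pw: bytes, dispatcher_pw: bytes):
    """Run both sides locally; return (component key, dispatcher key)."""
    component, dispatcher = SpekeParty(component_pw), SpekeParty(dispatcher_pw)
    return (component.session_key(dispatcher.public),
            dispatcher.session_key(component.public))
```

Only the two public values cross the connection; the password is never sent, and the fresh exponents give every connection a new session key.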
www.blackberry.com