The rapid development of portable electronics, in particular smartphones and tablets, has created a host of new challenges for corporate information security. Where cyber security used to be based on creating a protected perimeter and then defending it, now that almost every employee uses his own mobile devices for work tasks, it has become very difficult to control that perimeter. This is especially true for large enterprises, in which each employee has a username and password for email and other corporate resources. On acquiring a new smartphone or tablet, an employee often enters his credentials on it and forgets to log out on the old device. Even if only 5% of the employees in the enterprise are this irresponsible, without proper control by the administrator, mobile device access to the mail server very quickly turns into a real mess.

In addition, mobile devices are quite often lost or stolen, and are subsequently used to search for compromising data and to access corporate resources and data that constitute commercial secrets. As a rule, the greatest harm to corporate cybersecurity comes from hackers gaining access to an employee's e-mail. With it, they can get access to the global address list and contacts, to the schedule of meetings in which the hapless employee was to take part, and to his correspondence. Hackers who gain access to corporate e-mail also have the opportunity to send phishing or malware-infected messages from a trusted email address. Taken together, this gives cybercriminals virtually unlimited opportunities to carry out cyber attacks and to use social engineering to achieve their goals.
To monitor the mobile devices that are inside the security perimeter, there is ABQ, or Allow / Block / Quarantine technology. It allows the administrator to control the list of mobile devices that are allowed to synchronize data with the mail server and, if necessary, to block compromised devices and quarantine suspicious ones.
However, as any administrator of the free version of Zimbra Collaboration Suite Open-Source Edition knows, its options for interacting with mobile devices are severely limited. Strictly speaking, users of the free version of Zimbra can only receive and send mail via POP3 or IMAP, with no built-in ability to synchronize calendar, address book and notes data with the server. ABQ technology is also not implemented in the free version of Zimbra Collaboration Suite, which automatically puts an end to all attempts to create a closed information perimeter in the enterprise. When the administrator does not know which devices are connected to his server, information leaks may occur at the enterprise, and the likelihood of a cyber attack following the scenario described earlier increases dramatically.
The Zextras Mobile modular extension helps solve this issue in the Zimbra Collaboration Suite Open-Source Edition. This extension adds full support for the ActiveSync protocol to the free version of Zimbra and thereby opens up many possibilities for interaction between mobile devices and your mail server. Among its other functions, the Zextras Mobile extension provides full support for ABQ.
We will warn you straight away: since an incorrectly configured ABQ may leave some users unable to synchronize data on their mobile devices with the server, setting it up must be approached with the utmost care and caution. ABQ is configured from the Zextras command line. This is where the ABQ mode of operation in Zimbra is set and where the device lists are managed.
It works as follows: after the user signs in to corporate mail on a mobile device, the device sends the server his authorization data together with the identification data of the device. The request is intercepted by ABQ, which compares the identification data with the entries in the lists of allowed, quarantined and blocked devices. If the device is not in any of the lists, ABQ handles it according to the mode in which it is operating.
ABQ in Zimbra provides three modes of operation:
Permissive: In this mode of operation, after user authentication, synchronization is performed automatically on the first request from a mobile device. It is possible to block individual devices, but all others can freely synchronize data with the server.
Interactive: In this mode of operation, immediately after the user is authenticated, the security system requests the identification data of the device and checks it against the list of allowed devices. If the device is on the allowed list, synchronization continues automatically. If the device is not on the allowed list, it is automatically quarantined so that the administrator can later decide whether to allow this device to synchronize with the server or to block it. At the same time, a corresponding notification is sent to the user. The administrator is informed regularly, once per customizable period of time. Each new notification contains only the devices newly placed in quarantine.
Strict: In this mode of operation, after the user is authenticated, a check is immediately carried out to verify that the device's identification data is in the list of allowed devices. If it is there, synchronization continues automatically. If the device is not in the list of allowed devices, it immediately goes into the list of blocked ones, and the user is notified by mail.
Also, if desired, the Zimbra administrator can completely disable ABQ on his mail server.
The ABQ mode of operation is set using the commands:
zxsuite config global set attribute abqMode value Permissive
zxsuite config global set attribute abqMode value Interactive
zxsuite config global set attribute abqMode value Strict
zxsuite config global set attribute abqMode value Disabled
You can find out the current ABQ operation mode using the command:
zxsuite config global get attribute abqMode
If you use the Interactive or Strict ABQ modes of operation, you will often have to work with the lists of allowed and blocked devices, as well as with the devices in quarantine. Suppose that two devices have connected to our server: one iPhone and one Android, each with its corresponding identification data. Later it turns out that the CEO of the company recently acquired the iPhone and decided to work with mail on it, while the Android belongs to an ordinary manager who, for security reasons, does not have the right to use work mail on a smartphone.
In the case of the Interactive mode, both of them will be in quarantine, from where the administrator will need to move the iPhone to the list of allowed devices and the Android to the list of blocked ones. To do this, he uses the commands
zxsuite mobile ABQ allow iPhone
and
zxsuite mobile ABQ block Android
After that, the CEO will be able to work fully with the mail from his device, while the manager will still have to view it exclusively from a work laptop.
It should be noted that in the Interactive mode, even if the manager enters his username and password correctly on his Android device, he still will not get access to his account. Instead, he will land in a virtual mailbox in which he will receive an alert that his device has been placed in quarantine and that he cannot use mail from it.

In the case of the Strict mode, all new devices will be blocked, and once it becomes clear to whom they belong, the administrator will only have to add the CEO's iPhone to the list of allowed devices using the command
zxsuite mobile ABQ set iPhone Allowed
leaving the manager's phone in the list of blocked devices.
The Permissive mode of operation is poorly compatible with any enterprise security rules. However, if you still need to block one of the allowed mobile devices, for example, if the manager suddenly quits with a scandal, you can do this with the command
zxsuite mobile ABQ set Android Blocked
If the enterprise issues office gadgets to employees for working with mail, then when a device next changes owner it can be completely removed from the ABQ lists, so that the decision on whether to allow it to synchronize with the server is made afresh. This is done using the command
zxsuite mobile ABQ delete Android
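The mode and list behaviour described above can be traced with a small model. This is an added example, not Zextras code: the class and function names are hypothetical, and it assumes that a listed device always follows its list and that Permissive mode does not record unlisted devices.

```python
# Simplified model of the ABQ decision described in the article (not Zextras code).
ALLOWED, BLOCKED, QUARANTINED = "Allowed", "Blocked", "Quarantined"
MODES = ("Permissive", "Interactive", "Strict", "Disabled")


class AbqModel:
    def __init__(self, mode):
        if mode not in MODES:
            raise ValueError(f"unknown abqMode: {mode!r}")
        self.mode = mode
        self.status = {}  # device id -> Allowed / Blocked / Quarantined

    def sync_request(self, device_id):
        """Return True if the device may synchronize; record new devices."""
        if self.mode == "Disabled":
            return True  # ABQ switched off: no list is consulted
        known = self.status.get(device_id)
        if known is not None:
            return known == ALLOWED  # a listed device follows its list
        if self.mode == "Permissive":
            return True  # unlisted devices sync on the first request
        # Unlisted device: Interactive quarantines it, Strict blocks it.
        new = QUARANTINED if self.mode == "Interactive" else BLOCKED
        self.status[device_id] = new
        return False

    def set_status(self, device_id, status):
        """Admin decision, the counterpart of the allow / block / set commands."""
        if status not in (ALLOWED, BLOCKED):
            raise ValueError(f"unsupported status: {status!r}")
        self.status[device_id] = status

    def delete(self, device_id):
        """Forget the device so its next request is evaluated afresh."""
        self.status.pop(device_id, None)


def run_scenario(mode):
    """The CEO's iPhone and the manager's Android from the article's example."""
    abq = AbqModel(mode)
    first = (abq.sync_request("iPhone"), abq.sync_request("Android"))
    recorded = dict(abq.status)          # what ABQ listed on first contact
    abq.set_status("iPhone", ALLOWED)    # administrator's decisions
    abq.set_status("Android", BLOCKED)
    final = (abq.sync_request("iPhone"), abq.sync_request("Android"))
    return first, recorded, final


if __name__ == "__main__":
    for mode in MODES:
        print(mode, run_scenario(mode))
```
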
Thus, as you can see, with the Zextras Mobile extension in Zimbra you can implement a very flexible system for controlling the mobile devices in use, suitable both for enterprises with a fairly strict policy on the use of corporate resources outside the office and for companies that are quite liberal in this respect.