Apple IOS 7 - Brace for Impact!

Apple IOS 7 is available today (just posted in fact). While the major push for this is support for the new iPhone platforms, we can expect functional and security changes that will affect all iOS platforms, among them:

  • per app licensing
  • per app vpn settings
  • per app encryption keys
  • single sign-on (What could possibly go wrong with this?!)
  • and better MDM (Mobile Device Management) functions - expect upgrades for your corporate MDM platforms sometime real soon, and expect that management will want these applied ASAP!
  • More on these features here - http://www.apple.com/ios/business/


I'm sure several of these new features are worth a story all on their own - stay tuned!

We've all seen the flurry of app updates over the past few weeks, as everyone gets their app ready for the new OS. Before updating, you should check to see that all of your apps will support the new operating system. For instance, I still use Stanza as a reader app for my fiction library. Since it was officially moved to unsupported status by Amazon, I think it's smart for me to (finally) change readers before I upgrade.

This update comes at an interesting time for a couple of my clients. Since going to a BYOD model, they now have thousands of i-devices on their networks, unmanaged and for the most part owned by their users (or their visitors). In most organizations, at just under 1GB the bandwidth overhead for this update shouldn't be an issue, but one client in my list is in that "thousands of Apple devices" list and is also on my "bandwidth constrained" list. I can see this update affecting their business applications, both by stressing their already maxed out WAN and also by adding to their already over-capacity internet uplink. We're changing their QOS to de-prioritize "all things Apple" for today. Once we can characterize what this update looks like on the network, we'll make the ACL more specific to just deprioritize the update traffic. Now that the update is posted, I'll be firing up TCPDUMP and doing just that!

===============
Rob VandenBrink
Metafore

Rob VandenBrink

489 Posts
ISC Handler
Apple just DDoS'ed my network! We went from our average 75% utilization to 100% within an hour of the iOS7 release. The eduCause wireless dlist is full of chatter from .edu's having the same problem. All the students are downloading the update at once. Since they are unmanaged, no server to cache updates, they are all going to the mother ship.
John

88 Posts
From a networking viewpoint, an important modification introduced by Apple on iOS7 is that it uses Multipath TCP for some applications towards Apple servers. Multipath TCP is a recent TCP extension specified in RFC6824 that allows a TCP connection to use several interfaces at the same time. Until now, the main implementation of Multipath TCP has been the implementation from UCLouvain in the Linux kernel available from http://www.multipath-tcp.org

The inclusion of Multipath TCP on iOS7 will likely have an impact on firewalls, IDS, IPS and traffic normalizers that check the validity of the TCP options. You might see something completely new and probably unexpected on your logs. At this stage, it is unclear which firewall/IDS/IPS vendor correctly supports Multipath TCP.

Additional tests are required to understand the use case for Multipath TCP on iOS7 devices.
John
1 Posts
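
The comment above points out that devices validating TCP options will start seeing Multipath TCP. As an added example (not part of the original thread), this Python code walks the options of a raw TCP header and reports any MPTCP subtypes, which is one way to check whether the option survives a middlebox. Option kind 30 and the subtype names are from RFC 6824; the sample headers, ports and key bytes are constructed.

```python
import struct

MPTCP_KIND = 30  # TCP option kind assigned to Multipath TCP (RFC 6824)
MPTCP_SUBTYPES = {0: "MP_CAPABLE", 1: "MP_JOIN", 2: "DSS", 3: "ADD_ADDR",
                  4: "REMOVE_ADDR", 5: "MP_PRIO", 6: "MP_FAIL", 7: "MP_FASTCLOSE"}

def tcp_options(header: bytes):
    """Yield (kind, data) for each option in a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    hdr_len = (header[12] >> 4) * 4          # data offset, in 32-bit words
    if hdr_len < 20 or hdr_len > len(header):
        raise ValueError("bad data offset")
    opts, i = header[20:hdr_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                        # End of Option List
            return
        if kind == 1:                        # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option truncated before its length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length out of bounds")
        yield kind, opts[i + 2:i + length]
        i += length

def mptcp_subtypes(header: bytes):
    """Return the names of the MPTCP subtypes found in the header's options."""
    found = []
    for kind, data in tcp_options(header):
        if kind == MPTCP_KIND and data:
            # The subtype is the high nibble of the first byte after kind/length.
            found.append(MPTCP_SUBTYPES.get(data[0] >> 4, "UNKNOWN"))
    return found

def build_syn(options: bytes) -> bytes:
    """Constructed SYN header (ports, seq, window are sample values)."""
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 49152, 443, 1, 0,
                       offset << 4, 0x02, 65535, 0, 0) + options

MSS = bytes.fromhex("020405b4")                           # MSS 1460
MP_CAPABLE = bytes.fromhex("1e0c0081") + bytes(range(8))  # constructed key
SYN_WITH_MPTCP = build_syn(MSS + MP_CAPABLE)
# Assumption: what the SYN looks like if a middlebox overwrote the option with NOPs.
SYN_STRIPPED = build_syn(MSS + b"\x01" * 12)
```

Comparing the result for the same SYN captured on both sides of a firewall or normalizer shows whether the device passes, strips or rewrites the option.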
