Knox White Paper
Virtual Private Networks (VPN)
Standard Android comes with basic VPN abilities that are adequate for most consumers. But many enterprises need better security and more flexible VPN controls for larger deployments. The Knox VPN framework includes the most advanced enterprise-focused feature set, which ensures that VPN connections are efficient, reliable, secure, and compliant with industry regulations and best practices. The Knox Platform VPN framework allows the integration of third-party VPN clients in addition to the built-in VPN client.
Unique advantages of Knox VPN framework
The Knox Platform VPN framework supports all common VPN types, protocols, and configuration options. When deploying VPN solutions, enterprise IT admins must ensure VPN deployments work smoothly, don't waste server resources, limit the VPN solution licensing costs, and enforce strict security policies that prevent data leakage.
[Figure omitted: an example showing how Knox on-demand VPNs save cost.]
The Knox Platform provides the following differentiating VPN features and advantages:
- The flexibility to use a VPN tunnel for the entire device or a single app only.
- The cost saving benefit of using VPN tunnels on-demand, only when apps in a VPN profile are running.
- The convenience to bypass VPN tunnels when a device is on-premise in a local corporate network.
- The strict coverage of corner cases to prevent data leakage outside of VPN tunnels, even during a device boot.
- The ability to connect multiple tunnels simultaneously.
- The extra security of chaining VPNs (also known as cascading or nesting VPNs) for greater anonymity, for example, in classified deployments.
- The power of configuring web proxies over VPN:
  - Web proxy configurations are tunnel-specific.
  - Web proxy support for NTLM authentication, basic authentication, PAC, and PAC with authentication.
- The ability to configure SSL/IPsec VPN profiles on multiple devices.
The following Knox VPN features are also available, but are dependent on the VPN client:
- QoS or traffic tracking and shaping. The Knox VPN framework can inform the VPN client when any installed apps generate any traffic.
- Automatic reconnection of VPN tunnels when the server side disconnects. Server-side disconnections are more difficult to detect and handle than device-side disconnections, which are usually related to detectable conditions like loss of connectivity or the presence of new network connections, such as a new Wi-Fi connection.
Robust handling of enterprise requirements
Regardless of the features you choose, the VPN should act predictably even when the unexpected occurs. The following are some common scenarios where Knox Platform enhancements ensure proper VPN behavior:
- Downloads made through the Android Download Manager are routed through the VPN tunnel tied to the app that requested the download.
- VPN tunnels handle system events such as power saving mode entry or exit, package addition or removal, connectivity changes, and admin app changes.
- VPN profiles can specify which non-present apps must also use a VPN tunnel if they are ever installed.
- Even the free, built-in VPN client supports all the advanced VPN features listed in the previous list items.
- Robust blocking rules prevent data from leaking outside the tunnel. Common gaps in coverage that Knox Platform VPNs correctly handle include:
  - A VPN client crash or other client app issues
  - A tunnel that has not yet been established, for example, during boot
  - A VPN client that is unable to connect to a VPN server
  - A blocking proxy port
  - A captive portal that must be handled before the VPN tunnel is established
High-security built-in VPN client
The built-in Android VPN client on Samsung devices (based on strongSwan) is available on all Samsung devices and is also integrated with the Knox Platform VPN framework, so it gains the extra properties the Knox platform provides. Even without the Knox VPN framework, the built-in VPN client is differentiated from what stock Android offers, providing these advanced VPN features:
- FIPS 140-2 certified device cryptography components
- CPA certification at the Foundation grade, based on its successful Common Criteria evaluation against the Protection Profile for IPsec VPN Clients v1.4
- Security characteristics of IPsec VPN client version 2.5, as set by the NCSC
- Internet Key Exchange (IKEv1 and IKEv2) and Suite B algorithms:
  - IKEv1 as specified in the IPsec IETF RFCs
  - IKEv1 – Main and aggressive IKE exchange modes with pre-shared key, certificate, Hybrid RSA, and EAP-MD5 authentication
  - IKEv2 with PSK and certificate-based authentication
  - IKEv2 – Pre-shared key, certificate, EAP-MD5 and EAP-MSCHAPv2 authentication methods, and mobile extensions
  - Triple DES (56/168-bit) and AES (128/256-bit) encryption with MD5 or SHA integrity
  - IKEv1 Suite B cryptography supported with PSK and ECDSA signature-based authentication
  - IKEv2 Suite B cryptography supported with ECDSA signatures
- The ability to enable audit logs for non-native VPN clients so they can meet NIAP security requirements.
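As an added example (not from the white paper or from Samsung), the following audit classifies a profile's IKE settings against the option set listed above, separating the Suite B and IKEv2 choices an admin should prefer from the legacy ones (IKEv1 aggressive mode, PSK or EAP-MD5 authentication, Triple DES, MD5) that the client also accepts. The profile dictionaries are a constructed representation for illustration, not the Knox VPN profile format.

```python
"""Audit a VPN profile's IKE/IPsec choices against the supported option set.

A finding list that is empty means the profile uses only the stronger
options (IKEv2, certificate/ECDSA auth, AES, SHA-2). Constructed example;
the dictionary layout is an assumption, not Knox's profile schema.
"""
from typing import Dict, List, Optional

# Constructed legacy profile: everything the client accepts but an admin
# should avoid for new deployments.
LEGACY_PROFILE: Dict[str, Optional[object]] = {
    "ike_version": 1,
    "exchange_mode": "aggressive",   # IKEv1 only: "main" or "aggressive"
    "auth": "psk",                   # psk | eap-md5 | eap-mschapv2 | cert | ecdsa
    "encryption": "3des",
    "integrity": "md5",
}

# Constructed Suite B profile: IKEv2, ECDSA signatures, AES-256, SHA-256.
SUITE_B_PROFILE: Dict[str, Optional[object]] = {
    "ike_version": 2,
    "exchange_mode": None,           # IKEv2 has no main/aggressive split
    "auth": "ecdsa",
    "encryption": "aes256",
    "integrity": "sha256",
}


def audit_profile(profile: Dict[str, Optional[object]]) -> List[str]:
    """Return one finding per legacy setting found in the profile."""
    findings: List[str] = []
    if profile.get("ike_version") == 1:
        findings.append("IKEv1 in use; prefer IKEv2")
        if profile.get("exchange_mode") == "aggressive":
            findings.append("IKEv1 aggressive mode; use main mode or IKEv2")
    if profile.get("auth") in ("psk", "eap-md5"):
        findings.append(f"{profile['auth']} authentication; "
                        "prefer certificate or ECDSA authentication")
    if profile.get("encryption") == "3des":
        findings.append("Triple DES encryption; prefer AES-128 or AES-256")
    if profile.get("integrity") in ("md5", "sha1"):
        findings.append(f"{profile['integrity']} integrity; "
                        "prefer SHA-256 or stronger")
    return findings


def is_suite_b_ready(profile: Dict[str, Optional[object]]) -> bool:
    """True when the audit raises no findings."""
    return not audit_profile(profile)
```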