Connection Manager Security
4/8/2010
Connection Manager supports Dual Homing (connecting to multiple networks at the same time). Dual Homing enables phones to have multiple connections available and active, and provides optimal behavior in these scenarios.
There are many scenarios when a device would attempt to establish multiple types of connections using the Dual Homing feature. Here are a few examples:
- A device has an active General Packet Radio Service (GPRS) connection, and the user walks into an area with Wi-Fi coverage
- A device has an active GPRS connection, and the user docks (cradles) the device and establishes a Desktop Pass-through (DTPT) connection
Dual Homing introduces various security threats, such as the potential for bridging between two networks.
To help prevent bridging between networks and leaking between interfaces, Connection Manager supports connections that are more secure. The configuration service providers for Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management (DM) include the Secure parameter. By using the Secure parameter, you can provision a connection to be more secure. To determine if a connection is more secure, perform an XML query or call the ConnMgrQueryDetailedStatus function. Review the value of the dwSecure flag.
When a Virtual Private Network (VPN) connection is active, Connection Manager generally restricts any new connection to a network other than the one being used by the VPN connection. All traffic is handled by the VPN connection, regardless of the number of active connections, until the VPN connection is disconnected or a specific request to route network traffic to a connection other than the VPN connection occurs. You can call ConnMgrMapConRef to specifically request the routing of network traffic to a connection other than the VPN connection, and the Connection Manager will route traffic accordingly.
The only exception to this behavior is if the newly requested connection has a security level equal to or higher than that of the existing VPN connection. In this case, Connection Manager disables the existing connection and makes the newly requested connection to the network used by the original connection.
Note
You cannot provision a VPN connection or a proxy connection to be more secure. Connecting VPN over an interface modifies the routing table for the interface. The VPN network receives packets not destined for the direct subnet of the interface, which reduces the risk of security attacks.
See Also
Concepts
Security Levels of Connection Types