A.05.70 HP Insight Remote Support Advanced and Remote Device Access Security Overview (October 2011, 5900-1735)
constrained by a unique customer identifier . This insures that information is only available to authorized
(and authenticated) users.
Data is kept for varying lengths of time: Mission Critical server data is kept for 6 months, warranty data is
kept for 1 week, SAN configuration information and event data is kept for 6 months. Hardware event details
are kept for 6 months.
2.4.3 Data Privacy
HP respects customer privacy and is committed to ensuring that all customer information is protected. The
personal information provided in the HP SIM and Insight Remote Support Advanced user interface and any
data collected by this tool or other associated tools and utilities will not be shared with third parties. It may
be shared with other HP entities or authorized support providers who provide support services described in
the Insight Remote Support documentation and who may be located in other countries. HP entities and
authorized support providers are required to keep confidential the information received on behalf of HP and
may not use it for any purpose other than to carry out the services they are performing for HP. Our privacy
practices are designed to provide protection for your personal information, all over the world. See the HP
Worldwide Privacy Statement at http://welcome.hp.com/country/us/en/privacy/worldwide_privacy.html.
2.5 Communication Protocols
2.5.1 Secured Communication
These protocols are used either inside the customer’s intranet or over the Internet between the customer and
HP:
• ESP
Encapsulating Security Payload (ESP), or IP protocol 50, is a protocol header inserted into an IP datagram
to provide data encryption and authentication. Remote Device Access uses ESP in tunnel mode to
establish VPN connectivity.
• HTTPS
HTTPS is HTTP with SSL or TLS encryption for security. All communications between the Central
Management Server and the HP Remote Support Data Center are carried out over HTTPS. HTTPS is
also used for the marshalling and transfer of collected device data between the CMS and the managed
systems. HTTPS typically uses TCP port 443, but other services, like STE and WEBES, may specify a
different port number for HTTPS communications.
• IPsec
IP Security, or IPsec, is a suite of protocols for securing IP communications. IPsec operates in two modes.
In transport mode it can be configured to provide end-to-end security of all communications between
two systems. In tunnel mode, IPsec can be used to provide VPN connectivity over insecure networks.
A typical IPsec deployment uses two protocols: either Encapsulating Security Payload (ESP) or
Authentication Header (AH), which are IP protocols, and ISAKMP. Note that AH is seldom used as it
does not provide encryption.
• ISAKMP
The Internet Security Association and Key Management Protocol (ISAKMP) is an application layer
protocol that defines the procedures for authenticating a communicating peer, creation and management
of Security Associations, key generation techniques, and threat mitigation.
• Secure Task Execution and Single Login
Secure Task Execution (STE) is a mechanism for securely executing a command against a managed
system using the Web agents. It provides authentication, authorization, privacy, and integrity in a single
request. Single Login provides the same features but is performed when browsing a system. Secure
Task Execution and Single Login are implemented in very similar ways.
SSL is used for all communication during the STE and Single Login exchange. A single-use value is
requested from the system prior to issuing the STE or Single Login request to help prevent against replay
or delay intercept attacks. After request validation, HP Systems Insight Manager issues the digitally
signed Secure Task Execution or Single Login request. The managed system uses the digital signature
2.5 Communication Protocols 19