A.05.70 HP Insight Remote Support Advanced and Remote Device Access Security Overview (October 2011, 5900-1735)
NOTE: The ISDN Connectivity option is not available in all countries.
Most of the Entitled Remote Access solutions leverage the end-to-end encryption and application tunneling
capabilities of SSHv2. While using SSHv2 is strongly recommended, some versions of Entitled Remote Access
can be configured without SSHv2. Not using SSHv2 can lower the security profile and limit the functionality
of the RDA solution.
3.3 Service Value
The RDA solution gives HP customers a level of information security compliance that allows them to meet
most government and industry regulations. Authentication, access control and secure communications conform
to industry best practices.
3.3.1 Authentication
Customers can verify that they are securely connected to HP support specialists. Only authorized HP support
specialists, authenticated with digital certificates, are able to establish connections.
3.3.2 Access Control Overview
HP customers using RDA have full control of all incoming connections. Authorization and access restrictions
can be configured to meet the requirements of most IT network security policies. For unattended RDA, audit
trails are stored in audit log files.
3.3.3 Secure Communications
All HP RDA communication options use strong encryption and two-factor authentication to ensure that every
remote access connection is secured. A multi-layer security approach ensures the confidentiality, integrity
and availability of every connection, so that HP customers and HP Support can use RDA with confidence.
3.4 Unattended RDA Using SSH
All unattended RDA solutions rely on an SSH (SSH-2 protocol) tunnel running between the support specialist's
desktop and a designated Customer Access System (CAS) deployed either in the customer DMZ or on a
trusted network.
An SSH server is required on the customer network, acting as a so-called customer access system (see CAS
below). An SSH client is used to establish connections to an SSH server that accepts remote connections.
SSH servers are available on most modern operating systems, including Microsoft Windows, Mac OS X, Linux,
FreeBSD, HP-UX, Tru64 UNIX, and OpenVMS. Proprietary, freeware and open source versions with various
levels of complexity and functionality exist.
Most SSH implementations can be configured to comply with customers’ security policies. For example:
• The protocol can be limited to SSH-2 only.
• Selection of the encryption algorithm (3DES, AES, AES-256, etc.).
• Allow only public/private key authentication (disallow password authentication).
• Use SecurID and other token-based authentication methods.
Additionally, some implementations support the use of X.509 certificates (HP's certificate is known as the HP
DigitalBadge) and two-factor authentication.
3.4.1 Customer Access System (CAS)
Customer Access Systems (CASs) are required for all unattended RDA methods. By hosting the SSH server,
the CAS provides a central access point through which customers control remote access into their environment.
Customers configure the login of each HP user individually, allowing or denying specific services or access to
specific computers within their network. The HP SIM Central Management Server (CMS) or the Hosting
Device used by the HP Insight Remote Support Solution can also function as a CAS.
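The following is an added example, not configuration from the HP document or from any HP product: it shows the SSH server hardening listed above (SSH-2 only, AES only, key-based authentication only) written as an OpenSSH sshd_config fragment for a CAS, with a Match block that restricts one HP login to specific target systems, beside a deliberately weak configuration, and a small audit function that flags the weak settings. The HP user name hp-support1, the target addresses 10.1.2.10 and 10.1.2.11, and the ports are assumed values.

```shell
#!/bin/sh
# Added example (not part of the HP document): a hardened sshd_config fragment of
# the kind a CAS would run, a deliberately weak one beside it, and an audit
# function that flags the weak settings. The HP login "hp-support1", the host
# addresses and the ports are assumed values.

# Hardened CAS configuration: SSH-2 only, AES only, key authentication only,
# forwarding off by default, and a Match block that lets one HP login tunnel
# only to two managed hosts (SSH on one, RDP on the other).
cas_sshd_config() {
    cat <<'EOF'
Protocol 2
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowTcpForwarding no
Match User hp-support1
    AllowTcpForwarding yes
    PermitOpen 10.1.2.10:22 10.1.2.11:3389
    X11Forwarding no
    PermitTTY no
EOF
}

# The same server before hardening: SSH-1 still offered, passwords accepted,
# a legacy cipher enabled, root login allowed (constructed sample).
weak_sshd_config() {
    cat <<'EOF'
Protocol 2,1
PasswordAuthentication yes
Ciphers 3des-cbc,aes128-cbc
PermitRootLogin yes
EOF
}

# Read an sshd_config on stdin, print one "WEAK:" line per bad setting,
# and return 0 if nothing was flagged, 1 otherwise.
audit_sshd_config() {
    weak=0
    while read -r key val; do
        case "$key" in
            ''|'#'*) continue ;;
        esac
        k=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case "$k" in
            protocol)
                case ",$val," in
                    *,1,*) echo "WEAK: Protocol offers SSH-1 ($val)"; weak=1 ;;
                esac ;;
            passwordauthentication)
                if [ "$val" = "yes" ]; then
                    echo "WEAK: PasswordAuthentication yes"; weak=1
                fi ;;
            ciphers)
                case "$val" in
                    *3des*|*arcfour*|*blowfish*)
                        echo "WEAK: legacy cipher in Ciphers ($val)"; weak=1 ;;
                esac ;;
            permitrootlogin)
                if [ "$val" = "yes" ]; then
                    echo "WEAK: PermitRootLogin yes"; weak=1
                fi ;;
        esac
    done
    return $weak
}

# Stand-alone run: audit both configurations.
echo "== hardened CAS config =="
cas_sshd_config | audit_sshd_config && echo "clean"
echo "== weak config =="
weak_sshd_config | audit_sshd_config || echo "weak settings flagged"
```

On a real CAS, write the hardened fragment to a file and validate it with `sshd -t -f <file>` before reloading. The Match block is the per-user control the CAS section describes: the customer decides, login by login, which internal hosts and services an HP specialist may tunnel to, and everything else is refused by the global `AllowTcpForwarding no`. Current OpenSSH releases no longer implement SSH-1 on the server side, so the `Protocol` line only matters on the older servers contemporary with this document; the other directives remain valid.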