A.05.70 HP Insight Remote Support Advanced and Remote Device Access Security Overview (October 2011, 5900-1735)

TIP: To learn more about HP Insight Remote Support Solutions please visit:
http://h18013.www1.hp.com/products/servers/management/hpsim/index.html.
A CAS may be implemented on any customer-owned system capable of running a compatible SSH server.
HP also offers a virtualized CAS (vCAS) solution that can be used to manage HP access into a customer
environment.
3.4.1.1 Customer-owned CAS
The customer may choose to provide their own CAS. The primary requirement is a functional SSH server
such as OpenSSH. Microsoft Windows, Linux, HP-UX, OpenVMS, and Tru64 UNIX operating systems may
be used. HP recommends that the customer configure SSH to accept only protocol version 2 and strong
encryption, for example AES (128 or better) or Triple DES. Firewalls should also be configured to allow SSH
(version 2) access only from HP’s access servers.
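As an added check that is not part of the HP document, the following script audits an sshd_config fragment against the recommendation above: protocol version 2 only, and only AES (128-bit or better) or Triple DES ciphers. Cipher spellings follow OpenSSH; the two sample fragments are constructed for illustration.

```python
import re

# Cipher names as OpenSSH spells them: AES at 128 bits or better, or Triple DES
# (3des-cbc). Anything else is reported as weak.
STRONG_CIPHER = re.compile(r"^(aes(128|192|256)-(cbc|ctr|gcm@openssh\.com)|3des-cbc)$")


def parse_sshd_config(text):
    """Map each keyword (lower-cased) to its value. As sshd does, the first
    occurrence of a keyword wins; comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def audit_cas_sshd(text):
    """Return a list of findings; an empty list means the fragment meets the
    recommendation (protocol 2 only, strong ciphers only)."""
    conf = parse_sshd_config(text)
    findings = []
    protocol = conf.get("protocol")
    if protocol is None:
        findings.append("Protocol not set; pin it to 2 explicitly")
    elif {p.strip() for p in protocol.split(",")} != {"2"}:
        findings.append("Protocol %s permits SSH-1; set 'Protocol 2'" % protocol)
    ciphers = conf.get("ciphers")
    if ciphers is None:
        findings.append("Ciphers not restricted; server default list applies")
    else:
        weak = [c.strip() for c in ciphers.split(",") if not STRONG_CIPHER.match(c.strip())]
        if weak:
            findings.append("Weak ciphers enabled: %s" % ",".join(weak))
    return findings


# Constructed sample fragments (not taken from the HP document).
WEAK_CONFIG = """
Protocol 2,1
Ciphers aes128-cbc,arcfour,blowfish-cbc
"""

HARDENED_CONFIG = """
Protocol 2
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,3des-cbc
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_cas_sshd(cfg) or ["OK"])
```

OpenSSH 7.0 and later no longer offer SSH-1 on the server side and ignore the Protocol directive, so on a current server only the cipher check still carries weight.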
3.4.1.2 Virtual CAS
The Virtual CAS is provided by HP free of charge for HP RDA customers and is the HP preferred method for
customers using an Entitled Remote Access solution. The Virtual CAS provides enhanced security and
management functionality to restrict access into customer networks. Access restrictions on the vCAS solution
can be easily defined by the customer administrator through a web interface. There are three basic access
control settings:
Open Access: allow access to all HP users
Closed Access: deny access to all HP users
White List: allow or deny access to specific users
The HP vCAS solution can assign specific access rules to HP users. These rules can restrict users to specific
devices (and services) based on the rules defined in the vCAS admin interface. It is a software-only solution
based on a VMware image of a virtual machine running Ubuntu Server. Virtual CAS features include:
Runs on VMware Server ESX or ESXi. Can also run on VMware Server (available from VMware at no cost for Microsoft Windows or Linux).
Can run as a VM Guest on a virtualized Central Management Server (CMS) or Hosting Device.
Based on open source software.
An easy to use administration web interface.
Implements SSH authentication using HP issued X.509 certificates.
The authentication is compatible with HP’s VeriSign-administered internal PKI (known internally as HP DigitalBadge).
CRL access is available either via file or Online Certificate Status Protocol (OCSP).
Fine-granularity access control: customers can specify user-level access to targets, including TCP ports.
Easy-to-use software update mechanism based on apt-get. The virtual CAS will poll HP for software updates and security patches. The customer has full control over how and when these updates may be applied to the Virtual CAS.
Can be used with SSH-Direct, hpVPN, or CorVPN solutions.
3.4 Unattended RDA Using SSH 39