A.05.70 HP Insight Remote Support Advanced and Remote Device Access Security Overview (October 2011, 5900-1735)
Figure 3-3 Remote Access Connection System Details
A Remote Access Connection System (RACS) is an SSH server that can forward an SSH connection to an
appropriate CAS. When the HP support specialist connects and is authenticated to the RACS, the SSH server
on the RACS checks the security token issued by the RAP to ensure that the support specialist is allowed to
connect to the customer's IP address. Upon successful authorization, the RACS forwards the SSH connection
to the HP routing device. RACS servers are located in various HP data center locations.
3.6.2 Access control on the customer side
As a primary defense, the customer's firewall can be configured to allow only RACS systems at HP to access
their VPN routers or CAS systems. Although standard passwords can be used, it is recommended to configure SSH
public/private keys instead. Some versions of SSH servers can be configured to use HP's DigitalBadge
certificates for authentication. HP recommends that customers use the HP-provided Virtual CAS, as this provides
enhanced access control capabilities for customers.
One-time password systems, such as RSA's SecurID, can also be used if the customer's SSH server or access
infrastructure supports them.
The CAS itself provides the second layer of defense. Depending on the CAS type, customers can define
named employees, target systems or even ports that HP support specialists are allowed to connect to.
The customer owns the security policies and access control into his/her environment and can specifically
restrict connections to named HP support personnel and can terminate connections as needed.
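The two customer-side layers above (RACS-only sources at the firewall, key-based authentication and named support accounts at the CAS) can be audited from the CAS's own SSH authentication log. The following is an added example, not HP's code or part of this document; the log lines, source network and account names are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample of OpenSSH auth log lines as a CAS might record them.
# Addresses use documentation ranges; account names are placeholders.
SAMPLE_AUTH_LOG = """\
Oct 12 09:01:10 cas1 sshd[4101]: Accepted publickey for hp-jsmith from 198.51.100.10 port 50012 ssh2: RSA SHA256:AAAA
Oct 12 09:03:45 cas1 sshd[4118]: Accepted password for hp-jsmith from 198.51.100.11 port 50044 ssh2
Oct 12 09:05:02 cas1 sshd[4130]: Accepted publickey for hp-rlee from 203.0.113.77 port 40110 ssh2: RSA SHA256:BBBB
Oct 12 09:07:30 cas1 sshd[4142]: Accepted publickey for backup from 198.51.100.10 port 50201 ssh2: RSA SHA256:CCCC
Oct 12 09:09:15 cas1 sshd[4150]: Failed password for invalid user admin from 203.0.113.9 port 33001 ssh2
"""

# Policy inputs (assumed values): the RACS source network the customer's
# firewall allows, and the named HP support accounts the CAS permits.
RACS_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]
NAMED_SUPPORT_USERS = {"hp-jsmith", "hp-rlee"}

# Matches only successful logins; failed attempts are not policy breaches here.
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port"
)


def audit_cas_logins(log_text, racs_sources=RACS_SOURCES, named_users=NAMED_SUPPORT_USERS):
    """Return (user, source, reason) for each accepted login that breaks policy.

    Three checks, one per layer described in the text: the source must be a
    RACS address, the method must be a key rather than a password, and the
    account must be one of the named support users.
    """
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m:
            continue
        user, src, method = m["user"], m["src"], m["method"]
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in racs_sources):
            findings.append((user, src, "source is not a RACS address"))
        if method == "password":
            findings.append((user, src, "password authentication instead of key"))
        if user not in named_users:
            findings.append((user, src, "account is not a named support user"))
    return findings


if __name__ == "__main__":
    for user, src, reason in audit_cas_logins(SAMPLE_AUTH_LOG):
        print(f"{user} from {src}: {reason}")
```

On the constructed sample this reports the password login, the login from a non-RACS address, and the login by an account that is not a named support user.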
The HP support specialist is also subject to the customer's own access control and security policies, in that the
customer must provide login credentials, if needed, for the device that HP connects to. For example, if the HP
support engineer wishes to log on to a UNIX server within a customer network, the customer provides the
logon name and controls what activities the HP support agent can perform. In this way the customer oversees
42 Remote Device Access (RDA)