A.05.70 HP Insight Remote Support Advanced and Remote Device Access Security Overview (October 2011, 5900-1735)
with other HP entities and business partners who are providing the services described in the Remote Support
Documentation and who might be located in other countries. Suppliers and service providers are required
to keep confidential the information received on behalf of HP and may not use it for any purpose other than
to carry out the services they are performing for HP. Our privacy practices are designed to provide protection
for your personal information, all over the world. See the HP Worldwide Privacy Statement at http://
welcome.hp.com/country/us/en/privacy/worldwide_privacy.html.
3.12 Remote Device Access Security Details
3.12.1 Outbound Security
All HP RDA Solutions are designed to be used for inbound access from HP to customer networks. All RDA
Solutions, with the exception of the Virutal CAS, do not initiate outbound connections without direct user
interaction. Confidentiality for outbound connections is provided by the connection service (SSL over HTTPS,
SSH, IPSec etc). Authentication mechanisms can vary from solution to solution, but all solutions are designed
to insure the privacy and security of all parties. The Virtual Customer Access System (vCAS) initiates outbound
connections to VeriSign.com to validate certificates, using either OCSP to check the CRL status of an individual
certificate, or HTTP to periodically fetch the entire CRL for the HP Class 2 Certification Authority. The Virtual
CAS also periodically connects to the HP repository server using HTTPS to check for and fetch software
updates.
3.12.2 Inbound Security
Remote device access requires an inbound connection from HP to a customer-designated access server. HP
understands that IT security policies within organizations vary considerably. Therefore, HP offers a number
of remote access solutions (depending on the service level agreement) designed to meet customer’s security
requirements. All of HP solutions use standard techniques that include SSH, IPsec, and HTTPS. HP offers both
hardware and software solutions which can be configured to ensure that the customer is always in control
of the connection. HP also has options that allow the customer to view and monitor a support specialist’s
activities.
All HP support specialists must adhere to the same standards of business conduct as onsite HP engineers,
and are only allowed to initiate a connection with the customer’s approval and a valid business need. Access
restrictions can be placed on specific connection profiles to limit HP's access to a subset of support personnel.
Access restrictions can be restricted by region and/or country. It can also be restricted to HP support personnel
for a specific product platform. Access controls can also be restricted to specific HP personnel. Access
controls can be enforced both at HP (before the connection is initiated) and again at the CAS (see the vCAS
solution). This model insures that both the HP Account Manager and the customer administrator can control
HP access to the customer network. Internally, HP uses two-factor authentication to control access through
the HP Remote Access Connectivity (RACS). Additionally, all connections, attempted and successful, to
customer systems are logged.
3.12.3 Secured Communication
These protocols are used either inside the customer’s intranet or over the Internet between the customer and
HP.
• ESP
Encapsulating Security Payload (ESP), or IP protocol 50, is a protocol header inserted into an IP datagram
to provide data encryption and authentication. Remote Device Access uses ESP in tunnel mode to
establish VPN connectivity.
• HTTPS
HTTPS is HTTP with SSL or TLS encryption for security. All communications between the browser and
the remote data collection system are carried out over HTTPS. HTTPS is also used for the marshalling
and transfer of collected device data between the CMS and the managed systems. The default port for
HTTPS is TCP port 443, but it can be configured to run on other TCP ports.
• IPsec
IP Security, or IPsec, is a suite of protocols for securing IP communications. IPsec operates in two modes.
In transport mode it can be configured to provide end-to-end security of all communications between
3.12 Remote Device Access Security Details 47