A.05.70 HP Insight Remote Support Advanced and Remote Device Access Security Overview (October 2011, 5900-1735)
two systems. In tunnel mode, IPsec can be used to provide VPN connectivity over insecure networks.
A typical IPsec deployment uses two protocols: either Encapsulating Security Payload (ESP) or
Authentication Header (AH), which are IP protocols, and ISAKMP. Note that AH is seldom used as it
does not provide encryption.
• ISAKMP
Internet Security Association and Key Management Protocol (ISAKMP) is an application-layer IPsec
protocol used for negotiating encryption keys. It is run over UDP port 500.
• SSH
The Secure Shell (SSH) protocol is an application-layer protocol which permits secure remote access
over a network from one computer to another. SSH negotiates and establishes an encrypted, and
authenticated connection between an SSH client and an SSH managed server. SSH provides data
integrity checks, prevents eavesdropping, and modification of sensitive data transferred between the
CMS and managed systems. The default port for SSH is TCP port 22, but it can be configured to run
on other TCP ports.
Although the SSH protocol is typically used to log into a remote machine and execute commands, it
also supports tunneling, forwarding arbitrary TCP ports and X11 connections. It can transfer files using
the associated SFTP or SCP protocols.
The SSH protocol exists in two versions. The original SSH protocol version 1 is somewhat insecure and
should not be used. Its successor, SSH protocol version 2, which is incompatible with SSH protocol
version 1, strengthened security by changing the protocol and adding Diffie-Hellman key exchange
and strong integrity checking via message authentication codes. HP RDA uses SSH protocol version 2
for most connections.
• SSL and TLS
The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are application-layer
protocols which provide data encryption and authentication. TLS is an updated version of SSL V3. SSL
and TLS use X.509 certificates, also known as “digital” certificates, for authentication. Although most
users are accustomed to working only with server certificates, SSL and TLS can be configured to require
client-side certificates which provides password-less two-way authentication. The CMS and managed
systems authenticate one using X.509 certificates. Also, all communications between the client browsers
and the CMS are protected by SSL. The Remote Support Configuration Collector System supports both
SSL V3 and TLS 1.0.These two protocols are most ubiquitous in HTTPS on TCP port 443. Other protocols
and applications also utilize SSL and TLS for security.
3.12.4 Unsecured Communications
HP uses the following unsecure protocols only inside the customer’s internal network HP will not initiate any
external communications between the customer and HP using these protocols.
• HTTP
The Hypertext Transfer Protocol (HTTP) is an application-layer protocol used for exchanging data. Its
most popular usage is for transferring text, graphic images, sound, video, and other multimedia files
to Web browsers. HTTP’s capabilities are also general enough for non-web applications.
• OCSP
The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation
status of an X.509 digital certificate. It is described in RFC 2560. Although the protocol is not encrypted,
the sent information is somewhat anonymous (for example, a certificate serial number) and all responses
are digitally signed. OCSP runs on top of HTTP.
3.12.5 Security Auditing
All attended RDA connection attempts from HP to customers are logged. The acting user, start and stop times
of the connection, and the connection status are logged. The connection status will indicate failures such as
improper authentication and authorization. This tracking information is retained for 13 months.
48 Remote Device Access (RDA)