Technical white paper Insight Remote Support Security White Paper Version 7.0.
Related Documents: Insight Remote Support 7.0.8 Release Notes; Quick Installation Guide; Installation and Configuration Guide; Managed Devices Configuration Guide.

This document describes the security aspects of the HP Insight Remote Support solution and its components, including the security features and capabilities of the solution.

Overview
Today's IT department plays a central role in meeting business objectives.

Insight Remote Support - Onsite
Insight Remote Support is a suite of support applications and services used to enhance the support experience by automating routine support tasks. Insight Remote Support does this in three ways.

Remote Device Monitoring (RDM)
RDM monitors supported devices in your environment by listening for event messages from the local diagnostic monitors.

Insight Remote Support - Communications
There are several communication methods used in Insight Remote Support. These include: Device Discovery, Event Management, Data Collection, Data sent to HP, Data Management at HP, and accessing data using Insight Online.

Insight Remote Support User Interface
The Insight RS Console allows a system administrator to view configuration details about devices in their enterprise. User access to the Insight RS Console is controlled by the Windows account settings.
Email Adapter Insight Remote Support can notify the (default and backup) device contacts via email when certain events occur. Email notification can be configured in the Integration Adapters tab in Administrative Settings menu of the Insight RS Console.
Protocol | Port | Source | Destination
HTTP* | TCP/80 | Hosting Device | Monitored Device
HTTPS | TCP/443 | Hosting Device | Monitored Device
P4000 CLI | TCP/5989 | Hosting Device | Monitored Device
P6000 CV | TCP/2372 | Hosting Device | Monitored Device
RIBCL | TCP/443 | Hosting Device | Monitored iLO Device
SNMPv1* | UDP/161 | Hosting Device | Monitored Device
SNMPv2* | UDP/161 | Hosting Device | Monitored Device
SSH | TCP/22 | Hosting Device | Monitored Device
Telnet* | TCP/2372 | Hosting Device | Monitored Network Device
WBEM | TCP/5989 | Hosting Device | Monitored Device
transparently to the user because DCOM handles this function. Thus, the user can access and share information without needing to know where the application components are located. If the client and server components of an application are located on the same computer, DCOM can be used to transfer information between processes. ELMC The Event Log Monitoring Collector (ELMC) is a proprietary management service included with Insight Remote Support.
The Online Certificate Status Protocol (OCSP) [RFC2560] defines a protocol for obtaining certificate status information from an online service. An OCSP responder may or may not be issued an OCSP responder certificate by the certification authority (CA) that issued the certificate whose status is being queried. An OCSP responder may provide pre-signed OCSP responses or may sign responses when queried.
The SSH protocol exists in two versions. Several security vulnerabilities have been identified in the original SSH protocol version 1; it should therefore be considered insecure and should not be used in a secure environment. Its successor, SSH protocol version 2, strengthened security by changing the protocol and adding Diffie-Hellman key exchange and strong integrity checking via message authentication codes. HP RDC and HP RDA use SSH protocol version 2 for most connections.
Insight Remote Support
HP Insight Remote Support version 7.0.8 stores information in specific locations on the Hosting Device. Permissions on these directories are set to deny access to all users except Hosting Device System Administrators and the Windows System account. The Installer can change the default locations for these directories during installation.
Collection | Schedule | Retention
ServerBasicConfigurationCollection | Monthly | 2 | 3
StorageConfigurationCollection | Weekly | 2 | 3
SupportDataCollection | RunNow Only | 1 | N/A
vCenterApplicationDataCollection | Weekly | 1 | 2
Table 3: Data Collection Retention Default Schedule

Logging
The Hosting Device keeps a record of Insight Remote Support activities in the following (default) location: Log Data: C:\ProgramData\HP\RS\LOG\{Log_Name}.
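A check for the permission model described above, added here as an example and not part of the HP white paper: it audits the ACL of the Insight RS data directories on the Hosting Device and reports any Allow entry that belongs to anyone other than the local Administrators group or the System account. It assumes the default log directory C:\ProgramData\HP\RS\LOG from this document (pass the relocated paths if the Installer changed them) and that "Hosting Device System Administrators" maps to BUILTIN\Administrators.

```powershell
# Added example (not from the HP white paper): audit the ACL on the Insight RS
# data directories on the Hosting Device. The paper states these directories
# should be accessible only to Hosting Device System Administrators and the
# Windows System account; any other Allow entry is reported.
# Assumptions: the default directory C:\ProgramData\HP\RS\LOG; the System
# Administrators group is BUILTIN\Administrators.
param(
    [string[]]$Paths = @('C:\ProgramData\HP\RS\LOG')
)

$allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

foreach ($path in $Paths) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not found: $path"
        continue
    }
    $acl = Get-Acl -LiteralPath $path

    # Inherited entries from C:\ProgramData are the usual way unexpected
    # identities (for example BUILTIN\Users) end up with access.
    if (-not $acl.AreAccessRulesProtected) {
        Write-Warning "${path}: inherits access rules from its parent directory"
    }

    $unexpected = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $allowed -notcontains $_.IdentityReference.Value
    }

    if ($unexpected) {
        Write-Warning "${path}: grants access beyond Administrators and SYSTEM"
        $unexpected |
            Select-Object IdentityReference, FileSystemRights, IsInherited |
            Format-Table -AutoSize
    } else {
        Write-Output "${path}: only Administrators and SYSTEM hold Allow entries"
    }
}
```

Run it from an elevated prompt on the Hosting Device; an inherited entry for BUILTIN\Users is the finding to expect when inheritance was never broken on a relocated directory.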
have the option to specify your HP authorized reseller(s) or support provider(s) during setup of HP Insight Remote Support software. Only the HP authorized resellers and support providers you associate with your devices can receive your configuration data to individually contact you for making IT environment recommendations, sell, or deliver solutions.
Insight Remote Support at HP HP Data Centers All customer data received by HP is treated as “HP Confidential” and treated in accordance with HP’s Data Handling guidelines for HP Confidential information. Customer data is stored in one of six HP Global IT Next Generation Data Centers (NGDC) — two each in the geographical zones of Austin, Texas; Houston, Texas; and Atlanta, Georgia — that have site-to-site and zone-to-zone business continuity and disaster recovery capabilities.
Note: The RSDC servers support Global Server Load Balancing (GSLB) and Site-to-Site failover, but have not implemented Zone-to-Zone failover.
Figure 4: Configuration Collection Data Flow at HP (onsite collection data enters the HP business logic infrastructure for collection data processing and filtering; a device registration check routes it through data orchestration to the HP corporate databases, the HP Support Center DB and the Support Automation DB, and, where modeling is supported, to the Raw Data and Model Reporting DB).

Collection Processing
Collection data, like event data, is parsed to obtain the device GDID and entitlement information.
HP Insight Online HP Support Center HP Insight Online is a new capability with Insight Remote Support version 7.0. It is a cloud-based IT Management and support solution. HP Insight Online lets you provision, monitor, and remotely support devices in your enterprise from a single online portal. Data collected from your devices can be viewed online using HP Support Center.
Remote Device Access (RDA)
HP offers several options for establishing a secure connection between HP and your network, allowing an HP support specialist—with your authorization—to remotely access your monitored systems and devices. Using HP RDA, an HP support specialist can log in to your system, observing normal security processes and procedures in order to provide remote hardware or software support for faster resolution of problems.
Authentication Customers can identify that they are securely connected to HP support specialists. Only authorized HP support specialists are able to establish connections, authenticated with digital certificates. Access Control Overview HP customers using RDA have full control of all incoming connections. Authorization and access restrictions can be configured to meet the customer’s own security needs. For unattended RDA, audit trails are stored in audit log files.
Virtual CAS
The Virtual CAS is provided by HP for free and is the HP preferred method for customers installing CAS functionality within their network. The Virtual CAS provides enhanced security and management functionality. It is a software-only solution based on a VMware image of a virtual machine running Ubuntu Server. Virtual CAS features include:
Runs on VMware Server, ESX, ESXi or Oracle VM VirtualBox
It can run on the Hosting Device of the HP Insight Remote Support 7.
connections together creating an end-to-end SSH tunnel between the HP Support engineer desktop and the iCAS host.
RDA Access Controls Access Controls at HP HP manages all remote access customers in an internal portal called Remote Access Portal (RAP). Customer information and their connection data are centrally and securely managed via this central portal. Each customer can be associated with individual access rights so that narrow access permissions for this customer can be enforced, matching your security and access permission needs.
security token issued by the RAP to ensure that the support specialist is allowed to connect to the customer's IP address. Upon successful authorization, the RACS will forward the SSH connection to the HP routing device. RACS servers are located in various HP data center locations.

Access Controls Onsite
For a primary defense, the customer external firewall can be configured to allow only RACS systems at HP to access their VPN devices and/or CAS.

Figure 8: SSH Direct (the HP Support Specialist Workstation connects through the Remote Access Connection System and the HP Firewall, across the Internet and the Customer Firewall, which admits only TCP/22 (SSH) inbound, to the Customer Access Server; application traffic is tunneled inside SSH from HP to the CAS and leaves the CAS as raw, application-specific traffic to the customer target systems or devices).

Connectivity Methods for VPN Solutions
Many customers' security policies require that a

Figure: IPSec VPN (an SSH tunnel and an IPSec tunnel between HP and the customer carry SSH-tunneled application traffic such as Telnet, VNC, RDP and PCAnywhere from the HP Support Specialist, which continues as raw application traffic to the customer target systems or devices).
IPSec VPN
With IPSec VPN, HP establishes an IPSec VPN with a customer-managed VPN device. HP's RDA VPN routers are successfully interoperating with ProCurve, Cisco IOS, Cisco PIX, Check Point, Juniper, Linux and other IPSec VPN-capable devices at customer sites. IPSec VPN connections can be configured according to a customer's unique configuration requirements.
The HP support specialist will generate room keys for the Virtual Support Room and share those keys via unencrypted email or phone with the customer. The keys are required to enter the Virtual Support Room. The room keys are valid for one hour and must be re-generated after that time. Joining a VSR session is a single mouse click action. A customer does not need more than a web browser, connecting via HTTPS to the HP Virtual Support Rooms infrastructure.
over the world. See the HP Worldwide Privacy Statement at: http://welcome.hp.com/country/us/en/privacy/worldwide_privacy.html. Outbound Security All HP RDA Solutions are designed to be used for inbound access from HP to customer networks. All RDA solutions, with the exception of the Virtual CAS, do not initiate outbound connections without direct user interaction. Confidentiality for outbound connections is provided by the connection service (SSL over HTTPS, SSH, IPSec etc).
GLOSSARY
Terms
API: Application Programming Interface
DCOM: Distributed Component Object Model
EDW: Enterprise Data Warehouse
ELMC: Event Log Monitoring Collector
ESP: Encapsulating Security Payload
GDID: Global Support Identifier
GUI: Graphical User Interface (same as UI)
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol Secure
IKEv2: Internet Key Exchange version 2
IP: Internet Protocol
IPSEC: Internet Protocol Security
LAN: Local Area Network
OCSP: Online Certificate Status Protocol
Appendix A: Summary of Network Ports for Standard Operating System Connectivity The following tables summarize all ports that might be used in Insight Remote Support Hosting Device Operating System Connectivity. The following ports are required for basic system operation. A.1 Standard Operating System Network Ports Table A.
Appendix B: Summary of Network Ports for Servers The following tables summarize all ports that might be used in Insight Remote Support for Servers. See Table A-1 for ports that are required for basic system operation. B.1 Hosting Device Table B.
B.3 Integrity Linux Monitored Systems
Table B.3 Integrity Linux Connectivity - Firewall/Port Requirements
Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 5989 | Hosting Device | Monitored Systems | Secured WBEM CI-MOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM end point nodes. | Yes | Required
TCP | 7905 | Monitored Systems | Hosting Device | Secure HTTP (HTTPS) port used by the listener running in the Director's Web Interface. | |

B.4 Integrity Windows Server 2003 Monitored Systems
Table B.4 Integrity Windows Server 2003 Connectivity - Firewall/Port Requirements
Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | | | Monitored Systems | Secured WBEM CI-MOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM end point nodes. | Yes | Required
| | Hosting Device | Monitored Systems | The Insight-RS ELMC (formerly WCCProxy) process communicates with the Director on this port. This is a proprietary protocol. | |

B.5 Integrity Windows Server 2008 Monitored Systems
Table B.5 Integrity Windows Server 2008 Connectivity - Firewall/Port Requirements
Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 5989 | Hosting Device | Monitored Systems | Secured WBEM CI-MOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM end point nodes. | Yes | Required
TCP | 135 | Monitored Systems | Hosting Device | DCE endpoint resolution. | |

B.6 OpenVMS Integrity Monitored Systems
Table B.6 OpenVMS Integrity Connectivity - Firewall/Port Requirements
Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | | | Monitored Systems | Secured WBEM CI-MOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM end point nodes. | Yes | Required
| | Monitored Systems | | The Insight-RS ELMC (formerly WCCProxy) process communicates with the Director on this port. This is a proprietary protocol. Any connections that exchange username and passwords use SSL. | No |

B.8 ProLiant Citrix Monitored Systems
Table B.8 ProLiant Citrix Connectivity - Firewall/Port Requirements
Protocol | Ports | Source | Destination | Function | Configurable | Optional
UDP | 161 | Hosting Device | Monitored Systems | SNMP. This is the standard port used by SNMP agents on monitored systems. The Hosting Device sends requests to devices on this port. | No |

B.11 ProLiant Microsoft Hyper-V Monitored Systems
Table B.11 ProLiant Microsoft Hyper-V Connectivity - Firewall/Port Requirements
Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 5989 | Hosting Device | Monitored Systems | Secured WBEM CI-MOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM end point nodes. | Yes |
| | | | SNMP. This is the standard port used by SNMP agents on monitored systems. The Hosting Device sends requests to devices on this port. | |

B.12 ProLiant VMWare ESX Monitored Systems
Table B.12 ProLiant VMWare ESX Connectivity - Firewall/Port Requirements
Protocol | Ports | Source | Destination | Function | Configurable | Optional
UDP | 161 | Hosting Device | Monitored Systems | SNMP. This is the standard port used by SNMP agents on monitored systems. The Hosting Device sends requests to devices on this port. | No |
UDP | 162 | Monitored Systems | Hosting Device | SNMP Trap. This is the standard port used by SNMP managers for listening to traps. | No |

B.14 ProLiant Windows Server 2003 Monitored Systems
Table B.14 ProLiant Windows Server 2003 Connectivity - Firewall/Port Requirements
Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 5989 | Hosting Device | Monitored Systems | Secured WBEM CI-MOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM end point nodes. | Yes | Required
TCP | 135 | Monitored Systems | Hosting Device | DCE endpoint resolution. | |

B.15 ProLiant Windows Server 2008 Monitored Systems
Table B.15 ProLiant Windows Server 2008 Connectivity - Firewall/Port Requirements
Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | | Hosting Device | Monitored Systems | Secured WBEM CI-MOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM end point nodes. | Yes | Required
| | | | SNMP. This is the standard port used by SNMP agents on monitored systems. The Hosting Device sends requests to devices on this port. | |
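A least-privilege rule set for the inbound rows of the Appendix B tables, added here as an example and not taken from the HP white paper: it scopes the Windows Firewall on the Hosting Device so that TCP 135 (DCE endpoint resolution), TCP 7905 (Director HTTPS listener) and UDP 162 (SNMP traps) are reachable only from the monitored-systems subnet, then flags any other enabled rule that still leaves those ports open to any address. The subnet 10.20.0.0/16 is a placeholder, and the NetSecurity cmdlets (New-NetFirewallRule and related) assume the Hosting Device runs Windows Server 2012 or later.

```powershell
# Added example (not from the HP white paper): restrict the Hosting Device's
# inbound firewall rules to the Monitored Systems -> Hosting Device ports
# listed in Appendix B, and only from the monitored-systems address range.
# Assumptions: 10.20.0.0/16 is a placeholder subnet; the NetSecurity module
# (Windows Server 2012 or later) is available.
param(
    [string[]]$MonitoredSubnets = @('10.20.0.0/16')   # placeholder, adjust
)

# Inbound ports from the Appendix B tables. WBEM TCP/5989 and SNMP UDP/161
# originate on the Hosting Device and therefore need no inbound rule.
$inbound = @(
    @{ Name = 'Insight RS - DCE endpoint resolution'; Protocol = 'TCP'; Port = 135  }
    @{ Name = 'Insight RS - Director HTTPS listener';  Protocol = 'TCP'; Port = 7905 }
    @{ Name = 'Insight RS - SNMP traps';               Protocol = 'UDP'; Port = 162  }
)

foreach ($rule in $inbound) {
    $existing = Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue
    if ($existing) {
        # Re-scope an existing rule instead of creating a duplicate.
        Set-NetFirewallRule -DisplayName $rule.Name -RemoteAddress $MonitoredSubnets
        Write-Output "Re-scoped '$($rule.Name)' to $($MonitoredSubnets -join ', ')"
        continue
    }
    New-NetFirewallRule -DisplayName $rule.Name `
        -Direction Inbound -Action Allow `
        -Protocol $rule.Protocol -LocalPort $rule.Port `
        -RemoteAddress $MonitoredSubnets | Out-Null
    Write-Output "Created '$($rule.Name)': $($rule.Protocol)/$($rule.Port) from $($MonitoredSubnets -join ', ')"
}

# Any other enabled inbound Allow rule on these ports that is open to 'Any'
# remote address undoes the scoping above, so report it.
$ports = $inbound | ForEach-Object { [string]$_.Port }
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $portFilter = $_ | Get-NetFirewallPortFilter
    $addrFilter = $_ | Get-NetFirewallAddressFilter
    if (($ports -contains "$($portFilter.LocalPort)") -and ($addrFilter.RemoteAddress -eq 'Any')) {
        Write-Warning "Rule '$($_.DisplayName)' leaves $($portFilter.Protocol)/$($portFilter.LocalPort) open to any address"
    }
}
```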
Appendix C: Summary of Network Ports for Storage The following tables summarize all ports that might be used in Insight Remote Support for Storage. See Table A-1 for ports that are required for basic system operation. C.1 StorageWorks MSA15XX/2XXX G1 Storage Systems Table C.
C.3 HP P4000 Storage Systems Table C.
C.5 StorageWorks Tape Libraries
Table C.5 StorageWorks Tape Libraries Connectivity - Firewall/Port Requirements
Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 2301 | Customer's Web Browser | Hosting Device | HP SMH port for Insight Manager Web Agents; HTTP (unencrypted), redirected to 2381 (HTTPS). | Yes |
UDP | 161 | Hosting Device | Monitored Systems | SNMP. This is the standard port used by SNMP agents on monitored systems. The Hosting Device sends requests to devices on this port. | No |

Appendix E: Summary of Network Ports for Networking
The following tables summarize all ports that might be used in Insight Remote Support for Networking. See Table A-1 for ports that are required for basic system operation.
E.1 A-Series/E-Series Switch Monitored Systems
Table E.1 A-Series/E-Series Switch Connectivity - Firewall/Port Requirements
Protocol | Ports | Source | Destination | Function | Configurable | Optional
UDP | 161 | Hosting Device | Monitored Systems | SNMP. | |
Appendix F: Summary of Network Ports for Printing The following tables summarize all ports that might be used in Insight Remote Support for Printing. See Table A-1 for ports that are required for basic system operation. F.1 Printers Table F.
Appendix H: Summary of Network Ports for Remote Device Access The following tables summarize all ports that might be used in Remote Device Access. See Table A-1 for ports that are required for basic system operation. H.1 Customer Access System (CAS) Table H.
H.2 Additional Ports for Virtual CAS Table H.
H.3 Additional Ports for iCAS Table H.
Sources:
ANSI TIA 942-2005
Distributed Component Object Model (DCOM)
Internet Engineering Task Force (IETF)
RFC 854: Telnet Protocol Specification
RFC 1157: A Simple Network Management Protocol (SNMP)
RFC 1441: Introduction to Version 2 of Internet Standard Network Management Framework (SNMPv2)
RFC 2560: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol (OCSP)
RFC 2616: Hypertext Transfer Protocol (HTTP 1.