Manualshelf

7.0.8 Insight Remote Support Security White Paper

ManualsBrandsHP ManualsSoftwareHP Insight Remote Support Next Gen Software
21222324252627282930
21
Authentication
Customers can identify that they are securely connected to HP support specialists. Only authorized HP support
specialists are able to establish connections, authenticated with digital certificates.
Access Control Overview
HP customers using RDA have full control of all incoming connections. Authorization and access restrictions can be
configured to meet the customer’s own security needs. For unattended RDA, audit trails are stored in audit log files.
Secure Communications
All communications meet current security best practice standards on encryption. Multiple layers of security ensure that
HP customers can use RDA with confidence.
Remote Device Access Using SSH
All unattended RDA solutions rely on an SSH (SSH-2 protocol) tunnel running between the support specialist's desktop
and a designated Customer Access System (CAS) deployed either in the customer Demilitarized Zone (DMZ) or on a
trusted network.
An SSH server is required on the customer network acting as a Customer Access System (see CAS below). A SSH client is
typically used for establishing connections to a SSH server accepting remote connections. An SSH server is commonly
present on most modern operating systems, including Microsoft Windows, Mac OS X, Linux, FreeBSD, HP-UX, Tru64
UNIX, and OpenVMS. Proprietary, freeware, and open source versions of SSH client are available with various levels of
complexity and functionality.
Most SSH implementations can be configured to comply with customers’ security policies. For example:
The protocol can be limited to SSH-2 only
Selection of encryption algorithm (3DES, AES, AES-256, etc)
Allow only private/public key authentication (disallow password authentication)
Use SecurID and other token-based authentication methods
Additionally some implementations support the use of X.509 certificates (also called an HP DigitalBadge) and two-factor
authentication.
Customer Access System (CAS)
A Customer Access System (CAS) is required for all unattended RDA methods. By hosting the SSH server, the CAS
provides a central point for customers to control remote access into their environment. Customers determine the login
of each HP user individually to allow or deny specific services or access to specific computers within their network. The
HP SIM Central Management Server (CMS) or the Insight RS Hosting Device used by the HP Insight Remote Support
Solution can also function as a CAS.
A CAS may be implemented on any customer-owned system capable of running a compatible SSH server. HP also offers
a self-contained virtualized CAS solution.
Customer-owned CAS
The customer may choose to provide their own CAS. The primary requirement is a functional SSH server such as
OpenSSH. Microsoft Windows, Linux, HP-UX, OpenVMS, and Tru64 UNIX operating systems may be used. HP
recommends that the customer configure SSH to accept only protocol version 2 and strong encryption (that is, AES
(Advanced Encryption Standard), Triple-DES (Data Encryption Standard), or AES-256). Firewalls should also be
configured to allow SSH access only from HP’s access servers.