7.0.8 Insight Remote Support Security White Paper

22
Virtual CAS
The Virtual CAS is provided by HP for free and is the HP preferred method for customers installing CAS functionality within their network. The Virtual CAS provides enhanced security and management functionality. It is a software-only solution based on a VMware image of a virtual machine running Ubuntu Server. Virtual CAS features include:
• Runs on VMware Server, ESX, ESXi or Oracle VM VirtualBox
• Can run on the Hosting Device of the HP Insight Remote Support 7.X solution
• Based on open source software
• An easy-to-use administration web interface
• Implements SSH authentication using X.509 certificates
• The authentication is compatible with HP's VeriSign-administered internal Public Key Infrastructure (PKI) (known internally as HP DigitalBadge)
• Certificate Revocation List (CRL) access is available either via file or via the Online Certificate Status Protocol (OCSP)
• Fine-granularity access control: customers can specify user-level access to targets, including TCP ports
• Easy-to-use software update mechanism based on apt-get. The Virtual CAS polls the HP Advanced Packaging Tool (APT) repository for software updates and security patches; the customer has full control over how and when these updates may be applied to the Virtual CAS
• Can be used with SSH-Direct or IPSec VPN solutions
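The per-user target and TCP-port access control listed above, modelled as an added example (this is not HP's code or the Virtual CAS configuration format): a default-deny policy that maps a support user to the target networks and ports it may reach through the tunnel, with the check a tunnel broker would run before forwarding a connection. The rule syntax, user names and addresses are assumptions constructed for the example.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed sample policy (hypothetical format): "<user> <host-or-CIDR> <ports>",
# where <ports> is a comma-separated list of single ports or lo-hi ranges.
SAMPLE_POLICY = """
# support user     target(s)        permitted TCP ports
engineer-alice     10.0.5.0/24      22,443
engineer-bob       192.168.1.10     5989-5990
engineer-bob       2001:db8::10     22
"""

@dataclass(frozen=True)
class Rule:
    user: str                    # identity presented at SSH login (e.g. certificate CN)
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    ports: frozenset             # TCP ports reachable on the target behind the tunnel

def parse_ports(spec: str) -> frozenset:
    """Expand '22,443,5989-5990' into a frozenset of ports, rejecting bad values."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"invalid port spec: {part!r}")
        ports.update(range(lo, hi + 1))
    return frozenset(ports)

def load_policy(text: str) -> list[Rule]:
    """Parse the policy text; blank lines and '#' comments are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        user, target, ports = line.split()
        # strict=False lets a bare host address stand for a /32 or /128 network
        rules.append(Rule(user, ipaddress.ip_network(target, strict=False), parse_ports(ports)))
    return rules

def is_allowed(policy: list[Rule], user: str, target_ip: str, port: int) -> bool:
    """Default deny: permit only if some rule matches user, target address and port."""
    try:
        addr = ipaddress.ip_address(target_ip)
    except ValueError:
        return False  # unparseable target: never forward
    return any(r.user == user and addr in r.network and port in r.ports for r in policy)

if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY)
    print(is_allowed(policy, "engineer-alice", "10.0.5.17", 22))    # True
    print(is_allowed(policy, "engineer-alice", "10.0.5.17", 3389))  # False
```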
[Figure 5: Virtual CAS. Diagram of the Virtual CAS running as a VM guest (Ubuntu Linux, Software CAS, administration web server and user interface) on a VMware ESX host on x86/64 hardware (shown as an HP ProLiant DL580 G5), with the HP Engineer, the CAS Administrator, the HP Advanced Packaging Tool repository and the VeriSign Certificate Revocation List as external parties. Labelled traffic flows: Administrator Access to SW CAS User Interface (GUI), tcp 443/HTTPS, internal; CRL check to www.verisign.com, tcp 80/HTTP, outbound; Software Updates from APT Repository (at HP), tcp 443/HTTPS, outbound; Tunneled application traffic from HP to Target host, tcp/application specific, inbound; SSH Traffic from HP to SW CAS for Authentication, tcp 22/SSH, inbound.]
HP Instant Customer Access Server (iCAS)
HP Instant Customer Access Server (iCAS) is a lightweight connection tool that allows an HP support agent to quickly and securely connect to a customer's environment to aid in the diagnosis and repair of supported hardware devices. The customer runs the iCAS software as a browser plug-in on any Windows or Linux computer that has network access to the device the HP support engineer is attempting to reach. HP iCAS uses a meet-in-the-middle connection paradigm to facilitate the remote access session by establishing a tunneled SSH session to a Remote Access Meeting Server (RAMS).
The HP engineer generates a unique connection key that is used to couple the HP Engineer and Customer SSH