Manualshelf

7.0.8 Insight Remote Support Security White Paper

ManualsBrandsHP ManualsSoftwareHP Insight Remote Support Next Gen Software
21222324252627282930
25
security token issued by the RAP to ensure that the support specialist is allowed to connect to the customer’s IP address.
Upon successful authorization, the RACS will forward the SSH connection to the HP routing device. RACS servers are
located in various HP data center locations.
Access Controls Onsite
For a primary defense, the customer external firewall can be configured to allow only RACS systems at HP to access their
VPN devices and/or CASii. Although standard passwords can be used, it is recommended to configure SSH public/private
keys instead. Some versions of SSH servers can be configured to use HP’s DigitalBadge certificates for authentication.
HP recommends that customers use the HP provided Virtual CAS, as this provides richer access control for customers.
One-time password systems, such as RSA’s SecurID, can also be used if the customer’s SSH server supports them.
The CAS itself provides the second layer of defense. Depending on the CAS type, customers can define named
employees, target systems, or even ports, that HP support specialists are allowed to connect to.
The customer owns the security policies and access control into his/her environment and can specifically restrict
connections to named HP support personnel and can terminate connections as needed.
The HP Support specialist is also subject to the customer’s own access control and security policies in that the customer
must provide login credentials if needed for the device that HP wishes to connect to. For example if the HP support
engineer wishes to logon to a UNIX server within the customers network, the customer provides the logon name and
controls what activities the HP support agent can perform. In this way, the customer oversees who from HP connects to
their network and then controls where they can go and what they are allowed to do.
The third layer is the login credentials on the target system that must be known by the HP support specialist, typically
pre-shared or shared on demand by the customer to HP over a different secure communication channel.
Connectivity Method: SSH-Direct Secure Shell over Internet
The direct SSH option provides a simple and easy unattended RDA solution. The customer need only provide HP with an
Internet Routable IP address for the CAS and allow one of the HP access servers to access it on port 22. The SSH-2
protocol is considered as secure as SSL.