Insight Remote Support 7.0.9 Security White Paper
controls what activities the HP support agent can perform. In this way, the customer oversees who from HP connects to
their network and then controls where they can go and what they are allowed to do.
The third layer is the login credentials on the target system, which the HP support specialist must know; these are typically pre-shared, or shared on demand by the customer with HP over a separate secure communication channel.
Connectivity Method: SSH-Direct – Secure Shell over Internet
The direct SSH option provides a simple unattended RDA solution. The customer need only provide HP with an Internet-routable IP address for the Customer Access Server (CAS) and allow one of the HP access servers to reach it on TCP port 22. The SSH-2 protocol is considered as secure as SSL.
Figure 8: SSH Direct (diagram; only its labels survive extraction).
Components: HP Support Specialist workstation and Remote Access Connection System behind the HP firewall; Customer Access Server (CAS) and customer target systems or devices behind the customer firewall.
Flows shown: SSH tunnel from HP to CAS, TCP/22 (SSH), inbound; tunneled application traffic to target system, application specific, inbound; raw application traffic to target system, application specific, inbound.
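The SSH tunnel from HP to the CAS is only as constrained as the sshd policy on the CAS: the customer-side control over where the specialist's tunnel may go maps to OpenSSH's AllowTcpForwarding and PermitOpen directives, scoped to the support account and the HP access server range with a Match block. The following Python model is an added example, not code from the white paper or from HP's product; it resolves the Match blocks of a constructed sshd_config for a given user and source address and reports whether a forward to a target host:port would be permitted. The account name hpsupport and all addresses are hypothetical.

```python
import fnmatch
import ipaddress

# Constructed sshd_config for a CAS (hypothetical users, hosts and addresses).
SSHD_CONFIG = """
AllowTcpForwarding no
X11Forwarding no
Match User hpsupport Address 203.0.113.0/24
    AllowTcpForwarding local
    PermitOpen 10.10.1.15:22 10.10.1.15:443 10.10.2.7:3389
    AllowAgentForwarding no
"""

def parse(text):
    """Split sshd_config into global directives and ordered Match blocks."""
    glob, blocks, cur = {}, [], None
    lines = [raw.split("#", 1)[0].strip() for raw in text.splitlines()]
    for line in filter(None, lines):
        key, _, val = line.partition(" ")
        if key.lower() == "match":          # e.g. Match User hpsupport Address 203.0.113.0/24
            toks = val.split()
            cur = ({k.lower(): v for k, v in zip(toks[::2], toks[1::2])}, {})
            blocks.append(cur)
        else:
            (cur[1] if cur else glob)[key.lower()] = val.strip()
    return glob, blocks

def effective(text, user, addr):
    """Directives sshd applies to a session from user@addr: global values overridden
    by the first matching Match block per keyword (simplified: one User, one CIDR)."""
    glob, blocks = parse(text)
    over, ip = {}, ipaddress.ip_address(addr)
    for crit, directives in blocks:
        if "user" in crit and not fnmatch.fnmatch(user, crit["user"]):
            continue
        if "address" in crit and ip not in ipaddress.ip_network(crit["address"], strict=False):
            continue
        for k, v in directives.items():
            over.setdefault(k, v)           # earlier matching block wins
    return {**glob, **over}

def forward_allowed(text, user, addr, host, port):
    """Would sshd honour a local (-L) forward from this session to host:port?"""
    eff = effective(text, user, addr)
    if eff.get("allowtcpforwarding", "yes").lower() in ("no", "remote"):
        return False                         # no local forwarding at all
    permit = eff.get("permitopen", "any").split()
    wanted = (f"{host}:{port}", f"{host}:*")
    return permit != ["none"] and (permit == ["any"] or any(p in wanted for p in permit))
```

On a real CAS, `sshd -T -C user=hpsupport,addr=203.0.113.10` prints the effective configuration sshd itself would apply to that session, which is the authoritative way to confirm the policy.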
Connectivity Methods for VPN Solutions
Many customers' security policies require that all inbound connections be protected inside a VPN connection that is terminated in their DMZ. HP offers a site-to-site IPSec VPN access solution for unattended RDA. SSH port-forwarding is still used, but it is tunneled over IPSec between VPN routers. The combination of SSH and IPSec provides enhanced Internet security. SSH is recommended because it provides better end-to-end security as well as enhanced functionality (file transfer and application tunneling), but HP recognizes that this may not fit all security policies. Therefore, we offer site-to-site IPSec VPN connectivity with and without SSH tunneling. The following figures show both options.