HP Remote Device Access Security Overview for A.05.
© Copyright 2009 Hewlett-Packard Development Company, L.P. Legal Notices Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents
About This Document ... 9
1 Intended Audience ... 9
2 Publishing History ... 9
3 Document Organization ...
List of Figures
1-1 Virtual CAS ... 13
1-2 Remote Access Connection System Details ... 14
1-3 SSH Direct ... 15
1-4 General IPSec VPN Access with SSH ...
List of Tables
B-1 CAS Connectivity - Firewall/Port Requirements ... 25
B-2 Additional Ports for Virtual CAS Connectivity - Firewall/Port Requirements ... 25
B-3 hpVPN Connectivity - Firewall/Port Requirements ...
About This Document

1 Intended Audience

IMPORTANT: This HP Remote Site Device Access Security white paper has been prepared, reviewed and approved for use in the United States and the APJ regions only. Additional reviews and approvals are underway for implementation of the RDA service in EMEA, Canada and Latin America and shall be completed as soon as possible.

2 Publishing History

Manufacturing Part Number | Edition Number | Publication Date
5900-0525 | 1.
1 Remote Device Access (RDA)

1.1 Executive Overview

Remote Device Access (RDA) is a support solution that enables the delivery of HP remote support services over the Internet or other connectivity methods. Today, many security-sensitive transactions, such as e-commerce, stock trades, and online banking, are executed securely over the Internet using the same security technology utilized in RDA by HP.
Windows, Mac OS X, Linux, FreeBSD, HP-UX, Tru64 UNIX, and OpenVMS. Proprietary, freeware and open source versions with various levels of complexity and functionality exist. Most SSH implementations can be configured to comply with customers’ security policies. For example:
• The protocol can be limited to SSH-2 only.
• Selection of encryption algorithm (3DES, AES, AES-256, etc.).
• Allow only private/public key authentication (disallow password authentication).
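The three policy points above are the kind of thing a customer would want to verify on the SSH server that faces HP, rather than take on trust. The following is an added example, not code from the white paper or from HP: a small Go audit that reads OpenSSH-style sshd_config text and reports where it deviates from "SSH-2 only, approved ciphers only, key-based authentication only". The keywords (Protocol, Ciphers, PasswordAuthentication, PubkeyAuthentication) are real OpenSSH keywords; the AES-only cipher allowlist and the two sample configurations are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical cipher allowlist for this example: AES only. A site that
// permits 3DES, as the paper's list does, would extend it.
var allowedCiphers = map[string]bool{
	"aes128-ctr": true, "aes192-ctr": true, "aes256-ctr": true,
	"aes128-cbc": true, "aes256-cbc": true,
}

// parseSSHConfig turns sshd_config text into keyword -> value.
// The first occurrence of a keyword wins, which is how sshd reads it.
func parseSSHConfig(cfg string) map[string]string {
	settings := map[string]string{}
	for _, raw := range strings.Split(cfg, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		key := strings.ToLower(fields[0])
		if _, seen := settings[key]; !seen {
			settings[key] = strings.Join(fields[1:], " ")
		}
	}
	return settings
}

// AuditSSHConfig returns one finding per deviation from the policy.
func AuditSSHConfig(cfg string) []string {
	s := parseSSHConfig(cfg)
	var findings []string

	// Policy 1: SSH-2 only. "Protocol 2,1" or "Protocol 1" enables SSH-1.
	if proto, ok := s["protocol"]; ok {
		for _, v := range strings.Split(proto, ",") {
			if strings.TrimSpace(v) == "1" {
				findings = append(findings, "Protocol: SSH-1 enabled; restrict to 2")
				break
			}
		}
	}

	// Policy 2: cipher selection. Flag anything outside the allowlist.
	if ciphers, ok := s["ciphers"]; ok {
		for _, c := range strings.Split(ciphers, ",") {
			c = strings.TrimSpace(c)
			if !allowedCiphers[c] {
				findings = append(findings, fmt.Sprintf("Ciphers: %q not in AES allowlist", c))
			}
		}
	}

	// Policy 3: key-based auth only. sshd defaults PasswordAuthentication
	// to yes when the keyword is absent, so absence is also a finding.
	if pw := s["passwordauthentication"]; pw != "no" {
		findings = append(findings, "PasswordAuthentication: must be explicitly set to no")
	}
	if pk, ok := s["pubkeyauthentication"]; ok && pk != "yes" {
		findings = append(findings, "PubkeyAuthentication: disabled; must be yes")
	}
	return findings
}

// Constructed sample configurations (not taken from the paper).
const weakConfig = `
# permissive sshd_config (constructed sample)
Protocol 2,1
Ciphers aes256-ctr,3des-cbc,arcfour
PasswordAuthentication yes
PubkeyAuthentication yes
`

const hardenedConfig = `
# sshd_config meeting all three policy points (constructed sample)
Protocol 2
Ciphers aes256-ctr,aes128-ctr
PasswordAuthentication no
PubkeyAuthentication yes
`

func main() {
	for _, name := range []string{"weak", "hardened"} {
		cfg := map[string]string{"weak": weakConfig, "hardened": hardenedConfig}[name]
		findings := AuditSSHConfig(cfg)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Run as-is, the weak sample produces four findings (SSH-1 enabled, two non-AES ciphers, password authentication on) and the hardened sample none. The audit deliberately treats a missing PasswordAuthentication line as a failure: the server's default is permissive, so the policy is only met when the denial is explicit.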
Figure 1-1 Virtual CAS

1.5 Access Control Details

1.5.1 Access control on the HP side

HP manages all remote access customers in an internal portal called Remote Access Portal. Customers and their connection data are centrally and securely managed via this central portal. Each customer can be associated with individual access rights so that narrow access permissions for this customer can be enforced, matching your security and access permission needs.
Figure 1-2 Remote Access Connection System Details

A Remote Access Connection System (RACS) is an SSH server that can forward an SSH connection to an appropriate CAS. When the HP support specialist connects and is authenticated to the RACS, the SSH server on the RACS checks the security token issued by the RAP to ensure that the support specialist is allowed to connect to the customer’s IP address. Upon successful authorization, the RACS will forward the SSH connection to the HP routing device.
oversees who from HP connects to their network and then controls where they can go and what they are allowed to do. The third layer is the login credentials on the target system that must be known by the HP support specialist, typically pre-shared or shared on demand by the customer to HP over a different secure.

1.6 Connectivity Method: SSH-Direct - Secure Shell over Internet

The direct SSH option provides the quickest and easiest unattended RDA solution.
Figure 1-4 General IPSec VPN Access with SSH

Figure 1-5 General IPSec VPN Access Without SSH

16 Remote Device Access (RDA)
1.7.1 hpVPN

With hpVPN, HP provides a router to the customer. The router is deployed in the customer’s DMZ. HP’s VPN router establishes an IPSec VPN connection with a so-called Customer Premises Equipment (CPE) router at the customer’s site. HP maintains the software and router configurations on both ends. Currently, all hpVPN connections use triple-DES encryption and SHA-1 HMAC. The access lists on the CPE routers allow only connections from authorized HP systems.
The VSR meeting session involves two or more users virtually meeting in a Virtual Support Room and sharing a desktop for collaboration purposes. The collaboration session can be initiated by the HP support specialist after the validation of the customer contract. The HP support specialist will generate room keys for the Virtual Support Room and share those keys via email or phone with the customer. The keys are required to enter the Virtual Support Room.
NOTE: All sessions are encrypted with AES-256 using SSL over HTTPS on port 443. Because VSR is a web application, web proxy servers can be used to access the HP VSR infrastructure.

Figure 1-7 Virtual Support Room Architecture

1.10 Data Privacy

HP is committed to protecting Customer privacy. Personal information provided to HP and any data collected by this RDA tool or other associated tools and utilities will not be shared with third parties.
2 Remote Device Access Security Details

2.1 Outbound Security

The Virtual Customer Access System (CAS) initiates outbound connections to VeriSign.com to validate certificates, using either OCSP to check the revocation status of an individual certificate, or HTTP to periodically fetch the entire CRL for the HP Class 2 Certification Authority. The Virtual CAS also periodically connects to the HP repository server using HTTPS to check for and fetch software updates. 2.
integrity checks, and prevents eavesdropping on and modification of sensitive data transferred between the CMS and managed systems. SSH uses TCP port 22. Although the SSH protocol is typically used to log into a remote machine and execute commands, it also supports tunneling, forwarding arbitrary TCP ports and X11 connections. It can transfer files using the associated SFTP or SCP protocols. The SSH protocol exists in two versions. The original version, SSH-1, is somewhat insecure and should not be used.
A X.509 Certificates and Remote Device Access

A.1 Overview

An X.509 certificate contains a public key that can be used to check the validity of a digital signature. This digital signature verifies the authenticity of a document, a message, another X.509 certificate, or any datum of interest. The digital signature is generated using the X.509 certificate’s corresponding private key. X.509 certificates are the basis of trust in most secure Internet protocols, the most pervasive being SSL and TLS. An X.
B Summary of Network Ports – Remote Device Access

The following tables summarize all ports that might be used in Remote Device Access. Ports used only by the respective operating systems are not listed. B.
Protocol | Ports | Source | Destination | Function | Configurable | Optional
UDP | 123 | Virtual CAS | Network Time Server | Network Time Protocol | No | Recommended
TCP | 80 or web proxy port | Virtual CAS | onsitecrl.verisign.com or Web Proxy | HTTP (Unencrypted) daily fetch of HP Class 2 CA certificate revocation list (CRL) | No | Recommended
TCP | 80 | Virtual CAS | onsite-ocsp.verisign.