Manualshelf

HP Remote Device Access Security Overview for A.05.30 (December 2009)

ManualsBrandsHP ManualsSoftwareHP-UX 11i v3 ONC and NFS Software
11121314151617181920
Windows, Mac OS X, Linux, FreeBSD, HP-UX, Tru64 UNIX, and OpenVMS. Proprietary, freeware and open
source versions with various levels of complexity and functionality exist.
Most SSH implementations can be configured to comply with customers security policies. For example:
The protocol can be limited to SSH-2 only.
Selection of encryption algorithm (3DES, AES, AES-256, etc).
Allow only private/public key authentication (disallow password authentication).
Use SecurID and other token-based authentication methods.
Additionally some implementations support the use of X.509 certificates (also called an HP DigitalBadge)
and two-factor authentication.
1.4.1 Customer Access System (CAS)
Customer Access Systems (CAS, plural is CASii) are required for all unattended RDA methods. By hosting
the SSH server, the CAS provides a central point for customers to control remote access into their environment.
Customers determine the login of each HP user individually to allow or deny specific services or access to
specific computers within their network. Each customer may designate up to three CASii. The Central
Management Server (CMS) or the Hosting Device used by the HP Insight Remote Support Solution can also
function as a CAS.
TIP: To learn more about HP Insight Remote Support Solutions please visit:
http://h18013.www1.hp.com/products/servers/management/hpsim/index.html.
A CAS may be implemented on any customer-owned system capable of running a compatible SSH server.
HP also offers a virtualized packaged solution.
1.4.1.1 Customer-owned CASii
The customer may choose to provide their own CAS. The primary requirement is a functional SSH server
such as OpenSSH. Microsoft Windows, Linux, HP-UX, OpenVMS, and Tru64 UNIX operating systems may
be used. HP recommends that the customer configure SSH to accept only protocol version 2 and strong
encryption, that is, AES, Triple-DES, or AES-256. Firewalls should also be configured to allow access only
from HP’s access servers.
1.4.1.2 Virtual CAS
The Virtual CAS is provided by HP for free and is the HP preferred method for customers installing CAS
functionality within their network. The Virtual CAS provides enhanced security and management functionality.
It is a software-only solution based on a VMware image of a virtual machine running Ubuntu Server. Virtual
CAS features include:
Runs on VMware Server (available from vmware.com at no cost) on either Microsoft Windows or Linux.
Runs on the Central Management Server (CMS) of the Insight Remote Support Advanced Solution or
on the Hosting Device of the HP Insight Remote Support Standard solution.
Based on open source software.
An easy to use administration web interface.
Implements SSH authentication using X.509 certificates.
The authentication is compatible with HP’s VeriSign-administered internal PKI (known internally as
HP DigitalBadge).
CRL access is available either via file or Online Certificate Status Protocol (OCSP).
Fine-granularity access control customers can specify user level access to targets including TCP ports.
Easy-to-use software update mechanism based on apt-get. The virtual CAS will poll HP for software
updates or security patches. The Customer has full control on how and when these updates may be
applied to the Virtual CAS.
Can be used with SSH-Direct, hpVPN, or CorVPN solutions.
12 Remote Device Access (RDA)