HP Remote Device Access Security Overview for A.05.30 (December 2009)

Figure 1-2 Remote Access Connection System Details
A Remote Access Connection System (RACS) is an SSH server that can forward an SSH connection to an
appropriate CAS. When the HP support specialist connects to and is authenticated by the RACS, the SSH server
on the RACS checks the security token issued by the RAP to ensure that the support specialist is allowed to
connect to the customer's IP address. Upon successful authorization, the RACS forwards the SSH connection
to the HP routing device. RACS servers are located in various HP data center locations.
1.5.2 Access control on the customer side
As the primary defense, the customer's firewall can be configured to allow only the RACS systems at HP to reach
their VPN routers or CAS. Although standard passwords can be used, it is recommended to configure SSH
public/private key authentication instead. Some SSH server versions can be configured to use HP's DigitalBadge
certificates for authentication. HP recommends that customers use the HP-provided Virtual CAS, as this
provides richer access control for customers.
One-time password systems, such as RSA’s SecurID, can also be used if the customer’s SSH server supports
them.
The CAS itself provides the second layer of defense. Depending on the CAS type, customers can define
named employees, target systems or even ports that HP support specialists are allowed to connect to.
The customer owns the security policies and access control into his/her environment and can specifically
restrict connections to named HP support personnel and can terminate connections as needed.
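The layered controls described above (firewall restriction to RACS sources, keys instead of passwords, and per-employee restrictions on target systems and ports) can be expressed with standard OpenSSH features on a customer-managed gateway. The following Python helper is an added example and is not HP's code or part of the CAS product; the RACS addresses, the specialist name, the key and the sample sshd_config are constructed placeholders.

```python
"""Added example (not HP's code): customer-side SSH access control that mirrors
the two layers described in the text, using plain OpenSSH features.

Assumptions (illustrative, not from the HP document):
  - RACS_SOURCES holds the HP RACS source addresses the customer admits; the
    values below are constructed placeholders from RFC 5737 documentation space.
  - Each named HP specialist has their own key on the customer's gateway, so
    restrictions can be applied per employee.
"""
import re
from typing import Dict, Iterable

# Constructed placeholders; the real RACS addresses come from HP at setup time.
RACS_SOURCES = ["192.0.2.0/24", "198.51.100.10"]


def authorized_key_entry(pubkey: str, specialist: str,
                         targets: Iterable[str],
                         sources: Iterable[str] = RACS_SOURCES) -> str:
    """Build one authorized_keys line for a named HP specialist.

    `restrict` disables PTY, agent/X11 forwarding and port forwarding; the
    explicit `port-forwarding` plus `permitopen` options re-enable forwarding
    only to the listed target host:port pairs. `from=` makes sshd refuse the
    key unless the connection originates at a RACS source, so a key copied
    elsewhere is useless. The `command=` keeps the session alive without
    giving the specialist a shell on the gateway itself (tunnel-only use).
    """
    targets = list(targets)
    for t in targets:
        if not re.fullmatch(r"[A-Za-z0-9.\-]+:\d{1,5}", t):
            raise ValueError(f"target must be host:port, got {t!r}")
    opts = ["restrict", "port-forwarding",
            'from="%s"' % ",".join(sources)]
    opts += ['permitopen="%s"' % t for t in targets]
    opts.append('command="/bin/sleep infinity"')  # GNU sleep accepts "infinity"
    return "%s %s hp-%s" % (",".join(opts), pubkey.strip(), specialist)


# Recommended global sshd_config values and sshd's own defaults when unset.
RECOMMENDED = {"passwordauthentication": "no",      # keys, not passwords
               "pubkeyauthentication": "yes",
               "permitrootlogin": "no"}
DEFAULTS = {"passwordauthentication": "yes",
            "pubkeyauthentication": "yes",
            "permitrootlogin": "prohibit-password"}


def audit_sshd_config(text: str) -> Dict[str, str]:
    """Return the recommended keywords whose effective global value differs
    from the recommendation, mapped to the value actually in force.

    Only the global section is examined: a `Match` line ends it, and the first
    occurrence of a keyword wins, both as in sshd itself.
    """
    seen: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in seen:
            seen[key] = parts[1].strip().lower()
    findings: Dict[str, str] = {}
    for key, want in RECOMMENDED.items():
        got = seen.get(key, DEFAULTS[key])
        if got != want:
            findings[key] = got
    return findings


# Constructed sample of a weak gateway config (the Match block does not fix the
# global password setting, which still applies to every other account).
SAMPLE_SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
Match User hp-support
    PasswordAuthentication no
"""

if __name__ == "__main__":
    # Constructed, non-functional key material for illustration only.
    print(authorized_key_entry("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample",
                               "jdoe", ["10.0.0.5:22", "db01.example:1521"]))
    print(audit_sshd_config(SAMPLE_SSHD_CONFIG))
```

Terminating a specialist's access is then a matter of removing that one authorized_keys line; because the `from=` list is per key, narrowing the admitted RACS sources for one employee does not affect the others.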
The HP support specialist is also subject to the customer's own access control and security policies, in that the
customer must provide login credentials, where needed, for the device that HP wishes to connect to. For example,
if the HP support engineer wishes to log on to a UNIX server within the customer's network, the customer provides
the logon name, and that account's privileges control what activities the HP support agent can perform. In this way the customer