HP Remote Device Access Security Overview for A.05.30 (December 2009)
2 Remote Device Access Security Details
2.1 Outbound Security
The Virtual Customer Access System (CAS) initiates outbound connections to VeriSign.com to validate
certificates, using either OCSP to check the revocation status of an individual certificate, or HTTP to
periodically fetch the entire CRL for the HP Class 2 Certification Authority. The Virtual CAS also
periodically connects to the HP repository server using HTTPS to check for and fetch software updates.
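An added example (not HP's code): one way to audit the Virtual CAS's outbound requests against the three purposes described above and flag anything else. The record format, the hostnames under verisign.com, the `.crl` path and the repository hostname `repository.hp.example` are assumptions; the page names only VeriSign.com and "the HP repository server".

```python
# Added example: audit constructed proxy records for Virtual CAS egress traffic.
from urllib.parse import urlsplit

CA_DOMAIN = "verisign.com"            # domain named on the page
REPO_HOST = "repository.hp.example"   # placeholder: the page gives no hostname

def host_in(host, domain):
    """True for the domain itself or a subdomain, never a look-alike suffix."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def classify(method, url, content_type=""):
    """Return 'ocsp', 'crl', 'update' or 'unexpected' for one outbound request."""
    u = urlsplit(url)
    host = u.hostname or ""
    # Software updates: HTTPS only, and only to the repository host.
    if u.scheme == "https" and host == REPO_HOST:
        return "update"
    if u.scheme == "http" and host_in(host, CA_DOMAIN):
        # OCSP over HTTP POST carries this media type (RFC 6960, Appendix A).
        # The GET form of OCSP is not modelled here and would be flagged.
        if method == "POST" and content_type == "application/ocsp-request":
            return "ocsp"
        # Periodic fetch of the full CRL over plain HTTP.
        if method == "GET" and u.path.lower().endswith(".crl"):
            return "crl"
    return "unexpected"

# Constructed sample records: (method, url, request content type)
SAMPLE = [
    ("POST", "http://ocsp.verisign.com/", "application/ocsp-request"),
    ("GET", "http://crl.verisign.com/class2.crl", ""),
    ("GET", "https://repository.hp.example/updates/index", ""),
    ("GET", "http://crl.verisign.com.lookalike.example/class2.crl", ""),
    ("POST", "http://ocsp.verisign.com/", "application/x-www-form-urlencoded"),
    ("GET", "http://repository.hp.example/updates/index", ""),
]

def audit(records):
    """Return the records that match none of the three documented purposes."""
    return [r for r in records if classify(*r) == "unexpected"]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(classify(*rec), rec[0], rec[1])
```

The last three sample records are flagged: a look-alike host, a POST that is not an OCSP request, and an update check attempted over plain HTTP.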
2.2 Inbound Security
Remote device access requires an inbound connection from HP to a customer-designated access server. HP
understands that IT security policies within organizations vary considerably. Therefore, HP offers a number
of remote access solutions (depending on the service level agreement) that help meet customers’ security
requirements. All HP solutions use standard techniques that include SSH, IPSec, and HTTPS. HP offers
both hardware and software solutions which can be configured to ensure that the customer always has
control of the connection. HP also has an option that allows the customer to view and monitor a support
specialist’s activities.
All HP support specialists must adhere to the same standard of business conduct as onsite HP engineers,
and are only allowed to attempt a connection with the customer’s approval and a valid business need. If
the customer has an assigned HP account support team, it is possible to restrict the access to only the HP
support specialists assigned to the team. Internally, HP uses two-factor authentication to control access to the
HP access connectivity servers. Additionally, all connections, attempted and successful, to customer systems
are logged.
2.3 Secured Communication
These protocols are used either inside the customer’s intranet or over the Internet between the customer and
HP.
• ESP
Encapsulating Security Payload (ESP), or IP protocol 50, is a protocol header inserted into an IP datagram
to provide data encryption and authentication. Remote Device Access uses ESP in tunnel mode to
establish VPN connectivity.
• HTTPS
HTTPS is HTTP with SSL or TLS encryption for security. All communications between the browser and
the remote data collection system are carried out over HTTPS. HTTPS is also used for the marshalling
and transfer of collected device data between the CMS and the managed systems. HTTPS usually uses
TCP port 443.
• IPSec
IP Security, or IPSec, is a suite of protocols for securing IP communications. IPSec operates in two modes.
In transport mode it can be configured to provide end-to-end security of all communications between
two systems. In tunnel mode, IPSec can be used to provide VPN connectivity over insecure networks.
A typical IPSec deployment uses two protocols: either Encapsulating Security Payload (ESP) or
Authentication Header (AH), which are IP protocols, and ISAKMP. Note that AH is seldom used as it
does not provide encryption.
• ISAKMP
Internet Security Association and Key Management Protocol (ISAKMP) is an application-layer IPSec
protocol used for negotiating encryption keys. It runs over UDP port 500.
• SSH
The Secure Shell (SSH) protocol is an application-layer protocol which permits secure remote access
over a network from one computer to another. SSH negotiates and establishes an encrypted and
authenticated connection between an SSH client and an SSH managed server. SSH provides data