HP Remote Device Access Security Overview for A.05.30 (December 2009)
integrity checks, prevents eavesdropping, and modification of sensitive data transferred between the
CMS and managed systems. SSH uses TCP port 22.
Although the SSH protocol is typically used to log into a remote machine and execute commands, it
also supports tunneling, forwarding arbitrary TCP ports and X11 connections. It can transfer files using
the associated SFTP or SCP protocols.
The SSH protocol exists in two versions. The original version, SSH-1, is somewhat insecure and should
not be used. Its successor, SSH-2, which is incompatible with SSH-1, strengthened security by changing
the protocol and adding Diffie-Hellman key exchange and strong integrity checking via message
authentication codes.
• SSL and TLS
The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are application-layer
protocols which provide data encryption and authentication. TLS is an updated version of SSL V3. SSL
and TLS use X.509 certificates, also known as “digital” certificates, for authentication. Although most
users are accustomed to working only with server certificates, SSL and TLS can be configured to require
client-side certificates, which provides password-less two-way authentication. The CMS and managed
systems authenticate one another using X.509 certificates. Also, all communications between the client browsers
and the CMS are protected by SSL. The Remote Support Configuration Collector System supports both
SSL V3 and TLS 1.0. These two protocols are most ubiquitous in HTTPS on TCP port 443. Other protocols
and applications also utilize SSL and TLS for security.
2.4 Unsecured Communications
HP uses the following unsecure protocols only inside the customer’s internal network. HP will not initiate any
external communications between the customer and HP using these protocols.
• HTTP
The Hypertext Transfer Protocol (HTTP) is an application-layer protocol used for exchanging data. Its
most popular usage is for transferring text, graphic images, sound, video, and other multimedia files
to Web browsers. HTTP’s capabilities are also general enough for non-web applications.
• OCSP
The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation
status of an X.509 digital certificate. It is described in RFC 2560. Although the protocol is not encrypted,
the sent information is somewhat anonymous (for example, a certificate serial number) and all responses
are digitally signed. OCSP runs on top of HTTP.
2.5 Security Auditing
All attended RDA connection attempts from HP to customers are logged. The acting user, the start and stop
times of the connection, and the connection status are logged. The connection status will indicate failures
such as improper authentication and authorization. This tracking information is retained for 13 months.
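The audit trail described above lends itself to a simple review script. The following is an added example, not HP's code and not HP's log format: it assumes a constructed one-line-per-connection record (start, stop, acting user, status), flags users with repeated authentication or authorization failures, and identifies records that have aged past the 13-month retention period.

```python
from collections import Counter
from datetime import datetime, timezone
import calendar

# Constructed sample audit records; the format is an assumption for this
# example, not HP's actual RDA log format. Fields: start, stop, user, status.
SAMPLE_AUDIT = """\
2008-10-03T09:12:00Z 2008-10-03T09:58:10Z hp_eng01 SUCCESS
2009-11-20T14:02:33Z 2009-11-20T14:02:34Z hp_eng02 AUTHENTICATION_FAILED
2009-11-20T14:05:10Z 2009-11-20T14:05:11Z hp_eng02 AUTHENTICATION_FAILED
2009-11-21T10:30:00Z 2009-11-21T10:45:00Z hp_eng02 AUTHORIZATION_FAILED
2009-12-01T08:00:00Z 2009-12-01T08:20:00Z hp_eng01 SUCCESS
"""

RETENTION_MONTHS = 13  # retention period stated in the document

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_audit(text):
    """Turn the constructed record format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, stop, user, status = line.split()
        records.append({"start": parse_ts(start), "stop": parse_ts(stop),
                        "user": user, "status": status})
    return records

def months_before(dt, months):
    """Calendar-month subtraction; day is clamped to the target month's length."""
    total = dt.year * 12 + (dt.month - 1) - months
    year, month = divmod(total, 12)
    month += 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)

def purgeable(records, now):
    """Records whose connection ended before the retention cutoff."""
    cutoff = months_before(now, RETENTION_MONTHS)
    return [r for r in records if r["stop"] < cutoff]

def failures_by_user(records):
    """Count non-successful connection attempts per acting user."""
    return Counter(r["user"] for r in records if r["status"] != "SUCCESS")

def flag_repeated_failures(records, threshold=3):
    """Users whose failed attempts reach the threshold, for follow-up review."""
    return sorted(u for u, n in failures_by_user(records).items() if n >= threshold)
```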
22 Remote Device Access Security Details