HP Insight Control Server Provisioning 7.2 Administrator Guide

4 Security considerations
Insight Control server provisioning is delivered as a security-hardened virtual appliance. The number
of open ports and the protocols supported on them have been limited to the minimum necessary
for the operation of Insight Control server provisioning.
4.1 Assumptions
The appliance should be on a deployment network, separate from the production network (see
“Security best practices” (page 31) for more information). Additionally, access to the virtual
appliance console should be restricted to authorized users (see “Restricting console access”
(page 30) for more information).
The appliance needs access to the iLOs on target servers as well as their deployment NICs. A
network configuration includes a separate management network that connects to target iLOs and
a deployment network with DHCP and PXE that connects to target deployment NICs. This type of
configuration will require a router between the management and deployment networks to provide
access to the target iLOs via the deployment network.
Insight Control server provisioning lands an agent in the production operating system and this
agent must be able to communicate back to the appliance. The assumption is that the deployment
NIC will be active in the production OS or that there will be a route back to the deployment network
for this communication.
4.2 Hypervisor and virtual machine security considerations
As a virtual appliance, the security of the appliance relies on the security of the host hypervisor,
in the same way that a physical appliance relies on the physical security of the datacenter.
Administrative access to the host hypervisor needs to be controlled to ensure the security of the
appliance. The appliance software image on the VM has been hardened, but to secure the appliance
the hypervisor must be configured to limit access to the virtual appliance console and virtual
hard drive (VMware vmdk file).
4.3 Authentication
Access to the appliance requires authentication using a username and password. These user
accounts are configured on the appliance. All access through the browser interface occurs over
SSL, including authentication, which protects the credentials during transmission over the network.
4.4 Session
A session is created when a user logs in to the appliance through the browser or some other client
(for example, using the REST API). A session ID is then used for additional requests to the appliance,
and it must be protected because it represents the authenticated user.
A session remains valid until the user logs out or the session times out. When using the REST API,
you should set the session idle time to a shorter duration or use the default duration of 24 hours,
and be sure to log out and end the session when done. The screen saver/system lock mechanism
of the operating system will provide some protection, but the UI should not be left open and
unprotected. If the browser UI is closed without logging out, the session token will time out and be
invalid after 20 minutes. The browser session is kept in a session cookie that is held in memory and
will not be retained after the browser closes. It is a best practice to always log off before closing
the browser.
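
One way for a REST API client to follow the guidance above, shown as an added example that is not code from this guide or from the product: the session is always ended, even when the work fails, and the session ID is kept out of log output. The endpoint path, header name, JSON field names, StubAppliance, Session and appliance_session are assumptions made for illustration, and the stub stands in for the appliance so the example runs offline.

```python
from contextlib import contextmanager

LOGIN_PATH = "/rest/login-sessions"  # assumption: placeholder endpoint path
AUTH_HEADER = "auth"                 # assumption: placeholder header name

class StubAppliance:
    """Constructed in-memory stand-in for the appliance (not the real API)."""
    def __init__(self):
        self.active, self.count = set(), 0
    def request(self, method, path, headers=None, body=None):
        headers = headers or {}
        if method == "POST" and path == LOGIN_PATH:
            if not (body or {}).get("password"):
                return 401, {}
            self.count += 1
            sid = f"constructed-session-{self.count}"
            self.active.add(sid)
            return 200, {"sessionID": sid}
        sid = headers.get(AUTH_HEADER)
        if sid not in self.active:
            return 401, {}          # unknown, logged-out or expired session
        if method == "DELETE" and path == LOGIN_PATH:
            self.active.discard(sid)
            return 204, {}
        return 200, {"path": path}

class Session:
    def __init__(self, transport, sid):
        self._transport, self._sid = transport, sid
    def __repr__(self):
        return "<Session id=REDACTED>"  # keep the ID out of logs and tracebacks
    def get(self, path):
        return self._transport.request("GET", path, {AUTH_HEADER: self._sid})

@contextmanager
def appliance_session(transport, user, password):
    # Log in, hand the caller a session, and log out no matter how the block exits.
    status, data = transport.request(
        "POST", LOGIN_PATH, body={"userName": user, "password": password})
    if status != 200:
        raise PermissionError("login failed")
    session = Session(transport, data["sessionID"])
    try:
        yield session
    finally:
        # Explicit logout: do not rely on the idle timeout to end the session.
        transport.request("DELETE", LOGIN_PATH, {AUTH_HEADER: data["sessionID"]})
```

With a real HTTP transport, the same wrapper should only be used over the appliance's SSL connection so the session ID is protected in transit.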
4.5 Authorization
Access to the appliance is restricted by roles, which describe what an authenticated user can do
in the appliance. Each user must be associated with at least one role.