A.05.80 HP Insight Remote Support Advanced and Remote Device Access Security Overview (October 2012)

Security Overview
Chapter 3: Remote Device Access (RDA)
Unattended RDA Using SSH
All unattended RDA solutions rely on an SSH (SSH-2 protocol) tunnel running between the support
specialist's desktop and a designated Customer Access System (CAS) deployed either in the customer
DMZ or on a trusted network.
An SSH server is required on the customer network, acting as a so-called customer access system (see
CAS below). An SSH client is typically used to establish connections to an SSH server that accepts
remote connections. SSH servers are commonly available on most modern operating systems, including
Microsoft Windows, Mac OS X, Linux, FreeBSD, HP-UX, Tru64 UNIX, and OpenVMS. Proprietary,
freeware and open source versions with various levels of complexity and functionality exist.
Most SSH implementations can be configured to comply with customers’ security policies. For example:
• The protocol can be limited to SSH-2 only.
• Selection of the encryption algorithm (3DES, AES, AES-256, etc.).
• Allow only private/public key authentication (disallow password authentication).
• Use SecurID and other token-based authentication methods.
Additionally some implementations support the use of X.509 certificates (also called an HP DigitalBadge)
and two-factor authentication.
Customer Access System (CAS)
Customer Access Systems (CASii) are required for all unattended RDA methods. By hosting the SSH
server, the CAS provides a central access point for customers to control remote access into their
environment. Customers control the login of each HP user individually, allowing or denying specific
services or access to specific computers within their network. The HP SIM Central Management Server
(CMS) or the Hosting Device used by the HP Insight Remote Support Solution can also function as a
CAS.
Tip: To learn more about HP Insight Remote Support Solutions please visit:
http://h18013.www1.hp.com/products/servers/management/hpsim/index.html.
A CAS may be implemented on any customer-owned system capable of running a compatible SSH
server. HP also offers a virtualized CAS (vCAS) solution that can be used to manage HP access into a
customer environment.
Customer-owned CASii
The customer may choose to provide their own CAS. The primary requirement is a functional SSH server
such as OpenSSH. Microsoft Windows, Linux, HP-UX, OpenVMS, and Tru64 UNIX operating systems
may be used. HP recommends that the customer configure SSH to accept only protocol version 2 and
strong encryption, for example AES (128 or better) or Triple DES. Firewalls should also be configured to
allow SSH (version 2) access only from HP’s access servers.
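As an added check, not part of the HP document, the following Python script audits an sshd_config on a customer-owned CAS against the points above: SSH-2 only, AES (128 or better) or Triple DES ciphers, key-only authentication, plus a per-user Match block that limits one HP login to a single approved device. The two sample configs, the hp-support user and the 10.0.5.20 host are constructed for illustration.

```python
# Added example, not from the HP document; the two sample configs are constructed.
import re
# AES (128 or better) or Triple DES, as recommended for a customer-owned CAS
ALLOWED_CIPHER = re.compile(r"^(aes\d{3}-(cbc|ctr|gcm@openssh\.com)|3des-cbc)$")

WEAK_CONFIG = """\
Protocol 2,1
Ciphers aes128-cbc,arcfour
PasswordAuthentication yes
"""
HARDENED_CONFIG = """\
Protocol 2
Ciphers aes256-ctr,aes128-ctr,3des-cbc
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers hp-support
Match User hp-support
    # constructed: this HP login may only forward to one approved device
    PermitOpen 10.0.5.20:22
"""

def parse_sshd_config(text):
    """Global options as {keyword: value}. sshd honours the first occurrence
    of a keyword; lines after a Match header are conditional and skipped."""
    opts, in_match = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            in_match = True
        elif not in_match:
            opts.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return opts

def audit_cas_sshd(text):
    """Return findings; an empty list means the config meets the recommendations."""
    o, findings = parse_sshd_config(text), []
    if o.get("protocol", "2") != "2":  # OpenSSH 7.4+ is SSH-2 only and ignores Protocol
        findings.append("Protocol: only SSH-2 must be accepted")
    bad = [c for c in o.get("ciphers", "").split(",") if not ALLOWED_CIPHER.match(c)]
    if bad:
        findings.append("Ciphers: unrestricted or not AES/3DES: " + ",".join(bad))
    if o.get("passwordauthentication", "yes") != "no":  # OpenSSH default is yes
        findings.append("PasswordAuthentication: must be no, keys only")
    if o.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication: must be yes")
    return findings
```

Run `audit_cas_sshd(open("/etc/ssh/sshd_config").read())` on the CAS itself; the firewall rule limiting port 22 to HP's access servers is outside sshd_config and must be checked separately.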