A.05.80 HP Insight Remote Support Advanced and Remote Device Access Security Overview (October 2012)

Security Overview
Chapter 3: Remote Device Access (RDA)
A Remote Access Connection System (RACS) is an SSH server that forwards an SSH connection to the
appropriate CAS. When an HP support specialist connects and is authenticated to the RACS, the SSH
server on the RACS checks the security token issued by the RAP to ensure that the support specialist
is allowed to connect to the customer's IP address. Only after that authorization succeeds does the
RACS forward the SSH connection to the HP routing device. RACS servers are hosted in several HP
data centers.
Access control on the customer side
The first line of defense is the customer's firewall, which can be configured to allow only the RACS
systems at HP to reach the customer's VPN routers or CAS. Static passwords can be used to authenticate
to the CAS, but configuring SSH public/private key authentication instead is recommended. Some SSH
server versions can also be configured to authenticate HP's DigitalBadge certificates. HP recommends
that customers use the HP-provided Virtual CAS, because it offers more granular access control than the
other CAS types.
One-time password systems, such as RSA SecurID, can also be used if the customer's SSH server or
access infrastructure supports them.
The CAS itself is the second line of defense. Depending on the CAS type, customers can restrict access
to named HP employees, to specific target systems, or even to specific ports on those systems.
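The two layers described above (a source allow-list for the RACS addresses, then a per-specialist list of target systems and ports) map directly onto OpenSSH's authorized_keys options. The following is an added illustration, not HP's code or configuration: it renders an authorized_keys file that pins each specialist's key to the RACS ranges with from= and to individual host:port targets with permitopen=, and it models the same decision in a checker. The RACS networks, specialist names, hostnames and keys are constructed placeholders (RFC 5737 documentation ranges), not HP's real values.

```python
"""Illustrative two-layer SSH access policy for a customer gateway (CAS).

Layer 1: only connections arriving from the vendor's RACS address ranges are
accepted (a firewall allow-list, mirrored here by the from= key option).
Layer 2: each named specialist's key may only open forwards to the host:port
pairs granted to that specialist (the permitopen= key option).

All names, addresses and keys below are constructed placeholders, not HP's.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Layer 1: constructed RACS source ranges (RFC 5737 documentation space).
# In a real deployment replace these with the vendor-published RACS addresses.
RACS_NETWORKS = ["192.0.2.0/24", "198.51.100.0/24"]


@dataclass
class Specialist:
    name: str
    pubkey: str                      # "ssh-ed25519 AAAA..." (placeholder value)
    targets: List[Tuple[str, int]]   # (host, port) pairs this person may reach


# Constructed policy: who may reach which target system on which port.
POLICY = [
    Specialist("alice.example",
               "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAlice",
               [("ilo-db01.customer.example", 443), ("db01.customer.example", 22)]),
    Specialist("bob.example",
               "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBob",
               [("ilo-web01.customer.example", 443)]),
]


def from_racs(source_ip: str) -> bool:
    """Layer 1: is the connecting address inside an allowed RACS range?"""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(net) for net in RACS_NETWORKS)


def authorized_keys_line(s: Specialist) -> str:
    """Render one authorized_keys entry that enforces both layers inside sshd.

    'restrict' disables every feature (pty, agent/X11 forwarding, rc files),
    'port-forwarding' re-enables only forwarding, and each 'permitopen' pins a
    forward to one host:port.  The from= list makes sshd reject the key when
    it is presented from any address outside the RACS ranges.
    """
    opts = ['from="%s"' % ",".join(RACS_NETWORKS), "restrict", "port-forwarding"]
    opts += ['permitopen="%s:%d"' % (host, port) for host, port in s.targets]
    return "%s %s %s" % (",".join(opts), s.pubkey, s.name)


def render_authorized_keys(policy=POLICY) -> str:
    """Whole authorized_keys file for the gateway account used by HP support."""
    return "\n".join(authorized_keys_line(s) for s in policy) + "\n"


def forward_allowed(name: str, source_ip: str, host: str, port: int,
                    policy=POLICY) -> bool:
    """Decision the CAS makes for a requested forward: both layers must pass."""
    if not from_racs(source_ip):
        return False                       # layer 1 failed: not a RACS address
    for s in policy:
        if s.name == name:
            return (host, port) in s.targets   # layer 2: named target and port
    return False                           # unknown specialist


if __name__ == "__main__":
    print(render_authorized_keys())
    print(forward_allowed("alice.example", "192.0.2.10", "db01.customer.example", 22))
```

The rendered file only takes effect if the gateway's sshd_config also sets PasswordAuthentication to no, so that the key options are the sole path in; with passwords still enabled, the from= and permitopen= restrictions bind only the key, not the account. The firewall allow-list remains worthwhile even with from= in place, because it stops unwanted sources before they can exercise the SSH daemon at all.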
HP Insight Remote Support Advanced and Remote Device Access (A.05.80) Page 43 of 97