Technical white paper
Insight Remote Support Security White Paper
Version 7.0.9

Table of Contents
• Related Documents
• Overview
• Event Filtering
• Entitlement
• Event Correlation
• A.1 Standard Operating System Network Ports
• Table A.1 Standard Operating System Connectivity - Firewall/Port Requirements
• Appendix B: Summary of Network Ports for Servers
• B.1 Hosting Device
• Appendix E: Summary of Network Ports for Networking
• E.1 A-Series/E-Series Switch Monitored Systems
• E.2 SAN Monitored Systems
• Table E.
Related Documents
• Insight Remote Support 7.0.9 Release Notes
• Quick Installation Guide
• Installation and Configuration Guide
• Managed Devices Configuration Guide
• HP Insight Online Direct Connect Architecture and Security Model: HP ProLiant Gen8 Servers and BladeSystem c-Class Enclosures

This document describes the security aspects of the HP Insight Remote Support solution and its components, including the security features and capabilities of the solution.
Insight Remote Support - Onsite
Insight Remote Support is a suite of support applications and services used to enhance the support experience by automating routine support tasks. Insight Remote Support does this in three ways.

Remote Device Monitoring (RDM)
RDM monitors supported devices in your environment by listening for event messages from the local diagnostic monitors.
Insight Remote Support - Communications
Insight Remote Support uses several communication methods: Device Discovery, Event Management, Data Collection, Data sent to HP, Data Management at HP, and accessing data using Insight Online.

Insight Remote Support User Interface
The Insight RS Console allows a system administrator to view configuration details about the devices in their enterprise. User access to the Insight RS Console is controlled by the Windows account settings.
Email Adapter
Insight Remote Support can notify the (default and backup) device contacts by email when certain events occur. Email notification is configured in the Integration Adapters tab of the Administrative Settings menu in the Insight RS Console.
Table 1: Device Discovery Services

Service | Protocol/Port | Source | Destination
DCOM* | TCP/135 | Hosting Device | Monitored Device
ELMC | TCP/7920 | Hosting Device | Monitored Device
HTTP* | TCP/80 | Hosting Device | Monitored Device
HTTPS | TCP/443 | Hosting Device | Monitored Device
P4000 CLI | TCP/5989 | Hosting Device | Monitored Device
P6000 CV | TCP/2372 | Hosting Device | Monitored Device
RIBCL | TCP/443 | Hosting Device | Monitored iLO Device
SNMPv1* | UDP/161 | Hosting Device | Monitored Device
SNMPv2* | UDP/161 | H
HTTP
The Hypertext Transfer Protocol (HTTP) is an application-layer protocol used for exchanging data. HTTP is described in RFC 2616. Its most popular usage is for transferring text, graphic images, sound, video, and other multimedia files to Web browsers, but HTTP is general enough to serve non-web applications as well. HTTP communications are unencrypted. HTTP typically uses Transmission Control Protocol (TCP) port 80.
Simple Network Management Protocol version 1 (SNMPv1) is a protocol developed to manage nodes (servers, routers, switches, and hubs) on an IP network. SNMPv1 is described in RFC 1157. SNMPv1 is an unencrypted communication service that communicates over UDP port 161. SNMPv1 is a simple request/response protocol (responses are not acknowledged): the Hosting Device issues a request and a monitored device returns a response.
Windows Management Instrumentation (WMI) is the Microsoft proprietary implementation of WBEM. WMI runs as a DCOM (Distributed Component Object Model) service, which in turn uses RPC (Remote Procedure Call) and other associated DCOM services. The WMI Mapper is an application that provides a two-way translation interface between DCOM and WBEM. The WMI Mapper is required for any Windows monitored system that supports WBEM Indications to be monitored by Insight Remote Support.
Insight Remote Support
HP Insight Remote Support version 7.0.8 stores information in specific locations on the Hosting Device. Permissions on these directories are set to deny access to all users except Hosting Device System Administrators and the Windows System account. The Installer can change the default locations for these directories during installation.
Table 3: Data Collection Retention Default Schedule

Collection Name | Default Collection Schedule | Number Retained for 'RunNow' Collections | Number Retained for 'Scheduled' Collections
ActiveHealthServiceCollection | Weekly | 1 | 2
MetricsCollection | Weekly | 7 | 4
NetworkConfigurationCollection | Weekly | 2 | 3
P4000FamilyConfigurationCollection | Daily | 2 | 5
PerformanceDataCollection | RunNow Only | 2 | N/A
SANConfigurationCollection | Weekly | 2 | 3
ServerBasicConfigurationCollection | Monthly | 2 | 3
StorageConfig
All information collected by Insight Remote Support and sent to HP is used in accordance with the Insight Remote Support Terms and Conditions (see note below) and the HP Online Privacy Statement.

Note: For receiving remote support: Installing HP Insight Remote Support configures your IT devices being remotely supported to securely send support or service events, IT configuration information, diagnostic, configuration, and telemetry information to HP, together with your support contact information.
Application Failure: Default contact notified when the Insight Remote Support application fails, or when a data transport failure occurs.
Software Management Updates: Default contact notified whenever a new software update is available.
Entitlement Expiration: Default and Backup contacts notified when a warranty or contract is about to expire. Notifications are sent at 90, 60, 30, and 0 days prior to expiration.
Insight Remote Support at HP
HP Data Centers
All customer data received by HP is treated as “HP Confidential” and treated in accordance with HP’s Data Handling guidelines for HP Confidential information. Customer data is stored in one of six HP Global IT Next Generation Data Centers (NGDC) — two each in the geographical zones of Austin, Texas; Houston, Texas; and Atlanta, Georgia — that have site-to-site and zone-to-zone business continuity and disaster recovery capabilities.
Note: The RSDC servers support Global Server Load Balancing (GSLB) and Site-to-Site failover, but have not implemented Zone-to-Zone failover.
Figure 4: Configuration Collection Data Flow at HP (diagram: incoming collection data from the onsite installation passes through the Business Logic Infrastructure for Collection Data Processing & Filtering, with an "Is Device Registered?" check, Data Orchestration, an "Is Modeling Supported?" check, and delivery to the HP Corporate DBs, HP Support Center DB, Raw Data and Model Reporting DB and Support Automation DB)

Collection Processing
Collection data, like event data, is parsed to obtain the device GDID and entitlement information.
HP Insight Online
HP Support Center
HP Insight Online is a new capability with Insight Remote Support version 7.0. It is a cloud-based IT Management and support solution. HP Insight Online lets you provision, monitor, and remotely support devices in your enterprise from a single online portal. Data collected from your devices can be viewed online using HP Support Center.
Remote Device Access (RDA)
HP offers several options for establishing a secure connection between HP and your network, allowing an HP support specialist—with your authorization—to remotely access your monitored systems and devices. Using HP RDA, an HP support specialist can log in to your system, observing normal security processes and procedures, in order to provide remote hardware or software support for faster resolution of problems.
Authentication
Customers can identify that they are securely connected to HP support specialists. Only authorized HP support specialists are able to establish connections, authenticated with digital certificates.

Access Control Overview
HP customers using RDA have full control of all incoming connections. Authorization and access restrictions can be configured to meet the customer’s own security needs. For unattended RDA, audit trails are stored in audit log files.
Virtual CAS
The Virtual CAS is provided by HP for free and is the HP preferred method for customers installing CAS functionality within their network. The Virtual CAS provides enhanced security and management functionality. It is a software-only solution based on a VMware image of a virtual machine running Ubuntu Server. Virtual CAS features include:
• Runs on VMware Server ESX; ESXi or Oracle VM VirtualBox
• It can run on the Hosting Device of the HP Insight Remote Support 7.
Figure 5: Virtual CAS (diagram: Ubuntu Linux VM guest OS on VMware ESX on x86/64 hardware running the application software, CAS User Interface and web server; CAS Administrator and HP Engineer access to the CAS User Interface (GUI) over tcp 443/HTTPS; internal CRL check against the VeriSign Certificate Revocation List at www.verisign.; Advanced Packaging Tool repository; connection to the target host)
Figure 6: Instant CAS (iCAS)
RDA Access Controls
Access Controls at HP
HP manages all remote access customers in an internal portal called Remote Access Portal (RAP). Customer information and their connection data are centrally and securely managed via this central portal. Each customer can be associated with individual access rights so that narrow access permissions for this customer can be enforced, matching your security and access permission needs.
Figure 7: Remote Access Connection System Details (diagram: HP Support Specialist workstation, Remote Access Portal (RAP), Remote Connectivity Toolbox (RCTS), Remote Connectivity Database and HP Customer Account Manager; regional Remote Access Connection System (RACS), HP routing device and HP Firewall; flows for the Remote Device Access connection, user authentication and authorization data, and company access authorization management and connection configuration)

A Remote Access Connection System (RA
controls what activities the HP support agent can perform. In this way, the customer oversees who from HP connects to their network and then controls where they can go and what they are allowed to do. The third layer is the login credentials on the target system, which must be known by the HP support specialist; these are typically pre-shared, or shared on demand by the customer with HP over a different secure communication channel.
Figure 9: General IPSec VPN Access with SSH (diagram: HP Support Specialist and Remote Access Portal behind the HP internal firewall; IPSec tunnel over Internet, ISDN or leased line between the HP Access Server and the Customer Access Server; SSH tunnel inside it carrying application traffic such as Telnet, VNC, RDP and PCAnywhere to the customer target systems or devices)
Figure 10: General IPSec VPN Access Without SSH (diagram: Remote Access Connection System and HP Firewall to the Customer Firewall and VPN routing devices over an IPSec VPN tunnel, Protocol 50 (ESP) & UDP 500 (IKE); SSH tunnel to the HP access server, TCP/22 (SSH) inbound; application-specific inbound traffic through the customer internal firewall to the customer target systems or devices)
Figure 11: ISDN (diagram: Support Specialist Workstation and Remote Access Connection System behind the HP Firewall; ISDN routing devices over the Public Telephone Network to the Customer Firewall and Customer Access Server; SSH tunnel from HP to CAS, TCP/22 (SSH) inbound; application-specific inbound traffic to the customer target systems or devices)

Integrated Services D
• Provide support with the customer’s confidence. All actions requested by the support engineer (taking desktop control or snapshot, collecting system information, file transfer) must first be approved by the customer – via a popup permissions window – and are completed with secure transmissions.
• The customer views all activity in real time and can suspend a remote access session immediately if so required.

Note: All sessions are encrypted with AES-256 using SSL over HTTPS on port 443.
Inbound Security
Remote Device Access requires an inbound connection from HP to a customer-designated access server. HP understands that IT security policies within organizations vary considerably. Therefore, HP offers a number of remote access solutions (depending on the service level agreement) designed to meet customer security requirements. All of HP's solutions use standard techniques that include SSH, IPSec, and HTTPS.
GLOSSARY of Terms
API - Application Programming Interface
DCOM - Distributed Component Object Model
EDW - Enterprise Data Warehouse
ELMC - Event Log Monitoring Collector
ESP - Encapsulating Security Payload
GDID - Global Support Identifier
GUI - Graphical User Interface (same as UI)
HTTP - Hyper Text Transfer Protocol
HTTPS - Hyper Text Transfer Protocol Secure
IKEv2 - Internet Key Exchange version 2
IP - Internet Protocol
IPSEC - Internet Protocol Security
LAN - Local Area Network
OCSP - Online Certificate
A.1 Standard Operating System Network Ports
Table A.1 Standard Operating System Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
UDP | 53 | System | DNS Server | Domain Name Service (DNS) - Host name resolution. | |
Appendix B: Summary of Network Ports for Servers The following tables summarize all ports that might be used in Insight Remote Support for Servers. See Table A-1 for ports that are required for basic system operation. B.1 Hosting Device Table B.
B.2 HP-UX Monitored Systems
Table B.2 HP-UX Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 5989 | Hosting Device | Monitored Systems | Secured WBEM CI-MOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM end point nodes. | Yes | Required
TCP | 7905 | Monitored Systems | Hosting Device | Secure HTTP (HTTPS) port used by the listener running in the Director's Web Interface. | |
B.4 Integrity Windows Server 2003 Monitored Systems
Table B.4 Integrity Windows Server 2003 Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | | | Monitored Systems | Secured WBEM CI-MOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM end point nodes. | Yes | Required
| | Hosting Device | Monitored Systems | The Insight-RS ELMC (formerly WCCProxy) process communicates with the Director on this port. This is a proprietary protocol. | |
Table B.5 Integrity Windows Server 2008 Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 5989 | Hosting Device | Monitored Systems | Secured WBEM CI-MOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM end point nodes. | Yes | Required
TCP | 135 | Monitored Systems | Hosting Device | DCE endpoint resolution. | |
B.6 OpenVMS Integrity Monitored Systems
Table B.6 OpenVMS Integrity Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | | | Monitored Systems | Secured WBEM CI-MOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM end point nodes. | Yes | Required
| | | Monitored Systems | The Insight-RS ELMC (formerly WCCProxy) process communicates with the Director on this port. This is a proprietary protocol. Any connections that exchange username and passwords use SSL. | No |
B.8 ProLiant Citrix Monitored Systems
Table B.8 ProLiant Citrix Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
UDP | 161 | Hosting Device | Monitored Systems | SNMP. This is the standard port used by SNMP agents on monitored systems. The Hosting Device sends requests to devices on this port. | Yes |
Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 5989 | Hosting Device | Monitored Systems | Secured WBEM CI-MOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM end point nodes. | Yes | Required
UDP | 161 | Hosting Device | Monitored Systems | SNMP. This is the standard port used by SNMP agents on monitored systems. The Hosting Device sends requests to devices on this port. | Yes | Required
TCP | 135 | Monitored Systems | Hosting Device | DCE endpoint resolution. | |
B.12 ProLiant VMWare ESX Monitored Systems
ProLiant VMWare ESX Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
UDP | 161 | Hosting Device | Monitored Systems | SNMP. This is the standard port used by SNMP agents on monitored systems. The Hosting Device sends requests to devices on this port. | Yes | Required
UDP | 162 | Monitored Systems | Hosting Device | SNMP Trap. This is the standard port used by SNMP managers for listening to traps. | Yes |
B.14 ProLiant Windows Server 2003 Monitored Systems
ProLiant Windows Server 2003 Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 5989 | Hosting Device | Monitored Systems | Secured WBEM CI-MOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM end point nodes. | Yes | Required
TCP | 135 | Monitored Systems | Hosting Device | DCE endpoint resolution. | |
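As an added example (not part of the white paper or HP's tooling), the following Python script turns rows like those in Table 1 and the Appendix B tables into per-host firewall rules, audits a host's actual listening ports against them, and renders the inbound rules for the Windows Hosting Device. The FLOWS rows, the role names and the remoteip placeholders are assumptions constructed for this example.

```python
"""Derive per-host firewall rules from Insight RS style connectivity tables."""
from collections import namedtuple

Flow = namedtuple("Flow", "proto port source destination function optional")

HOSTING = "Hosting Device"
MONITORED = "Monitored Systems"
BROWSER = "Customer's Web Browser"

# Constructed sample modelled on Table 1 and the Appendix B tables of the
# white paper (source -> destination, as in the tables); not the full list.
FLOWS = [
    Flow("UDP", 161, HOSTING, MONITORED, "SNMP requests to agents", False),
    Flow("UDP", 162, MONITORED, HOSTING, "SNMP traps to the manager", False),
    Flow("TCP", 5989, HOSTING, MONITORED, "WBEM CI-MOM over HTTPS/SOAP", False),
    Flow("TCP", 7905, MONITORED, HOSTING, "ELMC HTTPS listener", False),
    Flow("TCP", 135, MONITORED, HOSTING, "DCE endpoint resolution", False),
    Flow("TCP", 443, HOSTING, "Monitored iLO Device", "RIBCL over HTTPS", False),
    Flow("TCP", 2381, BROWSER, HOSTING, "HP SMH over HTTPS", True),
]


def host_rules(role, flows=FLOWS, include_optional=True):
    """Rules a host acting as `role` needs, as (direction, proto, port, peer).

    "in" means the host is the destination and must accept the flow;
    "out" means it is the source and must be allowed to initiate it.
    """
    rules = []
    for f in flows:
        if f.optional and not include_optional:
            continue
        if f.destination == role:
            rules.append(("in", f.proto, f.port, f.source))
        elif f.source == role:
            rules.append(("out", f.proto, f.port, f.destination))
    return rules


def audit_listeners(role, observed, flows=FLOWS):
    """Compare observed listening sockets {(proto, port)} with the table.

    Returns (missing, unexpected): inbound ports the table requires that the
    host is not listening on, and listeners the table does not justify.
    """
    expected = {(p, port) for d, p, port, _ in host_rules(role, flows) if d == "in"}
    return sorted(expected - set(observed)), sorted(set(observed) - expected)


def netsh_inbound(role, flows=FLOWS):
    """Render inbound rules as Windows Firewall commands (the Hosting Device is
    a Windows system). The tables name roles, not addresses, so the remoteip
    value is a placeholder to replace with the real peer address ranges."""
    cmds = []
    for direction, proto, port, peer in host_rules(role, flows):
        if direction != "in":
            continue
        tag = peer.replace(" ", "-").replace("'", "")
        cmds.append(
            f'netsh advfirewall firewall add rule name="IRS {proto}/{port} from {peer}" '
            f"dir=in action=allow protocol={proto} localport={port} "
            f"remoteip=<{tag}-addresses>"
        )
    return cmds
```

Feeding `audit_listeners(HOSTING, ...)` the socket set from a `netstat -an` snapshot shows both unjustified exposure (for example an RDP listener the tables never mention) and required listeners that are absent.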
Appendix C: Summary of Network Ports for Storage The following tables summarize all ports that might be used in Insight Remote Support for Storage. See Table A-1 for ports that are required for basic system operation. C.1 StorageWorks MSA15XX/2XXX G1 Storage Systems Table C.
C.3 HP P4000 Storage Systems Table C.
D.4 StorageWorks P6000 (EVA) Storage Systems
Table D.4 EVA Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 2372 | Hosting Device | EVA | P6000/EVA CommandView - Storage Collections for EVA (HTTPS) | No | Required
TCP | 5989 | Hosting Device | Monitored Systems | Secured WBEM CI-MOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM end point nodes. | |
C.5 StorageWorks Tape Libraries
Table C.5 StorageWorks Tape Libraries Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
TCP | 2301 | Customer's Web Browser | Hosting Device | HP SMH port for Insight Manager Web Agents; HTTP (Recommend using TCP/2381) | |
TCP | 2381 | Customer's Web Browser | Hosting Device | HP SMH port for Insight Manager Web Agents; HTTPS, redirected to 2381 (HTTPS) | Yes | Recommended
UDP | 161 | Hosting Device | Monitored Systems | SNMP. | |
Appendix E: Summary of Network Ports for Networking
The following tables summarize all ports that might be used in Insight Remote Support for Networking. See Table A-1 for ports that are required for basic system operation.

E.1 A-Series/E-Series Switch Monitored Systems
Table E.1 A-Series/E-Series Switch Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
UDP | 161 | Hosting Device | Monitored Systems | SNMP. | |
E.3 SAN Switch Monitored Systems
Table E.3 SAN Switch Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
UDP | 161 | Hosting Device | Monitored Systems | SNMP. This is the standard port used by SNMP agents on monitored systems. The Hosting Device sends requests to devices on this port. | Yes | Required
UDP | 162 | Monitored Systems | Hosting Device | SNMP Trap. This is the standard port used by SNMP managers for listening to traps. | |
Appendix F: Summary of Network Ports for HP UPS Management Module Connectivity The following tables summarize all ports that might be used in Insight Remote Support for HP UPS Management Module Connectivity. See Table A-1 for ports that are required for basic system operation. F.1 HP UPS Management Module Connectivity Table G.
Appendix G: Summary of Network Ports for Remote Device Access The following tables summarize all ports that might be used in Remote Device Access. See Table A-1 for ports that are required for basic system operation. G.1 Customer Access System (CAS) Table H.
G.2 Additional Ports for Virtual CAS Table H.
G.3 Additional Ports for iCAS Table H.
Appendix H: Summary of Network Ports for HP UPS Management Module Connectivity
H.1 HP UPS Management Module Connectivity
HP UPS Management Module Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
UDP | 161 | Hosting Device | Monitored Systems | SNMP. This is the standard port used by SNMP agents on monitored systems. The Hosting Device sends requests to devices on this port. | Yes |
Sources:
• ANSI TIA 942-2005
• Distributed Component Object Model (DCOM)
• Internet Engineering Task Force (IETF)
• RFC 854: Telnet Protocol Specification
• RFC 1157: A Simple Network Management Protocol (SNMP)
• RFC 1441: Introduction to Version 2 of Internet Standard Network Management Framework (SNMPv2)
• RFC 2560: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol (OCSP)
• RFC 2616: Hypertext Transfer Protocol (HTTP 1.