Manualshelf

Insight Remote Support 7.0.9 Security White Paper

ManualsBrandsHP ManualsSoftwareHP Insight Remote Support Next Gen Software
21222324252627282930
Authentication
Customers can identify that they are securely connected to HP support specialists. Only authorized HP support specialists
are able to establish connections, authenticated with digital certificates.
Access Control Overview
HP customers using RDA have full control of all incoming connections. Authorization and access restrictions can be
configured to meet the customer’s own security needs. For unattended RDA, audit trails are stored in audit log files.
Secure Communications
All communications meet current security best practice standards on encryption. Multiple layers of security ensure that HP
customers can use RDA with confidence.
Remote Device Access Using SSH
All unattended RDA solutions rely on an SSH (SSH-2 protocol) tunnel running between the support specialist's desktop and
a designated Customer Access System (CAS) deployed either in the customer Demilitarized Zone (DMZ) or on a trusted
network.
An SSH server is required on the customer network acting as a Customer Access System (see CAS below). A SSH client is
typically used for establishing connections to a SSH server accepting remote connections. An SSH server is commonly
present on most modern operating systems, including Microsoft Windows, Mac OS X, Linux, FreeBSD, HP-UX, Tru64 UNIX,
and OpenVMS. Proprietary, freeware, and open source versions of SSH client are available with various levels of
complexity and functionality.
Most SSH implementations can be configured to comply with customers’ security policies. For example:
The protocol can be limited to SSH-2 only
Selection of encryption algorithm (3DES, AES, AES-256, etc)
Allow only private/public key authentication (disallow password authentication)
Use SecurID and other token-based authentication methods
Additionally some implementations support the use of X.509 certificates (also called an HP DigitalBadge) and two-factor
authentication.
Customer Access System (CAS)
A Customer Access System (CAS) is required for all unattended RDA methods. By hosting the SSH server, the CAS provides a
central point for customers to control remote access into their environment. Customers determine the login of each HP
user individually to allow or deny specific services or access to specific computers within their network. The HP SIM Central
Management Server (CMS) or the Insight RS Hosting Device used by the HP Insight Remote Support Solution can also
function as a CAS.
A CAS may be implemented on any customer-owned system capable of running a compatible SSH server. HP also offers a
self-contained virtualized CAS solution.
Customer-owned CAS
The customer may choose to provide their own CAS. The primary requirement is a functional SSH server such as OpenSSH.
Microsoft Windows, Linux, HP-UX, OpenVMS, and Tru64 UNIX operating systems may be used. HP recommends that the
customer configure SSH to accept only protocol version 2 and strong encryption (that is, AES (Advanced Encryption
Standard), Triple-DES (Data Encryption Standard), or AES-256). Firewalls should also be configured to allow SSH access
only from HP’s access servers.