Manualshelf

A.05.80 HP Insight Remote Support Advanced and Remote Device Access Security Overview (October 2012)

ManualsBrandsHP ManualsSoftwareHP Insight Remote Support Advanced Software
11121314151617181920
Security Overview
Chapter 2: HP Insight Remote Support Advanced
HTTPS is HTTP with SSL or TLS encryption for security. All communications between the Central
Management Server and the HP Remote Support Data Center are carried out over HTTPS. HTTPS is
also used for the marshalling and transfer of collected device data between the CMS and the managed
systems. HTTPS typically uses TCP port 443, but other services, like STE and WEBES, may specify
a different port number for HTTPS communications.
l IPsec
IP Security, or IPsec, is a suite of protocols for securing IP communications. IPsec operates in two
modes. In transport mode it can be configured to provide end-to-end security of all communications
between two systems. In tunnel mode, IPsec can be used to provide VPN connectivity over insecure
networks. A typical IPsec deployment uses two protocols: either Encapsulating Security Payload
(ESP) or Authentication Header (AH), which are IP protocols, and ISAKMP. Note that AH is seldom
used as it does not provide encryption.
l ISAKMP
The Internet Security Association and Key Management Protocol (ISAKMP) is an application layer
protocol that defines the procedures for authenticating a communicating peer, creation and
management of Security Associations, key generation techniques, and threat mitigation.
l Secure Task Execution and Single Login
Secure Task Execution (STE) is a mechanism for securely executing a command against a managed
system using the Web agents. It provides authentication, authorization, privacy, and integrity in a
single request. Single Login provides the same features but is performed when browsing a system.
Secure Task Execution and Single Login are implemented in very similar ways.
SSL is used for all communication during the STE and Single Login exchange. A single-use value is
requested from the system prior to issuing the STE or Single Login request to help prevent against
replay or delay intercept attacks. After request validation, HP Systems Insight Manager issues the
digitally signed Secure Task Execution or Single Login request. The managed system uses the digital
signature to authenticate the Central Management Server. Note that the managed system must have a
copy of the CMS SSL certificate imported into the Web agent and be configured to ā€œtrust by certificateā€
to validate the digital signature. STE uses TCP port 2381.
l SSH
The Secure Shell (SSH) protocol is an application-layer protocol which permits secure remote access
over a network from one computer to another. SSH negotiates and establishes an encrypted, and
authenticated connection between an SSH client and an SSH managed server. SSH provides data
integrity checks, prevents eavesdropping, and modification of sensitive data transferred between the
CMS and managed systems. SSH typically uses TCP port 22, but alternative port numbers may be
assigned to the SSH server.
Although the SSH protocol is typically used to log into a remote machine and execute commands, it
also supports tunneling, forwarding arbitrary TCP ports and X11 connections. It can transfer files using
the associated SFTP or SCP protocols.
The SSH protocol exists in two versions. Several security vulnerabilities have been identified in the
original SSH protocol version 1, therefore it should be considered insecure and should not be used in a
secure environment. Its successor, SSH protocol version 2, strengthened security by changing the
protocol and adding Diffie-Hellman key exchange and strong integrity checking via message
authentication codes. HP RDA uses SSH protocol version 2 for most connections.
HP Insight Remote Support Advanced and Remote Device Access (A.05.80)Page 17 of 97