7.0.8 Insight Remote Support Security White Paper
The SSH protocol exists in two versions. Several security vulnerabilities have been identified in the original SSH protocol version 1; it should therefore be considered insecure and should not be used in a secure environment. Its successor, SSH protocol version 2, strengthened security by changing the protocol and adding Diffie-Hellman key exchange and strong integrity checking via message authentication codes. HP RDC and HP RDA use SSH protocol version 2 for most connections.
SSL and TLS
The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are application-layer protocols that provide data encryption and authentication. TLS 1.0 is an updated version of SSL v3. SSL and TLS use X.509 certificates, also known as “digital” certificates, for authentication. Although most users are accustomed to working only with server certificates, SSL and TLS can be configured to require client-side certificates as well, which provides password-less two-way authentication. The Hosting Device and monitored devices authenticate one another using X.509 certificates. All communications between client browsers and the Hosting Device are also protected by SSL. The Remote Support Configuration Collector System supports both SSL v3 and TLS 1.X. These two protocols are most ubiquitous in HTTPS on TCP port 443; other protocols and applications also utilize SSL and TLS for security.
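As an added illustration (this is not code from the white paper or from HP), the following Python `ssl` client configuration contrasts a permissive setting, which encrypts the channel but never authenticates the server's X.509 certificate, with a hardened one that requires TLS 1.2 or later, verifies the server certificate against a trusted CA and the hostname, and optionally presents a client certificate for the password-less two-way authentication described above. The probe helper, the port numbers it is pointed at and any certificate paths passed in are assumptions for the example.

```python
import socket
import ssl

# Protocol versions the hardened policy accepts. SSL v3 and TLS 1.0/1.1 are
# rejected even though some collectors (as noted above) still offer SSL v3.
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def permissive_client_context() -> ssl.SSLContext:
    """Weak setting: the channel is encrypted, but any certificate the peer
    presents is accepted, so the server is not actually authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None, client_cert=None, client_key=None):
    """Corrected setting: TLS 1.2 minimum, server certificate chained to a
    trusted CA (cafile, or the platform store when None) and matched against
    the hostname. If client_cert/client_key (hypothetical PEM paths) are given,
    the context also presents a client certificate for mutual authentication."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the policy a context enforces, for review or logging."""
    return {"min_version": ctx.minimum_version.name,
            "verify": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname}


def version_is_acceptable(version: str) -> bool:
    """True when a negotiated protocol name (as SSLSocket.version() reports
    it) meets the policy; use this on probe results."""
    return version in ACCEPTABLE_VERSIONS


def probe_tls_endpoint(host: str, port: int, ctx: ssl.SSLContext, timeout=5.0):
    """Handshake with host:port (443 for HTTPS, 5989 for WBEM over HTTPS) and
    return the negotiated version, cipher and peer certificate subject, so an
    operator can confirm what a device really offers rather than assume it."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert() or {}
            subject = dict(rdn[0] for rdn in cert.get("subject", ()))
            return tls.version(), tls.cipher()[0], subject
```

Running `probe_tls_endpoint` with the hardened context fails the handshake, rather than silently downgrading, when an endpoint offers only SSL v3 or an untrusted certificate.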
Telnet
Telecommunications Network (Telnet) is an application-layer protocol that was developed to provide remote terminal sessions. Some older storage devices, routers, switches, and other devices support only telnet for network access. Although it is insecure, Insight Remote Support uses this protocol to provide support for these legacy devices. Telnet does not provide encrypted transport of data and is considered an insecure communication service. Today, most operating systems use SSH in place of telnet as the standard terminal communication protocol. Telnet is described in RFC 854. Telnet has been assigned TCP port 23; however, it may be configured to run on other ports.
WBEM
Web Based Enterprise Management (WBEM) is an initiative based on a set of management and Internet
standard technologies developed by the Distributed Management Task Force (DMTF) to unify the management
of enterprise computing environments. WBEM is really a collection of Internet standards and DMTF open
standards: Common Information Model (CIM) infrastructure and schema, CIM-XML, CIM operations over HTTP,
and Web Services for Management (WS-Management). The Common Information Model (CIM) provides a
common definition of management information for systems, networks, applications and services, and allows
for vendor extensions. WS-Management is a specification of a SOAP-based protocol for the management of
servers, devices, and applications. WBEM can be encapsulated inside either HTTP or HTTPS. HP Insight Remote
Support does not support unencrypted WBEM communications. All Insight Remote Support WBEM traffic is
encrypted using HTTPS on TCP port 5989.
Windows Management Instrumentation (WMI) is the Microsoft proprietary implementation of WBEM. WMI runs as a DCOM (Distributed Component Object Model) service, which in turn uses RPC (Remote Procedure Call) and other associated DCOM services. The WMI Mapper is an application that provides a two-way translation interface between DCOM and WBEM. The WMI Mapper is required for any Windows monitored system that supports WBEM Indications to be monitored by Insight Remote Support.
WS-MAN
WS-MAN, or Web Services Management, is a DMTF open standard defining a SOAP-based protocol for the management of servers, devices, and applications. HP Insight Remote Support uses WS-MAN to communicate with the Superdome 2 Onboard Administrator.
WMI
Windows Management Instrumentation (WMI) is Microsoft Corporation's implementation of the Web Based Enterprise Management (WBEM) and Common Information Model (CIM) schema. WMI is a Windows API that can be leveraged to provide remote management and
Active Health System
HP Active Health System tracks configuration changes on ProLiant Gen8 servers with attached Smart Memory and Smart
Drive devices, enabling you to eliminate time spent running diagnostics, reproducing problems, and describing errors to
HP support engineers. Changes to the device configuration are reported to Insight RS using a secure (HTTPS) connection
between the ProLiant Gen8 iLO (Integrated Lights Out) and the Hosting Device. HP Insight RS will package and forward
the configuration changes to HP over a secure HTTPS connection. Active Health System information is not customer
viewable.