HPE Remote Device Access. Security Whitepaper


HPE Remote Device Access Security Whitepaper
Document Release Date: March 2018
Software Release Date: March 2018

Legal Notices

Warranty
The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HPE shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend
Confidential computer software. Valid license from HPE required for possession, use or copying. Consistent with FAR and , Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice
Copyright Hewlett Packard Enterprise Development LP

Trademark Notices
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

HPE Remote Device Access: Security Whitepaper Page 2 of 24

Contents

Executive summary ... 4
HPE RDA overview ... 5
RDA-CAS connectivity types ... 8
  Customer-Initiated TLS mode ... 9
  HPE-Initiated TLS mode ... 9
  HPE-Initiated IPsec mode ... 9
  HPE-Initiated SSH direct mode ... 10
  HPE-Initiated SSH over IPsec mode ... 10
  Tunnel persistence ... 10
  Connections summary ... 11
  Connections summary (continued) ... 12
HPE RDA Security ... 13
  CAS-Agent ... 13
  RDA-CAS ... 13
  SSHv2 server ... 14
  RDA-CAS installation ... 14
  RDA-CAS registration ... 14
  Customer-Initiated TLS ... 15
  HPE-Initiated TLS ... 16
  HPE-Initiated IPsec ... 17
  HPE-Initiated SSH ... 18
  HPE-Initiated SSH over IPsec ... 19
  RDA Midways ... 19
  RDA Support App ... 20
  Authentication ... 20
  Certificates ... 20
  Encryption ... 22
  Logging ... 22
  Access control ... 22
Glossary ... 24

Executive summary

About HPE Remote Device Access (HPE RDA)

HPE RDA provides a new device connection method and secure transport mechanism. Designed with the customer in mind, privacy and security are of the highest priority. HPE RDA gives you more control over your devices, enables secure transfer of data, and allows efficient package deployment.

HPE RDA is a layered communications architecture, a full-featured implementation of that architecture, and the infrastructure and support structure that goes with it. HPE RDA gives more control to your administrators by providing an easy to manage user interface while moving connectivity into the HPE RDA cloud. Persistent connections originate from designated devices in your network up to the HPE RDA cloud, using well known ports and protocols. Connections can be scheduled or on demand and are fully controlled by the CAS Administrator. High-security environments with specialized, compartmented connectivity needs can be accommodated with the HPE RDA flexible options and routing mechanisms.

HPE RDA comes in three versions: 1) Embedded CAS-Agent, 2) Standalone RDA-CAS and 3) SSH Direct.

The Embedded CAS-Agent (Customer Access Service) provides remote access for HPE Support, data transfer of device telemetry to HPE and diagnostic or update package deployment from HPE to the device.

The Standalone RDA-CAS provides secure remote access for authorized HPE support personnel into your environment.

SSH Direct also provides remote access for authorized HPE Support technicians, but does not require any HPE software to be downloaded or installed in your environment.

HPE RDA delivers all of these capabilities through a single tunnel to HPE, carried as TLS over HTTPS or over SSH. This means firewall and IPS/IDS configurations are simplified: all external access connections to HPE can be monitored and managed through a single open port in your external firewall. HPE RDA provides a reliable, available, and scalable infrastructure.

Read on for more information on the technical features and capabilities.

HPE RDA overview

HPE RDA capabilities

HPE RDA is a two-way communication solution for HPE Remote Support that provides:

Remote access from HPE support engineers to customer devices
- Available with the CAS-Agent, RDA-CAS and SSH Direct options
- The CAS-Agent provides remote access via a customer-device-initiated HTTPS connection
- The RDA-CAS provides remote access either through a customer-initiated HTTPS connection or via an HPE-initiated HTTPS connection
- SSH Direct provides remote access through an HPE-initiated SSH connection to a customer-provided SSHv2 server

Secure data transport from customer devices to HPE (available with some embedded clients)

Remote copy and execution, which enables delivery and execution of files from HPE to customer devices (available with some embedded clients)

Remote access

HPE RDA provides secure connectivity between HPE and customer devices using forward and reverse proxy technology. The HPE RDA Support App is a software application that resides on the HPE or Partner Service Agent's desktop. It provides a secure, authenticated connection that enables quick access to devices and secure transport of data to and from HPE services, customer devices and HPE support agents from a single application.

Secure data transport

HPE RDA provides secure transfer of data from HPE to customer devices, as well as from customer devices to HPE. To ensure secure transfer of data, HPE RDA incorporates:
- Authenticated endpoint identification. Every endpoint has a verified identity, which gives HPE support engineers an easy way to find customers and devices and connect to them securely.
- A layered security protocol with a meet-in-the-middle architecture. This provides two-point authority: user access is controlled at the Midway server (by HPE) and again at the CAS (by the CAS administrator), so a session must pass both checks.

Remote copy and execute

HPE RDA provides remote copy and execution on customer devices, which enables services such as firmware updates on your devices for fast security updates.

Figure 1. CAS-Agent infographic

Key components:
- RDA-CAS: HPE RDA service running as a daemon on supported Linux OSs or in a Linux VM
- Midway Servers: Regional relay servers, internet facing
- Dropbox: Data lake to store incoming customer data
- HPE RDA Service Nodes: Servers providing HPE RDA services and disk space in the HPE IT Data Center
- HPE RDA Support App: Secure client for HPE support technicians that enables access to customer devices

Figure 2. RDA-CAS infographic

Key components:
- RDA-CAS: HPE RDA service running as a daemon on supported Linux OSs or in a Linux VM
- Midway Servers: Regional relay servers, internet facing
- HPE RDA Support App: Secure client for HPE support technicians that enables access to customer devices
- Target Devices: Systems that an HPE RDA customer authorizes for remote access

Figure 3. SSH Direct infographic

Key components:
- Customer Device with SSH Server: Customer-provided SSHv2 server running on a local device
- Midway Servers: Regional relay servers, internet facing
- HPE RDA Support App: Secure client for HPE support technicians that enables access to customer devices

Figure 4. SSH over IPsec infographic

Key components:
- Customer Device with SSH Server: Customer-provided SSHv2 server running on a local device
- IPsec router: Customer IPsec device, internet facing, used to terminate the IPsec tunnel at the customer site
- Midway Servers: Regional relay servers, internet facing, used to terminate the IPsec tunnel at HPE
- HPE RDA Support App: Secure client for HPE support technicians that enables access to customer devices

RDA-CAS connectivity types

The HPE RDA remote access connection type indicates how a tunnel-layer connection is formed between a customer device (the RDA-CAS) and an HPE RDA Midway server. The customer can choose the connectivity type most appropriate for their situation. The RDA-CAS has five connectivity types available to configure. All connectivity types encrypt data with Transport Layer Security (TLS) or Secure Shell (SSH). As part of installing the RDA-CAS, you will need to choose which connection type is best for your network environment:

Customer-Initiated TLS
- The customer's RDA-CAS initiates a TLS connection to an HPE Midway server
- Suitable for most customers
- Uses a standard port and protocol (HTTPS, TCP/443) that is likely already open in your network
- Many popular proxy servers are supported, with or without authentication
- Very easy to set up

HPE-Initiated TLS
- HPE initiates a TLS tunnel from an HPE Midway server to an installed RDA-CAS
- Suitable for customers that restrict outbound communications and/or filter their inbound connections
- Setup is easy, fully customer driven and has a built-in connection test
- Setup may involve configuration of your firewall or network routes before you are able to complete the connection setup with HPE

HPE-Initiated TLS over IPsec
- HPE initiates an IPsec tunnel from the HPE Midway server to an IPsec device on the customer perimeter network
- HPE then initiates a TLS tunnel from the HPE Midway server, through the IPsec tunnel, to an installed RDA-CAS in the customer network
- Suitable for customers that restrict outbound communications and/or filter their inbound connections
- Setup is easy, fully customer driven and has a built-in connection test
- Setup may involve configuration of your firewall or network routes before you are able to complete the connection setup with HPE

HPE-Initiated SSH Direct
- Requires no HPE-provided software
- Uses a customer-provided SSHv2 server
- HPE initiates an SSH connection (TCP/22) from a Midway server to a customer-provided internet-routable IP address (Network Address Translation (NAT) is supported)

HPE-Initiated SSH over IPsec
- Identical to SSH Direct, but the SSH connection is encapsulated inside a non-routable IPsec tunnel

Customer-Initiated TLS mode

Customer-Initiated TLS (Transport Layer Security) is the simplest and most popular connectivity mode. Suitable for most customers, it uses a standard HTTPS connection (TCP/443) that is typically already open or accessible via a web proxy. HPE RDA enabled customer devices connect to HPE on this port using TLSv1.2 over HTTPS with a persistent, semi-persistent, or on-demand tunnel.

HPE-Initiated TLS mode

HPE-Initiated TLS mode (Transport Layer Security) is used when customers prefer that HPE connects to them, instead of the customer connecting to HPE. A TLSv1.2 connection is initiated from an HPE Midway server to port TCP/2371 on the RDA-CAS. HPE-Initiated TLS supports Network Address Translation (NAT) at the customer firewall. The HPE-Initiated TLS mode is suitable for those that restrict outbound communications and filter their inbound communications. Setup is relatively easy, but involves the use of an online enrollment portal at HPE and includes a closed-loop security check. It may also require that the customer configure their external (and internal) firewalls and network routing tables to allow HPE's connection into their environment. As with the SSH modes, the inbound rule can be limited to the HPE Midway server addresses (the RDA-CAS is preconfigured with them) rather than opening TCP/2371 to the internet at large.

HPE-Initiated IPsec mode

The HPE-Initiated IPsec mode is designed for high-security customers (government, military, finance and many healthcare organizations) that will only permit access into their network via a preconfigured IPsec connection. It is essentially the HPE-Initiated TLS mode wrapped in an HPE-controlled and HPE-initiated IPsec connection. IPsec uses IP protocol 50 (ESP) and UDP/500 (ISAKMP/IKE) between your IPsec device and the HPE Midway servers. This is a non-routing transport bridge; Generic Routing Encapsulation (GRE) is not used. Only TCP/2371 is permitted to transit within this IPsec transport. It must be initiated by an HPE Midway server, and may only originate from a per-customer unique, private, non-routed micro subnet allocated on the Midway server.

HPE-Initiated SSH direct mode

The SSH tunnel is provided as a simple, secure, easy-to-implement connectivity option for remote access. With this solution only an SSHv2 server (TCP/22) is required inbound, from the HPE Midway server IP addresses. This solution requires no HPE-provided software; any standard SSHv2 server can be used as the CAS for this type of connection. Customer administrators will need to ensure their firewall and routing are properly configured to accommodate inbound SSH from the HPE Midway servers, then enroll with the HPE Midway server to receive an enrollment token (as a closed-loop check). The token is valid for 24 hours and must be placed on the SSH server being used as the CAS.

HPE-Initiated SSH over IPsec mode

HPE-Initiated SSH over IPsec is essentially an HPE-Initiated SSH Direct tunnel wrapped in an HPE-controlled and HPE-initiated IPsec connection. SSH setup is identical; however, this option requires additional online enrollment to configure the IPsec gateway parameters supplied by HPE. This setup can be performed at the HPE online enrollment portal.

Tunnel persistence

In addition to the connection type, you may choose the persistence of your device's tunnel: on-demand, scheduled, or persistent.

On-demand tunnels are brought up when needed. Typically, you will access and use the HPE RDA-CAS UI to bring up the tunnel. It will stay open as long as support activity is occurring within the tunnel, but you can also set a hard expiration time limit (such as 12 hours from now).

Scheduled tunnels are brought up on a regular time schedule. This option is only available for HPE-initiated connection types; HPE will automatically check connectivity a few times every month to ensure that device certificates are maintained (renewed).

Persistent tunnels stay connected all the time. This provides the best support availability, and very little network overhead when the tunnel is idle, as only a few small and infrequent keep-alive messages are exchanged. The security impact is negligible as all the other controls described in this document are still in effect: a persistent tunnel only keeps the transport up, and every session through it is still subject to the Midway and CAS access checks. The persistent tunnel option is only available with the Customer-Initiated TLS connection type.

Connections summary

Customer-Initiated TLS
- Description: The customer's RDA-CAS initiates a TLS tunnel to an HPE Global Midway. The customer controls when and for how long the tunnel to the Midway is connected. HPE Support initiates a TLS connection to the Global HPE Midways and can then initiate an interactive support session with the desired customer target device. The customer controls who in HPE can access any given target device in their network.
- Requirements: Runs on CentOS or Debian Linux distributions; may be installed natively or in a VM (see the installation guide for details)
- Activity log: syslog
- Tunnel persistence: On demand, Persistent
- Comments: Recommended if your network allows outbound connections. Requires port 443 open outbound. Easiest to configure.

HPE-Initiated TLS
- Description: HPE initiates a TLS tunnel from an HPE Global Midway to an installed RDA-CAS. The customer controls when and for how long the tunnel to the Midway is connected. HPE Support initiates a TLS connection to the Global HPE Midways and can then initiate an interactive support session with the desired customer target device. The customer controls who in HPE can access any given target device in their network.
- Requirements: Runs on CentOS or Debian Linux distributions; may be installed natively or in a VM (see the installation guide for details)
- Activity log: syslog
- Tunnel persistence: On demand, Scheduled
- Comments: Recommended if your network policy does not allow outbound connections. Requires network port 2371 open inbound and customer registration of the CAS endpoint with HPE via the RDA enrollment tool.

HPE-Initiated TLS over IPsec
- Description: HPE initiates an IPsec tunnel from the HPE Global Midway to a customer-provided IPsec router. The customer controls when and for how long the tunnel to the Midway is connected. HPE Support initiates a TLS connection to the Global HPE Midways and can then initiate an interactive support session with the desired customer target device.
- Requirements: The IPsec tunnel terminates on a customer-managed router; only TCP/2371 traffic is allowed in the IPsec tunnel; the IPsec IP address is assigned by HPE
- Activity log: syslog
- Tunnel persistence: On demand, Scheduled
- Comments: Limited IPsec configurations are allowed. Essentially an HPE-Initiated TLS tunnel wrapped in an HPE-Initiated IPsec tunnel.

HPE-Initiated SSH
- Description: HPE initiates an SSH direct connection from the HPE Global Midway to a customer-provided SSHv2 server. Requires an internet-routable IP for the SSHv2 server. HPE Support initiates a TLS connection to the Global HPE Midways and can then initiate an interactive support session with the desired customer target device. The customer controls who in HPE can access any given target device in their network.
- Requirements: SSHv2 server; internet-routable IP address (NAT supported)
- Activity log: Configurable (sshd)
- Tunnel persistence: On demand, Scheduled
- Comments: Inbound connections come from a known source IP. Customer-provided SSHv2 server required.

HPE-Initiated SSH over IPsec
- Description: HPE initiates an IPsec tunnel from the HPE Global Midway to a customer-provided IPsec router, then initiates an SSH direct connection from the HPE Global Midway to a customer-provided SSHv2 server through the IPsec tunnel. Requires an internet-routable IP for the SSHv2 server. HPE Support initiates a TLS connection to the Global HPE Midways and can then initiate an interactive support session with the desired customer target device. The customer controls who in HPE can access any given target device in their network.
- Requirements: IPsec-capable router; SSHv2 server; internet-routable IP address (NAT supported)
- Activity log: Configurable (IPsec and sshd)
- Tunnel persistence: On demand, Scheduled
- Comments: Limited IPsec configurations are allowed. Customer-provided SSHv2 server required. Essentially HPE-Initiated SSH wrapped in an HPE-Initiated IPsec tunnel. More involved setup than a Customer-Initiated TLS tunnel.

HPE RDA Security

CAS-Agent

The CAS-Agent is available as an embedded agent in certain HPE hardware devices. There is also a standalone RDA-CAS (see next section). Regardless of the CAS type, the CAS administrator is in full control of the CAS functions and capabilities.

The CAS-Agent enables a device to be connected to HPE. This CAS can be enabled or disabled by the device administrator. It is able to work with most proxies and firewalls, and it uses a single outbound HTTPS (TCP/443) connection from the CAS device (RDA-CAS or CAS-Agent) to the HPE Midway server. The CAS-Agent enables the following three primary functions:

- Secure data transport from device to HPE. Provides a mechanism for device information to be automatically sent to HPE. Hardware event details and logs can automatically be sent to HPE for immediate action via a secure connection.
- Remote connectivity for HPE support engineers to the CAS-Agent device. Authenticated HPE Support engineer access to the CAS device for support purposes. All HPE RDA sessions are authenticated at HPE (only authorized support personnel are allowed to access the RDA Midways) and again at the CAS device, where the device administrator has the ability to allow or deny HPE user connections.
- Remote copy and execution. Enables HPE to provide important updates (firmware updates, security patches, etc.) to your devices. Device updates are posted to a central repository by authorized HPE personnel, and the CAS periodically checks the repository for updates. If updates are available, the CAS can download and install them automatically, keeping your device updated with the latest firmware and patches.

RDA-CAS

The HPE-supplied RDA-CAS is a self-contained Linux-based application package capable of running on an HPE ProLiant server or in a virtual machine. The RDA-CAS comes in both Debian 8.x 64-bit and CentOS 6.x 64-bit distributions. Customers are also able to configure any standard SSHv2 server to function as an SSH CAS for HPE-Initiated SSH connections.

Unlike the CAS-Agent, the RDA-CAS has a single function, which is to allow authorized HPE Support agents access to HPE-supported devices on your company network. The RDA-CAS accomplishes remote connectivity in one of two ways: Customer-Initiated TLS or HPE-Initiated TLS (each of which can also be wrapped in an HPE-Initiated IPsec tunnel). With either method, the CAS administrator has full control of all remote access sessions.

The RDA-CAS user interface lets a CAS administrator control who (an HPE Support agent) can access what (a device in your enterprise). The RDA-CAS uses a whitelist access control model: only connections that are specifically allowed by the CAS administrator can connect to (and through) the RDA-CAS; all others are denied. This gives the CAS administrator complete control over who at HPE can access which devices in your enterprise. Furthermore, the CAS administrator can terminate any or all access sessions with a click of the mouse, or can configure a time threshold for access sessions; when the timeout threshold is exceeded, the session is automatically terminated.

SSH CAS configurations are fully controlled by the customer administrator. SSH connections are authenticated using standard SSH authentication (typically keyboard-interactive username/password) on the SSHv2 server.

SSHv2 server

SSH direct and SSH over IPsec allow remote access connections without the need to download and install any HPE-supplied software. SSH direct connections require a customer-provided SSHv2 server to act as the connect point for HPE Support engineers. SSH direct configurations are fully controlled by the customer administrator. SSH direct connections can be authenticated using any standard authentication option (typically keyboard-interactive username/password) supported by your SSHv2 server.

RDA-CAS installation

Installation of the HPE-supplied RDA-CAS requires root access on the host or VM, a minimum of 10 MB of free disk space and an internet-routable IPv4 or IPv6 network connection (direct or via a proxy). The software can be downloaded from the global URL (choose the CentOS or Debian CAS-Agent software kit). Once downloaded and transferred to the RDA-CAS host, it can be installed and configured using the instructions provided in the RDA Install Guide.

The RDA-CAS is pre-configured with the names and IP addresses of all RDA Midway servers (located geographically). The RDA-CAS software includes a CAS certificate signed by the HPE RDA Certificate Authority. See the Certificates section for more information regarding RDA certificates.

The primary purpose of the RDA-CAS is to serve as an HPE remote access server that allows HPE-authorized support agents to securely access supported devices in your corporate network. There are five connection methods for the RDA-CAS: Customer-Initiated TLS, HPE-Initiated TLS, HPE-Initiated TLS over IPsec, HPE-Initiated SSH and HPE-Initiated SSH over IPsec. These connection types are described in more detail in the following sections.

RDA-CAS registration

Once the RDA-CAS installation is complete, it must register with the Midway servers. The preconfigured global DNS entry for the RDA Midway servers (midway.ext.hpe.com) resolves to one of several Midway servers located in three geographical regions (United States, United Kingdom and Singapore). To register, the RDA-CAS establishes communication with a Midway server and presents its RDA certificate to the Midway server. The Midway server registers the RDA-CAS and issues an HPE RDA CA signed certificate for the RDA-CAS to use for HPE Remote Access sessions. The certificate shipped in the kit only bootstraps registration; the certificate issued at registration is what identifies this particular RDA-CAS in later sessions.

Customer-Initiated TLS

For the Customer-Initiated TLS tunnel, the RDA-CAS admin is actively involved with all HPE Support agent remote access sessions. With Customer-Initiated TLS, the CAS admin must configure access for the HPE Support agent (based on the agent's HPE e-mail address) in the CAS user interface (UI) and open a persistent (or on-demand) HTTPS (TCP/443) connection tunnel to the RDA Midway server.

When a TLS tunnel is established with the Midway server, an HPE Support agent connected to the HPE RDA Midway server using the HPE RDA Support App can select your RDA-CAS from the list of available devices and click Start Session to connect. The Midway bridges the RDA-CAS connection with the HPE Support agent connection and allows the connection through to the RDA-CAS, where the HPE Support agent's credentials (HPE DigitalBadge) and requested service are validated against the access control whitelist on the RDA-CAS. If the support agent is authorized to access the RDA-CAS and the credentials (HPE DigitalBadge) are valid, the connection is established and all customer-authorized protocols are tunneled through the HTTPS connection. If the HPE Support agent's HPE e-mail address is not in the RDA-CAS whitelist, the verification check fails and the connection is refused.

Figure 5. Customer-Initiated TLS infographic
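The two-point check described in the RDA-CAS and Customer-Initiated TLS sections (the Midway admits only DigitalBadge-authenticated HPE users, and only to a CAS they are allowed to reach; the RDA-CAS then applies its own deny-by-default whitelist of user, target device and service, and enforces the session time threshold) is modelled below. This is an added example, not HPE's code or the RDA-CAS's actual policy format. The users, device names, services and the 12-hour limit are constructed for the example, and the Badge class stands in for the X.509 DigitalBadge rather than validating a real certificate.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Badge:
    """Stand-in for an HPE DigitalBadge: subject, certificate expiry and whether the
    second factor (PIN) was presented. A real badge is an X.509v3 certificate."""
    subject: str            # the engineer's HPE address, which is also the whitelist key
    not_after: datetime
    pin_ok: bool


class Midway:
    """HPE-side decision point: authenticates the engineer and decides which CAS
    devices that engineer may reach. It never sees the customer's whitelist."""

    def __init__(self, cas_acl: Dict[str, Set[str]]):
        self.cas_acl = cas_acl      # cas_id -> HPE subjects allowed to reach that CAS

    def admit(self, badge: Badge, cas_id: str, now: datetime) -> Tuple[bool, str]:
        if not badge.pin_ok:
            return False, "midway: second factor (PIN) not satisfied"
        if now >= badge.not_after:
            return False, "midway: DigitalBadge certificate expired"
        if badge.subject not in self.cas_acl.get(cas_id, set()):
            return False, "midway: engineer not permitted to reach this CAS"
        return True, "midway: ok"


@dataclass
class CasPolicy:
    """Customer-side decision point: the CAS administrator's whitelist and session
    time threshold. Anything not explicitly listed is denied."""
    whitelist: Dict[str, Set[Tuple[str, str]]]   # subject -> {(target device, service)}
    session_limit: timedelta
    audit: List[str] = field(default_factory=list)

    def authorize(self, subject: str, target: str, service: str,
                  now: datetime) -> Optional[datetime]:
        """Return the session's hard expiry, or None when the request is denied."""
        allowed = (target, service) in self.whitelist.get(subject, set())
        verdict = "ALLOW" if allowed else "DENY"
        self.audit.append(f"{now.isoformat()} {verdict} {subject} -> {target}/{service}")
        return now + self.session_limit if allowed else None


def open_session(midway: Midway, cas: CasPolicy, badge: Badge, cas_id: str,
                 target: str, service: str, now: datetime) -> Tuple[Optional[datetime], str]:
    """Both checks must pass; the CAS check runs only if the Midway admitted the user."""
    ok, why = midway.admit(badge, cas_id, now)
    if not ok:
        return None, why
    expiry = cas.authorize(badge.subject, target, service, now)
    if expiry is None:
        return None, "cas: request not in whitelist"
    return expiry, "session established"


def session_active(expiry: datetime, now: datetime) -> bool:
    """The CAS terminates the session once the configured threshold is exceeded."""
    return now < expiry


# Constructed sample policies; names, devices and services are placeholders.
NOW = datetime(2018, 3, 1, 9, 0, tzinfo=timezone.utc)
MIDWAY = Midway(cas_acl={"cas-acme-01": {"alice@example.com", "bob@example.com"}})
CAS = CasPolicy(
    whitelist={"alice@example.com": {("db-server-07", "ssh"), ("db-server-07", "https")}},
    session_limit=timedelta(hours=12),     # the hard expiration the CAS admin configured
)
ALICE = Badge("alice@example.com", NOW + timedelta(days=365), pin_ok=True)
BOB = Badge("bob@example.com", NOW + timedelta(days=365), pin_ok=True)
MALLORY = Badge("mallory@example.com", NOW + timedelta(days=365), pin_ok=True)


def demo() -> Dict[str, str]:
    """Exercise the three outcomes: allowed, denied at the CAS, denied at the Midway."""
    results: Dict[str, str] = {}
    expiry, msg = open_session(MIDWAY, CAS, ALICE, "cas-acme-01", "db-server-07", "ssh", NOW)
    results["alice ssh db-server-07"] = msg
    results["alice active after 11h"] = str(session_active(expiry, NOW + timedelta(hours=11)))
    results["alice active after 13h"] = str(session_active(expiry, NOW + timedelta(hours=13)))
    _, msg = open_session(MIDWAY, CAS, BOB, "cas-acme-01", "db-server-07", "ssh", NOW)
    results["bob ssh db-server-07"] = msg          # Midway admits bob; the CAS has no entry
    _, msg = open_session(MIDWAY, CAS, MALLORY, "cas-acme-01", "db-server-07", "ssh", NOW)
    results["mallory ssh db-server-07"] = msg      # stopped at the Midway, never reaches the CAS
    return results


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request}: {outcome}")
    print("\n".join(CAS.audit))
```

The point of the split is that neither side's policy is sufficient on its own: the Midway ACL keeps unauthenticated or unrelated HPE staff away from the CAS entirely (so the CAS log never even sees them), while the customer's whitelist and time threshold remain the final say over what an admitted engineer can reach and for how long.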

HPE-Initiated TLS

The HPE-Initiated TLS tunnel is similar to Customer-Initiated TLS in that the HPE Support agent must be configured for access to the RDA-CAS (added to the access control whitelist by an RDA-CAS administrator via the RDA-CAS user interface) before they can connect. However, for HPE-Initiated TLS, the RDA-CAS administrator enables inbound TCP/2371 connections from the HPE RDA Midway servers. Authorized HPE Support agents included in the RDA-CAS access whitelist can connect and authenticate with the RDA-CAS without specific interaction required by an RDA-CAS administrator.

When an HPE Support agent attempts to connect to the RDA-CAS, the RDA-CAS is signaled (via TCP/2371) to open an HTTPS connection to the Midway server. The HTTPS session is connected at the Midway server to the HPE Support user session to allow access to the RDA-CAS. Access control and user validation for HPE Support agents are identical to Customer-Initiated TLS. Because no administrator action is needed per session in this mode, the whitelist and the session time threshold are the controls that bound access; keep both tight.

Figure 6. HPE-Initiated TLS infographic

HPE-Initiated IPsec

HPE-Initiated IPsec requires an IPsec tunnel between the HPE Midway servers and a customer IPsec router/device. IPsec is intended for customers that only allow access to their network via a preconfigured IPsec connection.

HPE-Initiated IPsec is a non-routing transport bridge. Only TCP/2371 traffic is permitted to transit within this IPsec transport. It must be initiated by an RDA Midway server and can only originate from a per-customer-unique private and non-routing micro-subnet allocated on the Midway. To ensure the protection of customer and HPE networks, HPE-Initiated IPsec offers a limited set of IPsec parameters:

- All aspects of the IPsec tunnel are controlled by HPE
- Transport mode is used
- IP forwarding is disabled
- GRE tunneling is not used
- /32 subnets, the smallest possible exposure
- Controlled address assignment
- iptables policies that allow the RDA protocol only

HPE-Initiated IPsec is essentially HPE-Initiated TLS wrapped in an HPE-controlled and HPE-initiated IPsec connection. Once the IPsec tunnel is established, an HPE-Initiated TLS connection is established between the Midway server and the RDA-CAS via the IPsec tunnel. Access control and user validation are identical to Customer-Initiated TLS.

Figure 7. HPE-Initiated IPsec infographic
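The two filtering layers described in the HPE-Initiated IPsec mode section and in the parameter list above (ESP and ISAKMP only on the perimeter, between the two tunnel endpoints; TCP/2371 only, from the per-customer /32, inside the transport) can be written down as a deny-by-default packet filter and checked against sample traffic. The Python model below is an added example written for this edition; it is not HPE software and not HPE's actual iptables policy. Every address in it (Midway, customer IPsec device, /32 micro-subnet, RDA-CAS) is a placeholder from documentation address space.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Protocol numbers and ports named in the whitepaper.
ESP = 50                 # IP protocol 50: the IPsec payload
UDP, TCP = 17, 6
IKE_PORT = 500           # UDP/500: ISAKMP/IKE
RDA_PORT = 2371          # TCP/2371: the HPE-Initiated TLS port carried inside the tunnel

# Placeholder addresses for the example (RFC 5737 / RFC 1918 space), not HPE's values.
MIDWAY_PUBLIC = ip_address("203.0.113.10")     # Midway's internet-facing address
CUSTOMER_IPSEC = ip_address("198.51.100.2")    # customer's internet-facing IPsec device
MIDWAY_MICRO = ip_network("10.255.255.1/32")   # per-customer /32 allocated on the Midway
CAS_INNER = ip_address("192.168.50.20")        # the RDA-CAS behind the IPsec device


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # None for ESP, which carries no port


def outer_policy(pkt: Packet) -> bool:
    """Perimeter filter on the internet-facing interface: only ESP and IKE, and only
    between the two tunnel endpoints. Anything else, including TCP/2371 in the
    clear, is dropped."""
    endpoints = {ip_address(pkt.src), ip_address(pkt.dst)}
    if endpoints != {MIDWAY_PUBLIC, CUSTOMER_IPSEC}:
        return False
    if pkt.proto == ESP:
        return True
    return pkt.proto == UDP and pkt.dport == IKE_PORT


def inner_policy(pkt: Packet) -> bool:
    """Filter for traffic that arrived inside the IPsec transport. Only the
    initiating direction is modelled here; a stateful filter would admit the
    replies as ESTABLISHED. Nothing is forwarded to any other inside host."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    return (src in MIDWAY_MICRO and dst == CAS_INNER
            and pkt.proto == TCP and pkt.dport == RDA_PORT)


def audit(outer: List[Packet], inner: List[Packet]) -> List[Tuple[str, Packet, str]]:
    """Run constructed packets through both layers and return (layer, packet, verdict)."""
    verdicts = [("outer", p, "ACCEPT" if outer_policy(p) else "DROP") for p in outer]
    verdicts += [("inner", p, "ACCEPT" if inner_policy(p) else "DROP") for p in inner]
    return verdicts


# Constructed sample traffic: what the mode needs, plus things it must refuse.
OUTER_SAMPLES = [
    Packet("203.0.113.10", "198.51.100.2", ESP),            # tunnel payload: accept
    Packet("203.0.113.10", "198.51.100.2", UDP, IKE_PORT),  # key exchange: accept
    Packet("203.0.113.10", "198.51.100.2", TCP, 2371),      # RDA port outside the tunnel: drop
    Packet("192.0.2.77", "198.51.100.2", ESP),              # ESP from an unknown peer: drop
]
INNER_SAMPLES = [
    Packet("10.255.255.1", "192.168.50.20", TCP, 2371),     # HPE-Initiated TLS to the CAS: accept
    Packet("10.255.255.1", "192.168.50.21", TCP, 2371),     # lateral move to another host: drop
    Packet("10.255.255.1", "192.168.50.20", TCP, 22),       # SSH to the CAS: drop
    Packet("10.255.255.2", "192.168.50.20", TCP, 2371),     # not the allocated /32: drop
]

if __name__ == "__main__":
    for layer, pkt, verdict in audit(OUTER_SAMPLES, INNER_SAMPLES):
        print(f"{layer:5} {verdict:6} {pkt.src} -> {pkt.dst} proto={pkt.proto} dport={pkt.dport}")
```

The check worth carrying over to a real firewall is the last three inner samples: a correctly scoped policy refuses the tunnel's own source talking to any host other than the CAS, any port other than 2371, and any source other than the single allocated /32, so an IPsec peer compromise on the HPE side still only reaches one port on one machine.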

HPE-Initiated SSH

HPE-Initiated SSH does not require any HPE-supplied software; it uses a customer-provided SSHv2 server. This SSHv2 server is configured and managed by a customer administrator according to your company IT policies. All standard SSHv2 server authentication types are supported.

HPE-Initiated SSH requires an internet-routable IP address for the SSHv2 server, which is provided during enrollment on the HPE Midway servers. During the enrollment process you must provide the IP address and the authentication type for your SSHv2 server session account. Authentication types are public key (recommended) or password for the session account.

- For public key authentication, you will be provided a public key for the Midway server. This key must be stored in the authorized_keys file, typically located in the session user's home directory (~/.ssh/authorized_keys).
- For password authentication, you will be prompted to enter the session user password during enrollment. This password is stored (encrypted) on the HPE Midway server and used to initiate a remote access session when needed. Public key authentication avoids placing a customer secret at HPE at all, which is why it is the recommended option.

The session user account should be dedicated to HPE RDA connections only and does not require remote shell capabilities. HPE user access authentication should be configured and managed separately from the session account.

Once the HPE-Initiated SSH connection is enrolled and HPE is able to connect to the SSHv2 server, authorized HPE support engineers (HPE users added to the access whitelist) will be able to initiate a remote connection to the SSHv2 server at your site. The SSHv2 server administrator will need to add a user account and provide the user account access information to the authorized HPE support engineer.

Figure 8. HPE-Initiated SSH infographic
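The guidance above (the session account is dedicated to RDA and needs no shell; the Midway's public key goes in that account's authorized_keys) can be enforced in the authorized_keys entry itself, using OpenSSH's per-key options. The script below is an added example, not HPE's or OpenSSH's code: it builds such an entry, parses the authorized_keys option syntax (quoted values that may contain commas) and audits an entry for the restrictions a reviewer would expect. The key material, the Midway source addresses and the single forwarding target (127.0.0.1:22, the SSH server itself) are assumptions; what the session account must be allowed to forward to depends on how the Midway uses it, so set permitopen to match your enrollment.

```python
from typing import Dict, List, Tuple

# Placeholders, not HPE values: the Midway key handed out at enrollment, the Midway
# source addresses, and the one host:port the session is assumed to need.
MIDWAY_PUBKEY = ("ssh-ed25519 "
                 "AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterialForTheExampleOnly0000 "
                 "rda-midway")
MIDWAY_SOURCES = ["203.0.113.10", "203.0.113.11"]
TUNNEL_TARGET = "127.0.0.1:22"

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
             "sk-ecdsa-sha2-nistp256@openssh.com"}


def build_entry(pubkey: str, sources: List[str], permitopen: str) -> str:
    """authorized_keys line for the session account. sshd applies options in order:
    'restrict' removes pty, agent/X11 forwarding, ~/.ssh/rc and port forwarding;
    'port-forwarding' re-enables only TCP forwarding, which 'permitopen' limits to
    one destination; 'from' limits which clients may even present the key."""
    options = ["restrict", "port-forwarding",
               'permitopen="%s"' % permitopen,
               'from="%s"' % ",".join(sources)]
    return ",".join(options) + " " + pubkey


def _first_token(line: str) -> Tuple[str, str]:
    """Split off the first whitespace-delimited token, honouring double quotes and
    backslash escapes inside them, as sshd does for the options field."""
    out, i, quoted = [], 0, False
    while i < len(line):
        c = line[i]
        if c == '"':
            quoted = not quoted
        elif c == "\\" and quoted and i + 1 < len(line):
            out.append(c)
            i += 1
            c = line[i]
        elif c in " \t" and not quoted:
            break
        out.append(c)
        i += 1
    return "".join(out), line[i:].lstrip()


def _split_options(raw: str) -> List[str]:
    """Comma-split the options field, ignoring commas inside quoted values."""
    items, buf, quoted = [], [], False
    for c in raw:
        if c == '"':
            quoted = not quoted
        if c == "," and not quoted:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(c)
    items.append("".join(buf))
    return [item for item in items if item]


def parse_entry(line: str) -> Tuple[Dict[str, List[str]], str, str]:
    """Return ({option: [values]}, key type, base64 key) for one authorized_keys line.
    Option names are case-insensitive; flag options map to an empty list."""
    first, rest = _first_token(line.strip())
    if first in KEY_TYPES:
        raw_opts, keytype = "", first
    else:
        raw_opts = first
        keytype, rest = _first_token(rest)
        if keytype not in KEY_TYPES:
            raise ValueError("unrecognised key type: %r" % keytype)
    key_b64, _comment = _first_token(rest)
    opts: Dict[str, List[str]] = {}
    for item in _split_options(raw_opts):
        name, _, value = item.partition("=")
        opts.setdefault(name.lower(), [])
        if value:
            opts[name.lower()].append(value.strip('"'))
    return opts, keytype, key_b64


def check_entry(opts: Dict[str, List[str]]) -> List[str]:
    """Findings for a session-account key. An empty list means the entry only lets
    the Midway open the one forwarded connection and nothing else."""
    findings = []
    shell_blocked = "restrict" in opts or {"no-pty", "no-agent-forwarding",
                                            "no-x11-forwarding", "no-user-rc"} <= set(opts)
    if not shell_blocked:
        findings.append("interactive use not disabled: add 'restrict'")
    if "from" not in opts:
        findings.append("no 'from=': any client holding the key may log in, not only the Midway")
    forwarding = "port-forwarding" in opts or (
        "restrict" not in opts and "no-port-forwarding" not in opts)
    if forwarding and "permitopen" not in opts:
        findings.append("TCP forwarding allowed to any destination: add 'permitopen='")
    if not forwarding:
        findings.append("TCP forwarding disabled: add 'port-forwarding' plus 'permitopen='")
    return findings


if __name__ == "__main__":
    entry = build_entry(MIDWAY_PUBKEY, MIDWAY_SOURCES, TUNNEL_TARGET)
    print(entry)
    print("findings for hardened entry:", check_entry(parse_entry(entry)[0]))
    print("findings for bare key:     ", check_entry(parse_entry(MIDWAY_PUBKEY)[0]))
```

Pairing the key options with a Match User block in sshd_config for the session account (PasswordAuthentication no, PermitTTY no, AllowTcpForwarding local) is a sensible belt-and-braces step, since the per-key options disappear the moment someone edits the authorized_keys line; that sshd_config suggestion is the editor's, not something the whitepaper prescribes.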

HPE-Initiated SSH over IPsec

HPE-Initiated SSH over IPsec uses a customer-provided and customer-managed SSHv2 server as the access point into your environment. The SSH connection is encapsulated inside a non-routable, HPE-managed IPsec tunnel between the Midway server and your IPsec device. Only TCP/22 (SSH) traffic is permitted between the HPE Midway and the internet-routable IP of the customer-provided SSHv2 server. Setup and enrollment of the SSHv2 server are identical to HPE-Initiated SSH. Configuration of IPsec requires customers to configure their IPsec device using the IPsec parameters supplied by HPE during enrollment.

Figure 9. HPE-Initiated SSH over IPsec infographic

RDA Midways

The HPE RDA Midway servers are located in an HPE DMZ. They serve as the master control for all HPE RDA connections. The HPE RDA Midway servers are also responsible for issuing, verifying and revoking HPE RDA CA certificates. HPE RDA Midway servers use three certificate authorities (see Certificates) to manage user access and CAS device tunnel sessions. HPE Midway server clusters are located in three geographical regions (Americas, Asia Pacific and EMEA) to reduce network latency.

Just as the RDA-CAS controls who (from HPE) can access what (devices in your enterprise), the HPE Midway servers control who (HPE employees) can connect to which CAS (your enterprise gateway). All HPE employees connecting to the Midway servers are validated using two-factor authentication with their HPE-issued DigitalBadge (X.509v3 digital certificate and PIN). The HPE Midway servers maintain the list of valid HPE RDA CA certificates. HPE Midway servers manage connections by issuing one-time digital keys that are used to uniquely identify connection pipes. The HPE Midway servers function as a digital switchboard, managing communication paths between the RDA Customer Access Service, the RDA Support App clients and other HPE resources.

RDA Support App

The RDA Support App is used by authorized HPE personnel and HPE authorized support providers to access a communication channel for a particular customer and establish an interactive session on a customer device. This session is initiated when both parties agree that the HPE support engineer has a need to access a device on your network to troubleshoot a support issue, provide proactive services, or provide a resolution for an ongoing support issue.

The HPE support engineer opens a connection to the Midway server using the RDA Support App and authenticates using their HPE issued DigitalBadge. Once authenticated, they select the destination CAS device and target device from the list of registered CAS devices and connect. The Midway server routes the connection to the CAS-Agent on your corporate network, and the CAS device routes the connection to the target device in your corporate network.

Authentication

Authentication for the RDA client is accomplished using digital certificates. RDA-CAS agents are preconfigured to connect to the HPE Midway server and register as a CAS-Agent. The HPE Midway server supplies a DigiCert Public certificate to the CAS-Agent as proof of identity. Upon registration the Midway server issues an HPE RDA Root CA signed certificate to the CAS-Agent. This certificate is checked every time the CAS-Agent initiates a remote connection to HPE.

Certificates

HPE RDA uses several certificate types to validate the RDA infrastructure. They are:

  DigiCert Global Root G2
  DigiCert Global CA G2
  DigiCert Global Root CA
  DigiCert SHA2 Secure Server CA
  Hewlett Packard Enterprise Collaboration CA
  Hewlett Packard Enterprise Private Root CA
  Hewlett Packard Enterprise Private SSL CA
  Hewlett Packard Enterprise Remote Device Access Root CA

The RDA Midway servers use multiple certificates to provide various RDA services.
To begin, the CAS device (RDA-CAS or CAS-Agent) software is pre-installed with a DigiCert (Public) and an HPE RDA CA (Private) certificate. These certificates are used to connect to the Midway servers, perform any updates needed and initiate the CAS device registration. Once registered, the Midway server issues an HPE RDA CA certificate that is used to uniquely identify the CAS device and manage TLS tunnel connections from the CAS device.

The HPE RDA Midway servers are secured with public X.509v3 digital certificates issued by Symantec Class 3 Secure Server SHA256 SSL CA and signed by the public root certificate authority VeriSign Universal Root Certification Authority. The HPE RDA Midway private certificates are issued by the RDA CA and are the master certificates.

Note: VeriSign public certificates will be replaced by DigiCert public certificates upon expiry.

DigiCert Public CA

The DigiCert (Public) certificates are shipped as part of the RDA-CAS software kits. The certificates are issued by DigiCert SHA2 Secure Server CA. They are used by the RDA-CAS device to publicly validate that the Midway servers are genuine HPE.

HPE RDA Certificate

Once the CAS has verified that the RDA Midway is genuine HPE, the RDA Midway server verifies that the RDA-CAS is also genuine HPE using the RDA-CAS certificate that is shipped with the RDA-CAS software.

HPE RDA Enrollment

If both the RDA-CAS and RDA Midway server certificates are verified successfully, the Midway server requests device information from the RDA-CAS host in order to generate a certificate signing request for a unique (tunnel) certificate for the RDA-CAS host. This certificate is pushed to the RDA-CAS host and is used to uniquely identify the RDA-CAS when a tunnel is initiated between the RDA-CAS and the RDA Midway server. This certificate is signed by the RDA Intermediate CA, is valid for 1 year and can be validated by the RDA.

HPE Virtual DigitalBadge

HPE DigitalBadge certificates are used by HPE employees (or HPE Authorized Support agents) to drive RDA connections to an HPE Midway server. An HPE DigitalBadge is a unique certificate issued to HPE employees (or HPE Authorized Support agents). They are used by the Midway servers and RDA-CAS-Agents to authorize access to customer devices. HPE DigitalBadges are issued by the Hewlett Packard Enterprise Private Root CA, have an expiry date of 1 year from the date of issue and are validated using HPE's private certificate authority.

HPE RDA Root CA

The HPE solution uses its own Certificate Authority to manage CAS certificates and trust relationships. The RDA CA uses an Enterprise Secure Key Management (ESKM) device to issue and manage RDA certificates. The ESKM device provides FIPS Level 2 security for the HPE RDA CA, enabling RDA to establish and manage a chain of trust for RDA connections. The RDA CA is considered part of the HPE Midway server environment.
Chain of Trust

The RDA connection is a series of connected stations. The stations at each end are called the terminus stations; the stations in the chain that are not terminus stations are called gateway stations. Each RDA station is responsible for verifying the trust mapping (included in the header information) from its predecessor, evaluating its own trust level and adding it to the station header information. Trust levels are expressed as a grade or numerical value (0.0 through 1.0) based on the following table:

Grade  Value  Meaning
A      0.95   Two factor authentication on a controlled link
B      0.85   One factor authentication on a controlled link, or two-factor over an uncontrolled link
C      0.75   One-factor on an uncontrolled link with controlled verifier
D      0.65   External user/pass over uncontrolled link
E      0.45   Anonymous identity with controlled issuance
F      0.25   No significant authentication - untrusted

Trust is measured in both directions, and can be used to provide a relative measurement of how trustworthy a connection (chain) is. The overall trust grade can depend on several factors (number of stations, number of simultaneous connections, origin and destination terminus trust value, etc.). HPE DigitalBadge certificates are issued with a trust level of A or B.

Encryption

HPE RDA uses TLSv1.2 encryption for customer connectivity. Note that customer devices and the HPE backend use TLSv1.2 only and meet FIPS Annex 1 encryption specifications. All communications from the CAS-Agent back to the HPE Midway servers are contained within the TLS encrypted tunnel between the CAS and the Midway server. HPE Support agent tunnel sessions are also encrypted using TLSv1.2. Services carried within the encrypted tunnel may or may not themselves be encrypted.

Logging

RDA-CAS logs all user and web service activities to syslog. This includes setting up new connections, transferring data to and from HPE and logging all support technician access connections. Transaction details include (but are not limited to) the source and destination URLs, timestamp, action requested and status result of the transaction request. Log levels can be adjusted (with help from an HPE RDA Support engineer) for troubleshooting or debugging purposes.

Access control

Access controls for RDA-CAS are determined by the contents of /etc/rda/acl-rda.dat. This file is managed by the CAS administrator through the CAS UI. The RDA-CAS has four primary modes of operation. The mode of operation is the first line of the acl-rda.dat file and begins with the word mode. See below for more info:

Table 5.1 Mode attributes:

Shut:   All access is disabled (regardless of the rest of the contents in acl-rda.dat); no access is allowed.
Open:   All access is enabled (regardless of the rest of the contents in acl-rda.dat); all users are allowed to connect to the RDA-CAS and any device on the network.
Local:  Allows access to the local host (RDA-CAS) only (regardless of the rest of the contents of acl-rda.dat).
List:   Access is controlled by the remaining contents of acl-rda.dat.

The remaining entries in the acl-rda.dat file specify access directives (allow or deny) followed by the direction (From or To) and the attribute and attribute values.
Table 5.2 "From" attributes:

App:       Specifies an application name, such as ssh, http, ftp, etc. (listed in the /etc/services file)
Country:   Specifies the country of origin of the HPE service technician
(label not legible in source):  Specifies the service technician's HPE email address
Group:     Specifies the group of HPE service technicians
Region:    Specifies the region of origin (AMS, APJ, or EMEA) for the HPE service technician
Source:    Specifies the IP address or subnet and port for the source of the connection
Trust:     Specifies the minimum trust level (A through F) of the HPE service technician

Table 5.3 "To" attributes:

App:       Specifies an application name, such as ssh, http, ftp, etc.
Source:    Specifies the IP address or subnet and port for the source of the connection
Target:    Specifies the IP address or subnet and port for the target of the connection

Example of /etc/rda/acl-rda.dat:

    # allow SSH access for Jane Doe to host and deny all other connections
    Mode: List
    Allow from jane.doe@hpe.com to target TCP: :SSH
    Deny from all

RDA-CAS administrator

RDA-CAS administrators can authorize HPE support personnel to remotely access their environment using the support technician's HPE simplified email address (<employee>@hpe.com). The employee's HPE simplified email address is contained in their HPE DigitalBadge and can be validated automatically when connecting to a Midway server or RDA-CAS.

HPE Support technicians

Authorized HPE support personnel connect to the Midway servers using their HPE DigitalBadge. Once connected, they choose an RDA-CAS from a list of CAS devices they are authorized to access and connect. HPE support technicians' credentials (DigitalBadge) are validated at both the RDA Midway servers and the RDA-CAS.
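The following evaluator is an added illustration (not HPE's code) of how the Mode line, the From/To directives of Tables 5.2 and 5.3 and the grades from the Chain of Trust table combine into an admit or deny decision for a support session, using a constructed policy in the shape of the example above. The exact token grammar, the `<proto>:<ip-or-cidr>:<port-or-service>` endpoint layout, first-match-wins ordering, the default deny in List mode and the `email` keyword (for the attribute whose name is not legible on this page) are all assumptions.

```python
"""Toy evaluator for an RDA-CAS style /etc/rda/acl-rda.dat policy (added illustration,
not HPE's code). The whitepaper only outlines the format and gives the trust-grade
table, so the grammar, first-match-wins order and default deny in List mode are assumed."""
import ipaddress
from typing import Dict, List, Tuple

# Grade -> value from the "Chain of Trust" table; A is the strongest grade.
TRUST_VALUE = {"A": 0.95, "B": 0.85, "C": 0.75, "D": 0.65, "E": 0.45, "F": 0.25}
# Keywords from Tables 5.2/5.3; "email" is assumed (the page shows an <employee>@hpe.com
# value for the technician but the attribute keyword itself is not legible in the source).
FROM_ATTRS = {"app", "country", "email", "group", "region", "source", "trust"}
TO_ATTRS = {"app", "source", "target"}
SERVICES = {"ssh": 22, "http": 80, "https": 443, "ftp": 21}  # stand-in for /etc/services


def _parse_side(tokens: List[str], attrs) -> Dict[str, str]:
    """'<attr> <value> ...' or 'all' (empty dict); a bare token containing '@' is an email."""
    side, i = {}, 0
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok == "all":
            i += 1
        elif tok in attrs and i + 1 < len(tokens):
            side[tok] = tokens[i + 1]
            i += 2
        elif "@" in tok and "email" in attrs:
            side["email"] = tok
            i += 1
        else:
            raise ValueError(f"unexpected token {tokens[i]!r}")
    return side


def parse_acl(text: str):
    """Returns (mode, [(action, from_attrs, to_attrs), ...]); the Mode line must come first."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    if not lines or not lines[0].lower().startswith("mode"):
        raise ValueError("first line must be the Mode line")
    mode = lines[0].replace(":", " ").split()[1].lower()
    if mode not in ("shut", "open", "local", "list"):
        raise ValueError(f"unknown mode {mode!r}")
    directives = []
    for ln in lines[1:]:
        toks = ln.split()
        low = [t.lower() for t in toks]
        if len(toks) < 3 or low[0] not in ("allow", "deny") or low[1] != "from":
            raise ValueError(f"bad directive {ln!r}")
        cut = low.index("to") if "to" in low else len(toks)
        directives.append((low[0], _parse_side(toks[2:cut], FROM_ATTRS), _parse_side(toks[cut + 1:], TO_ATTRS)))
    return mode, directives


def _endpoint_ok(spec: str, ep: Tuple[str, int]) -> bool:
    """spec is '<proto>:<ip-or-cidr>:<port-or-service>'; an empty field matches anything."""
    _proto, host, port = spec.split(":")
    host_ok = not host or ipaddress.ip_address(ep[0]) in ipaddress.ip_network(host, strict=False)
    want = None if not port else int(port) if port.isdigit() else SERVICES[port.lower()]
    return host_ok and (want is None or want == ep[1])


def _side_ok(side: Dict[str, str], req: Dict[str, object]) -> bool:
    for attr, val in side.items():
        if attr == "trust":  # minimum DigitalBadge grade the technician must hold
            ok = TRUST_VALUE[str(req["trust"]).upper()] >= TRUST_VALUE[val.upper()]
        elif attr in ("source", "target"):
            ok = _endpoint_ok(val, req[attr])
        else:
            ok = str(req[attr]).lower() == val.lower()
        if not ok:
            return False
    return True


def decide(acl: str, req: Dict[str, object], cas_ip: str = "127.0.0.1") -> bool:
    """True if the CAS should admit the support-session request described by req."""
    mode, directives = parse_acl(acl)
    if mode in ("shut", "open"):  # Shut/Open ignore the rest of the file
        return mode == "open"
    if mode == "local":  # only the RDA-CAS host itself is reachable
        return req["target"][0] in (cas_ip, "127.0.0.1")
    for action, frm, to in directives:  # List: first matching directive wins (assumed)
        if _side_ok(frm, req) and _side_ok(to, req):
            return action == "allow"
    return False  # nothing matched: deny (assumed)


SAMPLE_ACL = """\
# Constructed policy modelled on the page's example (addresses are made up):
# Jane may SSH to one host; anyone holding a grade A or B badge may reach 10.0.5.0/24
Mode: List
Allow from jane.doe@hpe.com to target TCP:10.0.5.20:SSH
Allow from trust B to target TCP:10.0.5.0/24:
Deny from all
"""


def sample_decisions() -> Dict[str, bool]:
    def req(email, trust, target):
        return {"email": email, "country": "US", "region": "AMS", "group": "storage",
                "trust": trust, "app": "ssh", "source": ("203.0.113.9", 50000), "target": target}
    return {
        "jane_named_host": decide(SAMPLE_ACL, req("jane.doe@hpe.com", "C", ("10.0.5.20", 22))),
        "jane_other_host": decide(SAMPLE_ACL, req("jane.doe@hpe.com", "C", ("10.0.5.21", 22))),
        "grade_b_subnet": decide(SAMPLE_ACL, req("x.y@hpe.com", "B", ("10.0.5.21", 22))),
        "shut_mode": decide("Mode: Shut\nAllow from all", req("x.y@hpe.com", "A", ("10.0.5.20", 22))),
    }
```

`sample_decisions()` shows Jane reaching only her named host, a grade C badge being refused by the grade B threshold even inside the permitted subnet, and Shut mode overriding an Allow line, as Table 5.1 states.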

Glossary

API         Application Programming Interface
CA          Certificate Authority
CAS         Customer Access Service
CAS-Agent   CAS software embedded in a hardware device (iLO4 or OA)
CAS device  CAS-Agent or RDA-CAS
DMZ         Demilitarized Zone or Perimeter Network
FIPS        Federal Information Processing Standard
IPsec       Internet Protocol Security
OCSP        Online Certificate Status Protocol
RDA         Remote Device Access
RDA-CAS     CAS software bundle (CentOS or Debian) installed on a host server or in a VM
REST        Representational State Transfer (sometimes spelled ReST)
SSH         Secure Shell
TLS         Transport Layer Security


More information

VII. Corente Services SSL Client

VII. Corente Services SSL Client VII. Corente Services SSL Client Corente Release 9.1 Manual 9.1.1 Copyright 2014, Oracle and/or its affiliates. All rights reserved. Table of Contents Preface... 5 I. Introduction... 6 Chapter 1. Requirements...

More information

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide Table of Contents SUPPORTED DEVICES... 5 INTRODUCTION... 6 GWN7000 VPN FEATURE... 7 OPENVPN CONFIGURATION... 8 OpenVPN

More information

Azure Compute. Azure Virtual Machines

Azure Compute. Azure Virtual Machines Azure Compute Azure Virtual Machines Virtual Machines Getting started Select image and VM size New disk persisted in storage Management portal Windows Server Boot VM from new disk >_ Scripting (Windows,

More information

VMware Tunnel Guide for Windows Installing the VMware Tunnel for your AirWatch environment

VMware Tunnel Guide for Windows Installing the VMware Tunnel for your AirWatch environment VMware Tunnel Guide for Windows Installing the VMware Tunnel for your AirWatch environment AirWatch v9.1 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard

More information

CloudLink SecureVM. Administration Guide. Version 4.0 P/N REV 01

CloudLink SecureVM. Administration Guide. Version 4.0 P/N REV 01 CloudLink SecureVM Version 4.0 Administration Guide P/N 302-002-056 REV 01 Copyright 2015 EMC Corporation. All rights reserved. Published June 2015 EMC believes the information in this publication is accurate

More information

HPE VMware ESXi and vsphere 5.x, 6.x and Updates Getting Started Guide

HPE VMware ESXi and vsphere 5.x, 6.x and Updates Getting Started Guide HPE VMware ESXi and vsphere 5.x, 6.x and Updates Getting Started Guide Abstract This guide is intended to provide setup information for HPE VMware ESXi and vsphere. Part Number: 818330-003 Published: April

More information

HP Operations Orchestration

HP Operations Orchestration HP Operations Orchestration Software Version: 10.20 Windows and Linux Operating Systems Shell Wizard Guide Document Release Date: November 2014 Software Release Date: November 2014 Legal Notices Warranty

More information

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2 Deploying VMware Identity Manager in the DMZ JULY 2018 VMware Identity Manager 3.2 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

HP Load Balancing Module

HP Load Balancing Module HP Load Balancing Module Security Configuration Guide Part number: 5998-2686 Document version: 6PW101-20120217 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P. No part

More information

HPE Security ArcSight Connectors

HPE Security ArcSight Connectors HPE Security ArcSight Connectors SmartConnector for Windows Event Log Unified: Microsoft Network Policy Server Supplemental Configuration Guide March 29, 2013 Supplemental Configuration Guide SmartConnector

More information

VMware Tunnel on Windows. VMware Workspace ONE UEM 1810

VMware Tunnel on Windows. VMware Workspace ONE UEM 1810 VMware Tunnel on Windows VMware Workspace ONE UEM 1810 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

VMware Tunnel on Linux. VMware Workspace ONE UEM 1811

VMware Tunnel on Linux. VMware Workspace ONE UEM 1811 VMware Workspace ONE UEM 1811 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation, submit your feedback

More information

Goliath Application Availability Monitor for Citrix Prerequisites Guide

Goliath Application Availability Monitor for Citrix Prerequisites Guide Goliath Application Availability Monitor for Citrix Prerequisites Guide Goliath Application Availability Monitor Proof of Concept Limitations Goliath Application Availability Monitor Proof of Concepts

More information

Vertica on Microsoft Azure HPE Vertica Analytic Database. Software Version: 7.2.x

Vertica on Microsoft Azure HPE Vertica Analytic Database. Software Version: 7.2.x HPE Vertica Analytic Database Software Version: 7.2.x Document Release Date: 8/29/2016 Legal Notices Warranty The only warranties for Hewlett Packard Enterprise products and services are set forth in the

More information

Firepower Threat Defense Site-to-site VPNs

Firepower Threat Defense Site-to-site VPNs About, on page 1 Managing, on page 3 Configuring, on page 3 Monitoring Firepower Threat Defense VPNs, on page 11 About Firepower Threat Defense site-to-site VPN supports the following features: Both IPsec

More information

Dolby Conference Phone 3.1 configuration guide for West

Dolby Conference Phone 3.1 configuration guide for West Dolby Conference Phone 3.1 configuration guide for West 17 January 2017 Copyright 2017 Dolby Laboratories. All rights reserved. For information, contact: Dolby Laboratories, Inc. 1275 Market Street San

More information

Interdomain Federation for IM and Presence Service on Cisco Unified Communications Manager, Release 10.5(1)

Interdomain Federation for IM and Presence Service on Cisco Unified Communications Manager, Release 10.5(1) Interdomain Federation for IM and Presence Service on Cisco Unified Communications Manager, Release 10.5(1) First Published: 2014-01-29 Last Modified: 2017-12-01 Americas Headquarters Cisco Systems, Inc.

More information

Microsoft Azure Configuration. Azure Setup for VNS3

Microsoft Azure Configuration. Azure Setup for VNS3 Microsoft Azure Configuration Azure Setup for VNS3 2016 Table of Contents Requirements 3 Create Azure Private VLAN 10 Launch VNS3 Image from Azure Marketplace 15 Deliver and launch VNS3 from Azure 22 VNS3

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

More information

Avaya Port Matrix: Avaya Diagnostic Server 3.0

Avaya Port Matrix: Avaya Diagnostic Server 3.0 Avaya Matrix: Avaya Diagnostic Server 3.0 Issue 2.0 February 208 ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC. DISCLAIMS ALL WARRANTIES, EITHER

More information

HP Device Manager 4.6

HP Device Manager 4.6 Technical white paper HP Device Manager 4.6 HP t5740 Windows XPe Support Guide Table of contents Overview... 3 Updating the HPDM Agent... 3 Symantec Endpoint Protection (SEP) Firewall... 3 VNC Shadowing...

More information

Micro Focus Security ArcSight Connectors. SmartConnector for Snort Syslog. Configuration Guide

Micro Focus Security ArcSight Connectors. SmartConnector for Snort Syslog. Configuration Guide Micro Focus Security ArcSight Connectors SmartConnector for Snort Syslog Configuration Guide June, 2018 SmartConnector for Snort Syslog June, 2018 Copyright 2011 2017; 2018 Micro Focus and its affiliates

More information

IP Addressing: Fragmentation and Reassembly Configuration Guide

IP Addressing: Fragmentation and Reassembly Configuration Guide First Published: December 05, 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

More information

VMware Tunnel Guide for Windows

VMware Tunnel Guide for Windows VMware Tunnel Guide for Windows Installing the VMware Tunnel for your Workspace ONE UEM environment Workspace ONE UEM v9.5 Have documentation feedback? Submit a Documentation Feedback support ticket using

More information

TECHNICAL WHITE PAPER DECEMBER 2017 VMWARE HORIZON CLOUD SERVICE ON MICROSOFT AZURE SECURITY CONSIDERATIONS. White Paper

TECHNICAL WHITE PAPER DECEMBER 2017 VMWARE HORIZON CLOUD SERVICE ON MICROSOFT AZURE SECURITY CONSIDERATIONS. White Paper TECHNICAL WHITE PAPER DECEMBER 2017 VMWARE HORIZON CLOUD SERVICE ON MICROSOFT AZURE SECURITY CONSIDERATIONS White Paper Table of Contents Executive Summary... 3 Audience.... 3 Introduction.... 3 Architecture....

More information

Intelligent Provisioning 1.70 Release Notes

Intelligent Provisioning 1.70 Release Notes Intelligent Provisioning 1.70 Release Notes Part Number: 680065-408 Published: October 2017 Edition: 1 Copyright 2012, 2017 Hewlett Packard Enterprise Development LP Notices The information contained herein

More information

Interdomain Federation for the IM and Presence Service, Release 10.x

Interdomain Federation for the IM and Presence Service, Release 10.x First Published: 2014-01-29 Last Modified: 2018-11-05 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387)

More information

Security Considerations for Cloud Readiness

Security Considerations for Cloud Readiness Application Note Zentera Systems CoIP Platform CoIP Defense-in-Depth with Advanced Segmentation Advanced Segmentation is Essential for Defense-in-Depth There is no silver bullet in security a single solution

More information

IPsec NAT Transparency

IPsec NAT Transparency The feature introduces support for IP Security (IPsec) traffic to travel through Network Address Translation (NAT) or Port Address Translation (PAT) points in the network by addressing many known incompatibilities

More information

Vendor: Citrix. Exam Code: 1Y Exam Name: Implementing Citrix NetScaler 10.5 for App and Desktop Solutions. Version: Demo

Vendor: Citrix. Exam Code: 1Y Exam Name: Implementing Citrix NetScaler 10.5 for App and Desktop Solutions. Version: Demo Vendor: Citrix Exam Code: 1Y0-253 Exam Name: Implementing Citrix NetScaler 10.5 for App and Desktop Solutions Version: Demo QUESTION 1 A Citrix Administrator needs to configure a single virtual server

More information