Insight Remote Support

Re: Predictive Support => "ISEE" !!!

 
Paul R. Dittrich
Esteemed Contributor

Predictive Support => "ISEE" !!!

Quoting directly from a letter I have just received from HP:

"Internet connectivity enables continuous communication between HP and your systems through a single access point through your firewall or via a proxy server."

"Problems are detected and communicated continuously....."

"ISEE enables.....direct remote secure access by an HP support engineer."

1. At what point does Predictive Support disappear completely? (Not just patches, etc.) Are XP arrays affected by this? When?

2. Who pays for the bandwidth? Who pays for the additional security logging/monitoring?

3. How am I supposed to persuade our senior staff to violate our hard-fought security policy to allow this when I don't even like the idea myself?
7 REPLIES
John Carr_2
Honored Contributor

Re: Predictive Support => "ISEE" !!!

Hi

Very interesting. I would be scared to death of the thought that a major network under my responsibility has such compromised security arrangements.

John
George_Dodds
Honored Contributor

Re: Predictive Support => "ISEE" !!!

We've got the phone home option on our xp256 and it has proved very handy, but is getting expensive.

Below is a thread about possibly using https for support stuff.

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x836c7bb04b5cd611abdb0090277a778c,00.html
Jeff Schussele
Honored Contributor

Re: Predictive Support => "ISEE" !!!

Remote Support can be toggled off.
The real benefit of ISEE is a system on-site that can run pre-defined scripts under certain failure or pre-failure scenarios. Monitors kind of like an HAO but can react also - entirely within your network.
I know, I don't like remote support either...makes me nervous. I'd rather see the CE on-site or know the scripts are running "in-house".
Phone home is one thing; phone in is entirely another.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Jack Marshall
Occasional Advisor

Re: Predictive Support => "ISEE" !!!

We're going through the implementation phase at the moment, and some points have come up in discussion with our Internal Security Team.

1) HAO is definitely going off support - HP are very keen to see it, and Predict, replaced with ISEE.

2) You can provide your own PC internally with your own 'hardened' build on it. They will then install the relevant software on it, and unlike HAO you then control it. Alternatively I believe HP will now also provide the hardware.

3) As it would go through your firewall (likely we would route them via a separate extranet designed specifically for vendors needing support access into our environment), the costs should be minimal. We haven't approached the implementation stage yet, but dependent on the outcome I'll post updates to this forum.

4) Authentication is performed via RADIUS - the ISEE remote access authentication is layered, with the RADIUS authentication coming after the IPSec tunnel is established. For the IPSec tunnel to be established, the IPSec client (HP Engineer) and IPSec server (SPOP) authenticate to each other using machine-to-machine (the certificate is assigned to the hardware) digital certificates. If this authentication step fails then the connection is terminated and the RADIUS user authentication never takes place. This layered security architecture makes it impossible for an attacker to use RADIUS to obtain a remote connection to the SPOP even if RADIUS were compromised.

5) The use of RADIUS, and central administration at HP of HP support engineers user accounts on the SPOP, is critical. Managing these accounts on each SPOP remotely from HP for each support customer would be an administrative nightmare.

regards
Jy.
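
An added example, not part of the post above and not HP code: a small audit that checks connection logs for the ordering described in point 4, flagging any RADIUS event from a peer that has no live certificate-authenticated tunnel. The log line format, event names and addresses are assumptions constructed for this example.

```python
import re

# Constructed sample log. The line format and event names are assumptions
# for this example, not the output of any HP ISEE/SPOP component.
SAMPLE_LOG = """\
2003-05-01T10:00:01 peer=192.0.2.10 event=IKE_CERT_OK
2003-05-01T10:00:03 peer=192.0.2.10 event=RADIUS_ACCEPT user=eng1
2003-05-01T10:20:00 peer=192.0.2.10 event=TUNNEL_DOWN
2003-05-01T11:00:00 peer=198.51.100.7 event=IKE_CERT_FAIL
2003-05-01T11:00:02 peer=198.51.100.7 event=RADIUS_ACCEPT user=eng2
2003-05-01T12:00:00 peer=192.0.2.10 event=RADIUS_REJECT user=eng1
"""

LINE_RE = re.compile(r"^(\S+) peer=(\S+) event=(\w+)(?: user=(\S+))?$")


def audit_layering(log_text):
    """Return RADIUS events seen without a live cert-authenticated tunnel.

    Each violation is a (timestamp, peer, event, user) tuple. Any RADIUS
    exchange outside a tunnel, accepted or rejected, means the second
    layer was reachable without the first.
    """
    tunnel_up = set()   # peers whose machine-certificate check succeeded
    violations = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue    # skip lines that are not in the assumed format
        ts, peer, event, user = m.groups()
        if event == "IKE_CERT_OK":
            tunnel_up.add(peer)
        elif event in ("IKE_CERT_FAIL", "TUNNEL_DOWN"):
            tunnel_up.discard(peer)
        elif event.startswith("RADIUS_") and peer not in tunnel_up:
            violations.append((ts, peer, event, user))
    return violations


if __name__ == "__main__":
    for v in audit_layering(SAMPLE_LOG):
        print("RADIUS without tunnel:", v)
```
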
Paul R. Dittrich
Esteemed Contributor

Re: Predictive Support => "ISEE" !!!

George - yes, we have "phone home" for our XP and I've already seen the thread you mentioned.

Jeff - I agree. My preference for "phone in" is to turn it on only when necessary and better still to use a dial-back modem.

Jack - I am very interested in any information you may be able to share about your new implementation, especially your idea of a separate extranet for vendor remote access.
James Randall
Frequent Advisor

Re: Predictive Support => "ISEE" !!!

The extranet configuration referred to is something that HP had been doing with HAO clients, i.e. a leased line link back to Atlanta so the HAO onsite server could send data back to HP M/C Support.

On most of those implementations...HP M/C Support had the right to come inbound to the HAO server, and other systems in your network. (This access helped streamline support issues as Support Engineers could log in quickly and respond to issues)

[I have a client that didn't allow that access. They firewalled the leased line so only the outbound data communication was valid - VERY STRICT SECURITY]
No news is good news
Mic V.
Esteemed Contributor

Re: Predictive Support => "ISEE" !!!

Paul,

I'm sure by now you have the answers to the technical portions of this. For #3, though: I have the same issue with this "solution" from HP. As a CSS customer, I very reluctantly used HAO and discontinued it when it had not shown ROI after a year. I've been trying to convince HP to change the way that ISEE is implemented. I'm not having tons of luck, although they *are* nice enough to listen.

I'd happily join a movement to get HP to change the implementation for improved security.

Mic
What kind of a name is 'Wolverine'?