Electronic Service Agent™ and Transmission Security and Information Privacy
Electronic Services, January 2006
Introduction

IBM Electronic Service Agent™ is a software application that collects machine information and transports it to IBM. The information is collected for problem reporting, heartbeat reporting (a periodic check that Service Agent is still active) and inventory reporting. The inventory information raises the availability of client systems by:
- faster response to client problems, because problems are submitted electronically
- faster resolution of client problems, because IBM has timely and accurate details of the client machine environment

Transmission Security

Service Agent information is transmitted by a security-rich process. Depending on the connection options available, the transaction goes over a modem or, in many networks, over the Internet. Allowing traffic between the Internet and the client network raises security and privacy concerns, which this document addresses. IBM has taken the following steps to provide security-enhanced transmission of Service Agent transactions:
1. Outbound transmission only: the client Service Agent initiates every communication and accepts no inbound connection attempts. No Service Agent application listens on a TCP/IP port to establish a session.
2. Public key encryption: Service Agent protects the integrity and authenticity of the data exchanged with IBM using Secure Sockets Layer (SSL). SSL uses public key cryptography to authenticate the IBM endpoint and to negotiate the 128-bit session key under which the data is encrypted and decrypted.
3. Enrollment: the first communication to IBM after activation requests a unique ID and password for each monitored machine. The ID is generated algorithmically from machine-specific information. IBM uses this ID and password to authenticate the client machine on every subsequent communication.
4. Machine information only: only machine and error information is sent. Service Agent does not access or transmit any other information on the monitored machines.
The client license agreement clarifies the type of information transmitted.

Connection options, examples and flowcharts

This is the list of connection options for Service Agent at the time of writing. Each Service Agent User Guide gives the current connection options for its platform.
NOTE: Not all options described below are available on all platforms. Refer to the respective Service Agent User Guide.

1. Modem
Service Agent uses the AT&T Global Network Services (AGNS) dialer for modem access. Service Agent supplies the AGNS ID and password itself, electronically and in the background; the client cannot view this information. The account is used exclusively by Service Agent, which uses these userids for point-to-point communication. A dynamic IP address is assigned for each logon session. Service Agent does not accept incoming calls on the modem.
The information is encrypted before it enters the AGNS network. No party on the AGNS network can decrypt it; it is decrypted only inside the IBM firewalls, by the appropriate application. AGNS has provided a document describing its communication process with Service Agent. You will find this AGNS document at www.ibm.com/support/electronic, under the Electronic Service Agent category.

Modem transmission example
- The client has a modem connected to the system.
- Service Agent collects the information to be transmitted and queues it for transmission at the appropriate time.
- At the appropriate time the system dials the AGNS LIG and establishes a connection using the AGNS ID and password.
- An SSL connection is established with IBM through the AGNS LIG.
- Service Agent inventory information flows to the IBM destination (predetermined by the Service Agent code).
- On arrival at IBM, the Service Agent information is transferred to the appropriate IBM database.
[Figure: modem transmission flow; labels: Client Environment, Customer Firewall (if provided), SA client code, AGNS Dial, Public Telephone, ISP, Internet, Public DMZ, IBM, AT&T Global Problem Management, System Information]

2. Internet HTTPS
Service Agent uses HTTPS, that is, SSL with 128-bit encryption over TCP/IP. Service Agent may be configured to work with firewalls and authenticating proxies. Service Agent only initiates HTTPS communications; it does not respond to any. The Internet provider relationship and the connection are the responsibility of the client.

Internet transmission example
- Service Agent collects the information to be transmitted and queues it for transmission at the scheduled time.
- At the scheduled time, the client Service Agent code establishes an Internet connection using the system ID and password created at enrollment.
- An SSL connection is established between the client system and IBM.
- Service Agent information flows to the IBM destination (predetermined by the Service Agent code).
- On arrival at IBM, the Service Agent information is transferred to the appropriate IBM database.
[Figure: Internet HTTPS transmission flow; labels: Client Environment, Customer Firewall (if provided), SA client code, Internet Dial-up, Internet Direct, Public Telephone, ISP, Internet gateway, Internet, Public DMZ, IBM, AT&T Global Problem Management, System Information]

3. Internet VPN
A Virtual Private Network (VPN) gives users the privacy of a separate network over public lines by substituting encryption and other security measures for the physically separate lines of a traditional private network. A VPN requires configuration of an access device, either hardware- or software-based, to set up the channel in a security-enhanced environment. In the case of Service Agent the access device is software-based.
VPN access uses the Layer 2 Tunneling Protocol (L2TP) protected by IPsec. Internet Key Exchange (IKE) performs the initial authentication and establishes the security parameters used to encrypt the information that flows between the client's system and the IBM eServer™. The Challenge Handshake Authentication Protocol (CHAP) is used as part of establishing the L2TP tunnel, providing a second level of authentication. Behind the IBM VPN gateways to which the tunnels are established is a firewall that filters traffic, allowing access only to specific IP addresses and ports. Once a tunnel is established with the VPN gateway, Electronic Service Agent establishes a socket session to a specific port. Once the socket is established, Electronic Service Agent sends a logon record.

VPN transmission example
- Service Agent collects the information and queues it for transmission at the scheduled time.
- At the scheduled time, the client Service Agent code establishes an Internet connection using the system ID and password created at enrollment.
- A VPN connection is established between the client system and IBM.
- Service Agent information flows to the IBM destination (predetermined by the Service Agent code).
- On arrival at IBM, the Service Agent information is transferred to the appropriate IBM database.

Firewall Considerations

When the VPN connection is used for Service Agent transmission and a firewall sits between the client network and the Internet, the firewall must be configured to allow Service Agent to connect to IBM. The TCP/IP addresses to which Service Agent establishes connections are:
207.25.252.196 - IBM Boulder VPN Server
129.42.160.16 - IBM Rochester VPN Server
You must enable the following protocols and ports, outbound from the Service Agent system to those addresses:
Protocol ESP (IP protocol 50; it carries the encrypted tunnel and has no port number)
Protocol UDP, port 500 (IKE)
Protocol UDP, port 4500 (IKE and ESP NAT traversal)

Privacy of Client information

The inventory information gathered from client systems is the information typically collected verbally from clients during phone calls with the IBM Support Center, pre-sales specialists, administrative clerks and other groups within IBM* that work with the client to provide the best possible service (technical or administrative). These IBM groups have electronic access to the information so that they can prepare, do advance problem determination and serve IBM clients more efficiently.
*In some IBM organizations the representatives are not full-time IBM employees, or may be vendors working under IBM direction and contract. These staff members are subject to the same privacy and security guidelines as any IBM employee.
Inventory information includes: your contact information, including names, phone numbers and e-mail addresses; system utilization, performance, system failure logs, part feature codes, part numbers, part serial numbers, part locations, software inventory, operating system, applications, PTFs, maintenance level and configuration values. All the inventory information can be viewed on the system using platform-specific commands.
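Returning to the Firewall Considerations above: the following is an added example, not part of the IBM document, that turns those requirements into reviewable iptables rules for a Linux host running Service Agent and audits an existing rule listing against them. The interface name eth0, the function names, and the assumption that the rules are applied on the Service Agent host itself with a default-deny policy are mine; the two addresses are the January 2006 values from the document and should be confirmed against the current Service Agent User Guide before use.

```shell
#!/bin/sh
# Added example, not from the IBM document: expresses the Firewall
# Considerations for the VPN option as iptables rules and audits a rule
# listing against them.
# Assumptions (not stated in the document): rules are applied on the Service
# Agent host (OUTPUT/INPUT chains) whose chain policy is DROP, and the two
# addresses below are still current; they are the January 2006 values from
# the document and must be confirmed against the platform's User Guide.

ESA_VPN_SERVERS="207.25.252.196 129.42.160.16"  # IBM Boulder, IBM Rochester

# Print (do not apply) the rules, in the same canonical form `iptables -S`
# uses, so they can be reviewed first and also fed to esa_vpn_audit below.
esa_vpn_egress_rules() {
    iface="${1:-eth0}"
    for srv in $ESA_VPN_SERVERS; do
        # IKE negotiation: UDP 500
        echo "iptables -A OUTPUT -d $srv/32 -o $iface -p udp -m udp --dport 500 -m state --state NEW,ESTABLISHED -j ACCEPT"
        # IKE and ESP NAT traversal: UDP 4500 (only exercised when a NAT sits in the path)
        echo "iptables -A OUTPUT -d $srv/32 -o $iface -p udp -m udp --dport 4500 -m state --state NEW,ESTABLISHED -j ACCEPT"
        # ESP, IP protocol 50, carrying the encrypted L2TP/PPP tunnel; it has no port
        echo "iptables -A OUTPUT -d $srv/32 -o $iface -p esp -j ACCEPT"
        # Replies come only from the two VPN servers; no other inbound traffic is needed
        echo "iptables -A INPUT -s $srv/32 -i $iface -p udp -m udp --sport 500 -m state --state ESTABLISHED -j ACCEPT"
        echo "iptables -A INPUT -s $srv/32 -i $iface -p udp -m udp --sport 4500 -m state --state ESTABLISHED -j ACCEPT"
        echo "iptables -A INPUT -s $srv/32 -i $iface -p esp -j ACCEPT"
    done
}

# Audit a rule listing read on stdin (for example `iptables -S OUTPUT`, or the
# output of esa_vpn_egress_rules): print one MISSING line for each required
# server/protocol/port that has no ACCEPT rule. Returns 0 when everything
# required is present, 1 otherwise.
esa_vpn_audit() {
    rules=$(cat)
    missing=0
    for srv in $ESA_VPN_SERVERS; do
        for spec in udp:500 udp:4500 esp:; do
            proto=${spec%%:*}
            port=${spec#*:}
            # Trailing spaces keep "udp " from matching "udplite" and "500 " from "5000"
            hits=$(printf '%s\n' "$rules" | grep -e "-d $srv/32" | grep -e "-p $proto " | grep -e "-j ACCEPT" || true)
            if [ -n "$port" ]; then
                hits=$(printf '%s\n' "$hits" | grep -e "--dport $port " || true)
            fi
            if [ -z "$hits" ]; then
                echo "MISSING: $proto${port:+ $port} to $srv"
                missing=1
            fi
        done
    done
    return $missing
}

# When run directly: print the rules for eth0 and confirm they pass the audit.
esa_vpn_egress_rules eth0
esa_vpn_egress_rules eth0 | esa_vpn_audit && echo "audit: all required VPN rules present"
```

On a perimeter firewall rather than the host itself, put the same matches in the FORWARD chain with -s set to the Service Agent system's address. The document lists UDP 4500 unconditionally; it is only used when a NAT device sits between the client and IBM, but opening it costs nothing since the destination is pinned to the two servers. Firewalls that do not track ESP statefully need the explicit inbound ESP rule shown above.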
Inventory information does not include the collection or transmission of any of your company's financial, statistical or personnel data, client information or business plans.
In addition, Service Agent may also provide a call-home mechanism for other IBM offerings you may select in the future. The information collected by those offerings is covered in separate agreements, for example the Performance Management offerings.

Portion of the Electronic Service Agent license agreement
Electronic Service Agent machine inventory information usage within IBM

4. Use of Information
You agree to allow International Business Machines Corporation and its subsidiaries to store and use your contact information, including names, phone numbers, and e-mail addresses, anywhere they do business. Such information will be processed and used in connection with our business relationship, and may be provided to contractors, Business Partners, and assignees of International Business Machines Corporation and its subsidiaries for uses consistent with their collective business activities, including communicating with you (for example, for processing orders, for promotions, and for market research). The Program performs system utilization, performance and capacity planning ("Inventory Collection") and system failure logs and preventative maintenance event ("Hardware Problem Reporting") monitoring functions. You agree that IBM may use and share within IBM and with IBM Business Partners and third parties such as subcontractors and consultants under contract to IBM the data gathered from these monitoring functions ("Your Information") for purposes of problem determination, assisting you with performance and capacity planning, assisting IBM to enhance IBM products and services and notifying you of your system status and solutions we have available. Your Information excludes the collection and transmission of your financial, statistical and personnel data and your business plans.
You also agree that Your Information may be transferred to such entities in any country, whether or not a member of the European Union.

January 2006
© International Business Machines Corporation 2004
IBM United States, Route 100, Somers, New York 10589, U.S.A.
IBM, the IBM logo, the eServer logo and Electronic Service Agent are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. Other company, product, and service names may be trademarks or service marks of others.

Disclaimer
Maintaining a high-level security posture requires that IBM and AT&T Global Network Services (AGNS) do not divulge in-depth details of how security is managed: tools, processes and audits.
The English language version of this document prevails over any other language version.