Electronic Service Agent TM. Network and Transmission Security And Information Privacy




Electronic Service Agent(TM) Network and Transmission Security and Information Privacy
Electronic Services, January 2006

Introduction

IBM Electronic Service Agent(TM) is a software application responsible for collecting and transporting machine information to IBM. The information collected is used for problem, heartbeat (periodic check for Service Agent activation) and inventory reporting. The inventory information provides higher system availability for client systems by:
- faster response to Client problems, due to electronic submission
- faster resolution of Client problems, by using timely and accurate details of the Client machine environment

Transmission Security

The transmission of Service Agent information is performed by a security-rich process. Depending on the connection options available, the transaction is by modem or, in many networks, via the Internet. Allowing access between the Internet and the Client network raises security and privacy concerns, which are addressed in this document. IBM has taken a number of steps to provide security-enhanced transmissions for Service Agent transactions:

1. Outbound transmission only: the client Service Agent initiates communications and does not allow any inbound connection attempts. There are no applications "listening" on a TCP/IP port to establish a session.
2. Public key encryption: Service Agent uses a 128-bit public key encryption mechanism to maintain the integrity and authenticity of data exchanged between the Service Agent and IBM. Service Agent uses Secure Socket Layer (SSL) based encryption and decryption.
3. Enrollment: the first communication to IBM after activation is a request for a unique ID and password for each machine monitored. The ID is generated by an algorithm using machine-specific information. IBM uses this ID and password to authenticate the client machine on each subsequent communication.
4. Machine information only: only machine or error information is sent. Service Agent does not access or transmit any other information on the monitored machines.
The Client license agreement clarifies the type of information transmitted.

Connection options, examples and flowcharts

This is the list of connection options for Service Agent at this time. Each Service Agent User Guide provides the most current connection options for that platform. NOTE: Not all options described below are available for all platforms. Please refer to the respective Service Agent User Guide.

1. Modem

Service Agent uses the AT&T Global Services (AGNS) dialer for modem access. Service Agent supplies the AGNS ID and password electronically in the background; the Client is not able to view this information. This is an exclusive account for Service Agent, and Service Agent uses these user IDs for point-to-point communications. A dynamic IP address is assigned for each logon session. Service Agent does not accept incoming calls on the modem.

The information is encrypted before entering the AGNS network; no party on the AGNS network can decrypt it. The information is decrypted only inside IBM firewalls, by the appropriate application. AGNS has provided a document describing its communication process with Service Agent. You will find this AGNS document at www.ibm.com/support/electronic, under the Electronic Service Agent category.

Modem transmission example
- Client has a modem connected to the system.
- Service Agent collects the information to be transmitted and queues it for transmission at the appropriate time.
- The system dials the AGNS LIG at the appropriate time and establishes a connection using the AGNS ID/password.
- An SSL connection is established with IBM through the AGNS LIG.
- Service Agent inventory information flows to the IBM destination (predetermined by Service Agent code).
- Upon arrival at IBM, Service Agent information is transferred to the appropriate IBM database.

[Figure: modem transmission flow. Client environment (Service Agent client code, customer firewall if provided) -> public telephone network / AGNS dial / ISP / Internet -> public DMZ -> IBM (AT&T Global Problem Management). Label: System Information.]

2. Internet HTTPS

Service Agent uses HTTPS, which utilizes SSL 128-bit encryption and TCP/IP protocols. Service Agent may be configured to work with firewalls and authentication proxies. Service Agent only initiates HTTPS communications; it does not respond to inbound ones. The Internet provider relationship and connection are the responsibility of the client.

Internet transmission example
- Service Agent collects the information to be transmitted and queues it for transmission at the scheduled time.

- At the appropriate time, client Service Agent code establishes an Internet connection using the system IDs and passwords created previously.
- An SSL connection is established between the client system and IBM.
- Service Agent information flows to the IBM destination (predetermined by Service Agent code).
- Upon arrival at IBM, Service Agent information is transferred to the appropriate IBM database.

[Figure: Internet transmission flow. Client environment (Service Agent client code, customer firewall if provided) -> Internet dial-up or Internet direct via public telephone / ISP / Internet gateway -> public DMZ -> IBM (AT&T Global Problem Management). Label: System Information.]

3. Internet VPN

A Virtual Private Network (VPN) gives users the privacy of a separate network over public lines by substituting encryption and other security measures for the physically separate lines of traditional private networks. VPNs require the configuration of an access device, either hardware- or software-based, to set up a channel in a security-enhanced environment. In the case of Service Agent, it is software-based.

VPN access uses Layer 2 Tunneling Protocol (L2TP) safeguarded with IPSec. Internet Key Exchange (IKE) performs the initial authentication and establishes the security parameters used to encrypt the information that flows between the client's system and the IBM eServer(TM). The Challenge Handshake Authentication Protocol (CHAP) is utilized as part of establishing the L2TP tunnel, to perform a second level of authentication. Behind the IBM VPN gateways to which the tunnels are established is a firewall, which filters traffic to allow access only to specific IP addresses and ports. Once a tunnel is established with the VPN gateway, Electronic Service Agent establishes a socket session to a specific port. Once the socket is established, Electronic Service Agent sends up a logon record.

VPN transmission example
- Service Agent collects the information and queues it for transmission at the scheduled time.
- At the appropriate time, client Service Agent code establishes an Internet connection using the system IDs and passwords created previously.

- A VPN connection is established between the client system and IBM.
- Service Agent information flows to the IBM destination (predetermined by Service Agent code).
- Upon arrival at IBM, Service Agent information is transferred to the appropriate IBM database.

Firewall Considerations

When a VPN connection is used for Service Agent transmission with a firewall between the client network and the Internet, the firewall will need to be configured to allow Service Agent to connect to IBM. The TCP/IP addresses that Service Agent will establish connections to are:
- 207.25.252.196 - IBM Boulder VPN Server
- 129.42.160.16 - IBM Rochester VPN Server

You must enable the following ports and protocols:
- Protocol ESP
- Protocol UDP, port 500
- Protocol UDP, port 4500

Privacy of Client information

The inventory information gathered from Client systems is information typically collected verbally from Clients during phone calls with the IBM Support Center, pre-sales specialists, administrative clerks and other groups within IBM* that work with the Client to provide the best possible service (technical or administrative). These IBM groups will have electronic access to the information so that they can prepare, do advance problem determination and serve IBM Clients more efficiently.

* In some IBM organizations the representatives are not full-time IBM employees, or may be vendors working under IBM direction and contract. These staff members are subject to the same privacy and security guidelines as any IBM employee.

Inventory information includes: your contact information, including names, phone numbers and e-mail addresses; system utilization; performance; system failure logs; part feature codes, part numbers, part serial numbers and part locations; software inventory; operating system applications; PTFs; maintenance level; and configuration values. All of the inventory information can be viewed on the system using platform-specific commands.
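As an added example (not from the IBM document and not Service Agent code), the following Python script encodes the allow-list given under Firewall Considerations above (the two IBM VPN server addresses, ESP, UDP port 500 and UDP port 4500) together with the outbound-only rule from the Transmission Security section, and runs it over constructed flow records to show which connections a correctly configured perimeter should permit and which it should deny. The flow-record format, the client address 10.20.30.40 and the 198.51.100.x addresses are constructed for this example.

```python
"""Egress check for the Service Agent VPN path.

Added example; this is not part of the IBM document or of the Service Agent
code. The allow-list (the two IBM VPN server addresses, ESP, UDP/500 and
UDP/4500) is taken from the Firewall Considerations section; the flow-log
line format and the sample records are constructed for this example.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Documented IBM VPN endpoints that Service Agent connects to.
IBM_VPN_SERVERS = {
    ipaddress.ip_address("207.25.252.196"): "IBM Boulder VPN Server",
    ipaddress.ip_address("129.42.160.16"): "IBM Rochester VPN Server",
}

# Documented protocols/ports: IKE (UDP 500), NAT traversal (UDP 4500), ESP.
# ESP is an IP protocol, not a UDP/TCP service, so it carries no port.
ALLOWED_SERVICES = {("udp", 500), ("udp", 4500), ("esp", None)}


class Flow(NamedTuple):
    direction: str        # "out": initiated by the client system; "in": initiated from outside
    proto: str            # "udp", "tcp" or "esp"
    src: IPAddress
    dst: IPAddress
    dport: Optional[int]  # None for ESP


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<dir> <proto> <src> <dst> [dport]'."""
    fields = line.split()
    if len(fields) not in (4, 5):
        raise ValueError(f"malformed flow record: {line!r}")
    direction, proto, src, dst = fields[:4]
    dport = int(fields[4]) if len(fields) == 5 else None
    return Flow(direction.lower(), proto.lower(),
                ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)


def evaluate(flow: Flow) -> Tuple[bool, str]:
    """Apply the documented policy to one flow: outbound only, documented
    destinations only, documented protocols/ports only."""
    label = flow.proto if flow.dport is None else f"{flow.proto}/{flow.dport}"
    if flow.direction != "out":
        return False, "inbound connection attempt; Service Agent is outbound-only"
    if flow.dst not in IBM_VPN_SERVERS:
        return False, f"destination {flow.dst} is not a documented IBM VPN server"
    # ESP is matched by protocol alone; UDP must also match a documented port.
    service = (flow.proto, flow.dport if flow.proto == "udp" else None)
    if service not in ALLOWED_SERVICES:
        return False, f"{label} is not one of ESP, UDP/500, UDP/4500"
    return True, f"permitted: {IBM_VPN_SERVERS[flow.dst]} via {label}"


def audit(lines: List[str]) -> List[Tuple[str, bool, str]]:
    """Evaluate each record; blank lines are skipped and unparsable lines are denied."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        try:
            ok, why = evaluate(parse_flow(line))
        except ValueError as exc:
            ok, why = False, str(exc)
        results.append((line.strip(), ok, why))
    return results


# Constructed sample records (not real traffic). 10.20.30.40 stands for the
# client system running Service Agent; 198.51.100.x are documentation addresses.
SAMPLE_FLOWS = [
    "out udp 10.20.30.40 207.25.252.196 500",   # IKE to Boulder
    "out udp 10.20.30.40 207.25.252.196 4500",  # NAT-T to Boulder
    "out esp 10.20.30.40 129.42.160.16",        # ESP to Rochester
    "out tcp 10.20.30.40 207.25.252.196 443",   # not part of the VPN allow-list
    "in udp 198.51.100.7 10.20.30.40 500",      # inbound IKE attempt
    "out udp 10.20.30.40 198.51.100.9 500",     # undocumented destination
]


def denied_count(lines: List[str] = SAMPLE_FLOWS) -> int:
    """Number of records the policy rejects; useful as a one-line health check."""
    return sum(1 for _, ok, _ in audit(lines) if not ok)


if __name__ == "__main__":
    for record, ok, why in audit(SAMPLE_FLOWS):
        print(f"{'ALLOW' if ok else 'DENY ':5} {record:42} {why}")
```

Feeding real flow records through `audit()` requires only a small adapter in `parse_flow()` for the exporter's format; the policy itself stays the three rules the document states, so any permitted flow that is not to one of the two listed servers, or any inbound attempt against the Service Agent host, is a configuration error worth investigating.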

Inventory information does not include the collection or transmission of any of your company's financial, statistical or personnel data, client information or your business plans. In addition, Service Agent may also provide a call-home mechanism for other IBM offerings you may select in the future. The information collected by those offerings is covered in separate agreements; for example, Performance Management offerings.

Portion of the Electronic Service Agent license agreement: Electronic Service Agent machine inventory information usage within IBM

4. Use of Information

You agree to allow International Business Machines Corporation and its subsidiaries to store and use your contact information, including names, phone numbers, and e-mail addresses, anywhere they do business. Such information will be processed and used in connection with our business relationship, and may be provided to contractors, Business Partners, and assignees of International Business Machines Corporation and its subsidiaries for uses consistent with their collective business activities, including communicating with you (for example, for processing orders, for promotions, and for market research). The Program performs system utilization, performance and capacity planning ("Inventory Collection") and system failure logs and preventative maintenance event ("Hardware Problem Reporting") monitoring functions. You agree that IBM may use and share within IBM and with IBM Business Partners and third parties such as subcontractors and consultants under contract to IBM the data gathered from these monitoring functions ("Your Information") for purposes of problem determination, assisting you with performance and capacity planning, assisting IBM to enhance IBM products and services and notifying you of your system status and solutions we have available. Your Information excludes the collection and transmission of your financial, statistical and personnel data and your business plans.
You also agree that Your Information may be transferred to such entities in any country, whether or not a member of the European Union.

-------------------------------------------------------------------------------------------------------------------------------

January 2006

© International Business Machines Corporation 2004
IBM United States
Route 100
Somers, New York 10589
U.S.A.

IBM, the IBM logo, the eServer logo and Electronic Service Agent are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. Other company, product, and service names may be trademarks or service marks of others.

Disclaimer

The nature of maintaining a high-level security posture dictates that IBM and AT&T Global Services (AGNS) do not divulge in-depth details regarding the management of security: tools, processes and audits.

The English language version of this document prevails over any other language version.