
Introduction

INFINIDAT Remote Support is optional software running on the Support Appliance (SA).

Purpose

The INFINIDAT Remote Support provides a means of creating a secure point-to-point connection for supporting InfiniBox, accelerating the resolution of support cases.

The connection through the Remote Support gives INFINIDAT Support access to the management interfaces and the backend code only. This is equivalent to attaching a keyboard and a screen to the InfiniBox, with the added benefit of a full audit trail of the support session.

The Remote Support provides the following:

  • On-demand secured connection to the InfiniBox on the customer site.
  • End-to-end encrypted channel.
  • Full customer control of the connection.
  • Full visibility and auditing of the session logs.

Terminology

RSA, SA - Remote Support (Appliance)
RSS - Remote Support Server

Security

Outbound tunnel

The outbound tunnel connection from the Support Appliance (SA) to the Remote Support System (RSS) is encrypted with TLS 1.2 (2048 bit AES encryption).

RSA tunnel

Inside that TLS connection, the RSA tunnels regular SSH traffic, which is itself encrypted with SHA256.

Authentication

The authentication is handled by OpenSSH, which is one of the leading solutions in the world today for secure login.

Architecture

The Support Appliance (SA) requires a connection to the INFINIDAT RSS. The connection can be either direct or through a web proxy.

The storage administrator initiates the connection by accessing the SA (port 8000) using a standard browser.

Once a one-time password is set by the customer, the connection is possible only through the tunnel, and only with that password. The internal SSH daemon that serves the session listens only for local connections, so it accepts only connections arriving through the RSS. It is the RSA (not the RSS) that validates the password, so even if the RSS were compromised, it would not grant access to any of the open sessions.

Once a tunnel is stopped, the local process relaying communications to the internal SSH daemon is killed, so no further connections into the SA can be created.

Network topology

The Support Appliance (SA) is a separated server within the InfiniBox rack. It has its own dedicated Ethernet ports.

  1. The customer initiates the connectivity via the Support Appliance and sends the password to the INFINIDAT support representative.
  2. The Support Appliance sends a request to the customer's Proxy Server.
  3. The Support Appliance logs into the customer Proxy Server.
  4. The Support Appliance creates a tunnel to the Remote Support Server.
  5. The support personnel locate the connected InfiniBox system and connect to the Support Appliance via the Remote Support Server, using the provided password.

The outbound connection can go through the same network the administrator is connecting from, or through another network.

It is assumed that the Support Appliance (SA) can either:

  1. Directly reach the internet, or more specifically the RSS
  2. Can reach a proxy (HTTPS/SOCKS4/SOCKS5) enabling it to access the RSS
  3. Can reach a proxy through one or more intermediate hops, each hop being a simple, netcat-like TCP tunnel.
    See: Creating network hops further down this document.

Note

For obvious reasons, we recommend restricting the SA outgoing connection in either of the following ways:

  • To the RSS or to the Proxy only.
  • Based on the customer’s policy.

Both methods of restriction are carried out by the customer’s network or firewall settings.

For cases 1 and 2, the web UI allows the customer to directly configure the connectivity. For option 3, a tunnel should be established first, and only then can the web UI be directed to the first hop as RSS or proxy address.

Ethernet port connectivity

The following chart provides details on the ports that are used for Remote Support.

Ports connectivity

Ports       Protocol   Source              Target                   Purpose
8000, 9000  TCP        Client (browser)    Support Appliance        HTTPS Remote Support Management
443         TCP        Support Appliance   Remote Support Servers   Remote support session
                                           (one dedicated for MainFrame systems)

Setting-up the Remote Support

Always prefer using the InfiniBox GUI for connecting to the Remote Support. If the InfiniBox GUI is not available, use the Challenge Response option.

Setting-up a remote-support connection from the InfiniBox GUI

To set up a remote support connection from the InfiniBox GUI:

  1. On the InfiniBox GUI, click the menu icon at the top-right corner of the screen and select Support Console. The Support Console screen opens.
  2. Fill in the following fields and click Connect.
    • Logged-in username - a username with an Admin role
    • Logged-in user password - the password of this username
    • RSS Address - the address of the Support Console
      • Alternately, use an IP address
    • RSS Secret - the password that was generated by the connection initiator and sent to INFINIDAT
    • Terminate Connection - determine when to automatically terminate the connection
    • Proxy Protocol - determine whether to use a proxy
    • Proxy Address - set the address of the Proxy server

The connection is established.

Challenge-response authentication

The remote support login is performed against the system management layer. When the management layer is not available, challenge-response authentication can be used instead.

  1. Log into the Support Appliance using port 8000 to create a support connection that may require a proxy to reach the internet.
  2. Set a session password and initialize a connection. Optional:
    • Select a Proxy protocol
    • Select a session timeout in the Terminate Connection field. Once the timeout expires, the session disconnects regardless of any activity taking place.
  3. Notify the INFINIDAT support engineer about the connection and the password.
  4. The INFINIDAT support engineer accesses the tunnel.
  5. When done, close the connection using the Stop button.

Session logs

Each session is fully recorded with ttyrec. The logs are kept on the RSS and are available to the customer on demand.

Creating network hops

To set up a tunnel hop, you can use the tunnel.py script (available from INFINIDAT Support). It has no dependencies other than Python >= 2.6. Run it as:

$ python tunnel.py <local port> <remote address> <remote port>

Logically, the tunnel hops are under the customer's control, and it is preferable that the customer, or someone from the IT/netsec department at the customer site, is aware of and in charge of the intermediate tunnel.
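As an added illustration of the netcat-like hop described above (this is not INFINIDAT's tunnel.py, whose source is not on this page), the following Python 3 relay takes the same three arguments as the script and bridges each accepted connection to the next hop; roundtrip() exercises it locally against an echo server standing in for the RSS, and the listen address defaults to loopback so the hop is reachable only from where it is deliberately exposed.

```python
# Added example, not INFINIDAT's tunnel.py: a minimal netcat-like TCP relay for one
# intermediate hop. Each connection accepted locally is bridged both ways to the next hop.
import contextlib
import socket
import threading

def _pump(src, dst):
    """Copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    finally:
        with contextlib.suppress(OSError):
            dst.shutdown(socket.SHUT_WR)

def _relay(client, remote_host, remote_port):
    """Bridge one accepted client socket to (remote_host, remote_port)."""
    with client, socket.create_connection((remote_host, remote_port), timeout=10) as upstream:
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)
        back.join()

def serve(handler, listen_host="127.0.0.1", listen_port=0):
    """Listen and hand each accepted socket to handler on its own thread; return the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((listen_host, listen_port))  # bind only on the interface the SA reaches
    srv.listen(5)
    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

def start_hop(local_port, remote_host, remote_port, listen_host="127.0.0.1"):
    """Same arguments as: python tunnel.py <local port> <remote address> <remote port>."""
    return serve(lambda c: _relay(c, remote_host, remote_port), listen_host, local_port)

def roundtrip(payload):
    """Self-check: client -> hop -> local echo server (stand-in for the RSS) -> back."""
    echo_port = serve(lambda conn: _pump(conn, conn))
    hop_port = start_hop(0, "127.0.0.1", echo_port)
    with socket.create_connection(("127.0.0.1", hop_port), timeout=10) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: c.recv(4096), b""))
```

A real deployment binds listen_host to the address the SA will use and points the SA's web UI at that hop as the RSS or proxy address, as described for case 3 above.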

Auditing the support sessions

The Remote Support creates custom events on the InfiniBox for opening a remote support connection and when INFINIDAT Support connects to the system.

Depending on the Remote Support application version, the events can be either of the following.

CUSTOM_INFO_EVENTS

  • Event code: CUSTOM_INFO_EVENT
  • Event description: one of the following, depending on the reported action:
    • Support session started
    • Infinidat support connected to the system
    • Infinidat support disconnected from the system
    • Support session ended

Separate events for session started and ended

SUPPORT_CONNECTED: Infinidat support connected to the system
SUPPORT_DISCONNECTED (EXTERNAL): Infinidat support disconnected from the system
SUPPORT_SESSION_STARTED (EXTERNAL): Support session '{session_name}' started, will automatically be closed on {session_expiry_time}
SUPPORT_SESSION_ENDED (EXTERNAL): Support session '{session_name}' ended
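The following Python 3 script, added here and not part of the Remote Support product, normalises both event formats above into one action vocabulary and flags a support connection that has no open customer session, a session that ends while support is still connected, or a session that never ends; the event records and their field names (timestamp, code, description) are constructed assumptions rather than actual InfiniBox output.

```python
import re
# Added example, not part of the Remote Support product: map both event formats to one
# action vocabulary and flag support connections outside a customer-opened session.
# Field names "timestamp", "code", "description" are assumed; sample events are constructed.
LEGACY = {  # CUSTOM_INFO_EVENT description -> action
    "Support session started": "session_started",
    "Infinidat support connected to the system": "connected",
    "Infinidat support disconnected from the system": "disconnected",
    "Support session ended": "session_ended",
}
CODES = {"SUPPORT_SESSION_STARTED": "session_started", "SUPPORT_CONNECTED": "connected",
         "SUPPORT_DISCONNECTED": "disconnected", "SUPPORT_SESSION_ENDED": "session_ended"}
SESSION_RE = re.compile(r"Support session '([^']+)'")

def normalize(event):
    """Return (action, session_name); action is None for unrelated events."""
    action = LEGACY.get(event["description"]) if event["code"] == "CUSTOM_INFO_EVENT" else CODES.get(event["code"])
    m = SESSION_RE.search(event["description"])
    return action, (m.group(1) if m else None)

def audit(events):
    """Walk events in time order; return findings (an empty list means clean)."""
    findings, open_session, connected = [], None, False
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        action, name = normalize(ev)
        if action == "session_started":
            open_session = name or "unnamed"
        elif action == "connected":
            if open_session is None:
                findings.append(f"{ev['timestamp']}: support connected with no open session")
            connected = True
        elif action == "disconnected":
            connected = False
        elif action == "session_ended":
            if connected:
                findings.append(f"{ev['timestamp']}: session ended while support still connected")
            open_session, connected = None, False
    if open_session is not None:
        findings.append(f"session '{open_session}' started but never ended")
    return findings

SAMPLE_EVENTS = [  # constructed; ISO-8601 timestamps sort correctly as strings
    {"timestamp": "2018-01-24T11:00", "code": "SUPPORT_SESSION_STARTED",
     "description": "Support session 'case-001' started, will automatically be closed on 2018-01-24T15:00"},
    {"timestamp": "2018-01-24T11:05", "code": "SUPPORT_CONNECTED", "description": "Infinidat support connected to the system"},
    {"timestamp": "2018-01-24T11:40", "code": "SUPPORT_DISCONNECTED", "description": "Infinidat support disconnected from the system"},
    {"timestamp": "2018-01-24T11:45", "code": "SUPPORT_SESSION_ENDED", "description": "Support session 'case-001' ended"},
    {"timestamp": "2018-01-25T02:00", "code": "CUSTOM_INFO_EVENT", "description": "Infinidat support connected to the system"},
]
```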
