Extreme Networks Security Overview 120350-00 User Manual

PSP Security Overview

Premier Services Program (PSP) Tools: Security Overview


PSP Software Appliance and Communications Strategy

PSP Software Appliance

Hardening the software appliance.

The software appliance runs as a service on a Windows server 2000/2003 or XP platform. The appliance software delivered by Extreme Networks contains all the components/services it needs; all non-critical Windows services, aside from basic networking, may be disabled to reduce the attack surface of the appliance server. The customer is responsible for managing the Windows computer hosting the PSP software appliance, including patches and updates to the OS.

Software updates and monitoring.

Extreme Networks continually monitors the health of the appliance to ensure that it is running correctly and is up-to-date. The PSP software running on the customer's Windows computer has an auto-update feature that "pulls" new software versions from the PSP datacenter as they are made available through the software release process.

Communications between the PSP Software Collector and the PSP Datacenter.

Communications between the software collector and the Extreme Networks hosted application are secured through Transport Layer Security (TLS). Authentication is performed bi-directionally through RSA 2048-bit X.509 certificates, and data is encrypted using 256-bit Advanced Encryption Standard (AES) encryption.

Communications through Customer's proxy server.

The PSP software appliance can communicate through an HTTP proxy server where the proxy authentication for Internet access is set up to no- or basic-authentication. Communicating through the proxy does not change the security of the communications to the PSP Datacenter described above. Please check the list of verified proxy servers/types in the PSP product documentation.

No command or control capabilities.

The PSP software collector has no command or control capabilities over any devices in the customer network; it collects read-only performance data.

Data collection on specified devices only.

The PSP software collector collects data only on those devices that the customer specifies.

Simple Network Management Protocol (SNMP) data collection.

The PSP software collector collects read-only data utilizing SNMP versions 1, 2c, or 3. SNMP data is collected from the management information bases (MIBs) supported by the customer's devices.

Flow data collection.

The PSP software collector can be configured by the customer to collect sFlow or NetFlow data only from devices that are explicitly configured to export that data to the software appliance. The PSP software collector is not an in-line device in the communications path, thus it does not alter the reliability or security of network traffic.

Access controlled through access control lists (ACLs).

As a recommended best practice, the customer should restrict the access of SNMP data by setting the permitted SNMP requestors through ACLs on each device.
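One way for a customer to verify that the SNMP ACL recommendation above is actually in effect is to review the device's SNMP agent log and flag any requester that is not the PSP collector. The following script is an added example, not part of the Extreme Networks document or the PSP software; it assumes a constructed collector address (192.0.2.10) and constructed log lines in a Net-SNMP-like "Connection from UDP: [source]:port->[device]:161" format.

```python
import ipaddress
import re
from collections import Counter

# Hosts permitted to query SNMP on the device: here only the PSP collector.
# The address is an assumed value constructed for this example.
PERMITTED_REQUESTORS = ["192.0.2.10/32"]

# Constructed sample of SNMP agent log lines (Net-SNMP style); not real
# device output. The requester appears as "UDP: [source]:port->[device]:161".
SAMPLE_LOG = """\
Connection from UDP: [192.0.2.10]:50123->[192.0.2.1]:161
Connection from UDP: [192.0.2.10]:50124->[192.0.2.1]:161
Connection from UDP: [198.51.100.7]:44001->[192.0.2.1]:161
Connection from UDP: [192.0.2.10]:50125->[192.0.2.1]:161
Connection from UDP: [198.51.100.7]:44002->[192.0.2.1]:161
Connection from UDP: [203.0.113.9]:6161->[192.0.2.1]:161
"""

# Captures the source address of a request aimed at the SNMP agent port.
LINE_RE = re.compile(r"UDP: \[([0-9a-fA-F:.]+)\]:\d+->\[[0-9a-fA-F:.]+\]:161\b")


def is_permitted(source, permitted):
    """True if `source` falls inside any network on the permitted list."""
    addr = ipaddress.ip_address(source)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in permitted)


def unexpected_snmp_sources(log_text, permitted=PERMITTED_REQUESTORS):
    """Return {source_ip: request_count} for SNMP requests from hosts
    outside the permitted list; an empty dict means the ACL is holding."""
    hits = Counter()
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # not an SNMP request line
        source = match.group(1)
        if not is_permitted(source, permitted):
            hits[source] += 1
    return dict(hits)


if __name__ == "__main__":
    for source, count in sorted(unexpected_snmp_sources(SAMPLE_LOG).items()):
        print(f"{source}: {count} SNMP request(s) from a host not on the permitted list")
```

Running the script on the constructed log reports 198.51.100.7 and 203.0.113.9 as requesters the device ACL should have blocked.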