

Stratus ActiveService™ Network
This paper provides a security overview and understanding of the Stratus ActiveService Network and the ancillary infrastructure used to provide Stratus customers with exceptional service.
Table of Contents
Introduction
Security and the Stratus Service Infrastructure
Stratus Service Management Platform by ServiceNow
ActiveService Network (ASN)
Stratus Call Home Service
OpenVOS ASN Connections
Call-home Alerts
Remote Access
ASN Dial-up Connections
Remote Access by BeyondTrust
Frequently Asked Questions
Introduction
Stratus products provide the highest levels of uptime and availability and are designed with a very robust serviceability architecture called the ActiveService™ Network (ASN). Stratus products are self-monitoring and can be configured to report system health issues (for example, a failure of a hardware component) over the internet using the ASN. This capability enables 24x7x365 monitoring of hardware and software platforms by the Stratus Customer Assistance Center (CAC). Stratus products contain hundreds of sensors which continuously monitor the platform against predetermined thresholds. When a threshold is exceeded, the monitoring agent uses the ASN to securely send an alert to the Stratus CAC, where it is processed against a robust rules engine to determine whether the alert is actionable or informational. If informational, the alert is stored in the ASN database for reference and is available to the Stratus support team if ever needed. If the alert is actionable, a support case is created against the system reporting it and dispatched to the Stratus support team for triage review and response.
The ActiveService Network is an integral part of Stratus’ uptime solution, detecting problems and sending them to the experts at Stratus for immediate action and follow-up around the clock. Knowing what caused a software or hardware failure and putting actions in place to prevent it from happening in the future is vital to raising the bar on the availability of mission-critical applications.
Significant problems or even outages are prevented by this continuous monitoring and oversight service enabled by the Stratus ASN feature and available with Stratus service offerings.
Stratus products can also be configured to enable remote support allowing our support engineers to diagnose and determine root cause of problems with your system. Remote access is an integral part of our service operation and allows support engineers to be far more effective and efficient while reducing the time to resolve a problem.
Remote access can be performed in two ways:
1. Attended Remote Access – the end user joins a web remote desktop session and remains connected throughout the diagnostic session.
2. Unattended Remote Access – the end user approves a remote access request sent by a support engineer, allowing a remote session to be performed without their attendance.
All aspects of an unattended remote access session are captured and stored as part of the support case used to document the service request. This provides a full audit of who, what, when, and for how long the remote access session was conducted.
This document has been developed to address the various security concerns that customers may have when considering the implementation of the Stratus ASN to support their Stratus systems.
It provides an overview of how the ASN works and looks in detail at the various measures and options that can be put in place to minimize security risks, and their implications regarding the level of service Stratus can provide.
Security and the Stratus Service Infrastructure
Stratus has strategically designed its Customer Service infrastructure by leveraging industry-leading platforms that adhere to best practice security methodologies. The service offering encompasses a range of platforms, including:
ServiceNow for our service management platform and Service Portal.
BeyondTrust enables remote service capabilities and is integrated with ServiceNow.
Microsoft Azure to host the product call-home front end, integrated with ServiceNow for back-end rules processing and workflow management.
Okta for Single Sign-on (SSO) and multi-factor authentication.
Industry standard encryption protocols.
Stratus implements and follows the principle of least privilege (POLP), a concept in computer security that limits users’ access rights to only what is strictly required to do their jobs. Users are granted permission to read, write, or execute only the applications, systems, and processes necessary to do their jobs.
Stratus Service Management Platform by ServiceNow
Stratus uses the Customer Service Management (CSM) product from market leader ServiceNow for our service management platform. This platform includes a host of features and functionality to support and optimize a global service operation, such as:
Case management – tracking of service requests and related correspondence, analysis, and resolution.
Event Management – rules engine and workflow management of call-home alerts which allow the proactive remote monitoring of the Stratus product installed base.
Service Portal – a secure, customer accessible portal providing seamless, real-time case management between Stratus CAC and our customers for cases regardless of channel reported (system reported, phone, or web). The Service Portal also houses several useful self-help resources including knowledge base, software downloads, and product documentation.
The environment supporting the ServiceNow Platform is a dedicated cloud, fully owned and operated by ServiceNow. This infrastructure supports a multi-instance, logically single tenant architecture that enables isolation of customers from each other and provides real-time visibility of customer data location.
Key security benefits are provided through the application of extensive automation, implementation of a consistently available global infrastructure, and standardized operational processes. Customers can augment their instances with integrations to their own applications, services, and infrastructure as well as adopt built-in platform security features such as data encryption and network access control. Finally, ServiceNow believes its customers are well served by its application of relevant, measurable, and industry recognized information security frameworks. These include ISO/IEC 27001, 27017, 27018, and 27701, as well as accreditation with regional standards and regulations. Transparent disclosure is an additional element of assurance available to all customers. This includes, but is not limited to, provision of the SSAE18 audit reports and ISO certificates.
Reliability of the platform is paramount and thus includes high-availability and disaster recovery capabilities. The Service Portal is further secured by the following controls:
Authentication & authorization implemented via Okta, an industry leading identity provider.
Multi-factor authentication required for all connections.
All communications to the platform are encrypted using TLS 1.2 or greater.
Privileged access controls visibility as appropriate for customers and Stratus staff.
Please refer to “Securing the Now Platform,” an overview of the ServiceNow security program document for additional details.
ActiveService Network (ASN)
The Stratus ActiveService Network is a platform that provides the capabilities for Stratus products to:
Send alerts of error conditions to Stratus via the Stratus Call Home Service.
Send Stratus regular “heartbeats,” the absence of which can trigger an alert indicating a lack of system connectivity to the ASN.
Provide a secure capability to enable remote access to customer-installed Stratus systems.
The customer has complete control over whether to activate or deactivate these features, which can be customized. Please refer to the diagram below of the ASN architecture.

Stratus Call Home Service
The Stratus Call Home Service is a capability integrated into all Stratus products which enables them to send alerts to a Stratus customer service team. The Call Home Service infrastructure is hosted on Microsoft Azure using best practice security controls including reverse proxy with web application firewalls (WAF), stateful firewalls, and zero-trust configuration. High-availability and disaster recovery are also built into the solution.
Alerts sent to Stratus contain a summary of information including a Site ID, a Stratus provided unique identifier, which allows Stratus to identify the system reporting the alert. Additional information about the error or failure condition is included which allows the Stratus service team to determine the appropriate action to take when received. It’s important to note that the alerts do not contain any sensitive information that would create a security risk to the customer.
All communication from the Call Home Service is initiated by the customer system and there is no inbound connectivity required. For successful Call Home operation, SSL/TLS communication to the following URLs is required:
Inetcallhome.stratus.com (ftServer products)
Inetcallhomev2.stratus.com (ftServer products)
Callhome.stratus.com (ztC Edge and everRun products)
Avancecallhome.stratus.com (everRun and Avance products)
Zenasnhome.stratus.com (reserved for future Stratus Products)
Rsntunnel.ecacsupport.com (V Series and VOS products)
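The egress rules above can be checked against proxy or firewall logs. The following is an added example, not Stratus code: it flags outbound connections from a Stratus system to hosts outside the list above, TLS below 1.2, and any inbound connection. The log format, IP addresses and sample lines are constructed, and the TLS 1.2 floor is taken from what this paper states for ASN connections.

```python
import re

# Call Home hostnames listed on this page (compared case-insensitively).
CALL_HOME_HOSTS = {
    "inetcallhome.stratus.com", "inetcallhomev2.stratus.com",
    "callhome.stratus.com", "avancecallhome.stratus.com",
    "zenasnhome.stratus.com", "rsntunnel.ecacsupport.com",
}
# Certificate-status host named in the FAQ. OCSP responses are signed and are
# commonly fetched over plain HTTP, so no TLS floor is applied to it.
CERT_STATUS_HOSTS = {"ocsp.digicert.com"}
MIN_TLS = (1, 2)  # assumption: the TLS 1.2 floor this paper states for ASN connections

# Assumed (hypothetical) log format: "<ts> src=<ip> dst=<host|ip> dir=<in|out> proto=<name>"
LINE_RE = re.compile(
    r"^\S+ src=(?P<src>\S+) dst=(?P<dst>\S+) dir=(?P<dir>in|out) proto=(?P<proto>\S+)$")

def tls_version(proto):
    """(major, minor) for 'TLSv1.2'-style names, (0, 0) for SSLv*, None if not TLS."""
    m = re.fullmatch(r"TLSv(\d+)\.(\d+)", proto)
    if m:
        return int(m.group(1)), int(m.group(2))
    return (0, 0) if re.fullmatch(r"SSLv\d+", proto) else None

def audit(lines, stratus_ips):
    """Return (line_no, finding, detail) for every line that breaks the egress policy."""
    findings = []
    for n, raw in enumerate(lines, 1):
        m = LINE_RE.match(raw.strip())
        if not m:
            findings.append((n, "unparsed", raw.strip()))  # never skip silently
            continue
        src, dst = m["src"], m["dst"].lower().rstrip(".")
        if m["dir"] == "in":
            if dst in stratus_ips:  # Call Home needs no inbound connectivity
                findings.append((n, "inbound", src))
            continue
        if src not in stratus_ips or dst in CERT_STATUS_HOSTS:
            continue
        if dst not in CALL_HOME_HOSTS:  # exact match, so look-alike suffixes fail
            findings.append((n, "unlisted-destination", dst))
            continue
        ver = tls_version(m["proto"])
        if ver is None or ver < MIN_TLS:
            findings.append((n, "weak-tls", f"{dst} {m['proto']}"))
    return findings

# Constructed sample log; 10.20.0.15 stands in for a Stratus system.
SAMPLE_LOG = """\
2025-01-10T03:12:45Z src=10.20.0.15 dst=Inetcallhome.stratus.com dir=out proto=TLSv1.2
2025-01-10T03:12:46Z src=10.20.0.15 dst=ocsp.digicert.com dir=out proto=HTTP
2025-01-10T03:20:02Z src=10.20.0.15 dst=callhome.stratus.com dir=out proto=TLSv1.0
2025-01-10T03:21:17Z src=10.20.0.15 dst=callhome.stratus.com.example.net dir=out proto=TLSv1.3
2025-01-10T03:25:40Z src=198.51.100.7 dst=10.20.0.15 dir=in proto=TLSv1.2
2025-01-10T03:30:00Z src=10.20.0.99 dst=updates.example.org dir=out proto=TLSv1.3
truncated line without fields
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, {"10.20.0.15"}):
        print(finding)
```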
OpenVOS ASN Connections
Stratus OpenVOS products use the ASN network for call home alerts as well as remote access connections using TLS 1.2 protocol. Both connection processes are described below.
Call-home Alerts
Outgoing call-home alerts sent to the Stratus ASN contain no user or sensitive data. Only the Stratus ASN can determine the source of a call-home alert, using the Stratus ServiceNow Customer Service Management application. The OpenVOS call-home process flow is described below:
The OpenVOS system initiates the connection to the Stratus ASN when sending an alarm to the Stratus HUB.
Alerts or heartbeats originate at the OpenVOS level on the server and use the system’s RSN Console to connect and transmit to the Stratus ASN using TLS 1.2.
This encrypted connection is verified by the corresponding digital certificate to reinforce a trusted and secure connection to the Stratus ASN.
Stratus advises its customers to restrict the outgoing connection to the inetcallhome.stratus.com URL and the corresponding digital certificate sites.
Remote Access
There are 5 levels of security in place for OpenVOS remote access connections as described in the process below:
A Stratus service engineer accesses the ASN to request a remote access connection which requires a username/password login and multi-factor authentication via Okta.
Once the multi-factor authentication has been satisfied, a connection request is made to the ASN requiring the customer system to acknowledge the request. The OpenVOS system performs periodic polling of the ASN to see if a request to connect exists and will grant the pending connection.
When the customer system has established connection to the Stratus ASN, a Stratus service engineer can then establish a remote access session to the system. This request uses a username/password login which is held on the RSN Console of the customer system.
The customer must unmask (unlock for remote connection) the system before a remote access session can be established using the “maint_request” OpenVOS command.
Once the server has been set for unmask then the final user authentication against OpenVOS can take place. The customer has complete control of login requirements including password length and complexity as well as permissions and access levels of the authenticated user. Restrictions to specific directories are set and managed by the customer and cannot be modified by Stratus.
ASN Dial-up Connections
Although used far less frequently, Stratus ASN still provides support for modem connected systems for bi-directional connectivity, enabling call home alerts and remote access. The telecommunications industry has started to announce end of support for the analog lines required for modem connectivity as early as the end of 2025.
Stratus is taking proactive steps to assist customers in moving from modem to internet connectivity to avoid disruption in service. Stratus will soon provide a formal end of life announcement for modem support to the affected customer base. In the meantime, Stratus will continue to support modem connectivity as described below.
ASN modem dial up connections initiated by Stratus are established via a callback process. An enquiry call is made from Stratus to the ftServer system at which time a username and password is supplied. The ftServer system breaks the connection then validates the username and password against an internal database under the control of the customer. If valid, the ftServer system then dials an ASN Hub at a preconfigured phone number. The ftServer system then presents a valid system serial number and password prior to being granted access to the ASN. If this validation is successful, the ASN Hub looks for and completes the connection to a Stratus customer service engineer. This prevents an unauthorized person in possession of the ftServer system’s phone number (and even username/password) from connecting to the site from an unauthorized location.
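The callback sequence above can be modelled as an exchange between the two sides. This is an added example, not Stratus code, showing where an attempt with altered or stolen values stops; all phone numbers, serial numbers, names and passwords are constructed.

```python
import hmac

HUB_NUMBER = "+1-555-0100"  # constructed stand-in for the preconfigured ASN Hub number

def _eq(a, b):
    # Constant-time comparison so a check does not leak how much of a secret matched.
    return hmac.compare_digest(a.encode(), b.encode())

class AsnHub:
    """Stratus side: validates the dialling system, then pairs it with a waiting engineer."""
    def __init__(self, systems):
        self.systems = systems   # serial number -> password
        self.pending = {}        # serial number -> engineer who requested the session

    def request_session(self, engineer, serial):
        self.pending[serial] = engineer

    def accept_call(self, serial, password):
        expected = self.systems.get(serial)
        if expected is None or not _eq(expected, password):
            return ("rejected", "hub-validation-failed")
        engineer = self.pending.pop(serial, None)  # one request, one session
        if engineer is None:
            return ("rejected", "no-pending-engineer")
        return ("connected", engineer)

class FtServer:
    """Customer side: never continues on the inbound call, only dials the hub."""
    def __init__(self, users, serial, hub_password, hub_number):
        self.users = users       # customer-controlled username -> password
        self.serial, self.hub_password, self.hub_number = serial, hub_password, hub_number

    def enquiry_call(self, caller, username, password, phone_network):
        # The inbound call is dropped before validation; `caller` is never dialled back.
        expected = self.users.get(username)
        if expected is None or not _eq(expected, password):
            return ("rejected", "bad-enquiry-credentials")
        hub = phone_network.get(self.hub_number)  # only the preconfigured number
        if hub is None:
            return ("rejected", "hub-unreachable")
        return hub.accept_call(self.serial, self.hub_password)

def demo():
    hub = AsnHub({"SN-0001": "hub-secret"})
    net = {HUB_NUMBER: hub}
    server = FtServer({"stratus": "enquiry-pw"}, "SN-0001", "hub-secret", HUB_NUMBER)
    out = {}
    hub.request_session("engineer-a", "SN-0001")
    out["legitimate"] = server.enquiry_call("+1-555-0101", "stratus", "enquiry-pw", net)
    # Valid enquiry credentials used from elsewhere: the server still dials the hub,
    # where no engineer is waiting, so the caller gains nothing.
    out["stolen-creds"] = server.enquiry_call("+1-555-0199", "stratus", "enquiry-pw", net)
    out["wrong-password"] = server.enquiry_call("+1-555-0199", "stratus", "guess", net)
    altered = FtServer({"stratus": "enquiry-pw"}, "SN-0001", "altered", HUB_NUMBER)
    hub.request_session("engineer-a", "SN-0001")
    out["altered-hub-password"] = altered.enquiry_call("+1-555-0101", "stratus", "enquiry-pw", net)
    return out

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```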
Remote Access by BeyondTrust
Stratus products can be configured to enable remote support, allowing our support engineers to diagnose and determine the root cause of problems with your system. Remote access is an integral part of our service operation and allows support engineers to be far more effective and efficient while reducing the time to resolve a problem.
Remote access can be configured to perform in two ways:
Attended Remote Access – the end user receives a web meeting invitation and clicks a link to join a remote web session (Stratus uses Zoom or Teams for attended remote access). The end user needs to attend the full remote session while the Stratus support engineer conducts diagnostic and troubleshooting steps. The end user would need to either run all commands as instructed by the support engineer or provide control to the Stratus support engineer (preferred for efficiency) and remain connected throughout the diagnostic session.
Unattended Remote Access – the end user approves a remote access request sent by Stratus support engineer, allowing a single remote session to be performed without their attendance. Once approved, the support engineer can connect to the system and complete their diagnostic and troubleshooting steps.
To ensure the security of these unattended remote access connections, Stratus utilizes the Privileged Remote Access solution from BeyondTrust, which is widely recognized as an industry leader in secure remote service capability. The BeyondTrust solution incorporates robust security measures, including the mandatory use of SSL/TLS for every connection made to the remote access site and only accessible by authorized customer service representatives. All aspects of a remote access session are captured and stored as part of the support case used to document the service request. This provides a full audit of:
Who connected – the details of the Stratus authenticated user performing the remote session.
When and how long they connected – the specific dates, times, and duration of the connected session.
What actions were performed while connected during the remote session – includes a full video playback of the remote session, a list of commands executed, and files transferred.
BeyondTrust places a strong emphasis on security and compliance by obtaining certifications against various industry standards such as ISO 27001 and SOC 2. For more details, please refer to the Privileged Remote Access Security in Cloud Whitepaper (beyondtrust.com).
Frequently Asked Questions
Why would Stratus require the use of a remote access session to my Stratus product(s)?
Although Stratus products are designed for continuous availability, there are occasions when Stratus will need to remotely connect to the systems, either to verify the systems’ self-diagnosis, or to assist in the resolution of a software related issue. Stratus’ ability to provide support and complete a conclusive root cause analysis is severely compromised without the use of remote support and may significantly increase the time it takes to resolve the issue.
What options do I have to restrict Stratus remote access?
Every operating system (OS) used on Stratus hardware and software platforms that support remote access allows customers to stop, disable, and in some cases fully uninstall remote access software. Inbound ASN remote access can be disabled by the customer on the fly using Stratus’ provided tools.
In addition to restricting unattended remote access using specific tools, for some systems customers may choose to provide one-time OS login passwords to Stratus support personnel. This approach can further improve the security imposed on remote access.
What utilities and tools does Stratus use during a remote support session?
Upon establishing a remote support session via the ASN, the support staff typically use the general administration tools appropriate to the base operating system. Windows, Linux, and VMware provide tools for dump analysis, log review, etc. Additionally, the Stratus AUL software provides data capture of the hardware state that support staff can examine.
What auditing of support activity is there?
The remote access solution from BeyondTrust features a complete audit capability tracking each connection. Details tracked include time, date, and duration of the remote session, who conducted the remote session, what commands were run, and what files transferred. These audit details are associated with the support case through integration between BeyondTrust and ServiceNow, providing a seamless audit trail.
How much access does Stratus have to my network and the files in it?
Stratus access is restricted to what you’ve provided with the login ID. It is the customer’s responsibility to assign the correct level of authorization to the Stratus login. A local administrator account is required to provide support, but this does not imply access at domain level. Like any other Windows login, it is possible to restrict the access of the Stratus login using standard Group Policies.
What are your provisions for detecting and responding to “Hacking” or denial of service (DDOS) attacks?
Stratus employs an Intrusion Prevention System that notifies network engineers who are on call 24x7.
What ports are proposed for use on our firewall? What protocols?
The following is a list of URLs and ports that may need to be opened:
ocsp.digicert.com
Customer sites need to access the Digital Certificate URL to verify the SSL certificate and get the latest certificate revocation lists. Stratus currently uses Digicert as its trusted Certificate Authority vendor.
Where is the user record or identification defined, who defines the user, and who maintains those records?
Stratus customer service engineers access the ASN using account login credentials managed and maintained by the Stratus IT organization. All logins require Multi-Factor Authentication (MFA) using Okta identity and access management. The Stratus products owned and operated by the customer use local accounts created and maintained by the customer to determine access and privileges for Stratus customer service engineers’ access to the system.
Where are access attempts by an unauthorized user logged?
The ASN maintains logs for successful and failed access attempts; attempts to access the ASN via the dial-in modems are logged by Windows RRAS. The Stratus IT and Security organization has processes and procedures in place to detect unauthorized attempts or suspicious activity and take necessary measures to ensure security at all times.
Does the system log off inactive users? What time settings are available and how are they established?
The ASN has a provision for breaking idle connections after a configurable amount of time. The security policies of the customer systems are under the control of the individual customers who own them.
The BeyondTrust solution will not only break idle connections to the remote system but also log out an idle user from BeyondTrust’s Privileged Remote Access console. Currently, both timeouts are set for one hour. This means that after one hour an idle user will be disconnected from the remote system and logged out from BeyondTrust’s Privileged Remote Access console. The security policies of the customer system are under the control of the individual customers who own them.
Has Stratus tested their server to ensure that connection attempts without valid site id are rejected?
Yes. This has been tested and evaluated by a third-party security audit firm.
Is it possible to submit an authentication request with an altered password, serial number, and second password? Can we observe an authentication attempt in order to watch it fail? Has Stratus tested this?
Yes, it is possible, and we can arrange to alter this information for a test. Stratus has performed this test.
Does Stratus ASN Hub mask customers IP addresses?
The IP addresses known to the ASN during the connection are Stratus addresses, which are temporarily assigned to the customer system only for the duration of the connection.