Intel Active Management Technology Operating System Intel Hardware

Intel Active Management Technology Operating System Intel Hardware Intel AMT

Intel Active Management Technology Operating System Intel Hardware Intel AMT

Intel® Active Management Technology Core™2 Duo

Changing the Game: Intel® Active Management Technology Out-of-band system management Remote management regardless of power on/off state or OS state Direct connection via TCP/IP firmware stack Tamper-resistance Hardware/firmware solution Persistence Nonvolatile storage of state Survives power outages and system rebuilds

Out-of-band system management Discover PCs and their configuration on the network independent of their operational state Remote hardware/software inventories Securely wake & update PCs Remote troubleshooting and recovery Remotely repair a PC Prevent critical security code from being disabled Process monitoring (e.g. anti-virus) Detect & block anomalous network behavior Network packet filtering for inbound/outbound traffic Proactive alerting

WS-Management for In-band and Out-of-band Machine Boundary Management Applications WS-Man Listener WS-Man (OS Running) WDM provider User Intel® AMT Driver Kernel Hardware Intel® AMT Controller WS-Man (pre-boot, post crash) Intel, Microsoft and other industry players have announced WS-Management to help address the cost and complexity of IT management

Intel Active Management Technology

Intel AMT architecture

Intel® Active Management Technology Discover Your Assets ? IT Management Console PCs on Network Discover: Intel® AMT downloads HW & SW asset information from the BIOS and OS into non-volatile memory during boot, which can be accessed by IT anytime because users can’t remove or prevent IT access to the information.

NAC Framework Solutions: Client Security Example solution built with Intel CTA = Cisco Trust Agent NAC = Network Admission Control Intel® AMT provides configuration state information to CTA Intel® AMT is granted access to enterprise network 3 Posture Plug-In CTA NAC-Enabled Network Intel Platform Intel AMT communicates platform HW / SW state to NAC and supports remediation of quarantined platforms The main attribute of Intel AMT is that it works independently of the operating system, which allows new methods of discovery, healing, and protection on your network. Intel calls this ability out-of-band management. With Intel AMT, administrators can discover networked systems in their environments, regardless of the system power state or operating system condition. The administrators can use the remote control capabilities to heal a networked system, even if the operating system (OS) has failed. Intel will provide a posture plug-in for Cisco Trust Agent. The plug-in will provide platform configuration information to CTA, allowing Intel AMT to meaningfully participate in the Cisco NAC infrastructure. The data sent to the Cisco Trust Agent includes: BIOS revision level Intel AMT firmware revision level Intel AMT status Intel AMT configuration settings Other NAC-compliant plug-ins will also report their posture levels to the NAC Access Control Server (ACS). In the event that a given plug-in reports a noncompliant configuration setting, Cisco ACS will block access to the corporate network. Intel AMT can be used for updating/healing the system to a compliant posture. For example, if the OS firewall policies on a platform were noncompliant, the IT administrator could use the Intel AMT third-party data store to push an updated policy on to the platform for remediation of it. The firewall posture plug-in would recognize this change and initiate a new NAC exchange to let the platform onto the corporate network. 1 Intel® AMT NAC Policy Server assess AMT posture and grants network access based on IT policy 2

Management Console from ISV partners Embedded IT: Proof of concept for wireless manageability and Security demo Management Console from ISV partners Enterprise Intranet Mobile Concept PC IT embeds rule to detect a specific network based attack in NB Client’s Manageability Engine The Manageability Engine detects specific attack and alerts IT and isolates PC from network IT then takes following actions via Out of Band Channel: Queries PC to fix issue Restores PC to network

Securing AMT Hardware/firmware solution Only firmware images digitally signed by Intel are allowed to run OOB communication done via TLS with RSA keys of length 1536 bits Server authentication Optional client authentication Maximum of 4 sessions HTTP Digest authentication RFC 2617 for authenticating users Access controlled storage of critical data to non-volatile data store in AMT hardware Random number generator in firmware to generate high-quality keys Hardware acceleration of cryptographic primitives

Extra slides

EDS Pilot of Intel® Active Management Technology

Hardware Enhanced Manageability Intel® Active Management Technology with Microsoft* System Management Server 2003 plug-in Discover & Wake Up the PC (Even if Powered Down) Heal: Use Serial Over LAN (SOL) to Configure BIOS if PC is Not Responding Protect Against Malicious Software Attacks Intel® Active Management Technology requires the platform to have an Intel® AMT-enabled chipset, network hardware and software.  The platform must also be connected to a power source and an active LAN port.