INTRODUCTION
Keeping data secure in a mobile environment is not only a daunting challenge but a critical requirement. HITECH, HIPAA, data-breach notification rules, and other increasingly stringent data security and privacy regulations have added complexity for companies with mobile users. Loss or theft of systems and data is not only costly to your company; it can result in financial or legal exposure and cause significant disruptions to business.
Laptops with a new 2010 Intel® Core™ processor with Intel® Anti-Theft Technology (Intel® AT) provide IT administrators with intelligent protection of lost or stolen assets. Intel AT gives you the ability to disable your PC with a local or remote poison pill if the system is lost or stolen. This poison pill can delete essential cryptographic material from system hardware in order to disable
Intel AT includes several hardware-based detection mechanisms for potential loss or theft situations. When a suspicious situation is identified, Intel AT can enter "theft mode" and respond according to your company's information technology (IT) policies. Because Intel AT has a flexible policy engine, you can specify which detection mechanism asserts theft mode, the thresholds and timer intervals, and the theft-response action(s) to take.
Data Security
Today’s world runs on computing devices that are connected to each other through the global Web. Schools, hospitals, social networks, and even national defense systems are all driven by these technologies. Conservative estimates suggest that by 2015 we will have over 10 billion devices in active use—and the vast majority of these will be mobile and Web-enabled.
As our dependency on computing devices grows, so does our exposure to malicious code, viruses, cyber espionage, and malware. In June 2009, Kaspersky Lab, a well-known security specialist, detected the 25 millionth program designed for malicious intent. As a major provider of computing technology to the world, Intel Corporation takes its role in helping to protect users from attack very seriously. Below are the areas Intel believes are the cornerstones of secure computing environments:
Security assurance.
For Intel, creating more secure products means building to consistent and high design standards in everything we make. To understand where threats may emerge and to ensure that our standards maintain global currency, Intel regularly consults with global security experts and the security research community.
Standards and policy.
Due to Intel’s central role in global computing technology development, we continue to support and contribute to key security standards through organizations such as the Trusted Computing Group (TCG). In addition, Intel influences regulation and legislation to ensure that we continue to deliver relevant and compliant technologies.
Security innovation.
Intel continues to enhance systems so they run more securely and can handle the growing workloads more efficiently. A key component of this approach is providing more robust, vulnerability-resistant platforms. This is increasingly important as attackers start targeting base components such as firmware and controllers.
Secure ecosystems.
Intel products are only part of making computing more secure. The company recognizes the need to engage the entire technology ecosystem to cultivate more complete protections. With this in mind, Intel continues to grow its relationship with both software and hardware security vendors for complementary solutions. It also works with traditional general purpose software providers to encourage greater implementation of secure computing.
INTEL ANTI-THEFT TECHNOLOGY FOR LAPTOP SECURITY
What is it?
Intel® Anti-Theft Technology is an intelligent way for you to help secure the mobile assets of your workforce. This laptop security technology is built into select 2nd generation Intel® Core™ and 2nd generation Intel® Core™ vPro™ processor families. If a laptop is lost or stolen when the user is out of the office, the PC can be disabled at the pre-boot level so that it is useless to thieves. It helps protect your company's intellectual property before the operating system ever loads, and it allows fast reinstatement of the laptop without damage to its data should the laptop be recovered. Intel AT is available on select 2nd generation Intel Core and 2nd generation Intel Core vPro processor family–based laptops when activated with a service subscription from an Intel AT-enabled service.
Why it matters.
Laptop theft costs corporate America over USD 5.4 billion each year.[1] In everyday life, this amounts to 12,000 laptops disappearing every week from U.S. airports alone, and a laptop being stolen every 53 seconds.[1] Data security becomes more significant as employees become more mobile. Add the demands of healthcare privacy laws, and asset security can have a significant impact on your business.
How it works.
Protection for laptop users.
Intel Anti-Theft Technology (Intel AT) is built into the hardware of your laptop, so it is active as soon as the machine is switched on, before the operating system starts. If your laptop is lost or stolen, a local or remote "poison pill" can be activated that renders the PC inoperable by blocking the boot process, so a thief cannot get past startup. The local triggers work without Internet access, and because the enforcement runs below the operating system, it resists the tampering (booting another OS, swapping the hard drive) that defeats software-only solutions.
Laptop Security for your company.
Intel® AT is designed to give IT administrators maximum flexibility and secure control of network assets. Since it is built-in at the processor level, the IT administrator has a range of options to help secure mobile assets, such as:
- Disable access to encrypted data by deleting essential elements of the cryptographic material required to access the encrypted data on the hard drive.
- Disable the PC with a "poison pill" that blocks the boot process, even if the boot order is changed or the hard drive is replaced or reformatted. Whatever state the PC is in, it checks for a pending poison pill as soon as it begins to power on; the pill can be delivered over the network or by text message.
- A customizable "theft mode" message lets the IT administrator show whoever starts up the laptop a notice that it has been reported stolen.
- Excessive login attempts: after an administrator-defined number of failed pre-boot login attempts, the Intel AT trigger is tripped and the system locks itself down.
- Failure to check in with the central server: the IT administrator sets a check-in interval, and when a check-in is missed the system is locked down until the user or IT administrator reactivates it.
Businesses now have built-in client-side intelligence to secure sensitive data, regardless of the state of the operating system, hard drive, boot order, or network connectivity. This hardware-based technology provides compelling tamper resistance and increased protection to extend your security capabilities anywhere, anytime on or off the network.
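The triggers and responses above compose into a small state machine. The following Python model is an added example, not Intel's firmware or Intel AT service code; the class names, default thresholds and the two-share key split are assumptions made for illustration. It shows the two local triggers (failed pre-boot logins and a missed check-in with the server), the remote poison pill, the two responses (block the boot and delete the hardware-held share of the disk key), and reactivation, in which the disk contents are untouched and only the key share has to be re-provisioned from an escrowed copy held by IT (how the real service does this is not described on this page).

```python
"""Toy model of an Intel AT-style theft-mode policy engine.

Added example for illustration only; it is not Intel's firmware or service
code. Class names, thresholds and the key-split scheme are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    # Values an IT administrator would set in the Intel AT console (constructed).
    max_failed_logins: int = 3            # pre-boot login failures before theft mode
    rendezvous_interval: int = 7 * 86400  # seconds allowed between server check-ins
    wipe_key_share: bool = True           # response: delete cryptographic material
    block_boot: bool = True               # response: "poison pill" blocks the boot
    theft_message: str = "This laptop has been reported stolen."


@dataclass
class Platform:
    policy: Policy
    now: int            # simulated clock, seconds
    last_checkin: int   # time of the last successful server rendezvous
    failed_logins: int = 0
    theft_mode: bool = False
    boot_blocked: bool = False
    # The disk encryption key (DEK) is split into two XOR shares: one held in
    # "hardware", one stored on disk. Both are needed; deleting the hardware
    # share makes the DEK, and therefore the encrypted disk, unrecoverable.
    hw_share: Optional[bytes] = None
    disk_share: bytes = b""
    recovery_token: bytes = field(default_factory=lambda: secrets.token_bytes(16))

    def install_disk_key(self, dek: bytes) -> None:
        self.hw_share = secrets.token_bytes(len(dek))
        self.disk_share = bytes(a ^ b for a, b in zip(dek, self.hw_share))

    def disk_key(self) -> Optional[bytes]:
        """Reassemble the DEK, or None once the hardware share is gone."""
        if self.hw_share is None:
            return None
        return bytes(a ^ b for a, b in zip(self.disk_share, self.hw_share))

    def _enter_theft_mode(self, reason: str) -> str:
        self.theft_mode = True
        if self.policy.wipe_key_share:
            self.hw_share = None          # key material deleted from "hardware"
        if self.policy.block_boot:
            self.boot_blocked = True      # pre-boot firmware refuses to continue
        return reason

    def checkin(self) -> None:
        """Successful rendezvous with the Intel AT server resets the timer."""
        self.last_checkin = self.now

    def tick(self, seconds: int) -> Optional[str]:
        """Advance the clock; a missed rendezvous trips the timer trigger."""
        self.now += seconds
        if not self.theft_mode and self.now - self.last_checkin > self.policy.rendezvous_interval:
            return self._enter_theft_mode("missed rendezvous")
        return None

    def preboot_login(self, ok: bool) -> Optional[str]:
        """Count consecutive failures; reaching the threshold trips the trigger."""
        if self.theft_mode:
            return self.policy.theft_message   # shown to whoever powers it on
        if ok:
            self.failed_logins = 0
            return None
        self.failed_logins += 1
        if self.failed_logins >= self.policy.max_failed_logins:
            return self._enter_theft_mode("failed login threshold")
        return None

    def remote_poison_pill(self) -> str:
        """Pill received over the network (or text message) at power-on."""
        return self._enter_theft_mode("remote poison pill")

    def reactivate(self, token: bytes, escrowed_dek: Optional[bytes]) -> bool:
        """Recovery: IT supplies the per-platform token. The disk contents were
        never touched, so re-provisioning the key share restores access."""
        if not hmac.compare_digest(token, self.recovery_token):
            return False
        self.theft_mode = self.boot_blocked = False
        self.failed_logins = 0
        if escrowed_dek is not None:
            self.install_disk_key(escrowed_dek)
        return True
```

The point the model makes concrete: a policy with `wipe_key_share=True` protects the data even when `block_boot` is bypassed (the drive is moved to another machine), because the bytes on the drive are useless without the share that lived only in the platform; and the timer trigger needs no connectivity at the moment of theft, only the absence of a check-in.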
DATA PROTECTION
Intel® AES New Instructions (Intel® AES-NI)
What is it?
Intel® AES instructions are a new set of instructions available beginning with the 2010 Intel® Core™ processor family based on the 32nm Intel® microarchitecture codenamed Westmere. These instructions enable fast and secure data encryption and decryption using the Advanced Encryption Standard (AES), which is defined by FIPS Publication 197. AES is currently the dominant block cipher and is used in many protocols.
The architecture consists of six instructions that offer full hardware support for AES. Four instructions support AES encryption and decryption, and the other two support key expansion (deriving the round keys from the cipher key).
The AES instructions have the flexibility to support all usages of AES, including all standard key lengths, standard modes of operation, and even some nonstandard or future variants. They offer a significant increase in performance compared to the current pure-software implementations.
Beyond improving performance, the AES instructions provide important security benefits. Because they run in data-independent time and do not use lookup tables, they eliminate the major timing and cache-based side-channel attacks that threaten table-based software implementations of AES. They also make AES simpler to implement, with smaller code, which reduces the risk of inadvertently introducing security flaws such as difficult-to-detect side-channel leaks.
Intel's white paper on the instructions gives an overview of the AES algorithm and the AES instructions, provides guidelines and demonstrations for using them to write secure, high-performance AES implementations, and supplies a library for AES in ECB, CBC and CTR modes together with measured performance numbers.
The Advanced Encryption Standard (AES) algorithm is now widely used across the software ecosystem to protect network traffic, personal data, and corporate IT infrastructures. Data protection by encryption (transforming data with a mathematical algorithm so that it is unreadable by unauthorized entities but recoverable by authorized ones) is frequently specified or recommended as the way to protect data.
Intel® AES-NI is a new instruction set for accelerating data encryption, introduced in the Intel® Xeon® processor 5600 series and the Intel® Core™ i5 processor 600 series. Counted together with the carry-less multiplication instruction (PCLMULQDQ) that ships alongside it, it comprises seven new instructions that accelerate encryption and decryption, key generation and the inverse mix-columns matrix step, and carry-less multiplication. Intel AES-NI also helps alleviate the performance challenges inherent in cryptographic processing.
Why Intel® AES-NI matters.
Encryption is a well-established method for data protection. It is most commonly used to secure transactions across networks, such as the Internet, where personal or financial information needs to be kept private. It is also often used in combination with authentication schemes to prevent undesired disclosure when data is being stored for later use such as on an encrypted drive or as an encrypted file stored in a cloud-based service.
How it works.
By implementing some of the complex and costly sub-steps of the AES algorithm in hardware, Intel AES-NI both strengthens and accelerates AES. With the seven new instructions described above, data can be encrypted faster and with less exposure to implementation flaws, so encryption can be applied more routinely.
MALWARE REDUCTION
Intel® Trusted Execution Technology (Intel® TXT)
What is it?
Intel® Trusted Execution Technology (Intel® TXT) is a hardware solution that verifies key components of a server or PC at launch. Acting as the platform's "root of trust," the hardware measures the launch-time components and configuration and compares the measurements against a "known good" reference. Against this verified benchmark, the system can quickly detect any attempt to alter or tamper with the launch-time environment.
Why it matters.
Malware is a consistent and growing threat to IT. While the mechanisms of malware vary, they all seek to corrupt systems and disrupt business, steal data, or usurp control of platforms. As companies adopt more virtualized, shared, and multi-tenant infrastructure models, the perimeter of the traditional network infrastructure is more dispersed and exposed to vulnerabilities. Similarly, traditional approaches of looking for “known bad” elements (the approach of most anti-virus or anti-malware programs) are only partially effective at coping with the increasing volume and sophistication of attacks today. Intel TXT provides an additional enforcement point and a different “known good”–focused approach to check for malicious software on client and server platforms.
How it works.
Intel TXT provides an infrastructure rooted in the processor that enables an accurate comparison of all the critical elements of the launch environment against a "known good" source. Intel TXT computes a cryptographic hash (a measurement unique to each approved launch component) and provides hardware-based enforcement mechanisms to block the launch of any code whose measurement does not match the approved value. This hardware-based approach provides the foundation on which a trusted platform solution can be built to better protect against software-based attacks. Intel TXT is designed to scale with the needs of your organization and help protect both the end user and the company infrastructure from malicious intent.
Benefits of Trusted Execution Technology
Three use models can help illustrate the flexibility and benefits of Trusted Execution Technology:
• Local verification
• Remote verification
• Multi-level operation
Local Verification
Local verification uses the measurement capability of Trusted Execution Technology to allow the local user to have confidence that the platform is executing in a known state. The confidence comes from the hardware ability of Trusted Execution Technology to properly measure the launched configuration and store the measurement in the platform Trusted Platform Module (TPM).
Remote Verification
Remote verification takes the measurements obtained by Trusted Execution Technology and stored in the TPM, and uses the TPM to inform remote entities (not executing on the platform) about the current platform configuration. Of essence in this use model is that the remote entity can rely on the measurement and storage properties of Trusted Execution Technology described above rather than on software running on the platform it is evaluating.
Multi-level Operation
Multi-level operation takes advantage of the memory protections provided by Trusted Execution Technology to run two or more applications or operating systems that require strict separation and managed communication between the entities. Those wishing to rely on these properties make use of either local or remote verification to ensure that the proper environment is set up and executing.
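The local and remote verification models above both rest on one primitive: a TPM platform configuration register (PCR) that can only be extended, never set. The following Python is an added example, not Intel TXT, tboot or TPM code; the component blobs are constructed stand-ins for the launch components, the HMAC stands in for the TPM's RSA-signed quote (a real verifier checks the quote against the attestation identity key's public key), and the seal scheme is a simplified model of TPM sealing. It shows that a tampered or reordered launch produces a different PCR, that a secret sealed to the known-good PCR cannot be unsealed in any other state (local verification), and that a remote verifier accepts only a fresh quote over a known-good PCR (remote verification).

```python
"""Measured launch, sealing and remote attestation, stdlib-only model.

Added example; not Intel TXT, tboot or TPM code. The component blobs, the
HMAC stand-in for the TPM's signed quote, and the seal scheme are assumptions.
"""
import hashlib
import hmac
from typing import List, Optional, Tuple

PCR_ZERO = bytes(20)   # TPM 1.2 PCRs are SHA-1 sized and start at zero


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: new PCR = SHA-1(old PCR || measurement). One-way and
    order-dependent, so one PCR value summarises the whole launch sequence."""
    return hashlib.sha1(pcr + measurement).digest()


def measured_launch(components: List[bytes]) -> bytes:
    """Hash each launch component in order and extend the result into a PCR."""
    pcr = PCR_ZERO
    for blob in components:
        pcr = extend(pcr, hashlib.sha1(blob).digest())
    return pcr


# Constructed stand-ins for the launch-time components (not real firmware).
KNOWN_GOOD = [b"SINIT ACM build 17", b"tboot 1.7", b"hypervisor 3.2"]
GOLDEN_PCR = measured_launch(KNOWN_GOOD)


# --- Local verification: a secret sealed to the known-good PCR ---------------
def seal(srk: bytes, pcr_policy: bytes, secret: bytes) -> Tuple[bytes, bytes]:
    """Bind a secret to a PCR value with a key derived from the storage root
    key (stand-in). The blob is useless unless the PCR matches at unseal."""
    stream = hmac.new(srk, b"seal" + pcr_policy, hashlib.sha256).digest()
    assert len(secret) <= len(stream), "toy scheme: secret must fit one block"
    return pcr_policy, bytes(a ^ b for a, b in zip(secret, stream))


def unseal(srk: bytes, current_pcr: bytes, blob: Tuple[bytes, bytes]) -> Optional[bytes]:
    pcr_policy, ct = blob
    if not hmac.compare_digest(pcr_policy, current_pcr):
        return None   # platform is not in the expected state: the TPM refuses
    stream = hmac.new(srk, b"seal" + pcr_policy, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


# --- Remote verification: a nonce-bound quote checked off-platform -----------
def quote(aik: bytes, pcr: bytes, nonce: bytes) -> bytes:
    """TPM quote stand-in: the real TPM signs (PCRs, nonce) with its AIK."""
    return hmac.new(aik, pcr + nonce, hashlib.sha256).digest()


def verify_quote(aik: bytes, reported_pcr: bytes, nonce: bytes, sig: bytes) -> bool:
    """Remote verifier: the quote must cover our nonce (freshness) and the
    reported PCR must equal the known-good value (integrity)."""
    expected = hmac.new(aik, reported_pcr + nonce, hashlib.sha256).digest()
    return (hmac.compare_digest(expected, sig)
            and hmac.compare_digest(reported_pcr, GOLDEN_PCR))
```

Note what the verifier does not trust: anything the platform's software says about itself. The only inputs are the quote, the nonce it chose, and its own copy of the known-good measurement, which is why a compromised hypervisor cannot talk its way through remote verification.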
INTEL IDENTITY PROTECTION TECHNOLOGY
What is it?
Intel® Identity Protection Technology (Intel® IPT) is another smart innovation from Intel. As identity thieves become more advanced in their hacking techniques, Intel has built two-factor authentication directly into the processors of select 2nd generation Intel® Core™ processor-based PCs, helping to prevent unauthorized access to your important personal accounts. Two-factor authentication is the standard in identity protection technology¹. Using one factor, something you know (like a username and password) and adding another factor, something you have (in the case of Intel IPT, a six-digit One-Time Password linked to your PC), two-factor authentication improves your level of security. With Intel IPT, this unique One-Time Password (OTP) changes every 30 seconds, so even if thieves are able to obtain your username or password, the code is difficult for thieves to predict.
Why it matters.
Identity theft is a growing global concern for individuals and businesses. Secure, but simple-to-use solutions are required as hackers devise new methods for obtaining usernames and passwords. Intel IPT is a powerful, additional layer of security that links your PC to the online account or financial asset that you select, decreasing the ability of thieves to access account information from non-associated computers. Intel IPT helps keep your accounts secure, even if your first layer of authentication is breached.
How it works.
Intel IPT is built into select 2nd generation Intel® Core™ processor-based PCs, so there is no need to memorize a code or attach a security device to your computer. When you access an Intel IPT-integrated web site, Intel IPT prompts you to associate your PC with your online account. On subsequent logins, you are asked to provide a six-digit code that the PC itself generates. Because the code changes every 30 seconds, a code captured by an attacker is useless almost immediately.
Intel® Identity Protection Technology for business.
Intel IPT is an intelligent solution for businesses that have considered or utilized token-based authentication solutions in the past. Token-based solutions have required decision makers to weigh their costs against the benefit of the added protection: the cost of the back end service or software, the cost of the physical tokens, and the management costs and logistics of shipping replacement tokens, tracking them, and even activating them.
Intel IPT eliminates costs related to physical tokens by providing a secure place for codes and algorithms to execute: the PC itself. Before Intel IPT, this required separate token hardware. With Intel IPT, when a user goes to your web site, SaaS application, or VPN, the PC effectively becomes the token.
The codes generated by Intel IPT are applicable in a variety of security situations. Not only can Intel IPT help to secure consumer assets, but it can also be used to protect employee VPNs, suppliers, and partners. Banking, financial, social networking, gaming, healthcare, real estate, and SaaS application businesses can all benefit from affordable protection with Intel IPT.
Intel® Identity Protection Technology for software vendors.
Independent software vendors (ISVs) in identity protection view two-factor authentication and One-Time Password (OTP) solutions as the standard for securing online accounts. Intel IPT lets vendors run their OTP algorithms inside the platform's Management Engine (ME), an isolated controller in the chipset whose memory the operating system cannot read, rather than in OS software. Intel's hardware approach avoids the fragility of software-only OTP generators as well as the user-dependent problems of physical tokens.
For over 12 years, identity protection software vendors have successfully secured billions of transactions. Intel IPT makes it easier on ISVs by providing a place to secure user identities on the chip.
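The "six-digit code that changes every 30 seconds" described under How it works is the time-based one-time password construction of RFC 6238 (TOTP) built on RFC 4226 (HOTP). The following Python is an added example, not Intel IPT code or any ISV's OTP algorithm: Intel IPT runs the vendor's algorithm inside the Management Engine, whereas here the "PC" and the relying party are plain Python objects sharing a constructed seed. It shows the enrollment step (the seed is provisioned to the account), why a stolen password alone fails, why a captured code cannot be replayed, and how the server tolerates clock skew of one step.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP: a six-digit code that changes every 30 s.

Added example; not Intel IPT code. The seed, accounts and the relying-party
logic are constructed for illustration.
"""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: dynamic truncation of HMAC-SHA1(seed, 8-byte big-endian counter)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP over the time step, so the code changes every `step` seconds."""
    return hotp(seed, unix_time // step, digits)


class IPTBackedPC:
    """Stand-in for the platform side: holds a seed the user never sees."""

    def __init__(self, seed: bytes):
        self._seed = seed          # in Intel IPT this lives in the ME, not OS memory

    def current_code(self, unix_time: int) -> str:
        return totp(self._seed, unix_time)


class RelyingParty:
    """Web site, SaaS application or VPN that enrolled a PC against an account."""

    def __init__(self, window: int = 1):
        self.seeds = {}            # account -> seed provisioned at enrollment
        self.window = window       # accept +/- this many 30 s steps of clock skew
        self.last_step = {}        # account -> last step accepted (anti-replay)

    def enroll(self, account: str, seed: bytes) -> None:
        self.seeds[account] = seed

    def login(self, account: str, password_ok: bool, code: str, unix_time: int) -> bool:
        if not password_ok or account not in self.seeds:
            return False           # the first factor must still pass
        step = unix_time // 30
        for delta in range(-self.window, self.window + 1):
            candidate = step + delta
            if candidate <= self.last_step.get(account, -1):
                continue           # a step already consumed cannot be replayed
            if hmac.compare_digest(hotp(self.seeds[account], candidate), code):
                self.last_step[account] = candidate
                return True
        return False
```

The anti-replay bookkeeping matters as much as the algorithm: without `last_step`, a code phished seconds ago is still valid for the rest of its window, which is exactly the attack a 30-second rotation is meant to shorten.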
INTEL VPRO
Intel vPro technology is a set of features built into a PC's motherboard and other hardware. Intel vPro is not the PC itself, nor is it a single set of management features (such as Intel Active Management Technology/Intel AMT) for sys-admins. Intel vPro is a combination of processor technologies, hardware enhancements, management features, and security technologies that allow remote access to the PC (including monitoring, maintenance, and management) independent of the state of the operating system (OS) or power state of the PC. Intel vPro is intended to help businesses gain certain maintenance and servicing advantages, security improvements, and cost benefits in information technology (IT) areas.
Intel vPro technology Features
Intel vPro is a platform or set of PC hardware features. PCs with vPro have three main elements: 1) Core 2 Duo/Quad or Centrino 2 processor for business applications; 2) integrated components (such as 64-bit graphics) to reduce the number of discrete components in the system; and 3) hardware-based management and security technology (such as Intel AMT).
A vPro PC includes:
- Multi-core, multi-threaded Intel Core 2 Duo or Quad processors.
- Intel Active Management Technology (Intel AMT), a set of hardware-based features targeted at businesses and which allow remote access to the PC for management and security tasks, when an OS is down or PC power is off. Note that AMT is not the same as Intel vPro; AMT is only one element of a vPro PC.
- Remote configuration technology for AMT, with certificate-based security. Remote configuration can be performed on “bare-bones” systems, before the OS and/or software management agents are installed.
- Wired and wireless (laptop) network connection.
- Intel Trusted Execution Technology (Intel TXT), which is used to verify a launch environment and establish the root of trust, which in turn allows software to build a chain of trust for virtualized environments. Intel TXT also protects secrets during power transitions for both orderly and disorderly shutdowns (a traditionally vulnerable period for security credentials).
- Support for IEEE 802.1x, Cisco Self Defending Network (SDN), and Microsoft Network Access Protection (NAP) in laptops, and support for 802.1x and Cisco SDN in desktop PCs.[13][14] Support for these security technologies allows Intel vPro to store the security posture of a PC so that the network can authenticate the system before the OS and applications load, and before the PC is allowed access to the network.
- Intel Virtualization Technology, including Intel VT for memory, CPU, and Directed I/O, to support virtualized environments. Intel VT is hardware-based technology, not software-based virtualization. Intel VT lets you run multiple OSs (traditional virtualization) on the same PC, or run a specialized or critical application in a separate space (a virtual PC on the physical system) in order to help protect the application or the privacy of sensitive information.
- Execute Disable Bit which, when supported by the OS, can help prevent some types of buffer overflow attacks.
- Support for Microsoft Windows Vista, including Microsoft Windows Vista BitLocker with an industry-standard Trusted Platform Module version 1.2 and Intel graphics support for Windows Vista AERO graphical user interface.
Remote-Management Features
Intel AMT is the set of management and security features built into vPro PCs and which are intended to make it easier for a sys-admin to monitor, maintain, secure, and service PCs.[2] Intel AMT (the management technology) is sometimes mistaken for being the same as Intel vPro (the PC "platform"), because AMT is one of the most visible technologies of an Intel vPro-based PC.
Intel AMT includes:
- Encrypted remote power up/down/reset (via wake on LAN, or WOL)
- Remote/redirected boot (via integrated device electronics redirect, or IDE-R)
- Console redirection (via serial over LAN, or SOL)
- Preboot access to BIOS settings
- Programmable filtering for inbound and outbound network traffic
- Agent presence checking
- Out-of-band policy-based alerting
- Access to system information, such as the PC’s universal unique ID (UUID), hardware asset information, persistent event logs, and other information that is stored in dedicated memory (not on the hard drive) where it is accessible even if the OS is down or the PC is powered off.
Hardware-based management has been available in the past, but it has been limited to auto-configuration using DHCP or BOOTP for dynamic IP allocation and diskless workstations, as well as Wake On LAN for remotely powering on systems.
VNC-based KVM Remote Control
In vPro 6.0 PCs with embedded Intel graphics, Intel AMT embeds a proprietary VNC Server, so you can connect out-of-band using dedicated VNC-compatible Viewer technology, and have full KVM (Keyboard, Video, Mouse) capability throughout the power cycle - including uninterrupted control of the desktop when an operating system loads. Clients such as VNC Viewer Plus from RealVNC also provide additional functionality that might make it easier to perform (and watch) certain Intel AMT operations, such as powering the computer off and on, configuring the BIOS, and mounting a remote image (IDER).
Wireless Communication
Intel vPro supports encrypted wired and wireless LAN communication for all remote management features for PCs inside the corporate firewall.[2] Intel vPro supports encrypted communication for some remote management features for wired and wireless LAN PCs outside the corporate firewall (see Encrypted Communication while Roaming below).
Wireless Communication for Laptops
Laptops with vPro include a gigabit network connection and support IEEE 802.11 a/g/n wireless protocols.[2][20][21]
Wireless Communication for Intel AMT
Intel vPro PCs support wireless communication to the AMT features.
For wireless laptops on battery power, communication with AMT features can occur when the system is awake and connected to the corporate network. This communication is available if the OS is down or management agents are missing.
AMT out-of-band communication and some AMT features are available for wireless or wired laptops connected to the corporate network over a host OS-based virtual private network (VPN) when laptops are awake and working properly.
Encrypted Communication while Roaming
Intel vPro PCs support encrypted communication while roaming. vPro PCs version 4.0 or higher secure mobile communications by establishing an encrypted tunnel for AMT traffic to the managed service provider when roaming (operating on an open wired LAN outside the corporate firewall). Secure communication with AMT can be established even if the laptop is powered down or the OS is disabled. The AMT encrypted tunnel is designed to let sys-admins reach a laptop or desktop PC at satellite offices where there is no on-site proxy server or management server appliance.
Secure communication outside the corporate firewall depends on adding a new element, a management presence server (Intel calls this a "vPro-enabled gateway"), to the network infrastructure. This requires integration with network switch manufacturers, firewall vendors, and vendors who design management consoles in order to create an infrastructure that supports encrypted roaming communication. So although encrypted roaming communication is enabled as a feature in vPro PCs version 4.0 and higher, the feature may not be fully useful (except in having a "ready" PC) until the infrastructure is functional.
Security and Intel vPro PCs
vPro security technologies and methodologies are designed into the PC’s chipset and other system hardware. Because the vPro security technologies are designed into system hardware instead of software, they are less vulnerable to hackers, computer viruses, computer worms, and other threats that typically affect an OS or software applications installed at the OS level (such as virus scan, antispyware, inventory, and other security or management applications).[2]
For example, during deployment of vPro PCs, security credentials, keys, and other critical information are stored in protected memory (not on the hard disk drive), and erased when no longer needed.
Intel vPro Security Features
Intel vPro supports industry-standard methodologies and protocols, as well as other vendors’ security features:
- Intel Trusted Execution Technology (Intel TXT).
- Industry-standard Trusted Platform Module version 1.2 (TPM).
- Support for IEEE 802.1x, Preboot Execution Environment (PXE), Cisco Self Defending Network (SDN), and Microsoft Network Access Protection (NAP) in laptops, and support for IEEE 802.1x, Preboot Execution Environment (PXE), and Cisco Self Defending Network (SDN) in desktop PCs.
- Execute Disable Bit.
- Intel Virtualization Technology (Intel VT).
Intel vPro Security Technologies and Methodologies
Intel vPro uses several industry-standard security technologies and methodologies to secure the remote vPro communication channel. These technologies and methodologies also improve security for accessing the PC’s critical system data, BIOS settings, Intel AMT management features, and other sensitive features or data; and protect security credentials and other critical information during deployment (setup and configuration of Intel AMT) and vPro use.
- Transport layer security protocol, including pre-shared key TLS (TLS-PSK) to secure communications over the out-of-band network interface. The TLS implementation uses AES 128-bit encryption and RSA keys with modulus lengths of 2048 bits.[25][26][27]
- HTTP digest authentication as defined in RFC 2617, used by Intel AMT to authenticate the IT administrators and management consoles that access it.
- Single sign-on to Intel AMT with Microsoft Windows domain authentication, based on the Microsoft Active Directory and Kerberos protocols.
- A pseudorandom number generator (PRNG) in the firmware of the AMT PC, which generates high-quality session keys for secure communication.
- Only digitally signed firmware images (signed by Intel) are permitted to load and execute.
- Tamper-resistant and access-controlled storage of critical management data, via a protected, persistent (nonvolatile) data store (a memory area not on the hard drive) in the Intel AMT hardware.
- Access control lists for Intel AMT realms and other management functions.
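The Digest authentication item above is simple enough to compute by hand, and doing so shows what the AMT firmware has to store and check. The following Python is an added example, not Intel AMT or management-console code; the realm, user, nonce and URI are the RFC 2617 worked example or constructed values, not settings from a real AMT PC. It builds a client response from a challenge and implements the server side with the two checks that make Digest worth having: the password itself is never stored or sent (only HA1 = MD5(user:realm:password)), and a nonce the server did not issue, or a nonce-count it has already accepted, is rejected.

```python
"""HTTP Digest authentication (RFC 2617), client and server side.

Added example; not Intel AMT or console code. Realm, users, nonce and URI
values are the RFC 2617 example or constructed for illustration.
"""
import hashlib
import hmac
import re
import secrets
from typing import Optional


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2); HA1 = MD5(user:realm:pw),
    HA2 = MD5(method:uri). Only hashes cross the wire, never the password."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_params(header: str) -> dict:
    """Turn 'Digest k="v", k2=v2, ...' into a dict (values contain no commas)."""
    return dict(re.findall(r'(\w+)="?([^",]+)"?', header.split(" ", 1)[1]))


def build_authorization(challenge: str, username: str, password: str, method: str,
                        uri: str, cnonce: Optional[str] = None, nc: str = "00000001") -> str:
    """Client side: answer a WWW-Authenticate challenge with an Authorization header."""
    ch = parse_params(challenge)
    cnonce = cnonce or secrets.token_hex(8)
    qop = ch.get("qop", "auth")
    resp = digest_response(username, ch["realm"], password, method, uri, ch["nonce"], nc, cnonce, qop)
    return (f'Digest username="{username}", realm="{ch["realm"]}", nonce="{ch["nonce"]}", '
            f'uri="{uri}", qop={qop}, nc={nc}, cnonce="{cnonce}", response="{resp}"')


class DigestVerifier:
    """Server side, the role the AMT firmware plays: stores HA1 per user rather
    than the password, and tracks the nonces it issued and the nonce-count."""

    def __init__(self, realm: str):
        self.realm = realm
        self.ha1 = {}        # username -> HA1
        self.issued = {}     # nonce -> highest nc accepted so far

    def add_user(self, username: str, password: str) -> None:
        self.ha1[username] = _md5(f"{username}:{self.realm}:{password}")

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.issued[nonce] = 0
        return f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}"'

    def verify(self, authorization: str, method: str) -> bool:
        p = parse_params(authorization)
        nonce, nc = p.get("nonce"), p.get("nc")
        if nonce not in self.issued or nc is None or int(nc, 16) <= self.issued[nonce]:
            return False     # unknown nonce, or a replayed request
        ha1 = self.ha1.get(p.get("username", ""))
        if ha1 is None:
            return False
        ha2 = _md5(f"{method}:{p.get('uri', '')}")
        expected = _md5(f"{ha1}:{nonce}:{nc}:{p.get('cnonce', '')}:{p.get('qop', 'auth')}:{ha2}")
        if hmac.compare_digest(expected, p.get("response", "")):
            self.issued[nonce] = int(nc, 16)
            return True
        return False
```

Digest keeps the password off the wire, but it is an MD5 construction that provides neither confidentiality nor server authentication, so in practice it should ride inside the TLS or TLS-PSK channel listed above rather than over plain HTTP.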
Hardware requirements
The first release of Intel vPro was built with an Intel Core 2 Duo processor. The current versions of Intel vPro are built into systems with 45 nm Intel Core 2 Duo or Quad processors, or Centrino 2 processors.
PCs with Intel vPro require specific chipsets. Intel vPro releases are usually identified by their AMT version.
INTEL ACTIVE MANAGEMENT TECHNOLOGY
Intel Active Management Technology (AMT) is hardware-based technology for remotely managing and securing PCs out-of-band. Currently, Intel AMT is available in desktop PCs with an Intel Core 2 processor with Intel vPro technology and in laptop PCs on the Centrino or Centrino 2 platform with vPro technology.
Intel AMT security measures
Because AMT allows access to the PC below the OS level, security for the AMT features is a key concern.
Security for communications between Intel AMT and the provisioning service and/or management console can be established in different ways depending on the network environment. Security can be established via certificates and keys (TLS public key infrastructure, or TLS-PKI), pre-shared keys (TLS-PSK), or administrator password.
Security technologies that protect access to the AMT features are built into the hardware and firmware. As with other hardware-based features of AMT, the security technologies are active even if the PC is powered off, the OS is crashed, software agents are missing, or hardware (such as a hard drive or memory) has failed.
Using AMT in a secure network environment
Because in-band remote management does not usually occur over a secured network communication channel, businesses have typically had to choose between having a secure network or allowing IT to use remote management applications without secure communications to maintain and service PCs.
Modern security technologies and hardware designs allow remote management even in more secure environments. For example, Intel AMT supports IEEE 802.1x, Preboot Execution Environment (PXE), Cisco SDN, and Microsoft NAP.
All AMT features are available in a secure network environment. With Intel AMT in the secure network environment:
- The network can verify the security posture of an AMT-enabled PC and authenticate the PC before the OS loads and before the PC is allowed access to the network.
- PXE boot can be used while maintaining network security. In other words, an IT administrator can use an existing PXE infrastructure in an IEEE 802.1x, Cisco SDN, or Microsoft NAP network.
Intel AMT in a secured network environment: how it works
Intel AMT can embed network security credentials in the hardware, via the Intel AMT Embedded Trust Agent and an AMT posture plug-in. The plug-in collects security posture information, such as firmware configuration and security parameters from third-party software (such as antivirus software and antispyware), BIOS, and protected memory. The plug-in and trust agent can store the security profile(s) in AMT's protected, nonvolatile memory, which is not on the hard disk drive.
Because AMT has an out-of-band communication channel, AMT can present the PC's security posture to the network even if the PC's OS or security software is compromised. Since AMT presents the posture out-of-band, the network can also authenticate the PC out-of-band, before the OS or applications load and before they try to access the network. If the posture does not meet policy, a system administrator can push an update OOB (via Intel AMT) or reinstall critical security software before letting the PC onto the network. Note that this moves the root of trust from the OS to the AMT firmware and its protected storage: the posture is only as trustworthy as the firmware that reports it and the credentials used to provision it, which is why the signed firmware and authenticated provisioning described below matter.
Security postures supported by Intel AMT versions
Support for different security postures depends on the AMT release:
- Support for IEEE 802.1x and Cisco SDN requires AMT version 2.6 or higher for laptops, and AMT version 3.0 or higher for desktop PCs.
- Support for Microsoft NAP requires AMT version 4.0 or higher.
- Support for PXE boot with full network security requires AMT version 3.2 or higher for desktop PCs.
Intel AMT security technologies and methodologies
AMT includes several security schemes, technologies, and methodologies to secure access to the AMT features during deployment and during remote management. AMT security technologies and methodologies include:
- Transport Layer Security, including pre-shared key TLS (TLS-PSK)
- HTTP authentication
- Single sign-on to Intel AMT with Microsoft Windows domain authentication, based on Microsoft Active Directory and Kerberos
- Digitally signed firmware
- Pseudo-random number generator (PRNG) which generates session keys
- Protected memory (not on the hard disk drive) for critical system data, such as the UUID, hardware asset information, and BIOS configuration settings
- Access control lists (ACL)
As with other aspects of Intel AMT, the security technologies and methodologies are built into the chipset.
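The HTTP authentication listed above is HTTP Digest authentication (RFC 2617), which is also what the "administrator password" option earlier in this section refers to. The following is an added example, written for this report and not Intel's code or AMT firmware, showing both sides of that exchange: the client computes a response from the server's challenge, and the server verifies it while storing only HA1 (never the cleartext password) and refusing replayed nonce counts. The realm, nonce, URI and credentials are constructed values. Digest gives integrity of the credential exchange but no confidentiality of the management traffic, so in practice it is run over the TLS option listed above.

```python
"""HTTP Digest authentication (RFC 2617, qop="auth") for password-based
access to a management interface such as Intel AMT.

Added example, not Intel's code. Realm, nonce, URI and credentials used
here are constructed values, not taken from a real AMT system.
"""
import hashlib
import hmac
import re
import secrets


def _md5_hex(data: str) -> str:
    # RFC 2617 digests are MD5 over the UTF-8 form of the string.
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). A server stores only this."""
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(username, password, realm, nonce, method, uri,
                         nc, cnonce=None):
    """Build the Authorization header a client sends after a 401 challenge.
    The password itself never appears in the header."""
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(ha1(username, realm, password),
                           method, uri, nonce, nc, cnonce)
    fields = [("username", username), ("realm", realm), ("nonce", nonce),
              ("uri", uri), ("qop", "auth"), ("nc", nc),
              ("cnonce", cnonce), ("response", resp)]
    # qop and nc are unquoted tokens in RFC 2617; the rest are quoted.
    return "Digest " + ", ".join(
        f"{k}={v}" if k in ("qop", "nc") else f'{k}="{v}"' for k, v in fields)


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header: str) -> dict:
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {k: (quoted or bare) for k, quoted, bare in _PARAM.findall(params)}


class DigestServer:
    """Minimal server side: per-user HA1, issued nonces, and a nonce-count
    check so that a captured Authorization header cannot be replayed."""

    def __init__(self, realm: str):
        self.realm = realm
        self.users = {}    # username -> HA1 (no cleartext passwords kept)
        self.nonces = {}   # nonce -> highest nc accepted so far

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = ha1(username, self.realm, password)

    def challenge(self) -> str:
        """Issue a fresh nonce (sent in WWW-Authenticate: Digest ...)."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, header: str, method: str) -> bool:
        try:
            p = parse_authorization(header)
            user, nonce, nc = p["username"], p["nonce"], p["nc"]
            uri, cnonce, response = p["uri"], p["cnonce"], p["response"]
            nc_int = int(nc, 16)
        except (ValueError, KeyError):
            return False
        if p.get("realm") != self.realm or p.get("qop") != "auth":
            return False
        if user not in self.users or nonce not in self.nonces:
            return False            # unknown user, or a nonce we never issued
        if nc_int <= self.nonces[nonce]:
            return False            # replayed or out-of-order nonce count
        expected = digest_response(self.users[user], method, uri,
                                   nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False            # wrong password, URI or method
        self.nonces[nonce] = nc_int  # accept only after the digest checks out
        return True


if __name__ == "__main__":
    srv = DigestServer("Digest:example-realm")           # constructed realm
    srv.add_user("admin", "example-password")            # constructed creds
    n = srv.challenge()
    hdr = client_authorization("admin", "example-password",
                               "Digest:example-realm", n,
                               "GET", "/index.htm", "00000001")
    print(hdr)
    print("first use :", srv.verify(hdr, "GET"))   # True
    print("replayed  :", srv.verify(hdr, "GET"))   # False
```

The server never needs the cleartext password, only HA1 bound to its realm, and a replayed header fails because the nonce count must increase for each request under the same nonce. A real implementation would also expire nonces and bind them to the client, and should handle the `auth-int` qop if message integrity is required.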
ADVANTAGES
Data Security
Intel identifies four areas as the cornerstones of secure computing environments:
Security assurance.
For Intel, creating more secure products means building to consistent and high design standards in everything we make. To understand where threats may emerge and to ensure that our standards maintain global currency, Intel regularly consults with global security experts and the security research community.
Standards and policy.
Due to Intel’s central role in global computing technology development, we continue to support and contribute to key security standards through organizations such as the Trusted Computing Group (TCG). In addition, Intel influences regulation and legislation to ensure that we continue to deliver relevant and compliant technologies.
Security innovation.
Intel continues to enhance systems so they run more securely and can handle the growing workloads more efficiently. A key component of this approach is providing more robust, vulnerability-resistant platforms. This is increasingly important as attackers start targeting base components such as firmware and controllers.
Secure ecosystems.
Intel® products are only part of making computing more secure. The company recognizes the need to engage the entire technology ecosystem to cultivate more complete protections. With this in mind, Intel continues to grow its relationship with both software and hardware security vendors for complementary solutions. It also works with traditional general purpose software providers to encourage greater implementation of secure computing.
These principles are the foundation of Intel's approach to security.
CONCLUSION
Intel's approach to security rests on the four principles described above: security assurance, standards and policy, security innovation, and secure ecosystems. In the technologies this report covers, Intel AT and Intel AMT, those principles take the form of hardware- and firmware-based protection that keeps working when the OS or its security software cannot. Because that protection operates below the OS, its own security is the critical dependency: it relies on digitally signed firmware, on authenticated and encrypted provisioning and management channels (TLS-PKI, TLS-PSK, or HTTP authentication), and on protected nonvolatile storage, so deploying these features carefully matters as much as enabling them.