INTEL vPRO Technology

PCs are essential in today’s enterprises, yet managing a PC fleet can consume a significant portion of IT’s time and budget. Finding ways to keep employees productive while keeping IT management costs low requires a combination of sound IT management practices and technology that maximizes benefits to users and minimizes effort for IT. Intel's vPro technology is intended to help enterprises achieve this.

Intel vPro technology is a set of features built into a PC’s motherboard and other hardware. Intel vPro is not the PC itself, nor is it a single set of management features (such as Intel Active Management Technology (Intel AMT)) for sys-admins. Intel vPro is a combination of processor technologies, hardware enhancements, management features, and security technologies that allow remote access to the PC -- including monitoring, maintenance, and management -- independently of the state of the operating system (OS) or power state of the PC. Intel vPro is intended to help businesses gain certain maintenance and servicing advantages, security improvements, and cost benefits in information technology (IT) areas. Notebook and desktop PCs with Intel® vPro™ technology enable IT to take advantage of hardware-assisted security and manageability capabilities that enhance their ability to maintain, manage, and protect their business PCs.
2. FEATURES OF INTEL vPRO TECHNOLOGY 

2.1   Major Features At a Glance
A vPro PC includes:
  • Multi-core, multi-threaded Intel Core 2 Duo or Quad processors.
  • Intel Active Management Technology (Intel AMT).
  • Remote configuration technology for AMT, with certificate-based security.
  • Wired and wireless (laptop) network connection.
  • Intel Trusted Execution Technology (Intel TXT).
  • Support for IEEE 802.1x, Cisco Self Defending Network (SDN), and Microsoft Network Access Protection (NAP) in laptops, and support for 802.1x and Cisco SDN in desktop PCs.
  • Intel Virtualization Technology, including Intel VT for memory, CPU, and Directed I/O, to support virtualized environments.
  • Intel Execute Disable Bit.
  • Support for Microsoft Windows Vista.

2.2  Features In Detail

2.2.1        Multi-core, multi-threaded Intel Core 2 Duo or Quad processors

A multi-core processor is a processing system composed of two or more independent cores (or CPUs). The cores are typically integrated onto a single integrated circuit die (known as a chip multiprocessor or CMP), or they may be integrated onto multiple dies in a single chip package.

A dual-core processor contains two cores, and a quad-core processor contains four cores. A multi-core processor implements multiprocessing in a single physical package. Cores in a multi-core device may be coupled together tightly or loosely. For example, cores may or may not share caches, and they may implement message passing or shared memory inter-core communication methods. The amount of performance gained by the use of a multi-core processor is strongly dependent on the software algorithms and implementation. In particular, the possible gains are limited by the fraction of the software that can be "parallelized" to run on multiple cores simultaneously. Many typical applications, however, do not realize such large speedup factors and thus, the parallelization of software is a significant on-going topic of research.
The Intel vPro technology makes use of the immense computing power delivered by multi-core CPUs. The commercially available processors used by the technology are the Intel Core 2 Duo and the Intel Core 2 Quad.
2.2.2        Intel Active Management Technology
Intel Active Management Technology (AMT) is hardware-based technology for remotely managing and securing PCs out-of-band (OOB). Put another way, it is the set of management and security features built into vPro PCs that are intended to make it easier for a sys-admin to monitor, maintain, secure, and service PCs. Intel AMT is hardware and firmware technology that builds certain functionalities into business PCs in order to make the PCs easier and less expensive for businesses to monitor, maintain, update, upgrade, and repair. Intel AMT is part of the Intel Management Engine, which is built into PCs with Intel vPro technology. Intel AMT is designed into a secondary processor located on the motherboard.
AMT is not intended to be used by itself; it is intended to be used with a software management application. It gives a management application (and thus, the sys-admin who uses it) better access to the PC down the wire, in order to remotely and securely do tasks that are difficult or sometimes impossible when working on a PC that does not have remote functionalities built into it.

2.2.2.1  Intel AMT features:

Intel AMT includes hardware-based remote management features, security features, power-management features, and remote-configuration features. The features allow an IT tech to access an AMT PC when traditional techniques and methods to manage the PC are not available.
Access to the Intel AMT features relies on a hardware-based OOB communication channel. Because the channel operates below the OS level, the channel is independent of the state of the OS (present, missing, corrupted, down). The communication channel is also independent of the PC’s power state, the presence of a management agent, and the state of many hardware components (such as hard disk drives and memory).
Along with the communication channel, most AMT features are available OOB, regardless of PC power state. Other features are available after the PC is powered up (such as console redirection via serial over LAN (SOL), agent presence checking, and network traffic filtering). Because AMT has a remote power-up feature, a sys-admin can combine the OOB communication with the remote power-up feature and access PCs that were powered off at the start of the maintenance or service cycle.
Hardware-based AMT features include:
  • Encrypted, remote communication channel for network traffic between the IT console and Intel AMT.
  • Ability for a wired PC (physically connected to the network) outside the company’s firewall on an open LAN to establish a secure communication tunnel (via AMT) back to the IT console.
  • Remote power up / power down / power cycle.
  • Remote boot, via integrated device electronics redirect (IDE-R).
  • Console redirection, via serial over LAN (SOL).
  • Hardware-based filters for monitoring packet headers in inbound and outbound network traffic for known threats (based on programmable timers), and for monitoring known / unknown threats based on time-based heuristics. Laptops and desktop PCs have filters to monitor packet headers. Desktop PCs have packet-header filters and time-based filters.
  • Agent presence checking, via hardware-based, policy-based programmable timers. A “miss” generates an event; you can specify that the event generate an alert.
  • OOB alerting.
  • Persistent event log, stored in protected memory (not on the hard drive).
  • Access (preboot) to the PC’s universal unique identifier (UUID).
  • Access (preboot) to hardware asset information, such as a component’s manufacturer and model, which is updated every time the system goes through power-on self-test (POST).
  • Access (preboot) to the third-party data store (TPDS), a protected memory area in which software vendors can store version information, .DAT files, and other information.

2.2.2.2  Using Intel AMT:

Almost all AMT features are available even if PC power is off, the OS is crashed, the software agent is missing, or hardware (such as a hard drive or memory) has failed. The console-redirection feature (SOL) and network traffic filters are available after the PC is powered up.
Intel AMT supports these management tasks:

  • Remotely power up, power down, power cycle, and power reset the computer.
  • Remote boot the PC by remotely redirecting the PC’s boot process, causing it to boot from a different image, such as a network share, bootable CD-ROM or DVD, remediation drive, or other boot device. This feature supports remote booting a PC that has a corrupted or missing OS.
  • Remotely redirect the system’s I/O via console redirection through serial over LAN (SOL). This feature supports remote troubleshooting, remote repair, software upgrades, and similar processes.
  • Access and change BIOS settings remotely. This feature is available even if PC power is off, the OS is down, or hardware has failed. This feature is designed to allow remote updates and corrections of configuration settings. This feature supports full BIOS updates, not just changes to specific settings.
  • Detect suspicious network traffic. In laptop and desktop PCs, this feature allows a sys-admin to define the events that might indicate an inbound or outbound threat in a network packet header. In desktop PCs, this feature also supports detection of known and/or unknown threats (including slow- and fast-moving computer worms) in network traffic via time-based, heuristics-based filters. Network traffic is checked before it reaches the OS, so it is also checked before the OS and software applications load, and after they shut down (a traditionally vulnerable period for PCs).
  • Block or rate-limit network traffic to and from systems suspected of being infected or compromised by computer viruses, computer worms, or other threats. This feature uses Intel AMT hardware-based isolation circuitry that can be triggered manually (remotely, by the sys-admin) or automatically, based on IT policy (a specific event).
  • Manage hardware packet filters in the on-board network adapter.
  • Automatically send OOB communication to the IT console when a critical software agent misses its assigned check in with the programmable, policy-based hardware-based timer.  A "miss" indicates a potential problem. This feature can be combined with OOB alerting so that the IT console is notified only when a potential problem occurs (helps keep the network from being flooded by unnecessary "positive" event notifications).
  • Receive PET events out-of-band from the AMT subsystem (for example, events indicating that the OS is hung or crashed, or that a password attack has been attempted).  You can alert on an event (such as falling out of compliance, in combination with agent presence checking) or on a threshold (such as reaching a particular fan speed).
  • Access a persistent event log, stored in protected memory. The event log is available OOB, even if the OS is down or the hardware has already failed.
  • Discover an AMT system independently of the PC's power state or OS state. Discovery (preboot access to the UUID) is available if the system is powered down, its OS is compromised or down, hardware (such as a hard drive or memory) has failed, or management agents are missing.
  • Perform a software inventory or access information about software on the PC. This feature allows a third-party software vendor to store software asset or version information for local applications in the Intel AMT protected memory. (This is the protected third party data store, which is different from the protected AMT memory for hardware component information and other system information). The third-party data store can be accessed OOB by the sys-admin. For example, an antivirus program could store version information in the protected memory that is available for third-party data. A computer script could use this feature to identify PCs that need to be updated.
  • Perform a hardware inventory by uploading the remote PC’s hardware asset list (platform, baseboard management controller, BIOS, processor, memory, disks, portable batteries, field replaceable units, and other information).  Hardware asset information is updated every time the system runs through power-on self-test (POST).
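The time-based heuristic filtering and the block / rate-limit response described in the list above can be illustrated with a short sketch. This is an added example, not Intel's filter logic or code from the original article: the rule thresholds, the "distinct destinations per window" heuristic, the host names, and the traffic are all constructed assumptions.

```python
from collections import deque

# Assumed rule set (not Intel's): name -> (window in seconds, maximum number
# of distinct destinations one source may contact inside that window).
RULES = {"fast": (1.0, 10), "slow": (60.0, 30)}

# Assumed response policy, mirroring the "block or rate-limit" feature.
ACTIONS = {"fast": "block", "slow": "rate-limit"}


def detect_worm_like_hosts(events, rules=RULES):
    """Scan time-ordered (timestamp, src, dst) connection attempts.

    Returns {src: (rule_name, timestamp_tripped)} for every source that
    exceeded a rule; the first rule tripped for a source wins.
    """
    longest = max(window for window, _ in rules.values())
    recent = {}    # src -> deque of (timestamp, dst) within the longest window
    verdicts = {}
    for ts, src, dst in events:
        seen = recent.setdefault(src, deque())
        seen.append((ts, dst))
        while ts - seen[0][0] > longest:      # expire entries that aged out
            seen.popleft()
        if src in verdicts:
            continue
        for name, (window, limit) in rules.items():
            distinct = {d for t, d in seen if ts - t <= window}
            if len(distinct) > limit:
                verdicts[src] = (name, ts)
                break
    return verdicts


def planned_actions(verdicts, actions=ACTIONS):
    """Map each flagged source to the isolation action the policy assigns."""
    return {src: actions[rule] for src, (rule, _ts) in verdicts.items()}


def sample_events():
    """Constructed traffic for three hosts (documentation address ranges)."""
    events = []
    # pc-fast: contacts a new destination every 50 ms (fast-moving pattern).
    events += [(i * 0.05, "pc-fast", f"198.51.100.{i}") for i in range(20)]
    # pc-slow: a new destination every 1.5 s, so it never trips the 1 s rule.
    events += [(i * 1.5, "pc-slow", f"203.0.113.{i}") for i in range(60)]
    # pc-normal: busy, but only ever talks to the same three servers.
    events += [(i * 0.4, "pc-normal", f"192.0.2.{i % 3 + 1}") for i in range(200)]
    return sorted(events)


if __name__ == "__main__":
    found = detect_worm_like_hosts(sample_events())
    for host, (rule, when) in sorted(found.items()):
        print(f"{host}: tripped '{rule}' rule at t={when:.2f}s "
              f"-> {planned_actions(found)[host]}")
```

The slow host is caught only by the long window, which is why a filter that looks at a single short interval misses slow-moving propagation.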

2.2.2.3 How It Works:

An AMT PC stores system configuration information in protected memory. For PCs version 4.0 and higher, this information can include the name(s) of appropriate “whitelist” management servers for the company. When a user tries to initiate a remote session between the wired PC and a company server from an open LAN, AMT sends the stored information to a management presence server (MPS) in the “demilitarized zone” ("DMZ") that exists between the corporate firewall and client (the user PC's) firewalls. The MPS uses that information to help authenticate the PC. The MPS then mediates communication between the laptop and the company’s management servers.
Because communication is authenticated, a secure communication tunnel can then be opened using. Once secure communications are established between the IT console and Intel AMT on the user's PC, a sys-admin can use the typical AMT features to remotely diagnose, repair, maintain, or update the PC.

2.2.2.4 Intel AMT Security Technologies and Methodologies:

AMT includes several security schemes, technologies, and methodologies to secure access to the AMT features during deployment and during remote management.
AMT security technologies and methodologies include:
  • Transport Layer Security, including pre-shared key TLS (TLS-PSK)
  • HTTP authentication
  • Digitally signed firmware
  • Pseudo-random number generator (PRNG) which generates session keys
  • Protected memory (not on the hard disk drive) for critical system data, such as the UUID, hardware asset information, and BIOS configuration settings
  • Access control lists
As with other aspects of Intel AMT, the security technologies and methodologies are built into the chipset.
2.2.2.5  Depiction of Advantages Offered By Intel AMT:

2.2.3        Intel Trusted Execution Technology

Intel Trusted Execution Technology (Intel TXT) is a highly versatile set of hardware extensions to Intel processors and chipsets that, with appropriate software, enhance the platform security capabilities. It is a hardware extension to some of Intel's microprocessors and respective chipsets, intended to provide users and organizations (governments, enterprises, corporations, universities, etc.) with a higher level of trust while accessing, modifying or creating sensitive data and code. It will be very useful, especially in the business world, as a way to defend against software-based attacks aimed at stealing sensitive information. Designed to help protect against software-based attacks, Intel Trusted Execution Technology integrates new security features and capabilities into the processor, chipset and other platform components. The hardware-rooted security makes it possible to increase the confidentiality and integrity of sensitive information against software-based attacks, protect sensitive information without compromising the usability of the platform, and deliver increased security in platform-level solutions through measurement and protection capabilities. It provides a general-purpose safer computing environment capable of running a wide variety of operating systems and applications.

Intel Trusted Execution Technology capabilities include:
  • Protected execution and memory spaces where sensitive data can be processed out of view of any other software.
  • Sealed storage shields encryption keys and other data from attack while in use or stored.
  • Attestation enables a system to provide assurance that it has correctly invoked the Intel Trusted Execution Technology environment, as well as enable a verified measurement of the software running in the protected space.
  • Measured launch capability to help:
      • Reduce IT support costs with improved services
      • Enable decentralized or remote computing
      • Verify platform configuration with a higher level of assurance
  • Memory protection to help:
      • Enhance protection of system resources
      • Increase confidentiality and integrity of data
      • Improve assurance of data transfers and resources
      • Improve protection of sensitive information

2.2.3.1 TXT Architecture:

Intel TXT protects five points on a server or client machine:
  • The processor: Provides a private environment for applications, so that hardware resources (such as memory pools) are locked to the calling applications and cannot be read or written by any other process running on the platform;
  • The chipset: Enforces security on the main board through tighter control of the memory management policy, enhancements to memory access mechanisms, channel control mechanisms for hardware extensions (user I/O, graphics, etc.) and a secure interface to the TPM;
  • The user input: Protection states over keyboard and mouse, allowing users to interact with trusted platform applications without the risk of that interaction being compromised or observed by other running software;
  • The display interface: Enables trusted platform applications to send display data to a specific context's memory buffer (a window, for example), preventing running software from stealing the transmitted information;
  • The TPM device: Helps the system startup (in conjunction with ROM-BIOS startup routines), manages the keys, and provides attestations for the system's trusted status.

2.2.3.2  Benefits of Trusted Execution Technology:

Three use models can help illustrate the flexibility and benefits of Trusted Execution Technology.
  • Local verification
Local verification uses the measurement capability of Trusted Execution Technology to allow the local user to have confidence that the platform is executing in a known state. The confidence comes from the hardware ability of Trusted Execution Technology to properly measure the launched configuration and store the measurement in the platform Trusted Platform Module (TPM).
  • Remote verification
Remote verification takes the measurements obtained by Trusted Execution Technology and stored in the TPM, and uses the TPM to inform remote entities (those not executing on the platform) about the current platform configuration. Essential to this use model is that the remote entity can rely on the properties of Trusted Execution Technology to provide the protections listed above.
  • Multi-level operation
Multi-level operation takes advantage of the memory protections provided by Trusted Execution Technology to run two or more applications or operating systems that require strict separation and managed communication between the entities. Those wishing to rely on these properties make use of either local or remote verification to ensure that the proper environment is set up and executing.
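The measure-then-verify idea behind local and remote verification can be shown with a small model of a TPM measurement register. This is an added example, not code from the original article or from Intel: it uses the TPM 1.2 style extend operation (SHA-1 of the old register value concatenated with the new measurement), an HMAC as a stand-in for the TPM's asymmetric quote signature, and a constructed launch chain with hypothetical component names.

```python
import hashlib
import hmac

PCR_LEN = 20  # SHA-1 digest size, as used by TPM 1.2 measurement registers


def extend(pcr, digest):
    """TPM extend operation: new PCR = SHA-1(old PCR || measurement)."""
    return hashlib.sha1(pcr + digest).digest()


def measured_launch(components):
    """Measure each (name, code) pair in launch order.

    Returns (final PCR value, event log of (name, digest) entries).
    """
    pcr, log = bytes(PCR_LEN), []
    for name, code in components:
        digest = hashlib.sha1(code).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def replay(log):
    """Recompute the PCR value that an event log claims to explain."""
    pcr = bytes(PCR_LEN)
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def quote(key, pcr, nonce):
    """Stand-in for a TPM quote over (PCR, nonce). A real TPM signs with an
    asymmetric attestation key; HMAC keeps this example stdlib-only."""
    return hmac.new(key, pcr + nonce, hashlib.sha256).digest()


def verify(key, nonce, pcr, signature, log, known_good):
    """Remote verifier. Returns (trusted, reason)."""
    if not hmac.compare_digest(quote(key, pcr, nonce), signature):
        return False, "quote not authentic or not fresh"
    if replay(log) != pcr:
        return False, "event log does not reproduce quoted PCR"
    if len(log) != len(known_good):
        return False, "unexpected number of measured components"
    for (name, digest), (good_name, good_digest) in zip(log, known_good):
        if name != good_name:
            return False, f"launch order differs at {name}"
        if digest != good_digest:
            return False, f"unexpected measurement for {name}"
    return True, "platform launched in known-good configuration"


# Constructed launch chain; names and contents are hypothetical.
GOOD_CHAIN = [("launch-code", b"launch code v1"),
              ("vmm", b"hypervisor build 42"),
              ("os-kernel", b"kernel image A")]


def demo():
    """Run four constructed scenarios through the verifier."""
    key, nonce = b"constructed-demo-key", b"nonce-1"
    good_pcr, known_good = measured_launch(GOOD_CHAIN)
    modified = [GOOD_CHAIN[0], ("vmm", b"hypervisor build 42, modified"),
                GOOD_CHAIN[2]]
    bad_pcr, bad_log = measured_launch(modified)
    return {
        "good": verify(key, nonce, good_pcr, quote(key, good_pcr, nonce),
                       known_good, known_good),
        # Honest log from a platform that launched a modified component.
        "tampered": verify(key, nonce, bad_pcr, quote(key, bad_pcr, nonce),
                           bad_log, known_good),
        # Same platform, but the log was swapped for the known-good one.
        "forged_log": verify(key, nonce, bad_pcr, quote(key, bad_pcr, nonce),
                             known_good, known_good),
        # An old, valid quote presented against a new challenge nonce.
        "replayed": verify(key, b"nonce-2", good_pcr,
                           quote(key, good_pcr, nonce), known_good, known_good),
    }


if __name__ == "__main__":
    for scenario, (trusted, reason) in demo().items():
        print(f"{scenario:11s} trusted={trusted}  {reason}")
```

Because each extend hashes in the previous register value, software that runs later cannot rewrite the record of what was launched before it; it can only add to it.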

2.2.4        Support for MS Network Access Protection

Another major feature and advantage that the vPro technology offers is its support for Microsoft Network Access Protection (NAP). NAP is a Microsoft technology for controlling network access of a computer host based on the system health of the host, first utilized in Windows XP Service Pack 3, Windows Vista and Windows Server 2008. With Network Access Protection, system administrators of an organization's computer network can define policies for system health requirements. Examples of system health requirements are whether the computer has the most recent operating system updates installed, whether the computer has the latest version of the anti-virus software signature, or whether the computer has a host-based firewall installed and enabled. Connecting or communicating computers have their health status evaluated. Computers that comply with system health requirements have full access to the network. Administrators can configure health policies that make it possible to ensure that computers not in compliance with system health requirements have restricted access to the network.
2.2.4.1  Working:
A Network Access Protection (NAP) deployment consists of NAP clients, NAP enforcement points, NAP health policy servers, and remediation servers. NAP clients are computers that report system health to a NAP enforcement point. A NAP enforcement point is a computer or network access device that can require the evaluation of a NAP client’s health state and optionally provide restricted network access or communication. NAP enforcement points can be IEEE 802.1X-capable switches or VPN servers, DHCP servers, or Health Registration Authorities (HRAs) that run Windows Server 2008. The NAP health policy server is a computer running the Network Policy Server (NPS) service in Windows Server 2008 that stores health requirement policies and provides health evaluation for NAP clients. Health requirement policies are configured by the administrator and can include settings that require that NAP client computers have the latest antivirus definitions and security updates installed, a personal firewall enabled, and other settings.
When a NAP-capable client computer contacts a NAP enforcement point, it submits its current health state. The NAP enforcement point sends the NAP client’s health state to the NAP health policy server for evaluation using the RADIUS protocol. The NAP health policy server can also act as a RADIUS-based authentication server for the NAP client.
The NAP health policy server can use a health requirement server to validate the health state of the NAP client or to determine the current version of software or updates that need to be installed on the NAP client. For example, a health requirement server might track the latest version of an antivirus signature file.
If the NAP enforcement point is an HRA, it obtains health certificates from a certification authority for NAP clients that are determined to be compliant with health requirements.
If the NAP client is determined to be noncompliant with health requirements, it can optionally be placed on a restricted network. The restricted network is a logical subset of the intranet and contains resources that allow a noncompliant NAP client to correct its system health. Servers that contain system health components or updates are known as remediation servers. A noncompliant NAP client on the restricted network can access remediation servers and install the necessary components and updates. After remediation is complete, the NAP client can perform a new health evaluation in conjunction with a new request for network access or communication.

2.2.5        Intel Virtualization Technology

Intel Virtualization Technology enables a CPU to act as if it were several CPUs working in parallel, in order to enable several operating systems to run at the same time in the same machine. With support from the processor, chipset, BIOS, and enabling software, Intel VT improves traditional software-based virtualization. Virtualization solutions enhanced by Intel VT allow a platform to run multiple operating systems (OSs) and applications as independent virtual machines, allowing one computer system to function as multiple "virtual" systems. For example, IT managers can create a single build with multiple and different OSs, software, and legacy applications. Hardware-assisted Intel VT and software-based virtualization technologies also extend to the home user. Creating virtual "partitions" and isolating multiple user environments, home users can dedicate resources to specific activities like PC games, personal finance, and photo and video libraries, while simultaneously improving defenses against viruses or spyware.
  
There is some software on the market that enables virtualization, and VMware is probably the most famous. With this technique, a single CPU can act as if it were several CPUs running in parallel, allowing the system to run several operating systems at the same time. The advantage that CPUs with Virtualization Technology offer over software virtualization is that they have some new instructions to control virtualization. With them, the controlling software (called a VMM, Virtual Machine Monitor) can be simpler, thus improving performance compared to software-only solutions.

2.2.6        Execute Disable Bit

Another major feature of the vPro technology is its ability to support Intel’s Execute Disable Bit functionality. It adds powerful security features and proves to be one of the major hidden strengths of the vPro technology. It can help prevent certain classes of malicious buffer overflow attacks when combined with a supporting operating system.
Execute Disable Bit allows the processor to classify areas in memory by where application code can execute and where it cannot. When a malicious worm attempts to insert code in the buffer, the processor disables code execution, preventing damage and worm propagation.

Replacing older computers with Execute Disable Bit-enabled systems can halt worm attacks, reducing the need for virus-related repairs. In addition, Execute Disable Bit may eliminate the need for software patches aimed at buffer overflow attacks. By combining Execute Disable Bit with anti-virus, firewall, spyware removal, e-mail filtering software, and other network security measures, IT managers can free IT resources for other initiatives.

2.2.7        Wired and Wireless Network Connection
The vPro technology offers full support for both wired and wireless network connections. Laptops with vPro include a gigabit network connection and support IEEE 802.11 a/g/n wireless protocols. For wireless laptops on battery power, communication with AMT features can occur when the system is awake and connected to the corporate network. This communication is available if the OS is down or management agents are missing.
AMT out-of-band communication and some AMT features are available for wireless or wired laptops connected to the corporate network over a host OS-based virtual private network (VPN) when laptops are awake and working properly.

2.2.7.1  Encrypted Communication while Roaming:

Intel vPro PCs support encrypted communication while roaming. vPro PCs version 4.0 or higher support security for mobile communications by establishing a secure tunnel for encrypted AMT communication with the managed service provider when roaming (operating on an open, wired LAN outside the corporate firewall). Secure communication with AMT can be established if the laptop is powered down or the OS is disabled. The AMT encrypted communication tunnel is designed to allow sys-admins to access a laptop or desktop PC at satellite offices where there is no on-site proxy server or management server appliance.
Secure communications outside the corporate firewall depends on adding a new element -- a management presence server (Intel calls this a “vPro-enabled gateway”) -- to the network infrastructure. This will require integration with network switch manufacturers, firewall vendors, and vendors who design management consoles in order to create an infrastructure that supports encrypted roaming communication. So although encrypted roaming communication is enabled as a feature in vPro PCs version 4.0 and higher, the feature may not be fully useful (except in having a "ready" PC) until the infrastructure is functional.

3. BENEFITS

3.1 Benefits Offered By Intel vPro Technology

Now the billion-dollar question: what benefits does Intel vPro technology offer enterprises? Many major software companies have been working to develop new applications, and to update current ones, to take advantage of the vPro platform. These hardware innovations, when combined with compatible software solutions, represent the superior manageability and strengthened security behind the Intel vPro brand. Major benefits can be summed up as:

1.      Energy Efficiency:
 One of the proven benefits of the technology is its energy efficiency. The Core 2 Duo processor is 40 percent faster and more efficient than the Pentium 4. The Core 2 Duo uses 65 watts of power compared to the 85 watts of a Pentium 4 processor. It generates less heat, which keeps the computers cooler. Because the systems are cooler, the fans don't need to run as often, which means they're quieter and use even less electricity.

2.      Active Management Technology:
The AMT capability is designed to improve desktop management by letting IT personnel access and manage computers even when the systems are powered off or the operating systems won't boot up. This could be a huge benefit to small businesses that rely on managed service providers for data security, disaster recovery, data backup or a number of other remote-access services. For example, let’s say you contract with a company to provide your small business with remote desktop management. Your PCs can be serviced and maintained as long as they're on and the OS is working properly. But should a system fail, your IT provider has to send a technician for on-site repair. That means down time for the company as they wait for the technician to arrive. In theory, this could let you take care of important maintenance tasks at a time that won't adversely impact the company’s employees' productivity.

3.      Virtualization Technology:
The VT that's a part of the Core 2 Duo processor is designed to help protect systems from security threats. According to Intel documents, systems with vPro help compliant third-party security software identify more threats before they reach the OS, isolate infected systems more quickly and update PCs regardless of their power state.
Security software vendors will be able to take advantage of vPro's virtualization technology and create virtual appliances that handle security and tasks in a tamper-resistant area on a system's hard drive. This area is set apart from the system's OS, invisible to the user and accessible only by authorized IT technicians. This provides improved security to the enterprises with less time and cost spent on it.

4. CONCLUSION
In spite of all the criticisms being raised, which are common for every new technology, Intel vPro technology proves itself a powerful technology for pacing the growth of enterprises around the globe. It certainly is the answer to the quest of enterprises for cost reduction without compromising the quality of service or their ever-growing needs. Research around the globe has shown that the use of vPro technology has helped industries gain the upper hand in their respective areas when compared to those who don’t use it. Although implementing the technology needs some initial investment, it is tolerable when considering the benefits offered by adopting it. Also, Intel is vigilant in providing technical support to enterprises for using vPro technology. Moreover, new versions and updates of the technology are coming from Intel, eliminating the faults of previous versions. In short, enterprises around the globe are on the go with this entirely new technology from Intel.
