Securing the Managed Enterprise with Intel® vPro™ Processor Technology
Moishe Halibard, TME
AMT Design Center Jerusalem
Copyright © 2007, Intel Corporation. All rights reserved.
Legal Disclaimers
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL® PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. Intel products are not intended for use in medical, life saving, or life sustaining applications.
Intel may make changes to specifications and product descriptions at any time, without notice.
The Intel products in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request.
Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order.
All dates specified are target dates, are provided for planning purposes only and are subject to change.
† Hyper-Threading Technology requires a computer system with an Intel® Pentium® 4 processor supporting Hyper-Threading Technology and a Hyper-Threading Technology enabled chipset, BIOS and operating system. Performance will vary depending on the specific hardware and software you use. See http://www.intel.com/info/hyperthreading/ for more information including details on which processors support Hyper-Threading Technology.
∆ Intel processor numbers are not a measure of performance. Processor numbers differentiate features within each processor family, not across different processor families. See http://www.intel.com/products/processor_number for details.
Φ Intel® EM64T requires a computer system with a processor, chipset, BIOS, operating system, device drivers and applications enabled for Intel EM64T. Processor will not operate (including 32-bit operation) without an Intel EM64T-enabled BIOS. Performance will vary depending on your hardware and software configurations. See www.intel.com/info/em64t for more information including details on which processors support Intel EM64T or consult with your system vendor for more information.
Montevina, Penryn, Cantiga, Santa Rosa, Crestline, Napa, Broadwater, Merom, Yonah and other code names featured are used internally within Intel to identify products that are in development and not yet publicly announced for release. Customers, licensees and other third parties are not authorized by Intel to use code names in advertising, promotion or marketing of any product or services and any such use of Intel's internal code names is at the sole risk of the user.
Intel, Pentium, Celeron, Centrino, Intel Core Duo, Intel Core Solo, Intel SpeedStep, vPro and the Intel logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
*Other names and brands may be claimed as the property of others.
Agenda
• Introduction to Intel® vPro™ Technology, including value proposition and customer benefits
• Security and management applications
• Overview of the Intel® Active Management Technology (Intel® AMT) SDK and Intel® AMT Developer Tool Kit

Agenda
• Introduction to Intel® vPro™ Technology, including value proposition and customer benefits (this section)
The Enterprise IT Challenge
• Costs: Drive costs down while advancing to new levels of customer service.
• Availability: Eliminate business-line interruptions and ensure LOB continuity.
• Security: Secure from without and within. Secure all assets and protect against attack.
• Governance: Unified manageability profile. No outliers. One IT vision.
Enterprise Management Evolution – from SW-only to Full-System Management
Manageability is comprised of 3 master categories: Discover, Heal, Protect.
• Software solutions: powerful; function when the OS is present, healthy and equipped.
• Intel® vPro™ Technology value-add to the enterprise: the Enterprise Management Console can reach the bare metal, even when the OS is inoperable, compromised, or non-existent.
• Value to existing SW solutions: completes the Enterprise Management promise and evolves over time.
IT Survey: Top 5 Problems (Source: 24 Fortune 100 MIS Departments)
Pri | Problem | Wish list
5 | Dynamic Resource Allocation: e.g., Memory/CPU, etc. "hard-allocated" to single apps | Support for dis-aggregation of resources.
4 | Application integration complexity: e.g., lack of standards to integrate apps | XML standards, self-describing objects, policies.
3 | OOB mgmt & online diagnostics: e.g., users remove agents. No automated FW/OS update. Can't probe a hung system. Time to repair is large. | OOB mgmt, detect anomalies. Online diagnostic when the system fails. Below-the-O/S agent (available when system hangs, accepts updates).
2 | Asset management: e.g., hard to locate systems, query basic information | Active location ID, asset list available in any state, non-removable agents persistent across installation of new OS images.
1 | Protecting from inside: e.g., systems bringing in many viruses | Route unknown systems to the "not OK corral", isolate and fumigate. Need non-removable agents, "circuit breakers" to stop anomalies.
Intel® AMT Created to Address Top IT Issues
Intel® AMT provides a solution that:
• Augments existing SW solutions with new / improved functionality
• Adds value in OS absent / agnostic environment
• Functions when system is down / hung / sleeping
• Is tamper-resistant to OS / users
• WS-MAN
(Discover, Heal, Protect)
Intel® vPro™ Technology: A Leap Forward in Business PCs
Built-in Manageability
• Remote HW and SW assets inventory
• Remote diagnostics and repair, even when the PC is powered down or the OS is inoperable
• Manageability Agent Presence verification
• Platform Stability – Intel® SIPP
Strengthened Security
• Secure remote power-on and update
• Hardware-based isolation and recovery
• Security Agent Presence verification
• Virtualized isolation and recovery
• Virtualized intrusion protection
Energy-efficient Performance
• Dual-core Intel® Core™ Microarchitecture
• Reduced power consumption
• Run security, management tasks in background
• Ready for VoIP, collaboration, indexing, analytics
• 64-bit application ready
Broad Industry Support
• Available from major manufacturers
• Supported by leading outsourcers
• Software from leading ISVs
• Microsoft Vista* capable
Intel® AMT: Discover, Heal, and Protect
• Discover all of your computing assets
– Intel® AMT stores HW & SW asset information in FLASH memory, which can be read anytime, even if the OS is hung or the PC is off.
– Intel® AMT does not rely on software agents, preventing accidental data loss.
• Heal systems remotely regardless of system state
– Intel® AMT provides out-of-band access to remotely diagnose and repair PCs after SW, OS, or HW failures.
– Alerting & event logging help IT detect and diagnose problems quickly to reduce end-user downtime.
• Protect against malicious attacks
– Intel® AMT protects the network from virus and worm attacks through packet filtering and heuristics.
– Intel® AMT helps IT keep software versions and virus protection up-to-date.
Reducing Operational Costs – ITOs
Function Tested | Atos-Origin Lab Evaluation Tests* | EDS Lab Evaluation Tests**
Asset Inventory | Not in scope | 55% reduction
Hardware Problem: Reduced Deskside Visits | 83% reduction | 90% reduction
User Productivity: Time to Get Them Back Up | 50% reduction | 2 hours instead of 1 day
Software Problem: Reduced Deskside Visits | 75% reduction | Not measured in test
*Source: Improving IT Services and Increasing User Uptime with Intel® vPro™ Technology
**Source: Improving Asset Inventories and Reducing IT Costs with Intel® vPro™ Technology
Agenda
• Security and management applications (this section)
The Whole Solution
Stack, from console to platform:
• Enterprise Consoles
• Local Applications: OEM or 3rd party S/W
• Platform Mgmt Interface – XML/SOAP
• Firmware, BIOS: OEM, IBV
• Network
• Intel Silicon
• OEM Platform
Provided by: Intel (silicon), OEM/IBV (platform, firmware, BIOS), ISV/OEM (local applications, consoles).
PCs with Intel® vPro™ Technology Supported by Leading ISVs & IT Outsourcers
HP OpenView*
Agenda
• Overview of the Intel® Active Management Technology (Intel® AMT) SDK and Intel® AMT Developer Tool Kit (this section)
Intel® AMT SDK – What is it?
• Documentation & tools for developers
• One unified SDK for Intel AMT 4.0 and 5.0
• Continually evolving
• Available publicly
– http://softwarecommunity.intel.com/isn/home/manageability.aspx
• The SDK is also used for:
– Internal validation
– Building compliance test tools
– OEM testing
Intel® AMT SDK – What's in it?
1. Documentation
2. Interfaces
– WSDL files for EOI
– MOF files for WS-Man
– Libraries for Storage and Redirection
3. Samples
– Setup and Configuration
– Redirection (including a GUI sample application)
– All EOI APIs
– Storage
– Name Resolution and Host Information
– WS-Man samples
SDK Components – Documentation
• The SDK is, first and foremost, detailed documentation on using Intel® AMT.
• The SDK contains detailed guides on the following topics:
– General SDK usage
– Intel® AMT network interface (SOAP)
– WS-Man data model and usage flows
– Intel® AMT features (such as System Defense, Redirection, Configuration and Storage)
– ISV Coexistence Guidelines
– Validation guide
• The SDK documentation is in PDF format and searchable.
SDK Components – Interfaces
• The SDK contains all the needed interface definitions for communicating with Intel® AMT:
– WSDL and MOF files: Most Intel® AMT features are SOAP based. The SDK contains the WSDL files which define the various EOI SOAP interfaces, as well as MOF files documenting the CIM model that represents the WS-Man interfaces.
– Libraries:
– Redirection library: Redirection is not done via SOAP, but via a proprietary Intel protocol (although a few Redirection configurations are done over SOAP). For this purpose the SDK contains a Redirection library, which encapsulates usage of the Redirection feature. The SDK does not contain the sources of the Redirection library, nor any documentation on its internal working.
– Storage library: Storage itself is done over SOAP, but the interface itself is very complex. The Storage library encapsulates the actual Storage EOI SOAP calls. The SDK contains full sources of the Storage library.
Note - WS-Man storage interfaces do not require a library.
SDK Components – Samples
• Demonstrating the use of the different Intel® AMT features and interfaces
• Not intended to be distributed to end users
• Many parameters for the various API calls are hard coded in the samples
• May be used as a starting point
Intel AMT DTK Goals & Objectives
• Educate people on Intel AMT value and usages.
• Reference tools for developers & testers.
• Research platform for trying new ideas.
• Accelerate development of Intel AMT software.
• Early adoption software for new features.
Intel AMT DTK Component Applications
• Intel AMT Outpost (Agent) – local agent, linked to Intel AMT over HECI / SOL
• Intel AMT Commander (Console)
• Intel AMT Director (Setup & Config)
• Intel AMT Monitor (Monitor)
• Intel AMT Switchbox (Proxy & Monitor)
Deployment in the diagram: Private Network; Internet; Consoles; Browsers.
Summary
• Intel® vPro™ Technology brings new power to enterprise administration. See http://www.intel.com/products/vpro
• Intel® AMT opens new management vistas for programmers. See http://www.intel.com/technology/platform-technology/intel-amt
• Intel® AMT SDK including samples is publicly available for download and perusal. See http://softwarecommunity.intel.com/isn/home/manageability.aspx
• Intel® DTK contains numerous applications built using the SDK to demonstrate the power of Intel® AMT, and give ideas to developers for their own applications. See http://softwarecommunity.intel.com/articles/eng/1034.htm