The vPro's on-chip safeguards take system management to a new level--but questions remain.
Intel's vPro promises to stop exploits before they hit the operating system
The notion of hardware-based security isn't new; think Wake-on-LAN, BIOS-based antivirus utilities, and Trusted Platform Module. But it has yet to make a real dent in malware infections. Now the newest iteration of Intel's vPro chip-based security is poised to revolutionize IT's tactics in this fight--or at least give us a little breathing room.
Intel introduced its vPro technology in 2006, then added in August 2007 Trusted Execution Technology, which verifies that software hasn't been tampered with. On Sept. 23, Intel unveiled the third generation of the vPro, with better efficiency and management.
Now, as vPro chipsets arrive in myriad motherboard products for desktops, servers, and laptops, Intel hopes baked-in security and nearly hands-off system management spell real gains for distributed enterprises with lots of remote workers when far-flung systems become compromised and must be removed from a network, or when anti-malware applications demand manual updates.
One problem, though, is that for full integration with enterprise applications, vendors--in particular, Microsoft--must design products to work with vPro. There's also the question of long-term viability: Firmware that requires reflashing to keep up with new and ever-more-insidious attack tools could be a tempting target, one that can be analyzed and deconstructed because the firmware can be dumped and disassembled.
The hope is that the basic principles currently at the heart of the worst forms of data intrusion, such as buffer overflow and port exploitation, will remain relatively static, and thus a basic, robust set of rules can watch at the core level to stop them before they stop us. Whether or not these best hopes and Intel's diligence will be enough to make this iteration of hardware security more effective than previous efforts remains to be seen.
The vPro is an on-chip/on-motherboard management suite that aims to take the pain out of anti-malware program updates, system isolation, and system restoration. Workstations and servers from hardware vendors such as Asus, Dell, Hewlett-Packard, and Toshiba include the vPro motherboard technology. These systems support Intel's Active Management Technology (AMT), which gives network and system administrators an array of tools not only to control the physical tracking of the asset, but also to detect network compromises and defend against them.
VPro's resource management tool can be accessed via HTTP, much as a management page for a router might be. Through the browser, the administrator can reboot the system, halt the boot process if the OS is compromised, and update system BIOS. The Web page also enables IT to reset hung operating systems, poll for hardware status, and use a network image to reinstall an OS if a remote system is corrupted.
VPro offers a set of rules or defined conditions for allowable network traffic, established in the firmware, enabling network managers to monitor for suspicious network traffic on NICs or TCP/UDP ports. When questionable traffic is detected, vPro can notify IT via an alert or automatically shut down processes. It can thwart a buffer overflow by flushing the network buffer before the malware has a chance to gain control of the system. Rules can be set up to isolate infected machines, stopping network traffic to or from the affected system. The vPro chipset does this independent of the OS.
Intel's vPro offerings leave the factory with some AMT options switched off. Intel told us it leaves it up to individual OEMs to determine if certain features are on or off, based on that OEM's client requirements. Remote provisioning can be configured down the line from the ISV console, while integrating specific features into an Active Directory structure, for example, will take "a bit more time." And we'll be interested to see whether a wide swath of software makers build hooks for vPro/AMT into their products.
Intel has tackled the issue of data security head-on, from road warriors' notebooks all the way to the servers in the data center they're connecting to. Intel promises big security gains through vPro's on-chip management, limiting or completely stopping network exploits before they have a chance to compromise operating systems. It claims vPro's remote asset management tools will boost physical security and accountability.
Intel is banking hard on vPro making big, rapid inroads and being adopted by the likes of Apple, Microsoft, and various Linux distributions. Asus, Dell, Hewlett-Packard, Toshiba, and others are shipping vPro-powered workstations and servers. Currently, no competitors make on-chip security a priority, so the vPro could further solidify Intel's status as market leader.
Antivirus software can no longer go it alone. As botnet and buffer overflow attacks become the weapons of choice for hackers, Intel has a major stake in upping the ante in the war on malware by addressing security holes. However, Intel also faces the prospect of diminishing security returns over time as attackers figure out workarounds for its on-chip safeguards. Intel's vPro promises to stop exploits before they hit the operating system
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.