Intel's vPro promises to stop exploits before they hit the operating system
Intel introduced its vPro technology in 2006, then in August 2007 added Trusted Execution Technology (TXT), which measures the boot software against known-good values so that tampering can be detected. On Sept. 23, Intel unveiled the third generation of vPro, with better efficiency and management.
Now, as vPro chipsets arrive in a wide range of motherboards for desktops, servers, and laptops, Intel hopes that baked-in security and nearly hands-off system management will pay off for distributed enterprises with many remote workers: far-flung systems that become compromised can be cut off from the network, and anti-malware applications that need manual updates can be reached without a technician on site.
One problem, though, is that full integration with enterprise applications depends on vendors, Microsoft in particular, designing their products to work with vPro. There's also the question of long-term viability. Firmware that must be reflashed to keep pace with new and ever-more-insidious attack tools is itself a tempting target, one that can be analyzed and deconstructed, because the firmware can be dumped from the flash part and disassembled.
The hope is that the basic principles at the heart of today's worst intrusions, such as buffer overflows and attacks on exposed network ports, will remain relatively static, so that a small, robust set of rules enforced at the core level can stop them before they stop us. Whether these hopes and Intel's diligence will be enough to make this iteration of hardware security more effective than previous efforts remains to be seen.
vPro is an on-chip/on-motherboard management suite that aims to take the pain out of anti-malware updates, system isolation, and system restoration. Workstations and servers from hardware vendors such as Asus, Dell, Hewlett-Packard, and Toshiba include the vPro motherboard technology. These systems support Intel's Active Management Technology (AMT), which gives network and system administrators tools not only to track and inventory the physical asset but also to detect network compromises and respond to them.
vPro's management interface is reached over HTTP, much like a router's management page, but it is served by the AMT firmware rather than by the operating system (AMT listens on its own ports, 16992 for HTTP and 16993 for HTTPS), so it answers as long as the machine has power and a network link, even when the OS is down. Through the browser, an administrator can reboot the system, halt the boot process if the OS is compromised, and update the system BIOS. The page also lets IT reset hung operating systems, poll hardware status, and boot from a network image to reinstall an OS on a corrupted remote system. The practical caveat is the one that applies to any out-of-band controller: an interface this powerful, reachable independently of the OS, has to sit on a restricted management network behind strong credentials and TLS, or it becomes the attacker's remote console instead of IT's.
vPro lets network managers define, in firmware, a set of rules for allowable traffic and then watch a system's NICs and TCP/UDP ports for traffic that violates them. When questionable traffic is detected, vPro can alert IT or act automatically, for example by cutting off the offending traffic. Intel's pitch is that this can thwart a buffer-overflow attack by discarding the incoming traffic before the malware it carries has a chance to gain control of the system. Note the limit of that claim: the filters work on packet headers such as addresses, protocols, ports, and rates, so they can stop exploit traffic from being delivered to a port, but they cannot see the overflow itself inside an application. Rules can also isolate an infected machine by blocking all traffic to or from it. Because the rules run in the chipset, they operate independently of the OS and keep working if the OS is compromised or down.
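To make concrete what header-level, OS-independent filtering of the kind described above can and cannot do, here is a toy rule engine written for this article. It is not Intel's System Defense firmware or API; the rule semantics (first matching rule decides, a rate-limited rule fires only above its threshold, and an "isolate" action trips a circuit breaker that drops all further traffic) and every packet and address in it are this example's own constructed assumptions. The oversized request to an allowed port passes untouched, which is exactly the blind spot noted in the text.

```python
"""Toy model of OS-independent, header-level traffic filtering.

Illustration written for this article; NOT Intel's System Defense code
or API.  Rule semantics and all sample traffic are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float        # arrival time in seconds
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    direction: str   # "in" (toward the host) or "out"
    payload: bytes = b""   # carried along but never inspected by rules


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    action: str                       # "pass", "drop", "alert", "isolate"
    rate_limit: Optional[int] = None  # fire only after this many matches ...
    window: float = 1.0               # ... within this many seconds
    seen: List[float] = field(default_factory=list, repr=False)


class FilterEngine:
    """Applies rules in order; the first rule that fires decides."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.alerts: List[Tuple[str, Packet]] = []
        self.isolated = False   # circuit breaker: block everything

    def evaluate(self, pkt: Packet) -> str:
        if self.isolated:
            return "drop"
        for rule in self.rules:
            if not rule.match(pkt):
                continue
            if rule.rate_limit is not None:
                # Sliding window: keep only timestamps still inside the window.
                rule.seen = [t for t in rule.seen if pkt.ts - t < rule.window]
                rule.seen.append(pkt.ts)
                if len(rule.seen) <= rule.rate_limit:
                    continue  # below threshold: this rule does not decide
            if rule.action == "pass":
                return "pass"
            if rule.action == "alert":
                self.alerts.append((rule.name, pkt))
                return "pass"
            if rule.action == "isolate":
                self.alerts.append((rule.name, pkt))
                self.isolated = True
            return "drop"
        return "pass"   # default-allow, as a monitoring policy would be


def is_mgmt(ip: str) -> bool:
    """Assumed management subnet for this example."""
    return ip.startswith("10.0.0.")


def make_rules() -> List[Rule]:
    return [
        Rule("allow-mgmt-smb",
             lambda p: p.direction == "in" and p.proto == "tcp"
             and p.dport == 445 and is_mgmt(p.src), "pass"),
        Rule("block-smb-rpc",
             lambda p: p.direction == "in" and p.proto == "tcp"
             and p.dport in (135, 139, 445), "drop"),
        # More than 3 outbound SMTP packets per second from a desktop
        # trips the breaker and cuts the host off the network.
        Rule("smtp-burst",
             lambda p: p.direction == "out" and p.proto == "tcp"
             and p.dport == 25, "isolate", rate_limit=3, window=1.0),
    ]


HOST, ADMIN, ATTACKER, RELAY = "10.0.1.20", "10.0.0.5", "198.51.100.7", "203.0.113.9"

SAMPLE_TRAFFIC = [   # constructed, not captured
    Packet(0.0, ATTACKER, HOST, "tcp", 40000, 135, "in"),
    Packet(0.1, ADMIN, HOST, "tcp", 40001, 445, "in"),
    Packet(0.2, ATTACKER, HOST, "tcp", 40002, 445, "in"),
    # Oversized request to an allowed port: header rules cannot see it.
    Packet(0.3, ATTACKER, HOST, "tcp", 40003, 80, "in", b"GET /" + b"A" * 4000),
    Packet(1.0, HOST, RELAY, "tcp", 50000, 25, "out"),
    Packet(1.1, HOST, RELAY, "tcp", 50001, 25, "out"),
    Packet(1.2, HOST, RELAY, "tcp", 50002, 25, "out"),
    Packet(1.3, HOST, RELAY, "tcp", 50003, 25, "out"),   # 4th in 1 s: isolate
    Packet(1.4, HOST, RELAY, "tcp", 50004, 443, "out"),  # dropped: host isolated
]


def run_demo() -> Tuple[List[str], FilterEngine]:
    engine = FilterEngine(make_rules())
    verdicts = [engine.evaluate(p) for p in SAMPLE_TRAFFIC]
    return verdicts, engine


if __name__ == "__main__":
    verdicts, engine = run_demo()
    for pkt, verdict in zip(SAMPLE_TRAFFIC, verdicts):
        print(f"{pkt.ts:4.1f} {pkt.direction:3} {pkt.src}->{pkt.dst}:{pkt.dport:<4} {verdict}")
    print("isolated:", engine.isolated, "alerts:", [n for n, _ in engine.alerts])
```

The two things worth taking from the run are the ordering (the management allow rule must precede the block rule, or administrators lose SMB along with the attacker) and the fact that the 4,000-byte request to port 80 is passed: a filter that only sees headers enforces where traffic may go and how fast, not what it contains, so it complements rather than replaces patching and host-level exploit mitigation.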
Intel's vPro offerings leave the factory with some AMT options switched off. Intel told us it leaves it up to individual OEMs to determine whether certain features are on or off, based on that OEM's client requirements. Remote provisioning can be configured later from the ISV console, while integrating specific features into an Active Directory structure, for example, will take "a bit more time." And we'll be interested to see whether a wide swath of software makers build hooks for vPro/AMT into their products.
In Part 2 of this Tech Road Map, we'll examine the roles of Intel, rival chipmaker AMD, and software vendors in giving teeth to this silicon watchdog.