Filter threats and isolate PCs automatically based on IT policy
Laptop and desktop PCs with a new Intel Core vPro processor include programmable filters that monitor inbound and outbound network traffic for threats. IT managers use third-party management software to define the policies that trigger hardware-based isolation of a PC.
Both laptop and desktop PCs with a new Intel Core vPro processor use programmable, hardware-based filters that examine packet headers for suspicious behavior. Desktop PCs also include additional hardware-based filters that monitor the rate of outbound traffic to help identify suspicious behavior, including both fast-moving and slow-moving worms.
Both laptop and desktop PCs also include built-in isolation circuitry (see Figure 4). When a threat is identified, a policy-driven, hardware-based “switch” can:
•Isolate the system by specific port(s) to halt a suspicious type of traffic.
•Disconnect the network data path to the OS (the remediation port remains open) to contain threats more quickly.
•Rate-limit network traffic to give a technician more time to investigate a threat.
During a quarantine, the isolation circuitry disconnects the PC’s network communication in hardware/firmware, beneath the software stack of the OS. This is a more secure disconnect than traditional software-based isolation, which can be circumvented by hackers, viruses, worms, and user tampering.
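The filter and isolation logic described above, as an added example that is not part of the original page and not Intel's firmware: a Python model in which an IT policy pairs a port filter and two outbound-rate heuristics (a short window for fast worms, a long window for slow worms) with the three responses listed, and a switch object decides what still passes once a response has been applied. The packet fields, the thresholds, the rate cap and the remediation port number are assumptions; the page gives none of them.

```python
"""Host-side simulation of policy-driven traffic filtering and hardware
isolation as the text describes it. Constructed example, not Intel firmware
code; packet fields, thresholds and the remediation port are assumptions."""
from collections import deque
from dataclasses import dataclass, field

REMEDIATION_PORT = 16993  # assumed value; the page names no port number

@dataclass(frozen=True)
class Packet:
    ts: float          # seconds into the constructed capture
    direction: str     # "in" or "out"
    dst_ip: str
    dst_port: int
    syn: bool = False  # TCP connection attempt, read from the header only

@dataclass
class Policy:
    """Port filter, two outbound-rate heuristics (short window for fast worms,
    long window for slow worms) and the response per trigger; values assumed."""
    blocked_ports: set = field(default_factory=set)
    fast_window: float = 1.0    # seconds
    fast_max_dst: int = 20      # distinct destinations tolerated per window
    slow_window: float = 600.0
    slow_max_dst: int = 100
    actions: dict = field(default_factory=lambda: {
        "blocked_port": "isolate_port",
        "fast_worm": "disconnect_except_remediation",
        "slow_worm": "rate_limit"})

class OutboundRateMonitor:
    """Counts outbound connection attempts to distinct hosts in sliding windows."""
    def __init__(self, policy):
        self.policy, self.attempts = policy, deque()  # (ts, dst_ip), oldest first

    def observe(self, pkt):
        if pkt.direction != "out" or not pkt.syn:
            return None
        self.attempts.append((pkt.ts, pkt.dst_ip))
        while pkt.ts - self.attempts[0][0] > self.policy.slow_window:
            self.attempts.popleft()
        recent = {ip for ts, ip in self.attempts if pkt.ts - ts <= self.policy.fast_window}
        if len(recent) > self.policy.fast_max_dst:
            return "fast_worm"
        if len({ip for _, ip in self.attempts}) > self.policy.slow_max_dst:
            return "slow_worm"
        return None

class IsolationSwitch:
    """The switch below the OS: once set, permits() decides what still passes."""
    def __init__(self):
        self.isolated_ports, self.disconnected = set(), False
        self.rate_limit_pps, self._second, self._count = None, None, 0  # cap, per-second counter

    def apply(self, action, port=None):
        if action == "isolate_port":
            self.isolated_ports.add(port)
        elif action == "disconnect_except_remediation":
            self.disconnected = True
        elif action == "rate_limit":
            self.rate_limit_pps = 5   # assumed cap for the example

    def permits(self, pkt):
        if self.disconnected:                 # data path cut, remediation stays open
            return pkt.dst_port == REMEDIATION_PORT
        if pkt.dst_port in self.isolated_ports:
            return False
        if self.rate_limit_pps is not None:
            if int(pkt.ts) != self._second:
                self._second, self._count = int(pkt.ts), 0
            self._count += 1
            return self._count <= self.rate_limit_pps
        return True

def run(packets, policy):
    """Returns (decisions, passed): the (ts, trigger, action) tuples the policy
    fired, once per trigger, and how many packets the switch let through."""
    monitor, switch = OutboundRateMonitor(policy), IsolationSwitch()
    decisions, passed, fired = [], 0, set()
    for pkt in packets:
        if not switch.permits(pkt):
            continue
        passed += 1
        trigger = "blocked_port" if pkt.dst_port in policy.blocked_ports else monitor.observe(pkt)
        if trigger and trigger not in fired:
            fired.add(trigger)
            action = policy.actions[trigger]
            switch.apply(action, port=pkt.dst_port)
            decisions.append((pkt.ts, trigger, action))
    return decisions, passed

def worm_burst():
    """Constructed sample: 30 outbound SYNs to distinct hosts within 0.3 s,
    then an inbound packet on the remediation port, then one more SYN."""
    pkts = [Packet(i * 0.01, "out", f"10.0.0.{i}", 445, syn=True) for i in range(1, 31)]
    pkts.append(Packet(1.0, "in", "10.0.0.50", REMEDIATION_PORT))
    pkts.append(Packet(1.1, "out", "10.0.0.51", 80, syn=True))
    return pkts
```

Running `run(worm_burst(), Policy())` fires `fast_worm` on the 21st connection attempt and disconnects the data path; the inbound packet on the remediation port still passes while the later outbound attempt does not, which is the property to verify when testing a quarantine policy. The same function with `Policy(blocked_ports={23})` exercises port isolation, and a slow drip of distinct destinations spread over minutes exercises the rate-limit response without ever tripping the fast window.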
Automated, continual checking for agents
Traditionally, IT organizations have used serial polling to verify the presence of security agents (or other business-critical applications). Because this method can saturate the network with healthy heartbeats (restricting the bandwidth available for productive traffic), IT organizations often poll for compliance only once or twice a day – if that often.
In contrast, laptop and desktop PCs with a new Intel Core vPro processor use a regular, programmable “heartbeat” presence check, which is built into the Intel® Management Engine. The heartbeat uses a “watchdog” timer: third-party software checks in with the Intel Management Engine at programmable intervals to confirm that the agent is still active, and each check-in resets that agent’s timer. If an agent hasn’t checked in before its timer expires, the agent is presumed removed, tampered with, or disabled. The Intel Management Engine then immediately logs the alert and, if so configured, notifies the IT console.
With hardware-based heartbeats, IT administrators no longer need to wait for multiple polls to identify a potential problem. The PC itself makes presence checks more reliable and shortens the window in which a missing agent goes unnoticed. And these “healthy” heartbeats never leave the PC: an alert is sent across the network only when there is a problem, so the network isn’t flooded with healthy heartbeat signals, yet IT still receives rapid notification of problems. For wireless laptops, agent presence checking remains enabled even when operating outside the corporate network, through a host OS-based VPN. This gives IT administrators greater visibility into these highly mobile and traditionally unsecured assets.
Combined with the remote power-up capability, the entire process of checking and reinstalling missing agents can also be automated, improving compliance further and saving additional resources.
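The watchdog mechanism of the paragraphs above, as an added example that is not the Intel Management Engine's code and not part of the original page: a Python simulation in which each registered agent resets its own timer on check-in, the engine's clock checks the timers, and only an expiry produces an alert; healthy heartbeats go to a local log that never leaves the PC. The agent names, intervals, alert fields and the treatment of an agent that comes back after an alert are assumptions.

```python
"""Simulation of the watchdog-based agent presence check the text describes.
Constructed example, not Intel Management Engine code; the agent names,
timer values, alert format and recovery handling are assumptions."""
from dataclasses import dataclass

@dataclass
class Watchdog:
    """One timer per agent. Healthy check-ins reset it locally; only an
    expiry produces anything that leaves the PC."""
    agent: str
    interval: float           # seconds the agent has to check in
    grace: float = 0.0        # extra tolerance before treating it as expired
    last_checkin: float = 0.0
    expired: bool = False

    def checkin(self, now):
        self.last_checkin, self.expired = now, False

    def deadline(self):
        return self.last_checkin + self.interval + self.grace

class PresenceMonitor:
    """Keeps one watchdog per registered agent, a local event log that stays
    on the PC, and the alert list that would go to the IT console."""
    def __init__(self):
        self.watchdogs, self.local_log, self.alerts = {}, [], []

    def register(self, agent, interval, now, grace=0.0):
        self.watchdogs[agent] = Watchdog(agent, interval, grace, last_checkin=now)
        self.local_log.append((now, agent, "registered"))

    def heartbeat(self, agent, now):
        """Called by the agent at its programmed interval."""
        if agent not in self.watchdogs:
            raise KeyError(f"unregistered agent {agent!r}")
        wd = self.watchdogs[agent]
        if wd.expired:  # assumption: a check-in after expiry is logged as recovery
            self.local_log.append((now, agent, "restored"))
        wd.checkin(now)
        self.local_log.append((now, agent, "heartbeat"))

    def tick(self, now):
        """Called by the engine's clock; raises one alert per outage."""
        for wd in self.watchdogs.values():
            if not wd.expired and now > wd.deadline():
                wd.expired = True
                self.local_log.append((now, wd.agent, "expired"))
                self.alerts.append({"ts": now, "agent": wd.agent,
                                    "event": "agent_presence_lost",
                                    "last_checkin": wd.last_checkin})

def scenario():
    """Constructed timeline (seconds): av-agent checks in every 60 s, is
    killed after its 180 s check-in and restarted at 300 s; backup-agent
    checks in every 300 s and stays healthy. The engine ticks every 10 s."""
    mon = PresenceMonitor()
    mon.register("av-agent", interval=60, now=0)
    mon.register("backup-agent", interval=300, now=0)
    av_beats, backup_beats = {60, 120, 180, 300, 360}, {300}
    for now in range(10, 401, 10):
        if now in av_beats:
            mon.heartbeat("av-agent", now)
        if now in backup_beats:
            mon.heartbeat("backup-agent", now)
        mon.tick(now)
    return mon
```

In `scenario()` the av-agent's timer, last reset at 180 s, expires at 240 s and the engine's next tick at 250 s produces the single alert, carrying the last check-in time the console would need to scope the gap; the six heartbeats and the recovery at 300 s stay in the local log. The backup-agent, with a 300 s interval, checks in exactly at its deadline and never alerts, which is why the `grace` field exists: with jittery agents a small tolerance avoids false "removed" alerts from check-ins that arrive a few seconds late.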