Intel® Active Management Technology Use Case #8: Agent Presence Checking (Protect)

February 11, 2010 11:00 PM PST


Intel® Active Management Technology (Intel® AMT) helps to safeguard the operation of critical manageability functions by removing the threat of User partition software agents being disabled or removed without detection. Such removal could make the system vulnerable to network attacks, or it could render critical management functions non-operational. This is a particular problem when agents are disabled on a notebook that is connected to a third-party network and tunneling back to the corporate LAN over VPN: the console has no direct view of the platform, yet the platform is trusted once the tunnel is up.

In the scenario without Intel® AMT in this use-case example, malware attacks and infects the User environment (User partition or single partition), disabling the software agents. The platform then becomes vulnerable to further malware and can be used to mount attacks on the network. Additionally, software agents can be intentionally or unintentionally disabled or removed by users, negating the value of the manageability and security software.

In the scenario with the addition of Intel® AMT, fewer viruses and other malware propagate to the network from an infected platform, since network heuristics can detect and stop worms (by detecting IP scans and port scans) and Denial of Service attacks. That has the effect of reducing support calls (including those that result in costly desk-side visits) to repair systems infected by malware, since fewer systems become infected, and those that are infected are easier to remediate remotely.

In addition, the Intel® AMT scenario results in increased end user productivity, since less time is spent recovering from malware. End-user productivity is also increased on infected systems, since a user can continue to operate, even while connected to the network, while only the malware is blocked and other traffic is transmitted and received.

Conventional Limitations of Software Agents

In a traditional environment, management consoles poll or scan the User environment to ensure that platform-resident software agents are present. This activity takes up network bandwidth and only works if the platform is powered on, the User operating system is present and operational, and the platform is attached to the corporate LAN. Many systems typically cannot be polled, including mobile client systems, those that are powered off, those that are non-responsive, those that are misconfigured, etc. Acting on non-responsive platforms is time-consuming and may yield inaccurate results.

Using Intel® AMT to Overcome Limitations

Intel® AMT-enabled third-party software agents in the User environment register with the Intel® AMT firmware. Once they are registered, the firmware checks for the presence of each registered agent on a periodic basis set by corporate policy through the third-party management console. Because the check runs locally on the platform, it consumes no network bandwidth, which allows it to be performed far more frequently than a console poll; for example, the Intel® AMT firmware can verify that User environment agents are present every 10 seconds. If an agent fails to respond within its interval, an alert is sent to the management console.

Once the alert is received, the console takes appropriate action based on company policy, which can reduce the number of support calls received to remedy the effects of agent removal. This action can include using Intel® AMT System Defense features to isolate the system from the network while leaving a single port open so that the console can force a reinstall of the disabled agent.

Key Functionality Enabled by Intel® AMT that Underlies this Use Case

The following table summarizes the features and functionality utilized in this use case that are provided by Intel® AMT or enabled by Intel® AMT in third-party software:

Feature                                        Functionality
Agent presence services in User environment    Polls the local platform for the presence of the User partition software agent

In addition, the following functionality is performed by third-party management applications:

  • Third-party software agents must be capable of registering with the Intel® AMT Agent Presence Monitor.
  • Third-party management-console must be enabled for Intel® AMT alerts.
  • Third-party software must be capable of restarting and/or replacing an unresponsive agent.
  • Third-party software must be capable of managing the corporate policy.

The Advantage of Intel® AMT

Intel® AMT provides local, hardware-based detection of agents in the User environment. Coupled with remediation software on the third-party management console, this detection makes it very difficult for a user or for malware to disable protection capabilities without the disablement being noticed and acted on. The mechanism also lessens the network traffic and server utilization needed to poll centrally for agent presence, since the polling infrastructure on the console side is no longer required.

Fewer support calls are required to remedy the effects of agent disabling or misconfiguration, since the reinstall of the agent may be automatic based on company policy. The organization also obtains user productivity gains due to increased platform stability, reducing the chance of malware infections.

Business Value of the Intel® AMT Solution

This use case enables IT organizations to save on support and productivity costs:

  • Savings from Eliminating Support Issues: By reducing the number of systems that are affected by malware, support costs are reduced.
  • Savings in End-user Productivity: By decreasing the number of end-users who are affected by malware, organizations can realize savings in terms of avoided end-user downtime.

User Partition Agent Presence Usage Model Implementation

The components required to configure User partition agent presence are as follows:

  • A Management Console (MC) application running on a system elsewhere on the network.
  • An Intel® AMT system.
  • A software agent application running in the host OS of the Intel® AMT system platform.

The Management Console application is used to configure the Intel® AMT device with the Agent Presence (AP) settings such as agent watchdog creation and timeout actions, along with any related and required System Defense policies.

During initialization, the software agent registers with the local Intel® AMT device, providing the required security credentials. Once registered, the software agent sends heartbeat signals to the Intel® AMT device indicating it is still active. If the Intel® AMT device does not receive the heartbeat signal from the local software agent within the heartbeat interval timeout period, the AP actions are triggered.

The following steps are required in order to create an Agent Watchdog:

Step 1: Create an Agent Presence watchdog for an agent. Specify:

  • Agent ID that uniquely identifies the agent
  • Agent Description (optional)
  • Maximum number of seconds between agent heartbeat calls
  • Maximum number of seconds allowed for the agent to register after the OS is booted

Step 2 (optional): Define a System Defense policy to enable/disable when the agent state changes.

  • For each monitored agent, the last state transition of the agent is checked. States include not started, running, expired, stopped, and suspended.
  • If, for its last state change, at least one agent specifies ActionCB=ActivateCBPolicy, the AP System Defense policy is enabled.
  • If no agent's last state change calls for the policy to be active, the AP System Defense policy is disabled.

Step 3: The MC specifies a set of watchdog actions (a state transition table). Each action specifies what happens when the agent state changes from a specific old state to a specific new state:

  • ActionEventOnTransition: Specifies whether an Event should be created in the Intel® AMT Event Manager when the application watchdog transitions from OldState to NewState.
  • ActionCB: A System Defense action that may be applied when the application watchdog transitions from OldState to NewState. The action can be ActivateCBPolicy, DeactivateCBPolicy, or null.

Step 4: The foregoing actions create an Agent Presence watchdog timer, associate a timeout event within the Intel® AMT device, and start the countdown timer.

Step 5: When an agent state changes, the actions defined for that state change are executed by the Intel® AMT device. State changes can occur as a result of:

  • The agent registering with the Intel® AMT device from the local host using AgentWatchdogRegister()
  • The agent sending a heartbeat using AgentWatchdogHeartbeat()
  • The timer expiring: the agent has not registered or has not sent a heartbeat signal within the allowed interval
  • The agent reporting shutdown using AgentWatchdogShutdown()
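The five steps above describe a small state machine: a per-agent countdown timer, a (OldState, NewState) transition table, and a System Defense policy flag that the transitions switch on and off. The following Python model, written for this article and not taken from the Intel® AMT firmware or SDK, walks that machine through the failure mode the use case is about (an agent that registers, heartbeats, then silently stops) and the remediation (the console restarts it and it re-registers). The class names, method names and the "av-agent" scenario are the author's own; the register/heartbeat/shutdown methods only mirror the page's AgentWatchdogRegister()/AgentWatchdogHeartbeat()/AgentWatchdogShutdown() vocabulary and are not the real API.

```python
"""Illustrative model of an Intel AMT style Agent Presence watchdog (steps 1-5 above).
Added example, not Intel AMT firmware or SDK code: the class and method names are the
author's own, mirroring the page's AgentWatchdogRegister/Heartbeat/Shutdown vocabulary."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple

class AgentState(Enum):
    # The five agent states the page lists for a monitored agent.
    NOT_STARTED = "not started"
    RUNNING = "running"
    EXPIRED = "expired"
    STOPPED = "stopped"
    SUSPENDED = "suspended"  # listed on the page; not exercised below

class CBAction(Enum):
    # ActionCB values from step 3.
    ACTIVATE = "ActivateCBPolicy"
    DEACTIVATE = "DeactivateCBPolicy"
    NONE = "null"

@dataclass
class AgentWatchdog:
    agent_id: str
    heartbeat_interval: int  # max seconds between heartbeats (step 1)
    startup_interval: int    # max seconds after OS boot to register (step 1)
    state: AgentState = AgentState.NOT_STARTED
    deadline: Optional[int] = None  # absolute expiry time in seconds since boot; None = disarmed
    # State transition table: (OldState, NewState) -> (ActionEventOnTransition, ActionCB)
    actions: Dict[Tuple[AgentState, AgentState], Tuple[bool, CBAction]] = field(default_factory=dict)

class AgentPresenceMonitor:
    # Stand-in for the firmware side: the watchdogs, the event log and the AP policy flag.
    def __init__(self):
        self.watchdogs: Dict[str, AgentWatchdog] = {}
        self.events: List[str] = []    # what would be posted to the Event Manager
        self.ap_policy_active = False  # state of the AP System Defense policy

    def create_watchdog(self, agent_id, heartbeat_interval, startup_interval, boot_time=0):
        wd = AgentWatchdog(agent_id, heartbeat_interval, startup_interval)
        wd.deadline = boot_time + startup_interval  # countdown starts at boot (step 4)
        self.watchdogs[agent_id] = wd
        return wd

    def add_action(self, agent_id, old, new, event_on_transition, cb_action):
        self.watchdogs[agent_id].actions[(old, new)] = (event_on_transition, cb_action)

    def _transition(self, wd, new, now):
        # Apply the (OldState, NewState) row of the transition table; no row means no action.
        old, wd.state = wd.state, new
        event_on_transition, cb_action = wd.actions.get((old, new), (False, CBAction.NONE))
        if event_on_transition:
            self.events.append(f"t={now} {wd.agent_id}: {old.value} -> {new.value}")
        if cb_action is CBAction.ACTIVATE:
            self.ap_policy_active = True
        elif cb_action is CBAction.DEACTIVATE:
            self.ap_policy_active = False

    def register(self, agent_id, now):
        # Models AgentWatchdogRegister(): the agent is up, arm the heartbeat timer.
        wd = self.watchdogs[agent_id]
        wd.deadline = now + wd.heartbeat_interval
        self._transition(wd, AgentState.RUNNING, now)

    def heartbeat(self, agent_id, now):
        # Models AgentWatchdogHeartbeat(): only a running agent may extend its timer;
        # an expired or stopped agent must register again.
        wd = self.watchdogs[agent_id]
        if wd.state is not AgentState.RUNNING:
            return False
        wd.deadline = now + wd.heartbeat_interval
        return True

    def shutdown(self, agent_id, now):
        # Models AgentWatchdogShutdown(): orderly stop, timer disarmed.
        wd = self.watchdogs[agent_id]
        wd.deadline = None
        self._transition(wd, AgentState.STOPPED, now)

    def tick(self, now):
        # Firmware timer: every armed watchdog whose deadline has passed expires.
        for wd in self.watchdogs.values():
            if wd.deadline is not None and now > wd.deadline:
                wd.deadline = None
                self._transition(wd, AgentState.EXPIRED, now)

def run_scenario():
    """Constructed scenario (seconds since boot): register, heartbeat, silent death, restart."""
    mon = AgentPresenceMonitor()
    mon.create_watchdog("av-agent", heartbeat_interval=10, startup_interval=60)
    S, A = AgentState, CBAction
    mon.add_action("av-agent", S.NOT_STARTED, S.RUNNING, True, A.NONE)
    mon.add_action("av-agent", S.NOT_STARTED, S.EXPIRED, True, A.ACTIVATE)  # never came up
    mon.add_action("av-agent", S.RUNNING, S.EXPIRED, True, A.ACTIVATE)      # stopped beating
    mon.add_action("av-agent", S.EXPIRED, S.RUNNING, True, A.DEACTIVATE)    # remediated
    mon.register("av-agent", now=5)
    for t in (15, 25, 35):
        mon.heartbeat("av-agent", now=t)
    mon.tick(now=46)  # deadline was 45: heartbeat missed, expired, AP policy activated
    assert not mon.heartbeat("av-agent", now=47)  # a late heartbeat is rejected
    mon.register("av-agent", now=50)  # console restarted the agent; policy deactivated
    return mon
```

Two design points carry over to a real deployment. First, the transition table should have a row for (not started, expired) as well as (running, expired): an agent that never registers after boot is exactly the case a user who uninstalled it produces, and a table that only covers the running-to-expired path misses it. Second, a heartbeat from an agent that has already expired is not accepted as proof of life; the agent has to register again, which is the transition the console's remediation policy keys on.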

The following SDK sample source code provides WS-Management samples of the components involved in implementing this Agent Presence use case:

  • AgentPresence
  • SystemDefense

Additional information on the features associated with this use case can be found in the Intel® AMT SDK HTML-based documentation. Download and install the SDK; open the file default.htm found under ...\DOCS\Implementation and Reference Guide\. Under the "Contents" tab select "Intel® AMT Features".