Intel® Active Management Technology Use Case #9: Endpoint Access Control (Protect)

Last Modified On: October 15, 2008 4:21 PM PDT


 

Endpoint Access Control: AMT 2.5 for NAC, AMT 4.0 and AMT 5.0 for NAP

Intel® Active Management Technology (Intel® AMT) helps secure network endpoints by validating their compliance with network policies. The endpoint access control (EAC) feature allows IT administrators to implement differentiated policy enforcement and configuration based on the security state of the endpoint. This example examines the case where a system with a non-compliant software configuration is attempting to access the network.

Greater connectivity options, including public wireless hotspots, hotel and home networks, increase the exposure of notebook PCs. Notebook PCs often become vulnerable while disconnected from the corporate network, and when they are reconnected they pose a potential threat to the business. Rogue desktop systems (not IT-managed, not properly configured, or a visitor's system) plugged into a corporate network could open a security hole, allowing an external visitor or attacker to snoop on the network, and could be the source of malware spreading onto the network. This example covers isolating non-compliant systems and automating their remediation to bring them into compliance with network security policies.

Conventional Endpoint Access Control Limitations

802.1X networks can authenticate systems before allowing them onto the network, but cannot validate posture to ensure proper virus protection, current OS patches, and the absence of unauthorized software. Non-802.1X networks cannot even authenticate the system. Non-compliant systems (those lacking proper virus protection or OS patches, or running unauthorized software) can connect to the network and potentially become the source of malware distribution into it. Visitors can also connect; once connected, they can sniff traffic, view mission-critical application traffic and/or access data stored on the network.

Using Intel® AMT to Overcome Limitations

At every connection or on demand, a client system's profile is securely surveyed in a trusted manner. The "system posture" (including credentials, configuration, and system data), along with Intel® AMT configuration parameters (firmware version, TLS enabled, SOL enabled, etc.), is compared to current requirements. For systems not meeting the minimum standards, the Policy Decision Point (PDP) conveys a health assessment for the system and limits or denies network access. If network access is restricted, a user notification is displayed to tell the end user that normal network operation will be delayed until remediation is complete. The system is then redirected to a software configuration system or placed in a remediation network for upgrading to minimum standards. Rogue systems plugged into the network are now identified, and their access is controlled based on policy. Full authentication and posture checking before allowing network access greatly reduces the potential for malware to propagate onto the network, allows the IT admin to keep all systems in compliance with current policies, and limits rogue or visitor systems from gaining network access.

Key Functionality Enabled by Intel AMT that Underlies this Use Case

The following table summarizes the features and functionality utilized in this use case that are provided by Intel AMT or enabled by Intel AMT in third-party software:

Feature | Functionality
--- | ---
Posture information | The Intel® AMT firmware creates the posture by collecting data from the BIOS, the system and itself, and passes it to the Intel AMT posture plug-in in the host OS.
Posture verification | Server plug-in that reads the Intel® AMT posture information, verifies the AMT signature and returns a health statement.
Support for Intel® Out-of-Band (OOB) NAC (Network Admission Control) and NAP (Network Access Protection) | The Intel® AMT firmware supports the layer 2 NAC and NAP protocol stacks to exchange authentication and posture information and gain access to the network when the host OS is down.

In addition, the following functionality is performed by third-party management applications:

  • Verification of PDP results and actions based upon health assessment of the endpoint.

The Advantage of Intel AMT [4]

Intel AMT enables the acquisition of accurate endpoint state and attribute information for network admission control via "always-available" communication, regardless of the PC's power state, the state of the OS, or the absence of management agents. It achieves this by having the firmware exchange the authentication and posture information. Accurate identification of machines in a pre-boot environment results in improved automation and enforcement of secure network policies.

Business Value of the Intel AMT Solution

This use case enables IT organizations to enforce endpoint access control:

  • Non-compliant systems: By limiting the access of systems that do not conform to company policies for virus protection, OS patches, etc., the potential for introducing malware into the network is greatly reduced.
  • Unauthorized systems: By limiting the network access of rogue or visitor systems, the potential for snooping on or compromising the company's confidential data is greatly reduced.
  • Posture compliance: By automatically forcing a system onto a remediation network to update its posture when a policy is not met, IT can more closely monitor and ensure system compliance with corporate policies.

Endpoint Access Control Use Case Implementation

The components required to configure the Endpoint Access Control use case are as follows:

  • Management Console (MC) application. This is an application running on a system elsewhere on the network, acting as a PDP that assesses the health information of the endpoints and takes appropriate actions regarding network access.
  • Posture Validation Server. Server plug-in that verifies the posture information sent by the Intel® AMT system. This can also be part of the MC.
  • An Intel® AMT system.
  • A posture plug-in application running in the host OS of the Intel AMT platform.

The MC application configures the Intel AMT device and manages the events the device generates. The MC configures the Intel AMT device to enable EAC, allowing the firmware to send posture information at every connection or on demand.

In the following example, a central management console has identified a system as non-compliant with corporate minimum standards, and wants to restrict the system's access to the remediation network only, allowing it to be upgraded to minimum standards. The Endpoint Access Control flow is as follows:

  1. Management Console (MC) defines the minimum standards specifications for the endpoints in the network.  Systems meeting the standards are allowed full network access.
  2. MC defines the policy for the remediation network. Each endpoint not meeting the minimum standards has its network access restricted to the remediation network only.
  3. MC receives posture information from a non-compliant system.
  4. MC places this system in the remediation network.
  5. After the host is upgraded to meet the minimum standards, posture information is sent again to the MC.
  6. MC verifies the posture information and grants full access to the network.

The following table gives high-level instructions on how to enable, disable and gather EAC settings.

Action | System Defense API/Steps
--- | ---
Get the EAC status | Call GetEACStatus() to get the enabled/disabled state of EAC.
Enable EAC | Call EnableEAC() to enable or disable EAC.
Get Posture | Call GetPosture() to get the current posture. Note that posture is only available when EAC is enabled.
Get Posture Hash | Call GetPostureHash() to get the hash of the posture. Note that the posture hash is available only when EAC is enabled.
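The following is an added example, not code from the original article or from the Intel AMT SDK. It models the PDP side of steps 3 to 6 above together with the posture and posture-hash calls in the table: a posture record is verified, compared against minimum standards, and the endpoint is either granted full access or sent to remediation; a repeat submission with an unchanged posture hash reuses the earlier decision instead of re-evaluating. Everything here is constructed: the posture fields, the minimum standards, the endpoint ids, and the HMAC-SHA256 signature and SHA-256 hash that stand in for the firmware signature and for what GetPostureHash() returns (assumptions, since the real verification is done by the SDK's posture validation server plug-in).

```python
import hashlib
import hmac
import json

# Constructed key standing in for the Intel AMT posture signing credential (assumption).
SIGNING_KEY = b"constructed-demo-key-not-a-real-credential"

# Minimum standards defined by the Management Console (step 1); values are constructed.
MIN_STANDARDS = {
    "fw_version": (3, 2, 1),          # oldest acceptable firmware version
    "tls_enabled": True,              # TLS must be on
    "max_av_signature_age_days": 7,   # antivirus signatures no older than a week
    "min_os_patch_level": 12,         # OS patch level at least this value
}

FULL_ACCESS, REMEDIATION, DENIED = "full", "remediation", "denied"


def canonical(posture: dict) -> bytes:
    """Stable byte encoding so hashes and signatures do not depend on key order."""
    return json.dumps(posture, sort_keys=True, separators=(",", ":")).encode()


def sign_posture(posture: dict) -> bytes:
    """Stand-in for the firmware signature over the posture (HMAC-SHA256 here)."""
    return hmac.new(SIGNING_KEY, canonical(posture), hashlib.sha256).digest()


def posture_hash(posture: dict) -> str:
    """Stand-in for what GetPostureHash() returns: a digest of the posture blob."""
    return hashlib.sha256(canonical(posture)).hexdigest()


def verify_signature(posture: dict, signature: bytes) -> bool:
    # Constant-time comparison so the check leaks nothing about the expected value.
    return hmac.compare_digest(sign_posture(posture), signature)


def policy_failures(posture: dict) -> list:
    """Compare a verified posture against MIN_STANDARDS; an empty list means compliant."""
    failures = []
    if tuple(posture["fw_version"]) < MIN_STANDARDS["fw_version"]:
        failures.append("firmware version below minimum")
    if not posture["tls_enabled"]:
        failures.append("TLS not enabled")
    if posture["av_signature_age_days"] > MIN_STANDARDS["max_av_signature_age_days"]:
        failures.append("antivirus signatures out of date")
    if posture["os_patch_level"] < MIN_STANDARDS["min_os_patch_level"]:
        failures.append("OS patch level below minimum")
    return failures


class PolicyDecisionPoint:
    """The MC acting as PDP: verify, evaluate, and remember the last decision per endpoint."""

    def __init__(self):
        self.decisions = {}  # endpoint id -> (posture hash, access level, failures)

    def on_posture(self, endpoint_id: str, posture: dict, signature: bytes):
        # A posture whose signature does not verify is never trusted, whatever it claims.
        if not verify_signature(posture, signature):
            result = (None, DENIED, ["posture signature invalid"])
            self.decisions[endpoint_id] = result
            return result
        h = posture_hash(posture)
        cached = self.decisions.get(endpoint_id)
        # Same posture hash as last time: nothing changed, so reuse the prior decision.
        if cached and cached[0] == h:
            return cached
        failures = policy_failures(posture)
        level = FULL_ACCESS if not failures else REMEDIATION
        result = (h, level, failures)
        self.decisions[endpoint_id] = result
        return result

    def access_level(self, endpoint_id: str) -> str:
        return self.decisions.get(endpoint_id, (None, DENIED, []))[1]


def walk_through():
    """Steps 3 to 6: non-compliant posture, remediation, updated posture, full access."""
    pdp = PolicyDecisionPoint()
    stale = {"fw_version": [3, 2, 1], "tls_enabled": True,
             "av_signature_age_days": 30, "os_patch_level": 9}
    first = pdp.on_posture("pc-17", stale, sign_posture(stale))           # steps 3 and 4
    remediated = dict(stale, av_signature_age_days=0, os_patch_level=12)
    second = pdp.on_posture("pc-17", remediated, sign_posture(remediated))  # steps 5 and 6
    forged = pdp.on_posture("pc-99", remediated, b"\x00" * 32)            # bad signature
    return first[1], second[1], forged[1]


if __name__ == "__main__":
    print(walk_through())
```

The order of checks is the point: the signature is verified before any field is read, the hash short-circuit only applies to postures that already verified, and a compliant-looking posture with a bad signature still ends up denied rather than in remediation.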

Note:  See the "System Defense Feature and Agent Presence Overview" [PDF], "Intel AMT Posture Validation Server Sample" [PDF], and "Intel® AMT Network Interface Guide" [PDF] documents located in the Intel AMT SDK for further details.



[4] The following assumptions underlie the analysis in this use case:

  • An Intel® AMT system is installed in a Cisco NAC network with a NAC agent running on the PC

OR

  • An Intel® AMT system is installed in a Microsoft NAP network with a NAP agent running on the PC.


Note:  In the events described above, NAC agents communicate with NAC servers only and NAP agents communicate with NAP servers only.


Resources