The System Defense Network Isolation capabilities are based on a set of packet filters that are applied to both in-bound and out-bound packet streams. These filters allow the management console to pass or block specific IP-based network flows and to keep traffic counts or log the occurrence of these flows. Intel AMT supports 32 in-bound (Rx) and 28 out-bound (Tx) filters per policy. In each direction, one of these filters is reserved as the “else” (non-matching) filter, which handles every packet that no other filter in that direction matched. If anti-spoofing is enabled, it utilizes two Tx filters.
The filters support bit-level masking of IP Source and Destination Addresses and support ranges on Source and Destination Ports and TCP flags.
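The following is an added example, not code from the Intel AMT SDK, that models the filter semantics described above so the matching and accounting rules can be exercised offline. The 32 Rx / 28 Tx limits, the per-direction "else" filter, the two Tx filters consumed by anti-spoofing, bit-level address masking, port ranges, TCP-flag matching, and the pass/block/count/log actions come from the text; the `Packet`, `Filter` and `Policy` classes, the first-match-wins ordering, the default-pass when no else filter is configured, and the source-address check used to stand in for anti-spoofing are assumptions made here. The sample policy and packets are constructed.

```python
"""Model of System Defense filter semantics (added example, not Intel SDK code).
Facts from the text: 32 Rx / 28 Tx filters per policy, one 'else' filter per
direction, anti-spoofing uses two Tx filters, masks/ranges/flags, pass/block/
count/log.  Everything else below (class names, ordering, anti-spoof check) is
an assumption of this example."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_RX_FILTERS = 32          # per policy (from the text)
MAX_TX_FILTERS = 28          # per policy (from the text)
ANTI_SPOOF_TX_FILTERS = 2    # anti-spoofing consumes two Tx filters (from the text)

SYN, ACK = 0x02, 0x10        # TCP flag bits used by the sample filters


@dataclass
class Packet:
    src: str
    dst: str
    proto: str               # "tcp" or "udp"
    sport: int
    dport: int
    flags: int = 0           # TCP flag bits; 0 for non-TCP


@dataclass
class Filter:
    name: str
    action: str                                   # "pass" or "block"
    src: Optional[Tuple[str, str]] = None         # (address, bit mask)
    dst: Optional[Tuple[str, str]] = None
    proto: Optional[str] = None
    sport: Optional[Tuple[int, int]] = None       # inclusive port range
    dport: Optional[Tuple[int, int]] = None
    tcp_flags: Optional[Tuple[int, int]] = None   # (mask, required value)
    count: bool = False
    log: bool = False
    is_else: bool = False                         # catches anything not matched above

    @staticmethod
    def _addr_match(addr: str, rule: Tuple[str, str]) -> bool:
        # Bit-level masking: only the bits set in the mask are compared, so a
        # non-contiguous mask such as 255.0.255.0 works as well as a CIDR one.
        a = int(ipaddress.ip_address(addr))
        want, mask = (int(ipaddress.ip_address(x)) for x in rule)
        return (a & mask) == (want & mask)

    def matches(self, p: Packet) -> bool:
        if self.is_else:
            return True
        if self.src and not self._addr_match(p.src, self.src):
            return False
        if self.dst and not self._addr_match(p.dst, self.dst):
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.sport and not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if self.dport and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.tcp_flags:
            mask, value = self.tcp_flags
            if p.proto != "tcp" or (p.flags & mask) != value:
                return False
        return True


@dataclass
class Policy:
    host_ip: str
    anti_spoofing: bool = False
    rx: List[Filter] = field(default_factory=list)
    tx: List[Filter] = field(default_factory=list)
    counters: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    log_lines: List[str] = field(default_factory=list)

    def capacity(self, direction: str) -> int:
        if direction == "rx":
            return MAX_RX_FILTERS
        return MAX_TX_FILTERS - (ANTI_SPOOF_TX_FILTERS if self.anti_spoofing else 0)

    def add(self, direction: str, f: Filter) -> None:
        table = self.rx if direction == "rx" else self.tx
        if len(table) >= self.capacity(direction):
            raise ValueError(f"{direction} filter table full ({self.capacity(direction)})")
        if f.is_else and any(x.is_else for x in table):
            raise ValueError("only one else filter per direction")
        table.append(f)

    def evaluate(self, direction: str, p: Packet) -> str:
        # Assumption: anti-spoofing blocks outbound packets whose source address
        # is not the host's own (the text only states it uses two Tx filters).
        if direction == "tx" and self.anti_spoofing and p.src != self.host_ip:
            self.counters["anti-spoof"] += 1
            return "block"
        table = self.rx if direction == "rx" else self.tx
        # Assumption: specific filters are tried in insertion order, first match
        # wins, and the else filter is consulted last.
        ordered = [f for f in table if not f.is_else] + [f for f in table if f.is_else]
        for f in ordered:
            if f.matches(p):
                if f.count:
                    self.counters[f.name] += 1
                if f.log:
                    self.log_lines.append(
                        f"{direction} {f.name} {p.proto} {p.src}:{p.sport}->{p.dst}:{p.dport}")
                return f.action
        return "pass"   # assumption: no else filter configured means pass


def build_sample_policy() -> Policy:
    """Constructed policy: isolate the host except for management-subnet traffic."""
    pol = Policy(host_ip="192.0.2.10", anti_spoofing=True)
    # Allow inbound SSH only from the (constructed) management subnet 10.1.0.0/16.
    pol.add("rx", Filter("mgmt-ssh", "pass", src=("10.1.0.0", "255.255.0.0"),
                         proto="tcp", dport=(22, 22), count=True))
    # Log, count and block any other inbound connection attempt (SYN without ACK).
    pol.add("rx", Filter("inbound-syn", "block", proto="tcp",
                         tcp_flags=(SYN | ACK, SYN), log=True, count=True))
    pol.add("rx", Filter("rx-else", "pass", is_else=True))
    # Outbound: only the management subnet is reachable; count everything else.
    pol.add("tx", Filter("to-mgmt", "pass", dst=("10.1.0.0", "255.255.0.0")))
    pol.add("tx", Filter("tx-else", "block", is_else=True, count=True))
    return pol
```

With anti-spoofing enabled, `capacity("tx")` drops from 28 to 26, which is the practical consequence of the two reserved Tx filters when sizing a policy. The counters and log lines are the model's stand-in for the traffic-count and flow-logging actions the console can request.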
The following figure illustrates how Intel AMT with System Defense can block or isolate the client PC from specific TCP/IP flows.
The client PC contains the following components:
• LAN Interface – Provides access to the network. For Intel AMT it is a wired Ethernet connection to the network. Intel AMT Releases 2.5/2.6 and 4.0 also support a wireless LAN connection. Beginning with Release 9.5, some platforms have no wired interface. The trusted wireless LAN driver executing on the host performs System Defense packet filtering.
• Tx/Rx Filters – Transmit and Receive filters.
• Intel AMT – The only component that is able to set/modify the configuration of the Tx/Rx Filters via requests from the management console.
• Wired Comms Driver – The network driver running in the context of the client OS. This driver is considered untrusted and has no access to the filter configuration.
• Application – An application or service running in the OS context, and using the network for communication.
Copyright © 2006-2022, Intel Corporation. All rights reserved.