
System Defense Filter Types

The following table describes the types of filters used in the System Defense feature.

Filter

Description

User Defined Filters

The behavior of user defined filters is defined using the following properties:

FilterDirection:

     Transmit Filter – Intel AMT applies transmit filters to packets transmitted from the host client PC to the network. Such filters can be used to block all traffic from a host suspected of being infected by malicious software, so that it does not affect other hosts or the network.

     Receive Filter – Receive filters are applied to packets received from the network by the host client PC. Such filters can be used to block all packets received by the host after boot until an antivirus agent starts.

FilterProfile:

     Drop – Drop and discard the packet.

     Pass – Allow the packet to continue.

     Statistics Filter – The management console application can use a statistics filter to collect statistical data. Intel AMT counts the number of packets that match the condition in the filter. The management console application can read these counters and reset them. Note that there may be a difference between the number of filtered packets and the actual statistics count values, due to the overhead involved in statistics management. This includes differences that may appear between similar filters.

     Rate Limit – The management console application can define rate limit filters that limit the number of specific types of packets received or transmitted per second. A Rate Limit filter behaves like a statistics filter with a threshold: it counts packets like a statistics filter, but it has the additional action of cutting off traffic if the threshold is reached. Each second, the Rate Limit filter allows matching packets to pass until the threshold number is reached and blocks all other matching packets for the remainder of the second. For example, the IT manager can specify a filter limiting the number of SYN packets per second sent from the host to the network.

Default Filter

A default “Else” filter, for both receive and transmit directions, is available to catch all packets not matched by any of the policy filters. The default filters are defined in AMT_SystemDefensePolicy in the following properties:

Transmit Filters:

TXDefaultDrop

TXDefaultCount

TXDefaultMatchEvent

Receive Filters:

RXDefaultDrop

RXDefaultCount

RXDefaultMatchEvent

AntiSpoofing Filter

Spoofing is a term used for a host trying to falsify its identity by sending IP packets with a source IP address different from its assigned IP address. Intel AMT implements anti-spoofing by checking all outgoing packets, and comparing the source IP to the network interface IP address. If the IP addresses do not match, the packets will be dropped. Anti-spoofing uses two transmit filters.

Anti-spoofing is an option defined in the AMT_SystemDefensePolicy.AntiSpoofingSupport property.
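The following is an added example, not Intel SDK code: a simplified Python model of the transmit-side behavior described above (anti-spoofing check, a SYN Rate Limit filter, and the default "Else" filter). The evaluation order, the alignment of rate limit windows to whole seconds, the verdict strings, and the sample addresses and timestamps are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class RateLimitFilter:
    """Counts every match like a statistics filter; passes at most
    `threshold` matches per one-second window (window alignment to whole
    seconds is an assumption of this model)."""
    threshold: int
    window: int = -1
    passed: int = 0      # passes in the current window
    matched: int = 0     # statistics-style counter
    dropped: int = 0

    def allow(self, t: float) -> bool:
        if int(t) != self.window:          # a new second starts: reset budget
            self.window, self.passed = int(t), 0
        self.matched += 1
        if self.passed < self.threshold:
            self.passed += 1
            return True
        self.dropped += 1                  # cut off for the rest of this second
        return False

def run_tx_policy(packets, iface_ip, syn_threshold, tx_default_drop=False):
    """Evaluate (time, src_ip, is_syn) transmit packets. Order assumed here:
    anti-spoofing, then the SYN rate limit filter, then the default filter."""
    syn = RateLimitFilter(syn_threshold)
    verdicts, default_count = [], 0
    for t, src_ip, is_syn in packets:
        if src_ip != iface_ip:             # source IP != interface IP
            verdicts.append("drop:spoofed")
        elif is_syn:
            verdicts.append("pass" if syn.allow(t) else "drop:rate")
        else:                              # matched no policy filter
            default_count += 1
            verdicts.append("drop:default" if tx_default_drop else "pass")
    return verdicts, syn, default_count

HOST = "192.0.2.10"                        # constructed sample data
PACKETS = [
    (0.10, HOST, True), (0.20, HOST, True), (0.30, HOST, True),
    (0.40, HOST, True),                    # 4th SYN in second 0
    (0.50, "198.51.100.7", True),          # source differs from interface IP
    (0.60, HOST, False),                   # non-SYN, falls to default filter
    (1.01, HOST, True),                    # second 1: budget is fresh again
]

if __name__ == "__main__":
    verdicts, syn, default_count = run_tx_policy(PACKETS, HOST, syn_threshold=3)
    for pkt, verdict in zip(PACKETS, verdicts):
        print(pkt, verdict)
    print("SYN matched:", syn.matched, "dropped:", syn.dropped)
```

In this model the per-second budget resets at each second boundary, so when sizing a threshold, note that matching packets sent just before and just after a boundary are counted against separate budgets.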

 

 Note:

   The maximum number of Tx and Rx Statistical Filters and Rate Limit Filters combined in a policy is 16 (IPv4) or 4 (IPv6). From Intel AMT Release 3.0, there can be 16 IPv6 filters (including Rx and Tx else filters if they are defined to be counted).

   The management console can define both IPv4 filters and IPv6 filters. Since an IPv6 address is 16 bytes long, four of the 31 filter entries in either direction are required for one IPv6 address. The maximum number of IPv6 filters in a policy is 7 transmit and 7 receive filters.

   As of Intel AMT Release 3.0, a single filter can support a full IPv6 address, so there can be 32 inbound and 28 outbound IPv6 filters.

 

See Also:

   Create an Ethernet Filter

   Create an IP Filter

   Delete a Specific Filter

   Get the Statistics of the Active Policy

   Get the Heuristic Statistics (Including Current State)

   Clear the Heuristic System Defense Statistics

Copyright © 2006-2022, Intel Corporation. All rights reserved.