System Defense Policies

A System Defense policy contains a set of filters that are applied to incoming and outgoing network packets, combined with actions to take when a packet matches/does not match the conditions in the filter. System Defense policies are loaded onto a platform containing an Intel AMT device by a management console application. Once a System Defense policy is activated, the Intel AMT device inspects each incoming and outgoing packet and performs the necessary action specified in the policy.

System Defense policies can be set only over the network interface by remote management consoles; a local agent cannot set them.

Active Policy

A System Defense policy is either disabled, enabled, or active. A disabled policy cannot become active. For each network interface that supports System Defense:

   Only one policy can be active per network interface. Intel AMT Releases 2.5/2.6 and 4.x support both a wired and wireless interface.

   There are at most four enabled policies per interface:

   One enabled policy can be set per interface by the System Defense feature.

   One enabled policy can be set per interface by the Agent Presence feature. An Agent Presence policy becomes enabled if an agent goes through a transition that enables the policy.

   The Environment Detection feature can be used to define a System Defense policy to enable when Intel AMT detects that a platform connects to a network outside the enterprise (Intel AMT Release 2.5 and later). The Environment Detection System Defense policy can be applied to both interfaces, depending on which interface is connected to a network outside the enterprise.

   The “Heuristic Circuit Breaker” feature included from Intel AMT Releases 3.0 through 11.6 (not including 4.x) can specify a System Defense policy per interface to enable if the feature detects a defined event.

   When multiple policies have been enabled, the Active Policy per interface is the enabled policy with the highest precedence (determined by the AMT_SystemDefense.PolicyPrecedence property). For example, a policy was enabled with a precedence of 1. Later, Agent Presence enables a policy with a precedence of 3. Initially the original policy is the active policy, but when Agent Presence activates its policy, the Agent Presence policy becomes the active policy.

Policy Timeouts

When a policy has a defined timeout, the policy remains active only for the period of time defined.

   If the policy times out, it is replaced by another enabled policy with a lower priority. If no other policies exist, no policy is activated.

   If another policy with a higher priority is activated and then either times out or is deactivated, then the previous policy is activated and the timeout countdown starts again.

Default Policies

From release 4.x, each interface can have a policy defined to be a default policy. When an interface has a default policy, Intel AMT activates the policy when there are no other active policies for that interface. If a policy with a defined timeout was activated and eventually timed out, the default policy is activated in its place. Note that timeout or precedence parameters have no meaning for default policies: when a default policy is active, it will not time out; when another policy is active, the default policy will never supersede it due to its precedence.

Consider the following example: A management console creates several new System Defense policies. Some of the policies have a defined timeout and some of them have no defined timeout. After creating the policies, one is set to be the default by associating the policy to AMT_NetworkPortDefaultSystemDefensePolicy. Say policy M is the default policy. It will be active as long as there are no other enabled policies.

Suppose that now the console enables policy N, which has a timeout of 10 minutes. Policy N becomes active, and the timer starts counting. After 10 minutes, policy N will be disabled and policy M – the default – will be enabled. Note that if there is an enabled policy due to another application, it will be enabled when policy N times out. The default policy M will be activated only when there are no other active policies on the specified hardware interface.

After some time, the console re-enables policy N. The timer starts counting again, but after 5 minutes, an agent presence application enables a different policy with a higher precedence. That policy becomes active, and the countdown for policy N is stopped. After the agent presence policy expires or is removed, policy N (which is still enabled) can become active again, and the countdown will be restarted at 10 minutes.

After an ME reset, the timeout countdown is restarted.
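
The selection rules described above (highest precedence wins, the countdown restarts on every activation, the default policy is the fallback), modelled as a small simulation of one interface. This is an added example, not Intel AMT SDK code; the class and method names, the policy name "AP", the precedence values given to N and AP, and the tie-breaking rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
@dataclass
class Policy:
    name: str
    precedence: int = 0             # higher wins; ties go to first enabled (assumption)
    timeout: Optional[int] = None   # minutes; None means no timeout

@dataclass
class Interface:
    default: Optional[str] = None   # default policy name (release 4.x and later)
    enabled: Dict[str, Policy] = field(default_factory=dict)
    active: Optional[str] = None
    remaining: Optional[int] = None  # minutes left for the active policy

    def __post_init__(self) -> None:
        self._reselect()

    def _reselect(self) -> None:
        best = max(self.enabled.values(), key=lambda p: p.precedence, default=None)
        chosen = best.name if best else self.default
        if chosen != self.active:    # each (re)activation restarts the countdown
            self.active, self.remaining = chosen, (best.timeout if best else None)

    def enable(self, policy: Policy) -> None:
        self.enabled[policy.name] = policy
        self._reselect()

    def disable(self, name: str) -> None:
        self.enabled.pop(name, None)
        self._reselect()

    def advance(self, minutes: int) -> None:
        while minutes > 0 and self.remaining is not None:  # only the active timer runs
            step = min(minutes, self.remaining)
            self.remaining, minutes = self.remaining - step, minutes - step
            if self.remaining == 0:  # timed out: next enabled policy or the default
                self.disable(self.active)

def page_scenario() -> list:
    nic, n = Interface(default="M"), Policy("N", precedence=1, timeout=10)
    seen = [nic.active]                          # default M is active
    nic.enable(n); seen.append(nic.active)       # N replaces the default
    nic.advance(10); seen.append(nic.active)     # N timed out, back to M
    nic.enable(n); nic.advance(5)                # N re-enabled, 5 minutes pass
    nic.enable(Policy("AP", precedence=3)); seen.append(nic.active)  # AP wins
    nic.advance(60); nic.disable("AP")           # N's timer stood still meanwhile
    seen.append((nic.active, nic.remaining))     # N again, with the full 10 minutes
    nic.advance(10); seen.append(nic.active)     # N timed out, back to M
    return seen
```

`page_scenario()` replays the policy M / policy N walkthrough and returns the active policy after each step, which makes it easy to check what filter set an interface ends up with once a temporary policy lapses.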

See Also:

   Create a System Defense Policy

   Enable a System Defense Policy

   Disable a System Defense Policy

   Delete a System Defense Policy

   Get Active and Enabled Policies

   Get and Set the Policy Timeout

   Enable/Disable a Default System Defense Policy

   Set a Heuristics System Defense Policy

   Delete a Heuristics System Defense Policy

Copyright © 2006-2022, Intel Corporation. All rights reserved.