These steps summarize how the System Defense feature works:
1. The management console connects to Intel AMT over the network through a secure Out-of-Band channel. The management console sets System Defense policies used by Intel AMT to control the configuration of Transmit (Tx) and Receive (Rx) Filters.
2. Intel AMT selects the Active Policy based on the policy precedence.
3. Intel AMT activates the filters associated with the Active Policy.
4. Each packet sent or received by client applications passes through the Tx/Rx Filters allowing the System Defense filters to isolate specific flows.
System Defense policies can only be set over the network interface by a remote application (a local agent cannot do this task).
Hardware and software components of System Defense
This diagram shows the hardware and software components used to implement System Defense.
The client PC contains the following components:
• LAN Interface – Provides access to the network.
• Tx/Rx Filters – Transmit and Receive filters.
• Intel AMT – The only component that is able to set/modify the configuration of the Tx/Rx Filters via requests from the management console.
• Wired Comms Driver – The network driver running in the context of the client OS. This driver is considered not trusted and has no access to the filter configuration.
• Application – An application or service running in the OS context, and using the network for communication.
How a packet is processed
This diagram shows the processing flow of a packet processed by System Defense filters.
For each received/transmitted packet:
1. Check with each filter in the active policy.
2. If any filter matched:
• If one of the matched filters is a drop filter or a rate limit filter that has reached its threshold, drop the packet.
• Else, pass the packet.
3. If the packet does not match any filter, check the default filter:
• If Drop: Drop the packet.
• Else: Allow the packet to pass to the OS driver or to the network.
When a packet matches the conditions in a filter the following actions can take place:
• If the filter is a drop filter, the packet is discarded. It is not sent to the host driver or to the network.
• If the filter is a rate limit filter and the number of packets exceeds the threshold, the packet is dropped.
• If an event is defined for this filter, an event is raised by the Intel AMT event manager. Management console applications can register with the Intel AMT device to receive PET alerts on these events and/or store the events in the Intel AMT event log. An event is raised only once per filter until the next call toread or reset statistics.
An example of a management console using System Defense
In this example the management console has identified a system as possibly infected with a worm and therefore restricts the system so that it can communicate with only one subnet.
1. The management console defines an INSPECTION AND REPAIR System Defense policy (priority 99). In this policy, network traffic is limited to the inspection and repair subnet (192.168.1.*).
2. The management console defines several Rate Limit filters. For each filter, a PET is defined that will be sent to management console if one of the following occurs:
• If the number of SYN packets sent from the host is greater than 1000 per second
• If the number of ICMP (ping) packets sent from the host is greater than 500 per second
3. The management console receives PET messages indicating SYN or ping attacks.
4. The management console places this host in the inspection and repair subnet by applying the INSPECTION AND REPAIR System Defense policy.
5. The management console opens a trouble ticket for an operator to inspect and repair this host.
6. A technician receives the trouble ticket, repairs the host, and marks the trouble ticket as completed.
7. The management console is notified that the trouble ticket is closed and deactivates and disables the INSPECTION AND REPAIR System Defense policy.
Copyright © 2018, Intel Corporation. All rights reserved.