CollapseAll image

System Defense Policies

A System Defense policy contains a set of filters that are applied to incoming and outgoing network packets. Once a System Defense policy is activated, the Intel AMT device inspects each incoming and outgoing packet and performs the necessary action.

 Note:

An Intel AMT device can contain a maximum of 8 policies with a combined total of 80 filters.

 

Policy Status

A System Defense policy is either disabled, enabled, or active. A disabled policy cannot become active. For each network interface that supports System Defense:

   Only one policy can be active per network interface.

   There are at most three enabled policies per interface:

   One enabled policy can be set per interface by the System Defense feature.

   One enabled policy can be set per interface by the Agent Presence feature. An Agent Presence policy becomes enabled if an agent goes through a transition that enables the policy.

   The Environment Detection feature can be used to define a System Defense policy to enable when Intel AMT detects that a platform connects to a network outside the enterprise. The Environment Detection System Defense policy can be applied to both interfaces (depends which interface is connected to a network outside the enterprise).

   When multiple policies have been enabled, the Active Policy per interface is the enabled policy with the highest precedence. For example, a policy was enabled with a precedence of 1. Later, Agent Presence enables a policy with a precedence of 3. Initially the original policy is the active policy, but when Agent Presence activates its policy, it becomes the active policy. When creating a user defined policy, the precedence value is defined in the Precedence property.

Policy Timeouts

From Intel AMT release 4.x, when a policy has a defined timeout, the policy remains active only for the period of time defined.

   If the policy times out, it is replaced by another enabled policy with a lower priority. If no other policies exist, no policy is activated.

   If another policy with a higher priority is activated and then either times out or is deactivated, then the previous policy is activated and the timeout countdown starts again.

When creating a user defined policy, the timeout value is defined in the Timeout property.

Default Policies

From Intel AMT release 4.x, each interface can have a policy defined to be a default policy. When an interface has a default policy, Intel AMT activates the policy when there are no other active policies for that interface. If a policy with a defined timeout was activated and eventually timed out, the default policy is activated in its place. Note that timeout or precedence parameters have no meaning for default policies: When a default policy is active, it will not time out; when another policy is active, the default policy will never supercede it due to its precedence.

After creating and applying the policy to the Intel AMT device, use the EnableDefaultPolicy method to make the policy a default policy.

 

See Also:

   Creating and Applying System Defense Policies

   Deleting System Defense Policies

Copyright © 2006-2022, Intel Corporation. All rights reserved.