
The Server Room Blog

10 posts tagged with the security tag

Do you ever wonder where spam comes from? I have no idea where the meat-like version of Spam comes from (nor do I wish to ponder that mystery). But it is well established that a huge share of the e-mail and IM spam we all know and hate is generated by automated programs (bots) installed on thousands or even millions of unsuspecting systems. These bots are remotely controlled through command-and-control or peer-to-peer networks (botnets) to do the bidding of the bot developer: propagate spam or other malicious software, or generate denial-of-service attacks against designated targets. And all of this can happen without most people even knowing their system is doing anything.

Botnets are the end result of many malware exploits, since viruses, worms, Trojans, drive-by or click-through attacks may all deliver and propagate the bot payload. They are also a crystal-clear example of how the objective of attacks has changed: from hit-and-run, high-profile grabs for fame to stealth and to establishing and retaining control of assets. Botnets are an ideal tool for the nefarious, since they can command huge numbers of widely distributed systems at trivial cost. While it is hard to estimate how many systems are part of a botnet, the potential is staggering. For example, the much-publicized Conficker worm is estimated* to have placed more than 4 million unique IP addresses under the control of "bot-masters". This huge resource base allows the bot-masters to rent control of these resources to spammers or other agents looking for ways to generate attacks or other nuisances with low risk of being detected. In essence, they allow criminals and spammers to outsource the generation of their malicious activities. It is a frightening business model indeed.

It is also a difficult challenge for IT. Thanks to botnets, an IT manager or CIO can get a call out of the blue asking why their systems are attacking some other company's or government entity's systems, or discover a botnet of hundreds of computers within their own company. These types of events can happen to the best IT departments (even Intel or the US Government). Clearly, IT needs tools to help prevent such scenarios, and the antivirus and intrusion detection/prevention industry is working hard to keep up with the rapid growth in delivery vehicles for bot code. The other weapon for IT managers is traffic analysis: looking for patterns of activity that fall outside business norms (such as bursts of e-mail traffic from selected systems, or floods of network traffic directed at specific targets) to determine whether another business is being conducted with their assets. While being part of a networked world has wonderful, powerful benefits, it is not without enhanced risk. A botnet is not a network you ever want to be a member of.
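One way to do the traffic analysis described above, as an added example that is not part of the original post: the script below scans constructed flow records (timestamp, source, destination, destination port; every address and volume is made up) for sources that open SMTP connections in a burst, or to many distinct destinations, inside a short window, and for workstations that bypass the corporate mail relay. The relay address, the window length and the thresholds are assumptions that a site would tune to its own baseline.

```python
"""Flag hosts whose outbound SMTP activity looks like a spam bot."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records ("timestamp src dst dport"); addresses and
# volumes are made up for this example, not taken from any real network.
BENIGN_FLOWS = [
    "2009-09-20T09:00:01 10.1.1.5 10.1.1.25 25",     # normal user mail via the relay
    "2009-09-20T09:20:14 10.1.1.5 10.1.1.25 25",
    "2009-09-20T09:41:37 10.1.1.5 10.1.1.25 25",
    "2009-09-20T09:05:00 10.1.1.9 203.0.113.10 443",  # HTTPS, ignored by the SMTP rule
    "2009-09-20T09:05:02 10.1.1.9 203.0.113.10 443",
]
# A spam bot: 40 direct-to-MX connections to 40 different hosts within 40 seconds.
BOT_FLOWS = [f"2009-09-20T09:10:{i:02d} 10.1.1.77 198.51.100.{i + 1} 25"
             for i in range(40)]

MAIL_RELAY = "10.1.1.25"   # assumed policy: workstations send mail only through this relay
SMTP_PORT = 25


def parse_flows(lines):
    """Turn 'timestamp src dst dport' lines into (datetime, src, dst, port) tuples."""
    flows = []
    for line in lines:
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def smtp_bursts(flows, window=timedelta(minutes=5), max_conns=10, max_dsts=5):
    """Return one alert per source whose SMTP traffic breaks a threshold.

    A source is flagged if, in any window starting at one of its own SMTP
    connections, it makes more than max_conns connections, talks to more
    than max_dsts distinct destinations, or bypasses MAIL_RELAY at all.
    The first offending window per source is reported.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == SMTP_PORT:
            by_src[src].append((ts, dst))

    alerts = []
    for src, conns in sorted(by_src.items()):
        conns.sort()
        for i, (start, _) in enumerate(conns):
            dsts = [d for t, d in conns[i:] if t - start <= window]
            reasons = []
            if len(dsts) > max_conns:
                reasons.append(f"{len(dsts)} SMTP connections in {window}")
            if len(set(dsts)) > max_dsts:
                reasons.append(f"{len(set(dsts))} distinct SMTP destinations")
            direct = [d for d in dsts if d != MAIL_RELAY]
            if direct:
                reasons.append(f"{len(direct)} connections bypassing relay {MAIL_RELAY}")
            if reasons:
                alerts.append({
                    "src": src,
                    "window_start": start.isoformat(),
                    "connections": len(dsts),
                    "distinct_destinations": len(set(dsts)),
                    "reasons": reasons,
                })
                break   # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in smtp_bursts(parse_flows(BENIGN_FLOWS + BOT_FLOWS)):
        print(alert["src"], alert["window_start"], "; ".join(alert["reasons"]))
```

The relay check is the cheapest of the three rules and catches low-and-slow bots that never trip a volume threshold; the volume rules catch a compromised relay or a bot that has been told to use it. In production the records would come from NetFlow/sFlow export or firewall logs rather than an inline list, and the thresholds would be set from a few weeks of observed per-host baselines.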

Intel technologies like Intel® Trusted Execution Technology (Intel® TXT) and instruction set additions such as STTNI (the string and text instructions) can be part of these solutions. Intel TXT can be used in solutions that help protect systems from the software attacks that deliver malware payloads to compromise systems. Intel TXT (to be available with Westmere server systems) provides an entirely new protection capability for most systems: it measures the launch environment and enforces "known good" code execution at launch. This matters because most malware executes only once the system is booted, so a verified launch is a valuable complement to the run-time protections that operate after boot. And to help with the growing burden of run-time malware and attack analysis, new (with Nehalem) instructions that accelerate string manipulation can boost the ability of content inspection software to detect anomalies. Continued research and development will ensure Intel keeps developing and deploying building blocks to help IT address today's challenges and tomorrow's.

We can do that most effectively only if we are trying to solve the right problems. Are your systems under attack? (Yes, they are.) What types of solutions are most effective for you? Where is the greatest exposure? Is the pain in stopping attacks or in cleaning up after them? This is certainly worth thinking about, before some government agency comes calling to ask why your systems are sending them so much spam!

*http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking

-----

Data Center Security

Posted by Ken Lloyd Sep 19, 2009

Even the name is something of a misnomer. Not that there isn't a lot of physical security around most data centers: the doors are locked and not even regular employees have access. This is necessary, and if someone gained physical access they could really mess things up. But this is not where the big risk typically occurs.

The growing challenge is data security, i.e. protection from threats that come across the wire. With ubiquitous networks, and data moving everywhere, protecting the crown jewels is a full-time job. Hackers, malware, employee abuse, and other threats can lead to data exposure that is potentially devastating, and almost undoubtedly embarrassing for the IT manager.

Gartner recently declared IT security the number one worry of Fortune 1000 companies. This is not surprising when a report from Symantec showed exponential growth in Internet security threats.

There is no silver bullet, and there is no system that can never be defeated. We need to do the best we can with the tools we have. Doing anything less could be seen as negligent.

Like security in the physical world, data security is a combination of business process and technology. Neither can be effective alone. Business processes must make clear which roles are responsible for data access, data stewardship, data ownership, and data disposal.

<sidebar>Data disposal is going to be one of the biggest challenges to the promises of cloud computing. If we consider a hosted app like Gmail to be part of the cloud, then we must either accept privacy policies like "all data belongs to the host" or try to stick to using internal systems.</sidebar>

The other half of the security solution is technology. Intel, and others, are delivering new technologies to the server to assist with security enforcement. New string accelerator instructions dramatically speed content scans for malicious data. Technologies like the Execute Disable bit and System Management Range Registers (SMRR) provide improved protection against buffer-overflow attacks and against cache-based attacks on System Management Mode memory. The next generation of Intel server processors will introduce new features that can validate that code is unaltered and remove much of the overhead from encryption.

Security cannot be an occasional focus any longer. Every security manager will need to be up to date on the state of technology and tools, and have the social skills to drive good data practices into the work environment.

-----

IDF: Something for Everyone

Posted by JGreene Sep 16, 2009

It has been a couple of years since I’ve had the opportunity and pleasure of attending an IDF, but I remember the experience well.  While I had been in the technology industry for many years and was familiar with major trade shows like Comdex, Interop, CeBIT, etc., I recall being amazed that a single company could be the catalyst for such a huge event.  But as I experienced it, it made more sense: after all, Intel sells a very broad line of products to a huge array of customers.  And our products are among the most technologically advanced and complex in the world—yet they are only critical components to solutions that require a wide range of complementary parts—system boards, test tools, compilers, software, BIOS and integrators—to name just a few.  And IDF is the critical venue to galvanize this huge and surprisingly efficient cadre of fellow travelers that will help build upon and deliver our technologies to the world.  It is where we educate, communicate and differentiate, and it is a great showcase for Intel.

This year, I’m excited to be able to participate.  As I wrote a few weeks ago, I’m looking forward to being able to use this showcase to help establish Intel’s focus on server security. We’ve got a couple of key new features—Intel® Trusted Execution Technology (TXT) and Advanced Encryption Standard New Instructions (AES-NI) for encryption processing—that promise to make secure processing for servers more complete and efficient.  You can get a glimpse of what Leslie Xu and Michael Kounavis will cover for AES-NI. I’ll be working with Mahesh Natu and some friends in the fellow traveler community to help introduce TXT for servers. Like many others, we’ll be using this opportunity to: conduct training for developers (session ECTS002); show the technology in action in a really cool Server Zone demo (Booth #517); and generally help build awareness for TXT and security in general.  I’m really looking forward to the demo.  It is one thing to offer a cool feature, but it is a whole new level of anticipation when one can so clearly visualize how this technology can be deployed to make users’ environments better.

I know that we’re eager to share our enthusiasm and engage the developers and customers that will make our technologies a success.  I’m also keen to get to see other great things coming out of Intel and our fellow travelers. What are you eager to see and hear about at IDF?

-----

New Server Security Technologies Are Coming & Why We Need Them

The other day I had the opportunity to talk with Jeff Casazza and James Green from Intel’s Server Platform Group.  The topic? Server security.  Our conversation focused on the introduction of some new security technologies that are on their way and why we need them.  During our discussion, I found myself thinking back to my days in the US Navy, where security was a core topic of everything we did.  The introduction of submarines transformed naval tactics and the stealth fighter changed aviation tactics.

So, why does IT put so much emphasis on information security?  Because the cost of a data breach is extremely high.  Imagine if a data breach of your IT systems resulted in losing employee social security numbers or customer information: the cost to recover that data (if possible) and the legal costs (penalties from regulatory agencies) are very, very high.   Jeff and James mentioned that business models are also exposed if these types of information escapes happen; a company’s brand, business and employee relationships could be at risk given the nature of trust and integrity that circulates throughout our business.

Security always ranks high in importance, especially when we feel at risk.  As I have transitioned into my new role inside Intel IT, I have found a significant focus on security solutions especially as new threats (for profit attacks), new usages (client / server virtualization, cloud computing) and new collaboration tools (social media) challenge our existing paradigms of information security. 

During my discussion, I learned about two technologies that Intel is implementing for servers that reduce security risks and address the changing nature of the information security attacks happening today and expected tomorrow.

Stealth Fighters Attacking Your Data: The nature of security attacks has changed.  Previous-generation hackers used to mount broad, widespread attacks on corporations or the worldwide web, trying to disrupt business and gain notoriety through the ability to affect tens of thousands of people.  The newer generation of attackers seeks a smaller target: a single laptop or a single server.  These new for-profit attacks are aimed at both industrial (business) and government entities and need only a single penetration into your infrastructure to get enough information to create a serious issue for your business.

Encryption: One defense against the stealth-fighter point attack on your data is increased encryption of data.  Data encryption is not new.  Secure Sockets Layer (SSL) encryption for communication over the Internet, hard-disk encryption and enterprise application encryption are all standard methods IT shops use to protect information.  Unfortunately, encryption is not free, and I’m not talking about purchase cost but rather compute cost.  Encryption is a compute-intensive process that consumes processing cycles. Intel is planning to introduce new instructions for the Advanced Encryption Standard (AES-NI) that are intended to dramatically improve the efficiency of encryption in a future version of its processor microarchitectures.

Submarines Seeking Your Data From Under Your Hypervisor: Much of the anti-virus and security protection on servers and client machines resides in, and runs through, the operating system, hypervisor or application layer.   New malware and rootkits target systems at startup, before the hypervisor and/or OS boot up, undermining the protection you have at the higher levels of the application stack.

A new server technology from Intel, called Intel® Trusted Execution Technology (Intel TXT), works to ensure your system boots into the secure, protected environment you have deployed through your software stack.  In doing this, TXT helps ensure that your anti-virus software “perimeter” is intact and has not been undermined by a rootkit “submarine” launched before it.  TXT has been available in client Intel® vPro™ processor technology-based platforms since 2007.

Tune in to the upcoming Intel Developer Forum (www.intel.com/idf) to learn more about plans for securing your server’s data and many other technology innovations from Intel.

Chris

-----

I have written in the past about key IT considerations while implementing virtualization.

One of the key elements that changes going from a non-virtualized environment to a virtual environment is the security model. The security model needs some additional considerations in a virtual environment.

A few of my colleagues and I, who meet regularly with IT end customers deploying virtualization, have realized that there are some frequently asked questions and concerns, and also misconceptions, about protection in a virtualized environment.

We also did a bit of research on the types of documents available to help IT understand the security model in a virtualized environment, but found most articles to be either outright dismissive of security concerns or taking the very opposite, theoretical and conservative view about the lack of security.

So with the help of our architects we developed the white paper below, with the intent of helping IT managers, strategists and implementers understand resource protection in a virtualized environment. We also address some of the frequently asked questions and typical misconceptions about security in the virtual data center.

The white paper takes a balanced view and provides an overview of the security model changes, challenges and considerations that organizations must address when implementing virtualization. It introduces hardware, software, and policy measures available to help address those challenges, including their strengths and limitations, and then closes with a brief discussion of some key issues associated with security in emerging cloud computing usage models.

Let us know what you think.

-----

54 days to Fall IDF in SFO!  Perhaps I should be a bit less enthusiastic, as during the course of the next two months, I will be extremely busy working on courses, presentation, demos, web updates and new collateral pieces highlighting Intel’s contributions to server and data center instrumentation, data center efficiency and eco-technology.  In addition to those responsibilities, I have taken on ownership of driving a technology blogging program at IDF, with server technology experts sharing their insights here on Server Room – an opportunity that I am very excited about, but I need your help.

My question to you today is: what would you like to see covered in the technology blogs from IDF?  I am starting the process of recruiting “volunteers” to participate, and understanding what you want to see discussed will help me to get the right people to cover the topics that are compelling to you and hopefully facilitate an interesting dialog that will help you to better understand server technologies.  Since it’s easy to self-recruit, you will definitely see a blog from me covering instrumentation, Intel Intelligent Power Node Manager and other related technology news @ IDF.

So what do you specifically want to see covered in the IDF blogs?  I look forward to your inputs and hope to see you at IDF!


Dave

-----

Manageability, security, and performance are always hot topics in the computing world. At times the focus shifts between them as needs and technologies change, but these areas have remained key vectors of enterprise computing for a long time. However, in many cases these vectors conflict with each other. IT managers’ desire for security and manageability may lead to extra applications and process hoops for end users, which can decrease performance. Increasing the ability to remotely and seamlessly manage a PC almost always adds security headaches that must be dealt with. Enterprise IT design is always about finding the right tradeoffs and improving the process over time.

One technology that has been around for quite a while to help improve security is IPsec (IP Security). IPsec is a suite of protocols for authenticating, and optionally encrypting, IP packets end to end at the network layer, so the applications above it need no changes to benefit. Most people are familiar with IPsec as the underlying technology for Virtual Private Network (VPN) connections from outside an organization’s LAN to the inside of the network. IPsec secures the Internet-to-intranet tunnel in this case.


Using IPsec to set up a VPN can be a bit of a pain because you have to key in an access code or password and it’s far from seamless. On the IT manager’s side, this setup does not eliminate security problems because the VPN tunnel only secures the network pipe once it is established. There is nothing stopping the end user from browsing the web on their work computer or somehow exposing it to a virus before connecting to the corporate network in a secured way. This has a few downsides from a manageability perspective. First, the security is compromised because of potential infections transferred from an insecure network to the corporate network due to lack of continuously active protection. Second, the manageability of this solution is lacking because enterprise systems outside of the corporate network are not manageable until the user manually connects to the VPN gateway.


So while using IPsec to help create a VPN connection provides functionality that is secure and provides outside-in access to the corporate network, it requires additional configuration by the end user, is not seamless for either user or administrator, and is generally provided by an additional application running on the system. This is all non-optimal.


Enter Microsoft* DirectAccess*. In Windows* Server 2008 R2 for servers and Windows* 7 for clients, Microsoft* will be supporting a seamless IPsec support layer called DirectAccess*. This integrates the encryption/authentication of IPsec directly into the operating system, so the end user connects securely, outside and inside the corporate network, to the systems and applications they need via IPsec. Because this is integrated into the OS, setting up the security and connection details is more seamless from both the IT and end-user perspectives. Initial configuration is obviously required, and each IT organization must set up the security policies to its own specifications, but once that is done the system is up and running.

Microsoft* implements this functionality at the OS level, so each application can have its own secure IPsec tunnel. This can provide secure access both outside and inside the corporate network. Until recently, using IPsec internally has not received much focus, but recent estimates suggest 80% of successful attacks come from internal threats, so encrypting and authenticating internal data is now in focus for IT administrators. Microsoft* DirectAccess* allows for this new seamless security model.


Now this all sounds well and good… but what’s the catch? Well, a key angle here to note is that IPsec is a highly CPU intensive technology. Encryption and decryption of IP packets in real time can easily swamp a CPU core when attempting to push much more than a few hundred megabits of network data. For a typical end user system, a few megabits of data across a few IPsec connection applications will likely not cause much heartache, but for network servers that are hosting potentially thousands of simultaneous IPsec connections while trying to drive multiple Gigabits of I/O the performance results will be much more… uhh, what’s a nice way to say ‘unimpressive’?


In order to solve this issue, Intel networking products offload the computationally expensive encryption engine (AES-128) onto the LAN Controller while the IPsec configuration, management, policy creations etc all remain in the OS to keep usability simple. Intel offers both dual port 1 and 10 Gigabit networking solutions that support not only solid performance on standard networking workloads and advanced virtualization features, but also the ability to offload IPsec in hardware to improve system performance under large IPsec I/O workloads.


For companies looking to enable IPsec into their network environment using DirectAccess*, they have the potential to improve security, reduce complexity, and enhance manageability of their end clients. They just need to remember that in order to make this all work seamlessly on the server side without choking off processing performance, offloading the IPsec workloads to I/O hardware will be a requirement.


Intel® Ethernet® can deliver this support in adapter or down on motherboard form factors while supporting a wide range of Enterprise class performance and virtualization features. So is this a way to improve security and manageability without impacting performance? It seems that way to me.

-----

Ben Hacker

For more information on DirectAccess*: http://www.microsoft.com/servers/directaccess.mspx

-----

As usual, after swimming in the morning, I thumbed through my Blackberry.  On the small glass screen, I saw the email from a friend: “Hi, For: Did you send this email to me?”  I was so puzzled by what she meant that I quickly scrolled down to see the full text below her message: “Dear friend, I would like to introduce a good company who trades mainly in electronic products…”  I looked at the “From” line.  It was from my personal email account!  I knew immediately that some hacker had hijacked my address book and used my email name to send out spam email.  But how did that happen?  How could I clean up this mess? I suspected that my not-so-strong password had been hacked, and I changed it right away.  Since the sent box identified who the recipients were, I then sent them an email to explain the situation.  My sister-in-law shot me an email afterward: “I thought it was a little strange.”

This cyber identity theft really makes me mad at the intruder, and at myself for not taking more precautionary measures.  I use my web email account every day, save my personal data in the “cloud”, and provide my VISA card number to purchase online.  With social media networks, I may disclose even more personal information on the web.  This incident woke me up to the fact that I need to protect myself diligently by adopting cautious behaviors such as using strong passwords or making sure confidential data are encrypted.  I also realize how much trust I have put in the datacenter and service provider, trust that I may not even be aware of until I am personally affected.  Do the servers enforce the use of only strong passwords?  How do I know the communication between my personal computers and the servers is secured?  Can the service provider be trusted?  It takes both the consumer end and the service providers together to create a secured environment.  Service providers have the fiduciary duty to protect their customers and their investors by focusing on datacenter security issues.  It may take only one security compromise to shake up the trust of the customers.

I have been with Intel’s server group for the last 13 years and experienced many server technologies from form factor to power saving that have transformed the datacenters.  With our upcoming server platforms, we will be placing more focus on helping datacenters to secure their infrastructure.  We would like to see a day that no one will need to send an email to their friends to say: “I didn’t send that spam!”  

What is your story and resolution regarding security issues in cyber space and datacenters? 

-----

I'm blogging here today from the Intel Premier IT Professional (IPIP) event in Denver, Colorado. This is a really amazing setting at the Center for the Performing Arts in downtown Denver. There are some 200 industry professionals here networking and sharing best practices around client and server technologies, with some of the main topics including Intel's technology roadmap, security, and client and server virtualization. For those who couldn't be here, check the IPIP Website for event details and to download the presentations. In addition to updates on this blog, Josh Hilliker and I will have an event wrap-up on Blog Talk Radio; stay tuned for the details. Check back to this blog for event updates as they occur.

Wm. Hank Lea

Community Manager

Open Port-The Server Room

2pm - Event Update

Here's some cool video of the Xeon 7300-series (4P) running a database transaction application:

And another video showing the Xeon 5400-series (2P) running the Black-Scholes option pricing benchmark:

And a third demo showing the Xeon 5400-series in a workstation configuration running a 3D rendering application:

-----

Server virtualization is becoming widely accepted, and vendors and customers are beginning to explore usage models beyond support for legacy applications and server consolidation. Virtual server load-balancing, disaster recovery (server and data center), and dynamic creation and migration of virtual machines, to name a few, are fast becoming widely prevalent.

One of the newest uses for server virtualization that is beginning to garner attention is application portability, packaging and distribution, a concept that is becoming more concrete with the advent of virtual appliances. Like hardware appliances such as TiVos, firewalls, IPS/IDS devices and NetApp filers, virtual appliances come pre-configured with the applications and just enough operating software needed to perform their tasks, and are delivered to the customer as virtual machine file(s) ready to run atop a hypervisor. Every component of the virtual appliance is pre-configured, optimized and tested by the ISV, which has the deepest understanding of the application, thereby eliminating interoperability issues and resulting in a better end-user experience. Unlike hardware appliances, which typically need specific hardware, virtual appliances run on top of any x86 hardware that runs a hypervisor the appliance is packaged for.

Could this be the beginning of ‘Virtual-Appliance oriented architectures'? Too early to call, but in a virtualization-enabled world, the promise of easy application deployment, distribution and maintenance/support is surely enticing. Just like any new technology or application model, there are a lot of challenges that ISVs and customers have to overcome with virtual appliances. We will get into the details of these in the next set of blogs, but here is a quick summary of some questions customers and ISVs have to comprehend as they innovate in this space. We will also look at what Intel's doing here with its broad Virtualization Technology (VT) initiative.

  • Security - Do you consider virtual appliances as black boxes from a security perspective? Would you trust the ISV with both the application and the OS testing? Would there be any back doors? Will ISVs offload testing to third parties?

  • Heterogeneous hypervisor environments - How do you package virtual appliances for deployment and distribution on multiple hypervisor environments? OVF is a clear direction here.

  • Performance of virtual appliances - Are there issues with virtual appliance sizes as we deploy and distribute business applications in virtual appliances? How do you deal with dependent appliances? Would there be versioning issues with virtual appliances? Will there be a need for multiple versions of virtual appliances executing side-by-side?

  • Software licensing - How does software licensing work in a virtual appliance model? How do you buy Microsoft OS licenses? Ubuntu, Red Hat, etc. are releasing stripped-down versions of Linux for virtual appliance usage. How would the open source model evolve?

What do you think? Do you buy into the virtual appliance model? Will it work for you? Have you done anything with it yet? Let us know.
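A concrete check behind the security and OVF questions above, as an added example that is not part of the original post: an OVF package carries a manifest (the .mf file) with one digest line per packaged file, in the form `SHA256(disk1.vmdk)= <hex>`. The script below builds such a manifest for a set of constructed package files (the names and contents are made up) and then verifies a package against it, reporting tampered files, files the manifest does not cover at all, and digests made with an algorithm the site does not accept. The manifest alone proves integrity, not who built the appliance, so this complements rather than replaces checking the ISV's signature over the manifest.

```python
"""Generate and verify an OVF-style manifest (.mf) for a virtual appliance package."""
import hashlib
import re

# Constructed package contents; real descriptors and disks are far larger.
SAMPLE_FILES = {
    "appliance.ovf": b'<?xml version="1.0"?><Envelope/>',
    "disk1.vmdk": b"KDMV" + bytes(60),
}

# One manifest line: ALGO(filename)= hexdigest
MANIFEST_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\((.+?)\)\s*=\s*([0-9a-fA-F]+)\s*$")
# The manifest itself and an optional certificate/signature file are never listed in it.
NOT_LISTED = (".mf", ".cert")


def make_manifest(files, algo="sha256"):
    """Build manifest text covering every listable file (the ISV's side of the process)."""
    lines = []
    for name in sorted(files):
        if name.endswith(NOT_LISTED):
            continue
        digest = hashlib.new(algo, files[name]).hexdigest()
        lines.append(f"{algo.upper()}({name})= {digest}")
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Map filename -> (algorithm, expected hex digest); reject malformed or duplicate lines."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        algo, name, digest = m.groups()
        if name in entries:
            raise ValueError(f"manifest lists {name!r} twice")
        entries[name] = (algo.lower(), digest.lower())
    return entries


def verify_package(files, manifest_text, allowed=("sha256", "sha512")):
    """Return filename -> 'ok' | 'mismatch' | 'weak-digest' | 'missing' | 'unlisted'.

    'unlisted' matters as much as 'mismatch': a file the manifest does not
    cover (an extra ISO, a second disk) is not protected by it at all.
    """
    entries = parse_manifest(manifest_text)
    report = {}
    for name, (algo, expected) in entries.items():
        if name not in files:
            report[name] = "missing"
        elif algo not in allowed:
            report[name] = "weak-digest"
        elif hashlib.new(algo, files[name]).hexdigest() != expected:
            report[name] = "mismatch"
        else:
            report[name] = "ok"
    for name in files:
        if name not in entries and not name.endswith(NOT_LISTED):
            report[name] = "unlisted"
    return report


def package_is_trustworthy(report):
    """True only if every file is covered and every covered file checks out."""
    return bool(report) and all(status == "ok" for status in report.values())


if __name__ == "__main__":
    manifest = make_manifest(SAMPLE_FILES)
    print(manifest)
    # Simulate a tampered disk image plus a file slipped in beside the package.
    tampered = dict(SAMPLE_FILES, **{"disk1.vmdk": b"KDMV" + bytes(59) + b"\x01",
                                     "extra.iso": b"not in the manifest"})
    for name, status in verify_package(tampered, manifest).items():
        print(f"{status:12s} {name}")
```

Treat a package as deployable only when `package_is_trustworthy` is true; a report with a single `unlisted` or `weak-digest` entry should stop an automated import just as a `mismatch` does, because each of them means part of the appliance was never really checked.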

-----
