Traditionally speaking - if security is improved, manageability suffers.  The reverse of this is true also - traditionally.

 

 

Intel vPro presents a different approach and perspective to this common understanding - consider some of the usage models and scenarios described at the follow link.  http://www.intel.com/business/vpro/index.htm  (see the "improve security" and "extend manageability" links on this page under Resources - lower right side)

 

 

The above links demonstrates and introduces the usage models and capabilities.  But - what about ensuring the security of the platform.  As commonly inquired - "Could vPro be used maliciously?".  Considering that any tool of value - even the screwdriver sitting in a garage or a desk drawer - could be used maliciously, the question might be better phrased - "What are the built-in security features of Intel vPro?"  The following is only a summary and overview - yet should provide some comfort in the platform.  (BTW: Are you aware of all the security features in current environments, or would introducing vPro perhaps expose a long term policy or technological oversight?  Just a thought.)

 

  • Internal security - Use of Intel digitally signed firmware. In some cases, the OEM will also require their digital signature for firmware updates. The non-volatile RAM (NVRAM) has strict security and access control. There is a small section referred to as "3rd party datastore" or 3PDS. Access to this area requires registration with Intel and granting of a token. Communications into the management engine occur through secure channels - whether from the operating system or from the network interface. Generally speaking - compromising the internal security would indicate there are bigger problems in the environment.

  • Enterprise setup and configurationsecurity - Enterprise mode setup and configuration is handled via either a pre-shared secret or certificate based authentication. (see related blog on the latter). The configuration uses secure handshakes, authentication, and so forth. Replay attacks are prevented. With the latest configuration service, option to require authentication or approval of systems to be provisioned\configured. Pre-shared keys are changed after configuration, and subsequently based on definable schedules. Minimal setup rights can be used to limit exposure of accounts to perform setup\configuration. Security audit logs and event logs monitor activities. The process also has dependencies on the enterprise DHCP, DNS, PKI\CA, and so forth. Generally speaking - if the enterprise setup and configuration service is compromised, there are bigger problems wtihin the environment (whether technological, social networking, policy\procedure, etc)

  • Operator Security - Roles, permissions, and AMT security realm access control come into play here. This effectively defines who is allowed to configure the "configuration services", who is allowed to authorize or change vPro configurations, and who is allowed to utilize functions on configured vPro systems. The "who" could be defined by a user, group, service, etc.In addition - use of Kerberos for user rights mgmt and so forth provides an integration into the Microsoft Active Directory. Thus a group of users can be defined withe various levels of access control and capability. Plus - all security related actions and configuration changes can be logged. Generally speaking - if an operator compromising vPro security, there are likely bigger problems in the environment (eg. policies, procedures, etc)

  • Communication Security - Once a system configured, transport layer security (TLS) or Mutual TLS can used to secure management traffic. User sessions can authenticated using a digest protocol or Kerberos.

  • Infrastructure Security - Since vPro effectively hasa separate management computer inside, this management engine can be configured for environments supporting wireless profiles (WPA or WPA2), VLAN, Network Access Control, 802.1x, etc.

  • Operational Client Security - On top of all the configuration security items is the end-user usage and capabilities. Items such as System Defense, Agent Presence, remote power management, and so forth.

 

This returns to the first question - Can manageability and security be raised together for client management? 

 

 

Open to hear from the community on your thoughts - whether in agreement or disagreement.