Intel® Active Management Technology Use Case #7: Hardware-Based Isolation and Recovery (Protect)

Last Modified On :   October 13, 2008 9:59 AM PDT

Intel® Active Management Technology (Intel® AMT) helps to decrease vulnerability to network attacks. Outbreak containment filters help to detect suspicious activity. This example examines the case where a day-zero virus (such as Slammer) attacks a network. Note that greater connectivity options, including public wireless hotspots, hotels, and home networks increase vulnerabilities. The example includes efforts to reduce network exposure once platforms infected with the virus begin propagating the infection across the network.

Conventional Virus-Recovery Limitations

In a typical day-zero inbound virus protection scenario, infected platforms propagate the virus through the network. In many cases, manual IT intervention is required to prevent the spread of malware. In terms of day-zero outbound virus protection, intrusion detection software may identify suspicious platform behavior such as port sweeps, IP ping sweeps, etc. If suspicious behavior is found, the suspected packet stream will be blocked by the software.

Traditional environments facing malware attacks must scramble to reduce network exposure. Compromised software firewall agents leave platforms vulnerable to malware attacks. Network threats (once successful) can spread quickly throughout the network.  Distributed methods for detecting malware activity across multiple managed end nodes are limited. During an event, network managers have little recourse if a software firewall patch or update is not available.  These patches can take a day or more for the software firewall vendors to create, leaving networks vulnerable unless entire subnets are brought down.  Productivity is halted until the threat can be contained.

Using Intel® AMT to Overcome Limitations

In an Intel AMT enabled environment, day-zero inbound and outbound virus protection benefits from Wired Network Outbreak Containment filters that scan incoming and outgoing network traffic, regardless of operating system or virus protection agent state. Scans for suspicious behavior compare five points of data (source and destination IP addresses and port numbers, as well as protocol type) against preset rules.

Additionally, heuristics-based network traffic filters monitor the outbound network traffic for IP scans and port scans. Each node compares a time slice of its network traffic against the heuristics filters defined in the system defense engine. Suspicious behavior is detected when the number of occurrences within the time window exceeds the thresholds set in the filters.

These filters are configurable via third-party console applications, which govern whether traffic identified as suspicious is dropped, alerted to the IT organization, or passed through (no action). Depending on the IT policy setup, filters can be programmed to protect the system from receiving or transmitting malware, resulting in reduced support calls and increased user productivity.

In order to reduce network exposure, the IT organization can detect suspicious activity at a node or series of nodes via alerts sent to a central control console. It can send real-time updates via the out-of-band (OOB) channel to suspected nodes to block the suspicious traffic (allowing the user to remain connected and active with only the malware blocked) and update unaffected nodes with additional filter criteria. While a platform is in quarantine, console software can clean the system of malware, viruses, etc., using either a specific dedicated port or Serial-over-LAN (SOL)/IDE-R to boot the system to a known good image for remediation.

Key Functionality Enabled by Intel AMT that Underlies this Use Case

The following table summarizes the features and functionality utilized in this use case that are provided by Intel AMT or enabled by Intel AMT in third-party software:

Feature: Wired filters (32Tx/32Rx) for IPv4 networks
Functionality: Scans traffic over wired IPv4 network interfaces to detect suspicious activity

Feature: Wireless (802.11) filters (32Tx/32Rx) for IPv4 networks (for mobile – Santa Rosa only)
Functionality: Scans traffic over wireless IPv4 network interfaces to detect suspicious activity

Feature: Out-of-Band (OOB) access
Functionality: The Management Console can send real-time updates to the nodes to block the suspicious traffic, and can also clean the system using SOL/IDE-R to boot the system to a known good image

In addition, the following functionality is performed by third-party management applications:

  • Network Outbreak Containment (NOC) management application and database remotely updates, distributes, and tracks NOC events.
  • Network-management application isolates and identifies infected systems.
  • Remediation network facilities clean up infected systems and roll back filters to default policy settings.
  • Mechanism to enable and disable network traffic heuristics-based enhanced system defense filters, as well as mechanism to set the time windows, thresholds, and actions to take once an event is detected.

The Advantage of Intel AMT

Intel AMT enables better inbound protection by decreasing the number of virus attacks, malware, etc., that successfully infect the platform. The environment achieves that goal by means of programmable hardware filters that detect and stop known malware from affecting the platform, regardless of operating system health or virus protection agent state.

Likewise, Intel AMT enables better outbound protection, because fewer virus attacks, malware, etc., propagate to the network from an infected platform. It achieves that goal by means of programmable hardware-based network traffic heuristic filters that detect and stop many malware/worms from being transmitted and infecting other network-connected platforms, regardless of virus protection agent state.

Improved inbound and outbound protection reduces the number of support calls (desk-side and all other forms) to repair systems infected by malware; fewer systems get infected, and those that do get infected are easier to remediate remotely. In a related benefit, end-user productivity is increased by requiring less time to be spent recovering from malware and allowing users to continue to operate (connected to the network) while only the malware is blocked (and other traffic is transmitted and received).

Business Value of the Intel AMT Solution

This use case enables IT organizations to save on support and productivity costs:

  • Savings from Eliminating Support Issues: By reducing the number of systems that are affected by malware, support costs are reduced.
  • Savings in End-user Productivity: By decreasing the number of end-users who are affected by malware, organizations can realize savings in terms of avoided end-user downtime.

System Defense Usage Model Implementation

The components required to configure a System Defense / Agent Presence (AP) Use Case are as follows:

  • Management Console (MC) application. This is an application running on a system elsewhere on the network.
  • An Intel® AMT system.
  • Software agent application running in the host OS of the Intel AMT system platform.

The MC application is used to configure the Intel AMT device with the AP settings such as agent watchdog creation and timeout actions, along with any related and required System Defense policies. Note that in previous versions of Intel AMT, “System Defense” was referred to as “Circuit Breaker.” The existing APIs still contain the abbreviation “CB” in their names. These APIs are the System Defense APIs.

In the following example, a system has been identified by a central management console as possibly infected with a worm, and the central console would like to restrict the system so that it can communicate with only one subnet.

The following is a System Defense and Agent Presence Overview:

  1. Management Console (MC) defines an INSPECTION AND REPAIR System Defense policy (priority 99).  In this policy, network traffic is limited to the inspection and repair subnet (192.168.1.*).
  2. MC defines several Rate Limit filters.  For each filter, a Platform Event Trap (PET) is defined that will be sent to MC if the rate limit condition occurs:
    • If the number of SYN packets sent from the host is greater than 1000 per second, Intel AMT sends a PET to the MC.
    • If the number of ICMP (ping) packets sent from the host is greater than 500 per second, Intel AMT sends a PET to the MC.
  3. MC receives PET messages indicating SYN or ping attacks.
  4. MC places this host in the inspection and repair subnet by applying the INSPECTION AND REPAIR System Defense Policy.
  5. MC opens a trouble ticket for an operator to inspect and repair this host.
  6. A technician receives the trouble ticket, repairs the host, and marks the trouble ticket as completed.
  7. MC is notified that the trouble ticket is closed.  MC deactivates and disables the INSPECTION AND REPAIR System Defense policy.
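The filtering and quarantine flow in steps 1 to 4 above, together with the five-tuple and rate-limit filters described in the "Using Intel AMT" section, modelled in Python as an added example. This is not code from the article or from the Intel AMT SDK and it calls none of the Cb* APIs; the class names (Packet, Rule, Policy, RateLimit, SystemDefense), the host addresses, timestamps, filter names and the scan traffic are all constructed for the illustration. The thresholds (1000 SYN/s, 500 ICMP/s) and the 192.168.1.* repair subnet are the ones the text gives.

```python
"""Model of the System Defense filtering and quarantine flow (added illustration, not Intel SDK
code and calling no Cb*/Hcb* API; hosts, timestamps, thresholds and names are constructed)."""
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

# packet record: t (seconds on a constructed clock), the five-tuple, proto "tcp"/"udp"/"icmp", SYN flag
Packet = namedtuple("Packet", "t src dst sport dport proto syn", defaults=(False,))

@dataclass(frozen=True)
class Rule:
    """Five-tuple match (source/destination address and port, protocol); None is a wildcard."""
    action: str                  # "drop" or "pass"
    src: Optional[str] = None    # CIDR
    dst: Optional[str] = None    # CIDR
    sport: Optional[int] = None
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport)
                and (self.proto is None or p.proto == self.proto))

@dataclass
class Policy:
    name: str
    priority: int
    rules: list                  # evaluated in order; first match wins
    default_action: str = "pass"

@dataclass
class RateLimit:
    """Counts selected packets per one-second slice; trips once a slice exceeds per_second."""
    name: str
    per_second: int
    selects: Callable[[Packet], bool]
    counts: dict = field(default_factory=lambda: defaultdict(int))
    tripped: bool = False

    def observe(self, p: Packet) -> bool:
        # True exactly once: on the packet that crosses the threshold (a PET is raised)
        if not self.selects(p):
            return False
        self.counts[int(p.t)] += 1
        if self.counts[int(p.t)] > self.per_second and not self.tripped:
            self.tripped = True
            return True
        return False

class SystemDefense:
    """Per-node engine: heuristics raise PETs; the highest-priority enabled policy decides each packet."""
    def __init__(self, heuristics):
        self.heuristics, self.policies, self.pets = list(heuristics), [], []
        self.dropped = self.passed = 0

    def enable_policy(self, policy: Policy):
        self.policies.append(policy)
        self.policies.sort(key=lambda pol: -pol.priority)

    def handle(self, p: Packet) -> str:
        for h in self.heuristics:
            if h.observe(p):
                self.pets.append((h.name, p.src, int(p.t)))   # alert sent out of band to the MC
        action = "pass"
        if self.policies:
            pol = self.policies[0]
            action = next((r.action for r in pol.rules if r.matches(p)), pol.default_action)
        if action == "drop":
            self.dropped += 1
        else:
            self.passed += 1
        return action

# Step 1 of the overview: traffic limited to the inspection and repair subnet (192.168.1.*)
INSPECTION_AND_REPAIR = Policy("INSPECTION AND REPAIR", 99, default_action="drop",
    rules=[Rule("pass", dst="192.168.1.0/24"), Rule("pass", src="192.168.1.0/24")])

def run_scenario() -> dict:
    """Steps 2-4 of the overview on constructed traffic from a host that starts SYN-scanning."""
    engine = SystemDefense([
        RateLimit("syn-flood", 1000, lambda p: p.proto == "tcp" and p.syn),  # > 1000 SYN/s
        RateLimit("ping-sweep", 500, lambda p: p.proto == "icmp"),           # > 500 ICMP/s
    ])
    # constructed: 1200 SYNs from 10.0.0.5 into 10.0.1.0/24 within second 0, then two packets in second 1
    stream = [Packet(i / 2000, "10.0.0.5", f"10.0.1.{i % 250 + 1}", 40000 + i, 445, "tcp", syn=True)
              for i in range(1200)]
    stream += [Packet(1.0, "10.0.0.5", "10.0.1.7", 50000, 80, "tcp", syn=True),       # peer: blocked
               Packet(1.1, "10.0.0.5", "192.168.1.10", 50001, 443, "tcp", syn=True)]  # repair subnet: allowed
    for p in stream:
        engine.handle(p)
        if engine.pets and not engine.policies:
            engine.enable_policy(INSPECTION_AND_REPAIR)   # step 4: the MC reacts to the first PET
    return {"pets": [pet[0] for pet in engine.pets], "dropped": engine.dropped, "passed": engine.passed}
```

In the constructed run the 1,001st SYN inside one second trips the syn-flood filter and raises the PET; from the next packet on only traffic to or from the repair subnet leaves the host, so the packet to 192.168.1.10 still passes while the rest of the scan and the later packet to a peer are dropped. That is the behaviour the text describes: the user stays connected and only the suspect traffic is blocked.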

The following table provides some high-level instructions on how to create/disable/remove System Defense policies and create and register an agent presence watchdog.

Action: Create a System Defense Policy
Steps:
  1. Call CbQueryCapabilities() to get the HardwareID.
  2. Call CbFilterCreate() for each filter and save the FilterHandle.
  3. Call CbPolicyCreate() using all the saved FilterHandles and save the PolicyCreationHandle.
  4. Call CbPolicyEnable() using the HardwareID and PolicyCreationHandle.

Action: Disable a System Defense Policy (that was enabled by a Management Console for a specific HardwareID)
Steps:
  1. Call CbPolicyDisable() using the HardwareID. If no HardwareID is specified, this command disables the MC System Defense policy on all interfaces.

Action: Remove a System Defense Policy
Steps:
  1. Call CbPolicyEnumerate(). Examine the returned CircuitBreakerPolicy structures to identify the desired policy, and save its PolicyCreationHandle.
  2. Call CbPolicyDelete() using the selected PolicyCreationHandle.

Action: Create an Agent Presence Watchdog
Steps:
  1. First create a System Defense policy.
  2. Call ConsoleWatchdogSetCbPolicy using the desired HardwareIDs and System Defense policies.
  3. Call ConsoleWatchdogCreate().
  4. Specify the state transition table in ConsoleWatchdogActions().
  5. Call ConsoleWatchdogSetActions() with the ConsoleWatchdogActions.

Action: Local Agent Registration & Heartbeat Signals
Steps:
  1. Call AgentWatchdogRegister() with the AgentID of the agent.
  2. Store the returned SessionSequenceNumber and AgentHeartbeatTime.
  3. Increment SessionSequenceNumber by 1.
  4. Every AgentHeartbeatTime seconds:
    1. Call AgentWatchdogHeartbeat().
    2. Increment SessionSequenceNumber by 1.
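The Agent Presence watchdog and the local registration/heartbeat loop from the last two actions above, as an added Python model. This is not Intel SDK code: the ConsoleWatchdog*/AgentWatchdog* calls are mirrored only loosely as methods of a constructed AgentPresence class, the state names, agent id, intervals and the transition table are assumptions, and "enable:<policy>"/"disable:<policy>" is a constructed encoding of the action the watchdog takes on each transition. What it shows is the mechanism the text relies on: the device keeps the expected sequence number, rejects a heartbeat that does not carry it, and enables the System Defense policy when the heartbeat window lapses.

```python
"""Model of Agent Presence: console watchdog, local agent heartbeats, and the action taken when the
agent stops (added illustration, not Intel SDK code; ids, intervals and the transition table are constructed)."""
from dataclasses import dataclass, field

@dataclass
class Watchdog:
    agent_id: str
    interval: float            # AgentHeartbeatTime in seconds
    grace: float               # allowance after a missed heartbeat before the agent is declared absent
    actions: dict              # state transition table: (from_state, to_state) -> action
    state: str = "not_started"
    expected_seq: int = 0      # next SessionSequenceNumber the device will accept
    last_seen: float = 0.0
    fired: list = field(default_factory=list)

class AgentPresence:
    """Device side: holds console-created watchdogs, validates heartbeats, fires policy actions."""
    def __init__(self):
        self.watchdogs = {}
        self.enabled_policies = set()

    def console_create(self, agent_id, interval, grace, actions):
        # ConsoleWatchdogCreate + ConsoleWatchdogSetActions, modelled as one call
        self.watchdogs[agent_id] = Watchdog(agent_id, interval, grace, actions)

    def _transition(self, wd, new_state, now):
        action = wd.actions.get((wd.state, new_state))
        wd.state = new_state
        if action:
            wd.fired.append((now, action))
            kind, policy = action.split(":", 1)   # "enable:<policy>" or "disable:<policy>"
            (self.enabled_policies.add if kind == "enable" else self.enabled_policies.discard)(policy)

    def agent_register(self, agent_id, now):
        # AgentWatchdogRegister: returns (SessionSequenceNumber, AgentHeartbeatTime)
        wd = self.watchdogs[agent_id]             # KeyError: no console watchdog exists for this agent
        wd.expected_seq, wd.last_seen = 1, now    # the agent increments 0 -> 1 before its first heartbeat
        self._transition(wd, "running", now)
        return 0, wd.interval

    def agent_heartbeat(self, agent_id, seq, now):
        # AgentWatchdogHeartbeat: accepted only from a running agent with the expected sequence number
        wd = self.watchdogs.get(agent_id)
        if wd is None or wd.state != "running" or seq != wd.expected_seq:
            return False
        wd.expected_seq += 1
        wd.last_seen = now
        return True

    def tick(self, now):
        # device timer: a running agent that overruns interval + grace is declared expired
        for wd in self.watchdogs.values():
            if wd.state == "running" and now - wd.last_seen > wd.interval + wd.grace:
                self._transition(wd, "expired", now)

class LocalAgent:
    """Host-side agent following the registration and heartbeat loop in the table above."""
    def __init__(self, ap, agent_id, now):
        self.ap, self.agent_id, self.alive = ap, agent_id, True
        self.seq, self.interval = ap.agent_register(agent_id, now)   # store the returned values
        self.seq += 1                                                # increment by 1
        self.next_beat = now + self.interval

    def run_until(self, now):
        while self.alive and self.next_beat <= now:                  # every AgentHeartbeatTime seconds
            self.ap.agent_heartbeat(self.agent_id, self.seq, self.next_beat)
            self.seq += 1
            self.next_beat += self.interval

def run_scenario() -> dict:
    """Constructed timeline: the agent beats every 30 s, is stopped at t=120 s, and the watchdog
    enables the restrictive System Defense policy once the heartbeat window lapses."""
    ap = AgentPresence()
    ap.console_create("av-agent", interval=30.0, grace=10.0, actions={
        ("not_started", "running"): "disable:INSPECTION AND REPAIR",
        ("running", "expired"): "enable:INSPECTION AND REPAIR",
    })
    agent = LocalAgent(ap, "av-agent", now=0.0)
    for now in range(0, 301, 5):          # 5 minutes of simulated time in 5 s ticks
        if now == 120:
            agent.alive = False          # constructed: malware stops the agent process
        agent.run_until(now)
        ap.tick(now)
    wd = ap.watchdogs["av-agent"]
    stale = ap.agent_heartbeat("av-agent", 1, 301.0)   # a replayed early sequence number is rejected
    return {"state": wd.state, "fired": wd.fired,
            "enabled": sorted(ap.enabled_policies), "stale_accepted": stale}
```

In the constructed timeline the last accepted heartbeat is at 90 s; the agent misses the 120 s beat, and at the first tick past 130 s (interval plus grace) the watchdog moves to "expired" and enables INSPECTION AND REPAIR. A later heartbeat with an old sequence number is refused, which is why the sequence number is stored and incremented on the agent side rather than reset on every call.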

In the following example, a system has been configured by a central management console with network traffic heuristic filters. The system gets infected by a virus and begins an IP port scan attack.

The following is the Enhanced System Defense Overview:

  1. MC sends information to the Management Engine that sets the heuristic policies. The filters examine the outgoing traffic for IP scans, port scans and DoS attacks.
  2. IT sets an event for each scenario in case the heuristic filter is tripped. Events can range from sending or storing an alert to rate limiting traffic or actually dropping the suspect packets.
  3. System gets infected with a virus and begins an IP port scan attack.
  4. The filter counting the packets gets tripped. Once the filter is tripped, the corresponding policy is executed: suspect packets are dropped and an alert is sent to the console.
  5. MC receives PET messages indicating IP port scan attacks.
  6. MC opens a trouble ticket for an operator to inspect and repair this host.
  7. A technician receives the trouble ticket, repairs the host, and marks the trouble ticket as completed.
  8. MC is notified that the trouble ticket is closed.  MC deactivates the System Defense policy and clears the heuristics state.

The following table provides some high-level instructions on how to create/disable/remove heuristics System Defense policies.

Action: Create a Heuristic System Defense Policy
Steps:
  1. Create a System Defense policy as defined in the table above and save the PolicyCreationHandle.
  2. Call SetHcbOptions() for an interface with options that include the PolicyCreationHandle.
  3. Call GetHcbOptions() to read back the configured heuristics options.

Action: Disable a Heuristic System Defense Policy
Steps:
  1. Call SetHcbOptions() with a NULL parameter for the heuristics options.

Action: Clear the Heuristics State
Steps:
  1. Call ClearHcbState() for an interface.
  2. Call GetHcbState() to read the current heuristics state.

Note: See the “System Defense Feature and Agent Presence Overview.pdf” [PDF 335KB] or the “Intel® AMT Network Interface Guide.pdf” [PDF 2.45MB] documents located in the Intel AMT SDK for further details.


The following assumptions underlie the analysis in this use case:

  1. The analysis in this use case does not account for virtual private networks (VPNs).
  2. The environment in this use case does not utilize IPSec encryption at Layer 2.
  3. Non-Intel NICs are not protected; Intel AMT can only protect an Intel integrated NIC.
  4. Platforms deployed with Layer 3 (network) VPNs or IPSec will be unprotected by NOC filters.