|
Enterprise IT departments are being asked to secure and manage an increasingly heterogeneous enterprise computing
environment with less and less resources. IT departments face the need to satisfy multiple end-user client usage models
and support requirements. Additionally, the IT manager faces a substantial increase in attacks to mission-critical
applications and services with for hire attacks becoming more prevalent. As the enterprise increases in size, the
scalability of existing manageability solutions is becoming a serious issue. Manageability solutions that require human
intervention to discover, diagnose, and remediate system problems cannot scale to meet the requirements of large
enterprise computing [4, 5]. One solution to these problems is to rely on the client platform's capability to secure,
discover, diagnose, and remediate itself. In order for this to occur, manageability and security features need to be
"embedded" into the client platform.
EIT usage models
Based on the issues IT departments face in managing their assets we came up with a set of usages that provide the
capabilities required to address these issues. In this section we describe these usages and discuss how they address the
challenges.
Client isolation and recovery
Among the challenges IT departments face today is the need to satisfy multiple end-user client usage models and support
requirements. In response to these greatly varied requirements, the end user may even be granted
"Administrator" rights on the client PC to install the custom software and hardware required to perform a
specific job. Unfortunately, in this scenario, the end user leverages this access to install additional, non-IT
validated software and hardware or disable IT security services. This results in unstable and unsecured PC
configurations threatening the overall enterprise environment. Even though this additional un-validated software and
hardware causes problems, end users still expect IT to support them when the client PC services and data stored on the
PC become unreliable and unavailable, regardless of what the end-user Service Level of Agreement stipulates.
IT departments benefit from the ability to isolate key manageability and security services from end-user access while
still maintaining the same level of flexibility and performance for end-user services. The Digital Office Embedded IT
platform strategy emphasizes isolating manageability and security services to a virtual manageability appliance based on
Intel® VT via the CIR usage model. Additionally, the strategy anticipates that the manageability appliance will provide a
rich environment for manageability and security vendors to innovate their product offerings. The CIR usage model
provides the ability to remotely manage the client PC during times when the primary operating environment is
unavailable. IT needs this "out-of-band" management capability in the client PCs to enable support when the
end user most desires it.
The user of a CIR-enabled platform is a corporate user. The user is aware of the primary operating environment referred
to as the User OS (the User Partition). IT management software runs isolated from the user's OS in its own appliance-like
virtual Service Partition. In fact, the end user has no knowledge or awareness that the virtual Service Partition
exists. Within the Service Partition a Service OS is used to provide an environment for IT manageability services to do
the following:
-
Disable malicious code or user actions.
-
Prevent invalid/unsecured client configurations from adversely affecting resources on the production network.
-
Patch or repair infected clients.
-
Prevent situations when a worm or user deletes critical OS files.
Below are use cases of a CIR-enabled system. They are stated as problems from the customer's (either end-user or IT
department) point of view.
-
Virus detection and containment.
-
Malicious code or the user can disable features such as Intrusion Detection, Firewall Capabilities, and Asset
Management.
-
Content access enforcement differs based on environment and location.
-
Clients that have an invalid or unsecured configuration can adversely affect other clients on a production network.
-
Infected clients cannot be patched or repaired.
-
A worm or the user deleted critical OS files.
Endpoint Access Control
The Endpoint Access Control (EAC) usage, also known as Network Access Control, is a major feature of the Digital Office
initiative. In the EAC, usage client access to an enterprise is contingent on the client platform being in an acceptable
state. The enterprise determines the parameters of acceptability expressed in the form of an access policy. The policy
is interpreted by a Policy Decision Point (PDP), which in response controls Policy Enforcement Points (PEPs) that
respond by controlling access. Access controls can include any of the following:
-
Unrestricted access.
-
Conditional access based on traffic filtering.
-
Restricted access where only specific resources are accessible.
EAC follows a methodology that can be broken down into the following general steps:
-
Collection–monitoring, reading and storage of security measurements of the client system.
-
Reporting–formatting collected measurements for consumption by a PDP.
-
Evaluation–interpretation of reports and organizational policies.
-
Enforcement–applies access control rules.
-
Remediation–applies configuration rules designed to bring the platform into compliance.
The EIT strategy emphasizes distribution of PDP functionality to an Intel VT Service Partition through delegation. EAC
policies relating to the evaluation of measurements is provisioned to a Service Partition-hosted PDP process. This
process may evaluate measurements directly and forward a summary to the enterprise PDP, or measurements may be forwarded
unmodified. The PDP response is interpreted by the Service Partition-hosted PDP process, and it maps the result to a
format and structure that is meaningful to the client platform. See Figure 1 for the EAC architectural diagram.
The EIT strategy places a strong emphasis on locating enforcement mechanisms inside the client platform while continuing
to extend control interfaces to the enterprise network. Protection of enforcement mechanisms from user applications is
achieved through Intel VT to create a Service Partition. User applications and OSs function within a single User
Partition. Partitioning of Host and Management environments provide isolation of EAC enforcement mechanisms and ensures
that threats originating from the host environment will not defeat the goals of enterprise-controlled EAC.
The Service Partition is a collection point for host traffic destined for enterprise networks. Traffic filters that
implement EAC enforcement policies are applied by a firewall contained in the Service Partition. Use of hardware-based
filters, such as those implemented in the chipset, is under the control of the firewall process in the Service OS
running in the Service Partition.
The Service Partition is an endpoint of communication for the platform. When connecting over an entrusted communication
layer, a Virtual Private Network (VPN) must be constructed to establish a trustworthy connection to the enterprise
network. VPN terminology broadly refers to any channel security protocol that provides data integrity or data
confidentiality. A VPN therefore can be constructed at any layer in a network protocol stack. The client side of the VPN
that is used for EAC originates within the Service Partition (and not the User Partition). The keys used to authenticate
the endpoint and to protect channel data are managed by the Service Partition. Use of hardware-based
encryption/decryption of network traffic is controlled by a VPN management process in the Service Partition. Even if
packets are encrypted/decrypted in a hardware component, the logical endpoint of communication is still the VPN process.
Figure 1: End point access control architecture
click image for larger view
Outbreak Containment
Outbreak Containment (OC) provides the capability to contain the threat once an outbreak is detected. In a scenario
where the client is infected, the client may be switched to a private network to enable remediation. In more serious
threat scenarios, the client may be powered off to protect it from the network. In a known threat scenario, the client
is updated with a patch to protect it against the outbreak.
The OC process starts when an outbreak is declared and enabled from the Management Console. The process is enabled by
configuring OC filters that enable deep packet inspection for monitoring network traffic. The OC Filter Manager analyzes
the collected data to assess the client health and generates a report for appropriate actions. The report can be either
sent to a centralized Intrusion Prevention System (IPS), a decision-making system with a database for further analysis
(Figure 2). The IPS will analyze the threat situation aggregating data from all clients. The Management Console gets the
threat report from the database. If the report indicates a threat, an IT technician initiates steps to protect against
the threat. In such a situation, the client is isolated from the network and a trusted out-of-band (OOB) channel is used
to patch the client against the threat from network.
Figure 2: Outbreak containment applied at firewall
Embedded PC Health
Embedded PC Health (EPCH) usage reduces the client PC lifecycle costs by providing embedded asset management,
provisioning, self-diagnostic, self-repair, and self-optimization capabilities within the Intel® platform. This OS-
independent framework, based on AMT, utilizes platform-specific knowledge from Intel's processor, chipset and NIC. For
details on AMT the reader is referred to [4].
This framework complements existing activities of system vendors services organizations, and manageability framework
providers by adding persistent, secure, and reliable self-managing agents that support these autonomic frameworks. These
programmable agents offer Independent Software Vendors and Original Equipment Manufacturers (OEMs) the ability to
differentiate their offerings while benefiting from standardized capabilities and interfaces. They are accessible in an
OOB mode, allowing for reconnaissance and management actions even if a PC has not yet been provisioned with an OS, or if
the OS is dysfunctional.
The following is a summary of the main objectives of the EPCH:
-
Deployable: Utilize currently deployed protocols and services in the IT environment. Minimize the need to develop
and deploy new protocols and services.
-
Highly available: Provide remote management capabilities regardless of the operational state of the PC hardware or
OS.
-
OS-independence: Provide a base set of platform management functions and interfaces regardless of the OS type or
version installed on the PC.
-
Tamper-resistant: Prevent the end user from removing or disabling the remote management service.
Security implications
The addition of virtualization, service partition, and management processors to address security and reliability goals
may seem at first counter productive due to increased overall complexity. Complexity implies greater opportunity for
vulnerabilities to remain hidden and the threat of new attacks to continue.
The good news is EIT adds complexity where it is needed; it creates safer execution environments and improves the
ability to detect and prevent attacks. Among these improvements is boot verification. A technique relied upon by malware
is to silently install attack code into core OS files and in boot code. Each time the system boots, the malware is
reinserted and reinvoked. Anti-virus scanners are helpful, but can be spoofed by compromised OS code that lies about its
existence.
In EIT systems, only code that is approved by IT or its manufacturer can be loaded. If attack code is successful in
inserting itself into the system, the EIT verified boot procedure will detect the modification and apply an appropriate
remediation action that can include failing to load the attack code or booting a safe-mode environment that hasn't been
compromised.
Even legitimate code contains vulnerabilities that can be exploited by attackers. For example, a network driver is
always subject to attacks on the networking protocols. If an attacker is successful in exploiting a vulnerability, the
executable code in memory could become compromised. As systems become more reliable, they reboot less often making
active attacks to memory more profitable to attackers. EIT is countering this threat by monitoring memory pages that
should not change or should change in a prescribed way. Monitoring agents serve as integrity sentinels that notify the
VMM whenever an invalid page access is attempted. The VMM can respond by blocking such accesses. Integrity Agents are
themselves protected by a VM boundary where direct access between partitions is not allowed.
Should an attack be successful resulting in compromised EIT services, the VMM can respond by placing the platform into a
more secure state. This can be achieved by alerting a management console, blocking I/O, and causing one or more VMs to
cease operating. The latter is usually applied as a last resort if other corrective action fails and when a convenient
time (for the user) can be identified. Automated and semi-automated dismantling of execution environments is analogous
to boot verification; the core principle being that the system is always able to operate securely.
A fundamental tenet of EIT security mechanisms is the ability to create isolated execution environments that are less
susceptible to attack. Intel VT and LaGrande Technology (LT) are instrumental in creating such environments. LaGrande
Technology can be used to create a trusted environment even when most other parts of the system become compromised
including memory, disk, and I/O. From this vantage point, it is possible to construct an environment from any remaining
uncompromised components. By incorporating remediation capabilities into each primitive environment, actions can be
taken that are most appropriate to the severity of the attack or failure [3].
|
;)
