Intel vPro
Intel vPro technology is computer hardware technology to allow remote access to the PC (including monitoring, maintenance, and management) independent of the state of the operating system (OS) or power state of the PC. It consists of a set of features built into a PC's motherboard and other hardware. Intel vPro technology is not the PC itself, nor is it a single set of management features (such as Intel Active Management Technology/Intel AMT) for sys-admins. Intel vPro is a combination of processor technologies, hardware enhancements, management features, and security technologies. Intel vPro technology is intended to help businesses gain certain maintenance and servicing advantages, security improvements, and cost benefits in information technology (IT) areas.
Secure communications outside the corporate firewall depend on adding a new element, a management presence server (Intel calls this a “vPro-enabled gateway”), to the network infrastructure. This will require integration with network switch manufacturers, firewall vendors, and vendors who design management consoles in order to create an infrastructure that supports encrypted roaming communication. So although encrypted roaming communication is enabled as a feature in vPro PCs version 4.0 and higher, the feature may not be fully useful (except in having a "ready" PC) until the infrastructure is functional.
and other system hardware. Because the vPro security technologies are designed into system hardware instead of software, they are less vulnerable to hackers, computer viruses, computer worms, and other threats that typically affect an OS or software applications installed at the OS level (such as virus scan, antispyware, inventory, and other security or management applications).
For example, during deployment of vPro PCs, security credentials, keys, and other critical information are stored in protected memory (not on the hard disk drive), and erased when no longer needed.
, as well as other vendors’ security features:
settings, Intel AMT management features, and other sensitive features or data; and protect security credentials and other critical information during deployment (setup and configuration of Intel AMT) and vPro use.
Intel Core 2 Duo or Quad processors, or Centrino 2 processors.
PCs with Intel vPro require specific chipsets. Intel vPro releases are usually identified by their AMT version.
Note that AMT release 2.5 for wired/wireless laptops and AMT release 3.0 for desktop PCs are concurrent releases.
vPro, AMT, Centrino 2, and Core 2 relationships
There are numerous Intel brands. However, the key differences between vPro (a platform), AMT (a technology), Centrino 2 (a package of technologies), and Core 2 (a processor) are as follows:
- Intel Core 2 Duo or Quad processors are central processing units (CPUs).
- Intel Centrino 2 processor technology is a package of technologies that includes the Intel Core 2 Duo. Intel Centrino 2 is designed for mobile PCs, such as laptops and other small devices. Core 2 and Centrino 2 have evolved to use Intel's latest 45-nm manufacturing processes, have multi-core processing, and are designed for multithreading.
- Intel vPro technology is a set of technologies built into the hardware of the laptop or desktop PC. The technology is targeted at businesses, not consumers. A PC with vPro includes Intel AMT, Intel Virtualization Technology (Intel VT), Intel Trusted Execution Technology (Intel TXT), a gigabit network connection, and so on. There may be a PC with a Core 2 processor, without vPro built in. However, vPro features require a PC with at least a Core 2 processor. Current versions of vPro are built into PCs with Core 2 Duo or Core 2 Quad processors and more recently some versions of Core i5 and Core i7 processors.
- Intel AMT is part of the Intel Management Engine, which is built into PCs with Intel vPro technology. Intel AMT is a set of remote management and security features designed into the PC’s hardware and which allow a sys-admin with AMT security privileges to access system information and perform specific remote operations on the PC. These operations include remote power up/down (via wake on LAN), remote / redirected boot (via integrated device electronics redirect, or IDE-R), console redirection (via serial over LAN), and other remote management and security features.
vPro features
Intel vPro is a platform or set of PC hardware features. PCs with vPro have three main elements: 1) Core 2 Duo/Quad or Centrino 2 processor for business applications; 2) integrated components (such as 64-bit graphics) to reduce the number of discrete components in the system; and 3) hardware-based management and security technology (such as Intel AMT).
A vPro PC includes:
- Multi-core, multi-threaded Intel Core 2 Duo or Quad processors.
- Intel Active Management Technology (Intel AMT), a set of hardware-based features targeted at businesses and which allow remote access to the PC for management and security tasks, when an OS is down or PC power is off. Note that AMT is not the same as Intel vPro; AMT is only one element of a vPro PC.
- Remote configuration technology for AMT, with certificate-based security. Remote configuration can be performed on “bare-bones” systems, before the OS and/or software management agents are installed.
- Wired and wireless (laptop) network connection.
- Intel Trusted Execution Technology (Intel TXT), which is used to verify a launch environment and establish the root of trust, which in turn allows software to build a chain of trust for virtualized environments. Intel TXT also protects secrets during power transitions for both orderly and disorderly shutdowns (a traditionally vulnerable period for security credentials).
- Support for IEEE 802.1x, Cisco Self Defending Network (SDN), and Microsoft Network Access Protection (NAP) in laptops, and support for 802.1x and Cisco SDN in desktop PCs. Support for these security technologies allows Intel vPro to store the security posture of a PC so that the network can authenticate the system before the OS and applications load, and before the PC is allowed access to the network.
- Intel Virtualization Technology, including Intel VT for memory, CPU, and Directed I/O, to support virtualized environments. Intel VT is hardware-based technology, not software-based virtualization. Intel VT lets you run multiple OSs (traditional virtualization) on the same PC or run a specialized or critical application in a separate space (a virtual PC on the physical system) in order to help protect the application or privacy of sensitive information.
- Execute Disable Bit which, when supported by the OS, can help prevent some types of buffer overflow attacks.
- Support for Microsoft Windows Vista, including Microsoft Windows Vista BitLocker with an industry-standard Trusted Platform Module version 1.2 and Intel graphics support for Windows Vista AERO graphical user interface.
Remote-management
Intel AMT is the set of management and security features built into vPro PCs and which are intended to make it easier for a sys-admin to monitor, maintain, secure, and service PCs. Intel AMT (the management technology) is sometimes mistaken for being the same as Intel vPro (the PC "platform"), because AMT is one of the most visible technologies of an Intel vPro-based PC.
Intel AMT includes:
- Encrypted remote power up/down/reset (via wake on LAN, or WOL)
- Remote/redirected boot (via integrated device electronics redirect, or IDE-R)
- Console redirection (via serial over LAN, or SOL)
- Preboot access to BIOS settings
- Programmable filtering for inbound and outbound network traffic
- Agent presence checking
- Out-of-band policy-based alerting
- Access to system information, such as the PC’s universal unique ID (UUID), hardware asset information, persistent event logs, and other information that is stored in dedicated memory (not on the hard drive) where it is accessible even if the OS is down or the PC is powered off.
Hardware-based management has been available in the past, but it has been limited to auto-configuration using DHCP or BOOTP for dynamic IP allocation and diskless workstations, as well as Wake On LAN for remotely powering on systems.
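Because the AMT services listed above answer on the network even when the OS is down, host-based logging cannot see them, and flow records are the practical place to check who is reaching them. The following is an added example, not part of the original article: it audits flow records for AMT traffic that is unencrypted, that comes from a host other than a management console, or that originates outside the corporate network. The port numbers are the IANA-registered AMT ports (the article does not list them); the subnets, log format and sample records are constructed for illustration.

```python
import csv
import io
import ipaddress

# IANA-registered Intel AMT service ports (assumption: not listed in the article).
# Value: (service name, whether the port carries TLS).
AMT_PORTS = {
    16992: ("amt-soap-http", False),   # management API / web UI, cleartext
    16993: ("amt-soap-https", True),   # management API / web UI over TLS
    16994: ("amt-redir-tcp", False),   # SOL / IDE-R redirection, cleartext
    16995: ("amt-redir-tls", True),    # SOL / IDE-R redirection over TLS
}

# Hypothetical site policy: where the management consoles live,
# and which address space counts as "inside the corporate firewall".
MGMT_CONSOLES = [ipaddress.ip_network("10.20.0.0/28")]
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample flow records:
# timestamp, source, destination, destination port, firewall action
SAMPLE_FLOWS = """\
2024-05-01T09:00:01Z,10.20.0.5,10.30.4.17,16993,allow
2024-05-01T09:00:09Z,10.20.0.5,10.30.4.17,16995,allow
2024-05-01T09:02:44Z,10.30.7.80,10.30.4.17,16992,allow
2024-05-01T09:03:10Z,10.20.0.6,10.30.4.18,16994,allow
2024-05-01T09:05:31Z,203.0.113.40,10.30.4.17,16993,deny
2024-05-01T09:06:02Z,10.30.7.80,10.30.4.17,443,allow
"""


def _in_any(addr, networks):
    """True if addr falls inside at least one of the given networks."""
    return any(addr in net for net in networks)


def audit_amt_flows(flow_csv):
    """Return one finding per AMT flow that violates the site policy.

    A flow is reported when it uses a cleartext AMT port, when its source
    is not a known management console, or when its source lies outside the
    corporate address space. Non-AMT and malformed rows are skipped.
    """
    findings = []
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 5 or not row[3].isdigit():
            continue  # blank or malformed record
        ts, src, dst, dport, action = row
        port = int(dport)
        if port not in AMT_PORTS:
            continue
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # unparseable source address
        service, encrypted = AMT_PORTS[port]

        reasons = []
        if not encrypted:
            reasons.append("cleartext")
        if not _in_any(src_ip, MGMT_CONSOLES):
            reasons.append("unauthorized-source")
        if not _in_any(src_ip, CORPORATE_NETS):
            reasons.append("outside-firewall")

        if reasons:
            findings.append({
                "time": ts,
                "src": src,
                "dst": dst,
                "service": service,
                "action": action,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_amt_flows(SAMPLE_FLOWS):
        print(f["time"], f["src"], "->", f["dst"], f["service"],
              f["action"], ",".join(f["reasons"]))
```

Flows that were allowed and still appear in the findings are the ones to act on first; denied flows show probing that the firewall already stopped.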
VNC-based KVM remote control
In vPro 6.0 PCs with i5 or i7 processors and embedded Intel graphics, Intel AMT embeds a proprietary VNC Server, so you can connect out-of-band using dedicated VNC-compatible Viewer technology, and have full KVM (Keyboard, Video, Mouse) capability throughout the power cycle - including uninterrupted control of the desktop when an operating system loads. Clients such as VNC Viewer Plus from RealVNC also provide additional functionality that might make it easier to perform (and watch) certain Intel AMT operations, such as powering the computer off and on, configuring the BIOS, and mounting a remote image (IDER).
Wireless communication
Intel vPro supports encrypted wired and wireless LAN communication for all remote management features for PCs inside the corporate firewall. Intel vPro supports encrypted communication for some remote management features for wired and wireless LAN PCs outside the corporate firewall.
vPro laptop wireless communication
Laptops with vPro include a gigabit network connection and support IEEE 802.11a/g/n wireless protocols.
AMT wireless communication
Intel vPro PCs support wireless communication to the AMT features.
- For wireless laptops on battery power, communication with AMT features can occur when the system is awake and connected to the corporate network. This communication is available if the OS is down or management agents are missing.
- AMT out-of-band communication and some AMT features are available for wireless or wired laptops connected to the corporate network over a host OS-based virtual private network (VPN) when laptops are awake and working properly.
Encrypted communication while roaming
Intel vPro PCs support encrypted communication while roaming.
vPro PCs version 4.0 or higher support security for mobile communications by establishing a secure tunnel for encrypted AMT communication with the managed service provider when roaming (operating on an open, wired LAN outside the corporate firewall). Secure communication with AMT can be established if the laptop is powered down or the OS is disabled. The AMT encrypted communication tunnel is designed to allow sys-admins to access a laptop or desktop PC at satellite offices where there is no on-site proxy server or management server appliance.
Secure communications outside the corporate firewall depend on adding a new element to the network infrastructure: a management presence server (Intel calls this a “vPro-enabled gateway”). This will require integration with network switch manufacturers, firewall vendors, and vendors who design management consoles in order to create an infrastructure that supports encrypted roaming communication. So although encrypted roaming communication is enabled as a feature in vPro PCs version 4.0 and higher, the feature may not be fully useful (except in having a "ready" PC) until the infrastructure is functional.
vPro security
vPro security technologies and methodologies are designed into the PC’s chipset and other system hardware. Because the vPro security technologies are designed into system hardware instead of software, they are less vulnerable to hackers, computer viruses, computer worms, and other threats that typically affect an OS or software applications installed at the OS level (such as virus scan, antispyware, inventory, and other security or management applications).
For example, during deployment of vPro PCs, security credentials, keys, and other critical information are stored in protected memory (not on the hard disk drive), and erased when no longer needed.
Security and privacy concerns
There are still many potential security concerns for PCs with vPro. There is apparently no way to disable vPro on a PC, and most users cannot detect outside access to their PC via the vPro hardware-based technology. Moreover, Sandy Bridge and most likely future chips will have "the ability to remotely kill and restore a lost or stolen PC via 3G".
Security features
Intel vPro supports industry-standard methodologies and protocols, as well as other vendors’ security features:
- Intel Trusted Execution Technology (Intel TXT).
- Industry-standard Trusted Platform Module version 1.2 (TPM).
- Support for IEEE 802.1x, Preboot Execution Environment (PXE), Cisco Self Defending Network (SDN), and Microsoft Network Access Protection (NAP) in laptops, and support for IEEE 802.1x, Preboot Execution Environment (PXE), and Cisco Self Defending Network (SDN) in desktop PCs.
- Execute Disable Bit.
- Intel Virtualization Technology (Intel VT).
Technologies and methodologies
Intel vPro uses several industry-standard security technologies and methodologies to secure the remote vPro communication channel. These technologies and methodologies also improve security for accessing the PC’s critical system data, BIOS settings, Intel AMT management features, and other sensitive features or data; and protect security credentials and other critical information during deployment (setup and configuration of Intel AMT) and vPro use.
- Transport layer security protocol, including pre-shared key TLS (TLS-PSK) to secure communications over the out-of-band network interface. The TLS implementation uses AES 128-bit encryption and RSA keys with modulus lengths of 2048 bits.
- HTTP digest authentication protocol as defined in RFC 2617. The management console authenticates IT administrators who manage PCs with Intel AMT.
- Single sign-on to Intel AMT with Microsoft Windows domain authentication, based on the Microsoft Active Directory and Kerberos protocols.
- A pseudorandom number generator (PRNG) in the firmware of the AMT PC, which generates high-quality session keys for secure communication.
- Only digitally signed firmware images (signed by Intel) are permitted to load and execute.
- Tamper-resistant and access-controlled storage of critical management data, via a protected, persistent (nonvolatile) data store (a memory area not on the hard drive) in the Intel AMT hardware.
- Access control lists for Intel AMT realms and other management functions.
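The HTTP digest item above names RFC 2617; the following added example (not Intel's or any management console's code) shows how a verifier checks a `qop=auth` digest response, including the nonce-count replay check and a constant-time comparison. The header and password are the sample values from RFC 2617 section 3.5; `DigestVerifier` and the helper names are hypothetical.

```python
import hashlib
import hmac
import re

# Sample header from RFC 2617 section 3.5 (password there: "Circle Of Life").
SAMPLE_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)
REQUIRED = ("username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response")


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_authorization(header):
    """Split 'Digest k="v", k=v, ...' into a dict with lower-cased keys."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}


def expected_response(fields, method, password):
    """RFC 2617 request-digest for qop=auth with the MD5 algorithm."""
    ha1 = md5_hex(f"{fields['username']}:{fields['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{fields['uri']}")
    return md5_hex(":".join(
        [ha1, fields["nonce"], fields["nc"], fields["cnonce"], fields["qop"], ha2]))


class DigestVerifier:  # hypothetical name, not an Intel AMT interface
    def __init__(self, realm, issued_nonces):
        self.realm = realm
        # Highest nonce-count accepted so far for each nonce this server issued.
        self.last_nc = {nonce: 0 for nonce in issued_nonces}

    def verify(self, header, method, password):
        try:
            fields = parse_authorization(header)
            nc = int(fields["nc"], 16)
        except (ValueError, KeyError):
            return False
        if any(name not in fields for name in REQUIRED):
            return False
        if fields["qop"] != "auth" or fields["realm"] != self.realm:
            return False
        last = self.last_nc.get(fields["nonce"])
        if last is None or nc <= last:
            return False  # unknown nonce, or a replayed/stale nonce-count
        want = expected_response(fields, method, password).encode()
        got = fields["response"].lower().encode()
        if not hmac.compare_digest(want, got):  # constant-time comparison
            return False
        self.last_nc[fields["nonce"]] = nc
        return True
```

A production verifier would store the precomputed H(A1) value rather than the password and would expire nonces; both are omitted here to keep the digest computation visible.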
vPro hardware requirements
The first release of Intel vPro was built with an Intel Core 2 Duo processor. The current versions of Intel vPro are built into systems with 45 nm Intel Core 2 Duo or Quad processors, or Centrino 2 processors.
PCs with Intel vPro require specific chipsets. Intel vPro releases are usually identified by their AMT version.
Laptop PC requirements
Laptops with Intel vPro require:
- For Intel AMT release 4.1 (Intel Centrino 2 with vPro technology):
  - 45 nm Intel Core 2 Duo processor T, P sequence 8400, 8600, 9400, 9500, 9600; small form factor P, L, U sequence 9300 and 9400, and Quad processor Q9100.
  - Mobile 45 nm Intel GS45, GM47, GM45 and PM45 Express Chipsets (Montevina with Intel Anti-Theft Technology) with 1066 FSB, 6 MB L2 cache, ICH10M-enhanced.
- For Intel AMT release 4.0 (Intel Centrino 2 with vPro technology):
  - 45 nm Intel Core 2 Duo processor T, P sequence 8400, 8600, 9400, 9500, 9600; small form factor P, L, U sequence 9300 and 9400, and Quad processor Q9100.
  - Mobile 45 nm Intel GS45, GM47, GM45 and PM45 Express Chipsets (Montevina) with 1066 FSB, 6 MB L2 cache, ICH9M-enhanced.
- For Intel AMT release 2.5 and 2.6 (Intel Centrino with vPro technology):
  - Intel Core 2 Duo processor T, L, and U 7000 sequence, 45 nm Intel Core 2 Duo processor T8000 and T9000
  - Mobile Intel 965 (Broadwater-Q) Express Chipset with ICH8M-enhanced.
Note that AMT release 2.5 for wired/wireless laptops and AMT release 3.0 for desktop PCs are concurrent releases.
Desktop PC requirements
Desktop PCs with vPro (called “Intel Core 2 with vPro technology”) require:
- For AMT release 5.0:
  - Intel Core 2 Duo processor E8600, 8500, and E8400; 45 nm Intel Core 2 Quad processor Q9650, Q9550, and Q9400.
  - Intel Q45 (Eaglelake-Q) Express Chipset with ICH10DO.
- For AMT release 3.0, 3.1, and 3.2:
  - Intel Core 2 Duo processor E6550, E6750, and E6850; 45 nm Intel Core 2 Duo processor E8500, E8400, E8300 and E8200; 45 nm Intel Core 2 Quad processor Q9550, Q9450 and Q9300.
  - Intel Q35 (Bearlake-Q) Express Chipset with ICH9DO.
Note that AMT release 2.5 for wired/wireless laptops and AMT release 3.0 for desktop PCs are concurrent releases.
- For AMT release 2.0, 2.1 and 2.2:
  - Intel Core 2 Duo processor E6300, E6400, E6600, and E6700.
  - Intel Q965 (Averill) Express Chipset with ICH8DO.
See also
- Desktop and mobile Architecture for System Hardware (DASH)
- Active Management Technology (AMT)
- Intel AMT versions
- Intel Core 2
- Centrino 2
- Centrino
- Intel Viiv
- User-Centric Proactive IT Management
- Frontline Performance Intelligence
- Intel CIRA (Client-Initiated Remote Access)