Intel® Active Management Technology (Intel® AMT) helps safeguard critical manageability functions by reducing the risk that critical software agents are removed without detection. In this use case, malware infects a platform and disables its software agents. The platform is then vulnerable to further malware and can be used to mount attacks on the network. Software agents can also be disabled or removed by users, intentionally or unintentionally, negating the value of the manageability and security software.
In a traditional environment, management consoles poll platform-resident software agents to ensure that they are present. This activity consumes network bandwidth and only works if the platform is powered on, the operating system is present and operational, and the platform is attached to the corporate LAN. Many systems typically cannot be polled at all, including mobile clients and systems that are powered off or non-responsive, which makes the process time-consuming and the results potentially inaccurate.
Intel AMT-enabled third-party software agents register with the Intel AMT firmware. Once they are registered, the third-party management-console software configures how often the firmware polls for agent presence. Because the polling is performed locally, it does not consume network bandwidth. For example, the Intel AMT firmware can check every 10 seconds whether the agents are present; if an agent does not respond to the poll, an alert is sent to the management console.
If configured to do so, the system takes immediate action based on a preconfigured policy, such as isolating the system from network access while leaving a port open so the console can force a reinstall of the disabled agent. In other configurations, the management console determines the action to take upon receiving an alert from the system. Both mechanisms can reduce the number of support calls needed to remedy the effects of agent removal and shorten the time the system remains vulnerable.
The following table summarizes the features and functionality utilized in this use case that are provided by Intel AMT or enabled by Intel AMT in third-party software:
| Feature | Functionality |
|---|---|
| Agent presence services in host OS environment | Polls systems for presence of management software agent |
In addition, the following functionality is performed by third-party management applications:
Intel AMT provides local, hardware-based protection of client agents, which greatly reduces a user's or malware's ability to circumvent the protection. This mechanism also lessens the network traffic and server utilization needed to poll centrally for agent presence, because no central polling software or infrastructure is required. To reduce the chance of malware masquerading as the agent, certificate-based security may be used to verify the identity of the agent when it registers and at each agent-presence check.
Fewer support calls are required to remedy the effects of agent disabling or misconfiguration, since the reinstall of the agent may be automatic based on company policy. The organization also obtains user productivity gains due to increased platform stability, reducing the chance of malware infections.
This use case enables IT organizations to save on support and productivity costs:
The components required to configure Agent Presence (AP) are as follows:
The management console (MC) application configures the Intel AMT device with the AP settings, such as agent watchdog creation and timeout actions, along with any related System Defense policies that are required.
During initialization, the software agent registers with the local Intel AMT device, providing the required security credentials. Once registered, the software agent sends heartbeat signals to the Intel AMT device indicating it is still active. If the Intel AMT device does not receive the heartbeat signal from the local software agent within the heartbeat interval timeout period, the AP actions are triggered.
The following steps are required in order to create an Agent Watchdog:
| Step | API Call | Description |
|---|---|---|
| 1 | ConsoleWatchdogCreate() | Creates an Agent Presence watchdog for an agent. The function specifies: |
| 2 | ConsoleWatchdogSetCbPolicy() | Optionally called by the remote management application to define a System Defense policy that is enabled or disabled when the agent state changes. |
| 3 | ConsoleWatchdogSetActions() | Called by the MC to specify a set of watchdog actions (a state transition table). Each action specifies what happens when the agent state changes from a specific state to a specific new state. |
| 4 | | The foregoing calls create an Agent Presence watchdog timer, associate a timeout event with it within the Intel AMT device, and start the countdown timer. |
| 5 | | When the agent state changes, the Intel AMT device executes the actions defined for that state change. State changes can occur when: the agent registers with the Intel AMT device from the local host using AgentWatchdogRegister(); the agent sends a heartbeat using AgentWatchdogHeartbeat(); the timer expires because the agent has not registered or has not sent a heartbeat; or the agent reports shutdown using AgentWatchdogShutdown(). |
Note: See the “System Defense Feature and Agent Presence Overview.pdf” or the “Intel® AMT Network Interface Guide.pdf” documents located in the Intel AMT SDK for further details.
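The following C program is an added illustration of the watchdog life cycle described in the steps above (create, attach a state transition table, register, heartbeat, expiry, shutdown, reinstall). It is not Intel SDK code: it simulates the firmware-side logic in a single process so the transition table and the timeout semantics can be observed. The state names, the action bitmask, the function names (`wd_create`, `wd_set_action`, `wd_agent_register`, `wd_agent_heartbeat`, `wd_agent_shutdown`, `wd_tick`) and the simple string identity check standing in for certificate-based agent identity are all assumptions made for this example; the real SDK calls listed in the table have different signatures.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Agent states tracked by the simulated watchdog (hypothetical names for this example). */
typedef enum {
    AGENT_NOT_STARTED = 0,
    AGENT_RUNNING,
    AGENT_EXPIRED,
    AGENT_STOPPED,
    AGENT_STATE_COUNT
} agent_state_t;

/* Actions attached to a state transition; combinable as a bitmask. */
enum {
    ACT_NONE      = 0,
    ACT_ALERT     = 1 << 0,  /* notify the management console */
    ACT_ISOLATE   = 1 << 1,  /* apply the System Defense isolation policy */
    ACT_UNISOLATE = 1 << 2   /* lift the isolation policy */
};

typedef struct {
    char     expected_agent[32];  /* identity the agent must present (stand-in for a certificate) */
    uint32_t heartbeat_timeout;   /* seconds the agent may stay silent before expiry */
    uint32_t last_heartbeat;      /* timestamp of the last register/heartbeat call */
    agent_state_t state;
    unsigned actions[AGENT_STATE_COUNT][AGENT_STATE_COUNT]; /* [from][to] -> action bitmask */
    int alerts_sent;
    int network_isolated;
} watchdog_t;

/* Step 1 analogue (ConsoleWatchdogCreate): create the watchdog with its timeout. */
void wd_create(watchdog_t *wd, uint32_t timeout_seconds, const char *agent_id) {
    memset(wd, 0, sizeof *wd);
    wd->heartbeat_timeout = timeout_seconds;
    snprintf(wd->expected_agent, sizeof wd->expected_agent, "%s", agent_id);
    wd->state = AGENT_NOT_STARTED;
}

/* Step 3 analogue (ConsoleWatchdogSetActions): one entry of the state transition table. */
void wd_set_action(watchdog_t *wd, agent_state_t from, agent_state_t to, unsigned actions) {
    wd->actions[from][to] = actions;
}

/* Move to a new state and run the actions configured for that exact transition. */
static void wd_transition(watchdog_t *wd, agent_state_t to) {
    unsigned acts = wd->actions[wd->state][to];
    if (acts & ACT_ALERT)     wd->alerts_sent++;
    if (acts & ACT_ISOLATE)   wd->network_isolated = 1;
    if (acts & ACT_UNISOLATE) wd->network_isolated = 0;
    wd->state = to;
}

/* Identity check on every local call; calls with a wrong identity are ignored. */
static int wd_identity_ok(const watchdog_t *wd, const char *agent_id) {
    return strcmp(wd->expected_agent, agent_id) == 0;
}

/* AgentWatchdogRegister analogue: starts (or restarts) the countdown. Returns 1 if accepted. */
int wd_agent_register(watchdog_t *wd, const char *agent_id, uint32_t now) {
    if (!wd_identity_ok(wd, agent_id)) return 0;
    wd->last_heartbeat = now;
    wd_transition(wd, AGENT_RUNNING);
    return 1;
}

/* AgentWatchdogHeartbeat analogue: only a registered, running agent with the right identity resets the timer. */
int wd_agent_heartbeat(watchdog_t *wd, const char *agent_id, uint32_t now) {
    if (!wd_identity_ok(wd, agent_id) || wd->state != AGENT_RUNNING) return 0;
    wd->last_heartbeat = now;
    return 1;
}

/* AgentWatchdogShutdown analogue: an orderly stop is a distinct transition from expiry. */
int wd_agent_shutdown(watchdog_t *wd, const char *agent_id) {
    if (!wd_identity_ok(wd, agent_id)) return 0;
    wd_transition(wd, AGENT_STOPPED);
    return 1;
}

/* Firmware timer check. Returns 1 if the watchdog expired on this tick. */
int wd_tick(watchdog_t *wd, uint32_t now) {
    if (wd->state == AGENT_RUNNING && now - wd->last_heartbeat > wd->heartbeat_timeout) {
        wd_transition(wd, AGENT_EXPIRED);
        return 1;
    }
    return 0;
}

/* Scenario from the text: the agent is killed, the platform is isolated, then the agent is reinstalled. */
int main(void) {
    watchdog_t wd;
    wd_create(&wd, 10, "endpoint-agent");
    wd_set_action(&wd, AGENT_RUNNING, AGENT_EXPIRED, ACT_ALERT | ACT_ISOLATE);
    wd_set_action(&wd, AGENT_EXPIRED, AGENT_RUNNING, ACT_ALERT | ACT_UNISOLATE);

    wd_agent_register(&wd, "endpoint-agent", 0);
    wd_agent_heartbeat(&wd, "endpoint-agent", 5);
    wd_agent_heartbeat(&wd, "malware-impostor", 12);   /* rejected: wrong identity */
    wd_tick(&wd, 16);                                  /* 11 s of silence: expired, isolated */
    printf("state=%d isolated=%d alerts=%d\n", wd.state, wd.network_isolated, wd.alerts_sent);
    wd_agent_register(&wd, "endpoint-agent", 30);      /* console forced a reinstall */
    printf("state=%d isolated=%d alerts=%d\n", wd.state, wd.network_isolated, wd.alerts_sent);
    return 0;
}
```

Two details are worth noting. First, the transition table is keyed on the pair (from, to), so the same destination state can carry different actions depending on where the agent came from; here expiry isolates the platform, but an orderly shutdown does not. Second, an impostor heartbeat with the wrong identity does not reset the timer, which is the property the certificate-based identity check described above is meant to provide.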
The following assumptions underlie the analysis in this use case:
RESOURCES: