11
White Paper: The All New 2010 Intel® Core™ vPro™ Processor Family: Intelligence that Adapts to Your Needs
Robust security schemes for remote communication
The hardware-based communication and manageability capabilities
are secured through a variety of robust methodologies, technologies,
and schemes. These include:
• Transport Layer Security (TLS).
• HTTP authentication.
• Enterprise-level authentication using Microsoft Active Directory*
(Kerberos).
• Access control lists (ACLs).
• Digital firmware signing.
• Other advanced methodologies and technologies (refer to the
Intel® vPro™ Technology Expert Center at communities.intel.com/
docs/DOC-1370).
The security measures built into laptop and desktop PCs with a new
Intel Core vPro processor can be active even when the PC is off, soft-
ware agents have been disabled, or the OS is unresponsive. These
measures help ensure the security of stored information and the
confidentiality and authentication of the communication channel
and hardware-based capabilities.
Better protection through smarter security
Security remains one of the highest priorities for IT. The number of
security incidents has grown dramatically each year and the nature
of these threats has changed as the motivations of attackers have
shifted from bragging rights to financial gain. The cost of a data breach
is also rising. A recent survey of 43 companies in 2008 found that the
average cost of a lost or stolen laptop is $49,000.
22
The all new 2010 Intel Core vPro processor family can make it easier
to protect data and assets. Once Intel vPro technology is activated,
IT can take advantage of intelligent new security features, such as
hardware-based PC disable and full manageability for encrypted PCs.
For example, IT can use programmable defense filters to automatically
guard against viruses and malicious attacks. When Intel AT is also acti-
vated, IT can use anti-theft triggers to help determine when a laptop
is in unauthorized hands, and lock down the machine to thwart data
breaches attempted by thieves. These features help IT secure laptop
and desktop PCs, both inside and outside the corporate network.
• Push updates down the wire, regardless of PC power state.
– Remotely and securely power up PCs from the IT console to prepare
them for patching.
– Automatically deploy more updates and critical patches off-hours or
when it won’t interrupt the user.
– Check a PC’s software version information, .DAT file information,
and other data stored in nonvolatile memory, and find out if
anything needs updating without waking up a PC.
– Reduce power consumption and lower energy bills by powering
down PCs during off-hours, while still maintaining remote access
for security updates.
• Intel Anti-Theft Technology (Intel AT), which includes programmable
triggers and “poison pill” features for identifying and responding –
locally or remotely – to loss or theft of the system. Intel AT allows IT
to disable access to data encryption keys and the PC at a hardware-
level, while still allowing rapid and remote reactivation. Intel AT must
be enabled (on) in order for IT to take advantage of these intelligent
security features.
• Programmable filtering of inbound and outbound network traffic.
• Isolation of systems that are suspected of being compromised –
even if they are out of band or outside the corporate firewall.
• Agent presence checking, with continuous, intelligent polling for
the presence of software agents, to help make sure security remains
in place. IT can also use this capability to reduce unauthorized applica-
tion usage by up to 100%.
23
• Alerting from inside and outside the corporate network, such
as for agent presence checking and inbound/outbound filtering of
threats even if the OS is inoperable, software agents are missing,
or a hard drive has failed or been removed.
• Dedicated memory, which better protects critical system information
(such as hardware-based encryption keys) from viruses, worms, and
other threats. An authorized IT technician can remotely access this
protected memory to identify system ID, firmware version number,
and other system information – even if PC power is off, the OS is
unavailable, or hardware (such as a hard drive) has failed.
• Manageability of PCs with encrypted hard drives, to remotely
unlock encrypted drives that require pre-boot authentication, even
when the OS is unavailable (for example, if the OS is inoperable
or software agents are missing). Remotely manage data security
settings even when PC is powered down.
• Out-of-band management even in secure environments, such as
802.1x, PXE, Cisco SDN*, and Microsoft NAP* environments.
• Hardware acceleration for AES-NI encryption, to off-load some
of the performance burden of encryption from the processor.
8
• Intel® Trusted Execution Technology
19
(Intel® TXT), which uses
a hardware-rooted process to establish a root of trust, allowing soft-
ware to build a chain of trust from the “bare-metal” hardware
to a fully functional VMM. Intel TXT also protects secrets (security
credentials) during power transitions. For more information about
Intel TXT, visit www.intel.com/technology/security.
• Hardware-assisted virtualization to help secure PCs and support
emerging use models, including multiple images, shared PCs, legacy
OS support (such as for Windows XP mode in Windows 7), application
and OS streaming, and virtual “containers.”
Note: IT can take advantage of hardware-assisted Intel® Virtualization
Technology (Intel® VT) to improve performance for users running a
legacy OS (for example, Windows* XP) in Windows 7.