Solution: Improve Networked PC Security with Intel® vPro™ Processor Technology

Preface Intel has developed a series of unique solutions designed to show you how to combine Intel®-based ingredients to create new technology solutions for common business challenges. These solutions are backed by top-quality Intel® technology and support. This solution recipe explains how security for networked PCs can be improved with Intel® vPro™ processor technology and a suite of highly-regarded third-party software and hardware components. When you are ready to deploy this recipe, please refer to the related Configuration Guide, which includes step-by-step instructions for deploying this solution. You can find the guide by visiting: www.intel.com/reseller/vpro

Common Notations and Terms

Trusted Platform Module (TPM): Found on Intel® vPro™ processor technology platforms, the TPM is a microcontroller that stores keys, passwords, and digital certificates for applications such as e-mail and secure Web access.

Trusted Computing Group (TCG): A not-for-profit organization formed to develop, define, and promote open standards for hardware-enabled, trusted computing and security technologies. Their goal: to help users protect their information assets (for example, data, passwords, keys).

Virtual Private Network (VPN): A private communications network used within a company to communicate securely over a public network (Internet).

Table of Contents

Solution Overview 2
Key Technology 3
Solution Benefits 5
Solution Recipe 7
Solution Support 9

Solution: Improve Networked PC Security with Intel® vPro™ Processor Technology | Page 1

Solution Overview

In response to growing security threats, many businesses are looking for ways to take their security systems to the next level. For example, some banks are considering requiring their online banking customers to use biometric identification to access their accounts. More and more, government institutions are using digital signing technology for areas such as recording signatures to authorize an executive or judicial order, or for filing citizen and business tax returns.

Yet, for many small- and medium-sized businesses, building a more secure network can be challenging. With a number of different products on the market, which ones do you choose to perform different security tasks? And will they all work smoothly together on your system? It can be a difficult, time-consuming task. But PCs equipped with Intel® vPro™ processor technology, together with powerful third-party software and hardware components, provide a complete solution that is optimized and validated for use with high-performance Intel® Core™ 2 Duo processors.

Every business, regardless of network size, should have a security plan that defines appropriate user behavior and identifies necessary security procedures.

Access rights. A business has three options regarding trust and its network: 1) trust everyone all the time; 2) trust no one at any time; 3) trust some people, some of the time. The third option is the most commonly used in business.

Remote access. Use antivirus and firewall protection on the computing devices and create a secure VPN connection for remote users.

Information protection. Outline guidelines for processing, storing, and transmitting your business-sensitive IT assets.

Virus prevention. Reduce exposure to viruses with security software and user education. Provide users with a primer on safe computing practices.

Password use. Require passwords of at least eight alphanumeric characters, changed regularly, or add biometric-based user authentication.

Backup and recovery. Ensure continuous data backup; create a plan for data recovery.

Key Technology

This solution recipe combines a carefully chosen set of software and hardware components that deliver a complete security solution. These components have been tested and validated to work together.

Hardware platform. Security applications consume a great deal of a PC's processor cycles monitoring the flow of bits. But with powerful new Intel® Core™ 2 Duo processors, Intel® vPro™ processor technology delivers a significant increase in computing power over previous Intel technology, and that means better performance for end-user applications.

Trusted Platform Module (TPM). This microcontroller stores keys, passwords, and digital certificates. Built into the motherboard, the TPM provides secure storage and key generation capabilities, so it can be used to create and/or store both user and platform identity credentials for use in authentication. Critical applications and capabilities such as secure e-mail, secure Web access, and local protection of data are made much more secure using a TPM.

TPM management. Key products offer tools to address TPM management. For example, Wave Systems EMBASSY Trust Suite 6.0* can help IT manage TPM security settings, and provides strong authentication tools, robust password management, and TPM key archive capabilities.

Anti-virus. Applications like McAfee VirusScan Enterprise 8.5* can be included on end-user PCs, and Symantec Antivirus 10.0* on servers, to automate detection of viruses, worms, Trojan horses, spyware, and adware.

Firewall. Keep hackers out and control inbound and outbound traffic with Microsoft Windows Vista* security software.

Virtual Private Network (VPN). VPN client software allows end-user PCs remote access to the company network. NETGEAR ProSafe VPN Firewall* hardware is available for strong encryption and authentication and for setting up the VPN tunnels into the corporate network.

Biometrics. An optional USB biometric fingerprint reader can add a further layer of security for end users. The USB Biometric Fingerprint Reader from APC* is one example, and provides a simple way to manage passwords: with this device, the user's fingerprint becomes the password. Keep in mind that a fingerprint is an identifier rather than a secret and cannot be changed if it is ever copied, so it works best as an additional factor alongside a password or TPM-held credential rather than as the only one.


Filtering Threats and Isolating PCs

Software-only security solutions can be useful. But they also can be tampered with or disabled by hackers, viruses, or even end users themselves. Once the network is compromised, it is difficult for IT to make repairs, or even locate the PC if its management agents have been disabled.

Intel® vPro™ processor technology enables third-party security software to identify threats before they reach the operating system, isolate compromised PCs more quickly, and detect when security agents have stopped running.

Hardware filtering of data traffic. Programmable hardware-based filters examine inbound and outbound network traffic to identify threats. When a filter detects a problem, a hardware-based "switch" can automatically disconnect the computer's operating system from the network to contain the threat more quickly. In this case only the network communications are shut down. Other applications, such as word processing or spreadsheets, are still available to the end user, minimizing the impact on productivity.

Security agent "heartbeat" checking. PCs with Intel® vPro™ processor technology use a regular, programmable "heartbeat" presence check for third-party security agents. This technology uses a watchdog timer: the security software checks in with the computer's management engine at a programmable interval (for example, once per second), confirming that the security agent is still active. If an agent hasn't checked in before the timer goes off, the computer presumes the agent has been removed, tampered with, or disabled. The management engine then logs an alert and notifies the IT console. Note that a heartbeat establishes that the agent is present, not that it is intact; an attacker who replaces the agent with something that keeps checking in will not trigger the timer.

Non-volatile memory and Intel® Virtualization Technology (Intel® VT). Even if a threat does get past the other defenses, IT has access to a persistent memory where critical information can be protected. With Intel® VT, IT can also use self-contained, dedicated virtual environments to isolate and manage applications and data in the user partition. Creating separate partitions for the security application and end-user applications also keeps the end user from gaining access to crucial security controls, such as firewall settings.

Because PCs with Intel® vPro™ processor technology have the ability to automatically sense threats and then isolate themselves from the rest of the network, they are much less likely to infect other PCs on the network.
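As an added illustration (this is not Intel firmware, nor code from any vendor named on this page), the following Python model shows the two mechanisms just described working together: the agent-presence watchdog and a rate-based outbound traffic filter wired to an isolation "switch". The agent name, thresholds, addresses, the 60-address sweep and the management-console log are assumptions constructed for the example, and time is a simulated clock in milliseconds rather than wall-clock time.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Alert:
    time_ms: int     # simulated clock, milliseconds
    kind: str        # "agent_missing" or "filter_tripped"
    detail: str


class AgentWatchdog:
    """Management-engine side of the heartbeat: the agent must check in at
    least once per `timeout_ms`, otherwise it is presumed disabled."""

    def __init__(self, agent_name, timeout_ms=1000):
        self.agent_name = agent_name
        self.timeout_ms = timeout_ms
        self.last_checkin = 0
        self.tripped = False

    def checkin(self, now_ms):
        """Agent side: reset the timer. Proves presence, not integrity."""
        self.last_checkin = now_ms

    def poll(self, now_ms):
        """Timer tick. Returns an Alert the first time the deadline is missed."""
        if self.tripped or now_ms - self.last_checkin <= self.timeout_ms:
            return None
        self.tripped = True
        return Alert(now_ms, "agent_missing",
                     f"{self.agent_name} silent for {now_ms - self.last_checkin} ms")


class OutboundRateFilter:
    """Trips when the OS talks to more than `max_hosts` distinct destinations
    inside any sliding `window_ms` (the fan-out pattern of a scanning worm)."""

    def __init__(self, max_hosts=20, window_ms=1000):
        self.max_hosts = max_hosts
        self.window_ms = window_ms
        self.events = deque()      # (time_ms, destination), oldest first

    def observe(self, now_ms, dst):
        self.events.append((now_ms, dst))
        while now_ms - self.events[0][0] > self.window_ms:   # expire old entries
            self.events.popleft()
        return len({d for _, d in self.events}) > self.max_hosts


@dataclass
class Host:
    """Host OS network path plus the separate management-engine channel."""
    name: str
    watchdog: AgentWatchdog
    rate_filter: OutboundRateFilter
    isolated: bool = False
    dropped: int = 0
    console_log: list = field(default_factory=list)   # delivered out of band

    def send(self, now_ms, dst):
        """Outbound packet from the host OS; returns True if it left the NIC."""
        if not self.isolated and self.rate_filter.observe(now_ms, dst):
            self.isolated = True           # open the hardware "switch"
            self.console_log.append(Alert(now_ms, "filter_tripped",
                                          f"{self.name} isolated after burst to {dst}"))
        if self.isolated:
            self.dropped += 1              # OS traffic goes nowhere; local apps unaffected
            return False
        return True

    def tick(self, now_ms):
        """Management-engine timer; runs whether or not the OS is healthy."""
        alert = self.watchdog.poll(now_ms)
        if alert:
            self.console_log.append(alert)


def run_scenario():
    """Constructed scenario: 3 s of healthy heartbeats, the agent is killed,
    then malware sweeps 60 addresses. Returns what the IT console saw."""
    host = Host("pc-17", AgentWatchdog("av-agent", timeout_ms=1000),
                OutboundRateFilter(max_hosts=20, window_ms=1000))
    for t in range(0, 3000, 100):          # agent alive: check-in every 100 ms
        host.watchdog.checkin(t)
        host.tick(t)
    for t in range(3100, 5000, 100):       # agent gone; the ME keeps ticking
        host.tick(t)
    forwarded = 0
    for i in range(1, 61):                 # scan 10.1.1.1 .. 10.1.1.60, 10 ms apart
        if host.send(5000 + 10 * i, f"10.1.1.{i}"):
            forwarded += 1
    return {
        "alerts": [(a.kind, a.time_ms) for a in host.console_log],
        "isolated": host.isolated,
        "forwarded_before_isolation": forwarded,
        "dropped": host.dropped,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two caveats follow from the model. The heartbeat proves that something is checking in, not that it is the genuine agent: a replaced or hollowed agent that keeps calling checkin() passes, so the watchdog complements measured boot and signed agent binaries rather than replacing them. And a distinct-destination rate filter will also trip on legitimate bursts (a backup job, an inventory sweep by the IT console itself), so thresholds need tuning per role and the management path must stay outside the filtered OS path, as it does here.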

And all of these security measures can be executed by IT even if the system power is off or the operating system is unavailable, because the management engine runs independently of the host operating system.

3 Layers of Defense (figure)

User OS/environment:
1. Hardware filtering of data traffic: examines network traffic and cuts off the network data path when a threat is recognized.
2. Security agent "heartbeat" checking: security agents check traffic for threats, while hardware "heartbeats" verify that those agents remain active.
3. Non-volatile memory and Intel® Virtualization Technology: a hardware-based virtual OS isolates critical applications and information from unauthorized access.

Server based on Intel® Xeon® processor 5000 sequence:
• Intel® Dual-Core Xeon® Processor 5000 sequence with Intel® 5000P/V chipset
• 1000Base-T LAN capable
• Additional hardware: Intel Dialog A/C OR Digium A/C
• Software: RedHat Enterprise Linux 4; LanDesk Management Suite OR SyAM Management Server


Solution Benefits

Benefits for Intel® Channel Partner Program Members

Offer an All-in-One Package
Small- to medium-sized businesses are looking for comprehensive security solutions. This need presents channel members with an excellent opportunity to offer a complete, all-in-one package security solution, one that reduces vulnerabilities and security risks for customers.

An Attractive Price-point
Intel® vPro™ processor technology, with powerful new Intel® Core™ 2 Duo processors and Intel® VT, is a remarkably robust and reliable hardware option. It is priced accordingly, offering channel members a more attractive margin. In addition, components such as the Trusted Platform Module (TPM) can be added to customers' systems, creating an additional revenue opportunity that addresses the specific security requirements at that installation.

Ongoing IT Service
Beyond that, some channel members may even wish to go as far as offering their customers ongoing IT service. With new remote management capabilities, including the ability to perform security tasks on PCs that may not have power or a functional operating system, channel members now have a cost-effective way of becoming IT contractors for their customers.


Solution Benefits for Your Customers

Today's banks, government agencies, educational institutions, and businesses need the ability to quickly recognize potential technological threats, then contain and neutralize them. PCs equipped with Intel® vPro™ processor technology offer those capabilities.

Proactive Intrusion Protection
Hardware-based filters monitor network traffic to identify threats and can automatically disconnect the computer's operating system from the network if there is a problem. PCs with Intel® vPro™ processor technology also monitor security agents and detect when they stop running. If one of the agents goes missing, the management engine logs an alert and notifies the IT console.

Control User Access to Critical Areas
Intel® VT allows IT to create separate partitions for security and end-user applications. This prevents end users from accidentally disabling anti-virus software or firewalls. If the system does find a problem, the PC is quarantined in its own partition so that it doesn't contaminate other PCs on the network.

Improved Authentication
Advanced techniques such as TPM and biometric fingerprint readers help ensure that only authorized personnel have access to specific data and restricted areas of the network.

Higher Performance
Powerful Intel® Core™ 2 Duo processors and Intel® Core™ microarchitecture have significantly improved performance, so virus scans, software upgrades, back-ups, and other security tasks can be run in the background without slowing down end-user workflow.

Creating a hassle-free, all-in-one security solution like this could be complicated and time-consuming. But with Intel® vPro™ processor technology, all of the decision making, testing, and optimizing has already been done. That means you can get a complete solution and be comfortable knowing that it will function smoothly.


Solution Recipe

Intel® vPro™ processor technology offers you an opportunity to upgrade your network security to a significantly higher level. To help you with this process, Intel has developed a Solution Configuration Guide (visit: www.intel.com/reseller/vpro) that demonstrates how critical security concerns can be met with a complete solution.

System Architecture

Intel® vPro™ processor technology offers IT the ability to gain much greater control over desktop PC security, thanks to hardware-based security features. Driven by the powerful new Intel® Core™ 2 Duo processor, Intel® vPro™ processor technology delivers a significant increase in computing power over previous Intel technology. In addition, the solution couples highly-regarded third-party security software with Intel® VT, the Trusted Platform Module (TPM), VPN hardware firewalls, and an optional biometric fingerprint reader to create a significant improvement in security.

Software Architecture

By utilizing Intel® vPro™ processor technology, you can combine a more complete package of industry-leading security software to offer customers improved networked PC security with:
• Windows Vista* or Microsoft Windows XP* operating systems
• McAfee VirusScan Enterprise 8.5*
• NETGEAR ProSafe VPN* client software (remote access from PCs into the company network)
• Wave Systems EMBASSY Trust Suite 6.0* (helps IT manage TPM security settings and password management)


Components Necessary to Build
• PCs equipped with Intel® vPro™ processor technology and security software solutions (see Software Architecture)
• Integrated TPM (eliminates the need for external tokens)
• NETGEAR ProSafe VPN Firewall* hardware
• VPN tunnel for data encryption
• Servers with Intel® Xeon® processor 5000 sequence
• Wireless access point
• Broadband modem

Networked PC Security Solution (diagram): the Internet connects through a broadband modem to the VPN Firewall (supports up to 8 tunnels); behind it sit the servers with Intel® Xeon® processor 5000 sequence and the Intel® vPro™ processor technology-based PCs. Remote users connect over the Internet through their own broadband modem, and the VPN tunnel encrypts the data in transit.


Solution Support Intel has tested and verified the components in this security solution recipe. For your convenience, Intel has worked with several independent software, open source, and application vendors to streamline technical support for this solution. For more information on the third-party hardware and software products, please download the Solution Configuration Guide (www.intel.com/reseller/vpro) to obtain the specific list of vendors and contacts.


Intel, the Intel logo, Intel. Leap ahead. the Intel. Leap ahead. logo, Intel vPro, the vPro logo, Xeon, the Xeon logo, Intel Core and Core Inside are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. *Other names and brands may be claimed as the property of others. Copyright © 2007, Intel Corporation. Intel Literature Center: 1-800-548-4725 Order Number: XXXXXX-XXX US 1 Intel® Virtualization Technology requires a computer system with a processor, chipset, BIOS, virtual machine monitor (VMM) and for some uses, certain platform software enabled for it. Functionality, performance or other benefit will vary depending on hardware and software configurations. Intel Virtualization Technology-enabled BIOS and VMM applications are currently in development. Information in this document is provided in connection with Intel products. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted by this document. Except as provided in Intel’s terms and conditions of sale for such products, Intel assumes no liability whatsoever, and Intel disclaims any express or implied warranty, relating to sale and/or use of Intel products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right.