Solution: Improve PC Security and Reliability with Intel® Virtualization Technology

Preface

Intel has developed a series of unique solutions designed to show you how to combine Intel®-based ingredients to create new technology solutions for common business challenges. These solutions are backed by top-quality Intel® technology and support. This solution recipe illustrates how business productivity and PC security can be improved with Intel® Virtualization Technology (Intel® VT) — a hardware-based technology for enabling virtualization in the PC¹, featured on the Intel vPro processor technology platform with the revolutionary Intel® Core™2 Duo processor.

When you are ready to deploy this recipe, please refer to the related Solution Configuration Guide, which includes step-by-step instructions to deploy this solution. You can find the guide by visiting: www.intel.com/reseller/vpro

Table of Contents

Solution Overview
Key Technology
Solution Benefits
Solution Recipe
Solution Support

Common Notations and Terms

Virtualization: A virtualized computer can run multiple operating systems and applications on the same machine in independent partitions or “containers.” In other words, virtualization allows one computer to act as if it were several computers working in parallel.

Intel® Virtualization Technology (Intel® VT): This technology permits one hardware platform to function as multiple virtual platforms. It offers improved system manageability, which helps limit downtime and maintain worker productivity.

Virtual Machine Monitor (VMM): A layer of software that virtualizes a computer’s hardware resources (for example, CPU, memory, network interface) into multiple virtual machine environments.

1 “www.Intel.com,” ftp://download.intel.com/business/bss/products/client/digitaloffice/vt_desktopusage.pdf, May 30, 2006

Solution: Improve PC Security and Reliability with Intel® Virtualization Technology | Page 1

Solution Overview

Traditionally, virtualization has been purely software-based. But now, in PCs equipped with Intel® vPro™ processor technology and Intel VT, many virtualization capabilities are built directly into the hardware. This simplifies numerous computing processes for the virtualization software, resulting in more reliable and compatible virtualization solutions.

Software-only Virtualization

In software-only virtualization solutions, the Virtual Machine Monitor (VMM) controls physical resources so that it can manage the demands of multiple “guest” operating systems. To provide that level of control, the VMM runs in the space traditionally reserved for the operating system, and guest operating systems run in the space traditionally used for applications. Because the operating systems are not designed to run in this application environment, complex software workarounds are required for them to function reliably. This can create significant IT issues, including:

• Potential incompatibility with legacy operating systems, which increases testing and validation requirements when consolidating legacy applications onto new servers
• Increased likelihood of software conflicts due to the complexity of the VMM application
• Additional performance overhead necessary to handle the complex software workarounds
• Dependent VMM and operating system development, so the VMM vendor must continually adapt to operating system upgrades and patches (and vice-versa)
• Synchronized upgrades and patching in IT environments, which adds to complexity, expense, and risk


Intel® Virtualization Technology (Intel® VT)

With Intel® VT, you get hardware-based virtualization that works with compatible virtualization software. Together, they address the challenges faced by software-only solutions. Specifically, Intel® VT offers:

• A new, privileged space for the VMM that reduces the need for VMM intervention and allows guest operating systems to run directly on hardware
• Handoffs between the VMM and guest operating systems that are supported in hardware, reducing the need for complex, compute-intensive, time-consuming software transitions
• Hardware-based memory protection, in which processor-state information for the VMM and each guest operating system is retained in dedicated address spaces, accelerating transitions and helping to ensure process integrity

On PCs with Intel® vPro™ processor technology, Intel® VT gives you the ability to create and control numerous separate virtual machines. Each of these partitions can be isolated and controlled independently of the others, creating work areas for multiple users on one PC. Each of the partitions can also be quickly reconfigured, allowing IT to add, delete, or transfer resources to meet changing business needs. With this technology, IT can strengthen network security, improve manageability, and boost productivity—all at the same time.


Security

Businesses can isolate critical applications, such as accounting or Customer Relationship Management (CRM) software, from the rest of the system. If a vulnerable part of the system gets infected, such as the e-mail or Web browsing partition, it can be quarantined to prevent it from infecting other applications.

Manageability

Virtualization support lets you maintain full control of a portion of a PC to run security or management services in a dedicated space on the system. By housing the “management agents” in separate partitions, IT managers can monitor and manage these platforms without interrupting business operations. They can perform functions like hardware inventory management, provisioning, or diagnostics without interrupting the user.

Productivity

Creating different partitions for IT and end users allows for upgrades and patches without interrupting workflow. You can also run multiple operating systems and applications (for example, continue using older proprietary software, but use new office software) and test upgrades to software without interrupting end users.

Suggested Uses

Desktop PCs with Intel® vPro™ processor technology and Intel® VT are specifically designed to address top IT challenges in security, productivity, and manageability at the hardware level. A typical setup may include virtual machines for key applications such as:

• Isolation/Containment Partition: A separate partition to isolate and contain any virus infections that try to breach the network through a PC. Common sources include Web browsing, e-mail, and file sharing/downloads.
• Voice Over Internet Protocol (VoIP) Partition: Create a dedicated space to host an “always on” VoIP (Internet-based phone service).

[Figure: Business critical applications can be segregated to separate partitions to reduce risk. Labels: Web Browser; E-mail; VoIP Software; Other Office Applications; CRM, ERP, Accounting Applications; Operating System (three instances); Virtual machine manager; Intel® vPro™ processor technology-based PC.]


Key Technology

Intel® VT

Hardware-based virtualization technology that reduces the workload of virtualization software. This technology is optimized for Intel® Core™2 Duo desktop processors and provides more robust virtualization capabilities.

Intel® Core™2 Duo Desktop Processors

Powerful Intel® Core™2 Duo desktop processors offer a substantial upgrade in processing capacity at reduced power-consumption levels.

Microsoft Virtual PC 2007

Optimized for use with Intel® Core™2 Duo desktop processors, Microsoft Virtual PC 2007 helps deliver your virtualization experience. Benefits include helping to secure desktop data, enabling easier remote network access and consolidating multiple desktop environments onto one PC or server.


Solution Benefits

Benefits for Intel® Channel Partner Program Members

By offering desktops with Intel® vPro™ processor technology and Intel® VT, you can solidify your position as a vendor who offers complete solutions, not just products. The best part about offering Intel® VT is that almost any company or business function has a legitimate need for it.

Online Retail Sales

Do any of your customers carry out business online with credit cards? They will certainly want to keep that information secure.

Human Resources

How about your customer’s HR records? You don’t want everyone in the company to have access to that information, so a separate, secure, virtual partition would be a good solution.

Product Development

Companies such as software development firms would appreciate the ability to keep different operating system partitions, which would allow for easy testing of their products on different platforms (for example, Microsoft Windows*, Linux*).

Education

Schools could take advantage of the ability to run multiple operating systems and applications, broadening their offerings to students.

New Revenue Streams

With Intel® VT, you also open the possibility of creating new revenue streams by extending your service offerings to customers, such as providing remote management of virtual machines. You can gain remote access to a customer’s virtual machine, even when remote management capability isn’t provided by the particular operating system or application.

In addition, because you are able to create a dedicated service partition inside the customer’s server, you can run the service activities unnoticed and isolated from your customer’s end users.


Solution Benefits for Your Customers

Desktop PCs with Intel® vPro processor technology and Intel® VT provide simple remote management and tamper-resistant security capabilities. This means IT has more control where they need it—at the console—which delivers a number of key benefits:

Improved PC Security

Specific applications, such as e-mail or Web browsing, can be assigned to their own partition on PCs. These separate partitions create a way for IT to isolate viruses and other threats so that they don’t infect other PCs on the system. This translates to more server uptime and more productivity for end users.

End Users Isolated from Security Settings

IT functions can be placed on separate partitions from end-user applications. This limits access to key security tools, such as anti-virus and firewall settings, which could be turned off by end users, exposing the PCs on your network to viruses, worms, or other malicious attacks.

Fewer Service Interruptions

Automatic failover partitions provide an easy, cost-effective way to keep the system running. If an application fails, the system can automatically switch over to a parallel backup application, which limits downtime for end users.

Enhanced Manageability

Configuration of multiple partitions allows IT to isolate end-user system management agents, which otherwise might be vulnerable to end-user tampering. Separate partitions on a PC can also help improve manageability by providing the flexibility to migrate to newer operating systems while still making use of older operating system environments and applications.

Easier Migration to New Software

Many companies use custom software for areas such as human resources, logistics, or purchasing. When they migrate to a new operating system or office application, there is no need to immediately update all of the proprietary software. Instead, proprietary software can be assigned its own partition and continue to function as usual. In addition, new operating system platforms and office applications can run concurrently with old software. Then, when end users are proficient with the new software, the old software can be removed from the system, creating more space— all of which saves both time and money.


Solution Recipe

Software Architecture

Microsoft Virtual PC 2007 makes the operating system and applications run in a virtual machine environment. This makes these components hardware-independent (that is, hardware platform support is no longer required by these software components). The virtual machine can be provisioned to any Intel® vPro™ processor technology-based platform and it can manage multiple operating systems and applications as a single unit by encapsulating them into virtual machines.

System Architecture

The Intel vPro processor technology-based platforms, coupled with Microsoft Virtual PC 2007, are ideal for enabling small- and medium-sized businesses to consolidate multiple client platforms into one high-performance platform at a low cost. It is easy to set up the software, and built-in Intel VT helps it run efficiently on Intel vPro processor technology-based platforms.

Components Necessary to Build

• Intel® vPro™ processor technology-based platform with Intel® VT
• Windows Vista* Business and Microsoft Virtual PC* 2007 or
• Microsoft Windows XP* Pro SP2
• Guest operating system (OS)—VPC 2007*, Microsoft Windows NT* 4.0 Server, Red Hat Linux Desktop* 4 update 2, Ubuntu* 5.10

NOTE: The guest operating systems listed above are only a sampling of those that work with Intel® Virtualization Technology, not a complete list.


Solution Support

Intel has tested the components in this virtualization solution for PCs recipe. For your convenience, Intel has worked with several independent software vendors, open source vendors, and application vendors to streamline technical support for this solution. For more information on the third-party hardware and software products, please download the Solution Configuration Guide (www.intel.com/reseller/vpro) to obtain the specific list of vendors and contacts.


Intel, the Intel logo, Intel. Leap ahead. the Intel. Leap ahead. logo, Intel vPro, the vPro logo, Xeon, the Xeon logo, Intel Core and Core Inside are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. *Other names and brands may be claimed as the property of others. Copyright © 2007, Intel Corporation. Intel Literature Center: 1-800-548-4725 Order Number: XXXXXX-XXXUS

Information in this document is provided in connection with Intel® products. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted by this document. Except as provided in Intel’s terms and conditions of sale for such products, Intel assumes no liability whatsoever, and Intel disclaims any express or implied warranty, relating to sale and/or use of Intel products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right.