Friday, December 21, 2012

Intel Active Management Technology - AMT

Intel Active Management Technology (AMT) is hardware-based technology for remotely managing and securing PCs out-of-band. Currently, Intel AMT is available in desktop PCs with Intel Core 2 processor with Intel vPro technology and available in laptop PCs with Centrino or Centrino 2 platform with vPro technology.

Intel AMT is hardware and firmware technology that builds certain functionality into business PCs in order to monitor, maintain, update, upgrade, and repair PCs. Intel AMT is part of the Intel Management Engine, which is built into PCs with Intel vPro technology. Intel AMT is designed into a secondary (service) processor located on the motherboard.

AMT is not intended to be used by itself; it is intended to be used with a software management application.[1] It gives a management application (and thus the system administrator who uses it) better access to the PC down the wire, in order to remotely and securely perform tasks that are difficult or sometimes impossible when working on a PC that does not have remote functionality built into it.


Hardware-based management and software-based management

Hardware-based (or out-of-band) management is different from software-based (or in-band) management and from software management agents. Hardware-based management works at a different level than software applications and uses a communication channel (through the firmware's own TCP/IP stack) that is separate from software-based communication (which goes through the software stack in the operating system). Hardware-based management does not depend on the presence of an OS or a locally installed management agent.

DHCP, BOOTP, WOL vs Intel AMT hardware-based management

Hardware-based management has been available on Intel/AMD based computers in the past, but it has largely been limited to auto-configuration using DHCP or BOOTP for dynamic IP allocation and diskless workstations, as well as Wake-on-LAN (WOL) for remotely powering on systems.

Intel AMT features


Intel AMT includes hardware-based remote management, security, power-management, and remote-configuration features. These features allow an IT technician to access an AMT-equipped PC remotely.

Intel AMT relies on a hardware-based out-of-band (OOB) communication channel that operates below the OS level; the channel is independent of the state of the OS (present, missing, corrupted, down). The communication channel is also independent of the PC's power state, the presence of a management agent, and the state of many hardware components (such as hard disk drives and memory).

Most AMT features are available OOB, regardless of PC power state. Other features require the PC to be powered up (such as console redirection via serial over LAN (SOL), agent presence checking, and network traffic filtering).[1] Intel AMT has remote power-up capability.

Hardware-based features can be combined with scripting to automate maintenance and service.

Hardware-based AMT features in laptop and desktop PCs

Hardware-based AMT features include:
  • Encrypted, remote communication channel for network traffic between the IT console and Intel AMT.
  • Ability for a wired PC (physically connected to the network) outside the company's firewall on an open LAN to establish a secure communication tunnel (via AMT) back to the IT console. Examples of an open LAN include a wired laptop at home or at an SMB site that does not have a proxy server.
  • Remote power up / power down / power cycle through encrypted WOL.
  • Remote boot, via integrated device electronics redirect (IDE-R).
  • Console redirection, via serial over LAN (SOL).
  • Keyboard, video, mouse (KVM) over network.
  • Hardware-based filters that inspect packet headers of inbound and outbound network traffic for known threats (based on programmable timers) and for known / unknown threats based on time-based heuristics. Laptops and desktop PCs have packet-header filters; desktop PCs additionally have time-based filters.
  • Isolation circuitry (previously and unofficially called "circuit breaker" by Intel) to port-block, rate-limit, or fully isolate a PC that might be compromised or infected.
  • Agent presence checking, via hardware-based, policy-based programmable timers. A "miss" generates an event; you can specify that the event generate an alert.
  • OOB alerting.
  • Persistent event log, stored in protected memory (not on the hard drive).
  • Access (preboot) the PC's universal unique identifier (UUID).
  • Access (preboot) to hardware asset information, such as a component's manufacturer and model, which is updated every time the system goes through power-on self-test (POST).
  • Access (preboot) to the third-party data store (TPDS), a protected memory area that software vendors can use to store version information, .DAT files, and other information.
  • Remote configuration options, including certificate-based zero-touch remote configuration, USB key configuration (light-touch), and manual configuration.
  • Protected Audio/Video Pathway for playback protection of DRM-protected media.
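The list above describes AMT's remote-configuration options and its encrypted channel; the first thing a defender needs is an inventory of which hosts actually expose an AMT interface and whether the plain-HTTP listener is reachable. The following example is added here and is not part of the original post or of Intel's own tooling. It assumes the well-known AMT web/WS-Management ports (16992 plain HTTP, 16993 TLS) and an AMT-style `Server:` header; the sample reply is constructed for the offline demonstration.

```python
"""Fleet inventory: detect an Intel AMT listener and rate its transport (added example)."""
import re
import socket

AMT_PORTS = {16992: "http", 16993: "https"}  # AMT web/WS-Management listeners (plain and TLS)
_SERVER_RE = re.compile(rb"^Server:\s*Intel\(R\) Active Management Technology\s*([\d.]+)?",
                        re.IGNORECASE | re.MULTILINE)
_REALM_RE = re.compile(rb'realm="([^"]*)"')

# Constructed sample, modelled on the headers an AMT listener returns for an unauthenticated GET.
SAMPLE_AMT_REPLY = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b'WWW-Authenticate: Digest realm="Digest:0123456789ABCDEF0123456789ABCDEF", '
    b'nonce="abcdef", stale="false", qop="auth"\r\n'
    b"Server: Intel(R) Active Management Technology 7.1.91\r\n"
    b"Content-Length: 0\r\n\r\n"
)

def parse_amt_banner(raw: bytes) -> dict:
    """Classify the first HTTP response: is it AMT, which firmware version, which digest realm."""
    head = raw.split(b"\r\n\r\n", 1)[0]          # headers only
    m = _SERVER_RE.search(head)
    if not m:
        return {"amt": False, "version": None, "realm": None}
    realm = _REALM_RE.search(head)
    return {"amt": True,
            "version": m.group(1).decode() if m.group(1) else None,
            "realm": realm.group(1).decode(errors="replace") if realm else None}

def assess(result: dict, port: int) -> str:
    """Turn a parsed banner into an inventory finding for the given port."""
    if not result["amt"]:
        return "no-amt"
    return "amt-tls" if AMT_PORTS.get(port) == "https" else "amt-plain-http"

def probe_amt(host: str, port: int = 16992, timeout: float = 3.0) -> dict:
    """Send a minimal GET to the plain AMT port of a host you administer and classify the reply.
    Port 16993 needs a TLS handshake and is not probed by this helper."""
    req = f"GET /index.htm HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    buf = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(req)
            while b"\r\n\r\n" not in buf:
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
    except OSError as exc:                        # closed port, timeout, refused
        return {"host": host, "port": port, "finding": "unreachable", "error": str(exc)}
    result = parse_amt_banner(buf)
    return {"host": host, "port": port, "finding": assess(result, port), **result}
```

A finding of `amt-plain-http` on a host means the management interface answers without TLS, which is the case to reconcile against the configuration (TLS on 16993, access restricted to the management console) described in the list above.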

Intel® Active Management Technology Overview (pdf file)


Intel AMT Release 2.0 is a component of the Intel® vPro workstation platform. It uses a number of elements in the Intel vPro platform architecture. Figure 1 (not reproduced here) shows the relationship between these elements.

The Intel AMT functionality is contained in the firmware (ME FW).
• The firmware image is stored in the Flash memory.
• The Intel AMT capability is enabled using the Intel® Management Engine (Intel® ME) BIOS extension as implemented by an OEM platform provider. A remote application performs enterprise setup and configuration.
• On power-up, the firmware image is copied into Double Data Rate (DDR) random-access memory (RAM).
• The firmware executes on the Intel ME processor and uses a small portion of the DDR RAM (slot 0) for storage during execution. RAM slot 0 must be populated and powered on for the firmware to run.



Intel AMT stores the following information in the Flash (ME Data):
• OEM-configurable parameters
• Setup and configuration parameters such as passwords, network configuration, certificates, and access control lists (ACLs)
• Other configuration information, such as lists of alerts and System Defense policies
• The hardware configuration captured by the BIOS at startup

Intel AMT Release 2.5 Architecture

Intel AMT Release 2.5 extends active management to enterprise wireless mobile computing. As shown in Figure 2 (not reproduced here), the architecture has a mobile version of ICH8, the Crestline MCH and a wireless NIC.

Sources: http://en.wikipedia.org/wiki/Intel_Active_Management_Technology
http://software.intel.com/sites/default/files/m/2/3/8/9/c/17992-intel_amt_overview.pdf
