Newer vPro Sports More Security Features
August 21, 2008
SAN FRANCISCO -- Intel is preparing the second generation of its vPro remote management technology and is promising more goodies in the third generation, which will take advantage of new features and functionality in the new Nehalem family.
vPro is not found in any single component of a computer. It is a combination of processor technologies, hardware enhancements, management and security features for remote PC administration. It allows administrators to access a system regardless of the operating system or whether the computer is on or off.
There are a number of requirements to be classified as a vPro PC, although most of those features are standard these days. They include multi-core processors, Intel Active Management Technology (AMT), remote configuration technology for AMT, wired and wireless network connection, Intel Trusted Execution Technology (TXT) and Intel Virtualization Technology.
vPro is one of those Intel (NASDAQ: INTC) products you don't hear about much, but according to Andy Tryba, director of marketing for the Digital Office Products division, more than 60 percent of the Fortune 100 have deployed and use it.
The new version, due next month, will be for Penryn-based systems. It will be one more generation before vPro is found on Nehalem systems, and Intel has been fairly steady about releasing vPro updates around the September timeframe, said Tryba.
Among the upcoming features in vPro will be the ability to remotely manage an encrypted hard disk. Right now that's not possible, since the computer's user needed to enter the password to let the remote manager in. The next generation will allow for power up and remote management without a password.
Currently, vPro has Cisco's Network Admission Control (NAC) but plans to add Microsoft Network Access Protection (NAP) as well, for administering Windows systems from a Server 2008 console.
Security is also enhanced by storing keys and other strong encryption passwords in silicon, not software, since software is the most common target of attack. It's also possible to intercept a password when it is being used in software. So Intel moved it to a harder point to crack, the silicon.
A better kill switch
Intel also plans to update the remote kill switch, which lets an administrator disable or wipe a laptop that's lost or stolen. But that requires the thief or person who found the lost laptop to turn it on and connect it to the Internet. The new vPro will allow an administrator to toast a laptop's contents even if they don't turn it on. Just walk into range of a wireless Internet network and your laptop will get the signal to self-destruct.
Going forward, Tryba said Intel is looking at both the Nehalem and the MID space. Nehalem is logical as it will be a desktop and eventually server platform. MID, however, would be a new one. "That whole market has a lot of the same needs as the regular laptop market so it would make sense," he told InternetNews.com.
Nehalem laptops will feature Intel Antitheft Technology, which Intel first announced at the April IDF in Shanghai, China. Built on the Intel Manageability System, this system will lock the system and lock the disk drive, so people cannot get at the data.
It could even use a laptop's built-in Webcam to show the face of the thief, which Intel demonstrated in a comical fashion here at the Intel Developer Forum (IDF). Pat Gelsinger, senior vice president and general manager of the Digital Enterprise group, disguised himself during a second keynote and stole a laptop from the stage, only to be exposed as using it and sitting in the audience a few minutes later.
Another new market for vPro is consumer. They are getting a subset of remote power on technology in the form of Remote Wake, which will power on a computer. Tryba said it's most likely use would be for Internet telephony, since a lot of them go through a PC, and it would spare having to leave a computer on or turning it on to make and receive phone calls.
Did you know all of the cool things that can be done with the TPM on your vPro platform
As a leading developer of software for the TPM I thought it would be valuable to outline a number of cool solutions that can be enhanced with the TPM. TPM 1.2 is a part of the vPro platform and can dramatically enhance the security of any corporate infrastructure. With tens of millions of devices already in the market the tpm technology is in a position to help.
As full disclosure Wave Systems Corp. Builds tools for both client and central management of TPMs. We supply Intel’s motherboard group with software that is bundled for free with their motherboards and has been for the last few years. We are also Dell’s supplier and Gateway’s supplier of TPM software. Finally we support Seagate’s hardware full disk encrypting drives and we demonstrated support for Intel’s new Danbury technology at last weeks IDF. Wave is on the board of the Trusted computing group and we broadly and actively contribute to the specifications and the community.
Let me start with a simple list of things one can do!
Did you know that your TPMs Can support strong multifactor authentication to the Windows Domain
Can support Strong wireless networking using 802.1x (really 802.11i) for both machine authentication and/or user authentication
Can support 802.1x or IPSec for strong machine authentication (this is a very powerful addition for any NAC implementation including Cisco CNAC)
Can provide a common key management infrastructure for any application needing key services Allowing the enterprise to centralize their desktop key management. This works with Microsoft EFS, Third Party File and Folder encryption and other Signing applications
Can be used to harden integrity measurements in Nac solutions using Microsoft NAP or trusted computing group TNC specs
Can fully support Windows XP and Windows Vista Deployments
Can harden any MSCAPI compatible certificates
Ultimately all of this is done by Leveraging the TPM’s CSP (cryptographic Service Provider) This is how any application can talk to the TPM. The CSP is third party provided software and is supplied by Either Your OEM or a company like Wave and is typically free from the OEM.
Due to a variety of reasons the biggest first step is to turn the TPM on and take ownership. This is done in the BIOS. One the TPM is activated it will ask the user to take ownership and now the device is ready to be used. There are server products that enable central management of Ownership for the corporate customer. Every Enterprise should be turning on their TPMs and taking ownership.
To get a feel for this I have posted an implementation guide for a wireless hot spot on our web site at this will provide a good flavor as to what needs to be done. If you build this type of bench lab it will give you a good idea of how TPMs could be broadly used.
To long a post but Perhaps a good starting point for discussion.
Steven Sprague CEO
Wave Systems Corp.
Steve,
Does Wave integrate with IdM and provisioning products (other than Microsoft)? Does it support protocols like LDAP and RADIUS?
Where I can find this information?
If it's available, please send me this information at alex golod, Sr. Infrastructure Spec. at EDS
Taking Intel® vPro™ To the Streets
07 Jan 2008
EDS Introduces Intel® vPro™ Processor Technology To Its Clients If a computer fails in the woods and there's no one there to see it, is the screen still blue?
For companies that use personal computers (PCs) to operate machinery in remote locations, like lumberyards or oil fields, the question isn't just philosophical; it's reality. When a hard to reach PC goes down, it can take hours, even days, for a technician to get there and repair the machine.
But with vPro, the latest innovative technology EDS is working on with Global Alliance partner Intel, such a repair can be done remotely. Intel® vPro™ and Intel® Centrino® Pro processor technology incorporates remote management capabilities and virtualization technology into the hardware of a machine. So, when a PC crashes, no matter where it is located, a technician can fix the problem without leaving his desk.
This new technology incorporates never-before-available remote management capabilities and virtualization technology into the hardware of a machine. So, when a PC crashes, no matter where it is located, a technician can diagnose and potentially fix the problem without leaving his desk.
Having remote control over hardware can be a huge benefit to EDS and Intel clients. From easily fixing computer problems to greater energy efficiency, Intel vPro processor technology for desktop PCs and the notebook equivalent Intel Centrino Pro processor technology connect directly to business issues, including innovation, that EDS clients face every day.
“Depending on the client's business environments and issues, almost everyone we've talked to sees a different benefit [with Intel vPro processor technology],” said Jill Tillery, Intel alliance director for EDS.
For some, the main benefit is the energy cost savings that comes with the ability to more securely and reliably remotely power a PC on and off. Typically, companies run patches on PCs when there's downtime at night. Today, those PCs have to be left on overnight to be updated.
“They're burning a lot of electricity today to ensure that off-hour updates are successful,” Tillery said.
Since Intel began developing the technology more than three years ago, EDS has worked closely with the company from development to client demos to activations.
“At Intel, we're experts at building processors, but when it comes to management and security, we thought EDS would be great to work with because of their background in that space,” said Gary Kirtley, EDS alliance director for Intel.
“Together, we're bringing innovation to both EDS customers and Intel customers.”
Intel vPro processor technology is one innovative technology EDS is investing in for growth, which is an enterprise goal for EDS in 2007.
Demonstrating Intel vPro
When EDS demonstrated the new hardware capabilities to a leading global mobile electronics and systems technology company, the client was impressed that it could remotely power machines on and off.
“A light bulb turned on when the client saw they could remotely lock down a PC to protect intellectual property,” said Jerry Steenson, an EDS global service delivery executive.
Another major selling point was improved user productivity and less downtime.
The EDS team staged a hard drive crash scenario to show that with Intel vPro processor technology, the PC can be brought back up in thin client mode so that the user can access the Web and company network even if the PC's hard drive is down. Productivity is not completely lost.
“Gone will be the day when an employee calls in a PC problem and his or her day is done,” Tillery said.
The mobile electronics company and Client EDS – specifically a call center in Winnipeg, Canada – are the first production pilot scenarios using Intel vPro processor technology.
The pilot programs will tell EDS and the users of the technology where to go from here and how fast it can be implemented across the enterprise. Insights gained will help Intel and EDS plan for future releases of the Intel vPro and Intel Centrino Pro processor technology – as far out as 2010.
“We [Intel] are already in labs with EDS, working on tomorrow's technology and we will continue to do so,” Kirtley said.
EDS expects to lower costs and save time at its call center in Winnipeg through the improved remote functionality, including remote re-imaging of machines.
At the end of a PC lease, before returning a machine to the vendor, the hard drive must be wiped. “Today, we sometimes pay a substantial amount of money per machine,” said Bruce Weeks, service delivery executive for Client EDS.
With the new PCs, re-imaging and disk wipes can be done without having to send a technical person to do it onsite, which can take hours. The whole process can be done remotely, which saves a lot of time and money.
EDS and Intel Worked Together On Intel vPro
EDS first got involved with Intel vPro processor technology while it was still in the development phase. EDS took the new hardware into its Top Gun program while it was still being developed and provided Intel with feedback on its technology.
“[The relationship with Intel] represents how we should be working with our Alliance partners,” said Jeff Wade, lead architect.
Intel and EDS have worked together through every phase to get Intel vPro processor technology where it is today. From development, bringing the technology to customers, and finally putting it into production, EDS and Intel have been a team.
“No other company is as involved as we are,” Wade said.
EDS' level of involvement puts its understanding of the technology at least six to 12 months ahead of the competition. And the collaboration benefits Intel to have another channel for market intelligence.
“Through talking to clients and working with Intel [EDS] can say to Intel: ‘This is what companies are really looking for,'” said Liesa Harkness, engineer.
Deploying Intel vPro On Every Business PC
As hardware producers come out with new models, eventually Intel vPro and Intel Centrino Pro processor technology could be in the hardware of every deployed business PC.
“Now it's the newest thing, but over time it will become standard,” Tillery said.
However, in order for enterprises to take advantage of it, there has to be a change in business processes.
“We're working together on the ground floor on this,” Harkness said. “When this technology is across the board, [EDS will be] a couple of years ahead of the game.”
AI
