TechWeb

Intel vPro Lays Security Groundwork For Desktop PCs

Aug 27, 2007 (02:08 PM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=201802569


Security in desktop PCs has long been a function of software, but with Intel's new vPro platform the chipmaker is looking to reduce vulnerabilities by taking the battle against viruses and malicious code to the hardware.

VPro, unveiled on Monday, offers a host of security features that try to batten down the hatches when a virus storm lashes the network. In addition, version 2 of the platform released last year includes management features that if exploited by software vendors would give IT staff better control over corporate desktops.

The support of software vendors is key to Intel becoming a major provider of security technology in the corporations. "The various pieces of the ecosystem -- operating system, hardware, and virtualization -- basically need to be on the same page, and that can be difficult," Gordon Haff, analyst for Illuminata, told InformationWeek. "In general, features in hardware are going to have to be exploited by software."

But without security built into the CPU and surrounding chipset, desktops won't be as secure as possible. "If you just go with software, then somebody will get to (the computer)," Jim McGregor, analyst for In-Stat, said.

The latest vPro platform is comprised of the Intel Core 2 Duo processor and the Q35 Express chipset. New to the platform is what Intel calls Trusted Execution Technology (TXT), which is mostly about offering software developers the option of programming to features in the chipset that protect applications once a virus or other malicious code has invaded a desktop system. The features include booting software into a known, trusted state set when the application is first installed, preventing compromised software from being launched.

TXT also offers assigned memory partitions, so an application can be launched into its own sandbox, inaccessible from other software or hardware. The third key security feature prevents access to data that's left in memory, a processor cache, or elsewhere in the system when software is closed or crashes.

Security features hard-coded into vPro, which means they are automatically deployed, are part of the platform's management capabilities, which Intel calls Active Management Technology. The new features involve the filtering of outbound traffic from a system.

If AMT notices an excessive number of new connection attempts from a single port or a group of ports, then the technology isolates the desktop's operating system by dropping all communications with other systems and applications on the network. However, it maintains communications with an IT department's software management console, such as in Hewlett-Packard's OpenView, or IBM's Tivoli. This potentially prevents a virus that has reproduced itself in an infected machine from spreading on the network, Intel said.

The vPro processor technology also offers an embedded agent that can be exploited by users of Cisco Systems' "self-defending network" products. Essentially, Cisco networking equipment can be configured to use the agent to check whether a desktop logging on to a corporate system has an approved version of the operating system, the right type of anti-virus software and the current set of patches.

Intel claims that despite adding all the new features to vPro, the technology uses less power than last year's version. The CPU idle power has been reduced by more than 60%, and the chipset's idle power and maximum power for full operation has been cut by more than 50%, Gregory Bryant, VP and general manager of Digital Office Platform Division, said.

The professional, or corporate, version of Intel's notebook platform, called Centrino Pro, is available, but without any of the new features in the desktop version. A Centrino Pro version that's "roughly equivalent" to the latest rev of vPro is codenamed Montevina and set for release in the first half of next year, Bryant said.

Major computer makers and channel resellers are now selling desktops with the new vPro processor, Intel said. The chipmaker also said that 350 companies were deploying the technology worldwide.

Nevertheless, McGregor cautioned that adoption will be gradual, given that before the technology's full potential can be used, every current desktop in a corporation would have to be replaced, which means many companies won't adopt vPro until their ready to replace their current PCs. "It's important (to companies) in the long term, but not necessarily in the short term," McGregor said of vPro.