Preface
Intel has developed a series of unique Solution Recipes designed for channel members interested in providing complete solutions to their customers, backed by top-quality technology and support. A solution recipe describes how to combine Intel®-based ingredients to create new technology solutions for common business challenges.
This recipe explains how security for networked PCs can be improved with Intel® vPro™ technology and a suite of highly-regarded third-party software and hardware components. When you are ready to deploy this recipe, please refer to the related Deployment Guide, which includes step-by-step instructions. You can find the guide by visiting: www.intel.com/go/reseller/vpro or www.intel.com/go/solutions
Common Notations and Terms
Trusted Platform Module (TPM): Found on Intel vPro technology platforms, TPM is a microcontroller that stores keys, passwords, and digital certificates for applications such as e-mail and secure Web access.
Trusted Computing Group (TCG): A not-for-profit organization formed to develop, define, and promote open standards for hardware-enabled, trusted computing and security technologies. Their goal: to help users protect their information assets (for example, data, passwords, keys).
Virtual Private Network (VPN): A private communications network used within a company to communicate securely over a public network (Internet).
Table of Contents
Meeting New Market Opportunities
Solution Overview
Key Technology
Solution Benefits
Solution Recipe
Meeting New Market Opportunities
One of the most critical challenges facing businesses today is finding ways to keep PCs secure from malicious attacks such as viruses or worms. These attacks typically enter the network via e-mails, attachments, or downloaded files, and they can destroy data and cripple networks. A downed network can freeze productivity and require huge amounts of time and money to repair. Channel members can enhance their relationships with their valued customers by helping them create more secure networks.
Your Customers’ Networks Are at Risk
In 2003, computer virus attacks cost global businesses an estimated USD 55 billion in damages.¹ If that number sounds alarming, consider this: 93 percent of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster. In addition, 50 percent of businesses that found themselves without data management for this same time period filed for bankruptcy immediately.² These statistics point to an escalating need for sophisticated security solutions.
While anti-virus software, combined with a firewall, provides a base level of protection for networks, today’s mobile business community demands a new level of vigilance to cover those connecting to the company’s network over a wireless connection or from offsite locations.
Make Your Customers’ Networks More Secure
So what can you do to raise the level of protection—particularly for your small- and medium-sized customers? Help them upgrade their network security by adding another layer of protection with Intel® vPro™ technology. This solution delivers a full security package that includes anti-virus software and firewalls as well as using encrypted data transfer for Virtual Private Networks (VPN) and additional user authentication tools such as biometric devices and Trusted Platform Modules (TPM). And, thanks to this more powerful and secure technology, the opportunity also exists for channel members to deliver on-going IT services to their customers—thus creating an additional revenue source.
Addressing New Market Opportunities
Solution Recipe: Improve Networked PC Security with Intel® vPro™ Technology | Page 2
1 Reuters, “news.zdnet.com” January 16, 2004, http://news.zdnet.com/2100-1009_22-5142144.html, May 30, 2006.
2 Data Recovery Performed Remotely white paper, “ontrack.com” 2003,
Solution Overview
In response to growing security threats, many businesses are looking for ways to take their security systems to the next level. For example, some banks are considering requiring their online banking customers to use biometric identification to access their accounts. More and more, government institutions are using digital signing technology for areas such as recording signatures to authorize an executive or judicial order or for filing of citizen and business tax returns.
Yet, for many small- and medium-sized businesses, creating a higher level of secure networks can be challenging. With a number of different products on the market, which ones do they choose to perform different security tasks? And will they all work smoothly together on their system? It can be a difficult, time-consuming task. But PCs equipped with Intel vPro technology, together with powerful third-party software and hardware components, provide a complete solution that is optimized and validated for use with the new, high-performance Intel® Core™2 Duo processor family.
Every business, regardless of network size, should have a security plan that defines appropriate user behavior and identifies necessary security procedures.
Access rights. A business has three options regarding trust and their network: 1) Trust everyone all the time; 2) Trust no one at any time; 3) Trust some people, some of the time. The third option is the most commonly used in business.
Remote access. Use antivirus and firewall protection on the computing devices and create a secure VPN connection for remote users.
Information protection. Outline guidelines for processing, storing, and transmitting your business-sensitive IT assets.
Virus prevention. Reduce exposure to viruses with security software and user education. Provide users with a primer on safe computing practices.
Password use. Require frequent changing of passwords, with alphanumeric, eight-digit passwords, or add biometric-based user authentication.
Backup and recovery. Ensure continuous data
Key Technology
This solution recipe combines a carefully chosen combination of software and hardware components that deliver a complete security solution. Customers can rest assured that these components have been tested and validated to work together, ensuring the highest level of performance.
Hardware platform. Security applications consume a great deal of a PC’s processor cycles monitoring the flow of bits. But, with powerful new Intel Core 2 Duo processors, Intel vPro technology delivers a significant increase in computing power over previous Intel technology, and that means better performance for end-user applications.
Trusted Platform Module (TPM). This microcontroller stores keys, passwords, and digital certificates. Built into the motherboard, TPM provides secure storage and key generation capabilities, so it can be used to create and/or store both user and platform identity credentials for use in authentication. Critical applications and capabilities such as secure e-mail, secure Web access, and local protection of data are made much more secure using a TPM.
Anti-virus. Applications like Symantec Norton AntiVirus 2006* can be included on end-user PCs, and Symantec AntiVirus 10.0* on servers, for automatic detection of viruses, worms, Trojan horses, spyware, and adware.
Firewall. Keep hackers out and control inbound and outbound traffic with powerful applications like Symantec Norton Personal Firewall* software (included as part of Symantec Norton Internet Security 2006*).
Virtual Private Network (VPN). VPN Client software allows end-user PCs remote access to the company network. NETGEAR ProSafe VPN Firewall* hardware is available for strong encryption and authentication and for setting up the VPN tunnels into the corporate network.
Intel® Virtualization Technology (Intel® VT). This hardware-enhanced virtualization technology from Intel permits one computer or server to run multiple operating systems and applications on the same machine in independent partitions or “containers.” This allows IT to run critical security applications in one virtual partition while end users continue working uninterrupted in the user partition.
TPM management. Key products offer tools to address TPM management. For example, Wave Systems* EMBASSY Trust Suite 5.1* can help IT manage TPM security settings, and provides strong authentication tools, robust password management, and TPM key archive capabilities.
Biometrics. An optional USB Biometric Fingerprint Reader can create
Filtering Threats and Isolating PCs
Software-only security solutions can be useful. But they also can be tampered with or disabled by hackers, viruses, or even end users themselves. Once the network is compromised, it is difficult for IT to make repairs, or even locate the PC if its management agents have been disabled.
Intel vPro technology enables third-party security software to identify threats before they reach the operating system, isolate compromised PCs more quickly, and ensure that security agents stay active.
Hardware filtering of data traffic. Programmable hardware-based filters examine inbound and outbound network traffic to identify threats. When the filter detects a problem, a hardware-based “switch” can automatically disconnect the computer’s operating system from the network to contain threats more quickly. But, in this instance, only the network communications are shut down. Other applications, such as word processing or spreadsheets, are still available to the end user, minimizing the impact on productivity.
Security agent “heartbeat” checking. PCs with Intel vPro technology use a regular, programmable “heartbeat” presence check for third-party security agents. This technology uses a watchdog timer so security software can check in with the computer’s management engine at programmable, one-second intervals, confirming that the security agent is still active. If an agent hasn’t checked in before the timer goes off, the computer presumes the agent has been removed, tampered with, or disabled. The management engine then logs an alert and notifies the IT console.
Non-volatile memory and Intel® Virtualization Technology (Intel® VT). Even if a threat does get past the other defenses, IT has access to a persistent memory where critical information can be protected. With Intel VT, IT can also use self-contained, dedicated virtual environments to isolate and manage applications and data in the user partition. Creating separate partitions for the security application and end-user applications also keeps the end user from gaining access to crucial security devices, such as firewall settings.
Because PCs with Intel vPro technology have the ability to automatically sense threats and then isolate themselves from the rest of the network, they are much less likely to infect other PCs on the system. And, all of these security measures can be executed by IT even if the system power is off, or if the operating system is unavailable.
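The heartbeat presence check described above can be modelled as a per-agent watchdog that runs on a clock separate from the monitored agents. This is an added illustration, not Intel's code or API: the `ManagementEngine` class, the event names, and the sample timings are assumptions constructed for the example.

```python
class ManagementEngine:
    """Hypothetical out-of-band monitor; names here are assumptions, not Intel's API."""

    def __init__(self):
        self.agents = {}      # name -> {"interval", "last_seen", "expired"}
        self.event_log = []   # (time, agent, event) tuples sent to the IT console

    def register(self, name, interval_s, now):
        self.agents[name] = {"interval": interval_s, "last_seen": now, "expired": False}

    def heartbeat(self, name, now):
        agent = self.agents[name]
        if agent["expired"]:                      # agent came back after an outage
            self.event_log.append((now, name, "AGENT_RECOVERED"))
        agent.update(last_seen=now, expired=False)

    def tick(self, now):
        """Runs on the engine's own clock, independent of the host OS."""
        for name, agent in self.agents.items():
            if not agent["expired"] and now - agent["last_seen"] > agent["interval"]:
                agent["expired"] = True           # alert once per outage, not per tick
                self.event_log.append((now, name, "AGENT_MISSING"))


def replay(events, end, step=0.5):
    """Replay constructed (time, kind, agent, interval) events; return the alert log."""
    engine, t = ManagementEngine(), 0.0
    pending = sorted(events, key=lambda e: e[0])
    while t <= end:
        while pending and pending[0][0] <= t:     # deliver check-ins due by now
            ts, kind, agent, interval = pending.pop(0)
            if kind == "register":
                engine.register(agent, interval, ts)
            else:
                engine.heartbeat(agent, ts)
        engine.tick(t)
        t += step
    return engine.event_log


# Constructed sample: the firewall agent checks in each second, then is silent from t=3 to t=7.
SAMPLE = [(0.0, "register", "firewall", 1.0), (0.0, "register", "antivirus", 2.0)]
SAMPLE += [(float(t), "beat", "firewall", None) for t in (1, 2, 3, 7)]
SAMPLE += [(float(t), "beat", "antivirus", None) for t in (2, 4, 6, 8)]

if __name__ == "__main__":
    for entry in replay(SAMPLE, end=8.0):
        print(entry)
```

The alert is raised once per outage rather than on every tick, which keeps a single disabled agent from flooding the console log.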
[Figure: 3 Layers of Defense]
1. Hardware filtering of data traffic: examine network traffic and cut off the network data path when a threat is recognized
2. Security agent “heartbeat” checking: check traffic for threats, while hardware “heartbeats” make sure those security agents stay active
3. Non-volatile memory and Intel® Virtualization Technology: and hardware-based virtual OS isolate critical applications and information from unauthorized access
Figure labels: User OS/environment; Server based on Intel® Xeon® processor 5000 Sequence (Intel® Dual-Core Xeon® Processor 5000 sequence w/Intel® 5000P/V chipset, 1000Base-T LAN capable; Additional Hardware: Intel Dialog A/C OR Digium A/C; Software: RedHat Enterprise Linux 4, LanDesk Management Suite OR SyAM Management Server)
Solution Benefits
Benefits for Intel® Channel Partner Program Members
Offer an All-in-One Package
Small- to medium-sized businesses are looking for comprehensive security solutions. This need presents channel members with an excellent opportunity to offer a complete, all-in-one package security solution: a solution that reduces vulnerabilities and security risks for customers.
An Attractive Price-point
Intel vPro technology, with powerful new Intel Core 2 Duo processors and Intel VT, is a remarkably robust and reliable hardware option. It is priced accordingly, offering channel members a more attractive margin. In addition, components such as the Trusted Platform Module (TPM) can be added to customers’ systems, creating an additional revenue opportunity that addresses the specific security requirements at that installation.
Ongoing IT Service
Benefits for Your Customers
Today’s banks, government agencies, educational institutions, and businesses need the ability to quickly recognize potential technological threats, and to contain and neutralize them. PCs equipped with Intel vPro technology offer those capabilities.
Control User Access to Critical Areas
Intel VT allows IT to create separate partitions for security and end-user applications. This prevents end users from accidentally disabling anti-virus software or firewalls. If the system does find a problem, the PC is quarantined in its own partition so that it doesn’t contaminate other PCs on the network.
Improved Authentication
Advanced techniques such as TPM and biometric fingerprint readers help ensure that only authorized personnel have access to specific data and restricted areas of the network.
Proactive Intrusion Protection
Hardware-based filters monitor network traffic to identify threats and can automatically disconnect the computer’s operating system from the network if there is a problem. PCs with Intel vPro technology also have the ability to monitor security agents to ensure that they are working correctly. If one of the agents goes missing, the management engine logs an alert and notifies the IT console.
Higher Performance
Powerful Intel Core 2 Duo processors and Intel® Core™ microarchitecture have significantly improved performance, so virus scans, software upgrades, back-ups, and other security tasks can be run in the background without slowing down end-user workflow.
Solution Recipe
Intel vPro technology offers customers an opportunity to upgrade their network security to a significantly higher level. To aid this process, Intel has developed a Solution Deployment Guide (www.intel.com/go/reseller/vpro or www.intel.com/go/solutions) that demonstrates how critical security concerns can be met with a complete solution.
Software Architecture
By utilizing Intel vPro technology, you can combine a more complete package of industry leading security software to offer customers improved networked PC security with:
• Microsoft Windows XP* operating system (solution is Windows Vista*-ready)
• Symantec Norton Internet Security 2006
• NETGEAR ProSafe™ VPN* client software (remote access from PCs into the company network)
• Wave Systems EMBASSY Trust Suite 5.1 (helps IT manage TPM security settings and password management)
• Kingsoft Antivirus* (People’s Republic of China)
• Kaspersky® Anti-Virus* 6.0 (Russia)
System Architecture
Components Necessary to Build
• PCs equipped with Intel vPro technology and security software solutions (see Software Architecture)
• Integrated TPM eliminates need for external tokens
• Netgear ProSafe VPN Firewall* hardware
• VPN tunnel for data encryption
• Servers with Intel® Xeon® processor 5000 Sequence
• Wireless access point
• Broadband modem
[Figure: Networked PC Security Solution. Labels: Internet; Broadband Modem; VPN Firewall (supports up to 8 tunnels); Intel® vPro™ technology-based PCs; Servers with Intel® Xeon® processor 5000 Sequence]
Support
Solution Support
Intel has tested and verified the components in this security solution recipe. Please continue to use your existing Intel® Support Services (http://www.intel.com/go/ChannelSupport).
Intel, the Intel logo, Intel. Leap ahead. the Intel. Leap ahead. logo, Intel vPro, the vPro logo, Xeon, the Xeon logo, Intel Core and Core Inside are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
*Other names and brands may be claimed as the property of others. Copyright © 2006, Intel Corporation.
Intel Literature Center: 1-800-548-4725 Order Number: 313337-001US
Printed in USA/06/06/JW/KC/PDF