Intel AMT over Wireless for McAfee ePO Deep Command

Version 2

    Introduction

    McAfee ePO Deep Command works with Intel® Active Management Technology (AMT) to provide beyond-the-operating-system security management.   When first testing Intel AMT, start with a wired intranet connection.    This will reduce the number of variables associated to the network connection.

    In addition to the wired interface, mobile Intel AMT platforms can also support connectivity via the 802.11 wireless interface.  

     

    Intel AMT over wireless is not officially supported by McAfee ePO Deep Command.    The information provided within this document focuses primarily on the behaviors of Intel AMT over wireless, demonstrating what is possible - not necessarily a fully supported solution.

     

    This document first provides a foundational explanation on the differences of Intel AMT via wired versus wireless connectivity.    Once the foundation is understood, the article includes a summary explanation on how to add wireless to Intel AMT configuration.    The material is intended for an advanced user of Intel AMT and covers only the main parts on using Intel AMT over an 802.11 wireless connection.

    All Intel AMT configuration events mentioned in this document use Intel Setup and Configuration Software (SCS) version 8.1, available via McAfee ePO Software Manager or at http://www.intel.com/go/scs

    Process Overview

    The following is a process overview for this article and how to approach configuration of wireless settings for Intel AMT

    • Start using Intel AMT in a wired environment before moving to wireless
    • Identify the wireless profile settings used within your environment
    • Define the wireless profile settings in the Intel AMT configuration profile
    • Validate the Intel AMT over wireless configuration in your environment

     

     

    Background on Intel AMT Wired and Wireless Connectivity

    Intel AMT was first built and introduced to work with a wired interface.  The simplified diagram below is a summary of how Intel AMT works in a wired mode.   In a wired mode, Intel AMT communications share the same physical network interface as the host operating system.

    AMTwireless_pic1.png

     

    Communications to Intel AMT commonly occur on the same IP address, specifically when the system is using IPv4 addresses issued via DHCP.   The Intel AMT wired network interface operates in a passive mode as long as the host operating system is alive and responding.    Communications to the device on ports 16992-16995 are intercepted by Intel AMT as long as the wired interface to the technology is open.


    If the host operating system stops responding due to a shutdown event or network driver disconnect, the Intel AMT wired network interface moves from a passive to active role.    In an active role, Intel AMT will negotiate DHCP addresses and so forth.   When the network driver on the host operating system is again available, the Intel AMT network interface returns to a passive state.

    The change from passive to active mode is demonstrated in the following example ping response.   At the start of the ping response, the host operating system is responding.   A temporary interruption occurs, simulated by disabling the network interface in the host operating system.   Within a few seconds, Intel AMT transitions to active mode and responds to the pings.   Later the network interface is re-enabled in the host operating system, an interruption to the ping responses occurs and then resumes.   One of the key differences  in the responses between the host operating system and Intel AMT is the TTL (Time-to-Live) value.    The host operating system TTL is 126, whereas Intel AMT TTL is 253.
    AMTwireless_pic2.png


    With a foundational understanding of a wired Intel AMT connection, the physical behaviors of a wireless Intel AMT connection are better understood.

    Intel AMT connectivity via wireless was introduced with version 4.0 of the firmware.   Due to physical silicon and circuitry differences for wireless, some behaviors will be different as compared to a wired connection.  

    Note: A future release of Intel AMT over wireless will align to a wired connection.   More information on Link Protection, Link Control, and Link Preference if available at http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_G uide/DOCS/Implementation%20and%20Reference%20Guide/WordDocuments/linkpreferencea ndlinkcontrol.htm.

    Shown in the summary diagram below, Intel AMT over wireless connection with a healthy operating system is actually routed through the host operating system.
    AMTwireless_pic3.png


    For this routing or redirection to occur, Intel AMT Local Management Service (LMS) and User Notification Service (UNS) drivers must be installed and loaded within the host operating system.   These drivers are part of a single installation provided by your OEM.  

    This difference in how communications occurs requires Intel AMT traffic to pass through the operating system network stack.   If a local firewall is preventing communications on ports 16992-16995 or if the wireless profile of the host operating system cannot complete the connection, Intel AMT communications will be interrupted.

    When the host operating system goes offline, Intel AMT will transition to an active mode.   Specifically, this event occurs when the host operating system network driver is no longer owning the wireless network interface. Wireless communications are now directed from the wireless network interface to Intel AMT as shown below.
    AMTwireless_pic4.png
    Only one service can actively own the wireless network interface.   Due to the occasional interruptions of a wireless connection that the host operating system may experience, Intel AMT has a built-in timer and heart-beat check to the operating system network interface to determine when to transition to active ownership of the network interface.    The transition between the host operating system and Intel AMT can occur only when the active owner relinquishes control.   A feature commonly referred to as “link preference” is available in the Intel firmware to determine whether Intel AMT or the host operating system network driver actively owns the wireless interface.

    As an example, the following ping response output shows the sequence of the host operating system owning the wireless network interface before transitioning to Intel AMT.   The transition occurred after the wireless network adapter was disabled within the host operating system.
    AMTwireless_pic5.png
    Later the host operating system network interface is re-enabled but the wireless profile does not immediately connect.   In this scenario, all network connectivity to target system has been lost.   The host operating system network driver actively owns the wireless interface but without a valid wireless profile connection the Intel AMT communications are also affected.
    AMTwireless_pic6.png
    After disabling the wireless network adapter in the host operating system, Intel AMT is now able to connect and communicate as shown below.
    AMTwireless_pic7.png

    The final example below shows a different scenario where the host operating system actively owns the wireless network interface.   From the McAfee ePO Console a Serial-over-LAN terminal session is started.   The request is seen by the Intel drivers of the host operating system and the link preference is changed from the host operating system to Intel AMT. 
    AMTwireless_pic8.png
    In this case, the Intel Management and Security Status (IMSS) shows that the host operating system has been disconnected with option to return the control.
    AMTwireless_pic9.png


    Wireless connectivity for Intel AMT has more considerations than a wired connection.   Understanding the connectivity characteristics will help in your own planning.   Part of that planning will require the wireless profile for Intel AMT to be defined and applied, as explained in the next section.

    Wireless Profile Settings

    Adding to the base requirements of a wired connection, a wireless profile includes security settings to ensure a device is connected to the correct and expected network.   In addition to assigning that profile to the host operating system, Intel AMT must be aware of the wireless profile settings.

    The following prerequisites apply to wireless profiles with Intel AMT.   The settings and profiles are defined within the Intel® Setup and Configuration Service (SCS) console:

    • WiFi Protected Access (WPA) or WPA2 settings must exist in the environment
    • Proper network resolution of wireless IP addresses in the environment
    • The wireless profile of the host operating system must be applied to Intel AMT
    • Up to 15 wireless profiles can be defined
    • Enabling of the wireless network interface within Intel AMT
    • If 802.1x authentication is used for wireless connections, an 802.1x connection must be defined in addition to the Intel AMT wireless profile
    • If an external wireless switch exists on the device, it must be in the “On” or “Enabled” position
    • Initial Intel AMT configuration must occur via a wired intranet connection
      • Note: This is a core requirement for McAfee ePO Deep Command AMT configuration policies and actions.   An alternative method, Host Based Configuration, allows Intel AMT configuration via wireless or VPN connections.
    • For automatic replication of User Defined wireless profiles form the host operating system to Intel AMT, Intel AMT version 6.x or higher with Intel PROSet\Wireless software is required.

    The examples below are for reference only.   More information is available via the Intel SCS console user guide included with the complete download, specifically the section on “Defining Network Settings”.  (see http://www.intel.com/go/scs)

    To include wireless in the Intel AMT configuration profile, select Network Configuration and WiFi Connection as part of the optional settings.
    AMTwireless_pic10.png
    In the first example, WPA with TKIP encryption is used within the environment.   Shown below are the wireless profile settings for the host operating system and Intel AMT.  
    AMTwireless_pic11.png
    In the second example, WPA2 with AES encryption and an 802.1x profile is used in the environment.   Shown below are the wireless profile settings for the host operating system and Intel AMT.
    AMTwireless_pic12.png
    The 802.1x settings provide authentication of the wireless connection.   Shown below is one example how the settings compare between the host operating system and the Intel AMT configuration profile.
    AMTwireless_pic13.png
    As shown on the right side of the above diagram, Intel AMT can be configured with other 802.1x protocols.   This particular 802.1x example used the EAP-TLS protocol in connection with a Microsoft IAS-NAP as the RADIUS Server with a trusted root certificate from DC1.vprodemo.com


    In addition to directly assigning User Defined profiles, the following option within the Intel AMT Configuration profile will allow a profile to be replicated from the host operating system to Intel AMT.  
    AMTwireless_pic14.png
    Synchronization of wireless profiles can be useful for networks outside of the corporate environment if Remote Access policies have been defined within the AMT profiles of the McAfee ePO Console.   Directly defining the wireless profiles for enterprise network is commonly preferred.


    If the synchronization option is selected, Intel AMT version 6.x is required along with Intel PROSet Wireless software on the client system.   If the host operating system connects to a new wireless network, a prompt will appear on the Intel AMT client similar to the following example.
    AMTwireless_pic15.png
    For initial testing of Intel AMT over wireless, the option to synchronize wireless profiles may be useful.   For deployment in a production environment, the option may be unfavorable due to user interface prompts.

     

    Once the preferred Intel AMT configuration profile with wireless settings is defined for your environment, apply it via the mechanisms provided within McAfee ePO Deep Command version 1.5.

    Testing Intel AMT over Wireless  

    Once the Intel AMT configuration has been applied, physically disconnect the wired LAN connection from the system.   Ensure the host operating system wireless is connected.    Using another system on the network, such as where the McAfee ePO Console is loaded, open an Intel AMT WebUI session to the target client.

    Shown in the example below, a wireless IP address is seen by Intel AMT with a healthy operating system
    AMTwireless_pic16.png
    Next - disable the wireless network connection within the host operating system of the client.   Click the Refresh button within the Intel AMT WebUI window.   If the page reloads successfully with a Wireless IP address shown, this confirms Intel AMT over wireless is working.

     

    To complete your testing, try a few Intel AMT Actions via the McAfee ePO Console.   Shown below, the Boot to BIOS operation was performed.   Both the Serial-over-LAN and McAfee KVM viewer windows are open.
    AMTwireless_pic17.png

    Concluding Thoughts

     

    Intel AMT over wireless extends your beyond-the-operating-system security management capabilities provided with McAfee ePO Deep Command.   McAfee ePO Deep Command was built and validated using a wired connection, both LAN and WAN (Click here learn more on how to setup McAfee ePO Deep Command Gateway Service). 

     

    Known wireless profiles, such as corporate environment, can be set via the Intel AMT configuration profile.   External wireless profiles, such as home office, can be detected via Intel ProSet drivers and assigned into Intel AMT.   As extreme use case would be a personal WiFi hotspot via your 3G/4G smartphone - this model has been demonstrated.

     

    WiFi hotspots that require user logon\authentication – such as Gogo, T-Mobile at a Starbucks, etc – will not work if a per session login or acknowledgement required.

     

    This document is intended to demonstrate the "art of the possible".    If new to McAfee ePO Deep Command or Intel AMT, click here for an index listing of related materials

     

     

    The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries