NETWORK SECURITY TACTICS

vPro: Making the case for network security on a chip


Stephen Cobb
01.22.2008

Organizations may be on the cusp of widespread real-world implementation of one of today's most intriguing network security developments: Intel's vPro processor technology. This hardware-based offering promises improved management and security of desktops, laptops and servers. But does vPro or any other type of security on a chip truly represent a chance for the good guys to pull ahead of the bad guys?

First, let's address what vPro is. In a nutshell, it's Intel's brand name for a bundle of platform technologies (a CPU, a chipset and a network interface designed to work together) that put management and security functions into hardware, where they run independently of the operating system, rather than leaving them entirely to software. The best-known component is the out-of-band remote management capability (Intel Active Management Technology, or AMT); the bundle also provides hardware-protected storage for identities and keys, serving as an alternative to traditional software-based methods of safeguarding them.

There are distinct advantages to implementing security in hardware rather than software, starting with the fact that hardware tends to be inherently more difficult to access and alter. When a serial number, network address or set of cryptographic keys is embedded in a piece of hardware, the data cannot be altered as easily, and any tampering is harder to hide. Hardware can be made tamper-resistant, tamper-evident or even tamper-responsive, meaning the device destroys its stored data if someone tries to alter it.

Of course, numerous real-world caveats apply to these assertions. Hardware-based controls can often be subverted, and their guarantees erode over time. Think of MAC address spoofing: the address is burned into the network interface, but the driver can simply present a different one, which undermines the ability to reliably identify a specific interface by it. Hence hardware security often turns out to be less invincible than it first appears.

That said, the vPro functionality provided by Intel and its partners -- as well as the parallel open-standard effort of the Distributed Management Task Force (DMTF) laid out in the Desktop and mobile Architecture for System Hardware (DASH) specification -- allows enterprises to comply with a number of well-established security maxims, the first being "you cannot secure what you can't manage, and you can't manage what you can't map." Surprisingly, many organizations don't know the security state of their own devices: which software versions and security patches are installed, whether a machine is infected with malware, and whether its defenses, such as antivirus protection, are actually running.

And while a lot of good network management technologies have been developed over the years, most cannot provide what vPro now offers. Earlier hardware could not support out-of-band communication with, and configuration of, every computer on the company network over wired and wireless links and regardless of the machine's power state. Doing so requires an enabling chipset, including CPU and network interface, with a management controller that keeps running when the operating system is off, hung or compromised. Not surprisingly, developers of previous network management products have been reworking their wares to take advantage of these capabilities.

It is now possible, from a central console, not only to detect every vPro-equipped machine on the network (provided it has been provisioned for management), but also to determine what state each one is in and act accordingly. This can help admins answer questions such as:

  • Are devices infected?
      • If so, they can be reliably quarantined from the network, without depending on the compromised host's own software to enforce the isolation.
  • Are their patches up to date?
      • If not, they can be updated from the central console, even when they are powered off.
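
The questions above amount to a triage policy: map every device, decide what state it is in, and pick an action that the available channel can actually carry out. The following is an added illustration of that policy, not code from the article or from Intel or the DMTF. The inventory is constructed sample data, and the field names (`oob_managed`, `agent_reachable`, and so on) are assumptions about what a management console would report from its in-band agents and its out-of-band channel; `REQUIRED_PATCH_LEVEL` is an assumed baseline.

```python
"""Endpoint posture triage, added here as an illustration (not code from the
article or from Intel/DMTF).  The inventory is constructed sample data and the
field names are assumptions about what a management console would report from
its in-band agents and its out-of-band (vPro/DASH) channel."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Set

REQUIRED_PATCH_LEVEL = 42  # assumed baseline for this example


@dataclass
class Endpoint:
    hostname: str
    power_on: bool
    oob_managed: bool            # vPro/DASH provisioned: reachable when off or hung
    agent_reachable: bool        # in-band management agent answered
    patch_level: Optional[int]   # None = not reported
    av_running: Optional[bool]   # None = not reported
    infected: Optional[bool]     # None = not reported


def triage(ep: Endpoint) -> List[str]:
    """Ordered actions for one endpoint: infection first, then patching, then AV."""
    if not ep.agent_reachable and not ep.oob_managed:
        # Mapped but not manageable: no channel can act on it.
        return ["unmanaged: no in-band agent and no out-of-band channel; follow up manually"]

    actions: List[str] = []

    if ep.infected:
        if ep.oob_managed:
            actions.append("quarantine: out-of-band network isolation")
        else:
            # Isolation enforced by the compromised host's own OS cannot be trusted.
            actions.append("quarantine: isolate at switch/NAC; in-band isolation is untrustworthy")
    elif ep.infected is None:
        actions.append("collect: infection state not reported")

    if ep.patch_level is None:
        actions.append("collect: patch level not reported")
    elif ep.patch_level < REQUIRED_PATCH_LEVEL:
        if ep.power_on and ep.agent_reachable:
            actions.append("patch: in-band")
        elif ep.oob_managed:
            actions.append("patch: wake out-of-band, then patch")
        else:
            actions.append("cannot patch: powered off and no out-of-band channel")

    if ep.av_running is False:
        actions.append("remediate: antivirus not running")
    elif ep.av_running is None:
        actions.append("collect: antivirus state not reported")

    return actions or ["compliant"]


def unmapped_hosts(seen_on_network: Set[str], inventory: List[Endpoint]) -> List[str]:
    """Hosts discovered on the wire that the console has no record of."""
    known = {ep.hostname for ep in inventory}
    return sorted(seen_on_network - known)


def triage_all(inventory: List[Endpoint]) -> Dict[str, List[str]]:
    return {ep.hostname: triage(ep) for ep in inventory}


# Constructed sample inventory and a constructed network-discovery result.
INVENTORY = [
    Endpoint("ws-01", True, True, True, 42, True, False),
    Endpoint("ws-02", False, True, False, 40, None, None),
    Endpoint("lt-03", False, False, False, None, None, None),
    Endpoint("srv-04", True, True, True, 42, True, True),
    Endpoint("ws-05", True, False, True, 41, False, False),
]
SEEN_ON_NETWORK = {"ws-01", "ws-02", "lt-03", "srv-04", "ws-05", "printer-09", "rogue-7"}


if __name__ == "__main__":
    for host, acts in triage_all(INVENTORY).items():
        print(host, "->", "; ".join(acts))
    print("unmapped:", unmapped_hosts(SEEN_ON_NETWORK, INVENTORY))
```

The two cases worth noticing are `ws-02`, which is powered off yet still gets a patch action because the out-of-band channel can wake it, and `lt-03`, which the console knows about but cannot reach by any channel; together with the two hosts seen on the wire but absent from the inventory, those are the gaps the "can't map, can't manage" maxim is about.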

Of course, all of this technology has been in the works for a while. Some of the functionality was delivered on chips released in 2006. More recently, the software specifically designed to support these features has been expanded and improved, making it increasingly difficult to argue that the vPro approach is 'not there yet.'

Separately, it's a sure bet that those interested in penetrating network security -- whether they are white hat hackers looking to increase that security or black hat hackers trying to defeat it -- are also evaluating the vPro technology closely, because hardware-based does not mean immune from attack: a management controller that can reach every machine out of band, beneath the operating system, is itself a high-value target. In an interesting exchange on the Cryptography Mailing List last summer, one message heading read: "Free Rootkit with Every New Intel Machine." That take on vPro shows that there are those who understand that any new security technology also represents a new opportunity for attackers to infiltrate enterprise systems.

Like all other security measures, vPro is capable, at least in theory, of abuse. While attack scenarios are easy to imagine, at this point they would seem to be a long way from practical application. Enterprises that deploy Intel's vPro -- or the DASH-compliant products being delivered by rival vendors such as Advanced Micro Devices Inc. (AMD) and Broadcom Corp. -- can expect to enjoy a period of enhanced security, just as early adopters of firewalls benefited from attackers directing their efforts at less-protected targets. Unfortunately, we can also predict with some reliability that widespread enterprise deployment of vPro will lead to attacks on the most common vPro implementations.

Nevertheless, vPro and similar technologies may soon join firewalls as part of the common enterprise network security baseline. The technology will be something that organizations will be expected to deploy, especially those having to protect sensitive customer data. Failure to do so may poke a hole in any post-breach claims that all reasonable measures were taken to protect customer data.

About the author:
Stephen Cobb has nearly three decades of experience in computer audit, security, and data privacy. He authored a comprehensive manual of personal computer security in 1992 and has been a CISSP since 1996. One of the first analysts to predict that privacy concerns would become a leading driver of enterprise security, Stephen published a privacy handbook for businesses in 2002. A co-founder of two successful security startups, he helped develop ground-breaking network security technology acquired by Symantec in 2004. When he is not busy advising clients or conducting seminars, Stephen is an adjunct professor of Information Assurance at Norwich University, Vermont, where he helped create the curriculum for the award-winning Master of Science in Information Assurance degree.


All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy