
More Ideas for Network Filtering with Intel AMT

By Terry Cutler

A few months ago I posted a 3-part series on defining and using Intel AMT network filters. The first article is posted at http://www.symantec.com/connect/articles/part-1-using-network-filtering-enhance-your-security-control

Since that article, a few customers have made some intriguing requests.

One customer wanted to use VNC instead of pcAnywhere in the filter configuration - thus allowing a VNC remote session. The only change is the port number: pcAnywhere uses 5631, VNC uses port 5900. So adjust the port setting for VNC. This is shown in the attached TXT file - just rename it to .XML if you want to use it.

Other requests have included ideas such as:

  • Instead of the notification server, could a Deployment Server or Package Server be defined? The short answer is yes - network communications can be restricted to allow connectivity only between the target client and a defined server based on port\protocol\direction.
  • Could an event trigger this change or response within the platform? Again - the short answer is yes. This one is a little more difficult since it will require an orchestration of events to send the filter policy to the client. Some have directly asked about the "heuristics" capability. Heuristics refer to a policy definition applied to the hardware, which monitors all traffic and automatically responds based on event signatures. Although supported by the Intel AMT firmware, defining and applying heuristic filters is not presently supported by Symantec\Altiris. For more information on System Defense heuristics see http://software.intel.com/en-us/articles/intel-active-management-technology-use-case-7-hardware-based-isolation-and-recovery-protect/
  • Can a local agent such as SEP send a command to the local hardware to trigger the custom network filter? Presently this is not supported by the hardware\firmware. More specifically, the security features of the driver (hardware embedded controller interface), along with the local security access control of the firmware, prevent a direct configuration change of the System Defense network filters. If there are sufficient requests from end customers, perhaps this could be changed.
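To make the filter semantics above concrete, here is a small added example (mine, not the article's attached XML and not the Symantec or Intel AMT API) that models a System Defense style policy: traffic is allowed only between the managed client and one defined server, matched on port, protocol and direction, with everything else dropped. It covers both the pcAnywhere-to-VNC port change (5631 to 5900) and the "defined server" idea for a Deployment or Package Server. The server address 10.1.2.3, the function names, the `one_time` flag and the sample packets are all constructed for illustration.

```python
"""Toy model of an Intel AMT System Defense style network filter policy.

Constructed example: this is NOT the Symantec/Altiris XML filter format and
does not talk to AMT firmware. It models the semantics described in the
article: connectivity restricted to one defined server, matched on
port / protocol / direction, with all other traffic dropped by default.
"""
from dataclasses import dataclass, replace
from typing import Iterable, Tuple

PCANYWHERE_PORT = 5631  # port stated in the article
VNC_PORT = 5900         # port stated in the article


@dataclass(frozen=True)
class Packet:
    """A simplified packet as seen from the managed client."""
    protocol: str       # "tcp" or "udp"
    direction: str      # "inbound" or "outbound"
    remote_host: str    # the peer the client is talking to
    port: int           # client-side port for inbound, server-side for outbound


@dataclass(frozen=True)
class FilterRule:
    """One allow rule: a single peer, protocol, direction and port."""
    name: str
    protocol: str
    direction: str
    remote_host: str
    remote_port: int

    def matches(self, pkt: Packet) -> bool:
        return (self.protocol == pkt.protocol
                and self.direction == pkt.direction
                and self.remote_host == pkt.remote_host
                and self.remote_port == pkt.port)


@dataclass
class FilterPolicy:
    name: str
    rules: Tuple[FilterRule, ...]
    default_action: str = "drop"   # deny-by-default, as in the article's use case
    one_time: bool = False         # hypothetical flag: policy reverts after one session

    def evaluate(self, pkt: Packet) -> str:
        """First matching allow rule wins; otherwise the default action applies."""
        for rule in self.rules:
            if rule.matches(pkt):
                return "allow"
        return self.default_action


def server_only_policy(name: str, server_ip: str,
                       services: Iterable[Tuple[str, str, int]],
                       one_time: bool = False) -> FilterPolicy:
    """Allow only the listed (protocol, direction, port) services with one server.

    Generalises the article's point that any defined server (notification,
    deployment, package) can be the single permitted peer.
    """
    rules = tuple(
        FilterRule(name=f"{name}-{proto}-{direction}-{port}", protocol=proto,
                   direction=direction, remote_host=server_ip, remote_port=port)
        for proto, direction, port in services)
    return FilterPolicy(name=name, rules=rules, one_time=one_time)


def remote_control_policy(server_ip: str, tool: str, one_time: bool = False) -> FilterPolicy:
    """Allow only an inbound remote-control session from server_ip.

    pcAnywhere and VNC differ only in the listening port, which is exactly the
    single change the article describes.
    """
    port = {"pcanywhere": PCANYWHERE_PORT, "vnc": VNC_PORT}[tool]
    return server_only_policy(tool, server_ip, [("tcp", "inbound", port)], one_time)


def retarget_port(policy: FilterPolicy, old_port: int, new_port: int) -> FilterPolicy:
    """Rewrite every rule on old_port to new_port (e.g. 5631 -> 5900)."""
    new_rules = tuple(replace(r, remote_port=new_port) if r.remote_port == old_port else r
                      for r in policy.rules)
    return replace(policy, rules=new_rules)


if __name__ == "__main__":
    # Constructed server address and sample traffic, not taken from the article.
    server = "10.1.2.3"
    pca = remote_control_policy(server, "pcanywhere")
    vnc = retarget_port(pca, PCANYWHERE_PORT, VNC_PORT)
    samples = [
        Packet("tcp", "inbound", server, VNC_PORT),        # VNC from the server
        Packet("tcp", "inbound", server, PCANYWHERE_PORT), # old pcAnywhere port
        Packet("tcp", "inbound", "10.9.9.9", VNC_PORT),    # VNC from another host
        Packet("udp", "inbound", server, VNC_PORT),        # wrong protocol
        Packet("tcp", "outbound", "8.8.8.8", 53),          # unrelated outbound traffic
    ]
    for pkt in samples:
        print(f"{vnc.name}: {pkt} -> {vnc.evaluate(pkt)}")
```

Running the block shows that after the port retarget only the VNC session from the defined server is allowed; the old pcAnywhere port, any other host, another protocol and all unrelated traffic fall through to the default drop, which is the behaviour the customized filter is meant to enforce.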

The customized network filters are currently unique to the Symantec Management platform - specifically the ability to easily and quickly define, along with determining a default vs. one-time use.

Are there other ideas out there on using customized network filters? I'm very interested to hear about them.

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries