Intel Corp will offer its OEMs and software partners a little more in the way of security with its 2007 line of vPro business desktop chipsets, codenamed ‘Weybridge.’
The bundles will feature some rudimentary network firewall capabilities, as well as the long-promised memory protection capabilities of the technology codenamed LaGrande.
The company isn’t prepared to say when the chips will ship, beyond the second half. It will be the second vPro-branded bundle from Intel, following up September’s apparently successful release.
Weybridge’s highlight would appear to be Trusted Execution Technology, formerly LaGrande, which Intel has been working on for at least the four years since chief executive Paul Otellini announced it.
TET is a virtualization technology built on top of a Trusted Platform Module, designed to enable software makers to protect their applications from being exploited by malware after they are installed.
It firewalls off memory spaces so they are completely isolated, said Mike Ferron-Jones, Intel’s director of digital office platform marketing.
Applications calling on these functions will be able to load themselves into protected areas of memory, and then clean all traces of themselves from the hardware’s various caches and buffers after they are terminated, he said.
Also on the security front, updates to Intel’s Active Management Technology in the 2007 vPro bundle will enable the rudiments of network firewalling and network access control to be carried out in the hardware, according to Intel.
AMT has a set of 32 or 64 filters and its own network stack that third-party software can use to block ports at the hardware level rather than in the operating system. It is already included in vPro, but it’s dormant unless called by an application.
In 2007 with Weybridge we will be offering basic filtering technology built right into the firmware, so when anybody takes one of these out of the box they will have filtering capabilities right there, said
One of the two filters Intel will include can be set to notice when there is a sudden spike of connection attempts on any given port. The other will notice when there is a spike of connections spread more uniformly over a greater number of ports.
If in 10 milliseconds you see 500 connections on the email port, it might be indicative of a worm trying to proliferate from your system, said Ferron-Jones.
This feature is obviously not a substitute for security software, but it can and will be used by security and network management vendors to improve their products. In a NAC scenario, it could help to isolate a machine at the hardware level, rather than at the OS or above.
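The two filter heuristics described above, as an added example that is not Intel’s firmware code and is not taken from the article: a sliding 10 ms window over a constructed stream of outbound connection attempts, flagging a burst on one port and a spread across many ports. The event format and the spread thresholds are assumptions; only the window and the 500-on-the-email-port figure come from the article.

```python
from collections import Counter

# Assumed event format (not from the article): one (timestamp_ms, dst_port)
# tuple per outbound connection attempt. The 10 ms window and the 500-on-the-
# email-port figure follow the article; spread thresholds are assumptions.
WINDOW_MS = 10

def detect_bursts(events, window_ms=WINDOW_MS, per_port=500,
                  spread_ports=50, spread_total=200):
    """Sliding-window version of the two filter heuristics.

    Returns a dict with up to two keys, each holding the first trigger:
      'port_burst'  -> (time_ms, port): per_port+ attempts on one port
      'port_spread' -> (time_ms, distinct_ports): spread_total+ attempts
                       across at least spread_ports different ports
    A window holds events with t > t_now - window_ms.
    """
    events = sorted(events)
    in_window = Counter()  # port -> attempts currently in the window
    alerts = {}
    start = 0
    for t_now, port in events:
        in_window[port] += 1
        while events[start][0] <= t_now - window_ms:  # expire old events
            old_port = events[start][1]
            in_window[old_port] -= 1
            if in_window[old_port] == 0:
                del in_window[old_port]
            start += 1
        if "port_burst" not in alerts and in_window[port] >= per_port:
            alerts["port_burst"] = (t_now, port)
        if ("port_spread" not in alerts and len(in_window) >= spread_ports
                and sum(in_window.values()) >= spread_total):
            alerts["port_spread"] = (t_now, len(in_window))
    return alerts

# Constructed sample streams.
def normal_browsing(n=20):
    """20 HTTPS connections spread over one second: should stay quiet."""
    return [(i * 50, 443) for i in range(n)]

def mail_burst(start_ms=5000, n=500, port=25):
    """500 SMTP attempts inside 10 ms (50 per millisecond), as in the quote."""
    return [(start_ms + i // 50, port) for i in range(n)]

def port_sweep(start_ms=8000, ports=200):
    """One attempt each on 200 different ports inside 10 ms."""
    return [(start_ms + i // 20, 1000 + i) for i in range(ports)]
```

Running detect_bursts over the three streams concatenated reports both alert kinds, while the browsing stream alone reports none.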
vPro is the business desktop part of Intel’s strategy of platformization. That is, building more high-level functionality into chip bundles, rather than just focusing on volumes of commodity processors.
It worked with Centrino, the notebook bundle, and Intel is seeking to replicate it with Viiv for consumers and vPro for businesses. Ferron-Jones said that vPro is the fastest ramping to date of these three bundles.
In addition to the new security features, Intel will also start supporting some new management standards that it helped develop — WS-Man, for Web Services Management, and the Desktop Management Working Group’s eponymous 1.0 specification.
WS-Man is there to eventually replace Alert Standard Format 2.0, a protocol used by chips to communicate back to management consoles when there’s a problem, according to Ferron-Jones.
The problem with ASF, he said, is that it’s not very extensible, and it does not support transport-layer encryption, so all communications are sent in the clear.
The adoption of DMWG 1.0 is intended to bring standardization to how computer makers implement WS-Man instructions inside their machines. Currently, Ferron-Jones said, different vendors’ PCs deal with the receipt of ASF/WS-Man commands in unpredictable ways.