User:Y717/Workspace/Part 5
Intel Active Management Technology (Intel AMT) is hardware-based technology for the remote and out-of-band management of PCs.[1][2][3][4][5] Intel AMT is currently available on PCs with Intel Core 2 processors with Intel vPro technology, and on laptop PCs built on the Centrino or Centrino 2 platform with vPro technology.[1][6]
Overview of Intel AMT
Intel AMT is a hardware- and firmware-based technology for business PCs that need to be monitored, maintained, updated, and upgraded.[1] Intel AMT is part of the Intel Management Engine, which is built into PCs with Intel vPro technology.[2] Intel AMT is designed to sit on the motherboard as a secondary processor.
AMT is not intended for a PC to manage itself; it is intended to be used together with a software management application.[1] It gives the management application, and thus the system administrator who uses it, access to the PC down the wire so that tasks which are difficult or impossible on a PC without built-in remote functionality can be carried out remotely and securely.[1][3][7][8]
Hardware-based management versus software-based management
Hardware-based management is different from, and an alternative to, software-based (in-band) management.[1][2] Hardware-based management works at a different level from software applications: it uses a communication channel through its own TCP/IP stack, whereas software-based communication passes through the software stack in the operating system. Hardware-based management therefore does not depend on the presence of an OS or on a management agent installed alongside it.
DHCP, BOOTP and WOL compared with hardware-based management via AMT
Hardware-based management has been available on Intel- and AMD-based computers before, but it was largely limited to large-scale uses such as auto-configuration with DHCP or BOOTP (dynamic IP allocation and diskless workstations) and remote power management such as Wake-on-LAN (WOL).[9]
Intel AMT adds security on top of this, such as TLS-secured communication and strong encryption.[2]
Features of Intel AMT
Intel AMT includes hardware-based remote management, security, power management, and remote configuration features.[1][10] These allow an IT technician to access an AMT PC remotely.[7]
Intel AMT relies on a hardware-based out-of-band (OOB) communication channel that operates below the OS level, so the channel is independent of the state of the OS (present, absent, unknown, corrupted, or down).[1] The channel is also independent of the PC's power state, of whether a management agent is present, and of the state of hardware components such as the hard disk drive and random-access memory.
The main feature of AMT is that OOB communication is available regardless of the PC's power state.[1] Other features require the PC to be powered up, such as console redirection via Serial over LAN (SOL), agent presence checking, and network traffic filtering.[1] Intel AMT can itself handle the remote power-up.
The hardware-based features can be combined with scripting to automate maintenance and service.[1]
Hardware-based AMT features in laptop and desktop PCs
Hardware-based AMT includes the following features:
- Encrypted, remote communication channel for network traffic between the IT console and Intel AMT.[1][2]
- Ability for a wired PC (physically connected to the network) outside the company's firewall on an open LAN to establish a secure communication tunnel (via AMT) back to the IT console.[1][2] Examples of an open LAN include a wired laptop at home or at an SMB site that does not have a proxy server.
- Remote power up / power down / power cycle through encrypted WOL.[1][2]
- Remote boot, via integrated device electronics redirect (IDE-R).[1][2]
- Console redirection, via serial over LAN (SOL).[1]
- Hardware-based filters for monitoring packet headers in inbound and outbound network traffic for known threats (based on programmable timers), and for monitoring known / unknown threats based on time-based heuristics. Laptops and desktop PCs have filters to monitor packet headers. Desktop PCs have packet-header filters and time-based filters.[1][2][11]
- Isolation circuitry (previously and unofficially called "circuit breaker" by Intel) to port-block, rate-limit, or fully isolate a PC that might be compromised or infected.[1][2][11]
- Agent presence checking, via hardware-based, policy-based programmable timers. A "miss" generates an event; you can specify that the event generate an alert.[1][2][11]
- OOB alerting.[1][2]
- Persistent event log, stored in protected memory (not on the hard drive).[1][2]
- Access (preboot) the PC's universal unique identifier (UUID).[1][2]
- Access (preboot) hardware asset information, such as a component's manufacturer and model, which is updated every time the system goes through power-on self-test (POST).[1][2]
- Access (preboot) to a third-party data store (TPDS), a protected memory area that software vendors can use to store version information, .DAT files, and other data.[1][2]
- Remote configuration options, including certificate-based zero-touch remote configuration, USB key configuration (light-touch), and manual configuration.[1][2][12]
- Protected Audio/Video Pathway for playback protection of DRM-protected media.
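The agent presence checking listed above (and described again under "Using Intel AMT": a policy-based hardware timer per critical agent, a "miss" that raises an event, and alerting only on misses so the console is not flooded with positive notifications) can be modelled as a watchdog. The following is an added example written for this page, not Intel firmware or tooling; the agent names, timeouts and heartbeat log are constructed, and time is an integer clock rather than a real hardware timer:

```python
"""Model of AMT agent-presence checking: each critical agent has a
policy-based timer; a "miss" (no check-in before the timer expires) raises
an event, while successful check-ins raise nothing, so the IT console hears
only about problems. Added illustration, not Intel firmware; agent names and
intervals are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class AgentPolicy:
    name: str         # agent being watched (constructed names below)
    timeout_s: int    # seconds allowed between check-ins
    start_s: int = 0  # grace period before the first check-in is due


@dataclass
class Watchdog:
    policies: dict[str, AgentPolicy]
    deadline: dict[str, int] = field(default_factory=dict)
    events: list[tuple[int, str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        for name, p in self.policies.items():
            assert p.timeout_s > 0, "a zero timeout would never be satisfiable"
            self.deadline[name] = p.start_s + p.timeout_s

    def heartbeat(self, t: int, name: str) -> None:
        """Agent checked in: re-arm its timer. No event is generated."""
        self.deadline[name] = t + self.policies[name].timeout_s

    def tick(self, t: int) -> None:
        """Advance the clock to t; every deadline that passed without a
        check-in is a miss. The timer is re-armed so a dead agent yields one
        event per timeout period, not one per tick."""
        for name, dl in list(self.deadline.items()):
            while dl < t:
                self.events.append((dl, name, "AGENT_PRESENCE_MISS"))
                dl += self.policies[name].timeout_s
            self.deadline[name] = dl


def run(policies: dict[str, AgentPolicy], heartbeats: list[tuple[int, str]],
        end_s: int) -> list[tuple[int, str, str]]:
    """Replay a (time, agent) heartbeat log in time order, then return the
    miss events the console would receive."""
    wd = Watchdog(policies)
    for t, name in sorted(heartbeats):
        wd.tick(t)
        wd.heartbeat(t, name)
    wd.tick(end_s)
    return wd.events


# Constructed scenario: the antivirus agent stops checking in after t=90 s,
# the backup agent keeps checking in on time.
POLICIES = {
    "antivirus": AgentPolicy("antivirus", timeout_s=60),
    "backup": AgentPolicy("backup", timeout_s=120),
}
HEARTBEATS = [(30, "antivirus"), (60, "antivirus"), (90, "antivirus"),
              (60, "backup"), (120, "backup"), (180, "backup"), (240, "backup")]


def run_scenario() -> list[tuple[int, str, str]]:
    return run(POLICIES, HEARTBEATS, end_s=300)


if __name__ == "__main__":
    for t, agent, kind in run_scenario():
        print(f"t={t:4d}s {agent:<10} {kind}")
```

In the constructed scenario the only output is three misses for the antivirus agent (at 150, 210 and 270 s); the backup agent, which never misses, produces nothing. In a real deployment each miss event would be the trigger for the OOB alert (Platform Event Trap) described later on this page.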
Additional AMT features in laptop PCs
Laptops with AMT also include wireless-related technologies:
- Support for IEEE 802.11 a/g/n wireless protocols[1][6][13][14]
- Cisco-compatible extensions for Voice over WLAN[1][6][13][14]
Intel vPro platform features
Intel AMT is the security and management technology built into PCs with Intel vPro technology.[1][9] PCs with Intel vPro also include many other "platform" (general PC) technologies and features.
Using Intel AMT
Almost all AMT features are available even if the PC is powered off, the OS has crashed, the software agent is missing, or hardware such as the hard disk drive or memory has failed.[1][2] The console-redirection feature (SOL), agent presence checking, and network traffic filters are available after the PC is powered up.[1][2]
Intel AMT supports the following management tasks:
- Remotely power up, power down, power cycle, and power reset the computer.[1]
- Remote boot the PC by remotely redirecting the PC’s boot process, causing it to boot from a different image, such as a network share, bootable CD-ROM or DVD, remediation drive, or other boot device.[1][7] This feature supports remote booting a PC that has a corrupted or missing OS.
- Remotely redirect the system’s I/O via console redirection through serial over LAN (SOL).[1] This feature supports remote troubleshooting, remote repair, software upgrades, and similar processes.
- Access and change BIOS settings remotely.[1] This feature is available even if PC power is off, the OS is down, or hardware has failed. This feature is designed to allow remote updates and corrections of configuration settings. This feature supports full BIOS updates, not just changes to specific settings.
- Detect suspicious network traffic.[1][11] In laptop and desktop PCs, this feature allows a sys-admin to define the events that might indicate an inbound or outbound threat in a network packet header. In desktop PCs, this feature also supports detection of known and/or unknown threats (including slow- and fast-moving computer worms) in network traffic via time-based, heuristics-based filters. Network traffic is checked before it reaches the OS, so it is also checked before the OS and software applications load, and after they shut down (a traditionally vulnerable period for PCs[citation needed]).
- Block or rate-limit network traffic to and from systems suspected of being infected or compromised by computer viruses, computer worms, or other threats.[1][11] This feature uses Intel AMT hardware-based isolation circuitry that can be triggered manually (remotely, by the sys-admin) or automatically, based on IT policy (a specific event).
- Manage hardware packet filters in the on-board network adapter.[1][11]
- Automatically send OOB communication to the IT console when a critical software agent misses its assigned check-in with the programmable, policy-based hardware timer.[1][11] A "miss" indicates a potential problem. This feature can be combined with OOB alerting so that the IT console is notified only when a potential problem occurs (this helps keep the network from being flooded by unnecessary "positive" event notifications).
- Receive Platform Event Trap (PET) events out-of-band from the AMT subsystem (for example, events indicating that the OS is hung or crashed, or that a password attack has been attempted).[1] You can alert on an event (such as falling out of compliance, in combination with agent presence checking) or on a threshold (such as reaching a particular fan speed).
- Access a persistent event log, stored in protected memory.[1] The event log is available OOB, even if the OS is down or the hardware has already failed.
- Discover an AMT system independently of the PC's power state or OS state.[1] Discovery (preboot access to the UUID) is available if the system is powered down, its OS is compromised or down, hardware (such as a hard drive or memory) has failed, or management agents are missing.
- Perform a software inventory or access information about software on the PC.[1] This feature allows a third-party software vendor to store software asset or version information for local applications in the Intel AMT protected memory. (This is the protected third party data store, which is different from the protected AMT memory for hardware component information and other system information). The third-party data store can be accessed OOB by the sys-admin. For example, an antivirus program could store version information in the protected memory that is available for third-party data. A computer script could use this feature to identify PCs that need to be updated.
- Perform a hardware inventory by uploading the remote PC's hardware asset list (platform, baseboard management controller, BIOS, processor, memory, disks, portable batteries, field replaceable units, and other information).[1] Hardware asset information is updated every time the system runs through power-on self-test (POST).
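The System Defense behaviour described in the task list above (and in the feature list earlier: packet-header filters, time-based heuristic filters, and the isolation circuitry that port-blocks, rate-limits or isolates a suspect PC) can be modelled as a small filter engine. The following is an added example written for this page, not Intel's firmware or the System Defense API; the packets, addresses, rule names and thresholds are constructed. It assumes, as a fact not stated on the page, that AMT's own interface listens on TCP 16992 (HTTP) and 16993 (HTTPS), and it models isolation as "drop all host traffic except that management channel" so the IT console keeps OOB access:

```python
"""Model of the AMT System Defense features described above: stateless
packet-header filters, a time-based counting filter that catches worm-like
bursts, and the isolation "circuit breaker" that cuts the host off from the
network while keeping the management channel open. Added illustration, not
Intel firmware; packets, addresses and thresholds are constructed.
"""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Header:
    direction: str     # "in" (to the PC) or "out" (from the PC)
    proto: str         # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    syn: bool = False  # TCP SYN set: a new connection attempt


@dataclass
class HeaderFilter:
    """Stateless match on header fields; a None field is a wildcard."""
    name: str
    direction: str | None = None
    proto: str | None = None
    dport: int | None = None
    syn: bool | None = None

    def matches(self, h: Header) -> bool:
        checks = ((self.direction, h.direction), (self.proto, h.proto),
                  (self.dport, h.dport), (self.syn, h.syn))
        return all(want is None or want == got for want, got in checks)


@dataclass
class RateFilter:
    """Time-based heuristic: fires when more than `threshold` packets match
    `filt` within the last `window_s` seconds (e.g. outbound SYNs to one
    port from a host scanning the LAN, the signature of a spreading worm)."""
    filt: HeaderFilter
    threshold: int
    window_s: float
    _times: deque = field(default_factory=deque)

    def observe(self, t: float, h: Header) -> bool:
        if not self.filt.matches(h):
            return False
        self._times.append(t)
        while t - self._times[0] > self.window_s:   # drop matches outside window
            self._times.popleft()
        return len(self._times) > self.threshold


class SystemDefense:
    # AMT's own HTTP/HTTPS ports; assumed here to be the only traffic allowed
    # through once the PC is isolated, so the console keeps OOB access.
    MGMT_PORTS = {16992, 16993}

    def __init__(self, block: list[HeaderFilter], rate: list[RateFilter]):
        self.block, self.rate = block, rate
        self.isolated = False
        self.events: list[tuple[float, str]] = []

    def process(self, t: float, h: Header) -> str:
        if self.isolated:  # circuit breaker tripped: only the OOB channel passes
            return "PASS" if h.dport in self.MGMT_PORTS else "DROP:isolated"
        for f in self.block:               # stateless header filters
            if f.matches(h):
                self.events.append((t, f"blocked:{f.name}"))
                return f"DROP:{f.name}"
        for r in self.rate:                # time-based heuristic filters
            if r.observe(t, h):
                self.isolated = True       # policy: isolate on trigger
                self.events.append((t, f"isolate:{r.filt.name}"))
                return f"DROP:{r.filt.name}"
        return "PASS"


def run_scenario() -> tuple[list[str], list[tuple[float, str]]]:
    """Constructed traffic: one normal HTTPS connection, one inbound telnet
    attempt, a burst of 25 outbound SMB SYNs to distinct hosts in 6 s, then
    a normal packet and a console connection to the management port."""
    sd = SystemDefense(
        block=[HeaderFilter("no-inbound-telnet", direction="in", proto="tcp", dport=23)],
        rate=[RateFilter(HeaderFilter("smb-syn-burst", direction="out", proto="tcp",
                                      dport=445, syn=True),
                         threshold=20, window_s=10.0)],
    )
    pkts = [(0.0, Header("out", "tcp", "10.0.0.5", "93.184.216.34", 443, syn=True)),
            (0.5, Header("in", "tcp", "10.0.0.9", "10.0.0.5", 23, syn=True))]
    pkts += [(1.0 + i * 0.25, Header("out", "tcp", "10.0.0.5", f"10.0.1.{i + 1}", 445, syn=True))
             for i in range(25)]
    pkts += [(20.0, Header("out", "tcp", "10.0.0.5", "93.184.216.34", 443, syn=True)),
             (21.0, Header("in", "tcp", "10.0.0.200", "10.0.0.5", 16992, syn=True))]
    verdicts = [sd.process(t, h) for t, h in pkts]
    return verdicts, sd.events


if __name__ == "__main__":
    verdicts, events = run_scenario()
    print("\n".join(verdicts))
    print(events)
```

The 21st SMB SYN trips the rate filter at t = 6.0 s; from then on every host packet is dropped, including the later legitimate HTTPS connection, while the inbound connection to port 16992 still passes. That asymmetry is the point of the isolation circuitry: the infected host loses the network, but the sys-admin does not lose the host.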
VNC-based KVM remote control
Starting with major version 6, Intel AMT embeds a proprietary VNC server. A VNC-compatible viewer can connect to it out-of-band and obtain full KVM (keyboard, video, mouse) capability throughout the power cycle, including uninterrupted control of the desktop while the operating system loads. In addition, clients such as RealVNC's VNC Viewer Plus may provide extra functionality that makes it easier to perform and watch Intel AMT operations such as powering the computer on and off, configuring the BIOS, and mounting a remote image (IDER).
Out-of-band communication with AMT
Intel AMT is part of the Intel Management Engine. All access to the Intel AMT features is through the Intel Management Engine, which is built into the PC's hardware and firmware.[1] AMT communication depends on the state of the Management Engine, not on the state of the PC's OS.
AMT out-of-band communication is designed as a TCP/IP-based firmware stack that is part of the Intel Management Engine and built into the system hardware.[1] Because AMT has its own TCP/IP stack, remote communication addressed to AMT is handled in the network data path before the traffic is passed to the OS. A practical consequence for defenders is that a host-based firewall or a packet capture running inside the OS never sees the traffic the Management Engine consumes, so AMT activity has to be monitored from the network side (a switch mirror port or a network IDS), not from the host.
AMT out-of-band (OOB) communication: wired versus wireless PCs
Intel AMT supports wired and wireless networks.[1][6][13][15] For a wireless notebook running on battery power, OOB communication is available when the system is awake and connected to the corporate network, even if the OS is down. OOB communication is also available for wireless or wired notebooks connected to the corporate network over a host OS-based virtual private network (VPN) when the notebooks are awake and working properly.
AMT out-of-band (OOB) secure communication outside the corporate firewall
AMT version 4.0 and higher can establish a secure communication tunnel between a wired PC and an IT console outside the corporate firewall.[1][16] In this scheme, a management presence server (Intel calls this a "vPro-enabled gateway") authenticates the PC, opens a secure TLS tunnel between the IT console and the PC, and mediates communication.[1][17] The scheme is intended to help the user or PC itself request maintenance or service when at satellite offices or similar places where there is no on-site proxy server or management appliance.
Technology that secures communications outside a corporate firewall is relatively new. It also requires that an infrastructure be in place, including support from IT consoles and firewalls.
How it works
An AMT PC stores system configuration information in protected memory. For PCs version 4.0 and higher, this information can include the name(s) of appropriate "whitelist" management servers for the company. When a user tries to initiate a remote session between the wired PC and a company server from an open LAN, AMT sends the stored information to a management presence server (MPS) in the "demilitarized zone" ("DMZ") that exists between the corporate firewall and client (the user PC's) firewalls. The MPS uses that information to help authenticate the PC. The MPS then mediates communication between the PC and the company's management servers.[1]
Because communication is authenticated, a secure communication tunnel can then be opened using TLS encryption. Once secure communications are established between the IT console and Intel AMT on the user's PC, a sys-admin can use the typical AMT features to remotely diagnose, repair, maintain, or update the PC.[1]
Intel AMT security measures
Because AMT allows access to the PC below the OS level, security for the AMT features is a key concern.
Security for communications between Intel AMT and the provisioning service and/or management console can be established in different ways depending on the network environment. Security can be established via certificates and keys (TLS public key infrastructure, or TLS-PKI), pre-shared keys (TLS-PSK), or administrator password.[1][2]
Security technologies that protect access to the AMT features are built into the hardware and firmware. As with other hardware-based features of AMT, the security technologies are active even if the PC is powered off, the OS is crashed, software agents are missing, or hardware (such as a hard drive or memory) has failed.[1][2][18]
Using AMT in a secure network environment
Because in-band remote management does not usually occur over a secured network communication channel, businesses have typically had to choose between having a secure network or allowing IT to use remote management applications without secure communications to maintain and service PCs.[1]
Modern security technologies and hardware designs allow remote management even in more secure environments. For example, Intel AMT supports IEEE 802.1x, Preboot Execution Environment (PXE), Cisco SDN, and Microsoft NAP.[1]
All AMT features are available in a secure network environment. With Intel AMT in the secure network environment:
- The network can verify the security posture of an AMT-enabled PC and authenticate the PC before the OS loads and before the PC is allowed access to the network.
- PXE boot can be used while maintaining network security. In other words, an IT administrator can use an existing PXE infrastructure in an IEEE 802.1x, Cisco SDN, or Microsoft NAP network.
Intel AMT in a secured network environment: how it works
Intel AMT can embed network security credentials in the hardware, via the Intel AMT Embedded Trust Agent and an AMT posture plug-in.[1][2] The plug-in collects security posture information, such as firmware configuration and security parameters from third-party software (such as antivirus software and antispyware), BIOS, and protected memory. The plug-in and trust agent can store the security profile(s) in AMT's protected, nonvolatile memory, which is not on the hard disk drive.
Because AMT has an out-of-band communication channel, AMT can present the PC's security posture to the network even if the PC's OS or security software is compromised. Since AMT presents the posture out-of-band, the network can also authenticate the PC out-of-band, before the OS or applications load and before they try to access the network. If the security posture is not correct, a system administrator can push an update OOB (via Intel AMT) or reinstall critical security software before letting the PC access the network.
Security postures supported by Intel AMT versions
Support for different security postures depends on the AMT release:
- Support for IEEE 802.1x and Cisco SDN requires AMT version 2.6 or higher for laptops, and AMT version 3.0 or higher for desktop PCs.[1][19][20]
- Support for Microsoft NAP requires AMT version 4.0 or higher.[1]
- Support for PXE boot with full network security requires AMT version 3.2 or higher for desktop PCs.[1]
Intel AMT security technologies and methodologies
AMT includes several security schemes, technologies, and methodologies to secure access to the AMT features during deployment and during remote management.[1][2][18] AMT security technologies and methodologies include:
- Transport Layer Security, including pre-shared key TLS (TLS-PSK)
- HTTP authentication
- Single sign-on to Intel AMT with Microsoft Windows domain authentication, based on Microsoft Active Directory and Kerberos
- Digitally signed firmware
- Pseudo-random number generator (PRNG) which generates session keys
- Protected memory (not on the hard disk drive) for critical system data, such as the UUID, hardware asset information, and BIOS configuration settings
- Access control lists (ACL)
As with other aspects of Intel AMT, the security technologies and methodologies are built into the chipset.
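The "HTTP authentication" item above, and the administrator-password option listed under the security measures, are HTTP Digest authentication (RFC 2617, MD5 with qop="auth") on AMT's management interface, which listens on TCP 16992 (HTTP) and 16993 (HTTPS); neither of those facts is stated on this page and both are given here from general knowledge of AMT. The following is an added example written for this page, not Intel's implementation: it shows the client-side computation of the Authorization header and a server-side check that stores only HA1 (never the password) and rejects replayed nonce counts. The realm, user, password and URI are constructed; the one real value is the published RFC 2617 test vector used as a self-check.

```python
"""HTTP Digest authentication (RFC 2617, qop="auth", MD5) as used on AMT's
HTTP management interface: the client computes a response from a server
nonce, and the server checks it while storing only HA1, never the password.
Added illustration, not Intel's implementation. The realm, user, password,
nonce and URI below are constructed values.
"""
from __future__ import annotations
import hashlib
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password); the only secret the server keeps."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(user: str, realm: str, password: str, method: str,
                        uri: str, nonce: str, nc: str = "00000001",
                        cnonce: str | None = None) -> str:
    """Client side: the Authorization header for one request."""
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(ha1(user, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_authorization(header: str) -> dict[str, str]:
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    fields: dict[str, str] = {}
    for part in header[len("Digest "):].split(", "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields


class DigestVerifier:
    """Server side. Keeps HA1 per user and, for each nonce it issued, the
    highest nonce-count seen, so a captured header cannot be replayed."""

    def __init__(self, realm: str):
        self.realm = realm
        self.users: dict[str, str] = {}
        self.nonces: dict[str, int] = {}

    def add_user(self, user: str, password: str) -> None:
        self.users[user] = ha1(user, self.realm, password)

    def issue_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, method: str, header: str) -> bool:
        try:
            p = parse_authorization(header)
            user, nonce, nc = p["username"], p["nonce"], int(p["nc"], 16)
        except (ValueError, KeyError):
            return False
        if p.get("realm") != self.realm or p.get("qop") != "auth":
            return False
        if user not in self.users or nonce not in self.nonces:
            return False                       # unknown user or nonce we never issued
        if nc <= self.nonces[nonce]:
            return False                       # reused nonce count: replay
        expected = digest_response(self.users[user], method, p.get("uri", ""),
                                   nonce, p["nc"], p.get("cnonce", ""))
        if not secrets.compare_digest(expected, p.get("response", "")):
            return False                       # wrong password, method or URI
        self.nonces[nonce] = nc
        return True


def rfc2617_example() -> str:
    """The worked example from RFC 2617 section 3.5 (published test vector)."""
    return digest_response(ha1("Mufasa", "testrealm@host.com", "Circle Of Life"),
                           "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b")
```

Digest keeps the password itself off the wire on the plain-HTTP port, but it does not protect the request body, and a man-in-the-middle can still tamper with or observe the management traffic; that is why the page lists TLS (with PKI or PSK) alongside it, and why the HTTPS port rather than the HTTP one should carry AMT management in practice.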
Versions
Intel AMT versions can be updated in software to the next minor version. New major releases of Intel AMT are built into a new chipset, and are updated through new hardware.[2]
Management Engine firmware modules
- Active Management Technology (AMT)
- Alert Standard Format (ASF)
- Quiet System Technology (QST), formerly Advanced Fan Speed Control (AFSC)
- Trusted Platform Module (TPM)
Provisioning and integration of Intel AMT
AMT supports certificate-based or PSK-based remote provisioning (full remote deployment), USB key-based provisioning ("one-touch" provisioning), manual provisioning[1] and provisioning using an agent on the local host ("Host Based Provisioning"). An OEM can also pre-provision AMT.[12]
The current version of AMT supports remote deployment on both laptop and desktop PCs. (Remote deployment was one of the key features missing from earlier versions of AMT and which delayed acceptance of AMT in the market.)[7] Remote deployment lets a sys-admin deploy PCs without “touching” the systems physically.[1] It also allows a sys-admin to delay deployments and put PCs into use for a period of time before making AMT features available to the IT console.[21]
Intel vPro PCs can be sold with AMT enabled or disabled
PCs with Intel AMT can be sold with AMT enabled or disabled. The OEM determines whether to ship AMT with the capabilities ready for setup (enabled) or disabled. Your setup and configuration process will vary, depending on the OEM build.[12]
Intel AMT includes a Privacy Icon application, called IMSS,[22] that notifies the system's user if AMT is enabled. It is up to the OEM to decide whether they want to display the icon or not.
Disabling and re-enabling Intel AMT
Intel AMT supports different methods for disabling the management and security technology, as well as different methods for re-enabling the technology.[1][21][23][24]
Disabling Intel AMT
AMT can be partially unprovisioned using the AMT security credentials to erase configuration settings, or fully unprovisioned by erasing all configuration settings, security credentials, and operational and networking settings; or by resetting a specific jumper on the motherboard.[25]
A partial unprovisioning leaves the PC in the setup state. In this state, the PC can self-initiate its automated, remote configuration process. A full unprovisioning erases the configuration profile as well as the security credentials and operational / networking settings required to communicate with the Intel Management Engine. A full unprovisioning returns Intel AMT to its factory default state.
Re-enabling Intel AMT
Once AMT is disabled, in order to enable AMT again, an authorized sys-admin can reestablish the security credentials required to perform remote configuration by either:
- Using the remote configuration process (full automated, remote config via certificates and keys).[1]
- Physically accessing the PC to restore security credentials, either by USB key or by entering the credentials and MEBx parameters manually.[1]
Returning AMT to factory default
There is a way to totally reset AMT and return it to factory defaults. This can be done in two ways:
Setup and integration tools
Setup and integration of Intel AMT is supported by a setup and configuration service (for automated setup), an AMT Webserver tool (included with Intel AMT), and AMT Commander, an unsupported and free, proprietary application available from the Intel website.
See also
- Intel vPro
- Intel Core 2
- Intel Centrino
- Host Embedded Controller Interface (HECI)
- Alert Standard Format (ASF)
- Distributed Management Task Force (DMTF)
- Intelligent Platform Management Interface (IPMI)
- Baseboard management controller (BMC)
- Trusted Platform Module (TPM)
- Northbridge (computing) (NB)
- Southbridge (computing) (SB)
- I/O Controller Hub (ICH)
- Out-of-band management
- Lights out management
- HP Integrated Lights-Out (HP/Compaq specific)
- Intel CIRA
References
1. "Intel Centrino 2 with vPro Technology and Intel Core2 Processor with vPro Technology" (PDF). Intel (2008). Archived from the original on 2011-03-20. Retrieved 2008-08-07.
2. "Architecture Guide: Intel Active Management Technology". Intel (2008-06-26). Retrieved 2008-08-12.
3. "Remote Pc Management with Intel's vPro". Tom's Hardware Guide. Retrieved 2007-11-21.
4. "Intel vPro Chipset Lures MSPs, System Builders". ChannelWeb. Retrieved August 2007.
5. "Intel Mostly Launches Centrino 2 Notebook Platform". ChannelWeb. Retrieved July 2008.
6. "Intel Centrino 2 with vPro Technology" (PDF). Intel. Retrieved 2008-07-15.
7. "Revisiting vPro for Corporate Purchases". Gartner. Retrieved 2008-08-07.
8. "Measuring the Value of Intel Core2 Processor with vPro Technology in the Enterprise". Intel (2006). Retrieved 2008-08-14. [dead link]
9. "A new dawn for remote management? A first glimpse at Intel's vPro platform". Ars Technica. Retrieved 2007-11-07.
10. "Intel vPro Technology". Intel. Retrieved 2008-07-14.
11. "Intel Active Management Technology System Defense and Agent Presence Overview" (PDF). Intel (February 2007). Retrieved 2008-08-16.
12. "Intel Centrino 2 with vPro Technology". Intel. Retrieved 2008-06-30.
13. "New Intel-Based Laptops Advance All Facets of Notebook PCs". Intel. Archived from the original on 2008-07-17. Retrieved 2008-07-15.
14. "Understanding Intel AMT over wired vs. wireless (video)". Intel. Retrieved 2008-08-14. [dead link]
15. "Technical Considerations for Intel AMT in a Wireless Environment". Intel (2007-09-27). Retrieved 2008-08-16.
16. "Intel Active Management Technology Setup and Configuration Service, Version 5.0" (PDF). Intel. Retrieved 2008-08-04. (See the CIRA configuration discussion.)
17. "Intel AMT - Fast Call for Help". Intel (2008-08-15). Retrieved 2008-08-17. (Intel developer's blog)
18. "New Intel vPro Processor Technology Fortifies Security for Business PCs (news release)". Intel (2007-08-27). Archived from the original on 2007-09-12. Retrieved 2007-08-07.
19. Named reference "802.1x": no reference text is given on this page.
20. Named reference "Cisco SDN": no reference text is given on this page.
21. "Part 3: Post Deployment of Intel vPro in an Altiris Environment: Enabling and Configuring Delayed Provisioning". Intel (forum). Retrieved 2008-09-12.
22. http://software.intel.com/en-us/blogs/2009/07/17/intel-management-and-security-status-imss-advanced-configurations-part-9/
23. "Intel vPro Provisioning" (PDF). HP (Hewlett Packard). Retrieved 2008-06-02.
24. "vPro Setup and Configuration for the dc7700 Business PC with Intel vPro Technology" (PDF). HP (Hewlett Packard). Retrieved 2008-06-02. Note: large document.
25. "Part 4: Post Deployment of Intel vPro in an Altiris Environment Intel: Partial UnProvision vs. Full UnProvision vs. Factory Default". Intel (forum). Retrieved 2008-09-12.