Intel AMT is designed with a complete set of management functions to meet deployment needs. Let us take a closer look at just four key enabling features of Intel AMT of particular importance to Point-of-Sale as well as to other mission-critical embedded applications.
Out of Band Management
Prior to Intel AMT, remote management depended on the operating system and on a remote management software agent being up and running on the client. If the operating system (OS) locked up, the software agent stopped working and the remote management capability was lost. Intel AMT provides a completely separate hardware subsystem that runs its own dedicated TCP/IP stack and thus creates an "out-of-band" management communication channel. This subsystem inspects inbound and outbound packets before the OS has any visibility of them, so management traffic is diverted to the AMT firmware and never reaches the host network stack; one practical consequence is that host-based controls such as the OS firewall do not govern that traffic, and its exposure has to be controlled through the Intel AMT configuration and the network itself. The result is two logical network connections (one in-band, one out-of-band) sharing one physical RJ45 networking connector. This allows Intel AMT to offer a substantial number of management tasks that can significantly improve uptime and reduce maintenance costs. As illustrated in Figure 2, having a completely independent communication channel also allows remote management functions to take place regardless of the state of the OS: systems showing a blue screen, and even powered-down systems, remain accessible to the help desk or IT personnel. Maintaining connectivity enables support personnel to diagnose the failure condition more rapidly and accurately, which in turn reduces the number of physical support visits.
Serial-over-LAN Redirection Capability
One of the key features of Intel AMT is its support for Serial-over-LAN redirection. Serial-over-LAN (SOL) is a mechanism that allows the input and output of the client system's serial port to be redirected over Internet Protocol (IP) to other computers on the network, in this case the remote management server(s). With Serial-over-LAN, the POS client's text-based display output can be redirected to the remote management console. This allows the help desk to see the remote client's Power On Self Test (POST) sequence or to navigate and control the client's BIOS settings.
IDE Redirection Capability
IDE Redirection (IDER) allows an administrator to redirect the client's IDE interface to boot from an image, floppy, or CD device located in or accessible by the remote management server. Once an IDER session is established, the managed client can use the server device as if it were directly attached to one of its own IDE channels. Intel AMT registers the remote device as a virtual IDE device on the client. This can be useful for remotely booting an otherwise unresponsive computer. A failing client, for example, could be forced to boot from a diagnostic image anywhere on the network. The administrator could then take action and perform any operation, ranging from a basic boot sector repair to a complete reformatting of the client disk thereby restoring the client back to a working state.
Both SOL and IDER may be used together.
Is Intel AMT secure? This is an important question that is often asked in the early stages of Intel AMT evaluation, especially by organizations handling personal information or financial transactions, as is the case with many embedded systems such as ATMs and point-of-sale workstations. Intel AMT integrates comprehensive security measures to provide end-to-end data integrity, both within the client and between the client and the remote management server(s). IT administrators can optionally encrypt all traffic between the management console and the Intel AMT clients. This encryption is based on the standard Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocols, the same technologies used today for secure Web transactions. Because this encryption is optional, management traffic on a deployment that has not enabled it travels in the clear, so enabling TLS is part of a secure configuration rather than a default. The following paragraphs look at how each major component of the Intel AMT framework is protected: the firmware, the network protocol, and network access.
Only firmware images approved by Intel can run on the Intel AMT subsystem hardware. The flash code is authenticated with public/private key cryptography: Intel AMT firmware images are signed (not encrypted) with a firmware signing key (FWSK) pair, and a hash of the public FWSK is fixed in the Intel ME boot ROM. When the system powers up, a secure boot sequence is carried out: the boot ROM first verifies that the public FWSK stored in flash matches the hash value held in ROM, and then uses that key to check the signature on the firmware image. Only if both checks succeed does the system continue to boot from flash code. Because the root of the chain is the hash in ROM rather than the key in flash, replacing the flash key with an attacker's key fails the first check even if the image carries a valid signature under that key.
Network security is provided by the industry-standard SOAP/HTTPS protocol, the same communication security employed by leading e-commerce and financial institutions. These protocols are built into the firmware and cannot be changed. Note that the HTTPS protection applies only when the optional TLS encryption described above has been enabled; otherwise the SOAP management traffic is carried over plain HTTP.
Intel AMT supports 802.1x network access security. This allows Intel AMT to function in network environments requiring this higher level of access protection. This capability exists on both the Intel AMT-capable wired and wireless LAN interfaces.
Available authentication methods (all carried within the Extensible Authentication Protocol, EAP, framework) include:
- EAP-Transport Layer Security (TLS), a certificate-based method
- EAP-Tunneled Transport Layer Security (TTLS)
- Protected Extensible Authentication Protocol (PEAP)
- EAP-Flexible Authentication via Secure Tunneling (FAST)
- Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2), used as an inner method inside a tunnel
- Generic Token Card (GTC), likewise used as an inner method
Intel AMT also supports combinations of an outer tunneled method with an inner method, such as EAP-FAST/TLS, PEAP/MS-CHAP v2, EAP-FAST/MS-CHAP v2, EAP/GTC, and EAP-FAST/GTC. In each pair the first name is the tunnel protecting the exchange and the second is the credential exchanged inside it.
These key attributes of Intel AMT can be utilized and designed into embedded platforms to enhance the product's reliability, manageability, and serviceability.