Intel has released an embedded management technology called Active Management Technology (AMT). AMT was announced in 2005 and it is a key feature of their recently released Intel vPro processor family. AMT delivers secure hardware-based out of band management of client PCs and is intended to reduce desk-side visits by administrative staff. Intel foresees AMT will displace earlier hardware-based desktop management technologies such as:
- WOL (Wake On LAN): First released in 1997, WOL allows a shut-down, network-connected PC to be booted remotely. AMT extends these remote boot options.
- PXE (Pre-boot eXecution Environment): PXE enables a PC to be booted from a network source. The PC's NIC (network interface card) looks on the local network for a PXE boot server. AMT again extends this remote boot feature.
- ASF (Alert Standard Format): ASF is an industry standard that allows for operating system-independent out-of-band management. The technology is embedded in the Intel and Broadcom NICs on the PC motherboards, and it enables power management and receiving heartbeats from the client PCs (even when turned off) to provide advanced warning of system failures, asset tracking etc. However, while ASF has been around for a number of years and is an accepted standard, it has not been widely supported by system management vendors, as it has quite limited security and control features.
The new features offered by AMT
- AMT's out-of-band management capabilities include not only the ability to reboot PCs and send alerts, but also allow remote control, remote BIOS updates, and access to event logs and asset information regardless of system state or operating system presence. Alerting is policy based rather than based on preset criteria, allowing additional flexibility in IT processes.
- AMT's system defense feature helps prevent the spread of viruses by proactively blocking incoming threats, reactively preventing infected PCs from spreading threats to other PCs on the network, alerting IT staff when personal firewall or anti-virus software has been disabled, and automatically keeping such protective software up to date.
- AMT also provides authentication and encrypted communication of management traffic so the features can only be activated by authorized management consoles, and because AMT is hardware and firmware-based, it cannot be removed (accidentally or intentionally) by end users.
- The virtual media key feature lets a PC reboot from code on some virtual disk over the network, so if the PC has a corrupt (or viral) operating system or needs an upgrade, a patch or reconfiguration, you can reboot it from files on some other system on the LAN or from an attached USB memory device.
- A comparison of AMT with WOL and ASF is shown in the table below (taken from a recent Intel presentation to the IEEE Communications Society). More details on AMT features and architecture can be found at the sites listed in Related Links.

Some AMT limitations
Clearly, AMT is a powerful new tool for remote and out-of-band management of Intel PCs. The major third-party software management vendors, including Altiris, Cisco, CA, LANDesk and Microsoft, have all integrated support for AMT, and PCs with AMT support are being released by leading vendors. New HP and Dell business desktops now ship with vPro processors, and the Dell desktops, for example, have Altiris remote management software bundled that uses the AMT remote BIOS access/configuration/remote-reboot features. However:
- AMT is Intel proprietary. Unlike IPMI, ASF and SMASH, there is no industry standard, and AMT is not available on any AMD processor. Currently it is only available on select Intel processors (such as the vPro), and it will be a long time before it is pervasive in the PC market (maybe never?). By contrast, service processors and BMCs are now accepted, stable technologies: they are standards based and are now pervasively installed in the server market.
- AMT is a desktop client management technology, not a server technology. Intel has indicated that it intends for AMT to play a role in server management down the track, and AMT is being positioned as an appropriate solution now for managing small servers in small branches. However, SMASH, IPMI and service processors are currently the Intel management solution for all their higher-end Xeon CPU platforms, and if AMT remains proprietary it is unlikely ever to pervade the client desktop and laptop markets, let alone make any impact at all in the server world.
- Also, AMT simply does not have the features to displace service processors for server management. There is no out-of-band LAN access, as AMT works over the main production network, so it is inappropriate for administering servers in datacenters with management LANs. And while it has lots of great features for client PC management at the operating system/applications layer (particularly in a Microsoft environment), it does not offer any virtual hardware KVM, nor does it support power, temperature and fan speed monitoring etc.

In this model the MSP proxy sits behind the NAT firewall, communicates directly with the home PCs on the home LAN, and serves as a communication device for connecting through the ISP to the MSP service. Alternatively, this connection could be established through a secure tunnel from the MSP to an Opengear gateway device in the remote home (or remote small branch office).
