Intel vPro network security policies

Intel vPro includes a System Defense feature, which enforces network security policies on managed devices. Ivanti® Endpoint Manager applies a System Defense policy to Intel vPro devices. Each device filters incoming and outgoing network packets according to the defined policies.

When network traffic matches the alert conditions defined in a filter, an alert is generated and the device’s network access is blocked. The device stays disconnected from the network until you restore its access using the System Defense Remediation feature.

How Intel vPro System Defense policies are applied

When a System Defense policy is active on a managed device, the device monitors all incoming and outgoing network traffic. If a filter’s conditions are detected, the following occurs:

  1. The managed device sends an ASF alert to the core server and an entry is added to the alert log.
  2. The core server determines which policy has been violated and shuts down network access on the managed device.
  3. The device is listed in the System Defense remediation queue.
  4. To restore network access on the device, the administrator follows the appropriate remediation steps and then removes the device from the remediation queue; this restores the System Defense policy on the device.

Intel vPro System Defense policies

Intel vPro System Defense technology allows network filtering at the level of the Intel AMT chip. Systems that have been compromised and are a threat to the network can be remotely quarantined, with certain ports and IP addresses remaining open for remediation, without posing a threat to the rest of the network.

Ivanti® Endpoint Manager contains the following predefined System Defense policies.

  • BlockFTPSrvr: This policy prevents traffic through an FTP port. When packets are sent or received on FTP port 21, the packets are dropped and network access is suspended.

  • LDCBKillNics: This policy blocks traffic on all network ports except for the following management ports:

    Port description         Number range    Traffic direction    Protocol
    Ivanti management        9593-9595       Send/receive         TCP, UDP
    Intel vPro management    16992-16993     Send/receive         TCP only
    DNS                      53              Send/receive         UDP only
    DHCP                     67-68           Send/receive         UDP only

    When the core server shuts down network access on a managed device, it does so by applying this policy to the device. When the device is later removed from the remediation queue, the original policy is re-applied to the device.

  • LDCBSYNFlood: This policy detects a SYN flood denial-of-service attack: it allows no more than 10,000 TCP packets with the SYN flag set per minute. When that number is exceeded, network access is suspended.

  • UDPFloodPolicy: This policy detects a UDP flood denial-of-service attack: it allows no more than 20,000 UDP packets per minute on ports numbered between 0 and 1023. When that number is exceeded, network access is suspended.
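The four predefined policies above, modelled as packet filters in an added Python example (this is not Ivanti or Intel code). The packet dictionary, the sliding one-minute window and the constructed SYN streams are assumptions made for illustration; the port allow-list and the per-minute limits are taken from the policy descriptions.

```python
from collections import deque

PASS, DROP, SUSPEND = "pass", "drop", "suspend"
MINUTE = 60.0  # the "per minute" window the flood policies count over

# Allow-list enforced by LDCBKillNics, taken from the management-port table
KILLNICS_ALLOWED = {
    "TCP": set(range(9593, 9596)) | {16992, 16993},
    "UDP": set(range(9593, 9596)) | {53, 67, 68},
}

class RateFilter:
    """Suspends access once more than `limit` matching packets fall within one minute."""
    def __init__(self, match, limit):
        self.match, self.limit, self.seen = match, limit, deque()

    def action(self, pkt):
        if not self.match(pkt):
            return PASS
        ts = pkt["ts"]
        self.seen.append(ts)
        while ts - self.seen[0] >= MINUTE:      # slide the one-minute window forward
            self.seen.popleft()
        return SUSPEND if len(self.seen) > self.limit else PASS

def make_policy(name):
    """Return a function mapping one packet to PASS, DROP or SUSPEND."""
    if name == "BlockFTPSrvr":
        return lambda p: SUSPEND if p["port"] == 21 else PASS
    if name == "LDCBKillNics":   # quarantine: only management ports pass
        return lambda p: PASS if p["port"] in KILLNICS_ALLOWED.get(p["proto"], set()) else DROP
    if name == "LDCBSYNFlood":
        return RateFilter(lambda p: p["proto"] == "TCP" and p["syn"], 10_000).action
    if name == "UDPFloodPolicy":
        return RateFilter(lambda p: p["proto"] == "UDP" and 0 <= p["port"] <= 1023, 20_000).action
    raise ValueError(f"unknown policy {name}")

def run_policy(name, packets):
    """Apply a policy to a packet stream; after SUSPEND every later packet is dropped."""
    decide, stats = make_policy(name), {"passed": 0, "dropped": 0, "suspended_at": None}
    for pkt in packets:
        act = decide(pkt) if stats["suspended_at"] is None else DROP
        if act == SUSPEND:                      # matching packet is dropped, access cut
            stats["suspended_at"], act = pkt["ts"], DROP
        stats["passed" if act == PASS else "dropped"] += 1
    return stats

def pkt(ts, proto, port, syn=False):
    """Constructed packet record: timestamp in seconds, protocol, port, SYN flag."""
    return {"ts": ts, "proto": proto, "port": port, "syn": syn}

# Constructed samples: 10,001 SYNs in 30 s trips LDCBSYNFlood; the same count spread
# over 120 s never exceeds 10,000 in any one-minute window, so access stays up.
FAST_SYN = [pkt(i * 0.003, "TCP", 80, syn=True) for i in range(10_001)]
SLOW_SYN = [pkt(i * 0.012, "TCP", 80, syn=True) for i in range(10_001)]
```

Running `run_policy("LDCBSYNFlood", FAST_SYN)` reports 10,000 packets passed, 1 dropped and a suspension timestamp, while the slow stream is never suspended.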