IS VPRO STILL SAFE WITH WEYBRIDGE?


      Some of the most influential people in history are the ones you rarely hear about. How much did jester William Sommers influence King Henry VIII? How integral was Edison's assistant, William Joseph Hammer, to the birth of the incandescent light? Due credit rarely falls on those outside the headlines. Similarly, few may ever credit Intel with pioneering remote management.

     While the industry and analyst community is abuzz with discussions of the remote management revolution, you don't hear the word "vPro" so much these days. There are two main reasons for this that are worth bearing in mind. The first is that when vPro debuted in the spring of 2006, Intel was still heavily involved in promoting platforms rather than components. Six months later, that mindset had reversed and still has yet to change. Intel has done a formidable job of blanketing the world in Core 2 Duo messaging, and while Core 2 is promoted as a vPro component, one definitely does not equal the other. Components and platforms aren't even apples and oranges; they're more like apples and alpha waves–two entirely different discussions.



     The other side of vPro's opaque presence has to do with the complexity of platform messaging. People like "mono-messages," and vPro arrived with three pillars: performance, security, and manageability. The dual-core performance slant overlapped with messaging coming out of the consumer arena and, in the beginning, wasn't picky about emphasizing Core microarchitecture over the Pentium D's NetBurst design. As a result, the power savings story was weakened, and there wasn't a clear message tied to multi-core multitasking. The security slant vacillated between being about anti-malware packet filtering technology (System Defense) built into the motherboard and virtualized appliance technology enabled through third-party software. But the System Defense algorithms of 2006 were first-generation and hard to point at and say, "Look, it's working!" Meanwhile, the virtualized security solution vendors seemed content to wait for vPro to go mainstream before committing to a new category.

     That left manageability as vPro's one and only widely promoted message, but by the time that happened, the marketing shift from platforms to components was complete. Intel continued to work on growing and advancing vPro, and the vPro-ready DQ965GF motherboard and Core 2 Duo combo remained a favorite foundation for system builders even when the vPro platform itself was overlooked. In the end, we could say that first-generation vPro succeeded in bringing the idea of desktop PC remote management to the SMB masses. Management was no longer only an enterprise server story. People knew that desktop management was inevitable and en route. If they knew it was already shipping and affordable under the name "vPro," that was a bonus.

Enter Weybridge
     Near the end of August, Intel quietly launched Weybridge, the second generation of the vPro technology platform. Being that we at Tech Insight are eternal optimists and occasionally briefed about upcoming announcements before they happen, we hoped that there would be a big Weybridge splash in the industry. But the Intel media machine, probably correctly, had its hands full promoting quad-core, so Weybridge caused nary a ripple. Of course, that's why we're here, to make sure you're up to speed and ready to capitalize on value-add opportunities, especially if the bulk of the market hasn't caught on yet.

STICKER VALUE. Just a few key components and a pass through the validation utility earns you a badge. But the perceived value of vPro to buyers can be considerable.

     "There are certainly a lower percentage of system builders providing managed services today," says Jason Saganski, channel manager for Intel desktop boards. "But I've heard from several resellers that the promise they see is that, if they're deploying systems that are vPro-capable today, as they start deciding to move into managed services in two or three years, they'll already have an install base to go back to and say, 'Hey, 80% of your machines support this kind of enhanced service. I think the time is right for you to jump into this.' For a lot of resellers, this is a deployment period while they're gaining the education needed to get into these services in the near future."
     However, some resellers are ready now–more than probably anybody suspects–because there just isn't that much complexity in remote management. Partner up with a management console ISV, send a few techs through basic training, and have them take turns wearing the beeper for 24x7 alert support, provided that such support is even a part of your service agreements. A tech on the evening shift could apply patches and power off remote systems while the early morning tech could power them back on and confirm full client operation before 7:00 a.m. Quite literally, a reseller can go from zero to an operational managed services business in under one week.

 The advantage of Weybridge is that the reseller now has a better value proposition to offer as part of his services. The hardware message is narrower. Specifically, Weybridge is based on the Core 2 Duo processor family and the Q35 Express northbridge. By now, the Core 2 Duo as a family and its Core microarchitecture need no introduction, and we gave considerable ink in Tech Insight 5 to the 3 Series chipsets, which include the Q35.

     What we haven't detailed previously is that a stepping change in the Core 2 line last summer yielded a big advance in boosting the platform's power efficiency. The 6x50 chips, such as the 2.33 GHz E6550 and the 2.66 GHz E6750, are notable both for this stepping advance as well as the move to a 1333 MHz front side bus (FSB), not to mention the adoption of Intel TXT, which we'll cover in a bit. The stepping change lets these new models drop their idle state power consumption by about 60 percent. On paper, the new Core 2 Duos still show a maximum 65W TDP, but the idle wattage drops from 22W down to only 8W. The Q35 chipset takes a similar plunge. First-gen vPro's Q965 chipset offered 31W and 13W ratings for max and idle states. The Q35 core logic in Weybridge slides to a cool 13W and 5.5W, respectively. These drops in component-level power consumption are critical to system builders' ability to create Energy Star-compliant systems.

2D OR NOT 2D? The Core 2 Duo remains the key vPro processor. But if pricing on the Core 2 Quad is near the C2D, why settle for two cores?

     Of the three traditional components in the vPro platform–CPU, chipset, and network adapter–only the last piece hasn't changed with the move to Weybridge. Intel still uses the same 82566DM Gigabit Ethernet controller with its Q35 chipset that was present with the Q965. That said, there are numerous network-related improvements in the Weybridge platform that bear close notice, several of which work with the new fourth component required for vPro: the Trusted Platform Module (TPM).

 
THE HEART OF WEYBRIDGE. Intel's Q35 chipset, while dovetailing with the CPU and LAN controller, is the key behind vPro's top updates, fueling advances in performance, security, and power savings.

The TPM and TXT
     The TPM may not seem like a new vPro addition. Intel's popular Guardfish motherboard (DQ965GF) from last year, like all Intel vPro boards, featured the hard-mounted encryption chip, but the TPM was not a platform requirement. With Weybridge, it is, which means you're now sure to find TPMs present on third-party vPro motherboards.

     One example of how the TPM boosts security under Weybridge is for a checksum to be created of a secure boot profile. The system analyzes a normal boot configuration, applies an algorithm to the software components and boot sequence, and then creates a hash–a sort of mathematical summary or snapshot of that configuration obtainable only through that hash algorithm. This snapshot is stored in the TPM, which integrates flash memory storage in a non-hackable environment. With this snapshot created and stored, every time the vPro system boots, it can quickly analyze the boot environment and create a new checksum. If this new checksum matches the one stored in the TPM, then the system is safe and allowed to boot normally. If not, then the system can either send an alert to the remote admin or halt booting altogether.

     This TPM-based checksum confirmation eliminates the risk that vPro's virtualization capabilities will be abused. For instance, a rootkit (a collection of software tools that enable administrator-level access to a computer or network) on a desktop PC could enable a hacker to install a rogue hypervisor (the software that manages virtual machines on a system). This would essentially be a malicious virtual machine that could camouflage itself to look and act like the original virtual machine, monitor user keystrokes, access sensitive system data, and cause all manner of mayhem locally and on the LAN. However, a rogue hypervisor will not hash out to the same checksum as a TPM-guarded checksum. The boot sequence can be locked down at the motherboard level before an operating system even gets to load.
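The boot-profile checksum described above is easiest to see in code. The following Python is an added example (not the article's or Intel's code) that models a TPM-style measure-and-extend chain with SHA-256 and a reference value enrolled in a stand-in TPM; the component images and the rogue-hypervisor swap are constructed.

```python
"""Added example (not from the article): a minimal model of the TPM-backed
boot checksum. Each boot component is measured into a register the way a TPM
extends a PCR (new = SHA-256(old || digest(component))), the result is compared
with a reference stored at enrollment time, and a swapped-in hypervisor is
detected because the chain no longer matches. All images are constructed."""
import hashlib
from typing import Dict, List, Tuple

PCR_INIT = bytes(32)  # a fresh PCR starts as all zeros

# Constructed boot sequence: (component name, image bytes). Order matters,
# because each measurement is chained into the one before it.
KNOWN_GOOD_BOOT: List[Tuple[str, bytes]] = [
    ("bios",       b"vendor-bios-v1.02"),
    ("bootloader", b"grub-stage2"),
    ("hypervisor", b"approved-hypervisor-2007"),
    ("os_loader",  b"winload"),
]

def measure(component: bytes) -> bytes:
    """Digest of one component, as firmware would compute it before extending."""
    return hashlib.sha256(component).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: the register becomes H(old value || new digest).
    It is one-way, so software cannot set the PCR to a chosen value."""
    return hashlib.sha256(pcr + digest).digest()

def measured_boot(sequence: List[Tuple[str, bytes]]) -> bytes:
    """Replay a boot sequence and return the final PCR value (the 'checksum')."""
    pcr = PCR_INIT
    for _, image in sequence:
        pcr = extend(pcr, measure(image))
    return pcr

class Tpm:
    """Stand-in for the TPM's non-volatile store holding the enrolled reference."""
    def __init__(self) -> None:
        self._reference: Dict[str, bytes] = {}

    def enroll(self, name: str, sequence: List[Tuple[str, bytes]]) -> None:
        self._reference[name] = measured_boot(sequence)

    def verify(self, name: str, sequence: List[Tuple[str, bytes]]) -> str:
        """'boot' when the fresh checksum matches the enrolled one, else 'alert'.
        A real platform could also halt the boot instead of alerting the admin."""
        return "boot" if measured_boot(sequence) == self._reference[name] else "alert"

def rogue_boot() -> List[Tuple[str, bytes]]:
    """Same chain, but the hypervisor image has been replaced (constructed)."""
    return [(n, b"rogue-hypervisor" if n == "hypervisor" else img)
            for n, img in KNOWN_GOOD_BOOT]

if __name__ == "__main__":
    tpm = Tpm()
    tpm.enroll("profile", KNOWN_GOOD_BOOT)
    print("clean boot:", tpm.verify("profile", KNOWN_GOOD_BOOT))   # boot
    print("rogue hypervisor:", tpm.verify("profile", rogue_boot()))  # alert
```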



     This is one facet of the Trusted Execution Technology (TXT) that Intel builds into Weybridge and specifically in the Core 2 Duo E6x50 processors. Formerly, TXT was known by the code-name LaGrande Technology. The whole point of TXT is to use hardware security to thwart software-based attacks and exploits. A rogue hypervisor is only one example. In the same vein, Weybridge's TXT has the new ability to restrict Direct Memory Access (DMA) because virtual machines that can write to memory areas outside of their prescribed limits are a significant security risk. TXT fixes this problem in one of two ways. First, DMAs can be mapped to a specific virtual machine so that the request goes only to a specified area in memory. Alternatively, TXT can enforce specific boundaries within the memory space for DMA requests. Think of it as the difference between wooden stakes showing the boundary of a piece of acreage and an electric fence. This should seal off the possible risk of spoofed DMA requests. In yet another instance, TXT can prevent malicious access to memory from Ring 0. Without this, malware can rifle through memory pages looking for all kinds of sensitive data that can, in turn, be beamed across the Internet.

     For years, malicious software has been able to insert itself between the core system components and external devices, such as the monitor (via the frame buffer) or the keyboard and mouse, in order to relay data to an outside hacker. In 2007, TXT is locking down the most central system components because those are the ones that Intel can manufacture and control most directly. In time, you may see peripherals and graphics adapters add TXT support as well.

 
SECURITY IN LAYERS. The client protection baked into vPro starts in the CPU and works outward to other primary components and finally to compatibility with industry security standards.

Even More Security
     Trusted Execution Technology is a central piece of vPro's latest security picture, but there's more to be seen. In the same mode as TXT, Weybridge delivers Intel Virtualization Technology for Directed I/O (VT-d). This feature blocks DMA requests from hardware devices into the memory of virtual machines that have not granted those devices access. This is a necessary step for making sure that if the security of one virtual machine is compromised, it can't bleed out into other VMs on the same machine. And don't forget that even first-gen vPro had its strong security points, such as employing 128-bit TLS encryption between the admin console and remote clients. This operates much like the SSL encryption that secures reliable online retailers and shoppers. Weybridge carries all these security attributes forward from last year.
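The two DMA protections described above (per-VM remapping versus a fenced physical range) can be modeled in a few dozen lines. The Python below is an added example, not Intel's VT-d or TXT implementation; its devices, domains and addresses are constructed.

```python
"""Added example (not Intel's code): a toy model of the two DMA protections
described above. Every device is assigned to one virtual machine (a domain).
In 'remap' mode a DMA address is translated through that domain's own page
table, so a device cannot even name another VM's memory; in 'boundary' mode
the physical target must fall inside the domain's fenced range. Devices,
domains and addresses are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

PAGE = 0x1000

@dataclass
class Domain:
    name: str
    base: int   # boundary mode: physical window is [base, base + size)
    size: int
    pages: Dict[int, int] = field(default_factory=dict)  # remap: device page -> phys page

    def contains(self, pa: int, length: int) -> bool:
        return self.base <= pa and pa + length <= self.base + self.size

class DmaRemapper:
    """Stand-in for the remapping hardware between the devices and RAM."""
    def __init__(self, mode: str) -> None:
        assert mode in ("remap", "boundary")
        self.mode = mode
        self.owner: Dict[str, Domain] = {}   # device -> the domain it is assigned to

    def assign(self, device: str, domain: Domain) -> None:
        self.owner[device] = domain

    def check(self, device: str, addr: int, length: int) -> Tuple[bool, str]:
        """Decide one DMA of `length` bytes at `addr` (a device-visible address
        in remap mode, a physical address in boundary mode); return (allowed, why)."""
        dom = self.owner.get(device)
        if dom is None:
            return False, "unassigned device"
        if self.mode == "boundary":
            ok = dom.contains(addr, length)
            return ok, "inside fence" if ok else "outside fence"
        page, off = divmod(addr, PAGE)
        if off + length > PAGE:                  # keep the model to one page per DMA
            return False, "crosses page"
        if page not in dom.pages:                # the device has no mapping there
            return False, "no mapping"
        return True, f"pa=0x{dom.pages[page] * PAGE + off:x}"

def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: the NIC belongs to vm1, the disk controller to vm2,
    and the NIC tries to reach vm2's memory the way a rogue DMA request would."""
    vm1 = Domain("vm1", 0x1000_0000, 16 * PAGE, {0: 0x10000, 1: 0x10001})
    vm2 = Domain("vm2", 0x2000_0000, 16 * PAGE, {0: 0x20000})
    remap, fence = DmaRemapper("remap"), DmaRemapper("boundary")
    for r in (remap, fence):
        r.assign("nic", vm1)
        r.assign("disk", vm2)
    return {
        "nic_own_buffer_remap": remap.check("nic", 0x1040, 64),       # vm1 page 1
        "nic_into_vm2_remap":   remap.check("nic", 0x2000_0000, 64),  # not in vm1's table
        "nic_own_buffer_fence": fence.check("nic", 0x1000_0040, 64),
        "nic_into_vm2_fence":   fence.check("nic", 0x2000_0000, 64),
        "unknown_device":       remap.check("gpu", 0x0, 64),
    }
```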

     As mentioned earlier, the 2006 version of vPro introduced System Defense, a set of hardware and firmware resources baked into the southbridge and LAN controller that could detect malicious patterns in network traffic. With Weybridge, we now have time-based System Defense filters. These filters perform calculations on a few seconds of data stored in memory, such as counting the number of IP addresses hitting a given port in a certain time span. (Previous-generation System Defense analyzed packets individually, not collectively.) An unusual number of sockets opened on a port might signal malicious behavior. The system can respond in several ways. Rate limits may be imposed on network traffic. Certain ports can be shut down, or all ports can be iced, save only one for remediation, effectively putting the system in quarantine. Traditional software-based quarantining is less secure because it can still be bypassed by malware or nefarious insiders. Note that the heuristic filters in System Defense are customizable and typically set by filtering packages from ISVs, such as Altiris or LANDesk.
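Here is what a time-based filter of the kind described above does, as an added Python example that is not Intel's System Defense firmware; the thresholds, remediation port and connection records are constructed.

```python
"""Added example (not Intel's System Defense firmware): a time-based filter of
the kind described above, run over constructed connection records. It counts
distinct source IPs hitting each local port within a sliding window and
escalates from 'allow' to 'rate_limit' to 'quarantine', after which every port
except a single remediation port is closed. Thresholds and log lines are made up."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

WINDOW_SECONDS = 5.0
RATE_LIMIT_AT = 5         # distinct sources on one port inside the window
QUARANTINE_AT = 10
REMEDIATION_PORT = 16992  # constructed: the one port left open while quarantined

class TimeBasedFilter:
    def __init__(self) -> None:
        # per local port: (timestamp, source ip) hits still inside the window
        self._hits: Dict[int, Deque[Tuple[float, str]]] = defaultdict(deque)
        self.quarantined = False

    def observe(self, ts: float, src: str, port: int) -> str:
        """Feed one connection attempt (in time order); return the action taken."""
        if self.quarantined and port != REMEDIATION_PORT:
            return "drop"                       # everything but remediation is iced
        hits = self._hits[port]
        hits.append((ts, src))
        while hits and ts - hits[0][0] > WINDOW_SECONDS:
            hits.popleft()                      # expire entries older than the window
        distinct = len({s for _, s in hits})    # the collective, not per-packet, view
        if distinct >= QUARANTINE_AT:
            self.quarantined = True
            return "quarantine"
        if distinct >= RATE_LIMIT_AT:
            return "rate_limit"
        return "allow"

def parse(line: str) -> Tuple[float, str, int]:
    """Constructed record format: '<seconds> <source ip> -> :<local port>'."""
    ts, src, _, port = line.split()
    return float(ts), src, int(port.lstrip(":"))

def run(lines: List[str]) -> List[str]:
    """Run the filter over a whole log and return one action per record."""
    f = TimeBasedFilter()
    return [f.observe(*parse(line)) for line in lines]

# Constructed sample: six sources trickle onto port 80 over 15 s (never more
# than two inside any 5 s window), then eleven sources hit port 445 in about
# one second, then two more attempts arrive after the quarantine kicks in.
SAMPLE_LOG = (
    [f"{3 * i}.0 192.0.2.{i} -> :80" for i in range(6)]
    + [f"{20 + i / 10:.1f} 198.51.100.{i} -> :445" for i in range(1, 12)]
    + ["22.0 192.0.2.1 -> :80", "22.5 203.0.113.9 -> :16992"]
)

if __name__ == "__main__":
    for line, action in zip(SAMPLE_LOG, run(SAMPLE_LOG)):
        print(f"{line:32} {action}")
```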

     Additionally, there are two very common and often necessary protocols in the IT world–802.1X and Cisco Network Admission Control (NAC)–that have hitherto been at odds with out-of-band management. You could have a network that either supported these protocols or allowed for out-of-band manageability, but not both. And many admins want both. These two protocol sets govern the securing of network nodes (PCs, in this case) before they're given access to the LAN. They rely on "posture profiles" stored within the PC being presented to the 802.1X- or Cisco NAC-enabled network switch (or access point, in the case of 802.1X) for verification. Conventionally, these profiles were stored in software, so if the operating system was down, the network had to waive the 802.1X or NAC credential check for that client in order to let a console reach it. This is why Intel created its Embedded Trust Agent for Weybridge. This little bit of Cisco-certified software resides in the persistent memory resources built into all vPro motherboards. Even if the system is out-of-band, the motherboard can still present its security credentials to the network. There's no more need to allow insecure remote management.

 
DASHING INTO AMT. Many people don't realize that Intel was one of the principal authors of the DASH management standard. DASH is now a subset within Weybridge's AMT and security capabilities.

Clearing Away Confusion
     In the never-ending stream of industry brands, code names, and acronyms, it's sometimes easy to forget that Intel Active Management Technology (AMT) was a remote management solution for servers long before it reached desktops under the vPro platform umbrella. AMT is in many ways the heart of vPro, and you could argue that vPro generation updates are dependent on AMT advances. With Weybridge, we had the concurrent releases of Intel AMT 2.5 and 3.0. The difference is that 2.5 is for Centrino Pro mobile platforms, and 3.0 is for wired desktops. Intel Embedded Trust Agent is a feature that, on notebooks, requires AMT version 2.6. We're not covering this to add complexity to the subject, only to make you aware that you need to keep track of AMT versions in order to be sure which features your systems support.

     On a similar note, there's some confusion in today's market surrounding remote manageability standards. Some people seem to think that the DASH and WS-MAN standards compete with Intel AMT and vPro, and this is absolutely wrong.

     The Distributed Management Task Force was founded in 1992 as an open standards organization dedicated to developing and maintaining IT systems management technologies. In October of 2000, the DMTF released version 1.0a of the Alert Standard Format (ASF) specification. DMTF founding member Intel supplied most of the code for ASF, which defined management and alerting interfaces for systems below the level of the operating system. ASF was an early step in the relationship between clients and management consoles. The trouble with ASF is that it had too many security holes and too much room for vendor interpretation to survive.

     In October of 2004, AMD, Dell, Intel, Microsoft, and Sun came up with a new plan for DMTF adoption: Web Services for Management (WS-MAN) version 1.0. WS-MAN encrypts the console-to-client connection and uses stronger authentication to make sure only authorized management consoles are offering commands. WS-MAN is more open to add-on function support than ASF, and these add-ons can help the standard to become more secure over time. Moreover, just as WS-MAN defines management "outside the box," 2007's Desktop and mobile Architecture for System Hardware (DASH) defines management within it, allowing for functions such as remote control over power on/off states, asset inventory, alerting, and the ability to remotely configure boot selection. Like vPro, DASH also provides for heartbeat monitoring, which uses hardware resources in each client to report back to the console that applications in the approved client configuration are present and functioning normally.

     Intel AMT is not a rival system to DASH and WS-MAN. Intel was the primary code contributor to both standards. But when the industry wasn't making sufficient progress with advancing the open standards, Intel took both technologies, added more functionality to them, and called the result Active Management Technology.

     With Weybridge, Intel adds support for DASH and WS-MAN to vPro. In fact, Weybridge will support DASH 1.0 as its default internal management protocol and only implement AMT in instances where features are not defined by DASH. Intel AMT is built on top of DASH and WS-MAN, in a sense, and a console system will be able to manage DASH/WS-MAN-compatible systems and vPro systems simultaneously. It's just that the admin will have more flexibility and functionality with the vPro machines. With vPro, clients can have features such as System Defense, TXT, and the other Weybridge innovations described above. This is why pushing vPro as a system-wide platform makes more sense than limiting the discussion to remote management. DASH is a starting point that vPro only improves on. In any case, your customers should not let the DASH discussion be a purchase killer.


 
THE LEADING STAR. Intel's DQ35JO ("Johannesburg") motherboard is the go-to SKU for vPro desktops in early 2008. Based on the Q35 chipset, this board has every feature a business needs for improved ROI.

Weybridge in the Flesh
     Weybridge has a poster child: the DQ35JO. Certainly, you can find solid vPro motherboards from reputable third-party manufacturers, such as ASUS and Gigabyte. But if you have to lead with one board, we believe that the message of a validated bed of critical components all coming from one manufacturer, supported by one driver group, and backed by the best motherboard warranty in the business will carry a lot of weight with clients.

Equipped with the Q35/ICH9DO chipset, the DQ35JO is a deceptively ordinary-looking microATX board: LGA775 socket compatible with up to quad-core Core 2 processors, four DDR2 800 slots, passive aluminum heatsink on the northbridge, four expansion slots (1 x16 PCIe, 2 x1 PCIe, 1 PCI), and the usual power ports. But look more closely and you'll start to see why this affordable board is such a must-have for offices from SOHO to enterprise.

    Start with the northbridge. Buried inside the silicon is Intel's GMA 3100 integrated graphics processor, outfitted with Clear Video Technology for sharper, more vibrant video playback and full support for the Windows Vista Aero interface. Even better, the DQ35JO board integrates both VGA and DVI ports on the rear panel, enabling dual-head output for essentially no additional cost. The southbridge works with the 82566DM Gigabit controller to enable AMT 3.0 support as well as RAID 0, 1, and 5 across six onboard 3 Gb/s SATA ports. One of these six SATA ports supports conversion via an included backplane extension cable into an eSATA port compatible with external eSATA hubs. Having a full-speed eSATA backup drive can be a valuable part of a complete, protected small-office solution. Users can have up to 12 USB 2.0 ports, and there's even onboard FireWire 400.

     Aside from the usual Intel Desktop Utilities, DQ35JO buyers get Norton AntiVirus, Diskeeper 9 Home Edition, Skype, and Typepad. The Wave EMBASSY Trust Suite provides powerful TPM-based tools for data protection, and the single-user SyAM System Client makes the machine functional with SyAM management console software for clients ready to implement remote management services now.

     The DQ35JO board isn't required for success with selling vPro, but it's an easy way to slip into the vPro conversation. The board comes with Intel's three-year and advance replacement warranty, which should entice most IT buyers. With the board in place, you can move on to talking about Weybridge, both from a hardware capability and then a security standpoint. Most resellers haven't realized it yet, but vPro is one of the best tools you have for generating more business in every type of commercial account. Leverage Intel's platform and you'll be competitively ahead of the market.