Intel® vPro™ Technology
Next-Generation Streaming Clients Based on Intel® vPro™ Technology
Introduction
To improve management and security, and to reduce operational costs, many enterprises are moving towards centralized compute models in which operating systems, applications, and/or data are stored and managed centrally. The mechanisms for delivering operating systems and data to remote clients, and the resulting end-user experience, vary greatly: they range from rendering the client user interface in a remote location by using technologies such as Remote Desktop Protocol (RDP) [10], to streaming the operating system (OS) image to the clients over the network by using a Preboot eXecution Environment (PXE) [9]. The newer mechanisms, which we call Dynamic Virtual Clients (DVCs), allow IT departments to centrally manage an application or OS image while still allowing it to execute at the client end-point, for a rich and responsive end-user experience.
Along with these emerging compute models, security continues to be a major focus for IT organizations of all sizes. A critical component in delivering a multilayered security strategy is protecting access to the network through end-point access control solutions such as IEEE 802.1x [8]. These solutions allow IT departments to enforce security policies and prevent rogue or unmanaged devices from infiltrating the enterprise's network, thereby minimizing the risk of contamination and data loss or theft. Many IT organizations began to implement stricter network access control mechanisms when they introduced Wireless Local Area Networks (WLANs) [14] into their computing environments. Because a WLAN client does not need to be physically connected to a network, it is important to control its access to the network. These access control protection mechanisms and vendor solutions were subsequently also extended to the wired network infrastructure.
As IT organizations look at new mechanisms for deploying applications and OS images by using client streaming technologies such as PXE [9], they need to be aware that their new technologies have to coexist and inter-operate with other technologies, such as those used for security and access control, and this coexistence can cause problems.
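The coexistence problem can be seen in a small model of an 802.1x-controlled switch port. This is an added illustration, not code from the article or from Intel: it assumes a simplified port that forwards only EAPOL frames until a supplicant has authenticated, and a single-step credential check standing in for the full EAP exchange. A PXE client whose firmware has no supplicant sends its DHCP discover onto an unauthorized port and the frame is dropped, so the boot never starts; a client with an embedded supplicant authenticates first, after which the same DHCP traffic passes.

```python
"""Toy model of IEEE 802.1x port-based access control (added illustration).

Frames are plain dicts; only the EtherType and a short label matter here.
The credential check is a stand-in for the real EAP method negotiation.
"""
from dataclasses import dataclass, field

ETH_EAPOL = 0x888E  # EAP over LAN: always accepted, even on an unauthorized port
ETH_IPV4 = 0x0800   # carries the DHCP and TFTP traffic that PXE relies on


@dataclass
class ControlledPort:
    """A switch port whose 'controlled' side is closed until authentication."""
    valid_credentials: set           # what the authenticator (via RADIUS) accepts
    authorized: bool = False
    forwarded: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def receive(self, frame: dict) -> bool:
        """Return True if the frame is forwarded, False if it is dropped."""
        if frame["ethertype"] == ETH_EAPOL:
            self._handle_eapol(frame)
            self.forwarded.append(frame)
            return True
        if self.authorized:
            self.forwarded.append(frame)
            return True
        # Unauthorized port: every non-EAPOL frame, including DHCP, is discarded.
        self.dropped.append(frame)
        return False

    def _handle_eapol(self, frame: dict) -> None:
        # Hypothetical one-step check in place of the EAP request/response rounds.
        if frame.get("credential") in self.valid_credentials:
            self.authorized = True


def dhcp_discover() -> dict:
    """The first packet a PXE client emits (constructed sample frame)."""
    return {"ethertype": ETH_IPV4, "label": "DHCPDISCOVER"}


def eapol_auth(credential: str) -> dict:
    """An EAPOL frame carrying the supplicant's credential (constructed)."""
    return {"ethertype": ETH_EAPOL, "credential": credential}


def pxe_boot_without_supplicant() -> bool:
    """Legacy PXE firmware: no supplicant, DHCP goes straight onto the port."""
    port = ControlledPort(valid_credentials={"client-cert-ok"})
    return port.receive(dhcp_discover())


def pxe_boot_with_embedded_supplicant(credential: str = "client-cert-ok") -> bool:
    """A client whose firmware authenticates the port before PXE starts."""
    port = ControlledPort(valid_credentials={"client-cert-ok"})
    port.receive(eapol_auth(credential))      # supplicant opens the port
    return port.receive(dhcp_discover())      # now DHCP can reach the server


if __name__ == "__main__":
    print("legacy PXE on 802.1x port:", pxe_boot_without_supplicant())
    print("PXE after embedded supplicant:", pxe_boot_with_embedded_supplicant())
    print("wrong credential:", pxe_boot_with_embedded_supplicant("bogus"))
```

The model deliberately keeps the authenticator's decision as a set lookup; in a real deployment the credential is validated by a RADIUS server over EAP, and the port additionally tracks link state and re-authentication timers. The point it demonstrates is purely the ordering constraint: nothing above layer 2 leaves the client until the port is authorized, so a boot-time agent capable of 802.1x is a prerequisite for PXE on such networks.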
Over the last three years Intel has focused on embedding security and manageability functions into the hardware and firmware of corporate platforms. These security and management capabilities are included in platforms enabled with Intel® vPro™ technology [25] and include features such as secure access to the computer regardless of its power state or the health of the OS. We call this capability Out of Band (OOB) access, and it helps IT organizations significantly in their efforts to manage and troubleshoot platforms remotely, and to reduce costs and energy consumption. We enable this OOB access and many other capabilities by integrating a microcontroller into our chipsets. This microcontroller is the Intel® Management Engine (Intel® ME) [23], and it runs an embedded firmware stack, Intel® Active Management Technology (Intel® AMT) [21], that supports network connectivity, authentication, power control, and several other security and manageability functions.
In this article we describe how Intel vPro technology provides unique, novel solutions that can be utilized by enterprise IT organizations to build the next generation of streaming client platforms that provide the same flexibility as those of previous generations, without sacrificing security or user experience. Specifically, we describe how the Intel® Embedded Trust Agent [26], which is part of Intel vPro technology, provides a solution for OS streaming or PXE in 802.1x access control networks. These new mechanisms and solutions fall under the umbrella of DVCs, described earlier. Moreover, DVCs allow IT organizations to simplify management processes for updates and patches, improve data security, and deliver a robust solution for end users.
In this article we first present background information on PXE boot, 802.1x authentication protocols, and Network Access Control technologies. We describe why PXE does not work in 802.1x networks, and we examine the problems with existing workarounds. We follow this with a description of the Intel Embedded Trust Agent, and we describe how this agent enables OOB manageability in 802.1x networks. We then describe the architecture and algorithms that support PXE in 802.1x networks that use the Intel Embedded Trust Agent technology. Finally, we present some new challenges and solutions for next-generation streaming clients.
