Intel® vPro™ Technology
Next-Generation Streaming Clients Based on Intel® vPro™ Technology
Background and Problem Description
In a centralized compute model, the set of network protocols used to stream and load the OS onto a client (typically diskless) for remote boot is defined by the Preboot eXecution Environment (PXE) standard specification [9]. PXE has been around since the 1990s, and it is widely used in many industries in which diskless, end-user terminals dominate the installed compute base, including banking, finance, healthcare, education, and various other industries and institutions. PXE uses the Dynamic Host Configuration Protocol (DHCP) [18] and the Trivial File Transfer Protocol (TFTP) [19] to transfer the boot-loader (network bootstrap program or NBP) onto the client system, which in turn downloads the complete OS image onto the client from the boot server and boots that image. PXE is typically implemented as an Option ROM (OP-ROM) [9] inside the BIOS [27].
Security is an important consideration for most enterprises. 802.1x is a popular standard that many enterprises deploy to provide Layer-2 authentication in their networks. 802.1X is the IEEE standard for port-based network access control on LANs, and it is part of the IEEE 802.1 group of networking protocols. The 802.1x standard provides device authentication mechanisms that a client must complete before it is allowed to access the network on a particular LAN port. It can be used for both wired and wireless (802.11) [14] networks, and it is based on the Extensible Authentication Protocol (EAP) framework [1] defined by the Internet Engineering Task Force (IETF). EAP is an authentication framework that relies on separate EAP methods, defined in the IETF, to specify the actual authentication protocols. Different EAP methods support both certificate- and password-based authentication. The 802.1x standard is also thought of as the simplest form of Network Access Control (NAC).
NAC defines a set of protocols that is used to secure an enterprise or corporate network before the client accesses the network. It provides mechanisms for the network to evaluate a client device both in terms of access credentials (authentication) and in terms of compliance to corporate IT policies. Cisco* Network Admission Control (C-NAC) [11], Microsoft* Network Access Protection (M-NAP) [12], and Trusted Computing Group's* Trusted Network Connect (TCG-TNC) [13] are all examples of NAC implementations in the industry. Typically, NAC builds on top of 802.1x-EAP methods or other protocols, such as IPSec [16], and it defines extensions for evaluating the clients' compliance with IT policies.
In a typical 802.1x/NAC protocol exchange such as the one shown in Figure 1, a client (herein known as a supplicant or Access Requestor, AR) exchanges data/credentials with an authentication (policy) server, via an authenticator, to seek access to a network. The supplicant or AR is a piece of software running on the client OS that implements the 802.1x/EAP protocol stack; the authenticator (known as a Network Access Device, NAD) is an Ethernet switch or wireless Access Point (AP); and the authentication server is an Authentication, Authorization and Accounting (AAA) [17] server that implements the RADIUS [17] protocol to talk with the authenticator. When a client is connected to a switch (authenticator) on a port that is 802.1x enabled, the authenticator sends an EAP-Request to the client requesting its credentials. The client supplicant sends its authentication credentials (such as username/password or digital certificate) in an EAP-Response message. The switch (authenticator) relays this response to the authentication server over the RADIUS protocol. The authentication server decides whether the client should be granted network access based on IT policy and the client's credentials/data. The authentication server sends the result back to the switch (authenticator), which enforces the network access policy for the client based on that result. For example, in the case of an Ethernet switch, the result would indicate which VLAN [20] (Corporate or Guest) the client can access.
Figure 1: 802.1x/network access control network
Why PXE Fails in 802.1x/NAC Networks
One of the common problems faced by many of these enterprises as they add security (based on 802.1x/NAC) to their network infrastructure is that doing so breaks their existing OS streaming deployments, that is, PXE. As described earlier, 802.1x networks require that a client (supplicant) authenticate its credentials with the authentication server before it is granted network access. PXE does not work in 802.1x networks because the legacy BIOS contains neither an 802.1x supplicant nor provisioned authentication credentials. Before platforms with Intel vPro technology were introduced, IT network administrators had to manually configure exceptions for PXE in their corporate 802.1x networks. This process is time-consuming for IT departments and, more importantly, the exceptions also make the corporate network less secure. In the next section of this article, we describe how the Intel® Embedded Trust Agent [26] helps support OOB manageability in 802.1x/NAC networks.
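As an added illustration of the Figure 1 exchange and of why a legacy PXE client never gets past the port, the toy model below (constructed for this page, not code from the article or from Intel) reduces the authenticator, the RADIUS relay and the authentication server to Python functions, with a password-based EAP method collapsed into a single EAP-Request/EAP-Response pair. The policy database, usernames and VLAN names are constructed assumptions.

```python
"""Toy model of an 802.1x/EAP port authentication (constructed example)."""
from dataclasses import dataclass

# Constructed authentication-server policy: identity -> (secret, VLAN on success).
# A real AAA server would verify an EAP method (e.g. a certificate), not a plain string.
POLICY_DB = {"alice": ("s3cret", "Corporate")}
GUEST_VLAN = "Guest"


@dataclass
class EapMessage:
    kind: str            # "Request", "Response", "Success" or "Failure"
    identity: str = ""   # supplicant identity carried in an EAP-Response
    credential: str = "" # password/certificate stand-in carried in an EAP-Response


def authentication_server(response: EapMessage):
    """AAA server: decide on the EAP-Response relayed over RADIUS by the switch."""
    entry = POLICY_DB.get(response.identity)
    if entry is not None and entry[0] == response.credential:
        return EapMessage("Success"), entry[1]
    return EapMessage("Failure"), GUEST_VLAN


def authenticator(port_supplicant):
    """Switch port: send EAP-Request, relay the EAP-Response, enforce the VLAN.

    port_supplicant maps an EAP-Request to an EAP-Response, or to None when the
    client has no 802.1x stack at all (the legacy PXE case from the text)."""
    response = port_supplicant(EapMessage("Request"))
    if response is None or response.kind != "Response":
        # No supplicant answered: the port stays unauthenticated.
        return "Failure", GUEST_VLAN
    result, vlan = authentication_server(response)   # RADIUS round trip
    return result.kind, vlan


def os_supplicant(username, password):
    """Supplicant running on a booted client OS: answers the EAP-Request."""
    def supplicant(request):
        if request.kind == "Request":
            return EapMessage("Response", username, password)
        return None
    return supplicant


def pxe_client(request):
    """Legacy PXE OP-ROM: no supplicant, so the EAP-Request is never answered."""
    return None
```

Running `authenticator(pxe_client)` shows the diskless client landing on the guest VLAN before it can even reach DHCP/TFTP, which is exactly the exception administrators had to configure by hand.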
