Configuring System Defense policies

Intel vPro (version 2.0 and later) includes a System Defense feature, which enforces network security policies on managed devices. You can select and apply System Defense policies for managed devices.

When a System Defense policy is applied on an Intel vPro device, the device filters incoming and outgoing network packets according to the defined policies. When network traffic matches the alert conditions defined in a filter, an alert is generated and the device’s network access is blocked. The device is then isolated from the network until you complete the remediation steps for that policy.

LANDesk Management Suite contains predefined System Defense policies that you can apply to your Intel vPro devices. Each policy contains a set of filters that define what kind of network traffic is not allowed and what the resulting actions are when traffic meets the criteria of the filter.

When a System Defense policy is active on a managed device, the device monitors all incoming and outgoing network traffic. If a filter’s conditions are detected, the following occurs:

  1. The managed device sends an ASF alert to the core server and an entry is added to the alert log.
  2. The core server determines which policy has been violated and shuts down network access on the managed device.
  3. The device is listed in the System Defense remediation queue.
  4. To restore network access on the device, the administrator follows the appropriate remediation steps and then removes the device from the remediation queue; this restores the original System Defense policy on the device.

This process is described in more detail in the following sections.

Selecting and applying System Defense policies

Management Suite contains the following predefined System Defense policies that can be applied to Intel vPro devices. Policies are defined with parameters such as port number, packet type, and number of packets within a specific amount of time. When you enable a policy, it is registered with Intel vPro on the devices you have selected. Policies are saved as XML files on the managed device, in the CircuitBreakerConfig folder.
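The four-step alert, block, queue and remediate cycle described above, and the rate-style filter parameters (port number, packet type, packet count within a time window), as an added illustration that is not LANDesk or Intel code and does not reproduce the real CircuitBreakerConfig XML format. The filter and device names, the alert tuple, and the module-level remediation queue are all constructed for this example.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Filter:
    """Constructed rate filter: more than max_packets packets matching
    port and packet_type within window seconds trips an alert."""
    name: str
    port: int
    packet_type: str   # "TCP" or "UDP"
    max_packets: int
    window: float


@dataclass
class DeviceState:
    policy: str                 # name of the active System Defense policy
    network_blocked: bool = False
    alert_log: list = field(default_factory=list)
    history: dict = field(default_factory=dict)  # filter name -> deque of timestamps


remediation_queue: set = set()   # devices awaiting operator remediation


def inspect_packet(device_id, state, filters, ts, port, packet_type):
    """Steps 1-3: evaluate one packet against the policy's filters.
    Returns True if this packet tripped a filter and blocked the device."""
    for f in filters:
        if port != f.port or packet_type != f.packet_type:
            continue
        hist = state.history.setdefault(f.name, deque())
        hist.append(ts)
        while hist and ts - hist[0] > f.window:   # drop packets outside the window
            hist.popleft()
        if len(hist) > f.max_packets and not state.network_blocked:
            state.alert_log.append((ts, device_id, state.policy, f.name))  # alert log entry
            state.network_blocked = True              # core server cuts network access
            remediation_queue.add(device_id)          # device listed in the queue
            return True
    return False


def remediate(device_id, state):
    """Step 4: after the operator has fixed the cause, remove the device from
    the queue; this restores the original policy and network access."""
    remediation_queue.discard(device_id)
    state.network_blocked = False
    state.history.clear()
    return state.policy
```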

To select a System Defense policy for all Intel vPro devices
  1. On the core server, click Configure > Intel vPro options > General configuration.
  2. Under Default System Defense setting, select a policy from the list.
  3. Click OK.

To select a System Defense policy for one Intel vPro device
  1. In the All devices list, right-click a managed Intel vPro device and select Intel vPro System Defense Policies.
  2. Select a policy from the list.
  3. Click Set Policy.

Turning on Enhanced System Defense

For devices equipped with Intel vPro 3.0 or later, you can enable Enhanced System Defense. This feature prevents malicious software attacks by continuously inspecting network traffic and evaluating it with enhanced heuristic filtering rules. It identifies and blocks suspicious behavior such as repeated actions generated by worms.

When suspicious behavior is detected, the device causing the problem is isolated from further network communication except for a remediation port, through which Management Suite can reinstate the System Defense policy and restore a network connection after the problem has been resolved.

To turn on Enhanced System Defense for all Intel vPro devices
  1. On the core server, click Configure > Intel vPro options > General configuration.
  2. Under Default Enhanced System Defense setting, select Turn on.
  3. Click OK.

To turn on Enhanced System Defense for one Intel vPro device
  1. In the All devices list, right-click a managed Intel vPro device and select Intel vPro Enhanced System Defense.
  2. Click Turn on Enhanced System Defense, then click Set Configuration.

Restoring network access to devices in the remediation queue

If a device’s network access is suspended because of a System Defense policy, the device is listed in the remediation queue. It remains there until you remove it from the list, which reinstates the active policy on that device. Before you do that, you need to resolve the issue that placed the device in the queue. For example, if FTP traffic was detected, you need to verify that appropriate actions are taken to prevent further FTP traffic on the device.

To remove a device from the remediation queue
  1. Click Configure > Intel vPro options > System Defense Remediation.
  2. Select the devices that can have their original System Defense policy restored and click Remediate.

To remediate devices with Enhanced System Defense, click Configure > Intel vPro options > Enhanced System Defense Remediation in step 1 above.