Calvin_S_Intel
Employee

Networking filter and policy (System defense/Circuit breaker)

Hi,

I have played around with the filter and policy for a while but am still not so clear about the usage. I have some questions for anyone who is familiar with the setting.

1. How to set up an intranet-only policy (e.g. the intranet starts from 192.168.xxx.xxx)
2. How to set up an FTP block policy
3. Is there any advanced usage that it can do?

After I enable one policy in AMT DTK -> Networking -> Policy, when an event (for example a watchdog) is triggered, the policy will be changed to another policy. The question is which feature has the highest priority: environment detection, watchdogs or heuristics policy?

Is there any document that has the detailed information on it?

Any feedback is welcome ^^

Cal

Andrew_S_Intel2
Employee


The two documents out of the SDK I'd recommend are the System Defense and Agent Presence.pdf and Intel AMT WS-Management Flows.pdf. Note that the examples in the System Defense and Agent Presence pdf are against the legacy interface, and you should use the WS-Man interface instead, but the System Defense and Agent Presence PDF is still useful for understanding the higher level details.

The content in the WS-Management_Class_Reference folder will also be useful; the classes you are interested in will be under System Defense and Heuristics in the menu (open the index.html file in this folder to navigate through the classes).

Now, on to your specific questions.

1. For filtering on the local network (192.168.x.x), you could set up filters to only allow traffic from the local network and only allow traffic to be sent to the local network (this would be two separate filters, one for outgoing and one for receiving). For this you'd use the AMT_IPHeadersFilter class. A good example of creating a filter that leverages WinRM can be found in the Windows\Intel_AMT\Samples\WS-Management\SystemDefense\c# folder in the SDK; look for the CreateIpHeadersFilter in the SystemDefense.cs file. For the Transmit filter, you'd want to filter on IPv4 packets, and use the HdrDestAddress and HdrDestMask properties to specify the local network appropriately. For the Receive filter, you'd want to filter on IPv4 packets, and then use the HdrSrcAddress and HdrSrcMask to specify the local network appropriately. You'd also want to use the IsNegated property (part of the base class that AMT_IPHeadersFilter descends from; see the class definitions I mentioned previously for more details). Then you'd create a policy that included both filters, and set the RxDefaultDrop and TxDefaultDrop properties to true (see the CreatePolicy function in the code example I mentioned).

2. The capability to filter on the Application level of the OSI stack (including FTP) isn't available in the System Defense functionality. The filtering is on the Transport, Network, and Datalink layers. However, the standard ports for FTP are 20 and 21, and you can create a filter to block those ports. You would create a filter, and use HdrDestPortStart and HdrDestPortEnd to block all packets going to ports 20 and 21 from the system.

3. Could you be more specific on advanced features? Alternatively, you could look through the classes in the WS-Man definitions to get a better feel for the exact functionality allowed.

The priorities for policies (regardless of what triggers those policies: Agent Presence, Heuristics, Environment Detection, or manually setting the policy) are entirely driven by the Precedence value set in the policies. If you set a manual policy with Precedence 3, and Agent Presence triggers and attempts to set a policy with Precedence 5, the new policy will be set. If the Precedence matches, it might or might not be set.
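To make the answer above concrete, here is a small offline model of the filter, default-drop and precedence semantics it describes. This is an added example, not code from the thread or from the Intel AMT SDK; the property names follow the answer, while the per-filter `drop` action flag, the packet fields and the tie-breaking in `apply_trigger` are assumptions of the model.

```python
# Added model of System Defense semantics (not Intel SDK code). Property names
# follow the thread: HdrSrcAddress/Mask, HdrDestAddress/Mask, HdrDestPortStart/End,
# IsNegated, RxDefaultDrop/TxDefaultDrop, Precedence. The `drop` action flag and
# the packet fields are assumptions of this model.
import ipaddress
from dataclasses import dataclass

@dataclass
class IpHeadersFilter:
    direction: str             # "tx" (transmit) or "rx" (receive)
    src: str = "0.0.0.0/0"     # HdrSrcAddress + HdrSrcMask, written as one CIDR
    dst: str = "0.0.0.0/0"     # HdrDestAddress + HdrDestMask, written as one CIDR
    dport: tuple = (0, 65535)  # HdrDestPortStart, HdrDestPortEnd
    is_negated: bool = False   # IsNegated: invert the header match
    drop: bool = False         # assumed action: drop on match, otherwise pass

    def matches(self, src_ip, dst_ip, dst_port):
        hit = (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
               and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
               and self.dport[0] <= dst_port <= self.dport[1])
        return hit != self.is_negated  # IsNegated flips the result

@dataclass
class Policy:
    precedence: int                # Precedence: higher value wins when policies compete
    filters: list
    rx_default_drop: bool = False  # RxDefaultDrop: drop received packets no filter matched
    tx_default_drop: bool = False  # TxDefaultDrop: drop sent packets no filter matched

    def verdict(self, direction, src_ip, dst_ip, dst_port):
        """'pass' or 'drop' for one packet: first matching filter decides, else default."""
        for f in self.filters:
            if f.direction == direction and f.matches(src_ip, dst_ip, dst_port):
                return "drop" if f.drop else "pass"
        drop = self.rx_default_drop if direction == "rx" else self.tx_default_drop
        return "drop" if drop else "pass"

LAN = "192.168.0.0/16"
# Intranet-only policy built two equivalent ways: (a) negated filters that drop
# traffic outside the LAN; (b) plain filters that pass LAN traffic plus default-drop.
INTRANET_NEGATED = Policy(3, [IpHeadersFilter("tx", dst=LAN, is_negated=True, drop=True),
                              IpHeadersFilter("rx", src=LAN, is_negated=True, drop=True)])
INTRANET_DEFAULT_DROP = Policy(3, [IpHeadersFilter("tx", dst=LAN), IpHeadersFilter("rx", src=LAN)],
                               rx_default_drop=True, tx_default_drop=True)
# FTP block from question 2: drop anything the host sends to ports 20-21.
FTP_BLOCK = Policy(5, [IpHeadersFilter("tx", dport=(20, 21), drop=True)])

def apply_trigger(active, candidate):
    """Precedence rule: a triggered policy replaces the active one only when its
    Precedence is higher; a tie is unspecified in the thread (kept active here)."""
    return candidate if candidate.precedence > active.precedence else active
```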
Calvin_S_Intel
Employee

Hi Andrew,

Regarding advanced usage, I was thinking if there is something that I can show off using policies. I didn't notice the setting of precedence; it must be the one that confused me.

I'm just about to write some small AMT utility first, and your rich information really helps me. I will need some time to digest it all, and get back to the thread if I find something new. Thanks Andrew ^^