Is there any way to make the mainboard's LAN port visible only to AMT, and disable any access from the operating system, just like a regular BMC does on server boards? Then I can plug the AMT port and the OS port into different switches to avoid security issues.
Hello HKong5,
Thank you for joining the Intel community.
This is a pretty interesting question indeed. To be honest, I've never heard about this being attempted, and the reason might be that AMT is intended for consumer systems (desktops, laptops), which usually contain only 1 Ethernet NIC and probably 1 WLAN controller. On servers it is different, because they come with a minimum of 2 NIC ports and sometimes 1 more dedicated to the BMC. If this could be done, it would probably need to be at the BIOS level. I will look for related information and will let you know.
Regards
Jose A.
Intel Customer Support
Thank you for your answer! I have a Lenovo TS440 server, which has only 1 onboard LAN port; it has no onboard BMC, so I have to use AMT for out-of-band management.
I have inserted a 10GbE NIC into a PCIe slot for regular communication, and I want the onboard NIC to be invisible to the operating system (dedicated to management, just like a regular BMC), so that if someone hacks into my system, they can't access the management network.
Hi HKong5,
In the OS, you can disable the NIC so that it is not accessible "in-band".
In this scenario, you can disable the AMT NIC (the onboard NIC) in the OS, which disables in-band access to it, and use the 10GbE NIC for in-band purposes.
Regards,
Jose A.
Intel Customer Support
Thank you, that's what I have done. I just want to ask whether there is any way to force the OS not to touch the AMT NIC, because a cracker with root privilege may re-enable the AMT NIC. So I want to find a neat way to disable OS access at the firmware layer.
Maybe I should create a point-to-point link between the firewall and the AMT port. And can I disable AMT access from localhost?
Hello HKong5,
If you are planning on using AMT, technically, in this scenario, if someone has root privilege in the OS, then they can always enable the AMT NIC in the OS. There is no way that we are aware of for the OS to stop something like this. If you just want it disabled and are not planning on using AMT, just leave it disabled in MEBx.
Regards
Jose A.
Intel Customer Support
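Since the thread concludes that a root-level user can always re-enable the shared onboard NIC, the practical defender's step is to verify, from outside the host or from a monitoring job, that the OS-side isolation still holds. The following check is an added example, not code from Intel or from this thread; it parses constructed output in the shape of `ip -j addr show` and assumes the interface name `eno1` for the onboard AMT-shared NIC and `192.168.100.0/24` for the management subnet.

```python
import ipaddress
import json

# Constructed sample in the shape of `ip -j addr show` output, trimmed to the
# fields this check uses. Not captured from the TS440 discussed in the thread.
# Expected state: onboard NIC (eno1) administratively down with no addresses,
# the PCIe 10GbE NIC (enp3s0f0) carrying the in-band address.
SAMPLE_ISOLATED = json.dumps([
    {"ifname": "lo", "flags": ["LOOPBACK", "UP"], "operstate": "UNKNOWN",
     "addr_info": [{"family": "inet", "local": "127.0.0.1", "prefixlen": 8}]},
    {"ifname": "eno1", "flags": ["BROADCAST", "MULTICAST"], "operstate": "DOWN",
     "addr_info": []},
    {"ifname": "enp3s0f0", "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
     "operstate": "UP",
     "addr_info": [{"family": "inet", "local": "10.0.10.5", "prefixlen": 24}]},
])

# Constructed sample of the failure mode from the thread: the onboard NIC has
# been brought back up in the OS and given an address on the management subnet.
SAMPLE_REENABLED = json.dumps([
    {"ifname": "eno1", "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
     "operstate": "UP",
     "addr_info": [{"family": "inet", "local": "192.168.100.20", "prefixlen": 24}]},
    {"ifname": "enp3s0f0", "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
     "operstate": "UP",
     "addr_info": [{"family": "inet", "local": "10.0.10.5", "prefixlen": 24}]},
])


def check_mgmt_isolation(ip_addr_json, mgmt_ifname, mgmt_subnet):
    """Return findings that show an in-band path into the management network.

    mgmt_ifname: the onboard NIC shared with AMT (assumed name).
    mgmt_subnet: the subnet the AMT port sits on (assumed value).
    An empty list means the OS-side isolation described in the thread holds.
    """
    net = ipaddress.ip_network(mgmt_subnet)
    findings = []
    for link in json.loads(ip_addr_json):
        name = link["ifname"]
        addrs = [a["local"] for a in link.get("addr_info", []) if a.get("family") == "inet"]
        if name == mgmt_ifname:
            # Either an administrative UP flag or a non-DOWN operstate means the
            # OS has brought the shared NIC back.
            if "UP" in link.get("flags", []) or link.get("operstate") != "DOWN":
                findings.append(f"{name}: management NIC is enabled in the OS (expected DOWN)")
            if addrs:
                findings.append(f"{name}: management NIC has OS addresses {addrs}")
            continue
        # Any other interface with an address inside the management subnet also
        # gives the OS a route into the management network.
        for addr in addrs:
            if ipaddress.ip_address(addr) in net:
                findings.append(f"{name}: address {addr} lies inside management subnet {mgmt_subnet}")
    return findings
```

On a live host, feed it the real output of `ip -j addr show` and alert on any non-empty result.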
Hello HKong5,
I am just following up to double-check if you found the provided information useful. If you have further questions please don't hesitate to ask. If you consider the issue to be completed please let us know so we can proceed to mark this ticket as resolved. This support interaction will be marked as closed automatically in the next 3 business days if no activity is received. I will follow up with you again next Thursday 2nd. If you prefer a different date just let me know.
Regards
Jose A.
Intel Customer Support Technician
Hello HKong5,
We will proceed to mark this thread as resolved. If you have further issues or questions just go ahead and submit a new post.
Regards
Jose A.
Intel Customer Support Technician