Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2917 Discussions

Are there anyway to let AMT use dedicated LAN port?

HKong5
Beginner
3,631 Views

Are there anyway to let mainboard's LAN port only visible to AMT, and disable any access from the operating system just like regular BMC does on server boards? Therefore I can plug AMT port and OS port to different switches to avoid security issues.

0 Kudos
7 Replies
JoseH_Intel
Moderator
3,601 Views

Hello HKong5,

 

Thank you for joining the Intel community

 

This is a pretty interesting question indeed. To be honest I've never heard about this been attempted and the reason might be that AMT is intended for consumer systems (desktops, laptops) which usually contain only 1 ethernet NIC and probably 1 WLAN controller. On servers, it is different because they come at a minimum with 2 NIC ports and sometimes 1 more dedicated for BMC. If this could be done it needed to be at BIOS level probably. I will look for related information and will let you know

 

Regards

 

Jose A.

Intel Customer Support

0 Kudos
HKong5
Beginner
3,601 Views

Thank you for your answer! I have a Lenovo TS440 server, which has only 1 onboard LAN port, it hasn't onboard BMC so I have to use AMT to do out band managment.

 

I'm have inserted a 10GbE NIC to PCIe slot for regular communication, and I want onboard NIC invisible to the operating system (make it dedicated for managment just like regular BMC does), therefore if someone hacks into my system, they can't access the managment network.

0 Kudos
JoseH_Intel
Moderator
3,601 Views

Hi HKong5,

 

In the OS, you can disable the NIC from it being accessible "in-band".

 

In this scenario, you can disable the AMT NIC (onboard from the OS, disabling in-band access to the NIC) in the OS and use the 10GbE NIC for in-band purposes.

 

Regards,

Jose A.

Intel Customer Support

 

0 Kudos
HKong5
Beginner
3,601 Views

Thank you, That's I have done. I just to ask there's anyway to force OS don't touch the AMT NIC. Because cracker may have root privilege to re-enable AMT NIC. So I want to find a neat way to disable OS access from firmware layer.

 

Maybe I should create a Point to Point link between firewall and AMT port. And can I disable AMT access from localhost?

0 Kudos
JoseH_Intel
Moderator
3,598 Views

Hello HKong5,


If you are planning on using AMT, technically, in his scenario, if someone has root privilege to OS, then they can always enable the AMT NIC in the OS. There is no way that we are aware of the OS to stop something like this. If you just wants it disabled and are not planning on using AMT, just leave it disabled in MEBx.


Regards

 

Jose A.

Intel Customer Support


0 Kudos
JoseH_Intel
Moderator
3,571 Views

Hello HKong5,


I am just following up to double-check if you found the provided information useful. If you have further questions please don't hesitate to ask. If you consider the issue to be completed please let us know so we can proceed to mark this ticket as resolved. This support interaction will be marked as closed automatically in the next 3 business days if no activity is received. I will follow up with you again next Thursday 2nd. If you prefer a different date just let me know. 


Regards


Jose A.

Intel Customer Support Technician



0 Kudos
JoseH_Intel
Moderator
3,517 Views

Hello HKong5,


We will proceed to mark this thread as resolved. If you have further issues or questions just go ahead and submit a new post.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
Reply