Intel touts security with second-gen VPro PCs

Intel will release its "LaGrande" security technology in the second half of the year with the launch of its second-generation VPro business desktop technology.

The first generation of VPro-branded PCs--computers designed to be easy to manage and less susceptible to network attacks--went on sale in 2006. VPro, along with Centrino for mobile PCs and Viiv for home entertainment PCs, is a "platform" brand Intel uses to cover product bundles including processors, chipsets and network technology.

Not all PCs businesses buy are VPro models, but most corporate pilot projects lead to more widespread use, said Mike Ferron-Jones, director of Intel's digital office platform marketing. "We're positioning VPro as a step above your ordinary business PC," he said.

One major feature in the second-generation VPro, code-named Weybridge, is a security technology code-named LaGrande Technology (LT) and now formally bearing the name Trusted Execution Technology (TXT). Intel began touting LaGrande in 2002.

Security is a major issue for administrators at large corporations who have had to reckon with worms and viruses that would spread like wildfire from one computer to another. Such attacks have died down since the years of LaGrande's inception, though some risk remains. LaGrande can help curtail other security risks as well, Ferron-Jones said.

TXT has three components, Ferron-Jones said. First, it stores the digital fingerprints of software in a protected region called the trusted platform module; every time the software is run, it checks to make sure the software still matches that fingerprint to see that it hasn't been compromised. Second, it walls off an application's memory so that other applications, operating systems or hardware can't change it. And third, if an application crashes or is crashed, TXT scrubs its data from memory and chip caches so attack software can't snoop for residual data.

Another security feature is a new version of Intel Active Management Technology that can nip worm propagation in the bud. The current VPro systems must be programmed by a third party, but Intel will build into the second version some basic abilities to detect suspicious network traffic so that potentially infected PCs can be isolated from corporate networks, Ferron-Jones said.

"Every customer who buys the Weybridge platform will be able to get a baseline of filtering," he said.

Another new feature in the Weybridge version of VPro will be support for two new remote management standards, one called Web Services Management and another from a committee called the Desktop Mobile Working Group.

Weybridge will debut in desktop PCs in the second half of 2007. For mobile PCs, the first-generation VPro will arrive in Intel's "Santa Rosa" version of Centrino in the second quarter of 2006, and the second-generation will arrive in 2008, Ferron-Jones said.

[caelli]

Intel LaGrande - grand or shrunk?

The LaGrande article makes some claims as did the original 2002 Intel announcement (See C/Net article referenced in this article). BUT --- and BUT again -- that whole LaGrande technology, was clearly linked at the time with Microsoft's "Palladium" (later NGSCB) scheme for security. What this involved, and IT WAS SEEN AS CRUCIAL AT THE TIME, was a new protection "ring" structure for the Intel Pentium, the so-called "Ring -0". Coupled with what Microsoft then called its "Nexus" trusted sub-operating system scheme, this whole package was to provide high trust in the vital CHANNELS between the parts of the PC, e.g. the keyboard, mouse, smart card reader/writer, screen, etc. And it was to be intimately conencted to that Trusted Platform Alliance (now Trusted Platform Group) TPM (Trusted Platform Module) chip and supporting software/firmware.

Of course all this, in principle, just would NOT be needed if the original MULTICS based security design of Intel's IA32, 4-ring, segmented and capability enforcing memory, structure had been used and maintained!!! It wasn't - and that is history as the riskier RISC 2-state machine philosophy of the late 1980s took hold (MS Windows'NT, LINUX, etc)

So - C/Net News - help - just WHAT HAS INTEL ANNOUNCED? Is this the "LaGrande" of 2002/3? Are there now 5 protection rings? Does Intel offer a new "NEXUS" style security enforcing sub-system? How on earth does all this fit with a dual core (32/64bit) structure? How does it all work in a pure 64bit sturcture (Itanium style, etc.)?

Great article but - wow - what question it raises!!

Intel - give us the full details - "where's the beef?"

Bill Caelli

[Stating]

Seems Like Thin Client, Fat Server A Better Model

You have companies like Intel and Microsoft trying to throw yet more complexity and $cost at a problem that they have failed to solve now for the past 15 years. A decentralized solution to a decentralized problem won't work.

The worse the problem of PC infections becomes, the more I gravitate to the Sun Microsystems model of thin clients and fat servers (I know, McNealy didn't invent this, but he sure championed it). It's a lot easier to protect one big server, running one copy of the OS, one set of application programs, one set of security patches, one antivirus/spyware program, and one firewall, than to maintain 100s or 1,000s of individual PCs sitting out there in Userland. It's also a really stupid use of resources when you consider how much CPU/memory/disk idle time that $2,000 device on your desktop has vs. how much heat and power it consumes. What's the total actual utilization time that the resources are busy working at the speed of light, a few minutes a day? SETI figured that out when they distributed their signal crunching screensaver.