Blocking out-of-band external requests to Intel AMT's network ports

Hello,

I’ve been wondering about whether IPFire is suitable for monitoring/blocking out-of-band communication originating from Intel AMT and/or blocking external requests to Intel AMT’s known network ports.

I know nothing about Intel AMT. A little reading.

You could make a service group with the ports you want to block, from Any zone.
And/or limit users of said service group.
Not sure if this is what you’re looking to do?

Hi,

welcome to the IPFire community. :slight_smile:

This depends on the system on which the Intel AMT in question is present. If that is another machine in your network, IPFire can restrict such connections - they are ordinary TCP/IP connections after all - in the same way it can deal with any other network connection.

However, if Intel AMT is active on the same hardware IPFire is running on, there is little it can do about that, as Intel AMT and similar techniques are designed to run independently of any operating system. If so, you can either disable AMT (and hope that the proprietary mainboard firmware will really do so), or switch to different hardware.

A while ago, I wrote a short blog series where I rambled a bit about various IT security aspects relevant to IPFire users. Given your question, the firewall part of this series might be an interesting read.

Thanks, and best regards,
Peter Müller

6 Likes

Thank you for the hearty welcome. :smile:

Yes, it’s another machine that I’d like to restrict connections to and from, not the one that will have IPFire installed onto (non-Intel). I’d like to restrict all connections listed in the table in the Intel® AMT SDK Implementation and Reference Guide.

1 Like

Hi,

thanks for your reply.

I see, this should be rather simple then: Create a service group containing all these ports, and create a firewall rule permitting or denying network traffic to this service group on the system in question afterwards.

(It is best to deny all network connections, and only allow the source IP addresses you expect management traffic from. Your mileage may vary, and depends on your network though. :slight_smile: )

Thanks, and best regards,
Peter Müller

3 Likes
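As an added worked example of the policy described in that reply (this is not IPFire’s own configuration, which the Firewall Rules page writes and turns into iptables chains for you; it is the plain iptables commands that a "deny all, allow one management source" rule for an AMT service group boils down to). The port list is assumed from Intel’s AMT documentation (16992 HTTP, 16993 HTTPS, 16994/16995 redirection for SOL/IDE-R, plain and over TLS, 623/664 RMCP/ASF, 5900 for AMT KVM when it is enabled); check it against the table you are using. The addresses, the `gen_amt_rules`/`count_drops` names and the `AMT-DENY` log prefix are made up for the example:

```shell
#!/bin/sh
# Added example, not IPFire's rule format. Emits the iptables commands the
# described policy needs, as text, so they can be reviewed before being run
# on a test box (pipe into `sh` to apply on a plain iptables host).

# Ports assumed from Intel's AMT documentation; adjust to your table.
AMT_PORTS="623,664,5900,16992,16993,16994,16995"

# gen_amt_rules MGMT_SRC AMT_HOST
#   MGMT_SRC  address or CIDR allowed to reach the AMT ports (your choice)
#   AMT_HOST  address of the machine whose AMT is being fenced off
# For TCP and UDP (RMCP is registered for both): one ACCEPT from the
# management source, then a LOG and a DROP for everyone else. Order
# matters: the ACCEPT must come before the DROP in the chain.
gen_amt_rules() {
    mgmt_src=$1
    amt_host=$2
    for proto in tcp udp; do
        printf 'iptables -A FORWARD -p %s -s %s -d %s -m multiport --dports %s -j ACCEPT\n' \
            "$proto" "$mgmt_src" "$amt_host" "$AMT_PORTS"
        printf 'iptables -A FORWARD -p %s -d %s -m multiport --dports %s -j LOG --log-prefix "AMT-DENY "\n' \
            "$proto" "$amt_host" "$AMT_PORTS"
        printf 'iptables -A FORWARD -p %s -d %s -m multiport --dports %s -j DROP\n' \
            "$proto" "$amt_host" "$AMT_PORTS"
    done
}

# Sanity check when the list is edited: there must be one DROP per protocol,
# otherwise a port is left reachable from anywhere.
count_drops() {
    gen_amt_rules "$1" "$2" | grep -c -- '-j DROP'
}

# Example run (constructed addresses): only the admin workstation
# 192.0.2.10 may reach the AMT ports of the managed PC 192.0.2.50.
gen_amt_rules 192.0.2.10 192.0.2.50
```

On IPFire itself you would express the same thing through the web UI: a service group holding these ports, one rule allowing the management host to that group on the target, and a rule dropping everything else to it, with logging switched on so the "AMT-DENY" hits show up in the firewall log. One caveat for the "originating from Intel AMT" half of the question: the AMT firmware shares the machine’s NIC and usually its IP address, so outbound traffic it starts looks, at the firewall, exactly like traffic from the operating system on that host; you cannot single it out by source address, only by restricting what that host as a whole may talk to.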

Note: the above links have been provided for informational/defensive purposes only.

2 Likes

Thank you for the prompt reply. :+1:

Yes, it’s another back door
to remotely manage a PC.
So one person can manage/mismanage
hundreds of PCs remotely,
instead of hiring more IT professionals
to go to the PC and manage it.
Saves time and money.
Creates no jobs.
And a nice new insecure product.

2 Likes