Intel's VPro to boost security

VPro systems, due to be broadly available in the third quarter, will be able to run security software in an environment isolated from the main operating system, making it tamper proof, Intel and security specialist Symantec said at an event here unveiling the VPro brand.

"It's perfect," Enrique Salem, senior vice president at Symantec, said in an interview. "You can't disable security. Not only can't the end-user disable it, malware can't disable it. Hardware is helping us enforce that nobody can access the bits in this sealed space."

Salem compared running security software in its own space on a PC to installing a dedicated security appliance. It will run on its own operating system with access granted only for updates to the security features. This should foil common attempts by Trojan horses that try to disable security software on PCs, for example.

Cordoning off the security software is possible through Intel Virtualization Technology (VT), new hardware support for virtualization. This allows for the creation of a secure partition on the PC, which can be used to run applications such as a firewall, intrusion prevention, antivirus and other security software, Intel and Symantec said.

"This application is very specifically endorsing virtualization at the client level," Thomas Kilroy, vice president and general manager of Intel's Digital Enterprise Group, said in an interview. "It is a killer application, if you will...Now you are able to deliver a level of manageability and security transparent to the user."

Intel is giving Symantec and other desktop security software sellers a new sales pitch as Microsoft readies its entry onto the security market, said Pete Lindstrom, an analyst with Spire Security in Malvern, Pa. "This is a pretty clear shot across the bow at Microsoft," he said.

Yet Lindstrom points out that the new security pitch won't make the security software impervious to attacks. "It is by no means clear that this software is going to withstand attacks any better than any other software," Lindstrom said. "For example, the initial trust relationship is key, as is the follow-on ability to update its management information."

The industry has made several attempts at building hardware to support security. Perhaps the highest-profile attempt was four years ago, when Microsoft unveiled Palladium, later renamed Next-Generation Secure Computing Base. NGSCB also promised to isolate parts of a computer from malicious code. In addition, it would foil attacks that use logging devices by encrypting data as it moves between hardware components in a PC.

Today, NGSCB appears to have been put on the back burner. Instead, Microsoft is adding support for another, more common hardware-based security technology to Windows Vista: the Trusted Platform Module, or TPM, which offers protected storage of encryption keys, passwords and digital certificates.

But Intel is bringing something new to the PC. Virtualization is almost unknown on client systems. It is common on high-end servers to consolidate jobs otherwise handled by a group of servers onto a single system.

VPro PCs will allow a single "service partition" that can be host to a single product. The virtualization technology is operating-system agnostic. Software makers can include any operating system they like to run their product on. Companies including Symantec already sell security appliances that run Linux, for example.

The limitation to the service partition is intentional; it will prevent any compatibility clashes between software products. "Because nothing else is happening in this virtual space, any compatibility issues go away," Salem said. "Administrators are going to be more confident in deploying updates quickly."

Several software makers are developing products to take advantage of the technology. These include Symantec, Trend Micro, CA, Altiris and LANDesk, according to information from Intel and the software companies.

VPro stickers will start appearing during the next few months on PCs that contain Intel's Conroe processor, a new chipset and an Intel networking chip, Intel CEO Paul Otellini said at the event.

VPro systems with the virtualization feature are designed for business users, not consumers, Intel stressed at the event. Symantec, however, predicts the technology, or something similar, will make it to consumer PCs at some point.

"Today we use it on business platforms," Salem said. "I expect virtualization will become a standard part of computing over time, everywhere."