Creating a Custom System Defense filter using PowerShell

Let us go over how to use the Intel vPro Technology Module for PowerShell to create a custom Intel vPro System Defense filter and policy.

This functionality is new in version 3.2.5!

First, let’s verify that no System Defense data is set, using Get-AMTSystemDefense.

[Screenshot: get-amtsystemdefense.PNG]

Nothing set – so let’s just call Set-AMTSystemDefense. This maintains the previous behavior and sets up a demo System Defense policy that blocks all traffic except management traffic to the vPro AMT!

[Screenshot: set-default.PNG]

Now clear it using Clear-AMTSystemDefense.

[Screenshot: set and clear.PNG]

What about a custom policy? Well, just pass in an XML file!

[Screenshot: set-xml.PNG]

So what is in the XML file?

Here is a look at a sample policy:

<?xml version="1.0"?>
<SystemDefensePolicySet>
  <ArrayOfFilter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <Filter xsi:type="AMT_Hdr8021Filter">
      <Name>defaultBlock</Name>
      <PolicyName>defaultPolicy</PolicyName>
      <filterSchema>http://intel.com/wbem/wscim/1/amt-schema/1/AMT_Hdr8021Filter</filterSchema>
      <CreationClassName>n/a</CreationClassName>
      <SystemName>n/a</SystemName>
      <SystemCreationClassName>n/a</SystemCreationClassName>
      <FilterProfile>1</FilterProfile>
      <FilterDirection>0</FilterDirection>
      <ActionEventOnMatch>false</ActionEventOnMatch>
      <HdrProtocolID8021>2048</HdrProtocolID8021>
    </Filter>
  </ArrayOfFilter>
  <ArrayOfPolicies xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <Policy xsi:type="AMT_systemDefensePolicy">
      <PolicyName>defaultPolicy</PolicyName>
      <PolicyPrecedence>0</PolicyPrecedence>
      <AntiSpoofingSupport>3</AntiSpoofingSupport>
      <TxDefaultDrop>false</TxDefaultDrop>
      <TxDefaultMatchEvent>false</TxDefaultMatchEvent>
      <TxDefaultCount>true</TxDefaultCount>
      <RxDefaultDrop>false</RxDefaultDrop>
      <RxDefaultMatchEvent>true</RxDefaultMatchEvent>
      <RxDefaultCount>false</RxDefaultCount>
      <Active>true</Active>
    </Policy>
  </ArrayOfPolicies>
</SystemDefensePolicySet>

A System Defense policy contains a set of filters that are applied to incoming and outgoing network packets, combined with actions to take when a packet matches or does not match the conditions in the filter.
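The sample above is hand-written. As an added example (not code from the page or from the Intel vPro Technology Module), the following script builds a document with the same layout from PowerShell objects, so that a policy and its filters are assembled consistently (matching PolicyName in the filter and the policy, lowercase booleans, the xsi:type attribute in the right namespace) before the file is handed to Set-AMTSystemDefense. Assumptions: the module accepts this layout from a file as the screenshot shows; the FilterProfile and FilterDirection codes are copied from the page's sample, whose numeric meaning the page does not define; the second filter's values (HdrProtocolID 6 for TCP, destination ports 1024 to 65535) are constructed sample data; the function and file names are this example's own.

```powershell
# Added example, not from the page or the Intel vPro module: build a
# SystemDefensePolicySet document in the layout of the sample above and save it
# for Set-AMTSystemDefense. Assumed: the module reads this layout from a file;
# FilterProfile/FilterDirection codes are copied from the sample unexplained.
$xsiNs = 'http://www.w3.org/2001/XMLSchema-instance'
$xsdNs = 'http://www.w3.org/2001/XMLSchema'
$amtSchemaBase = 'http://intel.com/wbem/wscim/1/amt-schema/1/'

function Add-TextChildren {
    # Appends one <Key>Value</Key> child per entry, keeping the given order;
    # booleans are written lowercase ("false"), as in the sample.
    param([System.Xml.XmlElement]$Parent, [System.Collections.IDictionary]$Fields)
    foreach ($key in $Fields.Keys) {
        $value = $Fields[$key]
        if ($value -is [bool]) { $value = $value.ToString().ToLowerInvariant() }
        $child = $Parent.OwnerDocument.CreateElement($key)
        $child.InnerText = [string]$value
        [void]$Parent.AppendChild($child)
    }
}

function Add-TypedElement {
    # Appends <Name xsi:type="Type"> under $Parent and returns the new element.
    param([System.Xml.XmlElement]$Parent, [string]$Name, [string]$Type)
    $element = $Parent.AppendChild($Parent.OwnerDocument.CreateElement($Name))
    $attr = $Parent.OwnerDocument.CreateAttribute('xsi', 'type', $xsiNs)
    $attr.Value = $Type
    [void]$element.SetAttributeNode($attr)
    Write-Output -NoEnumerate $element
}

function New-SystemDefensePolicyXml {
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][System.Collections.IDictionary]$PolicyFields,
        [Parameter(Mandatory)][object[]]$Filters   # @{ Type = 'AMT_...'; Fields = [ordered]@{ Name = ...; ... } }
    )
    # "Maximum length 16" is the one limit the policy field list states.
    if ($PolicyName.Length -gt 16) { throw "PolicyName '$PolicyName' exceeds the 16-character limit" }
    $doc = New-Object System.Xml.XmlDocument
    [void]$doc.AppendChild($doc.CreateXmlDeclaration('1.0', $null, $null))
    $root = $doc.AppendChild($doc.CreateElement('SystemDefensePolicySet'))

    $filterArray = $root.AppendChild($doc.CreateElement('ArrayOfFilter'))
    $filterArray.SetAttribute('xmlns:xsi', $xsiNs); $filterArray.SetAttribute('xmlns:xsd', $xsdNs)
    foreach ($f in $Filters) {
        $filter = Add-TypedElement $filterArray 'Filter' $f.Type
        # Header common to both filter classes; PolicyName ties the filter to its policy.
        Add-TextChildren $filter ([ordered]@{
            Name = $f.Fields.Name; PolicyName = $PolicyName; filterSchema = $amtSchemaBase + $f.Type
            CreationClassName = 'n/a'; SystemName = 'n/a'; SystemCreationClassName = 'n/a' })
        $rest = [ordered]@{}
        foreach ($k in $f.Fields.Keys) { if ($k -ne 'Name') { $rest[$k] = $f.Fields[$k] } }
        Add-TextChildren $filter $rest
    }

    $policyArray = $root.AppendChild($doc.CreateElement('ArrayOfPolicies'))
    $policyArray.SetAttribute('xmlns:xsi', $xsiNs); $policyArray.SetAttribute('xmlns:xsd', $xsdNs)
    $policy = Add-TypedElement $policyArray 'Policy' 'AMT_systemDefensePolicy'
    Add-TextChildren $policy ([ordered]@{ PolicyName = $PolicyName })
    Add-TextChildren $policy $PolicyFields
    return $doc
}

# Constructed sample: the page's Ethernet filter plus an IPv4 TCP filter on a
# destination port range (6 is the IANA protocol number of TCP).
$filters = @(
    @{ Type = 'AMT_Hdr8021Filter'; Fields = [ordered]@{
        Name = 'defaultBlock'; FilterProfile = 1; FilterDirection = 0
        ActionEventOnMatch = $false; HdrProtocolID8021 = 2048 } },
    @{ Type = 'AMT_IPHeadersFilter'; Fields = [ordered]@{
        Name = 'tcpHighPorts'; HdrIPVersion = 4; HdrProtocolID = 6
        HdrDestPortStart = 1024; HdrDestPortEnd = 65535
        FilterProfile = 1; FilterDirection = 0; ActionEventOnMatch = $false } }
)
$policyFields = [ordered]@{
    PolicyPrecedence = 0; AntiSpoofingSupport = 3
    TxDefaultDrop = $false; TxDefaultMatchEvent = $false; TxDefaultCount = $true
    RxDefaultDrop = $false; RxDefaultMatchEvent = $true; RxDefaultCount = $false; Active = $true }
$doc = New-SystemDefensePolicyXml -PolicyName 'customPolicy' -PolicyFields $policyFields -Filters $filters
$doc.Save((Join-Path $PWD 'custom-policy.xml'))
```

The saved custom-policy.xml is then passed to Set-AMTSystemDefense in the same way the screenshot shows. Booleans are lowercased deliberately: PowerShell stringifies $true as "True", which is not the form the sample uses.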

Policy Supported Fields

InstanceID - Enter any value (the value is overridden).

PolicyName - Enter a meaningful name (for example “ExamplePolicy”) that you can use later to search for this instance. Maximum length 16.

PolicyPrecedence - If multiple policies are activated simultaneously, the policy with the highest precedence value takes effect.

AntiSpoofingSupport - Anti-spoofing has the highest priority for blocking.

FilterCreationHandles - A list of Filter Creation Handles to be included in the Policy.

TxDefaultDrop - Specifies whether the TX packet should be dropped on filter match.

TxDefaultMatchEvent - Specifies whether an Event should be created in the Event Manager when this filter is matched.

TxDefaultCount - Specifies whether to count filter matches.

RxDefaultDrop - Specifies whether the RX packet should be dropped on filter match.

RxDefaultMatchEvent - Specifies whether an Event should be created in the Event Manager when this filter is matched.

RxDefaultCount - Specifies whether to count filter matches.

System Defense has two types of filters that can be created, an Ethernet Filter and an IP Filter.

The Ethernet Filter belongs to the class AMT_Hdr8021Filter. The 8021Filter allows 802.1 source and destination MAC addresses, as well as the 802.1 protocol ID, priority, and VLAN identifier fields, to be expressed in a single object to classify and identify traffic.

AMT_Hdr8021Filter Supported Fields

Name - Defines the label by which the Filter Entry is known and uniquely identified.

PolicyName - The name of the policy that this filter will be used in.

CreationClassName - Indicates the name of the class or the subclass used in the creation of an instance.

SystemName - The scoping ComputerSystem’s Name.

SystemCreationClassName - The scoping ComputerSystem’s CreationClassName.

HdrProtocolID8021 - This property is a 16-bit unsigned integer, representing an Ethernet protocol type.

FilterProfile - Specifies the type of behavior exhibited by the filter.

FilterDirection - Specifies the traffic direction (transmit or receive) that the filter governs.

ActionEventOnMatch - Specifies whether an Event should be created in the Event Manager when this filter is matched.

FilterProfileData - An extra data parameter which is used depending on the FilterProfile: it is left blank for Drop/Pass/Statistics filters, but is required for Rate Limit filters.

The IP Filter belongs to the class AMT_IPHeadersFilter. This filter contains the most commonly required properties for performing filtering on IP, TCP or UDP headers. Properties in an instance of the IPHeadersFilter are treated as ‘all values’.

AMT_IPHeadersFilter Supported Fields

Name - Defines the label by which the Filter Entry is known and uniquely identified.

PolicyName - The name of the policy that this filter will be used in.

CreationClassName - Indicates the name of the class or the subclass used in the creation of an instance.

SystemName - The scoping ComputerSystem’s Name.

SystemCreationClassName - The scoping ComputerSystem’s CreationClassName.

HdrIPVersion - Identifies the version of the IP addresses for IP header filters.

HdrSrcAddress - An OctetString, of a size determined by the value of the HdrIPVersion property, representing a source IP address.

HdrSrcMask - An OctetString, of a size determined by the value of the HdrIPVersion property, representing a mask to be used in comparing the source address in the IP header with the value represented by the HdrSrcAddress property.

HdrDestAddress - An OctetString, of a size determined by the value of the HdrIPVersion property, representing a destination IP address.

HdrDestMask - An OctetString, of a size determined by the value of the HdrIPVersion property, representing a mask to be used in comparing the destination address in the IP header with the value represented in the HdrDestAddress property.

HdrProtocolID - 8-bit unsigned integer, representing an IP protocol type.

HdrSrcPortStart - Represents the lower end of a range of UDP or TCP source ports.

HdrSrcPortEnd - Represents the upper end of a range of UDP or TCP source ports.

HdrDestPortStart - Represents the lower end of a range of UDP or TCP destination ports.

HdrDestPortEnd - Represents the upper end of a range of UDP or TCP destination ports.

TCPFlagsOn - A set of flags whose effective value in the TCP header of each packet must be ON for the filter to take effect.

TCPFlagsOff - A set of flags whose effective value in the TCP header of each packet must be OFF for the filter to take effect.

FilterProfile - Specifies the type of behavior exhibited by the filter.

FilterDirection - Specifies the traffic direction (transmit or receive) that the filter governs.

ActionEventOnMatch - Specifies whether an Event should be created in the Event Manager when this filter is matched.

FilterProfileData - An extra data parameter which is used depending on the FilterProfile: it is left blank for Drop/Pass/Statistics filters, but is required for Rate Limit filters.
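A policy file that violates these field definitions is only discovered once the vPro firmware rejects it, so it is worth checking the file first. The following pre-flight check is an added example (not code from the page or from the Intel vPro Technology Module) that covers the policy fields, the AMT_Hdr8021Filter fields and the AMT_IPHeadersFilter fields listed above: PolicyName present, at most 16 characters and unique; every filter's PolicyName naming a policy that exists; filter names unique; a known xsi:type; HdrProtocolID8021 within 16 bits and HdrProtocolID within 8 bits; and port ranges whose Start is not above End. Assumptions: the file layout of the page's sample; HdrIPVersion takes the CIM values 4 or 6; ports lie in 0 to 65535; the sample XML at the bottom is constructed here, with two deliberate defects, and the function names are this example's own.

```powershell
# Added example, not from the page or the Intel vPro module: a pre-flight
# check of a SystemDefensePolicySet file against the constraints stated in the
# field lists above, to run before handing the file to Set-AMTSystemDefense.
# Assumed: the layout of the page's sample; HdrIPVersion is 4 or 6 (the CIM
# values); ports lie in 0..65535 with Start <= End.
$xsiNs = 'http://www.w3.org/2001/XMLSchema-instance'

function Get-FieldText {
    # Text of a direct child element, or $null when it is absent.
    param([System.Xml.XmlElement]$Node, [string]$Name)
    $child = $Node.SelectSingleNode($Name)
    if ($null -eq $child) { return $null }
    return $child.InnerText.Trim()
}

function Test-UIntRange {
    # Records a finding unless $Value is absent or an integer within $Min..$Max.
    param([System.Collections.Generic.List[string]]$Findings, [string]$Where, [string]$Field, $Value, [long]$Min, [long]$Max)
    if ($null -eq $Value) { return }
    $n = 0L
    if (-not [long]::TryParse($Value, [ref]$n) -or $n -lt $Min -or $n -gt $Max) {
        $Findings.Add("${Where}: $Field='$Value' is not an integer in $Min..$Max")
    }
}

function Test-SystemDefensePolicyXml {
    # Returns an array of finding strings; an empty array means the file passed.
    param([Parameter(Mandatory)][string]$XmlText)
    $findings = New-Object 'System.Collections.Generic.List[string]'
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($XmlText)

    # Policies: PolicyName present, at most 16 characters (page), and unique.
    $policyNames = @{}
    foreach ($p in $doc.SelectNodes('/SystemDefensePolicySet/ArrayOfPolicies/Policy')) {
        $name = [string](Get-FieldText $p 'PolicyName'); $where = "Policy '$name'"
        if ($name -eq '') { $findings.Add('Policy without a PolicyName'); continue }
        if ($name.Length -gt 16) { $findings.Add("${where}: PolicyName longer than 16 characters") }
        if ($policyNames.ContainsKey($name)) { $findings.Add("${where}: duplicate PolicyName") }
        $policyNames[$name] = $true
    }

    # Filters: known xsi:type, unique Name, a PolicyName that exists, numeric fields in range.
    $filterNames = @{}
    foreach ($f in $doc.SelectNodes('/SystemDefensePolicySet/ArrayOfFilter/Filter')) {
        $name = [string](Get-FieldText $f 'Name'); $where = "Filter '$name'"
        $type = $f.GetAttribute('type', $xsiNs)
        if ($filterNames.ContainsKey($name)) { $findings.Add("${where}: duplicate Name") }
        $filterNames[$name] = $true
        $policy = [string](Get-FieldText $f 'PolicyName')
        if (-not $policyNames.ContainsKey($policy)) { $findings.Add("${where}: PolicyName '$policy' matches no Policy") }
        switch ($type) {
            'AMT_Hdr8021Filter' {
                # 16-bit Ethernet protocol type, e.g. 2048 (0x0800, IPv4) in the page's sample
                Test-UIntRange $findings $where 'HdrProtocolID8021' (Get-FieldText $f 'HdrProtocolID8021') 0 65535
            }
            'AMT_IPHeadersFilter' {
                $ver = Get-FieldText $f 'HdrIPVersion'
                if ($ver -notin '4','6') { $findings.Add("${where}: HdrIPVersion='$ver' is not 4 or 6") }
                Test-UIntRange $findings $where 'HdrProtocolID' (Get-FieldText $f 'HdrProtocolID') 0 255
                foreach ($side in 'Src','Dest') {
                    $lo = Get-FieldText $f "Hdr${side}PortStart"; $hi = Get-FieldText $f "Hdr${side}PortEnd"
                    Test-UIntRange $findings $where "Hdr${side}PortStart" $lo 0 65535
                    Test-UIntRange $findings $where "Hdr${side}PortEnd" $hi 0 65535
                    $loN = 0L; $hiN = 0L
                    if ([long]::TryParse($lo, [ref]$loN) -and [long]::TryParse($hi, [ref]$hiN) -and $loN -gt $hiN) {
                        $findings.Add("${where}: Hdr${side}PortStart is greater than Hdr${side}PortEnd")
                    }
                }
            }
            default { $findings.Add("${where}: unknown xsi:type '$type'") }
        }
    }
    return ,$findings.ToArray()
}

# Constructed sample: the page's Ethernet filter plus an IP filter carrying two
# deliberate defects (protocol number out of range, inverted port range).
$sample = @'
<?xml version="1.0"?>
<SystemDefensePolicySet>
  <ArrayOfFilter xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Filter xsi:type="AMT_Hdr8021Filter">
      <Name>defaultBlock</Name><PolicyName>defaultPolicy</PolicyName>
      <FilterProfile>1</FilterProfile><FilterDirection>0</FilterDirection>
      <ActionEventOnMatch>false</ActionEventOnMatch><HdrProtocolID8021>2048</HdrProtocolID8021>
    </Filter>
    <Filter xsi:type="AMT_IPHeadersFilter">
      <Name>badPorts</Name><PolicyName>defaultPolicy</PolicyName>
      <HdrIPVersion>4</HdrIPVersion><HdrProtocolID>300</HdrProtocolID>
      <HdrDestPortStart>8080</HdrDestPortStart><HdrDestPortEnd>80</HdrDestPortEnd>
    </Filter>
  </ArrayOfFilter>
  <ArrayOfPolicies xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Policy xsi:type="AMT_systemDefensePolicy">
      <PolicyName>defaultPolicy</PolicyName><TxDefaultDrop>false</TxDefaultDrop><Active>true</Active>
    </Policy>
  </ArrayOfPolicies>
</SystemDefensePolicySet>
'@
Test-SystemDefensePolicyXml $sample   # reports the two defects in Filter 'badPorts'
```

Run it as `Test-SystemDefensePolicyXml (Get-Content -Raw .\policy.xml)` against a real file and only call Set-AMTSystemDefense when the returned array is empty. The checks are limited to what the field lists state; they say nothing about whether the filter set blocks or passes the traffic you intend, which still has to be verified on a test system.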