
Short of flashing BIOS, there seems to be no way to disable the Intel ME.

So, is there a reliable way to block access to Intel ME, such as using a HW firewall (a firewall in front of the machine, not running on the same machine)?

If Intel ME was used legitimately, how exactly would it be accessed?

Would it be accessed using the same IP (and same MAC address) as the normal NIC, or does it have a separate interface?

How could I, on the firewall, distinguish between traffic going to the main NIC and traffic going to Intel ME?

Would disabling the onboard NIC, and using some other PCI NIC, help?

Why is it so hard to find a description of how Intel ME actually works?

I just need basic info, and cannot find it anywhere online.

This is not a duplicate question of the other ME-related posts. They do not address any of my questions. Further, I don't have the option of flashing my BIOS with me_cleaner.

schroeder
Martin Vegter
  • 3
    From [Wikipedia](https://en.wikipedia.org/wiki/Intel_Management_Engine): *"...The ME has its own MAC and IP address for the out-of-band interface..."*. So it should be possible to block it with a firewall in front of the machine based on IP or MAC address. And you don't really need to disable the onboard NIC - just don't use it. – Steffen Ullrich Nov 26 '19 at 07:35
  • 4
    Unfortunately your question is broad and inconsistent: the title asks specifically about blocking it with a firewall in front of it, while the body asks about this and also other ways like disabling the NIC, about legitimate use, why documentation is hard to find, etc. Possible duplicate of [What can I do about the Intel Management Engine?](https://security.stackexchange.com/questions/142947/what-can-i-do-about-the-intel-management-engine) – Steffen Ullrich Nov 26 '19 at 07:39
  • The NIC is just the part that helps you administer ME OUB. You need to solve the core problem, not tie one of its tentacles. ME can be accessed without using the specific OUB. – Overmind Nov 26 '19 at 08:48
  • ME is only listening for packets when it is provisioned. It isn’t provisioned by default. – myron-semack Nov 28 '19 at 00:46
  • @Steffen Ullrich - how can I find out the MAC address? I don't see it anywhere in the BIOS. – Martin Vegter Nov 29 '19 at 04:24

0 Answers