Which NIC for security?

OpenSource Ghost (Limp Gawd, joined Feb 14, 2022, 237 messages)
After looking at how an encapsulated Wake-On-LAN Magic Packet wrapped in TCP (to pass through any router) can arrive at the motherboard's built-in NIC and be processed by Intel MEI (Management Engine Interface) to exploit a hardware driver header via IOCTL commands, I decided to buy a standalone 1Gbps or 2.5Gbps NIC.

I don't know which one to get. Security doesn't appear as a feature in any NIC description. I definitely want one that uses its own chipset, does not rely on Intel MEI, continues to receive driver updates, preferably has its own secure memory enclaves, can do some filtering on its own, doesn't support insecure features, such as Wake-On-LAN, Magic Packet, PXE Boot, monitoring/promiscuous mode or whatever else is frequently exploitable. Is there anything close to that out there?
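Added example, not from the thread or any NIC vendor: a defender-side check that scans arbitrary payloads for the Wake-on-LAN Magic Packet the post describes (6 bytes of 0xFF followed by the target MAC repeated 16 times), so it catches the packet whether it arrives in a UDP broadcast or buried inside a TCP segment. The flow records are constructed sample data; the scan assumes only the standard Magic Packet layout.

```python
"""Detect Wake-on-LAN Magic Packets embedded anywhere in a payload.

A Magic Packet is a 6-byte sync stream (0xFF x 6) followed by the target
MAC repeated 16 times (102 bytes); a 4- or 6-byte SecureOn password may
trail it. Because the sync stream can sit at any offset inside a UDP
datagram or a TCP segment, the scan slides over the whole payload rather
than assuming the packet starts at offset 0.
"""

SYNC = b"\xff" * 6
BROADCAST = b"\xff" * 6


def find_magic_packet(payload: bytes):
    """Return the target MAC ('aa:bb:cc:dd:ee:ff') if a Magic Packet is
    embedded anywhere in payload, otherwise None."""
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start + 6 : start + 6 + 96]
        mac = body[:6]
        # A run of 0xFF would also "repeat" the broadcast MAC 16 times;
        # treat that as padding, not as a wake-up request.
        if len(body) == 96 and mac != BROADCAST and body == mac * 16:
            return ":".join(f"{b:02x}" for b in mac)
        start = payload.find(SYNC, start + 1)
    return None


def scan_flows(flows):
    """flows: iterable of (proto, src, dst, payload). One alert per flow that
    carries a Magic Packet. WoL is normally UDP/9 or raw Ethernet, so a TCP
    carrier is flagged at higher severity: it is the router-crossing trick."""
    alerts = []
    for proto, src, dst, payload in flows:
        mac = find_magic_packet(payload)
        if mac is None:
            continue
        severity = "high" if proto == "TCP" else "info"
        alerts.append({"proto": proto, "src": src, "dst": dst,
                       "target_mac": mac, "severity": severity})
    return alerts


# Constructed sample traffic (not captured from any real network).
TARGET = bytes.fromhex("001122334455")
SAMPLE_FLOWS = [
    ("UDP", "192.0.2.10", "192.0.2.255", SYNC + TARGET * 16),  # classic broadcast
    ("TCP", "198.51.100.7", "192.0.2.20",
     b"POST /u HTTP/1.1\r\n\r\n" + SYNC + TARGET * 16 + b"\x00" * 4),  # wrapped in TCP
    ("TCP", "192.0.2.30", "192.0.2.20", b"\xff" * 102),  # all-0xFF padding, no wake-up
    ("UDP", "192.0.2.40", "192.0.2.20", SYNC + TARGET * 15),  # truncated, not a Magic Packet
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(alert)
```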
 
I think they do not list it because it is not really an issue. Every NIC supports those features because they are often needed or used, and if they are getting exploited, then someone is likely already within your network and you have bigger issues. Are there active PoCs for any of those services you listed?

Intel / Chelsio / Mellanox are the main players in the enterprise space...
 
I doubt anyone aside from authorized users is in my network. What I described was something that was demonstrated to me by local "academia" in a lab test environment. I just really didn't like it, especially the nearly-undetectable execution.

I guess any NIC is better than an on-board NIC connected to Intel MEI.
 
If it's an MEI exploit then get a non-Intel NIC. Otherwise, what MrG said.
 
If you don't like Intel ME, that's fine, don't use a NIC that's wired for it. I think it's gotta be a motherboard NIC, but if you've got multiple NICs on the motherboard, probably only one will be wired up.

Typically, you can disable PXE, both in your bios and on the card ... you might be able to find some cards without it, but it's going to be older cards built to be cheap, in my experience. Better to get ex-enterprise cards, they're cheap now too. Intel 1G/10G is going to just work with no fuss.
 
Intel MEI is something only in specific motherboards, so the 2 options are: either stop buying those devices (though if it is a work environment you may have it so you can do remote management if ever needed), or ya, disable it and just get any other NIC and off you go.
 
> Intel MEI is something only in specific motherboards, so 2 options are either stop buying those devices, but if it is a work environment you may have it so you can do remote management if ever needed, or ya, disable it and just get any other NIC and off you go.

Yep, if MEI is the issue, then just disable it--problem solved. Also make sure WOL is off on all NICs.
 
Intel MEI has "ring -3" access, which is a privilege higher than that of applications, the OS, low-level kernel drivers, and the hypervisor. It can override any user settings and is integrated into most modern consumer Intel motherboards without a way to disable it and not heavily risk bricking your motherboard with custom home-baked/cooked firmware. Enterprise Intel motherboards and security-focused motherboards allow you to enable the "High Assurance Platform" ("HAP") bit that disables Intel MEI half-way. I am not a fan of conspiracy theories, but it is difficult to justify not having such a bit on consumer motherboards, and the NSA is behind that feature because it considers MEI a threat and a backdoor - https://en.wikipedia.org/wiki/Intel_Management_Engine.
 