®
Intel PRO/100 Family
Packet Protect
Enabling the IPSec Protocol on
Microsoft Windows NT 4.0
®
User’s Guide
Intel® Packet Protect User’s Guide
Where to Go for More Information
Readme Files
For more information about installation and general information about
the product, see the readme text file. To view the files, view the root
folder on the Intel CD-ROM. Open readme.txt with any text editor.
Online Services
You can use the Internet to do wnload software updates, and to view
troubleshoot ing tips, installation notes, and more. Online services are
on the World Wide Web at:
http://support.intel.com
Copyright © 2000, Int e l Corporation . All rights reserved.
Intel Corporation, 5200 N.E. Elam Young Parkway, Hillsboro, OR 97124-6497
Intel Corporation assumes no responsibility for errors or omissions in this document. Nor does Intel
make any commitment to update the information contained herein.
* Other product and corporate names may be trademarks of other companies and are used only for
explanation and to the owners’ benefit, without intent to infringe.
ii
Contents
Where to Go for More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . ii
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
What is Intel
Packet Protect Features 2
Complete Your Security Solution 2
Hardware Acceleration 2
Domestic and Export Versions 2
Additional I nf or mation 3
How Packet Protect Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
What is IP Security? 4
What is Internet Key Exchange? 4
The Process 5
Get Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Installing Packet Protect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Developing Your Deployment Model . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Review Your Network Architecture and
Corporate Security Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Assign security behavior roles to computers that you want to use
Packet Protect 9
Develop a strategy for handling pre-shared keys 10
Understand the Default Rule 11
Consider exceptions to the Default Rule 11
What are the Trade-offs? 12
Conclusion 14
Set Up Intel Adapters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Instal l Intel Adapters 15
Configure Intel Adapters 15
Install Packet Protect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
System Requireme nts 17
Licensing 17
Install Packet Protect 17
View Your Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Packet Protect? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Contents
iii
Intel® Packet Protect User’s Guide
Configuring Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Understand Default Security Behavior . . . . . . . . . . . . . . . . . . . . . . . . 22
Default Behaviors in Packet Protect 22
Set up Your System Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
What is a Policy? 25
What is a Rule? 25
The Default Rule 26
Importance of Rule Order 27
How Does the System Policy Work? 28
Add Rules to th e System Policy 28
Making Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Modify the System Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Modify Destination Workgroups or Security Actions 41
Delete a Rule 41
Restore the System Policy 42
Monitor Packet Protect Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
View Status at a Packet Protect Client 44
Set Up Compatible Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Work with Other Security Products . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Turn Security On for a Computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Install Security for a New Computer 47
Turn Security on Manually for an Existing Computer 47
Turn Security Off for a Computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Shut Down Packet Protect at a Computer 48
Uninstall Packet Protect from a Computer 48
Troubleshooting and FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Frequently Asked Questions (FAQs) . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Appendix A — IKE and IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
IKE and IPSec Work Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
How Packet Protect Uses IKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Identity Negotiation Settings 55
IPSec Settings 57
iv
Contents
Examples 58
How Packet Protect Uses IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Security Associations 59
Security Associat io n Lifetimes 59
How IPSec Protects Packets 60
Appendix B — Interoperability with Microsoft Windows* 2000 . 63
Interoperability with Windows* 2000 . . . . . . . . . . . . . . . . . . . . . . . . . 64
Appendix C — Network Software License Agreement . . . . . . . . . 65
Network Software License Agreement . . . . . . . . . . . . . . . . . . . . . . . . 66
Intel Automated Cus tomer Support . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Readme Files on Your Product Disk 67
Web and Internet Sites 67
Customer Support Technicians 67
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
v
Intel® Packet Protect User’s Guide
vi
1
Introduction
With the growing amount of inf orm ation that travels on your local area network
(LAN), confidential informa tion has become a ta rget for intruders both inside
and outside your company. These intruders may be employees, visitors to your
company, or a hac ker who breaks through your firewall.
Intel ® Packet Protec t helps protect Internet Prot ocol (IP) traffic as it travels
between computers on your LAN. This protects confidentia l data from being
retrieved by intruders.
In this chapter, you’ll find information about:
• Packet Protect overview
• How Packet Protect works
• Getting started
1
Intel® Packet Protect User’s Guide
What is Intel
Packet Protect is designed to protect the confidentiality and authenticity of IP
traffic on your LAN.
Packet Protect can assist you in creating a departmental solution for your security concerns.
Many data compromises are attempted from within a company firewall. Unless
you prote ct information as it travels on the network, it can be received by
unwanted users.
For example, employees retrieving confidential designs from a Research &
Development department server use Packet Protect to encrypt the information
while it travels on th e LA N . Encryption prot ects the confi dentiality of the information. Each employee’s computer can also verify the integrit y of the information upon receipt.
Pac k et Prot e ct ?
Packet Protect Features
Packet Protect enables you to:
• Protect confidentiality and authenticity of IP traffic on your LAN using
Internet Protocol Security (IPSec), including Internet Key Exchange (IKE).
• Offloa d se cu rity task s to an Intel PRO/100 S Management or Server
Adapter to optimize netw ork performance.
Complete Your Security Solution
If you need to protect data stored on a computer, use operating system features
combin ed with Packet Pro te c t . Pa ck et Protect prot e cts data trave ling between
computers, not while it’s store d on a com puter. You should use your operating
system features or net w ork infrastructure element to provide access control to
certain areas of the computers on the network.
Hardware Acceleration
Implement i ng an IPSec sol ut ion can incr ea se CPU ut ili zat ion fo r co mput er s that
use the IPSec software. This is common when implementing any IPSec solution
because of the intense computation required to encr ypt, decrypt, an d validate
packet s. However, there is a way to offload securit y tasks from the CPU.
You can combine Packet Protect with the use of an Intel PRO/100 S Management or Ser v er A dap ter t o re duc e CPU ut il iz atio n. This fr ees C PU ut ili zat ion fo r
other tasks, while reducing the impact to network performance.
Domestic and Export Versions
Packet Protect is available in both domestic and export v ersions. The e xport version supports DES (56-bit) encryption only. The domestic version, available in
the United States and Canada, supports DES and 3DES (168-bit) encryption.
2
Additional Information
This Packet Protect User’s Guide in Adobe Acrobat* format can be found in the
Packe t Protect directory on the product CD-ROM. Packet Protect help can be
found in the H elp directory on the product CD-ROM.
Introduction
3
Intel® Packet Protect User’s Guide
How Packet Protect Works
Packet Protect helps you protect netw ork traff ic that is sent from one server or
client to another. Packet Protect uses these steps to protect information traveling
on the ne twork:
1. Activate IKE (Internet Key Ex ch ange). Negotia tes param e ters for secure
communication.
2. Activate IPSe c (Internet Protocol Security). Protects the communication
using th e security parameters it negotiated success fully using IKE.
What is IP Security?
Internet Protocol (I P) Security (commonly called IPSec) is a s et of standard protocols used to protect the confiden tiality and authenticity of IP communications.
IPSec accomplishes this using the following:
• Encryption. Protects confident iality of information traveling on the network. Each packet is encrypted so that unw anted recipients can’t interpret
it. Packet Prot ect uses DES 56-bit and 3DES 168-bit encryption algorithms
(3DES in U .S . an d Ca na da versi o n on ly).
•Integrity. Protects the authenticity of the information traveling on the network by verifying that each packet was unc hanged in transport. Pa cket Protect uses MD5 and SHA-1 authentication algorithms for both ESP and AH
authentication.
• Ant i -repla y pro tecti on. Protects the network by preventing an intruder
from successfully repeatedly sending an identical packet in an attempt to
confuse the system.
For more information about IPSec, see “Appendix A — IKE and IPSec” on
page 53.
What is Internet Key Exchange?
Internet K e y Exc han ge (IKE) i s a s tanda rd p ro tocol use d to nego ti ate a pro te cted
communication. Negotiation is the first phase in setting u p a secure communi cation. IKE verifies the identity of the computers using pre-shared keys. Then it
negot iates a set of secu rity settings to protect the communication.
IKE is a proto col t hat ope ra te s ins ide a fra me wo rk def ine d b y I SAKM P (Int er net
Security A ssociation Key Management Protocol) and is used to support the
establishment of Security Associations.
For more information about IKE, see “Appendix A — IKE and IPSec” on
page 53.
4
The Process
If two computers require security, each tim e they attemp t to communicat e w ith
each other Packet Protect follows these steps to attempt a protected comm unication:
1. Ea ch co mputer uses IKE to ver ify t hat the oth er i s th e comp ute r it cl aim s to
2. I f iden ti ty v er if ica ti on is s ucc es sful i n St ep 1, the tw o comp ute rs use IK E to
3. I f the agreem ent is successful in Step 2, both computers will use the agreed
As long as the protected communication is active, the two computers can
exchange informati on, without repea ting Steps 1 and 2 (up to th e pre-define d
time and size limits — see Table6 on page 34 for more information).
The following diagram shows the roles of IKE and IPSec.
Introduction
be.
agree upon the IPSec settings to use.
upon IPSec settings to protect the data as it travels.
Step 1: IKE Verifies Pre-shared Key
Step 2: IKE Negotiates IPSec Settings
Step 3: IPSec Protects the Communication
5
Intel® Packet Protect User’s Guide
Get Started
T o start using Packet Protect
1. Evaluate your network architecture and decide which areas require Packet
Protect. For details , see “Developing Your Deployment Model” on page8.
2. I n stall Packet Protect on those computers that require security . For details,
see “Install Packet Protect” on page17.
3. Set up security settings for each computer where you installed Packet Protect. F or details, s ee C hapter 3, “Configuring Security Settings” on
page 21.
6
2
Installing Packet Prote ct
To set up your netw o rk in pre pa ra tion fo r de p loying securi ty, ther e are severa l
things to cons id er. This chapt er gui des you t hro ugh th e setup proce ss so you can
begin de p lo ying se cu r ity most effe ctively.
In this chapter, you’ll find information about:
• Developing your dep loyment model.
• Setti ng up Intel
• Installing Packet Protect.
network adapters.
7
Intel® Packet Protect User’s Guide
Developing Your Deployment Model
In order to use Packet Prot ect successful ly, you must deve lop a deployment
model that fulfills your security needs on your ne twork. There are sev eral stages
to consider in developing your deplo yment model.
• Review your network architecture and corporate security guidelines.
• Assign se curity behavior roles to computers that you want to use Packet
Protect.
• Develop a strategy for using pre-shared keys.
• Underst and the Default Rule.
• Consider exceptions to the Default Rule.
This di scussion represents o nly an overview of some of the issues t hat should be
conside red when deploying Packet Protect in your enterprise. For more detailed
information about deployment models, please refer to “Scalable Deployment of
IPSec in C orporate Int ranets”white paper from the Intel Archi tecture Labs In ternet Building Blocks Initiative. This white paper can be found at:
ftp://download.intel.com/ial/home/ibbi/ipsec_122.pdf
Review Yo ur Network Architecture and
Corporate Security Guidelines
The amount of confidential information trav eling on your network grows as
more employees use your corporate network. This poses a secu rity risk if someone break s through your firewall, or someone already behind your fi rewall has
access to the network—those people can access confidential information. For
example, an intruder can mimic an IP address and recei ve information that was
intend ed for someone el se at that IP address. Or, an intrud er can use software to
view data as it tra vels on your LAN.
You can depl oy Packet Protect in the areas of your network that transmit sensitive information. Some areas of your network might re quire the additi onal protection provided by Packet Protec t, while other ar eas might not. Use your
corporate securit y guidelines to hel p determine which areas of your ne twork
requir e Packet Protect.
Perhaps you have a server that stores highly confidential information, such as
corporate financial figures or e-commerce transactions. You can use your operating system’s tools to help protect data stored on the server’s hard disk, but
what about when other compute rs access that in formation? Use P acket Protect
8
Installing Packet Protect
to prote ct your highly confidential informatio n as it travels to and from the
server.
Assign security behavior roles to computers that you want to use
Packet Protect
Packet Protect uses default security behavior t o determine how a computer will
communicate with other computers on th e network. There are three default
behaviors: Secure Responder, Secure Initiator and Lockdown.
Secure Responder
A computer with the defaul t behavior of Secure Responder always initiat es and
accep ts traffic that is no t se cured . H ow ever, it wil l accept a secur e co m m u n ication if it is initiated by another computer. Of course, the negotiation will succeed
only if on e th e propos al s in the li st of fere d b y the ini tiat or can be matc hed by the
responder.
Secure Responder is a likely behavior for the majority of workstations in a network. Communications will always be allowed in the clear between computers
that are Secure Responders or Secure Initiators, but will communicate securely
with a computer (usually a server) with Lockdown default behavior.
Secure Initiator
A computer with the defaul t behavior of Secure Initiator will always attempt to
initiate secure communications on all outbound traffic. Even if an inbound communica tion flow is ini tia te d i n the clear, the res po nse data flow wi ll ca u se the
computer to initiate a secure session. However, if a secure session cannot be initiated , the computers will fallbac k to communicating in the clear.
Secure In itiator beha vior is appropri ate for both workstations and servers. Computers who wish to use peer-to-peer se cure communications can use Secure Ini-
9
Intel® Packet Protect User’s Guide
tiator behavior. Also, many servers can use this behavior as well, as long as the
fallback behavior is acceptable for your network.
Secure In itiator is similar to Secure Responder, except that all outbound traffic
will result in an attempt to negotiate parameters for security.
Lockdown
A computer with Lockdown behavior will always initiate and respond securely
to all da ta flows. If the negotiat ion fails on either computer, then traffic will be
denied.
Lockdown behavior i s used for server s w ith high content value, as it requires
security for all data transmissions.
Communicating with non-Packet Protect computers
It is common to not use Packe t Protect on all the computers in your network.
While the se cur ity th at Pac ke t Pro tect can pro vi de is benef i ci al, th er e are sev er al
reasons to limit the computers on your networ k that use Packet Protect, such as:
• Only a limi ted number of comput ers on your network require secur e communications.
• In order to minimize CPU utilization, you want to limit use of Packet Protect to computers that already have PRO/100S Management or Server
adapters.
Computers tha t use the def a ult behavior of Secur e Resp onder or Sec ur e Ini tiat or
will always be able to c ommunicate in the clear with compu ters in your network
that do not use Packet Prot ect.
Computers that use the default behavior of Lockdown wil l not be able to communicat e with computers in you r network that do not use Packet Protect.
Develop a strategy for handling pre-shared keys
When two computers attempt secure communication, they negotiate parameters
for the co mmunication. In addition to using their defa ult behavior, descri bed in
the pre vious section, they also exchange a stri ng of characters known as a pre shared k ey.
When the computers begin to negotiate parameters, they compare their preshared key s. If bo th com p uters ha v e th e sam e p re-s har ed key, then the co mput ers
will go ahead and negotia te parameters for the session. If the computers have a
dif ferent pre-shared key, then the negotiation for secure commun ication will
cease.
Once the pre-shared keys have been compared and matched between the two
computers, the IKE protocol generates secure, secret session keys. N o one can
find out what these ses sion keys are, even if th ey know what the pre-shared k ey
is. Alt hough pre-shared keys are sometimes called passwords, they do not act
like pass wor ds . Ev en w hen you kno w w hat t he pr e-sh ar ed k e y is, y ou c anno t use
that key to intercept or decrypt the information that is being transmitted.
10
Shar ing keys
It’s important when you are developing you r deployment model that you decide
how to handle the distribution of the pre-shared key. Some networks use a
widely-published key, known as a “group key” or the “pre-shared key on the
wall.” In this str ategy, you make the pre-shared available to everyone. This way,
all computers will be configured to use the same key. This ensures that whe n
secure communications are requested, th en IKE will be able to negotiate secure
communications when the keys are matched between two computers.
In addit ion to “group key,” some enterprises may want to use additional, more
pri vate pre-shared keys in certain instances. For exam ple, the presi d ent and the
chief financial officer of a corporation may wish to send secured transmissions
to each other. In t h is instance, each of these computers would use the group key
as part of their standard System Policy, but would crea te a special rule to cover
communications just between them. (See “Consider exceptions to the Default
Rule” for more information on implementing this scenario.) In this case, they
might li k ely cho ose a mo re sec re t pr e-sh ar ed k e y that jus t t he tw o com puter s u se
with each other.
Understand the Default Rule
Every co m puter that uses Packet Protect has a single System Policy. Each System Policy initially contains a single Default Rule. The Default Rule is quite
simple:
For Everybody, use the Default Security Actio n . If the rule fails, Allow
Communication without Se curity.
Installing Packet Protect
Note: For computers that use the Lockdown behavior wth the
Default Rule, if the rule fails then
fallback action.
See “The Default Rule” on page26 for more information .
Note:
If you want to have secure communication between a Packet
Protect computer and a Windows 2000* computer, you must
use the Default Rule. Intel recommends that you do not
delete the Default Rule.
See “What is a Rule?” on page 25 for more information about rules in Packet
Protect.
Consider exceptions to the Default Rule
Many enterprises may find that by careful consideration of th e default behavior
roles, a w idely publishe d pre-shared key, and the D efault Rule, they can meet
their security requirements without extra effort. This model is quite wor kable
and provides adequate security. It is also simple to deploy and maintain.
Deny Communi cat i on
is the
11
Intel® Packet Protect User’s Guide
Some enterprises may wish to create additional rules that govern communications be tw een two speci fic computers.
Earlier, we introduced a scenario where the president and chief financial officer
of a company wished to implement extra security for their communications. For
this scenario, a new rule is needed. Let’s compare a possible rule for this scenario to th e S ys te m Po licy’s Default Ru le :
Property New Rule Default Rule
Table 1: Rule Comparison
Destination
Workgroup
Security Action New Security Action: Up
Rule Failure Deny Communication. Allow communication in
Authenticat ion Use a n ew pre-share d
President and CFO only Everybody
Default Security Action:
to 15 minutes or 50 MB,
whichever occurs first.
Then, a new security
association is negotiated.
key, known only to these
two comput ers .
Up to 8 h ours, then a ne w
security association is
negotiated.
the clear.
Use the System Policy’s
settings
In addition to these rules, both the president and the Chief Financial Officer
would ha v e the Sec ur e In it iato r de f aul t behavior . The ru le mi ght al so w an t to us e
more secure options, such as perfect forward secrecy, which provides a ver y
secure negotiation of session keys. There are many other security options that
can be chosen when you create a security action for this rule. See “Customize
Securi ty A ctions” on page 33 for mor e information on options for security
actions.
By comparing the new rule and the default rule, you can see ho w the new rule
provi d es an extra mea sure of securit y. The new security action is much more
limite d. Longer time and/or size limits on a security acti on can give an intruder
an opport unity to intercept and possibly corrupt packets. By denying comm unication in case of rule failure, you ensure that co m munication between these two
computers will never occur in the clear.
What are the Trade-offs?
A very important part of developing your deployment model is to consider not
only the initial deployment, but maintaining the System Policies on all the computers that use Packet Protect in your network.
Clearl y, the simplest model w e discussed will be the easies t to deploy and ma intain. When all compute rs use the same def aults—Default Rule, security action,
12
Installing Packet Protect
fall back to clear com mu nication, same pre-shared key—then you’ll be able to
gain adequate security with minimum impact to your network.
If you decide on a more complex deployment model, you should consider the
benefits of the extra security that you have against the costs of maintaining and
running the model. There are t w o areas that you should evaluate—maintenance
and CPU util ization.
Maintenance
If you are considering a deployment model with many customizations and specialized rul es , be aw ar e of t he time a nd effort requir ed f or on going m aint ena nce .
Because each computer with Packet Prot ect must be configured individually,
customizations requ ire more effort to keep each com puter up-to-date.
Let’s consider the previous example of the special rule for the preside nt and
Chief Financial Officer of the co rporation. I n order for this rule to work as
designe d, al l a spect s o f t he rul e mus t matc h, or comm un icati on wil l be de ni ed. I f
the president’s computer uses a different setting in the security action from the
CFO’s computer , then a securit y association ca nnot be negotiat ed and therefore
all communication is denied. Consider then that it might take several days for
the pres ident and CFO to even discover that their communications haven’t been
taking place, as assumed.
Even a new computer for the president could prevent secure communication
from happening. For example, when you set up this special rule, you identified
the two co mputers to Packet Protect by t he names of the comput ers. The president’s new computer has a new nam e. When the pres ident and the CFO att empt
to communicate the next time, the rule will fail, because of the computer name.
You can imagine h ow difficult it can becom e to maint ain specia lized rules, destination workgroups, and secur ity actions in your n etwork. Intel recommen ds that
you begin by using the simple, default model for secure communications. Over
time, you may consider customizations to enhance secure communications in
special cases.
CPU Utilization
Another ve ry im port ant f acto r t o consi de r i s the ef fec t o f I PSec on y our net wo rk,
as well as the individua l com puters using Packet Protect. Generally, you can
assume that when you choose most sophisticated security options, th ere will be
impact on your network.
One example is choosing to use ESP (Encapsulation Security Payload) and AH
(Authen ticat i on Hea de r) aut hen ti ca tion t oge th er. While th is combi na ti on af f or ds
extra protection, you must consider that when you use both of these methods,
you cannot offload any processing to the adapter, and thus CPU utilization
increases. How ever, if you us e ju st ESP au th en ticat io n w it h th e approp r i at e
adapter, you can take advantage of the ha rdware offload and get better CPU utilitzation.
You must also consider the adapters that are installed in your Packet P rotect
computers. Only the Intel PRO/100 S Server Adapter and Intel PRO/ 100 S Man-
13
Intel® Packet Protect User’s Guide
agement Adapter can perform hardware offloading. If you ha ve other Intel PRO/
100 Adapters in Pack et Protect co mp uters, you won’t be able to offload an y processin g, thus incr easing CPU utilization and potenti ally slowi ng that computer’s
network performance.
Other se curity options are considered “costly” as we ll. Perfect Forward Secr ecy
is very secure, but if used widely throughout the network, there can be a significant effect on servers that have a lot of secure traffic.
Conclusion
Hopefully, this section provided some guidelines for you to consider as you
develop your deployment model. There are no hard-and-fast rules that you must
follow. However, Intel reco mme nds tha t you be gin your use of IPSe c an d Pack et
Protect slowly in your enterprise. You should consid er starting with a sm all
group t hat use the same pre-sh ared key and default System Policy. When you’ ve
had a chance to evalu ate this first implementation phase, you can t hen decide
how to expand your use of Packet Protect.
14
Set Up Intel Adapters
Before you install Packet Protect, install the necessary Intel adapters on your
serve rs and clients th at will use Packet Protect. Packet Protect only operates
with Intel adapters that are configured to use Intel drivers.
Insta ll Int e l A d apte rs
Packet Protect works with Intel adapters that are designed to offload CPU-intensive tasks to the adapter. This helps reduce the impact to network performance
and CPU util ization. Intel adapters that support the offload capabil ities include
the following:
• Intel PRO/100 S Server Adapter
• Intel PRO/100 S Managemen t Adapter
Installing Packet Protect
Note:
Note:
Although Intel adapters can be installed on various operating
systems , P acket Prot ect supports only Windows NT* 4.0 wit h
Service Pack 5.
Packet Protect also works with the following Intel adapters,
but security tasks will not offload to these adapters, and network performance will be affected.
PRO/10+ PCI LAN adapter
PRO/10 0B LAN ad apter
PRO/100B T4 LAN adapter
PRO/100+ LAN adapter
PRO/100+ Management adapter
PRO/100+ Server adapter
PRO/100+ Dual Port Server adapter
PRO/100 CardBus II
PRO/100 RealPort
PRO/100 LAN+Modem56 CardBus II
PRO/100 LAN+Modem56 RealPort
TM
CardBus II
TM
Cardbus II
Install Intel adapters for the servers and clie nts that use Packet Protect.
To install Intel adapters
1. Refer to the Installation Guide that came wit h the adapters for information
about in stallation
2. After instal lation, verify network access for each computer that wil l use
Packe t Prot ect b y che cki ng the Li nk a nd Acti v it y LEDs o n the ada pte r . You
can also double-click Network Neighborhood on a computer’s desktop to
verify tha t other ar e as of th e network are vi si ble.
Configure Intel Adapters
After you install adap ters in the compu ters that will use Packet Pro tect, configure them, as necessary, before yo u install Packet Protect. For example, you
15
Intel® Packet Protect User’s Guide
might instal l m ul tiple ad a pt ers on a server. Then you might te am those ad apter s
together to take advantage of adapter fault tolerance or adaptive load balancing.
Multip le A d ap t e rs
If you install multiple adapters in one computer, note the following:
• Install multiple adapters before installing Packet Protect.
• Each computer has only one sec urity policy. This means that the same
security settings will apply to all of the adapters in one computer.
• If you us e at least one Int el PRO/100 S Server or Management adapter in a
computer, Packet Protect will be able to offloa d encryption and aut hentication tasks to that adapter.
• If you need to add or remove an adapter from a team after you install
Packet Protect, you must uninstall Packet Protect from that computer, add
or remove the necessa ry adapters, and th en reinstall Packet Protect .
When you uninstall Packet Protect, you lose all of your customized information, including rules and security actions. When you reinstall Packet
Protect, you will only have the single Default Rule in your System Policy.
Adapter Teaming
Adapter Teaming and Packet Protect work together only for computers with
Windows NT operating s ystem installed. If you set up A dapter Teaming for multiple a dapters, keep the following in mind:
16
• Configure Adapter Teaming before inst alling Packet Protect.
• Refer to the previous page to make sure all adapters in the team are either
off load-enabled Intel adapters, or appear in the list of compatible Intel
adapters on the previous page.
• If you need to add or remove an adapter from a team after you install
Packet Protect, you must uninstall Packet Protect from that computer, add
or remove the necessa ry adapters, and th en re-install Packet Protect.
• Consider using high-s peed adapters to limit upgrading.
Install Packet Protect
Before you install Packet Protect on your computer, make sure the computer
meets the following system requirements. Packet Protect computers can be servers or workstations.
System Requirements
Before installing P acket Protect, make sure your computers meet these requirements:
• Windows NT 4.0 with Service Pack 5 or 6a (or higher)
• 40 MB available disk s pace
• 32 MB RAM minimum, 64MB RAM recommended
®
• 200 MHz Pentium
• Intel adapter (PRO/100 family)
Licensing
All inst allations are subject to the e nd user’s acceptance of th e applicable Intel
Software License Agreement.
Note
: See “Install Intel Adapters” on page 15 for information on
choosing an Int el ada pt er.
processor performance level or higher recommended
Installing Packet Protect
Install Packet Protect
You will need the information detailed in the following table during Packet Protect in stallation at each computer. To complete the installation most efficiently,
gather the following information before you begin.
Information
You Need
Default
behavior
Pre-shared key Enter a pre-shared key the computer will use to
Table 2: Required Information
Description
Decide how you want the computer to communicate
with other computers on the network:
• Secure Responder
• Secure Initiator
•Lockdown
For more information about these settings, see
“Default Behaviors for Packet Protect Computers” on
page 22.
communicate securely with other IPSec computers. A
pre-shared key is similar to a secret password.
17
Intel® Packet Protect User’s Guide
T o install Packet Protect
1. Verify that the computer you have chosen meets the minimum requirements detailed under “System Requirements” on page 17.
2. I nse rt th e pr odu ct CD- R OM into the CD-ROM driv e at t he com puter wh ere
you want to install Packet Protect.
3. Browse to the CD-ROM using Windows Explorer.
4. Double-click d:\packet protect\setup.exe , where d:\ is the dri ve of your CD ROM drive.
5. Follow the dialog box instruc tions on the screen.
Keep a confidenti al record of the information you enter. If you need to rein stall
Packet Protect later, you will need to re-ent er this information.
Notes:
If the static IP address or the DNS name of the computer
changes , y ou must restore the S ystem Policy. Y o u will lose all
your customizations when you restore the System Policy.
Also, if there are other computers in the network that have
rules that apply to the computers whose IP address or DNS
name changes, the rules of those computers need to be
changed. For information on restoring the System Policy, see
“Restore the Syst em Policy” on page 42.
You can also install from a mapped drive where you have
stored the Packet Protect installation files.
If you already have adapter teaming installed on the system,
there’s no need to re-enter the TCP/IP settings during Packet
Protect installation (you are not prompted for this information).
To verify that Packet Protect is install ed and running on a computer:
1. At the taskbar on the com puter, select Settings > Cont rol Panel.
2. Double -c lick Services and verify that Int el Po lic y A ge n t is starte d .
If Inte l Policy Agent doesn’t appear in the list, Packet Protect has been shut
down or is not functioning properly. See “T urn Security on Manually for an
Existi ng Com puter” on page 47 for details about restarting Packet Protect.
See the cha p ter “Troubleshooting and FAQ s” on page 49 for general tr oubleshooting guidelines and a l ist of common Packet Protect ins tallation problems
and thei r solutions.
18
View Your Security Settin gs
During installation, you set up basic security sett ings for the computer—the
authent icat i on meth od and the def aul t beha vi or for the cl ie nt. To view your security settings, double-click Intel(R) Packet Protect at the Control Panel. The
authentication setting and default behavior you chose during installation appear
in the Security tab.
Installing Packet Protect
See the next chapter for information on editing basic settings and configuring
advanc e d se cu rity se tt in gs.
19
Intel® Packet Protect User’s Guide
20
3
Configuring Security Settings
If you ha ve installed Packet Protect, you have al ready set up basic security settings for the com puter. You may view or edit these settings using Packet Protect.
Optiona lly, you may also use the Adva nced settings in Packet Protect, if you are
familiar with encryption and authentication settings, to configure the security
policy that comes wit h Pa ck et Prote c t.
In this chapter, you’ll find information about:
• Understanding default security behavior (basic settings).
• Setting up your System Policy (advanced settings).
21
Intel® Packet Protect User’s Guide
Understand Default Security Behavior
During installation, you selected a default beha vior for your computer to use for
all communications. You also entered a pre-shared key that matches the
pre-sh ared key on other computers in the network so the comp uter can communicate securely with other computers possessing the same pre-shared key.
Default Behaviors in Packet Protect
In order to operate with security settings, your computer needs to know how to
communicate with other IPSec-enabled computers. In the absence of a rule that
matches a s peci f ic com muni catio n n eed , Pack et Pr otect us es de fa ul t beha vi ors to
determine how IPSec computers use security. If a matching rule exists on the
two comput er s th at are att empt in g to c ommuni cat e, th e def a ult beh a vi or wi ll no t
be used. The table below describes the default behaviors available with Packet
Protect.
: You can set up specific security policies with rules to apply to
Notes
specific types of communications using advanced security
settings. See “Set up Your System Policy” on page 25 for
more information.
You cannot make any changes to Packet Protect on a computer unless you are logged on as
users cannot modify Packet Protect settings.
administrator
. Individual
22
Table 3: Default Behaviors for Packet Protect Computers
Default
Behavior Description
Secure
Responder
(Example:
workstations)
Computers with this behavior initiate co mmunication
without security (in the clear), but will attempt to
negotiate a secure communication if one is
requested. For example, if a Secure Responder
workstation attempts to a ccess a file server and tha t
file server requests a secure communication, the
workstation will respond in a secure manner.
If two workstations are configured with this setting
and they attempt to communicate with each other,
the communication is allowed without security (in
the clear) . Als o, Secure Resp ond ers a nd computers
that are not IPSec-enabled communicate without
security.
Configuring Security Settings
Table 3: Default Behaviors for Packet Protect Computers
Default
Behavior Description
Secure Initiator
(Example:
servers)
Lockd own
(Example: servers
that require strict
security)
Computers with this beha vio r request security f or all
communica t ions , b u t don’t require it. F or example, a
Secure Initiator server always initiates
communications by requesting security. If the
negotiation for a secure communication is
unsuccessful, the Secure Initiator server
communicates wi thout security (in th e clear).
Computers with this behavior
communication. Lockdown computers do not
communicate without security, that is, they do not
communicate in the clear.
Only use Lockdown if a computer will be accessed
by a very limited number of computers, and those
computers are all properly set up with Packet
Protect. If a backup to another computer on the
network is scheduled automatically, it will fail unless
the other computer is also security-enabled.
require
secu ri ty for
all
23
Intel® Packet Protect User’s Guide
T o change the default behavior for a Packet Protect computer
1. Cl ick Start > Settings > Control Panel.
2. Click Intel
Packet Protect. The Packet Protect Security tab appears:
24
3. To change the behavior for your com p uter, use the Behavior drop-down list
to choose one of these behaviors: Secure Responder, Secure Initiator, or
None.
4. To change the pre-shared key, type a new key in Pre-Share d key box.
5. When you are fini shed viewing and m aking changes in the Security tab ,
click OK.
Set up Your System Policy
You set up bas ic security settings when you install Packet Protect. If you ar e
famil iar with encrypti on and authentication settings you can use the adv anced
settings in Packet Protect to configure specific security settings to apply to different types of communica tion. Packet Protect comes w ith a system policy that
contains advanced security settings.
What is a Policy?
A polic y helps determine how the compute rs you manage communicate with
each othe r and with other computers on the network. Policies contain one or
more rul es and use rules to specify how computers on the LAN communicate in
a protected way . Your Packet Protect policy comes with pre-defined rules. Each
rule has its own set of condi tions that, if ma tched, apply def ined security settings. You can edit the pre-defined rules or create new rules for your policy.
What is a Rule?
A rule defines how you want to communicate with other comput ers on the network. For example , one rule can define how to communicate with a f ile server
using sp ecif i c secur i ty s etti ngs . Anoth er can d ef ine a n ent ire g rou p of comput ers
for which communication wi ll always be allowed “in the cl ear” (without se curity).
The rules in your system policy are listed in the Policy Editor. To view the Policy Edit or, click Advanced on th e Secur it y Tab.
Configuring Security Settings
25
Intel® Packet Protect User’s Guide
Every r ule contains the information described in the following table.
Rule Setting Description
Table 4: Rule Settings
Destinati on
workgroup
Security act ion Collecti on of security setti ng s us ed w hen negotiating a
Rule failure Definition of what happens when the rule is applied,
Authentication Definition of how your computer verifies the other
: All rules s pecify All IP for the Traffic Group. If a rule is applied,
Note
The Default Rule
When you install Packet Protect, th e default rule is created. The De fault Rule
has these properties:
Collection of computers with which a computer
communicates.
communication.
but the communication is not negotiated successfully.
You can allow the communication to occur unsecured,
or deny the communication.
computer’s pre-shared key when the rule is applied.
You can use the authentication settings already
specified for your computer (on the Security tab), or
use custom settings for th e rul e (p rop ose a pre-shared
key).
the security settings apply to all IP traffic between the two
computers communicating. Refer to the readme file on the
product CD-ROM for a list of ports and protocols that are
always sent unprotected in order for Packet Protect to function.
26
• Destination Workgroup Everybody.
Applies to every computer in the LAN.
• Security Action Default Action.
The standar d se cu rity action, which us e s a
time limi t of 8 hours. Refer t o “Customize
Security A ctions” on page 33 for detai led
information about sec urity actions.
• If rule fails Allow Communication without Security.
• Rule a u thentication Use System Policy’s set tings.
Importance of Rule Order
The System Pol icy typical ly contains one or more rules. Place the rules in the
order you want the m applied. If you have one general rule and also an exception
to that rule, pla ce the exc ep tion before the g eneral rule; otherwise , th e sp e cific
rule is never applied.
It is crit i cal tha t yo u order rul es appropr ia te ly to en sur e th ey beh a v e as expec te d.
The following exampl e shows what might happen if the rules are not in the correct order.
Example of rule ordering
Configuring Security Settings
If the comp uters cannot negotiate a secure
communication, then communication is
allow ed without any security . For computers
that use the Lockdown behavior—if the rule
fails, then communication is denied.
When Packet Protect was installed, each
computer was set up to use a pre-shared key.
When two computers attempt to communicate
securely using a pre-s hared key, each
computer must have the same key entered. If
these k eys do not match, the rule cannot be
authenticated by the computers and it will fail.
Suppose you have created a destination workgroup for the finance managers at
your com p any. You need to sen d sen sitive informatio n to th e m a nagers, so you
have created a rule with high security settings. You decide that if one of the
finance managers does not meet the security action settings, you do not want to
transmit information. You also have the Default Rule with security settings to
use when communicating with everyone on the LAN. However, if the settings
fail to be negotiated, you will still allow the com munication to take place without secur ity. The rules you hav e created appear in the table below.
Table 5: C orrect Ordering fo r Rules
Rule Name
To Finance
Management
Default Rule Everybody DES+MD5+None Allow
Destination
Workgroup
Finance
Managers
Security Action If rule fails
3DES+SHA1+None Deny
27
Intel® Packet Protect User’s Guide
The rule ordering above requires the Finance Managers wo rkgroup to have a
rule li sting your computer and the 3DES+SH A 1+None security action in orde r
to nego tiate secure communication. If the Finance Manag ers workgroup does
not have a matching rule, communication will be denied.
Notice the importance of rule order. If the Default Rule was ordered before the
To Finance Management rule, communication with Finance manager workstations would be allowed “in the clear” (with no security) even if the Finance
Managers workgroup does not have a matching rule for communication with
R&D using the 3DES+SHA1+None algorithms. In this case, the general rule
would be applied first, and the specific rule would never be applied.
For ins truc ti ons on ho w t o or der rules , see “Ste p 3: Orde r t he Rules ” on p age 31.
The next section explains more about how Packet Protect computers use rules.
For inf ormation about security algorithms and about thei r notation, see “About
algorithm notation” on page 36.
How Does the System Policy Work?
The System Pol icy defines a collection of rules that desc ribes the security settings to enforce under cer tain situatio ns. When a computer attempts communication, Packet Protect evaluates a number of things before allowing the
communication.
The following exampl e describes how the policy works:
1. My C omputer atte m p ts to communicate with MyServer with a rule using
the 3DES+SHA1+None encryption algorithms.
2. If a rule match is found, MyComputer proposes the security action settings an d authenticati on settings that you defined for that rule. The two
computers negotiat e the security settings. If that security se ttings negotiation is successful, the two computers communicate using the agreed upon
settings. If that negotiation fails, the communication fails or is allowed
unsecured, depending on the if rule fails specification.
If a rule match isn’t found, the system propose s the pre-shared key
assign ed for that computer’s workgroup. It then proposes pre-de fined security se ttings such as default settings that are used for all communications.
See “Appendix A — IKE and IPSec” on page 53 for more information.
Note:
If the destination computer uses Packet Protect, it also
searches its policy for a rule with settings that match. If your
computer and the destination computer have matching rules,
the communication is allowed secure according to the specified security action settings.
Add Rules to the System Policy
Adding rules to you r policy is optional. If you are unsure whether you need new
new rules, see “What is a Policy?” on page 25 for more information.
Creating a new rule involv es several steps:
28
Configuring Security Settings
1. Viewing the System Policy.
2. Defining a new rule for the System Policy.
3. Ordering the rules.
In general, follow these guidelines when you make rules:
• When you add a rule to computer A’s poli cy for secure communicatio n
with computer B, you must add a matching rul e in computer B’s polic y for
secure communication with computer A. Ot herwise, the rule will fail and
communication will be denied or allowed unsecure (depending on the If
rule fails setting for both workgroups’ rules).
• If you add two rules that include some of the same computers (for example,
one rules lists computer A as the destination workgroup, and another rule
lists Everybody – all computers on the network – as the destination workgroup), you must ord er the specific rule before the general rule. Otherwise,
the spec ific rule wil l never be applied. See “Import ance of Rule Order” on
page 27 for more information.
Step 1: View the System Policy
1. At the Control Panel, click Intel Packet Protect.
2. On t he Security tab, click Advanced. .. . The Policy Edit or dialog box
appears :
29
Intel® Packet Protect User’s Guide
Step 2: Define a new rule for the policy
1. Click New Rule. The New Rule dialog box appears.
2. I n the Rule Name text box, type a name for the rule.
3. I n the Destination workgroup text box, select the group of comput ers for
which you want this rule to apply.
The list includes destination workgroups that are already created (either as
part of t he D efault Rule or that you create d). If you want to view, edit, or
create a destination wor kgroup, see “Cust omize Destination Wo rkgroups”
on pag e 31 fo r m or e inform ation.
4. I n th e Securi t y act ion te x t bo x, se lect th e gro up of sec ur it y sett in gs t hat you
want to define for this rule.
The list includes security actions you have alrea dy created and pre-defined
securi ty actions that come with Packet Protect. If you want to view, edit, or
creat e a se cu rity ac ti on , se e “Cu stomiz e Security Actions” on page 33 f o r
more information.
5. I n the If rule fails text box, select whether to deny or allow a communication if this rule is matched, but the communication fails to n egotiate.
6. I n the Authentication area, dec ide whether you want to use the default settings or propose custom authentication settings.
You specified the default settings when you installed Packet Protect (displayed on the Security tab).
7. Click OK.
8. Re peat steps 2 through 7 to add more rules to the System Policy.
30
Configuring Security Settings
Step 3: Order the Rules
1. On the Policy Editor dialog box, click a rule.
2. Cl ick Move Up or Move Down to move the rule up or do w n one line. You
can also select a rule and dra g it up or down.
The rules are applied in the order in which they are listed. The rule at the
top of the list is applied before all rules below it, for exa m p le.
See “Importance of Rule Order” on page 27 for more information about ordering rule s.
To modify a rule
In order to apply your rule to a communication, the computer with which you
are attem pting communica tion must have a rule with matchi ng settings. If you
have already coordinated rules with the other computers with w h ich you wish to
communicate, modifying your rule will require modification to rules for other
computers.
1. Before you modify a rule, check the following:
• If you ha ve already set up matching rules for other IPSec com puters,
DO NOT follow the steps below.
• If you ha ve not set up matching rules for ot her IPSec computers, con-
tinue wi th the steps belo w.
2. I n the Policy Edit or dialog box, select rule you want to modify.
3. Click Edit Rule. The Edit Rule dialog box appears.
4. Make changes, as necessary, then cli ck OK.
Customize Destination Workgroups
A destina tion work gro up is a colle ct io n of com puter s wit h whi ch you r comp uter
communicates. For example, if your computer requires specific security when
communicating with the Res earch & Devel opm ent W orkgroup, your pol icy
must include a rule with security settings that speci fies the Research & Development Workgroup as the destination workgroup, and Research & Development
computers must have a rule specifying the same security settings and your computer as the destination workgroup.
The following destination workgroups are available:
• Everybody: Use this destination workgroup when you want the rule to
apply to com munication with all computers on your LAN.
• Destination workgroups you create.
If a comput er or group of computers you need is not in the destination workgroup list, create a new destination workgroup.
To create a new destination workgroup
1. On the Policy Editor dialog box, select the rule for which you want a new
destination workgr oup.
31
Intel® Packet Protect User’s Guide
2. Click Edit Rule. The Edit Rule dialog box appears.
3. Cl ick Customize Destination. The Customize Destination Workgroups dialog box appears.
4. Click New.
5. In the Destination workgroup box, type a new name for the destination
workgroup.
6. To add computers to the destination workgroup, in the Add computers by
text box, select how you want to identi fy computers for addition to the destination workgroup: by IP address or by computer name.
32
: Check with your network administrator to determine how to
Note
add computers to a workgroup. If the computer you want to
add to this workgroup has a permanent (or static) IP
addresses, you should probably add computers to the workgroup by IP address. If the computer you want to add uses s
dynamic IP addresses (where a temporary IP address is
assigned to a computer for each session), then you should
probably add computers to the workgroup by computer name.
7. Type the computer name or IP address for a computer you want to add to
the workgroup.
8. Click Add>>.
9. Re peat steps 5 throug h 8 for each computer you w ant to add.
10. If you need to delet e a comp ute r from th e desti nat ion wor kgr ou p, sele ct the
computer from the list on the right, then click <<Remove.
11. If desired, continue adding destination workgroups by clicking New again
and repea ting Steps 4-7.
12. Click OK. The selecte d dest in at ion w ork gro up app ears aut omat ical l y i n the
Edit Rule dialog box.
Configuring Security Settings
Destination workgro ups can be used in multiple rules. If you modify a destination wor kgroup, other rules may be affected.
Before yo u mo dify a destinati on workgroup, check the following:
• If you ha ve used the destination workgroup in any other rules, do not
follow the steps below. See “Modi fy Destination Workgroups or S ecurity Actions” on page 41 for more information.
• If you ha ve not used the destination wor kgroup in any other rule, con-
tinue wi th the steps belo w.
T o m odify a destination workgroup
1. I n the Cus to mize Des tina tion Workgro ups di alog box , selec t the dest in at ion
workgroup you want to modify.
2. Make changes, as necessary, then cli ck OK.
Customize Security Actions
You must specify a securit y action for each rule. This sect ion defines the security settings you can apply when two computers communicate.
Packet Protect provides six pre-defined securi ty actions, described below. See
“Available Settings for Security Actions” on page 34 for detailed information
about th e security settings listed here.
•Clear
Use to com m unicate completely in the clear, without any security.
• Default Action
Use to get an act ion th at pr o vid es a high le v el of secu rity, along with a high
level of int er op e ra bility. The defa u lt action is a rich set of IPSec p ro posals
that includes various levels of ESP (Encapsulation Security P ayload)
encryption, ESP authentication, and AH aut hentication. It provides a maximum le vel of interoperability wi th non-Packet Protect implementations of
IPSec.
•Deny
Use to deny any communications between two computers.
• Initiate Clear, Secure Responder
Use when you want to initiate communications in the clear and will attempt
to negotiate a secure connection if requested. This security action is most
appropriate for workstations.
• Secure Initiator, Fallback Clear
Use when yo u w ant to request security for al l communications, but do not
requir e it. If a secure connection cann ot be negotiated, then the comm unication wi ll be in the clear. This security action is appropriate for servers.
• Secure Initiator, Fallback Deny
Use when yo u w ant to require security for al l communications. If a secure
33
Intel® Packet Protect User’s Guide
connect ion cannot be negotiated, then the communication request is
denied. This security ac tion is appropri ate for server s.
Remember that two com puters attempt ing to communicate must agree on cer-
tain settings in order to communicate using IPSec.
The Requires Match? column in the tabl e below indicates whether the source
and destination computers must have the same security setting..
Table 6: Available Settings for Security Ac t i ons
Security
Setting Description
Time limit The length of time (in minutes or hours) the
protected communication can be active
before the system renegotiates. To increase
protection, lower the time limit (to a minimum
of 10 minutes). This makes the system renegotiate a new security association more
often, but increases network traffic. You may
specify a time limit, size limit, or both. This
setting is optional.
If two computers require different time limits,
the communication is re-negotiated when the
lower time limit is reached. If a time limit is n ot
defined, the default is 8 hours.
Size limit The amount of data (in MB) that can be
transferred during a security association
before the system renegotiates. To increase
protection, lower the size limit (to a minimum
of 20 MB). This mak es th e syst em renegot iate
a new security association more often, but
increases network traffic. You may specify a
time limit, size limit, or both. This setting is
optional.
Requires
Match?
No
No
34
If two computers attempting to communicate
require different size limits, the security
association expires when it reaches the lower
size limit. If you specify a size limit only, an 8hour time limit is appli ed auto matically. The
default is no size limit. There is no maximum
size limit for a security association.
Configuring Security Settings
Table 6: Available Settings for Security Ac t i ons
Security
Setting Description
Perfect
forward
secrecy
Anti-replay
protection
Use
algorithms in
order of
preference
The sys tem p ropo ses a second set of keys for
the security association (instead of using the
first set of keys used to verify identification).
Packet Protect is designed to agr ee on any of
the settings (including none), but it proposes
the setting you select.
: DO NOT use perfect forward secrecy if
Note
your computers will need to communicate
securely with Windows* 2000 IP Sec computers or any other non-Packet Protect IPSec
computers. This setting is not compatible with
non-Packet Protect IPSec computers and may
cause communication to fail.
The system does not accept repeated
packets; that is, packets that the system
already received. This helps protect against
an intruder sending the same packets
repeatedly in an attempt to confuse an
application. Always use this option because it
increases the lev e l of prot ection with v ery little
impact on network traffic.
Combinations of algorithms a computer must
use for a communica tion: ESP encrypti on,
ESP authentication, and AH authentication.
Packet Protect proposes the algorithm list (in
order of preference) to the destination
computer durin g negot iatio n.
attempting to com m u nica te securely must
agree on an algorithm combination
Requires
Match?
No
No
Yes
T wo comput ers
.
Note:
If your computer needs to communicate securely to a mixed
domestic and e xport group of computer s, make sure your pol icies have compatible encryption settings. Computers using
the export version can use DES encryption only. If computers
using the export versi on receive a policy specifyin g 3DES
encryption, they will actually use DES encryption for the communication. Consider including both DES (56-Bit) and 3DES
(168-Bit) encryption in your security actions.
35
Intel® Packet Protect User’s Guide
About algorithm notation
Each secur ity action can specify algorithms to use for encryption and authenticatio n. Th er e are three categories (En crypt io n , ES P [En c ap sulation Secu rity
Payloa d] Authentication, and AH [Authentication Head er] Authentication.
At least one of th ese categories must be used in a security action, or you can use
two or even all three.
IPSec and P acket Protect use a kind of “shorthand” notation f or describing the
algori thms used in a security action—Encryption value + ESP value + AH
value. For example, if you create a security action that uses DES for Encr yption,
SHA1 for ESP, and do not use AH, this would be shown as DES+SHA 1+None.
To create a new security action
1. On the Policy Editor dialog box, select the rule for which you want a new
security action.
2. Click Edit Rule. The Edit Rule dialog box appears.
3. Click Customize Security. The Customize Secur ity Actions dialog box
appears .
4. Click New.
5. In the Sec urity action lis t bo x , ty pe a new name fo r the secur i t y ac tion.
6. Specify a time and/ or size limit for the securit y association. Refer to
Table 6, “Available Settings for Security Actions,” on page 34 for detailed
infor mation abo ut these items.
7. If applicable, select the Perfect Forward Secrecy check box.
36
: DO NOT use Perfect Forward Secrecy if your computers will
Note
need to communicate securely with Windows 2000 IPSec
computer s o r a ny other non-Packet P r otec t I PSec computers .
8. Select Anti-r eplay protection. (Always select this setting because it
increases network protection with very little impac t on network traffic—
see Table 6 on page 34 for details.)
9. Add algorithms to the preference list for the security action:
• In the Encryption, ESP Authentication, and AH Authentication list
boxes, select which algorithms you want to propose for the security
action . You must select at least one al gorithm from an y of the lists.
• Click Add.
Repeat th is step for each algorithm combination you want to add.
10. If you need to remove an algorithm combin ation from the preference list,
select the combination from the list on the right, then click Remove.
11. To indicate your order of preference, move the algorithm combinations to
the corr ect location on the list by sel ecting an algorithm combination and
clicking Move Up or Move Down. Move the most important selection to
the top of the list and continue in descending order of importance.
Configuring Security Settings
12. To contin ue adding security actions, click N ew again and repeat Steps 5-11.
13. When you finish, click OK. The selected security action appears automatically in the New Rule dialog box.
T o modify a security action
Securi ty actions can be used in multiple rules. If you modify a security action,
other rules may be affected.
1. Be fore you modify a security action, check the following:
• If you have used the security action in any other rules, DO NOT fol-
low t he step s be low. See “Mo di fy Dest in at ion Workgroups or Secur ity
Actions” on page 41 for instruct ions.
• If you have not used the security action in any other rule, continue
with the steps bel ow.
2. I n the Customize Security Ac tion dialog b ox, select t he security action you
want to modify.
3. Make changes, as necessary, then cli ck OK.
37
Intel® Packet Protect User’s Guide
38
4
Making Changes
Be carefu l whe n you mak e ch anges t o your polic y. The settings you modi fy may
be used for more than one rule in your policy. This means changes you make
may affect other rule s in your policy, and may even require changes to policies
for other Packet Protect computers.
In this chapter, you’ll find information about:
• Modifying rules.
• Modifying custom destination workgroups and custom security actions.
• Deleting rules.
• Restoring the system policy .
39
Intel® Packet Protect User’s Guide
Modify the System Policy
Modifying a computer’s System Policy may impact policies that belong to other
clients with which your computer communicates using Packet Protect. In order
to apply yo ur rule to a security association, the computer with which you are
attempting communic ation must have a rule with matching se ttings. If yo u have
already coordinated rules with these other computers, modifying your rul e w ill
requir e m odification to the rules for t he other computers. Contact the network
adminis trat or if you ha v e an y quest io ns o r conce rns abo ut mo difyi ng r ul es in t he
System Pol icy.
You may edit t he D efault Rule tha t comes with your P acket Protect S ystem Policy (s ee “The Default R u le” on page 26 for a description of the Default Rule).
Notes:
You should careful l y consider the po ssible eff ec t s of changing
the Def ault Rule. I f you m odif y the Def au lt Rule e xte nsiv ely on
a computer, then you run the risk of that computer not being
able to successfully negotiate a secure transmission with
another computer in your network.
If you ha ve to re-ins t all Packet Pro tect for any reason, or need
to recrea te the Defau lt R ule , you will lo se y our customizati ons
and will have to specify them again.
To modify a rule
1. Determine whi ch of the other computers on the LAN have a matching rule
for the rul e yo u will edit . You need this in fo rmatio n later.
2. On the Policy Editor dialog box, sel ect the rule you want to modify.
3. Click Edit Rule. The Edit Rule dialog box appears.
4. Make changes as necessary.
5. I f you click any of the Customize buttons to make changes, see “Modify
Destination Workgroups or Security Actions” for more informat ion.
6. Click OK.
7. Go to the other computers that have a matching rule for the rule you just
modified (if you do not administer the other computers, coordinate the
needed rule changes with the other administrator). Complete steps 2-6 on
each of the other computers to update the settings so the rules have matching settings.
40
Note:
You must change matching rules on other computers when
you modify your rules. Otherwise, when the computers
attempt to communicate, the rule may fail and the security
settings are not used .
Modif y Destination W orkgr oups or Security Acti ons
Destination workgroups and security actions can be used in multiple rules. If
you modify these items, other rules may be affected. Follow these steps to
ensure that you address o ther affected rules.
Determine which other computers on the LAN have a matching rule for the rule
you will edit. You will need this information later.
T o edit destination workgroups or security actions :
1. Determine wh ich other rules that us e the destination workgroup or security
action you wish to modif y. You will need this information later.
2. On the Policy Editor dialog box, sel ect the rule cont aining the destin ation
workgroup or security action you want to edit.
3. Click Edit Rule. The Edit Rule dialog box appears.
4. Click Customize Destination or Customize Security, dependin g on w hat
you want to edit. The appropriate dialog box appears.
5. Select the item yo u wa nt to modi fy.
6. Make changes as necessary.
7. When you are finished, click OK.
Any rule that uses the destination wo rkgroup or security action you just
modified will also us e the modified settings.
8. Administer the other computers that have a rule matching any of the rules
that use the modified destination workgroup or securit y action. (If you do
not administer the other computers, coordinate the needed rule changes
with the other administ rator.) Complete steps 2-7 to update th e settings in
the matc hi n g ru le.
Making Changes
Note
Delete a Rule
Caution:
To delete a rule:
1. On the Policy Editor dialog box, select the rule you want to delete.
2. Click Delete Rule.
3. Click Yes to confirm the deletion.
Note
: You must change matching rules on other computers when
you modify your rules. Otherwise, when the computers
attempt to communicate, the rule fails and the security settings are not used.
After you delete a rule, you cannot recover its information.
: If other computers have a rule that matches the one you just
deleted, you should delete the matching rule in the System
Policy of those computers.
41
Intel® Packet Protect User’s Guide
Restore the System Policy
If the System Policy on your com puter has been extensiv ely modified, you m ay
find that your computer can not always negotiate a secure communication with
another com puter on the LAN.
When this occurs, you should consider removing your customi zations and
returning to the original System Policy, with its Default Rule. You will lose all
of your cus tomizations, including customized destination workgroups and security ac tions.
T o restore the System Pol icy
1. Displa y the Intel Pa ck et Protect Security Tab.
2. Cl ick Recreate Now. All your customizations are removed and you now
have the default System Policy on your computer.
42
5
Maintaining Packet Protect
You need to perform certai n tasks to ensure that Packet Protect is runn ing
smoothl y on their network.
In this chapter, you’ll find information about:
• Monitori ng Packet Protect computers .
• Setting Up Compatible Policies
• Installing a new ada pter for a Packet Protect computer.
• Working with ot her security pro ducts.
• Tur ning security on.
• Tur ning security off.
43
Intel® Packet Protect User’s Guide
Monitor Packet Protect Computers
View Status at a Packet Protect Client
At each computer, you can verify if Packet Protect is running.
T o verify whether Pac ket Protect is running
1. At the taskbar on the com puter, select Settings > Cont rol Panel.
2. Double -c lick Services and verify that Int el Po lic y A ge n t is starte d .
If Inte l Policy Agent doesn’t appear in the list, Packet Protect has been shut
down or is not functioning properly. See “T urn Security on Manually for an
Existi ng Com puter” on page 47 for details about restarting Packet Protect.
44
Set Up Compatible Policies
Two Packet Protect-enabled computers must agree on certain settings in order to
communicate in a protect ed w ay. These settings must be agreed upon by both
computer s. I t b eco mes i ncrea si ngly d ifficult to set up an IPSe c s ecu rity sy st em i f
there is a different network administrator who manages computers with which
you need to communicate using Packet Protect.
Contact the ot h er network administra to r w h o is al s o us in g Packet Prote ct to
coordinate the management of Packet Protect computers. One of you may need
to update your cl ient ’s System Polic y to be com pati bl e wi th th e o the r c ompu ter’s
System Pol icy.
Two computers must use compati ble settings for the follo w ing:
• Authentication. Bot h com puters must use the same method to authenticate
each othe r’s identity (e.g., both computers must use the same pre-shared
key)
• IPSec. Both computers must use compatible IPSec settings. See “Customize Security Actions” on page 33 and “How P acket Protect U ses IPSec” on
page 59 for a list of the required settings.
45
Intel® Packet Protect User’s Guide
Work with Other Security Products
On your network, there may be installations of an IPSec product other than
Packet Protect. If this is the case, m ake sure that the security settings used by
your computers match the se curity settin gs used by the other IPSec computers .
This is be cause two IPSec -enabled computers must agree on these security settings in order to communic ate in a protected w ay.
You might be managing both security product deployments, in which case you
can verify the s ettings that need to match. If anoth er network adm inistrator manages th e se c ur i t y co m p uters usi n g a differen t produc t , con tact th at ne tw ork
administra to r to ver ify the sett in g s.
: If the other network administrator manages Windows* 2000
Note
IPSec computers, you will need to create a separate destination workg roup for each Win do ws 2 000 I PSe c co mpu t er. This
will maximize IPSec interoperability.
In order to com m unicate with a Packet Protect computer using IPSec, the two
computers must use compatible settings for the following:
• Authent ication. Both computers must use pr e-shared keys (the pre-shared
key must be the same for both computers) to authenticate each other’s identity.
• IKE. Both computers must use compatible IKE settings. S ee “H ow Packet
Protect Uses IKE” on page 55 for a list of settings.
• IPSec. Both computers must use compatible IPSec settings. See “Customize Security Actions” on page 33 and “How P acket Protect U ses IPSec” on
page 59 for a list of the required settings.
46
Note:
If you decide to install Packet Protect for a computer that currently uses a different IPSec product, uninstall the other product, then install Packet Protect. For more information about
installation, see “Install Security for a New Computer” on
page 47.
Turn Security On for a Computer
After general deploym ent of Packet Protect, you might need to turn securi ty on
for a computer if the computer is new and hasn’t had Packet Protect installed
before. Or, you might need to manually turn Packet Protect on for a n existing
compu te r if Pa ck et Pro tect was tu rned off prev io usly.
Install Security for a New Computer
If a ne w computer requires Packet Protect, follow the instructions under “Install
Packe t Protect” on page 17.
Turn Security on Manually for an Existing Computer
After installation, Packet Protect is desig ned to start automatically upon system
startup. If for some reason Packet Protect isn’t ru nning, you can rest art it.
If you turned off security for a client and are now turning it back on, make sure
you re verse whatever method you used to turn it of f. See “Turn Security Off for
a Computer” on page 48 for details abo ut the ways you can turn off Packet Protect at a cl ie nt.
To manually turn Packet Protect on
1. At the taskbar on the com puter, select Settings > Cont rol Panel.
2. Double-cl ic k Servi ce s.
3. Select Intel Policy Agent and click Start.
47
Intel® Packet Protect User’s Guide
Turn Security Off for a Computer
There may be cases when you need to remove security from a client. For example, whe n the computer no longer requires protected traffic. There are two ways
you can remove security from a client :
1. Shut down Packet Protect at the computer
2. Uninstall Packet Protect at the computer
Shut Down Packet Protect at a Computer
Packet Protect is designed to run automatically every time the computer starts.
You can shut down Pa cket Protect for the current session, or you can change the
computer setup so Packet Protect doesn’t run each time the computer starts.
T o shut down Packet Pr otect for the current computer sessi on
1. At the taskbar on the com puter, select Settings > Cont rol Panel.
2. Double-cl ic k Servi ce s.
3 Selec t In te l Policy Ag e nt and click Sto p.
Note:
If you want to turn security on later, manually restart Packet
Protect. See “Turn Security on Manually for an Existing Computer” for more information.
Uninstall Packet Protect from a Computer
Uninsta lling Packet Protect from a comp uter permanently removes all Packet
Protect-related files, including IPSec, IKE, policies, and related Packet Protect
program files.
T o uninstall Packet Protect
1. At the taskbar on the com puter, select Settings > Cont rol Panel.
2. Double-click Add/Remove Programs.
3. On the Install/Uninstall tab, Select Packet Protect and click Add/Remove.
Follow the prompts to uninstall Packet Protect.
Caution:
When you uninstall Packet Protect, you lose all your customizations.
48
6
Troubleshooting and FAQs
This chapter details tips for troubleshooting Pa cket Protect. This chapter al so
provides a list of frequently asked questions about the product.
49
Intel® Packet Protect User’s Guide
Troubleshooting
Communication fails
If a P acket Protect computer cannot commun icate with another computer, check
the following:
• Verify that each computer’s basic security settings are set to allow comm unicati on. If the computers are using advanced security settings, verify that
the computers have mat ching rules. The ru les must allow for a match
between ESP an d AH settin g s fo r th e se curity action .
• If usin g pre-s ha red ke ys , ver i fy t hat ea ch co mput er is set up to use t he same
pre-sh ared key when co mmunicating with each another. Note tha t
pre-sh ared keys are case-sensitive.
• At the client, verify that Packet Protect is running. Click the Start button on
the tas kbar, select Settings > Control Panel. Double-click Services and verify that Intel Policy Agent is started.
Communication fails when passing through a firewall
Depending on the type of fire w all, IPSec may affect th e deployment i n different
ways:
• Some fi r e wa lls b loc k o uts ide- in tr af f ic wi tho ut per fo rmi ng n etw ork a ddr es s
translation (NAT). These firewalls can sometimes be configured to allow
IPSec traffic to flow from within the network.
• Proxying firewalls use HTTP, Telnet, FTP and other applicat ion proxies or
SOCKS to for w ard traffic. Wit h these firewalls, IPSec cannot be used to
protect traffi c end-to-end. IPSec can be used within the local LAN, b ut all
outside traffic will remain unprotected.
• If a ga teway or firewall is presen t doing netw ork address translation , IPSec
cannot be applied since IPSec packets are encrypted and integrity-protected, making address and port substitution impossible.
The ef fect s of IP Sec on fi re w all pol icie s v a ry g reatl y o n th e type a nd g oal s of t he
firewalls. Refer to your fir ewall vendor for information on IPSec support.
Packet Protect doesn’t start automatically upon startup
At the computer, m ake sure that Packet Protect is started as a serv ice. See “Turn
Security O n for a Computer” on page47.
Multicast, Broadcast, and IGMP traffic isn’t prot ected
Multica st traff ic is always unpr otected when you use Packet Protect because of
IPSec standards. In addition, IGMP traffic is unprotected.
50
Troubleshooting and FAQs
I changed the IP address or DNS name of a computer, now it can’t
communicate on the network
If you have custom rules, there may be other computers in the network that have
an old IP address or DNS name of a computer in their rules. Thes e rules must be
modified to reflec t the IP address/DN S name change.
I think some t ransmitt ed inf orm ation i s unpr otected and i t shoul dn’t
be
• Check the security action settings of both computers to make sure they
match. Also try to determine which rule is being applied to the communi cation. If the rule is set to allow the communication if the ru le fails, the computers will transmit data “in the clear” (without security).
• Check the default behavior. If both computers use Secure Respond er or No
Security, they will always communicate in the clear. If none of the rules
applies to the communication, the communication is unprotected if the
default behavior is Secure Initiator or Secure Responder.
• When a compu ter begins communication with another computer, the fir st
few seconds are allo w ed in the clear if the rule being used as a fallb ack
clear s etting or if there are no matching rules and the behavior is Secure
Initiator or Secu r e R es p onder.
• The following ports always al low traffic to pass in the clear:
• UDP port 53 (for DNS traffic)
• UDP port 68 to UDP port 67 (for DHCP)
• UDP port 1 37 to UDP port 137 (NetBIOS name servic e)
• UDP port 138 to UDP port 138 (NetBI O S datagram serive)
• TCP any port to TCP port 389 (LDAP directory access)
51
Intel® Packet Protect User’s Guide
Frequently Asked Questions (FAQs)
What is Packet Protect?
Packet Protect helps protect Internet Protocol (I P) traffic as it trave ls between
computer s on your LAN.
What is IPSec?
Internet Protocol (IP) Security is a set of protocols used to help secure the
exchange of IP data. For more information about IPSec, see “Appendix A — IKE
and IPSec” on page 53.
What is IK E ?
Internet Key Exchange is a protocol used to veri fy the identity of computers and
negot iate a protecte d com munication. For more information about IKE, see
“Appendix A — IKE an d IPSec” .
How does Packet Protect work with multiple adapters?
Packet Protect can work wit h multiple adapters that you instal l in one comp uter.
If you use an Intel
off loads encryption tasks to any of these adapters. For more information, see
“Multiple Adapters” on page 16.
How does Packet Protect work with Adapter Teaming?
Adapter Teaming and Packet Protect work together only for computers with
Windows NT
Teaming” on page 16.
How does implementing Packet Protect affect my network performance?
Like an y IPSec sol ution , P ac ke t Prot ect dec re ase s ne tw ork per for manc e be cause
of the int ense computation required to encrypt, decrypt, and validate packets.
Use Packet Protect with an Intel PRO/100 S Management or Server Adapter to
reduce th e impact on processor utilization and network tr affic. P acket Protect is
designe d to offload processor-intensive tasks (ESP and AH algorithm calculations) to these Intel adapters that ar e installed in a computer. This frees up the
computer’s pro cessor utilization for other tasks, reducing the impact to the network performance.
How can I tell if Packet Protect is running?
From the Sta rt menu, sele ct Se tt in gs > Cont ro l Pa nel. Doubl e- clic k Ser vi ces and
verify that Intel Policy Agent is started.
Why isn’t Multi cast, Broadcast, and IGMP traffic protected
Multica st traff ic is always unpr otected when you use Packet Protect because of
IPSec standards. In addition, IGMP traffic is unprotected.
PRO/100 S M anagement or Server adapter , Packet Prot ect
*
operating systems installed. For more information, see “Adapter
52
A
Appendix A — IKE and IPSec
A protect ed communication using Packet Protect involves Internet Key
Exchange (IK E) and In te rne t Pro toc ol Secur it y (IPS ec) . This a ppe ndix d esc ri be s
detail s about IKE and IPS ec, and how the technologies w ork together to protect
information as it travels on your network.
In this appendix, you’ll find the fol lowing information:
• An overview of IKE and IPSec.
• How Packet Protect uses IKE.
• How Packet Protect u ses IPSec.
For more i nformation about IKE and IPSec, includi ng applicable RFCs , see
Internet Engineering Task F orce IPSec Working Group Web sit e at
http://www.ietf.org.
53
Intel® Packet Protect User’s Guide
IKE and IPSe c Work Together
Packet Protect uses IKE and IPSec to protec t packets traveling on the network:
• IKE — Negotiates the security settings to be used by IPSec for protection
of the comm unication.
• IPSec — Protects the packets trav eling between two computers that are
attempting to communicate.
The following diagram illustrates how Packet Protect uses IKE and IPSec
togeth er to protect a com m unication between two compute rs
Step 1: IKE verifies pre-shared keys
Step 2: IKE Negotiates IPSec Settings
Step 3: IPSec Protects Packets
.
54
How Packet Protect Uses IKE
IKE is a set of standard protocols developed by the Internet Engineering Task
Force (IETF). IKE is used to authentica te and negotiate a protected com m unication. U si ng IK E is a tw o step pr oc e ss:
1 IKE verifies t he pre-shared keys of the two computers that are attempting
to communicate.
2 IKE negotiates a set of security settings to be used by IPSec.
Each computer must agree upon the security settings before IKE can establish a
protected communication for IPSec.
Identity Negotiation Settings
When IKE negotiates security for two computers, it requires that the following
be compatible:
• IKE se ttings
• Authentication method
IKE Settings
IKE sett ings are agreed upon by the two c omputers that are attempting to verify
each other’s pre-shared key. They are used to protect the IKE negotiation transactio ns . Th is allows the two compute rs t o nego t i a te without compro m i sing
secret key or password information.
The diagram below shows the steps that Packet Protec t performs to protect a
communication. The IKE settings are used during Steps 1 and 2.
IKE settings protect IKE pre-shared
key verification and negotiation steps
Step 1: IKE Verifies Pre-shared Keys
Step 2: IKE Negotiates IPSec Settings
Step 3: IPSec Protects Packets
Packet Protect uses pre-defined IK E settings, des igned for maximum compatibility with computers that use Packet P rotect and other IPSec products.
If two Packet Protec t computers attempt to communicate, they use the same
default IKE settings. If one of the computers is managed by a different IPSec
product , m ake sure that the IKE settings m atch. If necessary, make changes to
55
Intel® Packet Protect User’s Guide
the IKE settings in the other IPSec product. The following table describes the
pre-de fined IKE settings for each computer that uses Packet Protect.
Table 7: Pre-Defined IKE Settings
Preferred
Order
Encryption Hashing
Diffie-
Hellman
1 DES (56-bit) MD5 768-Bit
2 DES (56-bit) SHA-1 768-Bit
3 3DES (168-bit)
MD5 1024-Bit
Domestic ver sion only
4 3DES (168-bit)
SHA-1 1024-Bit
Domestic ver sion only
A computer th at requ ests a pr ot ected commu nicat io n pro poses i ts list of IKE set tings to the computer with which it is trying to communicate. The IKE settings
are prop osed in order of preference, but the responding computer can agree on
any of th e proposed combin ations. The responding computer must have one of
the combinations defined, or the co mmunication is not allowed using IPSec.
Source compu ter
Proposes de fined IKE
settings
Destination computer
Picks which IKE settings to use
from the source comput er’s list
NOTE:
Authentication Method
IKE requ ires that two computer s us e th e sam e au thenti c at io n m e thod to veri fy
each other’s identity. Packet Protect supports the following:
• Pre-sh ared ke ys — If using pre-shared key s, the two computers attempting to communicate must propose the same pre-shared key, otherwise they
cannot communicate using IPSec. If you change the pre-share d key for a
workgroup, remember that this changes the pre-shared key used for all
56
The IKE settings used by Packet Protect cannot be customized. If you
require different settings for a communication with a computer that
uses a different IPSec product, change the IKE settings in the other
product to match one of the IKE setting combinat ions used by Packet
Protect (as noted in the above table).
communications for all computers in the workgroup.
IPSec Settings
After IKE verifies the identity of each computer, it negotiates which IPSec set tings to use to protect the com munication after negotiat ion. Packet Protect
comes with pre-defined IPSec options, or you can create your own.
Each computer must agree upon the IPSec settings to use before IKE ca n establish a protected communi cation for data transfer.
Pre-defined IPSec Settings
Packet Protect comes with pre-defined IPSec settings, called security actions.
These sec urity actions ar e designed for maximum compatibility between computers u sing Packet Protect and other IPSec products.
A computer th at requ ests a pr ote cted co mmu nic atio n pro pos es its I PSec setti ngs
to the computer with which it is trying to communicate. The IPSec settings
include a list of algorithm combinations that appear in order of preference. The
other computer must allow one of these defined algorithm combin ations, otherwise, th e com munication is not allowed using IPSec.
Secure communication using the
same pre-s hared key
For a des cription of the i ndividual IPSec settings an d how you might use them,
see “Available Settings for Security Actions” on page34.
Custom IPSec Settings
Although it is recommended that you use the pre-defined IPS ec settings (sec urity act ion s) th at come wit h P ack et Pr ot ect, you can also c re at e your o wn t o mee t
your custom corporate securi ty guidelines. If you create your own, keep in mind
that tw o com puter s mus t a gree o n ce rt ain se tt in gs in o rde r t o c ommuni cate u si ng
IPSec.
For more information about creating your own IPSec security actions, see “Customize Security Actions” on page 33 .
57
Intel® Packet Protect User’s Guide
Examples
The following diagram illustrates failed IKE negotiations due to mismatched
settings.
Pre-shared key = 123456
Default IKE set tings
/SHA-1
DES
Pre-shared key = 777777
Default IKE set tings
/SHA - 1
3DES
The following diagram illustrates successful IKE negotiations due to matched
settings
Pre-share d key = 123 456
Defaul t IKE se ttin g s
/SHA-1
3DES
Pre-share d key = 123 456
Defaul t IKE se ttin g s
/SHA-1
3DES
58
How Packet Protect Uses IPSec
IPSec is a set of standard protocols developed by the Int ernet Engineeri ng Task
Force (IETF). IPSec is used to protect the privacy and integrity of IP communications. It protects IP com m unications u sing algori thm s that per form encryption
and authe ntication tas ks, as well as other features that en force additional protection.
If IKE successfully negotiates a protected communi cation, it passes the agreed
upon info rm ation to the IPSec d river used b y Packet Protect. Then, the IPSec
dri ver uses that information to determine how to protect the IP communication.
Security Associations
IP communications use a security contract or security association when they are
protected using IPSec. After a security association is set up between two com puters, the computers can exchange data and IPSec will protect that data using
one or more of ESP encryption, ESP authentication, or AH authentication algorithms
The diagram below shows the steps that Packet Protec t performs to protect a
communication. The secur ity association is establis hed in Step 3.
Step 1: IKE Verifies Pre-shared Key
Step 2: IKE Negotiates IPSec Settings
Step 3: IPSec Protects P ackets
Security association
For more in for mat ion abou t eac h IPSe c sett in g, se e “IPS ec Sett in gs” on page 57
and “Custo mize Security Actions” on page 33.
Security Association Lifetimes
Securi ty ass oci at ions ex pi re if th e y re ac h the m ax imum t hr es hold de f i ned for th e
commu n ic ation. Packet Protect is designed to autom a tically re-negotiate the
securi ty association when it is about to expire (usually when it reaches approximately 80% of its lifetime), if one of the following is true:
• The security action is currently in use, that is, data is being transferred currently.
• The security action has been used recently, that is, data was transferred
using that security association.
59
Intel® Packet Protect User’s Guide
Packet Protect re-negotiates the IPSec settings only; it doesn’t need to re-verify
the identity of the computers because it is already known. This helps reduce network traffic b y reducing extra key generation.
If the security association is not renewed automatically and consequently
expir es, a security association betw een the same computers will require both
IKE steps: pre-shared key verification and IPSec negotiation.
How IPSec Protects Packets
IPSec applies the selected algorithms to each packet that is protected by IPSec.
The algor ithms provide one of the following protection features:
• Encryption and privacy
• Integrity
• Time and size limits
• Anti-replay protection
The following sections describe some t echnical detai l about encrypti on and
integrity protect ion. The other features of IPSec are described in “Customize
Security A ctions” on page 33.
Encryption
Use encryption to protect the confidentiality of pack ets. Encryption encodes
packets so they are unreadable unless the receiver has the proper key to decode
the pack ets.
60
If a pack et is encrypted us ing ESP encryption (DES or 3DES algorithms), it is
unreadable while in transit. Other types of encryption can protect the confidentiality o f information wh ile stored on a computer – Packet Protect is desi gned to
prote ct the co nfidentia lity of informat ion whil e traveling on the net wo rk . T he
follow ing diagram shows unencrypted and encrypted pa ckets traveling on the
network.
*&e# x2q%z k4!ht68
pear apple banana
Encrypted packets
Packets “in the
clear”
If the packets pass through any routers or sw itches, the encrypted packets are
relayed w ithout requiri ng IPSec on those devices.
Integrity
Data integrity ve rifies that the packet was unchanged during transport over the
network. It also verifies that other packet s w here not inserted into the packet
flo w. This helps prevent a computer from accepting packets from an intruder
who is att em pting to send packets on the netwo rk.
Use integrity feat ures to protect the authenticity of packets, that is, ve rify that
the pack et was unchanged during transport over the network. Integrity features
also ve rify that no other packets were inserted int o the packet flow.
Packe t Protect uses ESP and AH al gorithms (MD5 or SHA-1) to protect the
integrity of packets.
The following diagram shows two sets of packets traveling on the network. The
first set uses integrity protection; the second set does not.
Verified
packets
Unverified packets
Intruder
XX
changes packets
61
Intel® Packet Protect User’s Guide
62
Appendix B — Interoperability
B
with Microsoft Windows* 2000
An overview of interoperability between Windows 2000 comp uters and Packet
Protect computers.
63
Intel® Packet Protect User’s Guide
Interoperability with Windows* 2000
By default, IPSec is not ena bled in Windows 2000. Wi ndows 2000 is installed
with “No Security” as the IPSec default action. You can use the IP Security Policy Management tool to act ivate IPSec in Windows 2000.
Windows 2000 has three IPSec default behaviors—Server, Secure Server, and
Client—that you can choose from when you configure the computer.
Currently, Packet Protect interoperates with Windows 2000 using a pre-shared
key. However , because Windows 2000 default authentication mechanism is Kerberos, which is not suppor ted by Packet Protect, the authentica tion must be
changed t o use pre-shared keys. Be sure to use the same pre-shared keys on
Windows 2000 compu ters as Packet Protect-enabl ed computers for proper
interoperability.
Tips: If you have Windows 2000 computers and want them to communicate
securely with Packet Protect-enabled computers, you must use the
Default Rule that is set up with the Packet Protect System Policy. Do
not erase or modify the Default Rule for best results.
For maximum int eroperability, be sure to place each Windows 2000
comput ers in its o wn Destination Workgr oup.
Creating Policies
64
T o create custom IPSec policies in Windows 2000
1. On the taskbar, click Start and select Settings > Control Panel.
2. Double-click Network and Dial-up Connections.
3. Right-click Local Area Connection and s elect Properti es.
4. Click Advanced and select the Options tab.
5. Unde r Optional settings, click IP security.
6. Click Properties.
7. Clic k Use this I P se cur ity p oli cy, and then select th e I PSec pol ic y y ou wa nt to
use.
You can also use the IPSecurity Policies snap-in in the Microsoft Management
Console ( MMC). Set it to use th e loca l co mput er, right- cl ick th e pol ic y you wan t
to use, an d then click Assign.
You must be a mem ber of the Administrators group to set IPSec policies. If a
computer parti ci pa tes in a W in do ws 2 000 do mai n, the comput er may r ecei v e t he
IPSec policy from Active Directory, overriding the local IPSec policy. In this
case, the options are disa bled and you cannot change them from the local computer.
Appendix C — Network
C
Software License Agreement
This appendix details the following:
• Network Software License Agreement
• Intel Automated Customer Support
65
Intel® Packet Protect User’s Guide
Network Software License Agreement
IMPORTANT - READ BEFORE COPYING, INSTALLING OR USING.
Do not use or load this software and any associated materials (collectively, the “Software”) until you
have carefully read the following terms and conditions. By loading or using the Software, you agree to
the terms of this Agreement. If you do not wish to so agree, do not install or use the Software.
LICENSE
and you may make one back-up copy of the Software, subject to these conditions:
1. This Software is licensed for use only in conjunction with Intel component products . Use of the
Software in conjunction with non-Intel component products is not licensed hereunder.
2. Y ou may not copy, modify, rent, sell, distribute or transfer any part of the Software except as
provided in this Agreement, and you agree to prevent unauthorized copying of the Software.
3. Y ou may not reverse engineer, decompile, or disassemble the Softw are.
4. You may not sublicense or permit simultaneous use of the Software by more than one user.
5. The Soft ware may conta in the soft ware or other prop ert y of thir d par ty su ppl ie rs, s ome of whic h may
be identified in, and licensed in accordance with, any enclosed “license.txt” file or other text or file.
OWNERSHIP OF SOFTWARE AND COPYRIGHTS
with Intel or its suppliers. The Software is copyrighted and protected by the laws of the United States
and other countries, and international treaty provisions. You may not remove any copyright notices
from the Software. Intel may make changes to the Software, or to items referenced t herein , at any time
without notice, but is not obligated to support or update the Software. Except as otherwise expressly
provided, Intel grants no express or implied right under Intel patents, copyrights, trademarks, or other
intellectual property rights. You may transfer the Software only if the recipient agrees to be fully bound
by these terms and if you retain no copies of the Software.
LIMITED MEDIA WARRANT Y
Intel warrants the media to be free from material physical defects for a period of ninety (90) days after
delivery by Intel. If such a defect is found, return the media to Intel for replacement or alternate delivery of the Software as Intel may select.
EXCLUSION OF OTHER WARRANTIES
WARE IS PROVIDED "AS IS" WITHOUT ANY EXPRESS OR IMPLIED WARRANTY OF
ANY KIND INCLUDING WARRANT IES OF MERCHANTABILITY, NON-INFRINGEMENT,
OR FITNESS FOR A PARTICULAR PURPOSE. Intel does not warrant or assume responsibility
for the accuracy or completeness of any information, text, gr aph ics, l inks or other items conta ined
within the Software.
LIMIT ATION OF LIABILITY
FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, LOST PR OF ITS,
BUSINESS INTERRUPTION, OR LOST INFORMATION) ARISING OUT OF THE USE OF OR
INABILITY TO USE THE SOFTWARE, EVEN IF INTE L H A S BEEN A DVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME JURISDICTIONS PROHIBIT EXCLUSION OR LIMITATION OF LIABILITY FOR IMPLIED WARRANTIES OR CONSEQUENTIAL OR INCIDENTAL
DAMA GES, SO THE ABOVE LIMITATION MAY NO T APPLY TO YOU. YOU MA Y ALSO HAVE
OTHER LEGAL RIGHTS THAT VARY FROM JURISDICTION TO JURISDICTION.
TERMIN ATION OF THIS AGREEMENT
violate its terms. Upon termination, you will immediately destroy the Software or return all copies of
the Software to Intel.
. Y ou may copy the Software onto a single computer for your personal, non-commercial use,
. Title to all copies of the Software remains
. If the Software has been delivered by Intel on physical media,
. EXCEPT AS PROVIDED ABOVE, THE SOFT-
. IN NO EVENT SHALL INTEL O R ITS SUPPLIERS BE LIABLE
. Intel may terminate this Agreement at any time if you
66
Appendi x C — Net wor k Sof t war e Li ce nse
Intel Automated Customer Support
You can reac h Intel’s automated supp ort services 24 hours a day , every day at no charge.
The ser v ices contain the most up-to-date i nformation about Intel products. You can access
installation instructions, troubleshooting information, and general product information.
Readme Files on Your Product Disk
To review the readme topics, insert the PRO/100 S Server or Management adap ter disk in
a disk drive, swit ch to that drive, and type:
SETUP /R EAD ME and then press Enter.
Web and Internet Sites
Support : http://support.intel.com
Network Products: http://www .intel.com/network
Corporate: http://www.intel.com
FTP Host: download.intel.com
FTP Directory: /support/network/adapter/
Customer Support Technicians
US and Canada: 1-916-377-7000 (7:00 - 17:00 M-F Pacific Time)
Worldwide access: Intel has technical support centers w orldwide. Many of the cente rs are
staffed by technicians who speak the local langua ges. For a list of all Intel support center s,
the telephone numbers, and the times they ar e open, go to:
http: //support.i ntel.com/support/9089.htm.
67
Intel® Packet Protect User’s Guide
68
G
Glossary
3DES
Triple Data Encryption Standard, or
Triple DES. An encryption standard used
to encode d ata while it travels on a network. 3DES uses 168-bit ke ys to encrypt
data.
3DES is availabl e o nl y in the dom e stic
version of Packet Protect.
AH
Authentication Header. A protocol of verifying th e integrity of packets, th at is, the
packet s are known to be from the originating computer. Packet Protect uses MD5
and SHA-1 to authenticate packets.
anti-replay
Protection against receiving repeat data
trans mitted on th e ne tw o rk . T hi s he lp s
prevent an intruder from successfully
sending the same data in an attempt to
confu s e th e sy stem (f o r exa m p le, the co mputer could repeat the task of restarting a
server).
authentication
The process of verifying th e identity of a
computer. Pack et Protect authe n ticates a
computer using pre-shared keys. It helps
verif y that a computer is w ho it claims to
be.
cryptograph y
The scienc e of protecting the privacy of
data by enc oding the data so it is unreadable to anyone who doesn’t have a secret
key to decode it.
CPU utilization
A measurement of the average load on a
computer’s processor. As processor usage
increases due to security tasks, users may
notice slower performance. Intel
PRO/100 S Management and Server
Adapters are designed to offload the security o ver hea d f rom P acket Pr otec t by us ing
a special on-board processor, thereby
redu ci n g proce ss o r ut ilizat io n.
decryption
The un-en coding of e ncrypt ed da ta us in g a
secret pa ssword or ke y.
69
Intel® Packet Protect User’s Guide
DES
Data Encryption Standard. An encryption
standard used to protect data confidentiality by encoding the data before it travels
on a network.Packet Protect supports 56bit DES an d 16 8-bit 3D ES (3 D E S available in the United States and Canada
only).
destination workgroup
A logical collection of co m puters (serv ers
and clie nts) that you define in Packet Protect. Destination workgroups contain lists
of computers with which a computer in the
source workgroup may want to communicate using IPSec.
Destination workgroups in Packet Protect
are dif fere nt from workgr oups in W indo ws
opera ting systems.
default behavior
The setting for a workgroup specified in
Packet Protect that determines how a computer communicates using IPSec.
Diffie-Hellman
A method of sharing a secret key between
two computers.
DNS
Domain Name Server. The network of
Domain Name Servers that resolve fully
qualified domain names (FQDNs) to their
corres ponding IP addre sses.
encryption
The process of protecting data confidentiality by encoding the data so it is unreadable t o any one who doe sn’ t h a v e the se cre t
key to decode it. You can read data if it
isn’ t encrypted, but you can’t r ead data
while it’s encrypted.
ESP
Encapsulation Security Payload. A
method of protecting the confidentiality
and/or integrity of data. ESP can be used
to protec t data confidentiality b y encrypting the dat a using DES or 3DES. ESP can
also be used to verify the origination of
data by au thent ic ating the dat a using MD5
or SHA-1.
FQDN
Full y Q u al ified Dom ai n N ame. Th e
unique name given to a computer or
devic e . When addressing informatio n or
request s, it’s often easier to remember a
fully q ual if ie d d omai n na me r at he r t ha n a n
IP address . Because computers communicate usin g IP addresses, DN S software
matches the fully qualified domain name
to its corresponding IP address so users
can communicate using the domain name
and the IP address.
ICMP
Interne t Contr ol Mess age Proto col . A ty pe
of IP protoc ol used to transm it data that
typical ly contains error or explanatory
information. For example, the ping command uses ICMP to transmit data about
network connectivity.
IETF
Internet Engineering Task Force. The
organization that is developing and standardizing IK E and IPSec.
IKE
Interne t Key Exchange. A protocol bui lt
on standard s that is used to ne gotiate a
protected communicatio n.
IKE is a subset profile of ISAKMP/Oakley. It is being developed by the Internet
Engineering Task Force (IETF).
intruder
An unwanted visitor from inside or outside your co m pany who may try to steal
information or harm your network.
IP
Internet Protocol. A se t of rules that
70
Glossary
descri be how computers transmit data
with a destination address.
IP address
A series of numbers that identifies a connectio n point or devic e on an IP network.
Each conne ction point and device needs a
unique IP address to commu nicate using
IP. For example, 192.168.1.1 is a sample
IP addres s.
IPSec
Inter net Protocol (IP) Security. A set of
protoc ols us ed to he lp secur e th e e xc hange
of IP data . I PSec i s b eing d e v elope d b y t he
Internet Engineering Task F orce (IETF).
key
A set of byt es tha t encry pt or dec rypt da ta.
Keys allow you to protect da ta from being
read by an intruder on the net w ork. Keys
can be symmetric or asymmetric and
asymmetric keys can be either public or
private.
LAN
Local Area Ne twork. A communications
network usually located within a building
or small numbe r of buildi n gs . For example, computers and prin ters at many companies are connected to a LAN.
lockdown
A descrip tion of a default behavior for a
computer that uses Packet Protect. A
Lockdown computer in itiates and replies
to all co mmunications by requesting security; it on l y co m m u n ic ates using IPSe c
(requires that the other com puter also uses
IPSec). A common use for this setting is a
server that requires very restricted access.
MD5
Message Digest Algorithm. An algorithm
often used to verify the integrity of packets traveling on a network. The algorithm
transf orms any number of bytes into a
fixed number of bytes; no other set of
bytes produces the same result.
network
One or more com pute rs that ar e c onne cted
together for communication purposes.
offload
The assignment of algorithm com putations fr om software to hardware. Pack et
Prot ec t offl oads sec urity tasks to Inte l
PRO/100 S Management and Server
adapters to speed processing and increase
network pe rformance.
packet
A piece of data th at trav els on th e network.
Each packet contains the data being transmitted, along with a destination address.
Packet Protect protects packets as they
travel on the network using IPSec.
perfect forward secrecy
The generation of an additional key pair to
be used duri ng data transfer. This helps
guarantee that no keys are re-used. Using
perfect forward secrecy increases protection, but generates more CPU utilization.
policy
A collection of security settings and rules
that are ap plied to a group of comp uters.
port
A connection point used by IP applications. For example, a Web server typically
sends and re ce iv es inf orm ation on por t 8 0.
pre-shared key
A secret pas sw ord that a computer presents to help verify its identity. Pre-shared
keys ar e used during negotiation of a
secure communication. Eac h computer
must present the same pre-shared key in
order to communication using IPSec.
protocol
A set of guide lines that describe how net-
71
Intel® Packet Protect User’s Guide
works or applicat ions communicate. If the
set of rules are followed, information can
be proces sed correctly. This allows computers and hardware devices to comm unicate wit h one another even if they’re
different from one another.
rule
A definition of the security settings to
apply when a computer communicates
with a de s tin a t i on co m puter us in g a sp ecified protocol.
secure initiator
A descrip tion of a default behavior for a
computer that uses Packet Protect. A
Secure Initiator computer initiates communications by requesting security and
respond s to communication requests wit h out security (“in the clear”). A common
use for this setting is a server that doesn’t
require the strict control of the Lockdown
setting.
secure responder
A descrip tion of a default behavior for a
computer that uses Packet Protect. A
Secure Responder compu ter initiates communications without security (“in the
clear” ), b u t c an respo nd t o c omm unica ti on
requests with security. A common use for
this setting is a workstation.
the existing security association).
security associat ion lifetime
The duration of a security association. A
lifeti m e can be limited by time or by the
amount of data transmitted.
SHA-1
Secure Hash Algorithm. An algorithm
often used to verify th e integrity of packets tra veling on a network. The algori thm
transforms any number of bytes into a
fixed number of bytes.
traffic
Packet s traveli ng on the network.
workgroup
A logical collection of com puters (servers
and clients) that you define in Packet Protect.
Wo rkg ro ups i n P ac ke t Pro te ct ar e di ff er ent
from workgroups in Windows operating
systems.
security action
A collect ion of IPSec settings that are proposed when two computers attempt to
communica te. P ack et Pr otect us es secur i ty
actions when a rule is matched for a communication.
security association
A securit y contract between two computers. Whil e the security as sociation is
active (8 hours is the defaul t) , th e tw o
computers can send data without re-negotiating a communication (as long as the
data being sent uses a protocol defined in
72
Index
A
adapters
installi n g 15
teaming and 16
use multiple 16
algorithms and security actions 35
Anti-replay protection 4
anti-replay protection 35
authentication
of rules 26
C
clients
failed communication between 50
turn off security for 48
turn on se c u rity for 4 7
uninstalling Packet Protect from 48
configure adapters for Packet Protect 15
customize
destinati on workgroups 31
D
Data Encryptio n Standard 60
data integrity 60
DES. See Data Encryption Standard
destinati on workgroups
customize 31
modify 33
modify after poli cy distribution 41
domestic versi on of Packet Protect 2
Index
E
Encapsulati on Security Payload 60
encryption algorithms 35
encryption of data packets 4, 60
ESP. See Encapulation Security Payload
export version of Packet Protect 2
F
FAQs. See Frequently Asked Q uestions
firewall
using Packet Protect with 50
firewalls 5 0
Frequently Asked Questions 49
73
Intel® Packet Protect User’s Guide
G
gateway 50
glossary 69
H
hardware
acceleration 2
hardware acceleration 2
help file for Packet Protect 3
I
IKE. See Internet Key Exchange
installation
more information ii
notes ii
integrity of dat a packets 4
Internet Key Exch ange
authentication 56
definition 4
how it works with IPSec 54
how Packet Protect uses 55
settings 55
Internet Protocol Security
data integrity and 60
definition 4
encryption of data packets 60
how it protects packets 59, 60
how it works with IKE 54
how Packet Protect uses 59
security associations and 59
settings 57
Internet Protocol traffic
protectio n of 1
traffic not protected by Packet Protect 50, 52
interoperability with other security products 46
introduction 1–6
intruders 1
IP. See Internet Protcol
IPSec. See Internet Pr otocol Security
L
LAN. See Local Area Network
Local Area Network 1
Lockdown workgroup behavior 23
74
N
network address translation 50
O
ordering rules 27
other security products
interope rabilit y w ith 43
overview 2
overview of Packet Protect 2
P
Packet Protect
administrator and client versions 3
domestic and export versions 2
features 2
frequently asked questions 49
get started 6
getting started 6
how it works 4
HTML help 3
introduction 1
preparing for installation 8
purpose 2
troubleshooting 49
work with other IPSec products 46
perfect for w ard secrecy 35
policy
definition of 25
modifying after distribution 40
set up compatible policies 45
Index
R
readme files i i
rules
authenticat ion setting 26
definition of 25
delete after policy distribution 41
If rule fails 26
importance of order 25, 27
ordering 31
S
Secure Initiator workgroup behavior 23
Secure Responder workgroup behavior 22
security action
customize 33
75
Intel® Packet Protect User’s Guide
security actions
create new 36
customize 33
definition of 26
modify after poli cy distribution 41
services on the World Wide Web ii
size limit and security actions 34
support servi ces 67
T
time limit and security actions 34
troubleshooting 49
more information ii
U
uninstalling
Packet Protect at cl ients 48
V
view
status at clients 44
W
workgroups
customize security actions 33
modify destin ation workgroups 31
76
Loading...