Intel PRO-100 User Manual

Intel® PRO/100 Family Packet Protect
Enabling the IPSec Protocol on Microsoft® Windows NT 4.0
User's Guide
Intel® Packet Protect User's Guide
Readme Files
For more information about installation and general information about the product, see the readme text file. To view the file, open the root folder on the Intel CD-ROM and open readme.txt with any text editor.
Online Services
You can use the Internet to download software updates, and to view troubleshooting tips, installation notes, and more. Online services are on the World Wide Web at:
http://support.intel.com
Copyright © 2000, Intel Corporation. All rights reserved. Intel Corporation, 5200 N.E. Elam Young Parkway, Hillsboro, OR 97124-6497. Intel Corporation assumes no responsibility for errors or omissions in this document. Nor does Intel make any commitment to update the information contained herein. * Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owners' benefit, without intent to infringe.
Contents
Where to Go for More Information  ii
Contents  iii
Introduction  1
  What is Intel Packet Protect?  2
    Packet Protect Features  2
    Complete Your Security Solution  2
    Hardware Acceleration  2
    Domestic and Export Versions  2
    Additional Information  3
  How Packet Protect Works  4
    What is IP Security?  4
    What is Internet Key Exchange?  4
    The Process  5
  Get Started  6
Installing Packet Protect  7
  Developing Your Deployment Model  8
    Review Your Network Architecture and Corporate Security Guidelines  8
    Assign security behavior roles to computers that you want to use Packet Protect  9
    Develop a strategy for handling pre-shared keys  10
    Understand the Default Rule  11
    Consider exceptions to the Default Rule  11
    What are the Trade-offs?  12
    Conclusion  14
  Set Up Intel Adapters  15
    Install Intel Adapters  15
    Configure Intel Adapters  15
  Install Packet Protect  17
    System Requirements  17
    Licensing  17
    Install Packet Protect  17
  View Your Security Settings  19
Configuring Security Settings  21
  Understand Default Security Behavior  22
    Default Behaviors in Packet Protect  22
  Set up Your System Policy  25
    What is a Policy?  25
    What is a Rule?  25
    The Default Rule  26
    Importance of Rule Order  27
    How Does the System Policy Work?  28
    Add Rules to the System Policy  28
Making Changes  39
  Modify the System Policy  40
    Modify Destination Workgroups or Security Actions  41
    Delete a Rule  41
    Restore the System Policy  42
  Monitor Packet Protect Computers  44
    View Status at a Packet Protect Client  44
  Set Up Compatible Policies  45
    Work with Other Security Products  46
  Turn Security On for a Computer  47
    Install Security for a New Computer  47
    Turn Security on Manually for an Existing Computer  47
  Turn Security Off for a Computer  48
    Shut Down Packet Protect at a Computer  48
    Uninstall Packet Protect from a Computer  48
Troubleshooting and FAQs  49
  Troubleshooting  50
  Frequently Asked Questions (FAQs)  52
Appendix A — IKE and IPSec  53
  IKE and IPSec Work Together  54
  How Packet Protect Uses IKE  55
    Identity Negotiation Settings  55
    IPSec Settings  57
    Examples  58
  How Packet Protect Uses IPSec  59
    Security Associations  59
    Security Association Lifetimes  59
    How IPSec Protects Packets  60
Appendix B — Interoperability with Microsoft Windows* 2000  63
  Interoperability with Windows* 2000  64
Appendix C — Network Software License Agreement  65
  Network Software License Agreement  66
  Intel Automated Customer Support  67
    Readme Files on Your Product Disk  67
    Web and Internet Sites  67
    Customer Support Technicians  67
Glossary  69
Index  73
Introduction
With the growing amount of information that travels on your local area network (LAN), confidential information has become a target for intruders both inside and outside your company. These intruders may be employees, visitors to your company, or a hacker who breaks through your firewall.
Intel® Packet Protect helps protect Internet Protocol (IP) traffic as it travels between computers on your LAN. This protects confidential data from being read or altered by intruders on the network.
In this chapter, you'll find information about:
• Packet Protect overview
• How Packet Protect works
• Getting started
What is Intel Packet Protect?
Packet Protect is designed to protect the confidentiality and authenticity of IP traffic on your LAN. It can serve as a departmental solution for your security concerns.
Many data compromises are attempted from within a company firewall. Unless you protect information as it travels on the network, anyone who can reach the network segment can capture it.
For example, employees retrieving confidential designs from a Research & Development department server use Packet Protect to encrypt the information while it travels on the LAN. Encryption protects the confidentiality of the information, and each employee's computer can also verify the integrity of the information upon receipt.
Packet Protect Features
Packet Protect enables you to:
• Protect the confidentiality and authenticity of IP traffic on your LAN using Internet Protocol Security (IPSec), with keys negotiated by Internet Key Exchange (IKE).
• Offload security tasks to an Intel PRO/100 S Management or Server Adapter to optimize network performance.
Complete Your Security Solution
Packet Protect protects data traveling between computers, not data stored on a computer. If you need to protect stored data, combine Packet Protect with operating system features; use your operating system or network infrastructure elements to provide access control to the computers on the network.
Hardware Acceleration
Implementing an IPSec solution can increase CPU utilization on the computers that run the IPSec software. This is common with any IPSec solution because of the intense computation required to encrypt, decrypt, and validate packets. However, you can offload these security tasks from the CPU.
Combine Packet Protect with an Intel PRO/100 S Management or Server Adapter to reduce CPU utilization. This frees the CPU for other tasks while reducing the impact on network performance.
Domestic and Export Versions
Packet Protect is available in both domestic and export versions. The export version supports DES (56-bit) encryption only. The domestic version, available in the United States and Canada, supports DES and 3DES (168-bit) encryption. When a domestic and an export computer negotiate with each other, they can only agree on DES, since that is the only algorithm both support.
Additional Information
This Packet Protect User's Guide in Adobe Acrobat* format can be found in the Packet Protect directory on the product CD-ROM. Packet Protect help can be found in the Help directory on the product CD-ROM.
How Packet Protect Works
Packet Protect helps you protect network traffic that is sent from one server or client to another. Packet Protect uses these steps to protect information traveling on the network:
1. Activate IKE (Internet Key Exchange). IKE authenticates the two computers and negotiates the parameters for secure communication.
2. Activate IPSec (Internet Protocol Security). IPSec protects the communication using the security parameters that IKE negotiated successfully.
What is IP Security?
Internet Protocol (IP) Security (commonly called IPSec) is a set of standard protocols used to protect the confidentiality and authenticity of IP communications. IPSec accomplishes this using the following:
• Encryption. Protects the confidentiality of information traveling on the network. Each packet is encrypted so that unwanted recipients can't interpret it. Packet Protect uses the DES 56-bit and 3DES 168-bit encryption algorithms (3DES in the U.S. and Canada version only).
• Integrity. Protects the authenticity of the information traveling on the network by verifying that each packet was unchanged in transport. Packet Protect uses the MD5 and SHA-1 algorithms for both ESP and AH authentication.
• Anti-replay protection. Prevents an intruder from successfully resending a captured packet in an attempt to confuse the system: each protected packet carries a sequence number, and the receiver discards packets it has already accepted.
For more information about IPSec, see "Appendix A — IKE and IPSec" on page 53.
What is Internet Key Exchange?
Internet Key Exchange (IKE) is a standard protocol used to negotiate a protected communication. Negotiation is the first phase in setting up a secure communication. IKE verifies the identity of the computers using pre-shared keys, then negotiates a set of security settings to protect the communication.
IKE is a protocol that operates inside the framework defined by ISAKMP (Internet Security Association and Key Management Protocol) and is used to establish Security Associations.
For more information about IKE, see "Appendix A — IKE and IPSec" on page 53.
The Process
If two computers require security, each time they attempt to communicate with each other Packet Protect follows these steps to attempt a protected communication:
1. Each computer uses IKE to verify that the other is the computer it claims to be.
2. If identity verification is successful in Step 1, the two computers use IKE to agree upon the IPSec settings to use.
3. If the agreement is successful in Step 2, both computers will use the agreed upon IPSec settings to protect the data as it travels.
As long as the protected communication is active, the two computers can exchange information without repeating Steps 1 and 2 (up to the pre-defined time and size limits; see Table 6 on page 34 for more information).
The following diagram shows the roles of IKE and IPSec:
Step 1: IKE Verifies Pre-shared Key
Step 2: IKE Negotiates IPSec Settings
Step 3: IPSec Protects the Communication
Get Started
To start using Packet Protect
1. Evaluate your network architecture and decide which areas require Packet Protect. For details, see "Developing Your Deployment Model" on page 8.
2. Install Packet Protect on those computers that require security. For details, see "Install Packet Protect" on page 17.
3. Set up security settings for each computer where you installed Packet Protect. For details, see Chapter 3, "Configuring Security Settings" on page 21.
Installing Packet Protect
To set up your network in preparation for deploying security, there are several things to consider. This chapter guides you through the setup process so you can begin deploying security most effectively.
In this chapter, you'll find information about:
• Developing your deployment model.
• Setting up Intel network adapters.
• Installing Packet Protect.
Developing Your Deployment Model
In order to use Packet Protect successfully, you must develop a deployment model that fulfills your security needs on your network. There are several stages to consider in developing your deployment model:
• Review your network architecture and corporate security guidelines.
• Assign security behavior roles to computers that you want to use Packet Protect.
• Develop a strategy for handling pre-shared keys.
• Understand the Default Rule.
• Consider exceptions to the Default Rule.
This discussion represents only an overview of some of the issues that should be considered when deploying Packet Protect in your enterprise. For more detailed information about deployment models, please refer to the "Scalable Deployment of IPSec in Corporate Intranets" white paper from the Intel Architecture Labs Internet Building Blocks Initiative. This white paper can be found at:
ftp://download.intel.com/ial/home/ibbi/ipsec_122.pdf
Review Your Network Architecture and Corporate Security Guidelines
The amount of confidential information traveling on your network grows as more employees use your corporate network. This poses a security risk: someone who breaks through your firewall, or someone already behind your firewall with access to the network, can read that information. For example, an intruder can spoof an IP address and receive information that was intended for the legitimate owner of that address, or use packet-capture software to view data as it travels on your LAN.
You can deploy Packet Protect in the areas of your network that transmit sensitive information. Some areas of your network might require the additional protection provided by Packet Protect, while other areas might not. Use your corporate security guidelines to help determine which areas of your network require Packet Protect.
Perhaps you have a server that stores highly confidential information, such as corporate financial figures or e-commerce transactions. You can use your operating system's tools to help protect data stored on the server's hard disk, but what about when other computers access that information? Use Packet Protect to protect your highly confidential information as it travels to and from the server.
Assign security behavior roles to computers that you want to use Packet Protect
Packet Protect uses a default security behavior to determine how a computer will communicate with other computers on the network. There are three default behaviors: Secure Responder, Secure Initiator and Lockdown.
Secure Responder
A computer with the default behavior of Secure Responder always initiates and accepts traffic that is not secured. However, it will accept a secure communication if it is initiated by another computer. The negotiation will succeed only if one of the proposals in the list offered by the initiator can be matched by the responder.
Secure Responder is a likely behavior for the majority of workstations in a network. Communication between two Secure Responders is always in the clear, and communication with a Secure Initiator falls back to the clear if the negotiation fails, but a Secure Responder will communicate securely with a computer (usually a server) that has the Lockdown default behavior.
Secure Initiator
A computer with the default behavior of Secure Initiator will always attempt to initiate secure communications on all outbound traffic. Even if an inbound communication flow is initiated in the clear, the response data flow will cause the computer to initiate a secure session. However, if a secure session cannot be initiated, the computers will fall back to communicating in the clear.
Secure Initiator behavior is appropriate for both workstations and servers. Computers that wish to use peer-to-peer secure communications can use Secure Initiator behavior. Many servers can use this behavior as well, as long as the fallback behavior is acceptable for your network: a failed negotiation, whatever its cause, means that traffic flows in the clear.
Secure Initiator is similar to Secure Responder, except that all outbound traffic will result in an attempt to negotiate parameters for security.
Lockdown
A computer with Lockdown behavior will always initiate and respond securely to all data flows. If the negotiation fails on either computer, the traffic is denied.
Lockdown behavior is used for servers with high content value, as it requires security for all data transmissions.
Communicating with non-Packet Protect computers
It is common not to use Packet Protect on all the computers in your network. While the security that Packet Protect can provide is beneficial, there are several reasons to limit the computers on your network that use Packet Protect, such as:
• Only a limited number of computers on your network require secure communications.
• In order to minimize CPU utilization, you want to limit use of Packet Protect to computers that already have PRO/100 S Management or Server adapters.
Computers that use the default behavior of Secure Responder or Secure Initiator will always be able to communicate in the clear with computers in your network that do not use Packet Protect.
Computers that use the default behavior of Lockdown will not be able to communicate with computers in your network that do not use Packet Protect.
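The following Python model is added here as an illustration of the three default behaviors described above; it is not Intel's code and not part of the original guide. It encodes, for a single data flow, whether the pair of behaviors leads to a secure session, a session in the clear, or a denied connection, including the proposal-matching condition from the Secure Responder description. The computer names, the group key and the proposal strings are constructed sample values; the proposal lists assume a domestic version offers 3DES and DES while an export version offers DES only.

```python
"""Model of how two computers' default behaviors decide the fate of a flow.
Added example, not Intel's implementation."""
from dataclasses import dataclass
from enum import Enum


class Behavior(Enum):
    NONE = "no Packet Protect"      # computer that does not run Packet Protect
    RESPONDER = "Secure Responder"
    INITIATOR = "Secure Initiator"
    LOCKDOWN = "Lockdown"


@dataclass(frozen=True)
class Computer:
    name: str
    behavior: Behavior
    psk: bytes = b""
    # IPSec proposals in preference order; an export-version computer offers DES only.
    proposals: tuple = ()


def match_proposal(offered, accepted):
    """First proposal in the initiator's list that the responder can match, else None."""
    for proposal in offered:
        if proposal in accepted:
            return proposal
    return None


def run_ike(a: Computer, b: Computer):
    """Negotiation succeeds only if both run Packet Protect, hold the same pre-shared
    key, and share at least one proposal. Returns the agreed proposal or None."""
    if Behavior.NONE in (a.behavior, b.behavior):
        return None                      # nobody on the other side to negotiate with
    if a.psk != b.psk:
        return None                      # identity verification fails
    return match_proposal(a.proposals, b.proposals)


def decide(src: Computer, dst: Computer):
    """Outcome of a flow src -> dst: ('secure', proposal), ('clear', None) or ('denied', None)."""
    # A Secure Initiator or Lockdown computer on either end starts a negotiation
    # (an Initiator does so for the reply flow even when the request arrived in the
    # clear). Two Secure Responders never start one.
    negotiating = (Behavior.INITIATOR, Behavior.LOCKDOWN)
    if src.behavior not in negotiating and dst.behavior not in negotiating:
        return ("clear", None)
    agreed = run_ike(src, dst)
    if agreed is not None:
        return ("secure", agreed)
    # Negotiation failed: Lockdown denies the flow, everyone else falls back to the clear.
    if Behavior.LOCKDOWN in (src.behavior, dst.behavior):
        return ("denied", None)
    return ("clear", None)


GROUP_KEY = b"pre-shared key on the wall"      # constructed sample value
DOMESTIC = ("ESP-3DES-SHA1", "ESP-DES-SHA1")   # domestic version: 3DES then DES
EXPORT = ("ESP-DES-SHA1",)                     # export version: DES only

workstation = Computer("WS-1", Behavior.RESPONDER, GROUP_KEY, DOMESTIC)
laptop = Computer("WS-2", Behavior.INITIATOR, GROUP_KEY, EXPORT)
rnd_server = Computer("RND-SRV", Behavior.LOCKDOWN, GROUP_KEY, DOMESTIC)
strict_server = Computer("FIN-SRV", Behavior.LOCKDOWN, GROUP_KEY, ("ESP-3DES-SHA1",))
printer = Computer("PRINTER", Behavior.NONE)

if __name__ == "__main__":
    pairs = [(workstation, laptop), (workstation, rnd_server), (laptop, printer),
             (rnd_server, printer), (laptop, strict_server), (workstation, workstation)]
    for src, dst in pairs:
        print(f"{src.name:8} -> {dst.name:8}: {decide(src, dst)}")
```

The last two pairs are the ones worth checking before a rollout: a Lockdown server that accepts only 3DES silently refuses every export-version client, and a Lockdown server cannot reach any device (a printer, a router's management interface) that has no Packet Protect at all.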
Develop a strategy for handling pre-shared keys
When two computers attempt secure communication, they negotiate parameters for the communication. In addition to using their default behavior, described in the previous section, each computer holds a string of characters known as a pre-shared key.
When the computers begin to negotiate parameters, IKE checks that both hold the same pre-shared key; the key itself is never sent across the network, each side only proves that it knows it. If both computers have the same pre-shared key, they go ahead and negotiate parameters for the session. If the computers have different pre-shared keys, the negotiation for secure communication ceases.
Once the pre-shared keys have been matched, the IKE protocol generates secret session keys. These depend on a Diffie-Hellman exchange between the two computers as well as on the pre-shared key, so someone who merely captures the traffic cannot derive them, even knowing the pre-shared key. Although pre-shared keys are sometimes called passwords, they do not act like passwords: knowing the pre-shared key does not by itself let you decrypt the information that is being transmitted. It does, however, let a computer pass the identity check, so a key that is published to everyone authenticates membership in the group rather than any particular computer.
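The exchange described under "The Process" and in this section, as an added Python example that is not Intel's code: IKE phase 1 with pre-shared-key authentication, following the SKEYID and HASH_I/HASH_R derivations of RFC 2409 main mode. It assumes HMAC-SHA1 as the PRF and the RFC 2409 Oakley group 2 Diffie-Hellman parameters; the peer names and keys are constructed sample values and the SA payload is reduced to a label. Running it shows that matching keys authenticate and yield identical session keys, that a different key stops the negotiation, and that anyone holding the group key can pass the identity check, while the session keys additionally need a Diffie-Hellman private exponent that never leaves either computer.

```python
"""IKE phase 1 pre-shared-key authentication, modelled on RFC 2409 main mode.
Added example, not Intel's implementation."""
import hashlib
import hmac
import os

# 1024-bit MODP prime and generator (RFC 2409 Oakley group 2).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
P_LEN = (P.bit_length() + 7) // 8


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed PRF. IKE negotiates the hash; HMAC-SHA1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


class Peer:
    def __init__(self, name: str, psk: bytes):
        self.id = name.encode()
        self.psk = psk
        self.x = int.from_bytes(os.urandom(32), "big")          # DH private exponent
        self.gx = pow(G, self.x, P).to_bytes(P_LEN, "big")       # DH public value (on the wire)
        self.nonce = os.urandom(16)                              # Ni / Nr (on the wire)
        self.cookie = os.urandom(8)                              # CKY-I / CKY-R (on the wire)

    def shared_secret(self, peer_gx: bytes) -> bytes:
        """g^xy: needs this peer's private exponent, which never leaves the machine."""
        return pow(int.from_bytes(peer_gx, "big"), self.x, P).to_bytes(P_LEN, "big")


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni | Nr): computable by anyone who holds the key."""
    return prf(psk, ni + nr)


def session_keys(sk: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    """SKEYID_d, SKEYID_a, SKEYID_e (RFC 2409 section 5); every one mixes in g^xy."""
    d = prf(sk, gxy + cky_i + cky_r + b"\x00")
    a = prf(sk, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(sk, a + gxy + cky_i + cky_r + b"\x02")
    return d, a, e


def auth_hash(sk, gx_mine, gx_theirs, cky_mine, cky_theirs, sa, my_id):
    """HASH_I / HASH_R: proves knowledge of SKEYID (hence of the PSK) over the exchange."""
    return prf(sk, gx_mine + gx_theirs + cky_mine + cky_theirs + sa + my_id)


def phase1(init: Peer, resp: Peer, sa: bytes = b"ESP-3DES-SHA1"):
    """Run the exchange. Returns (authenticated, initiator_keys, responder_keys)."""
    # Step 1 of the guide: each side derives SKEYID from its own copy of the key.
    sk_i = skeyid(init.psk, init.nonce, resp.nonce)
    sk_r = skeyid(resp.psk, init.nonce, resp.nonce)
    # Initiator sends HASH_I; the responder recomputes it under its own SKEYID, and vice versa.
    hash_i = auth_hash(sk_i, init.gx, resp.gx, init.cookie, resp.cookie, sa, init.id)
    expect_i = auth_hash(sk_r, init.gx, resp.gx, init.cookie, resp.cookie, sa, init.id)
    hash_r = auth_hash(sk_r, resp.gx, init.gx, resp.cookie, init.cookie, sa, resp.id)
    expect_r = auth_hash(sk_i, resp.gx, init.gx, resp.cookie, init.cookie, sa, resp.id)
    ok = hmac.compare_digest(hash_i, expect_i) and hmac.compare_digest(hash_r, expect_r)
    if not ok:
        return False, None, None          # different pre-shared keys: negotiation ceases
    # Steps 2 and 3: session keys come from SKEYID *and* the DH secret.
    keys_i = session_keys(sk_i, init.shared_secret(resp.gx), init.cookie, resp.cookie)
    keys_r = session_keys(sk_r, resp.shared_secret(init.gx), init.cookie, resp.cookie)
    return True, keys_i, keys_r


GROUP_KEY = b"pre-shared key on the wall"   # constructed sample value

if __name__ == "__main__":
    ws, srv = Peer("WS-1", GROUP_KEY), Peer("RND-SRV", GROUP_KEY)
    ok, ki, kr = phase1(ws, srv)
    print("same key:", ok, "session keys agree:", ki == kr)
    print("different key:", phase1(Peer("WS-2", b"wrong key"), srv)[0])
    # Anyone holding the group key can authenticate under any name it covers.
    print("impostor with the group key:", phase1(Peer("PRESIDENT-PC", GROUP_KEY), srv)[0])
```

A passive observer who knows GROUP_KEY can compute skeyid() from the two nonces it captured and so can check the hashes, but session_keys() needs g^xy, which requires one of the private exponents. The third line of output is the reason the guide suggests a separate, more private key for the president and CFO: with the group key alone, the server cannot tell a workstation from an impostor.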
Sharing keys
It's important when you are developing your deployment model that you decide how to handle the distribution of the pre-shared key. Some networks use a widely-published key, known as a "group key" or the "pre-shared key on the wall." In this strategy, you make the pre-shared key available to everyone, so that all computers are configured to use the same key. This ensures that when secure communications are requested, IKE will be able to match the keys between any two computers and negotiate secure communications.
In addition to the group key, some enterprises may want to use additional, more private pre-shared keys in certain instances. For example, the president and the chief financial officer of a corporation may wish to send secured transmissions to each other. In this instance, each of these computers would use the group key as part of its standard System Policy, but would have a special rule to cover communications just between them. (See "Consider exceptions to the Default Rule" for more information on implementing this scenario.) In this case, they would likely choose a more secret pre-shared key that just the two computers use with each other.
Understand the Default Rule
Every computer that uses Packet Protect has a single System Policy. Each System Policy initially contains a single Default Rule. The Default Rule is quite simple:
For Everybody, use the Default Security Action. If the rule fails, Allow Communication without Security.
Note: For computers that use the Lockdown behavior with the Default Rule, if the rule fails then Deny Communication is the fallback action.
See "The Default Rule" on page 26 for more information.
Note: If you want to have secure communication between a Packet Protect computer and a Windows 2000* computer, you must use the Default Rule. Intel recommends that you do not delete the Default Rule.
See "What is a Rule?" on page 25 for more information about rules in Packet Protect.
Consider exceptions to the Default Rule
Many enterprises may find that by careful consideration of the default behavior roles, a widely published pre-shared key, and the Default Rule, they can meet their security requirements without extra effort. This model is quite workable and provides adequate security. It is also simple to deploy and maintain.
Some enterprises may wish to create additional rules that govern communications between two specific computers.
Earlier, we introduced a scenario where the president and chief financial officer of a company wished to implement extra security for their communications. For this scenario, a new rule is needed. Let's compare a possible rule for this scenario to the System Policy's Default Rule:

Table 1: Rule Comparison

Property               New Rule                                          Default Rule
Destination Workgroup  President and CFO only                            Everybody
Security Action        New Security Action: up to 15 minutes or 50 MB,   Default Security Action: up to 8 hours,
                       whichever occurs first. Then a new security       then a new security association is
                       association is negotiated.                        negotiated.
Rule Failure           Deny Communication.                               Allow communication in the clear.
Authentication         Use a new pre-shared key, known only to these     Use the System Policy's settings.
                       two computers.

In addition to this rule, both the president and the Chief Financial Officer would have the Secure Initiator default behavior. The rule might also use more secure options, such as perfect forward secrecy, which derives the keys of each new security association from a fresh Diffie-Hellman exchange so that compromising one set of keys does not expose the others. There are many other security options that can be chosen when you create a security action for this rule. See "Customize Security Actions" on page 33 for more information on options for security actions.
By comparing the new rule and the Default Rule, you can see how the new rule provides an extra measure of security. The new security action is much more limited: a security association is renegotiated after 15 minutes or 50 MB instead of after 8 hours, so any one set of session keys protects far less traffic. Longer time and/or size limits on a security action give an intruder more time and more material with which to attack the keys, and more packets to intercept and possibly corrupt. By denying communication in case of rule failure, you ensure that communication between these two computers will never occur in the clear.
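The rule selection and the security association lifetimes from Table 1, as an added Python example that is not Intel's code. It models a System Policy as an ordered list of rules in which the first rule whose destination workgroup contains the peer wins, and a security association that must be renegotiated when its time or byte limit is reached. The computer names and keys are constructed; the lifetimes are the values Table 1 gives, with no byte limit assumed for the Default Security Action since Table 1 states none. The sample also shows the two maintenance pitfalls discussed under "What are the Trade-offs?": a special rule placed after the Default Rule is never reached, and a rule keyed to a computer name stops matching when the computer is renamed.

```python
"""A Packet Protect System Policy as an ordered rule list, plus SA lifetimes.
Added example, not Intel's implementation."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

MB = 1024 * 1024


@dataclass(frozen=True)
class SecurityAction:
    name: str
    max_seconds: int                  # renegotiate after this long ...
    max_bytes: Optional[int] = None   # ... or after this much data, whichever comes first
    perfect_forward_secrecy: bool = False


@dataclass(frozen=True)
class Rule:
    name: str
    destinations: Optional[FrozenSet[str]]   # None means Everybody
    action: SecurityAction
    on_failure: str                          # "allow_clear" or "deny"
    psk: bytes

    def matches(self, destination: str) -> bool:
        return self.destinations is None or destination in self.destinations


def select_rule(policy, destination):
    """First matching rule wins; rules after it are never consulted (rule order matters)."""
    for rule in policy:
        if rule.matches(destination):
            return rule
    raise LookupError("no Default Rule: a policy must end with a rule for Everybody")


@dataclass
class SecurityAssociation:
    action: SecurityAction
    seconds_used: int = 0
    bytes_used: int = 0

    def carry(self, seconds: int, nbytes: int) -> bool:
        """Account for traffic on this SA; True means it must now be renegotiated."""
        self.seconds_used += seconds
        self.bytes_used += nbytes
        if self.seconds_used >= self.action.max_seconds:
            return True
        return self.action.max_bytes is not None and self.bytes_used >= self.action.max_bytes


# Lifetimes from Table 1; names and keys are constructed sample values.
DEFAULT_ACTION = SecurityAction("Default Security Action", max_seconds=8 * 3600)
EXEC_ACTION = SecurityAction("Executive", max_seconds=15 * 60, max_bytes=50 * MB,
                             perfect_forward_secrecy=True)
DEFAULT_RULE = Rule("Default Rule", None, DEFAULT_ACTION, "allow_clear",
                    b"pre-shared key on the wall")
EXEC_RULE = Rule("President-CFO", frozenset({"PRESIDENT-PC"}), EXEC_ACTION, "deny",
                 b"known only to two computers")

cfo_policy = [EXEC_RULE, DEFAULT_RULE]    # special rule first, Default Rule last
misordered = [DEFAULT_RULE, EXEC_RULE]    # Default Rule first: EXEC_RULE can never match

if __name__ == "__main__":
    print(select_rule(cfo_policy, "PRESIDENT-PC").name)       # President-CFO
    print(select_rule(misordered, "PRESIDENT-PC").name)       # Default Rule
    # The president gets a new computer with a new name: the special rule no longer
    # matches, and in this model the flow falls through to the Default Rule's settings.
    print(select_rule(cfo_policy, "PRESIDENT-NEW-PC").name)   # Default Rule
    sa = SecurityAssociation(EXEC_ACTION)
    print(sa.carry(60, 49 * MB), sa.carry(60, 2 * MB))        # False True
```

The third print is the quiet failure to watch for: nothing is denied, the CFO's computer simply protects the traffic with the group key and the 8-hour Default Security Action instead of the private key and the 15-minute limit the special rule was meant to enforce.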
What are the Trade-offs?
A very important part of developing your deployment model is to consider not only the initial deployment, but maintaining the System Policies on all the computers that use Packet Protect in your network.
Clearly, the simplest model we discussed will be the easiest to deploy and maintain. When all computers use the same defaults (Default Rule, security action, fallback to clear communication, same pre-shared key), you'll be able to gain adequate security with minimum impact to your network.
If you decide on a more complex deployment model, you should weigh the benefits of the extra security against the costs of maintaining and running the model. There are two areas that you should evaluate: maintenance and CPU utilization.
Maintenance
If you are considering a deployment model with many customizations and specialized rules, be aware of the time and effort required for ongoing maintenance. Because each computer with Packet Protect must be configured individually, customizations require more effort to keep each computer up-to-date.
Let's consider the previous example of the special rule for the president and Chief Financial Officer of the corporation. In order for this rule to work as designed, all aspects of the rule must match on both computers, or communication will be denied. If the president's computer uses a different setting in the security action from the CFO's computer, then a security association cannot be negotiated and therefore all communication is denied. Consider then that it might take several days for the president and CFO to even discover that their communications haven't been taking place, as assumed.
Even a new computer for the president could prevent secure communication from happening. For example, when you set up this special rule, you identified the two computers to Packet Protect by the names of the computers. The president's new computer has a new name. When the president and the CFO attempt to communicate the next time, the special rule will not apply, because the computer name no longer matches the rule.
You can imagine how difficult it can become to maintain specialized rules, destination workgroups, and security actions in your network. Intel recommends that you begin by using the simple, default model for secure communications. Over time, you may consider customizations to enhance secure communications in special cases.
CPU Utilization
Another very important factor to consider is the effect of IPSec on your network, as well as on the individual computers using Packet Protect. Generally, you can assume that when you choose the most sophisticated security options, there will be an impact on your network.
One example is choosing to use ESP (Encapsulating Security Payload) and AH (Authentication Header) authentication together. While this combination affords extra protection, when you use both of these methods you cannot offload any processing to the adapter, and thus CPU utilization increases. However, if you use just ESP authentication with the appropriate adapter, you can take advantage of the hardware offload and get better CPU utilization.
You must also consider the adapters that are installed in your Packet Protect computers. Only the Intel PRO/100 S Server Adapter and Intel PRO/100 S Management Adapter can perform hardware offloading. If you have other Intel PRO/100 Adapters in Packet Protect computers, you won't be able to offload any processing, thus increasing CPU utilization and potentially slowing that computer's network performance.
Other security options are considered "costly" as well. Perfect Forward Secrecy is very secure, but it adds a Diffie-Hellman computation to every renegotiation; if used widely throughout the network, there can be a significant effect on servers that have a lot of secure traffic.
Conclusion
Hopefully, this section provided some guidelines for you to consider as you develop your deployment model. There are no hard-and-fast rules that you must follow. However, Intel recommends that you begin your use of IPSec and Packet Protect slowly in your enterprise. You should consider starting with a small group that uses the same pre-shared key and default System Policy. When you've had a chance to evaluate this first implementation phase, you can then decide how to expand your use of Packet Protect.
Set Up Intel Adapters
Before you install Packet Protect, install the necessary Intel adapters on the servers and clients that will use Packet Protect. Packet Protect only operates with Intel adapters that are configured to use Intel drivers.
Install Intel Adapters
Packet Protect works with Intel adapters that are designed to offload CPU-intensive tasks to the adapter. This helps reduce the impact to network performance and CPU utilization. Intel adapters that support the offload capabilities include the following:
• Intel PRO/100 S Server Adapter
• Intel PRO/100 S Management Adapter
Note: Although Intel adapters can be installed on various operating systems, Packet Protect supports only Windows NT* 4.0 with Service Pack 5 or later.
Note: Packet Protect also works with the following Intel adapters, but security tasks will not offload to these adapters, and network performance will be affected:
• PRO/10+ PCI LAN adapter
• PRO/100B LAN adapter
• PRO/100B T4 LAN adapter
• PRO/100+ LAN adapter
• PRO/100+ Management adapter
• PRO/100+ Server adapter
• PRO/100+ Dual Port Server adapter
• PRO/100 CardBus II
• PRO/100 RealPort™ CardBus II
• PRO/100 LAN+Modem56 CardBus II
• PRO/100 LAN+Modem56 RealPort™ CardBus II
Install Intel adapters for the servers and clients that use Packet Protect.
To install Intel adapters
1. Refer to the Installation Guide that came with the adapters for information about installation.
2. After installation, verify network access for each computer that will use Packet Protect by checking the Link and Activity LEDs on the adapter. You can also double-click Network Neighborhood on a computer's desktop to verify that other areas of the network are visible.
Configure Intel Adapters
After you install adapters in the computers that will use Packet Protect, configure them, as necessary, before you install Packet Protect. For example, you might install multiple adapters on a server. Then you might team those adapters together to take advantage of adapter fault tolerance or adaptive load balancing.
Multiple Adapters
If you install multiple adapters in one computer, note the following:
• Install multiple adapters before installing Packet Protect.
• Each computer has only one security policy. This means that the same security settings will apply to all of the adapters in one computer.
• If you use at least one Intel PRO/100 S Server or Management adapter in a computer, Packet Protect will be able to offload encryption and authentication tasks to that adapter.
• If you need to add or remove an adapter after you install Packet Protect, you must uninstall Packet Protect from that computer, add or remove the necessary adapters, and then reinstall Packet Protect.
• When you uninstall Packet Protect, you lose all of your customized information, including rules and security actions. When you reinstall Packet Protect, you will only have the single Default Rule in your System Policy, so record your rules, destination workgroups and security actions before you uninstall.
Adapter Teaming
Adapter Teaming and Packet Protect work together only for computers with the Windows NT operating system installed. If you set up Adapter Teaming for multiple adapters, keep the following in mind:
• Configure Adapter Teaming before installing Packet Protect.
• Make sure all adapters in the team are either offload-enabled Intel adapters or appear in the list of compatible Intel adapters under "Install Intel Adapters".
• If you need to add or remove an adapter from a team after you install Packet Protect, you must uninstall Packet Protect from that computer, add or remove the necessary adapters, and then re-install Packet Protect.
• Consider using high-speed adapters to limit upgrading.
Install Packet Protect
Before you install Packet Protect on your computer, make sure the computer meets the following system requirements. Packet Protect computers can be servers or workstations.
System Requirements
Before installing Packet Protect, make sure your computers meet these requirements:
• Windows NT 4.0 with Service Pack 5 or 6a (or higher)
• 40 MB available disk space
• 32 MB RAM minimum, 64 MB RAM recommended
• 200 MHz Pentium® processor performance level or higher recommended
• Intel adapter (PRO/100 family)
Note: See "Install Intel Adapters" on page 15 for information on choosing an Intel adapter.
Licensing
All installations are subject to the end user's acceptance of the applicable Intel Software License Agreement.
Installing Packet Protect
Install Packet Protect
You will need the information detailed in the following table during Packet Protect installation at each computer. To complete the installation most efficiently, gather the following information before you begin.

Table 2: Required Information

Information You Need: Default behavior
Description: Decide how you want the computer to communicate with other computers on the network:
• Secure Responder
• Secure Initiator
• Lockdown
For more information about these settings, see "Default Behaviors for Packet Protect Computers" on page 22.

Information You Need: Pre-shared key
Description: Enter a pre-shared key the computer will use to communicate securely with other IPSec computers. A pre-shared key is similar to a secret password.
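The pre-shared key in Table 2 is the secret that both IPSec peers must hold, so its strength matters as much as a password's, and it has to be entered identically on every computer that will negotiate with this one. The following Python helper is an added example, not part of Packet Protect or of this guide: it generates a key from the operating system's cryptographic random source and gives an optimistic entropy estimate for a key an administrator already has. The alphabet, the 16-character minimum and the 128-bit acceptance threshold are assumptions; the guide does not state which characters or lengths the product accepts, so check those limits before using a generated key.

```python
"""Pre-shared key helper for a Packet Protect rollout (added example).

Not part of Packet Protect. Assumptions: the product accepts printable
ASCII keys of at least 16 characters (check the product's real limits),
and 128 bits of estimated entropy is the acceptance threshold.
"""
import math
import secrets
import string

# Character classes used both for generation and for scoring.
_LOWER = set(string.ascii_lowercase)
_UPPER = set(string.ascii_uppercase)
_DIGITS = set(string.digits)
_SYMBOLS = set("!#$%&()*+,-./:;<=>?@[]^_{|}~")

# The generator alphabet deliberately omits space, quotes and backslash,
# which are easy to mistype in a dialog box or mangle in a written record.
_ALPHABET = "".join(sorted(_LOWER | _UPPER | _DIGITS | _SYMBOLS))


def generate_preshared_key(length: int = 32) -> str:
    """Return a random key drawn with the OS CSPRNG via the secrets module."""
    if length < 16:
        raise ValueError("a pre-shared key shorter than 16 characters is too weak")
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def estimated_entropy_bits(key: str) -> float:
    """Optimistic entropy bound: log2(alphabet size) * length.

    The alphabet size is inferred from the character classes actually
    present, so 'password' is scored against 26**8 while a mixed 32-character
    key is scored against roughly 90**32. A dictionary attacker does better
    than this bound on human-chosen keys, so treat it as an upper limit.
    """
    present = set(key)
    size = 0
    for cls in (_LOWER, _UPPER, _DIGITS, _SYMBOLS):
        if present & cls:
            size += len(cls)
    if size == 0:
        return 0.0
    return math.log2(size) * len(key)


def is_acceptable_preshared_key(key: str, min_bits: float = 128.0) -> bool:
    """Policy check: no whitespace (it is invisible in a record) and enough entropy."""
    if any(c.isspace() for c in key):
        return False
    return estimated_entropy_bits(key) >= min_bits


if __name__ == "__main__":
    key = generate_preshared_key()
    print(f"generated key: {key}")
    print(f"estimated entropy: {estimated_entropy_bits(key):.0f} bits")
    print(f"'password' acceptable: {is_acceptable_preshared_key('password')}")
```

Run the script once per peer group, enter the same key on every computer in that group during installation, and keep the printed key in the confidential record the installation procedure below asks you to maintain; a lost key means re-entering a new one on every peer.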
To install Packet Protect
1. Verify that the computer you have chosen meets the minimum requirements detailed under "System Requirements" on page 17.
2. Insert the product CD-ROM into the CD-ROM drive at the computer where you want to install Packet Protect.
3. Browse to the CD-ROM using Windows Explorer.
4. Double-click d:\packet protect\setup.exe, where d:\ is the drive letter of your CD-ROM drive.
5. Follow the dialog box instructions on the screen.
Keep a confidential record of the information you enter. If you need to reinstall Packet Protect later, you will need to re-enter this information.
Notes:
• If the static IP address or the DNS name of the computer changes, you must restore the System Policy. You will lose all your customizations when you restore the System Policy. Also, if there are other computers in the network that have rules that apply to the computer whose IP address or DNS name changed, the rules on those computers need to be changed. For information on restoring the System Policy, see "Restore the System Policy" on page 42.
• You can also install from a mapped drive where you have stored the Packet Protect installation files.
• If you already have adapter teaming installed on the system, there is no need to re-enter the TCP/IP settings during Packet Protect installation (you are not prompted for this information).
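The note about a changed static IP address or DNS name has a second half that is easy to overlook: every other computer holding a rule that names the changed host must be edited as well, or its traffic to the new address will fall back to that computer's default behavior rather than the rule you intended. The following Python script is an added example, not code from this guide or from Packet Protect. It works over a constructed inventory of rules (the inventory layout and the peer_ip and peer_dns keys are assumptions, since the guide does not describe how rules are stored) and reports which computer needs its System Policy restored and which rules elsewhere still name the old address.

```python
"""Impact of an IP address or DNS name change on Packet Protect rules.

Added example, not part of Packet Protect or the guide. The inventory
format is constructed: {computer: [rule, ...]} where a rule is a dict
with a "name", an optional "peer_ip", an optional "peer_dns" and an
"action". How Packet Protect really stores rules is not described in
the guide, so treat the layout as an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample inventory: three Packet Protect computers and the
# rules each one holds about its peers.
INVENTORY: Dict[str, List[dict]] = {
    "fileserver": [
        {"name": "payroll-to-fs", "peer_ip": "10.0.5.20",
         "peer_dns": "payroll.corp.example", "action": "secure"},
        {"name": "hr-to-fs", "peer_ip": "10.0.5.21",
         "peer_dns": "hr.corp.example", "action": "secure"},
    ],
    "payroll": [
        {"name": "fs", "peer_ip": "10.0.5.10",
         "peer_dns": "fileserver.corp.example", "action": "secure"},
    ],
    "hr": [
        {"name": "fs", "peer_ip": "10.0.5.10",
         "peer_dns": "fileserver.corp.example", "action": "secure"},
        # A device that does not run Packet Protect but is named in a rule.
        {"name": "printer", "peer_ip": "10.0.5.99", "action": "bypass"},
    ],
}


@dataclass
class ChangeImpact:
    """What must be done after a host's address or name changes."""
    # Computers whose System Policy must be restored (this loses their customizations).
    restore_system_policy: List[str] = field(default_factory=list)
    # computer -> names of its rules that still point at the old address or name.
    rules_to_edit: Dict[str, List[str]] = field(default_factory=dict)


def rule_names_peer(rule: dict, old_ip: Optional[str], old_dns: Optional[str]) -> bool:
    """True if the rule identifies its peer by the old IP address or old DNS name."""
    if old_ip is not None and rule.get("peer_ip") == old_ip:
        return True
    if old_dns is not None and rule.get("peer_dns", "").lower() == old_dns.lower():
        return True
    return False


def impact_of_address_change(inventory: Dict[str, List[dict]], changed_host: str,
                             old_ip: Optional[str] = None,
                             old_dns: Optional[str] = None) -> ChangeImpact:
    """Work out which computers are affected when changed_host's address changes.

    changed_host itself is not scanned: per the guide its System Policy is
    restored, which discards its rules anyway. Every other computer is scanned
    for rules that still name the old address or DNS name.
    """
    if old_ip is None and old_dns is None:
        raise ValueError("supply the old IP address, the old DNS name, or both")
    impact = ChangeImpact()
    if changed_host in inventory:  # only Packet Protect computers have a System Policy
        impact.restore_system_policy.append(changed_host)
    for computer, rules in inventory.items():
        if computer == changed_host:
            continue
        stale = [r["name"] for r in rules if rule_names_peer(r, old_ip, old_dns)]
        if stale:
            impact.rules_to_edit[computer] = stale
    return impact


if __name__ == "__main__":
    result = impact_of_address_change(INVENTORY, "fileserver",
                                      old_ip="10.0.5.10",
                                      old_dns="fileserver.corp.example")
    for host in result.restore_system_policy:
        print(f"{host}: restore System Policy, then re-create its rules")
    for host, names in result.rules_to_edit.items():
        print(f"{host}: edit rule(s) {', '.join(names)} to the new address")
```

Because restoring the System Policy leaves only the Default Rule, keep the inventory current before any address change so the restored computer's rules can be re-created from the record rather than from memory.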
To verify that Packet Protect is installed and running on a computer:
1. At the taskbar on the computer, select Settings > Control Panel.
2. Double-click Services and verify that Intel Policy Agent is started.
If Intel Policy Agent doesn't appear in the list, Packet Protect has been shut down or is not functioning properly. See "Turn Security on Manually for an Existing Computer" on page 47 for details about restarting Packet Protect.
See the chapter "Troubleshooting and FAQs" on page 49 for general troubleshooting guidelines and a list of common Packet Protect installation problems and their solutions.
View Your Security Settings
During installation, you set up basic security settings for the computer: the authentication method and the default behavior for the client. To view your security settings, double-click Intel(R) Packet Protect at the Control Panel. The authentication setting and default behavior you chose during installation appear in the Security tab.
See the next chapter for information on editing basic settings and configuring advanced security settings.