Intel PRO-100 User Manual

Intel® PRO/100 Family Packet Protect
Enabling the IPSec Protocol on Microsoft Windows NT 4.0
User’s Guide
Intel® Packet Protect User’s Guide
Readme Files
For more information about installation and general information about the product, see the readme text file. To view the files, view the root folder on the Intel CD-ROM. Open readme.txt with any text editor.
Online Services
You can use the Internet to download software updates, and to view troubleshooting tips, installation notes, and more. Online services are on the World Wide Web at:
http://support.intel.com
Copyright © 2000, Intel Corporation. All rights reserved.
Intel Corporation, 5200 N.E. Elam Young Parkway, Hillsboro, OR 97124-6497
Intel Corporation assumes no responsibility for errors or omissions in this document. Nor does Intel make any commitment to update the information contained herein.
* Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owners’ benefit, without intent to infringe.
Contents
Where to Go for More Information
Introduction
  What is Intel® Packet Protect?
    Packet Protect Features
    Complete Your Security Solution
    Hardware Acceleration
    Domestic and Export Versions
    Additional Information
  How Packet Protect Works
    What is IP Security?
    What is Internet Key Exchange?
    The Process
  Get Started
Installing Packet Protect
  Developing Your Deployment Model
    Review Your Network Architecture and Corporate Security Guidelines
    Assign security behavior roles to computers that you want to use Packet Protect
    Develop a strategy for handling pre-shared keys
    Understand the Default Rule
    Consider exceptions to the Default Rule
    What are the Trade-offs?
    Conclusion
  Set Up Intel Adapters
    Install Intel Adapters
    Configure Intel Adapters
  Install Packet Protect
    System Requirements
    Licensing
    Install Packet Protect
  View Your Security Settings
Configuring Security Settings
  Understand Default Security Behavior
    Default Behaviors in Packet Protect
  Set up Your System Policy
    What is a Policy?
    What is a Rule?
    The Default Rule
    Importance of Rule Order
    How Does the System Policy Work?
    Add Rules to the System Policy
Making Changes
  Modify the System Policy
    Modify Destination Workgroups or Security Actions
    Delete a Rule
    Restore the System Policy
  Monitor Packet Protect Computers
    View Status at a Packet Protect Client
  Set Up Compatible Policies
  Work with Other Security Products
  Turn Security On for a Computer
    Install Security for a New Computer
    Turn Security on Manually for an Existing Computer
  Turn Security Off for a Computer
    Shut Down Packet Protect at a Computer
    Uninstall Packet Protect from a Computer
Troubleshooting and FAQs
  Troubleshooting
  Frequently Asked Questions (FAQs)
Appendix A — IKE and IPSec
  IKE and IPSec Work Together
  How Packet Protect Uses IKE
    Identity Negotiation Settings
    IPSec Settings
    Examples
  How Packet Protect Uses IPSec
    Security Associations
    Security Association Lifetimes
    How IPSec Protects Packets
Appendix B — Interoperability with Microsoft Windows* 2000
  Interoperability with Windows* 2000
Appendix C — Network Software License Agreement
  Network Software License Agreement
  Intel Automated Customer Support
    Readme Files on Your Product Disk
    Web and Internet Sites
    Customer Support Technicians
Glossary
Index
Chapter 1: Introduction
With the growing amount of information that travels on your local area network (LAN), confidential information has become a target for intruders both inside and outside your company. These intruders may be employees, visitors to your company, or a hacker who breaks through your firewall.
Intel® Packet Protect helps protect Internet Protocol (IP) traffic as it travels between computers on your LAN. This protects confidential data from being retrieved by intruders.
In this chapter, you’ll find information about:
• Packet Protect overview
• How Packet Protect works
• Getting started
What is Intel® Packet Protect?
Packet Protect is designed to protect the confidentiality and authenticity of IP traffic on your LAN.
Packet Protect can assist you in creating a departmental solution for your security concerns.
Many data compromises are attempted from within a company firewall. Unless you protect information as it travels on the network, it can be received by unwanted users.
For example, employees retrieving confidential designs from a Research & Development department server use Packet Protect to encrypt the information while it travels on the LAN. Encryption protects the confidentiality of the information. Each employee’s computer can also verify the integrity of the information upon receipt.
Packet Protect Features
Packet Protect enables you to:
• Protect confidentiality and authenticity of IP traffic on your LAN using Internet Protocol Security (IPSec), including Internet Key Exchange (IKE).
• Offload security tasks to an Intel PRO/100 S Management or Server Adapter to optimize network performance.
Complete Your Security Solution
If you need to protect data stored on a computer, use operating system features combined with Packet Protect. Packet Protect protects data traveling between computers, not while it’s stored on a computer. You should use your operating system features or network infrastructure element to provide access control to certain areas of the computers on the network.
Hardware Acceleration
Implementing an IPSec solution can increase CPU utilization for computers that use the IPSec software. This is common when implementing any IPSec solution because of the intense computation required to encrypt, decrypt, and validate packets. However, there is a way to offload security tasks from the CPU.
You can combine Packet Protect with the use of an Intel PRO/100 S Management or Server Adapter to reduce CPU utilization. This frees CPU utilization for other tasks, while reducing the impact to network performance.
Domestic and Export Versions
Packet Protect is available in both domestic and export versions. The export version supports DES (56-bit) encryption only. The domestic version, available in the United States and Canada, supports DES and 3DES (168-bit) encryption.
Additional Information
This Packet Protect User’s Guide in Adobe Acrobat* format can be found in the Packet Protect directory on the product CD-ROM. Packet Protect help can be found in the Help directory on the product CD-ROM.
How Packet Protect Works
Packet Protect helps you protect network traffic that is sent from one server or client to another. Packet Protect uses these steps to protect information traveling on the network:
1. Activate IKE (Internet Key Exchange). Negotiates parameters for secure communication.
2. Activate IPSec (Internet Protocol Security). Protects the communication using the security parameters it negotiated successfully using IKE.
What is IP Security?
Internet Protocol (IP) Security (commonly called IPSec) is a set of standard protocols used to protect the confidentiality and authenticity of IP communications. IPSec accomplishes this using the following:
• Encryption. Protects confidentiality of information traveling on the network. Each packet is encrypted so that unwanted recipients can’t interpret it. Packet Protect uses DES 56-bit and 3DES 168-bit encryption algorithms (3DES in U.S. and Canada version only).
• Integrity. Protects the authenticity of the information traveling on the network by verifying that each packet was unchanged in transport. Packet Protect uses MD5 and SHA-1 authentication algorithms for both ESP and AH authentication.
• Anti-replay protection. Protects the network by preventing an intruder from successfully sending an identical packet repeatedly in an attempt to confuse the system.
For more information about IPSec, see “Appendix A — IKE and IPSec” on page 53.
What is Internet Key Exchange?
Internet Key Exchange (IKE) is a standard protocol used to negotiate a protected communication. Negotiation is the first phase in setting up a secure communication. IKE verifies the identity of the computers using pre-shared keys. Then it negotiates a set of security settings to protect the communication.
IKE is a protocol that operates inside a framework defined by ISAKMP (Internet Security Association Key Management Protocol) and is used to support the establishment of Security Associations.
For more information about IKE, see “Appendix A — IKE and IPSec” on page 53.
The Process
If two computers require security, each time they attempt to communicate with each other Packet Protect follows these steps to attempt a protected communication:
1. Each computer uses IKE to verify that the other is the computer it claims to be.
2. If identity verification is successful in Step 1, the two computers use IKE to agree upon the IPSec settings to use.
3. If the agreement is successful in Step 2, both computers will use the agreed upon IPSec settings to protect the data as it travels.
As long as the protected communication is active, the two computers can exchange information, without repeating Steps 1 and 2 (up to the pre-defined time and size limits — see Table 6 on page 34 for more information).
The following diagram shows the roles of IKE and IPSec.
Step 1: IKE Verifies Pre-shared Key
Step 2: IKE Negotiates IPSec Settings
Step 3: IPSec Protects the Communication
Get Started
To start using Packet Protect
1. Evaluate your network architecture and decide which areas require Packet Protect. For details, see “Developing Your Deployment Model” on page 8.
2. Install Packet Protect on those computers that require security. For details, see “Install Packet Protect” on page 17.
3. Set up security settings for each computer where you installed Packet Protect. For details, see Chapter 3, “Configuring Security Settings” on page 21.
Chapter 2: Installing Packet Protect
To set up your network in preparation for deploying security, there are several things to consider. This chapter guides you through the setup process so you can begin deploying security most effectively.
In this chapter, you’ll find information about:
• Developing your deployment model.
• Setting up Intel® network adapters.
• Installing Packet Protect.
Developing Your Deployment Model
In order to use Packet Protect successfully, you must develop a deployment model that fulfills your security needs on your network. There are several stages to consider in developing your deployment model.
• Review your network architecture and corporate security guidelines.
• Assign security behavior roles to computers that you want to use Packet Protect.
• Develop a strategy for using pre-shared keys.
• Understand the Default Rule.
• Consider exceptions to the Default Rule.
This discussion represents only an overview of some of the issues that should be considered when deploying Packet Protect in your enterprise. For more detailed information about deployment models, please refer to the “Scalable Deployment of IPSec in Corporate Intranets” white paper from the Intel Architecture Labs Internet Building Blocks Initiative. This white paper can be found at:
ftp://download.intel.com/ial/home/ibbi/ipsec_122.pdf
Review Your Network Architecture and Corporate Security Guidelines
The amount of confidential information traveling on your network grows as more employees use your corporate network. This poses a security risk if someone breaks through your firewall, or someone already behind your firewall has access to the network—those people can access confidential information. For example, an intruder can mimic an IP address and receive information that was intended for someone else at that IP address. Or, an intruder can use software to view data as it travels on your LAN.
You can deploy Packet Protect in the areas of your network that transmit sensitive information. Some areas of your network might require the additional protection provided by Packet Protect, while other areas might not. Use your corporate security guidelines to help determine which areas of your network require Packet Protect.
Perhaps you have a server that stores highly confidential information, such as corporate financial figures or e-commerce transactions. You can use your operating system’s tools to help protect data stored on the server’s hard disk, but what about when other computers access that information? Use Packet Protect to protect your highly confidential information as it travels to and from the server.
Assign security behavior roles to computers that you want to use Packet Protect
Packet Protect uses default security behavior to determine how a computer will communicate with other computers on the network. There are three default behaviors: Secure Responder, Secure Initiator and Lockdown.
Secure Responder
A computer with the default behavior of Secure Responder always initiates and accepts traffic that is not secured. However, it will accept a secure communication if it is initiated by another computer. Of course, the negotiation will succeed only if one of the proposals in the list offered by the initiator can be matched by the responder.
Secure Responder is a likely behavior for the majority of workstations in a network. Communication in the clear is always allowed between computers that are Secure Responders or Secure Initiators, but a Secure Responder will communicate securely with a computer (usually a server) that has Lockdown default behavior.
Secure Initiator
A computer with the default behavior of Secure Initiator will always attempt to initiate secure communications on all outbound traffic. Even if an inbound communication flow is initiated in the clear, the response data flow will cause the computer to initiate a secure session. However, if a secure session cannot be initiated, the computers will fall back to communicating in the clear.
Secure Initiator behavior is appropriate for both workstations and servers. Computers that need peer-to-peer secure communications can use Secure Initiator behavior. Many servers can use this behavior as well, as long as the fallback behavior is acceptable for your network.
Secure Initiator is similar to Secure Responder, except that all outbound traffic will result in an attempt to negotiate parameters for security.
Lockdown
A computer with Lockdown behavior will always initiate and respond securely to all data flows. If the negotiation fails on either computer, then traffic will be denied.
Lockdown behavior is used for servers with high content value, as it requires security for all data transmissions.
Communicating with non-Packet Protect computers
It is common to not use Packet Protect on all the computers in your network. While the security that Packet Protect can provide is beneficial, there are several reasons to limit the computers on your network that use Packet Protect, such as:
• Only a limited number of computers on your network require secure communications.
• In order to minimize CPU utilization, you want to limit use of Packet Protect to computers that already have PRO/100 S Management or Server adapters.
Computers that use the default behavior of Secure Responder or Secure Initiator will always be able to communicate in the clear with computers in your network that do not use Packet Protect.
Computers that use the default behavior of Lockdown will not be able to communicate with computers in your network that do not use Packet Protect.
Develop a strategy for handling pre-shared keys
When two computers attempt secure communication, they negotiate parameters for the communication. In addition to using their default behavior, described in the previous section, they also exchange a string of characters known as a pre-shared key.
When the computers begin to negotiate parameters, they compare their pre-shared keys. If both computers have the same pre-shared key, then the computers will go ahead and negotiate parameters for the session. If the computers have a different pre-shared key, then the negotiation for secure communication will cease.
Once the pre-shared keys have been compared and matched between the two computers, the IKE protocol generates secure, secret session keys. No one can find out what these session keys are, even if they know what the pre-shared key is. Although pre-shared keys are sometimes called passwords, they do not act like passwords. Even when you know what the pre-shared key is, you cannot use that key to intercept or decrypt the information that is being transmitted.
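The default behaviors and the pre-shared key comparison described above decide, for any pair of computers, whether traffic ends up protected, in the clear, or denied. The following Python sketch is an added example, not part of the Intel guide or of Packet Protect: it models those rules over a constructed inventory and lists the pairs a deployment review should look at. Host names, the `key_id` labels and the `sensitive` flag are assumptions.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple

# Default behaviors named in the guide; NONE marks a computer without Packet Protect.
SECURE_RESPONDER = "Secure Responder"
SECURE_INITIATOR = "Secure Initiator"
LOCKDOWN = "Lockdown"
NONE = "No Packet Protect"


@dataclass(frozen=True)
class Host:
    name: str                      # hypothetical inventory name
    behavior: str
    key_id: Optional[str] = None   # label of the configured pre-shared key, not the key itself
    sensitive: bool = False        # assumption: inventory flag for confidential data


def outcome(a: Host, b: Host) -> str:
    """Return 'secure', 'clear' or 'denied' for traffic between a and b."""
    behaviors = {a.behavior, b.behavior}
    # Only Secure Initiator and Lockdown start a negotiation; two Secure
    # Responders never do, so they simply talk in the clear.
    someone_initiates = bool(behaviors & {SECURE_INITIATOR, LOCKDOWN})
    both_run_ipsec = NONE not in behaviors
    # Negotiation goes ahead only when both pre-shared keys are the same.
    # Assumption: both sides also offer a matching proposal (default security action).
    keys_match = a.key_id is not None and a.key_id == b.key_id
    if someone_initiates and both_run_ipsec and keys_match:
        return "secure"
    # Lockdown never falls back; the other behaviors fall back to clear text.
    if LOCKDOWN in behaviors:
        return "denied"
    return "clear"


def audit(hosts: List[Host]) -> List[Tuple[str, str, str]]:
    """List pairs that would be denied, or would run in the clear although
    one endpoint is flagged sensitive."""
    findings = []
    for a, b in combinations(hosts, 2):
        result = outcome(a, b)
        if result == "denied" or (result == "clear" and (a.sensitive or b.sensitive)):
            findings.append((a.name, b.name, result))
    return findings


# Constructed inventory for illustration.
INVENTORY = [
    Host("finance-srv", LOCKDOWN, "group-key", sensitive=True),
    Host("hr-srv", SECURE_INITIATOR, "group-key", sensitive=True),
    Host("ws-101", SECURE_RESPONDER, "group-key"),
    Host("ws-102", SECURE_RESPONDER, "old-key"),   # still holds a superseded key
    Host("printer-1", NONE),
]

if __name__ == "__main__":
    for first, second, result in audit(INVENTORY):
        print(f"{first:12} <-> {second:12} {result}")
```

The two `clear` findings show the cost of the Secure Initiator fallback: a key mismatch on a Secure Initiator server does not stop traffic, it silently removes the protection.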
Sharing keys
It’s important when you are developing your deployment model that you decide how to handle the distribution of the pre-shared key. Some networks use a widely-published key, known as a “group key” or the “pre-shared key on the wall.” In this strategy, you make the pre-shared key available to everyone. This way, all computers will be configured to use the same key. This ensures that when secure communications are requested, IKE will be able to negotiate secure communications when the keys are matched between two computers.
In addition to the “group key,” some enterprises may want to use additional, more private pre-shared keys in certain instances. For example, the president and the chief financial officer of a corporation may wish to send secured transmissions to each other. In this instance, each of these computers would use the group key as part of their standard System Policy, but would create a special rule to cover communications just between them. (See “Consider exceptions to the Default Rule” for more information on implementing this scenario.) In this case, they would likely choose a more secret pre-shared key that just the two computers use with each other.
Understand the Default Rule
Every computer that uses Packet Protect has a single System Policy. Each System Policy initially contains a single Default Rule. The Default Rule is quite simple:
For Everybody, use the Default Security Action. If the rule fails, Allow Communication without Security.
Note: For computers that use the Lockdown behavior with the Default Rule, if the rule fails then Deny Communication is the fallback action.
See “The Default Rule” on page 26 for more information.
Note: If you want to have secure communication between a Packet Protect computer and a Windows 2000* computer, you must use the Default Rule. Intel recommends that you do not delete the Default Rule.
See “What is a Rule?” on page 25 for more information about rules in Packet Protect.
Consider exceptions to the Default Rule
Many enterprises may find that by careful consideration of the default behavior roles, a widely published pre-shared key, and the Default Rule, they can meet their security requirements without extra effort. This model is quite workable and provides adequate security. It is also simple to deploy and maintain.
Some enterprises may wish to create additional rules that govern communications between two specific computers.
Earlier, we introduced a scenario where the president and chief financial officer of a company wished to implement extra security for their communications. For this scenario, a new rule is needed. Let’s compare a possible rule for this scenario to the System Policy’s Default Rule:
Table 1: Rule Comparison
Property | New Rule | Default Rule
Destination Workgroup | President and CFO only | Everybody
Security Action | New Security Action: Up to 15 minutes or 50 MB, whichever occurs first. Then, a new security association is negotiated. | Default Security Action: Up to 8 hours, then a new security association is negotiated.
Rule Failure | Deny Communication. | Allow communication in the clear.
Authentication | Use a new pre-shared key, known only to these two computers. | Use the System Policy’s settings
In addition to these rules, both the president and the Chief Financial Officer would have the Secure Initiator default behavior. The rule might also use more secure options, such as perfect forward secrecy, which provides a very secure negotiation of session keys. There are many other security options that can be chosen when you create a security action for this rule. See “Customize Security Actions” on page 33 for more information on options for security actions.
By comparing the new rule and the default rule, you can see how the new rule provides an extra measure of security. The new security action is much more limited. Longer time and/or size limits on a security action can give an intruder an opportunity to intercept and possibly corrupt packets. By denying communication in case of rule failure, you ensure that communication between these two computers will never occur in the clear.
What are the Trade-offs?
A very important part of developing your deployment model is to consider not only the initial deployment, but maintaining the System Policies on all the computers that use Packet Protect in your network.
Clearly, the simplest model we discussed will be the easiest to deploy and maintain. When all computers use the same defaults—Default Rule, security action, fall back to clear communication, same pre-shared key—then you’ll be able to gain adequate security with minimum impact to your network.
If you decide on a more complex deployment model, you should consider the benefits of the extra security that you have against the costs of maintaining and running the model. There are two areas that you should evaluate—maintenance and CPU utilization.
Maintenance
If you are considering a deployment model with many customizations and specialized rules, be aware of the time and effort required for ongoing maintenance. Because each computer with Packet Protect must be configured individually, customizations require more effort to keep each computer up-to-date.
Let’s consider the previous example of the special rule for the president and Chief Financial Officer of the corporation. In order for this rule to work as designed, all aspects of the rule must match, or communication will be denied. If the president’s computer uses a different setting in the security action from the CFO’s computer, then a security association cannot be negotiated and therefore all communication is denied. Consider then that it might take several days for the president and CFO to even discover that their communications haven’t been taking place, as assumed.
Even a new computer for the president could prevent secure communication from happening. For example, when you set up this special rule, you identified the two computers to Packet Protect by the names of the computers. The president’s new computer has a new name. When the president and the CFO attempt to communicate the next time, the rule will fail, because of the computer name.
You can imagine how difficult it can become to maintain specialized rules, destination workgroups, and security actions in your network. Intel recommends that you begin by using the simple, default model for secure communications. Over time, you may consider customizations to enhance secure communications in special cases.
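One way to catch the mismatches described above before they silently block traffic, as an added example that is not part of the Intel guide or of Packet Protect: a Python check that compares the special rule as configured on two computers. The `Rule` fields, computer names and key labels are assumptions modelled on Table 1, and the check follows the guide's statement that every aspect of the rule must match.

```python
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Rule:
    owner: str                              # computer the rule is configured on
    destination_workgroup: FrozenSet[str]   # computer names the rule applies to
    key_id: str                             # label of the pre-shared key, not the key itself
    max_minutes: int                        # security action time limit
    max_megabytes: int                      # security action size limit
    perfect_forward_secrecy: bool
    on_failure: str                         # "deny" or "clear"


# Settings that both ends must configure identically for negotiation to succeed.
MUST_MATCH = ("key_id", "max_minutes", "max_megabytes", "perfect_forward_secrecy")


def compare_rules(a: Rule, b: Rule) -> List[str]:
    """Return human-readable reasons why the rule on a and b would fail."""
    problems = []
    # Each side must identify the other by its current computer name.
    for mine, peer in ((a, b), (b, a)):
        if peer.owner not in mine.destination_workgroup:
            problems.append(
                f"{mine.owner}: destination workgroup does not list {peer.owner}")
    for name in MUST_MATCH:
        left, right = getattr(a, name), getattr(b, name)
        if left != right:
            problems.append(f"{name}: {a.owner}={left!r} but {b.owner}={right!r}")
    return problems


def predicted_result(a: Rule, b: Rule) -> str:
    """'secure' when the rules agree; otherwise the rule-failure action applies."""
    if not compare_rules(a, b):
        return "secure"
    return "denied" if "deny" in (a.on_failure, b.on_failure) else "clear"


def exec_rule(owner: str, peer: str, **overrides) -> Rule:
    """Build the president/CFO rule from Table 1 (constructed sample values)."""
    settings = dict(key_id="exec-key", max_minutes=15, max_megabytes=50,
                    perfect_forward_secrecy=True, on_failure="deny")
    settings.update(overrides)
    return Rule(owner=owner, destination_workgroup=frozenset({peer}), **settings)


# Constructed configurations: the intended pair, a replaced computer with a
# new name, and a security action that drifted to the 8-hour default.
CFO = exec_rule("CFO-PC", "PRES-PC")
PRESIDENT = exec_rule("PRES-PC", "CFO-PC")
PRESIDENT_NEW_PC = exec_rule("PRES-PC2", "CFO-PC")
PRESIDENT_DRIFTED = exec_rule("PRES-PC", "CFO-PC", max_minutes=480)

if __name__ == "__main__":
    for candidate in (PRESIDENT, PRESIDENT_NEW_PC, PRESIDENT_DRIFTED):
        print(candidate.owner, "->", predicted_result(candidate, CFO))
        for problem in compare_rules(candidate, CFO):
            print("   ", problem)
```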
CPU Utilization
Another very important factor to consider is the effect of IPSec on your network, as well as the individual computers using Packet Protect. Generally, you can assume that when you choose the most sophisticated security options, there will be impact on your network.
One example is choosing to use ESP (Encapsulation Security Payload) and AH (Authentication Header) authentication together. While this combination affords extra protection, you must consider that when you use both of these methods, you cannot offload any processing to the adapter, and thus CPU utilization increases. However, if you use just ESP authentication with the appropriate adapter, you can take advantage of the hardware offload and get better CPU utilization.
You must also consider the adapters that are installed in your Packet Protect computers. Only the Intel PRO/100 S Server Adapter and Intel PRO/100 S Management Adapter can perform hardware offloading. If you have other Intel PRO/100 Adapters in Packet Protect computers, you won’t be able to offload any processing, thus increasing CPU utilization and potentially slowing that computer’s network performance.
Other security options are considered “costly” as well. Perfect Forward Secrecy is very secure, but if used widely throughout the network, there can be a significant effect on servers that have a lot of secure traffic.
Conclusion
Hopefully, this section provided some guidelines for you to consider as you develop your deployment model. There are no hard-and-fast rules that you must follow. However, Intel recommends that you begin your use of IPSec and Packet Protect slowly in your enterprise. You should consider starting with a small group that uses the same pre-shared key and default System Policy. When you’ve had a chance to evaluate this first implementation phase, you can then decide how to expand your use of Packet Protect.
Set Up Intel Adapters
Before you install Packet Protect, install the necessary Intel adapters on your servers and clients that will use Packet Protect. Packet Protect only operates with Intel adapters that are configured to use Intel drivers.
Install Intel Adapters
Packet Protect works with Intel adapters that are designed to offload CPU-intensive tasks to the adapter. This helps reduce the impact to network performance and CPU utilization. Intel adapters that support the offload capabilities include the following:
• Intel PRO/100 S Server Adapter
• Intel PRO/100 S Management Adapter
Note: Although Intel adapters can be installed on various operating systems, Packet Protect supports only Windows NT* 4.0 with Service Pack 5.
Note: Packet Protect also works with the following Intel adapters, but security tasks will not offload to these adapters, and network performance will be affected.
• PRO/10+ PCI LAN adapter
• PRO/100B LAN adapter
• PRO/100B T4 LAN adapter
• PRO/100+ LAN adapter
• PRO/100+ Management adapter
• PRO/100+ Server adapter
• PRO/100+ Dual Port Server adapter
• PRO/100 CardBus II
• PRO/100 RealPort™ CardBus II
• PRO/100 LAN+Modem56 CardBus II
• PRO/100 LAN+Modem56 RealPort™ CardBus II
Install Intel adapters for the servers and clients that use Packet Protect.
To install Intel adapters
1. Refer to the Installation Guide that came with the adapters for information about installation.
2. After installation, verify network access for each computer that will use Packet Protect by checking the Link and Activity LEDs on the adapter. You can also double-click Network Neighborhood on a computer’s desktop to verify that other areas of the network are visible.
Configure Intel Adapters
After you install adapters in the computers that will use Packet Protect, configure them, as necessary, before you install Packet Protect. For example, you might install multiple adapters on a server. Then you might team those adapters together to take advantage of adapter fault tolerance or adaptive load balancing.
Multiple Adapters
If you install multiple adapters in one computer, note the following:
• Install multiple adapters before installing Packet Protect.
• Each computer has only one security policy. This means that the same security settings will apply to all of the adapters in one computer.
• If you use at least one Intel PRO/100 S Server or Management adapter in a computer, Packet Protect will be able to offload encryption and authentication tasks to that adapter.
• If you need to add or remove an adapter from a team after you install Packet Protect, you must uninstall Packet Protect from that computer, add or remove the necessary adapters, and then reinstall Packet Protect.
• When you uninstall Packet Protect, you lose all of your customized information, including rules and security actions. When you reinstall Packet Protect, you will only have the single Default Rule in your System Policy.
Adapter Teaming
Adapter Teaming and Packet Protect work together only for computers with Windows NT operating system installed. If you set up Adapter Teaming for multiple adapters, keep the following in mind:
• Configure Adapter Teaming before installing Packet Protect.
• Refer to the previous page to make sure all adapters in the team are either offload-enabled Intel adapters, or appear in the list of compatible Intel adapters on the previous page.
• If you need to add or remove an adapter from a team after you install Packet Protect, you must uninstall Packet Protect from that computer, add or remove the necessary adapters, and then re-install Packet Protect.
• Consider using high-speed adapters to limit upgrading.
Install Packet Protect
Before you install Packet Protect on your computer, make sure the computer meets the following system requirements. Packet Protect computers can be servers or workstations.
System Requirements
Before installing Packet Protect, make sure your computers meet these requirements:
• Windows NT 4.0 with Service Pack 5 or 6a (or higher)
• 40 MB available disk space
• 32 MB RAM minimum, 64 MB RAM recommended
• 200 MHz Pentium® processor performance level or higher recommended
• Intel adapter (PRO/100 family)
Note: See “Install Intel Adapters” on page 15 for information on choosing an Intel adapter.
Licensing
All installations are subject to the end user’s acceptance of the applicable Intel Software License Agreement.
Install Packet Protect
You will need the information detailed in the following table during Packet Protect installation at each computer. To complete the installation most efficiently, gather the following information before you begin.
Table 2: Required Information
Information You Need | Description
Default behavior | Decide how you want the computer to communicate with other computers on the network: Secure Responder, Secure Initiator, or Lockdown. For more information about these settings, see “Default Behaviors for Packet Protect Computers” on page 22.
Pre-shared key | Enter a pre-shared key the computer will use to communicate securely with other IPSec computers. A pre-shared key is similar to a secret password.
To install Packet Protect
1. Verify that the computer you have chosen meets the minimum requirements detailed under “System Requirements” on page 17.
2. Insert the product CD-ROM into the CD-ROM drive at the computer where you want to install Packet Protect.
3. Browse to the CD-ROM using Windows Explorer.
4. Double-click d:\packet protect\setup.exe, where d:\ is your CD-ROM drive.
5. Follow the dialog box instructions on the screen.
Keep a confidential record of the information you enter. If you need to reinstall Packet Protect later, you will need to re-enter this information.
Notes:
• If the static IP address or the DNS name of the computer changes, you must restore the System Policy. You will lose all your customizations when you restore the System Policy. Also, if there are other computers in the network that have rules that apply to the computers whose IP address or DNS name changes, the rules of those computers need to be changed. For information on restoring the System Policy, see “Restore the System Policy” on page 42.
• You can also install from a mapped drive where you have stored the Packet Protect installation files.
• If you already have adapter teaming installed on the system, there’s no need to re-enter the TCP/IP settings during Packet Protect installation (you are not prompted for this information).
To verify that Packet Protect is installed and running on a computer:
1. At the taskbar on the computer, select Settings > Control Panel.
2. Double-click Services and verify that Intel Policy Agent is started.
If Intel Policy Agent doesn’t appear in the list, Packet Protect has been shut down or is not functioning properly. See “Turn Security on Manually for an Existing Computer” on page 47 for details about restarting Packet Protect.
See the chapter “Troubleshooting and FAQs” on page 49 for general troubleshooting guidelines and a list of common Packet Protect installation problems and their solutions.
View Your Security Settings
During installation, you set up basic security settings for the computer: the authentication method and the default behavior for the client. To view your security settings, double-click Intel(R) Packet Protect at the Control Panel. The authentication setting and default behavior you chose during installation appear in the Security tab.
See the next chapter for information on editing basic settings and configuring advanced security settings.
3 Configuring Security Settings
If you have installed Packet Protect, you have already set up basic security settings for the computer. You may view or edit these settings using Packet Protect. Optionally, you may also use the Advanced settings in Packet Protect, if you are familiar with encryption and authentication settings, to configure the security policy that comes with Packet Protect.
In this chapter, you’ll find information about:
• Understanding default security behavior (basic settings).
• Setting up your System Policy (advanced settings).
Understand Default Security Behavior
During installation, you selected a default behavior for your computer to use for all communications. You also entered a pre-shared key that matches the pre-shared key on other computers in the network so the computer can communicate securely with other computers possessing the same pre-shared key.
Default Behaviors in Packet Protect
In order to operate with security settings, your computer needs to know how to communicate with other IPSec-enabled computers. In the absence of a rule that matches a specific communication need, Packet Protect uses default behaviors to determine how IPSec computers use security. If a matching rule exists on the two computers that are attempting to communicate, the default behavior will not be used. The table below describes the default behaviors available with Packet Protect.
Notes:
• You can set up specific security policies with rules to apply to specific types of communications using advanced security settings. See “Set up Your System Policy” on page 25 for more information.
• You cannot make any changes to Packet Protect on a computer unless you are logged on as administrator. Individual users cannot modify Packet Protect settings.
Table 3: Default Behaviors for Packet Protect Computers
Default Behavior | Description
Secure Responder (Example: workstations) | Computers with this behavior initiate communication without security (in the clear), but will attempt to negotiate a secure communication if one is requested. For example, if a Secure Responder workstation attempts to access a file server and that file server requests a secure communication, the workstation will respond in a secure manner. If two workstations are configured with this setting and they attempt to communicate with each other, the communication is allowed without security (in the clear). Also, Secure Responders and computers that are not IPSec-enabled communicate without security.
Secure Initiator (Example: servers) | Computers with this behavior request security for all communications, but don’t require it. For example, a Secure Initiator server always initiates communications by requesting security. If the negotiation for a secure communication is unsuccessful, the Secure Initiator server communicates without security (in the clear).
Lockdown (Example: servers that require strict security) | Computers with this behavior require security for all communication. Lockdown computers do not communicate without security, that is, they do not communicate in the clear. Only use Lockdown if a computer will be accessed by a very limited number of computers, and those computers are all properly set up with Packet Protect. If a backup to another computer on the network is scheduled automatically, it will fail unless the other computer is also security-enabled.
To change the default behavior for a Packet Protect computer
1. Click Start > Settings > Control Panel.
2. Click Intel Packet Protect. The Packet Protect Security tab appears.
3. To change the behavior for your computer, use the Behavior drop-down list to choose one of these behaviors: Secure Responder, Secure Initiator, or None.
4. To change the pre-shared key, type a new key in the Pre-Shared key box.
5. When you are finished viewing and making changes in the Security tab, click OK.
Set up Your System Policy
You set up basic security settings when you install Packet Protect. If you are familiar with encryption and authentication settings you can use the advanced settings in Packet Protect to configure specific security settings to apply to different types of communication. Packet Protect comes with a system policy that contains advanced security settings.
What is a Policy?
A policy helps determine how the computers you manage communicate with each other and with other computers on the network. Policies contain one or more rules and use rules to specify how computers on the LAN communicate in a protected way. Your Packet Protect policy comes with pre-defined rules. Each rule has its own set of conditions that, if matched, apply defined security settings. You can edit the pre-defined rules or create new rules for your policy.
What is a Rule?
A rule defines how you want to communicate with other computers on the network. For example, one rule can define how to communicate with a file server using specific security settings. Another can define an entire group of computers for which communication will always be allowed “in the clear” (without security).
The rules in your system policy are listed in the Policy Editor. To view the Policy Editor, click Advanced on the Security tab.
Every rule contains the information described in the following table.
Table 4: Rule Settings
Rule Setting | Description
Destination workgroup | Collection of computers with which a computer communicates.
Security action | Collection of security settings used when negotiating a communication.
Rule failure | Definition of what happens when the rule is applied, but the communication is not negotiated successfully. You can allow the communication to occur unsecured, or deny the communication.
Authentication | Definition of how your computer verifies the other computer’s pre-shared key when the rule is applied. You can use the authentication settings already specified for your computer (on the Security tab), or use custom settings for the rule (propose a pre-shared key).
Note: All rules specify All IP for the Traffic Group. If a rule is applied, the security settings apply to all IP traffic between the two computers communicating. Refer to the readme file on the product CD-ROM for a list of ports and protocols that are always sent unprotected in order for Packet Protect to function.
The Default Rule
When you install Packet Protect, the default rule is created. The Default Rule has these properties:
• Destination Workgroup: Everybody. Applies to every computer in the LAN.
• Security Action: Default Action. The standard security action, which uses a time limit of 8 hours. Refer to “Customize Security Actions” on page 33 for detailed information about security actions.
• If rule fails: Allow Communication without Security. If the computers cannot negotiate a secure communication, then communication is allowed without any security. For computers that use the Lockdown behavior, if the rule fails, then communication is denied.
• Rule authentication: Use System Policy’s settings. When Packet Protect was installed, each computer was set up to use a pre-shared key. When two computers attempt to communicate securely using a pre-shared key, each computer must have the same key entered. If these keys do not match, the rule cannot be authenticated by the computers and it will fail.
Importance of Rule Order
The System Policy typically contains one or more rules. Place the rules in the order you want them applied. If you have one general rule and also an exception to that rule, place the exception before the general rule; otherwise, the specific rule is never applied.
It is critical that you order rules appropriately to ensure they behave as expected. The following example shows what might happen if the rules are not in the correct order.
Example of rule ordering
Suppose you have created a destination workgroup for the finance managers at your company. You need to send sensitive information to the managers, so you have created a rule with high security settings. You decide that if one of the finance managers does not meet the security action settings, you do not want to transmit information. You also have the Default Rule with security settings to use when communicating with everyone on the LAN. However, if the settings fail to be negotiated, you will still allow the communication to take place without security. The rules you have created appear in the table below.
Table 5: Correct Ordering for Rules
Rule Name | Destination Workgroup | Security Action | If rule fails
To Finance Management | Finance Managers | 3DES+SHA1+None | Deny
Default Rule | Everybody | DES+MD5+None | Allow
The rule ordering above requires the Finance Managers workgroup to have a rule listing your computer and the 3DES+SHA1+None security action in order to negotiate secure communication. If the Finance Managers workgroup does not have a matching rule, communication will be denied.
Notice the importance of rule order. If the Default Rule was ordered before the To Finance Management rule, communication with Finance manager workstations would be allowed “in the clear” (with no security) even if the Finance Managers workgroup does not have a matching rule for communication with R&D using the 3DES+SHA1+None algorithms. In this case, the general rule would be applied first, and the specific rule would never be applied.
For instructions on how to order rules, see “Step 3: Order the Rules” on page 31. The next section explains more about how Packet Protect computers use rules.
For information about security algorithms and about their notation, see “About algorithm notation” on page 36.
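The rule-ordering behavior above can be modelled in a few lines. The following is an added example, not Packet Protect code: it evaluates the two rules of Table 5 top to bottom and also lists rules that an earlier, more general rule makes unreachable. The class and function names, the 192.0.2.x addresses and the way a peer's matching rule is represented are assumptions made for the illustration.

```python
"""Simplified model of first-match rule evaluation; not Packet Protect code."""
from dataclasses import dataclass

EVERYBODY = "Everybody"  # destination workgroup that matches every computer


@dataclass(frozen=True)
class Rule:
    name: str
    workgroup: str   # destination workgroup name
    action: str      # security action in Encryption+ESP+AH notation
    if_fails: str    # "Allow" or "Deny"


def first_match(policy, peer, workgroups):
    """Return the first rule, top to bottom, whose workgroup contains peer."""
    for rule in policy:
        if rule.workgroup == EVERYBODY or peer in workgroups.get(rule.workgroup, ()):
            return rule
    return None


def outcome(policy, peer, workgroups, peer_actions):
    """Return (rule name, result) for traffic sent to peer.

    peer_actions is the set of security actions the peer's matching rule
    accepts; an empty set models a peer that has no matching rule.
    The Lockdown default behavior is not modelled here.
    """
    rule = first_match(policy, peer, workgroups)
    if rule is None:
        return (None, "default behavior")
    if rule.action in peer_actions:
        return (rule.name, "secured with " + rule.action)
    if rule.if_fails == "Deny":
        return (rule.name, "denied")
    return (rule.name, "in the clear")


def shadowed_rules(policy, workgroups):
    """Return (rule, earlier rule) pairs where the earlier rule already
    matches every computer of the later rule, so the later rule never applies."""
    found = []
    for i, rule in enumerate(policy):
        members = set(workgroups.get(rule.workgroup, ()))
        for earlier in policy[:i]:
            covers_all = earlier.workgroup == EVERYBODY
            covers_group = (rule.workgroup != EVERYBODY and
                            members <= set(workgroups.get(earlier.workgroup, ())))
            if covers_all or covers_group:
                found.append((rule.name, earlier.name))
                break
    return found


# Constructed sample data: workgroup membership and the two rules of Table 5.
WORKGROUPS = {"Finance Managers": {"192.0.2.21", "192.0.2.22"}}
CORRECT_ORDER = [
    Rule("To Finance Management", "Finance Managers", "3DES+SHA1+None", "Deny"),
    Rule("Default Rule", EVERYBODY, "DES+MD5+None", "Allow"),
]
WRONG_ORDER = list(reversed(CORRECT_ORDER))

if __name__ == "__main__":
    for label, policy in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        # A finance manager's computer that has no matching rule.
        print(label, outcome(policy, "192.0.2.21", WORKGROUPS, set()))
        print(label, "shadowed:", shadowed_rules(policy, WORKGROUPS))
```

Running the shadowing check over an exported rule list before deployment catches the misordering without waiting for traffic to fall back to the clear.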
How Does the System Policy Work?
The System Policy defines a collection of rules that describes the security settings to enforce under certain situations. When a computer attempts communication, Packet Protect evaluates a number of things before allowing the communication.
The following example describes how the policy works:
1. MyComputer attempts to communicate with MyServer with a rule using the 3DES+SHA1+None encryption algorithms.
2. If a rule match is found, MyComputer proposes the security action settings and authentication settings that you defined for that rule. The two computers negotiate the security settings. If that security settings negotiation is successful, the two computers communicate using the agreed upon settings. If that negotiation fails, the communication fails or is allowed unsecured, depending on the If rule fails specification.
If a rule match isn’t found, the system proposes the pre-shared key assigned for that computer’s workgroup. It then proposes pre-defined security settings such as default settings that are used for all communications. See “Appendix A — IKE and IPSec” on page 53 for more information.
Note: If the destination computer uses Packet Protect, it also searches its policy for a rule with settings that match. If your computer and the destination computer have matching rules, the communication is allowed and secured according to the specified security action settings.
Add Rules to the System Policy
Adding rules to your policy is optional. If you are unsure whether you need new rules, see “What is a Policy?” on page 25 for more information.
Creating a new rule involves several steps:
1. Viewing the System Policy.
2. Defining a new rule for the System Policy.
3. Ordering the rules.
In general, follow these guidelines when you make rules:
• When you add a rule to computer A’s policy for secure communication with computer B, you must add a matching rule in computer B’s policy for secure communication with computer A. Otherwise, the rule will fail and communication will be denied or allowed unsecure (depending on the If rule fails setting for both workgroups’ rules).
• If you add two rules that include some of the same computers (for example, one rule lists computer A as the destination workgroup, and another rule lists Everybody, that is, all computers on the network, as the destination workgroup), you must order the specific rule before the general rule. Otherwise, the specific rule will never be applied. See “Importance of Rule Order” on page 27 for more information.
Step 1: View the System Policy
1. At the Control Panel, click Intel Packet Protect.
2. On the Security tab, click Advanced.... The Policy Editor dialog box appears.
Step 2: Define a new rule for the policy
1. Click New Rule. The New Rule dialog box appears.
2. In the Rule Name text box, type a name for the rule.
3. In the Destination workgroup text box, select the group of computers for which you want this rule to apply.
The list includes destination workgroups that are already created (either as part of the Default Rule or that you created). If you want to view, edit, or create a destination workgroup, see “Customize Destination Workgroups” on page 31 for more information.
4. In the Security action text box, select the group of security settings that you want to define for this rule.
The list includes security actions you have already created and pre-defined security actions that come with Packet Protect. If you want to view, edit, or create a security action, see “Customize Security Actions” on page 33 for more information.
5. In the If rule fails text box, select whether to deny or allow a communication if this rule is matched, but the communication fails to negotiate.
6. In the Authentication area, decide whether you want to use the default settings or propose custom authentication settings.
You specified the default settings when you installed Packet Protect (displayed on the Security tab).
7. Click OK.
8. Repeat steps 2 through 7 to add more rules to the System Policy.
Step 3: Order the Rules
1. On the Policy Editor dialog box, click a rule.
2. Click Move Up or Move Down to move the rule up or down one line. You can also select a rule and drag it up or down.
The rules are applied in the order in which they are listed. For example, the rule at the top of the list is applied before all rules below it.
See “Importance of Rule Order” on page 27 for more information about ordering rules.
To modify a rule
In order to apply your rule to a communication, the computer with which you are attempting communication must have a rule with matching settings. If you have already coordinated rules with the other computers with which you wish to communicate, modifying your rule will require modification to rules for other computers.
1. Before you modify a rule, check the following:
• If you have already set up matching rules for other IPSec computers, DO NOT follow the steps below.
• If you have not set up matching rules for other IPSec computers, continue with the steps below.
2. In the Policy Editor dialog box, select the rule you want to modify.
3. Click Edit Rule. The Edit Rule dialog box appears.
4. Make changes, as necessary, then click OK.
Customize Destination Workgroups
A destination workgroup is a collection of computers with which your computer communicates. For example, if your computer requires specific security when communicating with the Research & Development Workgroup, your policy must include a rule with security settings that specifies the Research & Development Workgroup as the destination workgroup, and Research & Development computers must have a rule specifying the same security settings and your computer as the destination workgroup.
The following destination workgroups are available:
• Everybody: Use this destination workgroup when you want the rule to apply to communication with all computers on your LAN.
• Destination workgroups you create.
If a computer or group of computers you need is not in the destination workgroup list, create a new destination workgroup.
To create a new destination workgroup
1. On the Policy Editor dialog box, select the rule for which you want a new destination workgroup.
2. Click Edit Rule. The Edit Rule dialog box appears.
3. Click Customize Destination. The Customize Destination Workgroups dialog box appears.
4. Click New.
5. In the Destination workgroup box, type a new name for the destination workgroup.
6. To add computers to the destination workgroup, in the Add computers by text box, select how you want to identify computers for addition to the destination workgroup: by IP address or by computer name.
Note: Check with your network administrator to determine how to add computers to a workgroup. If the computer you want to add to this workgroup has a permanent (or static) IP address, you should probably add computers to the workgroup by IP address. If the computer you want to add uses dynamic IP addresses (where a temporary IP address is assigned to a computer for each session), then you should probably add computers to the workgroup by computer name.
7. Type the computer name or IP address for a computer you want to add to the workgroup.
8. Click Add>>.
9. Repeat steps 5 through 8 for each computer you want to add.
10. If you need to delete a computer from the destination workgroup, select the computer from the list on the right, then click <<Remove.
11. If desired, continue adding destination workgroups by clicking New again and repeating Steps 4-7.
12. Click OK. The selected destination workgroup appears automatically in the Edit Rule dialog box.
Destination workgroups can be used in multiple rules. If you modify a destination workgroup, other rules may be affected.
Before you modify a destination workgroup, check the following:
• If you have used the destination workgroup in any other rules, do not follow the steps below. See “Modify Destination Workgroups or Security Actions” on page 41 for more information.
• If you have not used the destination workgroup in any other rule, continue with the steps below.
To modify a destination workgroup
1. In the Customize Destination Workgroups dialog box, select the destination workgroup you want to modify.
2. Make changes, as necessary, then click OK.
Customize Security Actions
You must specify a security action for each rule. This section defines the security settings you can apply when two computers communicate.
Packet Protect provides six pre-defined security actions, described below. See “Available Settings for Security Actions” on page 34 for detailed information about the security settings listed here.
• Clear: Use to communicate completely in the clear, without any security.
• Default Action: Use to get an action that provides a high level of security, along with a high level of interoperability. The default action is a rich set of IPSec proposals that includes various levels of ESP (Encapsulation Security Payload) encryption, ESP authentication, and AH authentication. It provides a maximum level of interoperability with non-Packet Protect implementations of IPSec.
• Deny: Use to deny any communications between two computers.
• Initiate Clear, Secure Responder: Use when you want to initiate communications in the clear and will attempt to negotiate a secure connection if requested. This security action is most appropriate for workstations.
• Secure Initiator, Fallback Clear: Use when you want to request security for all communications, but do not require it. If a secure connection cannot be negotiated, then the communication will be in the clear. This security action is appropriate for servers.
• Secure Initiator, Fallback Deny: Use when you want to require security for all communications. If a secure connection cannot be negotiated, then the communication request is denied. This security action is appropriate for servers.
Remember that two computers attempting to communicate must agree on certain settings in order to communicate using IPSec.
The Requires Match? column in the table below indicates whether the source and destination computers must have the same security setting.
Table 6: Available Settings for Security Actions
Security Setting | Description | Requires Match?
Time limit | The length of time (in minutes or hours) the protected communication can be active before the system renegotiates. To increase protection, lower the time limit (to a minimum of 10 minutes). This makes the system re-negotiate a new security association more often, but increases network traffic. You may specify a time limit, size limit, or both. This setting is optional. If two computers require different time limits, the communication is re-negotiated when the lower time limit is reached. If a time limit is not defined, the default is 8 hours. | No
Size limit | The amount of data (in MB) that can be transferred during a security association before the system renegotiates. To increase protection, lower the size limit (to a minimum of 20 MB). This makes the system renegotiate a new security association more often, but increases network traffic. You may specify a time limit, size limit, or both. This setting is optional. If two computers attempting to communicate require different size limits, the security association expires when it reaches the lower size limit. If you specify a size limit only, an 8-hour time limit is applied automatically. The default is no size limit. There is no maximum size limit for a security association. | No
Perfect forward secrecy | The system proposes a second set of keys for the security association (instead of using the first set of keys used to verify identification). Packet Protect is designed to agree on any of the settings (including none), but it proposes the setting you select. Note: DO NOT use perfect forward secrecy if your computers will need to communicate securely with Windows* 2000 IPSec computers or any other non-Packet Protect IPSec computers. This setting is not compatible with non-Packet Protect IPSec computers and may cause communication to fail. | No
Anti-replay protection | The system does not accept repeated packets; that is, packets that the system already received. This helps protect against an intruder sending the same packets repeatedly in an attempt to confuse an application. Always use this option because it increases the level of protection with very little impact on network traffic. | No
Use algorithms in order of preference | Combinations of algorithms a computer must use for a communication: ESP encryption, ESP authentication, and AH authentication. Packet Protect proposes the algorithm list (in order of preference) to the destination computer during negotiation. Two computers attempting to communicate securely must agree on an algorithm combination. | Yes
Note: If your computer needs to communicate securely to a mixed domestic and export group of computers, make sure your policies have compatible encryption settings. Computers using the export version can use DES encryption only. If computers using the export version receive a policy specifying 3DES encryption, they will actually use DES encryption for the communication. Consider including both DES (56-Bit) and 3DES (168-Bit) encryption in your security actions.
About algorithm notation
Each security action can specify algorithms to use for encryption and authentication. There are three categories: Encryption, ESP [Encapsulation Security Payload] Authentication, and AH [Authentication Header] Authentication.
At least one of these categories must be used in a security action, or you can use two or even all three.
IPSec and Packet Protect use a kind of “shorthand” notation for describing the algorithms used in a security action: Encryption value + ESP value + AH value. For example, if you create a security action that uses DES for Encryption, SHA1 for ESP, and do not use AH, this would be shown as DES+SHA1+None.
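The notation above, the Table 6 limits and the domestic/export note can be combined into one model of how two security actions meet. This is an added example, not Packet Protect code: it parses the Encryption+ESP+AH shorthand, applies the export version's use of DES in place of 3DES, picks the first mutually listed combination and applies the lower of the two limits. It assumes the initiator's order of preference decides; the class, function and sample names are hypothetical.

```python
"""Model of security-action negotiation; illustrative only, not Packet Protect code."""
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_TIME_LIMIT_MIN = 8 * 60  # Table 6: 8 hours when no time limit is defined
MIN_TIME_LIMIT_MIN = 10          # Table 6: lowest time limit allowed
MIN_SIZE_LIMIT_MB = 20           # Table 6: lowest size limit allowed


def parse_combination(text):
    """Turn 'Encryption+ESP+AH' shorthand into a normalised 3-tuple."""
    parts = [p.strip() for p in text.split("+")]
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected Encryption+ESP+AH, got %r" % text)
    parts = ["None" if p.lower() == "none" else p.upper() for p in parts]
    if parts == ["None", "None", "None"]:
        raise ValueError("at least one category must name an algorithm")
    return tuple(parts)


def effective_combination(combo, export_version):
    """Export-version computers use DES even where the policy says 3DES."""
    enc, esp, ah = combo
    if export_version and enc == "3DES":
        enc = "DES"
    return (enc, esp, ah)


@dataclass
class SecurityAction:
    combinations: List[str]              # in order of preference
    time_limit_min: Optional[int] = None
    size_limit_mb: Optional[int] = None
    export_version: bool = False

    def __post_init__(self):
        if self.time_limit_min is not None and self.time_limit_min < MIN_TIME_LIMIT_MIN:
            raise ValueError("time limit below the 10-minute minimum")
        if self.size_limit_mb is not None and self.size_limit_mb < MIN_SIZE_LIMIT_MB:
            raise ValueError("size limit below the 20 MB minimum")

    def proposals(self):
        """Combinations this computer can actually use, in preference order."""
        return [effective_combination(parse_combination(c), self.export_version)
                for c in self.combinations]


def negotiate(initiator, responder):
    """Return the agreed combination and limits, or None if nothing matches."""
    accepted = set(responder.proposals())
    for combo in initiator.proposals():   # assumption: initiator's order decides
        if combo in accepted:
            sizes = [s for s in (initiator.size_limit_mb, responder.size_limit_mb)
                     if s is not None]
            return {
                "combination": "+".join(combo),
                # The lower time limit wins; undefined means the 8-hour default.
                "time_limit_min": min(initiator.time_limit_min or DEFAULT_TIME_LIMIT_MIN,
                                      responder.time_limit_min or DEFAULT_TIME_LIMIT_MIN),
                # The lower size limit wins; None means no size limit.
                "size_limit_mb": min(sizes) if sizes else None,
            }
    return None


# Constructed sample security actions.
DOMESTIC_3DES_ONLY = SecurityAction(["3DES+SHA1+None"], time_limit_min=60)
DOMESTIC_MIXED = SecurityAction(["3DES+SHA1+None", "DES+SHA1+None"],
                                time_limit_min=60, size_limit_mb=100)
EXPORT_PEER = SecurityAction(["3DES+SHA1+None", "DES+MD5+None"], export_version=True)

if __name__ == "__main__":
    print(negotiate(DOMESTIC_3DES_ONLY, EXPORT_PEER))  # no common combination
    print(negotiate(DOMESTIC_MIXED, EXPORT_PEER))      # agrees on 56-bit DES
```

The second result is the point to review in a mixed group: the policy lists 3DES first, but the association that is actually negotiated uses DES.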
To create a new security action
1. On the Policy Editor dialog box, select the rule for which you want a new security action.
2. Click Edit Rule. The Edit Rule dialog box appears.
3. Click Customize Security. The Customize Security Actions dialog box appears.
4. Click New.
5. In the Security action list box, type a new name for the security action.
6. Specify a time and/or size limit for the security association. Refer to Table 6, “Available Settings for Security Actions,” on page 34 for detailed information about these items.
7. If applicable, select the Perfect Forward Secrecy check box.
Note: DO NOT use Perfect Forward Secrecy if your computers will need to communicate securely with Windows 2000 IPSec computers or any other non-Packet Protect IPSec computers.
8. Select Anti-replay protection. (Always select this setting because it increases network protection with very little impact on network traffic; see Table 6 on page 34 for details.)
9. Add algorithms to the preference list for the security action:
• In the Encryption, ESP Authentication, and AH Authentication list boxes, select which algorithms you want to propose for the security action. You must select at least one algorithm from any of the lists.
• Click Add. Repeat this step for each algorithm combination you want to add.
10. If you need to remove an algorithm combination from the preference list, select the combination from the list on the right, then click Remove.
11. To indicate your order of preference, move the algorithm combinations to the correct location on the list by selecting an algorithm combination and clicking Move Up or Move Down. Move the most important selection to the top of the list and continue in descending order of importance.
12. To continue adding security actions, click New again and repeat Steps 5-11.
13. When you finish, click OK. The selected security action appears automatically in the New Rule dialog box.
To modify a security action
Security actions can be used in multiple rules. If you modify a security action, other rules may be affected.
1. Before you modify a security action, check the following:
• If you have used the security action in any other rules, DO NOT follow the steps below. See “Modify Destination Workgroups or Security Actions” on page 41 for instructions.
• If you have not used the security action in any other rule, continue with the steps below.
2. In the Customize Security Action dialog box, select the security action you want to modify.
3. Make changes, as necessary, then click OK.
4 Making Changes
Be carefu l whe n you mak e ch anges t o your polic y. The settings you modi fy may be used for more than one rule in your policy. This means changes you make may affect other rule s in your policy, and may even require changes to policies for other Packet Protect computers.
In this chapter, you’ll find information about:
Modifying rules.
Modifying custom destination workgroups and custom security actions.
Deleting rules.
Restoring the system policy.
Modify the System Policy
Modifying a computer’s System Policy may impact policies that belong to other clients with which your computer communicates using Packet Protect. In order to apply your rule to a security association, the computer with which you are attempting communication must have a rule with matching settings. If you have already coordinated rules with these other computers, modifying your rule will require modification to the rules for the other computers. Contact the network administrator if you have any questions or concerns about modifying rules in the System Policy.
You may edit the Default Rule that comes with your Packet Protect System Policy (see “The Default Rule” on page 26 for a description of the Default Rule).
Notes:
You should carefully consider the possible effects of changing the Default Rule. If you modify the Default Rule extensively on a computer, then you run the risk of that computer not being able to successfully negotiate a secure transmission with another computer in your network.
If you have to re-install Packet Protect for any reason, or need to recreate the Default Rule, you will lose your customizations and will have to specify them again.
To modify a rule
1. Determine which of the other computers on the LAN have a matching rule for the rule you will edit. You need this information later.
2. On the Policy Editor dialog box, select the rule you want to modify.
3. Click Edit Rule. The Edit Rule dialog box appears.
4. Make changes as necessary.
5. If you click any of the Customize buttons to make changes, see “Modify Destination Workgroups or Security Actions” for more information.
6. Click OK.
7. Go to the other computers that have a matching rule for the rule you just modified (if you do not administer the other computers, coordinate the needed rule changes with the other administrator). Complete steps 2-6 on each of the other computers to update the settings so the rules have matching settings.
Note:
You must change matching rules on other computers when you modify your rules. Otherwise, when the computers attempt to communicate, the rule may fail and the security settings are not used.
Modify Destination Workgroups or Security Actions
Destination workgroups and security actions can be used in multiple rules. If you modify these items, other rules may be affected. Follow these steps to ensure that you address other affected rules.
Determine which other computers on the LAN have a matching rule for the rule you will edit. You will need this information later.
To edit destination workgroups or security actions:
1. Determine which other rules use the destination workgroup or security action you wish to modify. You will need this information later.
2. On the Policy Editor dialog box, select the rule containing the destination workgroup or security action you want to edit.
3. Click Edit Rule. The Edit Rule dialog box appears.
4. Click Customize Destination or Customize Security, depending on what you want to edit. The appropriate dialog box appears.
5. Select the item you want to modify.
6. Make changes as necessary.
7. When you are finished, click OK. Any rule that uses the destination workgroup or security action you just modified will also use the modified settings.
8. Administer the other computers that have a rule matching any of the rules that use the modified destination workgroup or security action. (If you do not administer the other computers, coordinate the needed rule changes with the other administrator.) Complete steps 2-7 to update the settings in the matching rule.
Note:
You must change matching rules on other computers when you modify your rules. Otherwise, when the computers attempt to communicate, the rule fails and the security settings are not used.
Delete a Rule
Caution:
After you delete a rule, you cannot recover its information.
To delete a rule:
1. On the Policy Editor dialog box, select the rule you want to delete.
2. Click Delete Rule.
3. Click Yes to confirm the deletion.
Note:
If other computers have a rule that matches the one you just deleted, you should delete the matching rule in the System Policy of those computers.
Restore the System Policy
If the System Policy on your computer has been extensively modified, you may find that your computer cannot always negotiate a secure communication with another computer on the LAN.
When this occurs, you should consider removing your customizations and returning to the original System Policy, with its Default Rule. You will lose all of your customizations, including customized destination workgroups and security actions.
To restore the System Policy
1. Display the Intel Packet Protect Security Tab.
2. Click Recreate Now. All your customizations are removed and you now have the default System Policy on your computer.
Chapter 5: Maintaining Packet Protect
You need to perform certain tasks to ensure that Packet Protect is running smoothly on your network.
In this chapter, you’ll find information about:
Monitoring Packet Protect computers.
Setting up compatible policies.
Installing a new adapter for a Packet Protect computer.
Working with other security products.
Turning security on.
Turning security off.
Monitor Packet Protect Computers
View Status at a Packet Protect Client
At each computer, you can verify if Packet Protect is running.
To verify whether Packet Protect is running
1. At the taskbar on the computer, select Settings > Control Panel.
2. Double-click Services and verify that Intel Policy Agent is started.
If Intel Policy Agent doesn’t appear in the list, Packet Protect has been shut down or is not functioning properly. See “Turn Security on Manually for an Existing Computer” on page 47 for details about restarting Packet Protect.
Set Up Compatible Policies
Two Packet Protect-enabled computers must agree on certain settings in order to communicate in a protected way. These settings must be agreed upon by both computers. It becomes increasingly difficult to set up an IPSec security system if there is a different network administrator who manages computers with which you need to communicate using Packet Protect.
Contact the other network administrator who is also using Packet Protect to coordinate the management of Packet Protect computers. One of you may need to update your client’s System Policy to be compatible with the other computer’s System Policy.
Two computers must use compatible settings for the following:
Authentication. Both computers must use the same method to authenticate each other’s identity (e.g., both computers must use the same pre-shared key).
IPSec. Both computers must use compatible IPSec settings. See “Customize Security Actions” on page 33 and “How Packet Protect Uses IPSec” on page 59 for a list of the required settings.
Work with Other Security Products
On your network, there may be installations of an IPSec product other than Packet Protect. If this is the case, make sure that the security settings used by your computers match the security settings used by the other IPSec computers. This is because two IPSec-enabled computers must agree on these security settings in order to communicate in a protected way.
You might be managing both security product deployments, in which case you can verify the settings that need to match. If another network administrator manages the security computers using a different product, contact that network administrator to verify the settings.
Note:
If the other network administrator manages Windows* 2000 IPSec computers, you will need to create a separate destination workgroup for each Windows 2000 IPSec computer. This will maximize IPSec interoperability.
In order to communicate with a Packet Protect computer using IPSec, the two computers must use compatible settings for the following:
Authentication. Both computers must use pre-shared keys (the pre-shared key must be the same for both computers) to authenticate each other’s identity.
IKE. Both computers must use compatible IKE settings. See “How Packet Protect Uses IKE” on page 55 for a list of settings.
IPSec. Both computers must use compatible IPSec settings. See “Customize Security Actions” on page 33 and “How Packet Protect Uses IPSec” on page 59 for a list of the required settings.
Note:
If you decide to install Packet Protect for a computer that currently uses a different IPSec product, uninstall the other product, then install Packet Protect. For more information about installation, see “Install Security for a New Computer” on page 47.
Turn Security On for a Computer
After general deployment of Packet Protect, you might need to turn security on for a computer if the computer is new and hasn’t had Packet Protect installed before. Or, you might need to manually turn Packet Protect on for an existing computer if Packet Protect was turned off previously.
Install Security for a New Computer
If a new computer requires Packet Protect, follow the instructions under “Install Packet Protect” on page 17.
Turn Security on Manually for an Existing Computer
After installation, Packet Protect is designed to start automatically upon system startup. If for some reason Packet Protect isn’t running, you can restart it.
If you turned off security for a client and are now turning it back on, make sure you reverse whatever method you used to turn it off. See “Turn Security Off for a Computer” on page 48 for details about the ways you can turn off Packet Protect at a client.
To manually turn Packet Protect on
1. At the taskbar on the computer, select Settings > Control Panel.
2. Double-click Services.
3. Select Intel Policy Agent and click Start.
Turn Security Off for a Computer
There may be cases when you need to remove security from a client, for example, when the computer no longer requires protected traffic. There are two ways you can remove security from a client:
1. Shut down Packet Protect at the computer
2. Uninstall Packet Protect at the computer
Shut Down Packet Protect at a Computer
Packet Protect is designed to run automatically every time the computer starts. You can shut down Packet Protect for the current session, or you can change the computer setup so Packet Protect doesn’t run each time the computer starts.
To shut down Packet Protect for the current computer session
1. At the taskbar on the computer, select Settings > Control Panel.
2. Double-click Services.
3. Select Intel Policy Agent and click Stop.
Note:
If you want to turn security on later, manually restart Packet Protect. See “Turn Security on Manually for an Existing Computer” for more information.
Uninstall Packet Protect from a Computer
Uninstalling Packet Protect from a computer permanently removes all Packet Protect-related files, including IPSec, IKE, policies, and related Packet Protect program files.
To uninstall Packet Protect
1. At the taskbar on the computer, select Settings > Control Panel.
2. Double-click Add/Remove Programs.
3. On the Install/Uninstall tab, select Packet Protect and click Add/Remove. Follow the prompts to uninstall Packet Protect.
Caution:
When you uninstall Packet Protect, you lose all your customizations.
Chapter 6: Troubleshooting and FAQs
This chapter details tips for troubleshooting Packet Protect. This chapter also provides a list of frequently asked questions about the product.
Troubleshooting
Communication fails
If a Packet Protect computer cannot communicate with another computer, check the following:
Verify that each computer’s basic security settings are set to allow communication. If the computers are using advanced security settings, verify that the computers have matching rules. The rules must allow for a match between ESP and AH settings for the security action.
If using pre-shared keys, verify that each computer is set up to use the same pre-shared key when communicating with each other. Note that pre-shared keys are case-sensitive.
At the client, verify that Packet Protect is running. Click the Start button on the taskbar, select Settings > Control Panel. Double-click Services and verify that Intel Policy Agent is started.
Communication fails when passing through a firewall
Depending on the type of firewall, IPSec may affect the deployment in different ways:
Some firewalls block outside-in traffic without performing network address translation (NAT). These firewalls can sometimes be configured to allow IPSec traffic to flow from within the network.
Proxying firewalls use HTTP, Telnet, FTP and other application proxies or SOCKS to forward traffic. With these firewalls, IPSec cannot be used to protect traffic end-to-end. IPSec can be used within the local LAN, but all outside traffic will remain unprotected.
If a gateway or firewall is present doing network address translation, IPSec cannot be applied since IPSec packets are encrypted and integrity-protected, making address and port substitution impossible.
The effects of IPSec on firewall policies vary greatly on the type and goals of the firewalls. Refer to your firewall vendor for information on IPSec support.
Packet Protect doesn’t start automatically upon startup
At the computer, make sure that Packet Protect is started as a service. See “Turn Security On for a Computer” on page 47.
Multicast, Broadcast, and IGMP traffic isn’t protected
Multicast traffic is always unprotected when you use Packet Protect because of IPSec standards. In addition, IGMP traffic is unprotected.
I changed the IP address or DNS name of a computer, now it can’t communicate on the network
If you have custom rules, there may be other computers in the network that have an old IP address or DNS name of a computer in their rules. These rules must be modified to reflect the IP address/DNS name change.
I think some transmitted information is unprotected and it shouldn’t be
Check the security action settings of both computers to make sure they match. Also try to determine which rule is being applied to the communication. If the rule is set to allow the communication if the rule fails, the computers will transmit data “in the clear” (without security).
Check the default behavior. If both computers use Secure Responder or No Security, they will always communicate in the clear. If none of the rules applies to the communication, the communication is unprotected if the default behavior is Secure Initiator or Secure Responder.
When a computer begins communication with another computer, the first few seconds are allowed in the clear if the rule being used has a fallback clear setting or if there are no matching rules and the behavior is Secure Initiator or Secure Responder.
The following ports always allow traffic to pass in the clear:
UDP port 53 (for DNS traffic)
UDP port 68 to UDP port 67 (for DHCP)
UDP port 137 to UDP port 137 (NetBIOS name service)
UDP port 138 to UDP port 138 (NetBIOS datagram service)
TCP any port to TCP port 389 (LDAP directory access)
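When auditing a capture or flow export, it helps to separate the traffic that Packet Protect never protects (the port list above, plus multicast, broadcast and IGMP) from traffic that is subject to your rules. The following is an added example, not Intel code: the flow-line format, the sample flows, the LAN prefix, and the reading of "UDP port 53" as matching either end of the flow are assumptions.

```python
import ipaddress
import re

# Assumed flow-line format: "<proto> <src>[:port] -> <dst>[:port]"
FLOW_RE = re.compile(
    r"^(?P<proto>[a-z]+)\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s*->\s*(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# (protocol, source port or None for any, destination port, label),
# taken literally from the list of always-clear ports in this guide.
CLEAR_PORT_RULES = [
    ("udp", 68, 67, "DHCP"),
    ("udp", 137, 137, "NetBIOS name service"),
    ("udp", 138, 138, "NetBIOS datagram service"),
    ("tcp", None, 389, "LDAP directory access"),
]

# Constructed sample flows on an assumed 192.168.1.0/24 LAN.
SAMPLE_FLOWS = [
    "udp 192.168.1.20:1025 -> 192.168.1.2:53",
    "udp 192.168.1.20:68 -> 192.168.1.1:67",
    "udp 192.168.1.1:67 -> 192.168.1.20:68",
    "udp 192.168.1.20:137 -> 192.168.1.30:137",
    "udp 192.168.1.20:138 -> 192.168.1.255:138",
    "tcp 192.168.1.20:1040 -> 192.168.1.5:389",
    "tcp 192.168.1.20:1041 -> 192.168.1.5:80",
    "igmp 192.168.1.20 -> 224.0.0.22",
    "udp 192.168.1.20:5004 -> 239.1.1.1:5004",
]


def parse_flow(line):
    """Split one flow line into (proto, src, sport, dst, dport)."""
    m = FLOW_RE.match(line.strip().lower())
    if not m:
        raise ValueError(f"unrecognised flow line: {line!r}")

    def port(value):
        return int(value) if value is not None else None

    return (m["proto"], ipaddress.ip_address(m["src"]), port(m["sport"]),
            ipaddress.ip_address(m["dst"]), port(m["dport"]))


def clear_reason(line, lan="192.168.1.0/24"):
    """Return why a flow is never protected, or None if policy rules decide."""
    proto, _src, sport, dst, dport = parse_flow(line)
    net = ipaddress.ip_network(lan)
    if proto == "igmp":
        return "IGMP traffic"
    if dst.is_multicast:
        return "multicast destination"
    if dst == ipaddress.ip_address("255.255.255.255") or dst == net.broadcast_address:
        return "broadcast destination"
    # Assumption: the guide gives no direction for UDP 53, so match either end.
    if proto == "udp" and 53 in (sport, dport):
        return "DNS"
    for rule_proto, rule_sport, rule_dport, label in CLEAR_PORT_RULES:
        if (proto == rule_proto and dport == rule_dport
                and rule_sport in (None, sport)):
            return label
    return None


def audit(lines, lan="192.168.1.0/24"):
    """List (flow, reason) for every flow that always travels in the clear."""
    results = []
    for line in lines:
        reason = clear_reason(line, lan)
        if reason is not None:
            results.append((line, reason))
    return results


if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"always clear ({reason}): {flow}")
```

Flows for which `clear_reason` returns `None` (here the DHCP reply from port 67 to 68 and the TCP port 80 connection) are not on the exempt list, so whether they are protected depends on the rules and default behavior described above.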
Frequently Asked Questions (FAQs)
What is Packet Protect?
Packet Protect helps protect Internet Protocol (IP) traffic as it travels between computers on your LAN.
What is IPSec?
Internet Protocol (IP) Security is a set of protocols used to help secure the exchange of IP data. For more information about IPSec, see “Appendix A — IKE and IPSec” on page 53.
What is IKE?
Internet Key Exchange is a protocol used to verify the identity of computers and negotiate a protected communication. For more information about IKE, see “Appendix A — IKE and IPSec”.
How does Packet Protect work with multiple adapters?
Packet Protect can work with multiple adapters that you install in one computer. If you use an Intel PRO/100 S Management or Server adapter, Packet Protect offloads encryption tasks to any of these adapters. For more information, see “Multiple Adapters” on page 16.
How does Packet Protect work with Adapter Teaming?
Adapter Teaming and Packet Protect work together only for computers with Windows NT* operating systems installed. For more information, see “Adapter Teaming” on page 16.
How does implementing Packet Protect affect my network performance?
Like any IPSec solution, Packet Protect decreases network performance because of the intense computation required to encrypt, decrypt, and validate packets. Use Packet Protect with an Intel PRO/100 S Management or Server Adapter to reduce the impact on processor utilization and network traffic. Packet Protect is designed to offload processor-intensive tasks (ESP and AH algorithm calculations) to these Intel adapters that are installed in a computer. This frees up the computer’s processor utilization for other tasks, reducing the impact to the network performance.
How can I tell if Packet Protect is running?
From the Start menu, select Settings > Control Panel. Double-click Services and verify that Intel Policy Agent is started.
Why isn’t Multicast, Broadcast, and IGMP traffic protected?
Multicast traffic is always unprotected when you use Packet Protect because of IPSec standards. In addition, IGMP traffic is unprotected.
Appendix A — IKE and IPSec
A protected communication using Packet Protect involves Internet Key Exchange (IKE) and Internet Protocol Security (IPSec). This appendix describes details about IKE and IPSec, and how the technologies work together to protect information as it travels on your network.
In this appendix, you’ll find the following information:
An overview of IKE and IPSec.
How Packet Protect uses IKE.
How Packet Protect uses IPSec.
For more information about IKE and IPSec, including applicable RFCs, see the Internet Engineering Task Force IPSec Working Group Web site at http://www.ietf.org.
IKE and IPSec Work Together
Packet Protect uses IKE and IPSec to protect packets traveling on the network:
IKE — Negotiates the security settings to be used by IPSec for protection of the communication.
IPSec — Protects the packets traveling between two computers that are attempting to communicate.
The following diagram illustrates how Packet Protect uses IKE and IPSec together to protect a communication between two computers.
Step 1: IKE Verifies Pre-shared Keys
Step 2: IKE Negotiates IPSec Settings
Step 3: IPSec Protects Packets
How Packet Protect Uses IKE
IKE is a set of standard protocols developed by the Internet Engineering Task Force (IETF). IKE is used to authenticate and negotiate a protected communication. Using IKE is a two step process:
1. IKE verifies the pre-shared keys of the two computers that are attempting to communicate.
2. IKE negotiates a set of security settings to be used by IPSec. Each computer must agree upon the security settings before IKE can establish a protected communication for IPSec.
Identity Negotiation Settings
When IKE negotiates security for two computers, it requires that the following be compatible:
IKE settings
Authentication method
IKE Settings
IKE settings are agreed upon by the two computers that are attempting to verify each other’s pre-shared key. They are used to protect the IKE negotiation transactions. This allows the two computers to negotiate without compromising secret key or password information.
The diagram below shows the steps that Packet Protect performs to protect a communication. The IKE settings are used during Steps 1 and 2.
IKE settings protect IKE pre-shared key verification and negotiation steps
Step 1: IKE Verifies Pre-shared Keys
Step 2: IKE Negotiates IPSec Settings
Step 3: IPSec Protects Packets
Packet Protect uses pre-defined IKE settings, designed for maximum compatibility with computers that use Packet Protect and other IPSec products.
If two Packet Protect computers attempt to communicate, they use the same default IKE settings. If one of the computers is managed by a different IPSec product, make sure that the IKE settings match. If necessary, make changes to the IKE settings in the other IPSec product. The following table describes the pre-defined IKE settings for each computer that uses Packet Protect.
Table 7: Pre-Defined IKE Settings
Preferred Order | Encryption | Hashing | Diffie-Hellman
1 | DES (56-bit) | MD5 | 768-Bit
2 | DES (56-bit) | SHA-1 | 768-Bit
3 | 3DES (168-bit), Domestic version only | MD5 | 1024-Bit
4 | 3DES (168-bit), Domestic version only | SHA-1 | 1024-Bit
A computer that requests a protected communication proposes its list of IKE settings to the computer with which it is trying to communicate. The IKE settings are proposed in order of preference, but the responding computer can agree on any of the proposed combinations. The responding computer must have one of the combinations defined, or the communication is not allowed using IPSec.
Source computer: Proposes defined IKE settings
Destination computer: Picks which IKE settings to use from the source computer’s list
NOTE:
The IKE settings used by Packet Protect cannot be customized. If you require different settings for a communication with a computer that uses a different IPSec product, change the IKE settings in the other product to match one of the IKE setting combinations used by Packet Protect (as noted in the above table).
Authentication Method
IKE requires that two computers use the same authentication method to verify each other’s identity. Packet Protect supports the following:
Pre-shared keys — If using pre-shared keys, the two computers attempting to communicate must propose the same pre-shared key, otherwise they cannot communicate using IPSec. If you change the pre-shared key for a workgroup, remember that this changes the pre-shared key used for all communications for all computers in the workgroup.
IPSec Settings
After IKE verifies the identity of each computer, it negotiates which IPSec settings to use to protect the communication after negotiation. Packet Protect comes with pre-defined IPSec options, or you can create your own.
Each computer must agree upon the IPSec settings to use before IKE can establish a protected communication for data transfer.
Pre-defined IPSec Settings
Packet Protect comes with pre-defined IPSec settings, called security actions. These security actions are designed for maximum compatibility between computers using Packet Protect and other IPSec products.
A computer that requests a protected communication proposes its IPSec settings to the computer with which it is trying to communicate. The IPSec settings include a list of algorithm combinations that appear in order of preference. The other computer must allow one of these defined algorithm combinations, otherwise, the communication is not allowed using IPSec.
Secure communication using the same pre-shared key
For a description of the individual IPSec settings and how you might use them, see “Available Settings for Security Actions” on page 34.
Custom IPSec Settings
Although it is recommended that you use the pre-defined IPSec settings (security actions) that come with Packet Protect, you can also create your own to meet your custom corporate security guidelines. If you create your own, keep in mind that two computers must agree on certain settings in order to communicate using IPSec.
For more information about creating your own IPSec security actions, see “Customize Security Actions” on page 33.
Examples
The following diagram illustrates failed IKE negotiations due to mismatched settings.
[Diagram: one computer uses pre-shared key = 123456 with default IKE settings (DES/SHA-1); the other uses pre-shared key = 777777 with default IKE settings (3DES/SHA-1).]
The following diagram illustrates successful IKE negotiations due to matched settings.
[Diagram: both computers use pre-shared key = 123456 with default IKE settings (3DES/SHA-1).]
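The negotiation described in this appendix (the Table 7 IKE settings, the pre-shared key check, and the ordered IPSec algorithm combinations) can be modelled to check two policies for compatibility before you deploy them. This is an added example, not Intel code: the Peer and Outcome types, the sample peers, and the choice that the responder accepts the initiator's first proposal it also defines are assumptions.

```python
from typing import NamedTuple, Optional

# Table 7 of this guide, in preferred order: (encryption, hashing, Diffie-Hellman bits).
IKE_EXPORT = [("DES", "MD5", 768), ("DES", "SHA-1", 768)]
IKE_DOMESTIC = IKE_EXPORT + [("3DES", "MD5", 1024), ("3DES", "SHA-1", 1024)]

# IPSec algorithm combinations: (ESP encryption, ESP authentication, AH authentication).
# None means that part is not used. These combinations are constructed for the example.
ESP_3DES_SHA1 = ("3DES", "SHA-1", None)
ESP_DES_MD5 = ("DES", "MD5", None)
AH_SHA1_ONLY = (None, None, "SHA-1")


class Peer(NamedTuple):
    name: str
    pre_shared_key: str
    ike_settings: list   # ordered (encryption, hashing, dh_bits) tuples
    ipsec_combos: list   # ordered algorithm combinations of a security action


class Outcome(NamedTuple):
    ok: bool
    reason: str
    ike: Optional[tuple] = None
    ipsec: Optional[tuple] = None


def first_common(proposed, defined):
    """First entry of the initiator's ordered list that the responder also defines."""
    allowed = set(defined)
    return next((p for p in proposed if p in allowed), None)


def negotiate(initiator: Peer, responder: Peer) -> Outcome:
    """Walk the steps of this appendix and report where a mismatch stops them."""
    # The IKE settings protect both IKE steps, so the peers must share one first.
    ike = first_common(initiator.ike_settings, responder.ike_settings)
    if ike is None:
        return Outcome(False, "no common IKE settings")
    # Step 1: IKE verifies the pre-shared keys, which are case-sensitive.
    if initiator.pre_shared_key != responder.pre_shared_key:
        if initiator.pre_shared_key.lower() == responder.pre_shared_key.lower():
            return Outcome(False, "pre-shared keys differ only by case", ike)
        return Outcome(False, "pre-shared key mismatch", ike)
    # Step 2: IKE negotiates the IPSec settings from the ordered preference list.
    ipsec = first_common(initiator.ipsec_combos, responder.ipsec_combos)
    if ipsec is None:
        return Outcome(False, "no common IPSec algorithm combination", ike)
    # Step 3: IPSec protects packets with the agreed combination.
    return Outcome(True, "protected communication established", ike, ipsec)


# Constructed sample peers. The keys 123456 and 777777 are the ones in the diagrams above.
PEER_A = Peer("A (domestic)", "123456", IKE_DOMESTIC, [ESP_3DES_SHA1, ESP_DES_MD5])
PEER_B = Peer("B (domestic)", "777777", IKE_DOMESTIC, [ESP_3DES_SHA1])
PEER_EXPORT = Peer("C (export)", "123456", IKE_EXPORT, [ESP_DES_MD5])
# Hypothetical third-party IPSec product configured with a single IKE combination.
PEER_OTHER = Peer("D (other product)", "123456", [("3DES", "SHA-1", 1024)], [ESP_3DES_SHA1])
PEER_AH = Peer("E (AH only)", "123456", IKE_DOMESTIC, [AH_SHA1_ONLY])

if __name__ == "__main__":
    pairs = [
        (PEER_A, PEER_B),
        (PEER_A, PEER_B._replace(pre_shared_key="123456")),
        (PEER_EXPORT, PEER_OTHER),
        (PEER_A, PEER_OTHER),
        (PEER_A, PEER_AH),
    ]
    for left, right in pairs:
        result = negotiate(left, right)
        print(f"{left.name} -> {right.name}: {result.reason} "
              f"(IKE={result.ike}, IPSec={result.ipsec})")
```

The export-version peer fails against the third-party peer because the only combination that product defines is one Table 7 lists as domestic version only, which is the case the NOTE above addresses by changing the other product's IKE settings.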
How Packet Protect Uses IPSec
IPSec is a set of standard protocols developed by the Internet Engineering Task Force (IETF). IPSec is used to protect the privacy and integrity of IP communications. It protects IP communications using algorithms that perform encryption and authentication tasks, as well as other features that enforce additional protection.
If IKE successfully negotiates a protected communication, it passes the agreed upon information to the IPSec driver used by Packet Protect. Then, the IPSec driver uses that information to determine how to protect the IP communication.
Security Associations
IP communications use a security contract or security association when they are protected using IPSec. After a security association is set up between two computers, the computers can exchange data and IPSec will protect that data using one or more of ESP encryption, ESP authentication, or AH authentication algorithms.
The diagram below shows the steps that Packet Protect performs to protect a communication. The security association is established in Step 3.
Step 1: IKE Verifies Pre-shared Key
Step 2: IKE Negotiates IPSec Settings
Step 3: IPSec Protects Packets
Security association
For more information about each IPSec setting, see “IPSec Settings” on page 57 and “Customize Security Actions” on page 33.
Security Association Lifetimes
Security associations expire if they reach the maximum threshold defined for the communication. Packet Protect is designed to automatically re-negotiate the security association when it is about to expire (usually when it reaches approximately 80% of its lifetime), if one of the following is true:
The security action is currently in use, that is, data is being transferred currently.
The security action has been used recently, that is, data was transferred using that security association.
Packet Protect re-negotiates the IPSec settings only; it doesn’t need to re-verify the identity of the computers because it is already known. This helps reduce network traffic by reducing extra key generation.
If the security association is not renewed automatically and consequently expires, a security association between the same computers will require both IKE steps: pre-shared key verification and IPSec negotiation.
How IPSec Protects Packets
IPSec applies the selected algorithms to each packet that is protected by IPSec. The algorithms provide one of the following protection features:
Encryption and privacy
Integrity
Time and size limits
Anti-replay protection
The following sections describe some technical detail about encryption and integrity protection. The other features of IPSec are described in “Customize Security Actions” on page 33.
Encryption
Use encryption to protect the confidentiality of packets. Encryption encodes packets so they are unreadable unless the receiver has the proper key to decode the packets.
If a packet is encrypted using ESP encryption (DES or 3DES algorithms), it is unreadable while in transit. Other types of encryption can protect the confidentiality of information while stored on a computer – Packet Protect is designed to protect the confidentiality of information while traveling on the network. The following diagram shows unencrypted and encrypted packets traveling on the network.
Encrypted packets: *&e# x2q%z k4!ht68
Packets “in the clear”: pear apple banana
If the packets pass through any routers or switches, the encrypted packets are relayed without requiring IPSec on those devices.
Integrity
Data integrity verifies that the packet was unchanged during transport over the network. It also verifies that other packets were not inserted into the packet flow. This helps prevent a computer from accepting packets from an intruder who is attempting to send packets on the network.
Use integrity features to protect the authenticity of packets, that is, verify that the packet was unchanged during transport over the network. Integrity features also verify that no other packets were inserted into the packet flow.
Packet Protect uses ESP and AH algorithms (MD5 or SHA-1) to protect the integrity of packets.
The following diagram shows two sets of packets traveling on the network. The first set uses integrity protection; the second set does not.
[Diagram: verified packets; unverified packets, where an intruder changes packets.]
Appendix B — Interoperability with Microsoft Windows* 2000
An overview of interoperability between Windows 2000 computers and Packet Protect computers.
Interoperability with Windows* 2000
By default, IPSec is not enabled in Windows 2000. Windows 2000 is installed with “No Security” as the IPSec default action. You can use the IP Security Policy Management tool to activate IPSec in Windows 2000.
Windows 2000 has three IPSec default behaviors—Server, Secure Server, and Client—that you can choose from when you configure the computer.
Currently, Packet Protect interoperates with Windows 2000 using a pre-shared key. However, because the Windows 2000 default authentication mechanism is Kerberos, which is not supported by Packet Protect, the authentication must be changed to use pre-shared keys. Be sure to use the same pre-shared keys on Windows 2000 computers as Packet Protect-enabled computers for proper interoperability.
Tips: If you have Windows 2000 computers and want them to communicate securely with Packet Protect-enabled computers, you must use the Default Rule that is set up with the Packet Protect System Policy. Do not erase or modify the Default Rule for best results.
For maximum interoperability, be sure to place each Windows 2000 computer in its own Destination Workgroup.
Creating Policies
To create custom IPSec policies in Windows 2000
1. On the taskbar, click Start and select Settings > Control Panel.
2. Double-click Network and Dial-up Connections.
3. Right-click Local Area Connection and select Properties.
4. Click Advanced and select the Options tab.
5. Under Optional settings, click IP security.
6. Click Properties.
7. Click Use this IP security policy, and then select the IPSec policy you want to use.
You can also use the IP Security Policies snap-in in the Microsoft Management Console (MMC). Set it to use the local computer, right-click the policy you want to use, and then click Assign.
You must be a member of the Administrators group to set IPSec policies. If a computer participates in a Windows 2000 domain, the computer may receive the IPSec policy from Active Directory, overriding the local IPSec policy. In this case, the options are disabled and you cannot change them from the local computer.
Appendix C — Network Software License Agreement
This appendix details the following:
Network Software License Agreement
Intel Automated Customer Support
Network Software License Agreement
IMPORTANT - READ BEFORE COPYING, INSTALLING OR USING. Do not use or load this software and any associated materials (collectively, the “Software”) until you have carefully read the following terms and conditions. By loading or using the Software, you agree to the terms of this Agreement. If you do not wish to so agree, do not install or use the Software.
LICENSE
and you may make one back-up copy of the Software, subject to these conditions:
1. This Software is licensed for use only in conjunction with Intel component products . Use of the
Software in conjunction with non-Intel component products is not licensed hereunder.
2. Y ou may not copy, modify, rent, sell, distribute or transfer any part of the Software except as
provided in this Agreement, and you agree to prevent unauthorized copying of the Software.
3. Y ou may not reverse engineer, decompile, or disassemble the Softw are.
4. You may not sublicense or permit simultaneous use of the Software by more than one user.
5. The Soft ware may conta in the soft ware or other prop ert y of thir d par ty su ppl ie rs, s ome of whic h may
be identified in, and licensed in accordance with, any enclosed “license.txt” file or other text or file.
OWNERSHIP OF SOFTWARE AND COPYRIGHTS
with Intel or its suppliers. The Software is copyrighted and protected by the laws of the United States and other countries, and international treaty provisions. You may not remove any copyright notices from the Software. Intel may make changes to the Software, or to items referenced t herein , at any time without notice, but is not obligated to support or update the Software. Except as otherwise expressly provided, Intel grants no express or implied right under Intel patents, copyrights, trademarks, or other intellectual property rights. You may transfer the Software only if the recipient agrees to be fully bound by these terms and if you retain no copies of the Software.
LIMITED MEDIA WARRANT Y
Intel warrants the media to be free from material physical defects for a period of ninety (90) days after delivery by Intel. If such a defect is found, return the media to Intel for replacement or alternate deliv­ery of the Software as Intel may select.
EXCLUSION OF OTHER WARRANTIES WARE IS PROVIDED "AS IS" WITHOUT ANY EXPRESS OR IMPLIED WARRANTY OF ANY KIND INCLUDING WARRANT IES OF MERCHANTABILITY, NON-INFRINGEMENT, OR FITNESS FOR A PARTICULAR PURPOSE. Intel does not warrant or assume responsibility
for the accuracy or completeness of any information, text, gr aph ics, l inks or other items conta ined within the Software.
LIMIT ATION OF LIABILITY FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, LOST PR OF ITS, BUSINESS INTERRUPTION, OR LOST INFORMATION) ARISING OUT OF THE USE OF OR INABILITY TO USE THE SOFTWARE, EVEN IF INTE L H A S BEEN A DVISED OF THE POSSI­BILITY OF SUCH DAMAGES. SOME JURISDICTIONS PROHIBIT EXCLUSION OR LIMITA­TION OF LIABILITY FOR IMPLIED WARRANTIES OR CONSEQUENTIAL OR INCIDENTAL DAMA GES, SO THE ABOVE LIMITATION MAY NO T APPLY TO YOU. YOU MA Y ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM JURISDICTION TO JURISDICTION.
TERMIN ATION OF THIS AGREEMENT violate its terms. Upon termination, you will immediately destroy the Software or return all copies of the Software to Intel.
. Y ou may copy the Software onto a single computer for your personal, non-commercial use,
. Title to all copies of the Software remains
. If the Software has been delivered by Intel on physical media,
. EXCEPT AS PROVIDED ABOVE, THE SOFT-
. IN NO EVENT SHALL INTEL O R ITS SUPPLIERS BE LIABLE
. Intel may terminate this Agreement at any time if you
Intel Automated Customer Support
You can reach Intel’s automated support services 24 hours a day, every day at no charge. The services contain the most up-to-date information about Intel products. You can access installation instructions, troubleshooting information, and general product information.
Readme Files on Your Product Disk
To review the readme topics, insert the PRO/100 S Server or Management adapter disk in a disk drive, switch to that drive, and type:
SETUP /README
and then press Enter.
Web and Internet Sites
Support: http://support.intel.com
Network Products: http://www.intel.com/network
Corporate: http://www.intel.com
FTP Host: download.intel.com
FTP Directory: /support/network/adapter/
Customer Support Technicians
US and Canada: 1-916-377-7000 (7:00 - 17:00 M-F Pacific Time)
Worldwide access: Intel has technical support centers worldwide. Many of the centers are staffed by technicians who speak the local languages. For a list of all Intel support centers, the telephone numbers, and the times they are open, go to:
http://support.intel.com/support/9089.htm
Glossary
3DES
Triple Data Encryption Standard, or Triple DES. An encryption standard used to encode data while it travels on a network. 3DES uses 168-bit keys to encrypt data.
3DES is available only in the domestic version of Packet Protect.
AH
Authentication Header. A protocol of verifying the integrity of packets, that is, the packets are known to be from the originating computer. Packet Protect uses MD5 and SHA-1 to authenticate packets.
anti-replay
Protection against receiving repeat data transmitted on the network. This helps prevent an intruder from successfully sending the same data in an attempt to confuse the system (for example, the computer could repeat the task of restarting a server).
authentication
The process of verifying the identity of a computer. Packet Protect authenticates a computer using pre-shared keys. It helps verify that a computer is who it claims to be.
cryptography
The science of protecting the privacy of data by encoding the data so it is unreadable to anyone who doesn’t have a secret key to decode it.
CPU utilization
A measurement of the average load on a computer’s processor. As processor usage increases due to security tasks, users may notice slower performance. Intel PRO/100 S Management and Server Adapters are designed to offload the security overhead from Packet Protect by using a special on-board processor, thereby reducing processor utilization.
decryption
The un-encoding of encrypted data using a secret password or key.
DES
Data Encryption Standard. An encryption standard used to protect data confidentiality by encoding the data before it travels on a network. Packet Protect supports 56-bit DES and 168-bit 3DES (3DES available in the United States and Canada only).
destination workgroup
A logical collection of computers (servers and clients) that you define in Packet Protect. Destination workgroups contain lists of computers with which a computer in the source workgroup may want to communicate using IPSec.
Destination workgroups in Packet Protect are different from workgroups in Windows operating systems.
default behavior
The setting for a workgroup specified in Packet Protect that determines how a computer communicates using IPSec.
Diffie-Hellman
A method of sharing a secret key between two computers.
DNS
Domain Name Server. The network of Domain Name Servers that resolve fully qualified domain names (FQDNs) to their corresponding IP addresses.
encryption
The process of protecting data confidentiality by encoding the data so it is unreadable to anyone who doesn’t have the secret key to decode it. You can read data if it isn’t encrypted, but you can’t read data while it’s encrypted.
ESP
Encapsulation Security Payload. A method of protecting the confidentiality and/or integrity of data. ESP can be used to protect data confidentiality by encrypting the data using DES or 3DES. ESP can also be used to verify the origination of data by authenticating the data using MD5 or SHA-1.
FQDN
Fully Qualified Domain Name. The unique name given to a computer or device. When addressing information or requests, it’s often easier to remember a fully qualified domain name rather than an IP address. Because computers communicate using IP addresses, DNS software matches the fully qualified domain name to its corresponding IP address so users can communicate using the domain name and the IP address.
ICMP
Internet Control Message Protocol. A type of IP protocol used to transmit data that typically contains error or explanatory information. For example, the ping command uses ICMP to transmit data about network connectivity.
IETF
Internet Engineering Task Force. The organization that is developing and standardizing IKE and IPSec.
IKE
Internet Key Exchange. A protocol built on standards that is used to negotiate a protected communication.
IKE is a subset profile of ISAKMP/Oakley. It is being developed by the Internet Engineering Task Force (IETF).
intruder
An unwanted visitor from inside or outside your company who may try to steal information or harm your network.
IP
Internet Protocol. A set of rules that describe how computers transmit data with a destination address.
IP address
A series of numbers that identifies a connection point or device on an IP network. Each connection point and device needs a unique IP address to communicate using IP. For example, 192.168.1.1 is a sample IP address.
IPSec
Internet Protocol (IP) Security. A set of protocols used to help secure the exchange of IP data. IPSec is being developed by the Internet Engineering Task Force (IETF).
key
A set of bytes that encrypt or decrypt data. Keys allow you to protect data from being read by an intruder on the network. Keys can be symmetric or asymmetric and asymmetric keys can be either public or private.
LAN
Local Area Network. A communications network usually located within a building or small number of buildings. For example, computers and printers at many companies are connected to a LAN.
lockdown
A description of a default behavior for a computer that uses Packet Protect. A Lockdown computer initiates and replies to all communications by requesting security; it only communicates using IPSec (requires that the other computer also uses IPSec). A common use for this setting is a server that requires very restricted access.
MD5
Message Digest Algorithm. An algorithm often used to verify the integrity of packets traveling on a network. The algorithm transforms any number of bytes into a fixed number of bytes; no other set of bytes produces the same result.
network
One or more computers that are connected together for communication purposes.
offload
The assignment of algorithm computations from software to hardware. Packet Protect offloads security tasks to Intel PRO/100 S Management and Server adapters to speed processing and increase network performance.
packet
A piece of data that travels on the network. Each packet contains the data being transmitted, along with a destination address. Packet Protect protects packets as they travel on the network using IPSec.
perfect forward secrecy
The generation of an additional key pair to be used during data transfer. This helps guarantee that no keys are re-used. Using perfect forward secrecy increases protection, but generates more CPU utilization.
policy
A collection of security settings and rules that are applied to a group of computers.
port
A connection point used by IP applications. For example, a Web server typically sends and receives information on port 80.
pre-shared key
A secret password that a computer presents to help verify its identity. Pre-shared keys are used during negotiation of a secure communication. Each computer must present the same pre-shared key in order to communicate using IPSec.
protocol
A set of guidelines that describe how networks or applications communicate. If the set of rules is followed, information can be processed correctly. This allows computers and hardware devices to communicate with one another even if they’re different from one another.
rule
A definition of the security settings to apply when a computer communicates with a destination computer using a specified protocol.
secure initiator
A description of a default behavior for a computer that uses Packet Protect. A Secure Initiator computer initiates communications by requesting security and responds to communication requests without security (“in the clear”). A common use for this setting is a server that doesn’t require the strict control of the Lockdown setting.
secure responder
A description of a default behavior for a computer that uses Packet Protect. A Secure Responder computer initiates communications without security (“in the clear”), but can respond to communication requests with security. A common use for this setting is a workstation.
security action
A collection of IPSec settings that are proposed when two computers attempt to communicate. Packet Protect uses security actions when a rule is matched for a communication.
security association
A security contract between two computers. While the security association is active (8 hours is the default), the two computers can send data without re-negotiating a communication (as long as the data being sent uses a protocol defined in the existing security association).
security association lifetime
The duration of a security association. A lifetime can be limited by time or by the amount of data transmitted.
SHA-1
Secure Hash Algorithm. An algorithm often used to verify the integrity of packets traveling on a network. The algorithm transforms any number of bytes into a fixed number of bytes.
traffic
Packets traveling on the network.
workgroup
A logical collection of computers (servers and clients) that you define in Packet Protect.
Workgroups in Packet Protect are different from workgroups in Windows operating systems.