Intel PRO/100 Series User Manual

User’s Guide
Intel PRO/100 Family Packet Protect
Enabling the IPSec Protocol on Microsoft Windows NT 4.0
Where to Go for More Information
Readme Files
For more information about installation and general information about the product, see the readme text file. To view the files, view the root folder on the Intel CD-ROM. Open readme.txt with any text editor.
Online Services
You can use the Internet to download software updates, and to view troubleshooting tips, installation notes, and more. Online services are on the World Wide Web at:
http://support.intel.com
Copyright © 2000, Intel Corporation. All rights reserved. Intel Corporation, 5200 N.E. Elam Young Parkway, Hillsboro, OR 97124-6497
Intel Corporation assumes no responsibility for errors or omissions in this document. Nor does Intel make any commitment to update the information contained herein.
* Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owners’ benefit, without intent to infringe.
Contents
Where to Go for More Information
Contents
Introduction
  What is Intel Packet Protect?
    Packet Protect Features
    Complete Your Security Solution
    Hardware Acceleration
    Domestic and Export Versions
    Additional Information
  How Packet Protect Works
    What is IP Security?
    What is Internet Key Exchange?
    The Process
  Get Started
Installing Packet Protect
  Developing Your Deployment Model
    Review Your Network Architecture and Corporate Security Guidelines
    Assign security behavior roles to computers that you want to use Packet Protect
    Develop a strategy for handling pre-shared keys
    Understand the Default Rule
    Consider exceptions to the Default Rule
    What are the Trade-offs?
    Conclusion
  Set Up Intel Adapters
    Install Intel Adapters
    Configure Intel Adapters
  Install Packet Protect
    System Requirements
    Licensing
    Install Packet Protect
  View Your Security Settings
Configuring Security Settings
  Understand Default Security Behavior
    Default Behaviors in Packet Protect
  Set up Your System Policy
    What is a Policy?
    What is a Rule?
    The Default Rule
    Importance of Rule Order
    How Does the System Policy Work?
    Add Rules to the System Policy
Making Changes
  Modify the System Policy
    Modify Destination Workgroups or Security Actions
    Delete a Rule
    Restore the System Policy
  Monitor Packet Protect Computers
    View Status at a Packet Protect Client
  Set Up Compatible Policies
  Work with Other Security Products
  Turn Security On for a Computer
    Install Security for a New Computer
    Turn Security on Manually for an Existing Computer
  Turn Security Off for a Computer
    Shut Down Packet Protect at a Computer
    Uninstall Packet Protect from a Computer
Troubleshooting and FAQs
  Troubleshooting
  Frequently Asked Questions (FAQs)
Appendix A — IKE and IPSec
  IKE and IPSec Work Together
  How Packet Protect Uses IKE
    Identity Negotiation Settings
    IPSec Settings
    Examples
  How Packet Protect Uses IPSec
    Security Associations
    Security Association Lifetimes
    How IPSec Protects Packets
Appendix B — Interoperability with Microsoft Windows* 2000
  Interoperability with Windows* 2000
Appendix C — Network Software License Agreement
  Network Software License Agreement
  Intel Automated Customer Support
    Readme Files on Your Product Disk
    Web and Internet Sites
    Customer Support Technicians
Glossary
Index
1 Introduction
With the growing amount of information that travels on your local area network (LAN), confidential information has become a target for intruders both inside and outside your company. These intruders may be employees, visitors to your company, or a hacker who breaks through your firewall.
Intel® Packet Protect helps protect Internet Protocol (IP) traffic as it travels between computers on your LAN. This protects confidential data from being retrieved by intruders.
In this chapter, you’ll find information about:
• Packet Protect overview
• How Packet Protect works
• Getting started
What is Intel Packet Protect?
Packet Protect is designed to protect the confidentiality and authenticity of IP traffic on your LAN.
Packet Protect can assist you in creating a departmental solution for your security concerns.
Many data compromises are attempted from within a company firewall. Unless you protect information as it travels on the network, it can be received by unwanted users.
For example, employees retrieving confidential designs from a Research & Development department server use Packet Protect to encrypt the information while it travels on the LAN. Encryption protects the confidentiality of the information. Each employee’s computer can also verify the integrity of the information upon receipt.
Packet Protect Features
Packet Protect enables you to:
• Protect confidentiality and authenticity of IP traffic on your LAN using Internet Protocol Security (IPSec), including Internet Key Exchange (IKE).
• Offload security tasks to an Intel PRO/100 S Management or Server Adapter to optimize network performance.
Complete Your Security Solution
If you need to protect data stored on a computer, use operating system features combined with Packet Protect. Packet Protect protects data traveling between computers, not while it’s stored on a computer. You should use your operating system features or network infrastructure elements to provide access control to certain areas of the computers on the network.
Hardware Acceleration
Implementing an IPSec solution can increase CPU utilization for computers that use the IPSec software. This is common when implementing any IPSec solution because of the intense computation required to encrypt, decrypt, and validate packets. However, there is a way to offload security tasks from the CPU.
You can combine Packet Protect with the use of an Intel PRO/100 S Management or Server Adapter to reduce CPU utilization. This frees CPU utilization for other tasks, while reducing the impact to network performance.
Domestic and Export Versions
Packet Protect is available in both domestic and export versions. The export version supports DES (56-bit) encryption only. The domestic version, available in the United States and Canada, supports DES and 3DES (168-bit) encryption.
Additional Information
This Packet Protect User’s Guide in Adobe Acrobat* format can be found in the Packet Protect directory on the product CD-ROM. Packet Protect help can be found in the Help directory on the product CD-ROM.
How Packet Protect Works
Packet Protect helps you protect network traffic that is sent from one server or client to another. Packet Protect uses these steps to protect information traveling on the network:
1. Activate IKE (Internet Key Exchange). Negotiates parameters for secure communication.
2. Activate IPSec (Internet Protocol Security). Protects the communication using the security parameters it negotiated successfully using IKE.
What is IP Security?
Internet Protocol (IP) Security (commonly called IPSec) is a set of standard protocols used to protect the confidentiality and authenticity of IP communications. IPSec accomplishes this using the following:
• Encryption. Protects confidentiality of information traveling on the network. Each packet is encrypted so that unwanted recipients can’t interpret it. Packet Protect uses DES 56-bit and 3DES 168-bit encryption algorithms (3DES in U.S. and Canada version only).
• Integrity. Protects the authenticity of the information traveling on the network by verifying that each packet was unchanged in transport. Packet Protect uses MD5 and SHA-1 authentication algorithms for both ESP and AH authentication.
• Anti-replay protection. Protects the network by preventing an intruder from successfully repeatedly sending an identical packet in an attempt to confuse the system.
For more information about IPSec, see “Appendix A — IKE and IPSec” on page 53.
What is Internet Key Exchange?
Internet Key Exchange (IKE) is a standard protocol used to negotiate a protected communication. Negotiation is the first phase in setting up a secure communication. IKE verifies the identity of the computers using pre-shared keys. Then it negotiates a set of security settings to protect the communication.
IKE is a protocol that operates inside a framework defined by ISAKMP (Internet Security Association Key Management Protocol) and is used to support the establishment of Security Associations.
For more information about IKE, see “Appendix A — IKE and IPSec” on page 53.
The Process
If two computers require security, each time they attempt to communicate with each other Packet Protect follows these steps to attempt a protected communication:
1. Each computer uses IKE to verify that the other is the computer it claims to be.
2. If identity verification is successful in Step 1, the two computers use IKE to agree upon the IPSec settings to use.
3. If the agreement is successful in Step 2, both computers will use the agreed upon IPSec settings to protect the data as it travels.
As long as the protected communication is active, the two computers can exchange information, without repeating Steps 1 and 2 (up to the pre-defined time and size limits — see Table 6 on page 34 for more information).
The following diagram shows the roles of IKE and IPSec.
Step 1: IKE Verifies Pre-shared Key
Step 2: IKE Negotiates IPSec Settings
Step 3: IPSec Protects the Communication
Get Started
To start using Packet Protect
1. Evaluate your network architecture and decide which areas require Packet Protect. For details, see “Developing Your Deployment Model” on page 8.
2. Install Packet Protect on those computers that require security. For details, see “Install Packet Protect” on page 17.
3. Set up security settings for each computer where you installed Packet Protect. For details, see Chapter 3, “Configuring Security Settings” on page 21.
2 Installing Packet Protect
To set up your network in preparation for deploying security, there are several things to consider. This chapter guides you through the setup process so you can begin deploying security most effectively.
In this chapter, you’ll find information about:
• Developing your deployment model.
• Setting up Intel network adapters.
• Installing Packet Protect.
Developing Your Deployment Model
In order to use Packet Protect successfully, you must develop a deployment model that fulfills your security needs on your network. There are several stages to consider in developing your deployment model.
• Review your network architecture and corporate security guidelines.
• Assign security behavior roles to computers that you want to use Packet Protect.
• Develop a strategy for using pre-shared keys.
• Understand the Default Rule.
• Consider exceptions to the Default Rule.
This discussion represents only an overview of some of the issues that should be considered when deploying Packet Protect in your enterprise. For more detailed information about deployment models, please refer to the “Scalable Deployment of IPSec in Corporate Intranets” white paper from the Intel Architecture Labs Internet Building Blocks Initiative. This white paper can be found at:
ftp://download.intel.com/ial/home/ibbi/ipsec_122.pdf
Review Your Network Architecture and Corporate Security Guidelines
The amount of confidential information traveling on your network grows as more employees use your corporate network. This poses a security risk if someone breaks through your firewall, or someone already behind your firewall has access to the network—those people can access confidential information. For example, an intruder can mimic an IP address and receive information that was intended for someone else at that IP address. Or, an intruder can use software to view data as it travels on your LAN.
You can deploy Packet Protect in the areas of your network that transmit sensitive information. Some areas of your network might require the additional protection provided by Packet Protect, while other areas might not. Use your corporate security guidelines to help determine which areas of your network require Packet Protect.
Perhaps you have a server that stores highly confidential information, such as corporate financial figures or e-commerce transactions. You can use your operating system’s tools to help protect data stored on the server’s hard disk, but what about when other computers access that information? Use Packet Protect to protect your highly confidential information as it travels to and from the server.
Assign security behavior roles to computers that you want to use Packet Protect
Packet Protect uses default security behavior to determine how a computer will communicate with other computers on the network. There are three default behaviors: Secure Responder, Secure Initiator and Lockdown.
Secure Responder
A computer with the default behavior of Secure Responder always initiates and accepts traffic that is not secured. However, it will accept a secure communication if it is initiated by another computer. Of course, the negotiation will succeed only if one of the proposals in the list offered by the initiator can be matched by the responder.
Secure Responder is a likely behavior for the majority of workstations in a network. Communications will always be allowed in the clear between computers that are Secure Responders or Secure Initiators, but these computers will communicate securely with a computer (usually a server) that has Lockdown default behavior.
Secure Initiator
A computer with the default behavior of Secure Initiator will always attempt to initiate secure communications on all outbound traffic. Even if an inbound communication flow is initiated in the clear, the response data flow will cause the computer to initiate a secure session. However, if a secure session cannot be initiated, the computers will fall back to communicating in the clear.
Secure Initiator behavior is appropriate for both workstations and servers. Computers that need peer-to-peer secure communications can use Secure Initiator behavior. Many servers can use this behavior as well, as long as the fallback behavior is acceptable for your network.
Secure Initiator is similar to Secure Responder, except that all outbound traffic will result in an attempt to negotiate parameters for security.
Lockdown
A computer with Lockdown behavior will always initiate and respond securely to all data flows. If the negotiation fails on either computer, then traffic will be denied.
Lockdown behavior is used for servers with high content value, as it requires security for all data transmissions.
Communicating with non-Packet Protect computers
It is common to not use Packet Protect on all the computers in your network. While the security that Packet Protect can provide is beneficial, there are several reasons to limit the computers on your network that use Packet Protect, such as:
• Only a limited number of computers on your network require secure communications.
• In order to minimize CPU utilization, you want to limit use of Packet Protect to computers that already have PRO/100 S Management or Server adapters.
Computers that use the default behavior of Secure Responder or Secure Initiator will always be able to communicate in the clear with computers in your network that do not use Packet Protect.
Computers that use the default behavior of Lockdown will not be able to communicate with computers in your network that do not use Packet Protect.
Develop a strategy for handling pre-shared keys
When two computers attempt secure communication, they negotiate parameters for the communication. In addition to using their default behavior, described in the previous section, they also exchange a string of characters known as a pre-shared key.
When the computers begin to negotiate parameters, they compare their pre-shared keys. If both computers have the same pre-shared key, then the computers will go ahead and negotiate parameters for the session. If the computers have a different pre-shared key, then the negotiation for secure communication will cease.
Once the pre-shared keys have been compared and matched between the two computers, the IKE protocol generates secure, secret session keys. No one can find out what these session keys are, even if they know what the pre-shared key is. Although pre-shared keys are sometimes called passwords, they do not act like passwords. Even when you know what the pre-shared key is, you cannot use that key to intercept or decrypt the information that is being transmitted.
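The following added example (not part of the Intel guide or of Packet Protect) models the default behaviors and the pre-shared key check described above, and lists the computer pairs that intend security but end up in the clear or denied. Host names, key labels, proposal lists and the outcome names are constructed for illustration, and proposals are compared as simple sets.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import combinations


class Behavior(Enum):
    NONE = "no Packet Protect"
    RESPONDER = "Secure Responder"
    INITIATOR = "Secure Initiator"
    LOCKDOWN = "Lockdown"


@dataclass(frozen=True)
class Host:
    name: str
    behavior: Behavior
    psk_id: str = ""                    # label of the configured pre-shared key, never the key itself
    proposals: frozenset = frozenset()  # (encryption, integrity) pairs this host offers or accepts


def negotiation_ok(a, b):
    """IKE succeeds only if the pre-shared keys match and one proposal is common.
    Simplification: proposals are compared as sets, ignoring which side initiates."""
    return a.psk_id == b.psk_id and bool(a.proposals & b.proposals)


def outcome(a, b):
    """Return SECURE, CLEAR, CLEAR_FALLBACK or DENIED for traffic between a and b."""
    pair = {a.behavior, b.behavior}
    if Behavior.NONE in pair:
        # Lockdown cannot talk to unprotected peers; the other behaviors use the clear.
        return "DENIED" if Behavior.LOCKDOWN in pair else "CLEAR"
    if pair == {Behavior.RESPONDER}:
        return "CLEAR"  # two Secure Responders: neither side initiates security
    if negotiation_ok(a, b):
        return "SECURE"
    # Negotiation failed: Lockdown denies traffic, Secure Initiator falls back to clear.
    return "DENIED" if Behavior.LOCKDOWN in pair else "CLEAR_FALLBACK"


def audit(hosts):
    """List pairs where at least one side intends security but does not get it."""
    wants_security = {Behavior.INITIATOR, Behavior.LOCKDOWN}
    findings = []
    for a, b in combinations(hosts, 2):
        result = outcome(a, b)
        if {a.behavior, b.behavior} & wants_security and result != "SECURE":
            findings.append((a.name, b.name, result))
    return findings


# Constructed inventory: an export-version workstation offers DES only,
# and peer-b still carries an outdated group key.
TRIPLE_DES = ("3DES", "SHA-1")
SINGLE_DES = ("DES", "MD5")
INVENTORY = [
    Host("rd-server", Behavior.LOCKDOWN, "group", frozenset({TRIPLE_DES})),
    Host("ws-domestic", Behavior.RESPONDER, "group", frozenset({TRIPLE_DES, SINGLE_DES})),
    Host("ws-export", Behavior.RESPONDER, "group", frozenset({SINGLE_DES})),
    Host("peer-a", Behavior.INITIATOR, "group", frozenset({TRIPLE_DES, SINGLE_DES})),
    Host("peer-b", Behavior.INITIATOR, "old-group", frozenset({SINGLE_DES})),
    Host("printer", Behavior.NONE),
]

if __name__ == "__main__":
    for first, second, result in audit(INVENTORY):
        print(f"{first:12} <-> {second:12} {result}")
```

The CLEAR_FALLBACK rows are the ones to review first: the users see a working connection, but the traffic is unprotected.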
Sharing keys
It’s important when you are developing your deployment model that you decide how to handle the distribution of the pre-shared key. Some networks use a widely-published key, known as a “group key” or the “pre-shared key on the wall.” In this strategy, you make the pre-shared key available to everyone. This way, all computers will be configured to use the same key. This ensures that when secure communications are requested, IKE will be able to negotiate secure communications because the keys match between the two computers.
In addition to the “group key,” some enterprises may want to use additional, more private pre-shared keys in certain instances. For example, the president and the chief financial officer of a corporation may wish to send secured transmissions to each other. In this instance, each of these computers would use the group key as part of their standard System Policy, but would create a special rule to cover communications just between them. (See “Consider exceptions to the Default Rule” for more information on implementing this scenario.) In this case, they would likely choose a more secret pre-shared key that just the two computers use with each other.
Understand the Default Rule
Every computer that uses Packet Protect has a single System Policy. Each System Policy initially contains a single Default Rule. The Default Rule is quite simple:
For Everybody, use the Default Security Action. If the rule fails, Allow Communication without Security.
Note: For computers that use the Lockdown behavior with the Default Rule, if the rule fails then Deny Communication is the fallback action.
See “The Default Rule” on page 26 for more information.
See “What is a Rule?” on page 25 for more information about rules in Packet Protect.
Note: If you want to have secure communication between a Packet Protect computer and a Windows 2000* computer, you must use the Default Rule. Intel recommends that you do not delete the Default Rule.
Consider exceptions to the Default Rule
Many enterprises may find that by careful consideration of the default behavior roles, a widely published pre-shared key, and the Default Rule, they can meet their security requirements without extra effort. This model is quite workable and provides adequate security. It is also simple to deploy and maintain.
Some enterprises may wish to create additional rules that govern communications between two specific computers.
Earlier, we introduced a scenario where the president and chief financial officer of a company wished to implement extra security for their communications. For this scenario, a new rule is needed. Let’s compare a possible rule for this scenario to the System Policy’s Default Rule:
Table 1: Rule Comparison

Property: Destination Workgroup
  New Rule: President and CFO only
  Default Rule: Everybody

Property: Security Action
  New Rule: New Security Action: Up to 15 minutes or 50 MB, whichever occurs first. Then, a new security association is negotiated.
  Default Rule: Default Security Action: Up to 8 hours, then a new security association is negotiated.

Property: Rule Failure
  New Rule: Deny Communication.
  Default Rule: Allow communication in the clear.

Property: Authentication
  New Rule: Use a new pre-shared key, known only to these two computers.
  Default Rule: Use the System Policy’s settings
In addition to these rules, both the president and the Chief Financial Officer would have the Secure Initiator default behavior. The rule might also use more secure options, such as perfect forward secrecy, which provides a very secure negotiation of session keys. There are many other security options that can be chosen when you create a security action for this rule. See “Customize Security Actions” on page 33 for more information on options for security actions.
By comparing the new rule and the default rule, you can see how the new rule provides an extra measure of security. The new security action is much more limited. Longer time and/or size limits on a security action can give an intruder an opportunity to intercept and possibly corrupt packets. By denying communication in case of rule failure, you ensure that communication between these two computers will never occur in the clear.
What are the Trade-offs?
A very important part of developing your deployment model is to consider not only the initial deployment, but maintaining the System Policies on all the computers that use Packet Protect in your network.
Clearly, the simplest model we discussed will be the easiest to deploy and maintain. When all computers use the same defaults—Default Rule, security action, fallback to clear communication, same pre-shared key—then you’ll be able to gain adequate security with minimum impact to your network.
If you decide on a more complex deployment model, you should weigh the benefits of the extra security against the costs of maintaining and running the model. There are two areas that you should evaluate—maintenance and CPU utilization.
Maintenance
If you are considering a deployment model with many customizations and specialized rules, be aware of the time and effort required for ongoing maintenance. Because each computer with Packet Protect must be configured individually, customizations require more effort to keep each computer up-to-date.
Let’s consider the previous example of the special rule for the president and Chief Financial Officer of the corporation. In order for this rule to work as designed, all aspects of the rule must match, or communication will be denied. If the president’s computer uses a different setting in the security action from the CFO’s computer, then a security association cannot be negotiated and therefore all communication is denied. Consider then that it might take several days for the president and CFO to even discover that their communications haven’t been taking place, as assumed.
Even a new computer for the president could prevent secure communication from happening. For example, when you set up this special rule, you identified the two computers to Packet Protect by the names of the computers. The president’s new computer has a new name. When the president and the CFO attempt to communicate the next time, the rule will fail, because of the computer name.
You can imagine how difficult it can become to maintain specialized rules, destination workgroups, and security actions in your network. Intel recommends that you begin by using the simple, default model for secure communications. Over time, you may consider customizations to enhance secure communications in special cases.
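One way to catch the two maintenance failures described above before the users do is to keep a record of each special rule per computer and compare the two sides. The following is an added example, not Intel code; the record layout, field names and computer names are hypothetical and the sample data is constructed.

```python
def diff_settings(a, b, prefix=""):
    """Return dotted names of settings that differ between two nested dicts."""
    diffs = []
    for key in sorted(set(a) | set(b)):
        left, right = a.get(key), b.get(key)
        if isinstance(left, dict) and isinstance(right, dict):
            diffs += diff_settings(left, right, f"{prefix}{key}.")
        elif left != right:
            diffs.append(f"{prefix}{key}")
    return diffs


def check_rule_pair(name_a, rule_a, name_b, rule_b, current_names):
    """Compare both sides of a two-computer rule and report what would make it fail."""
    findings = []
    # Every aspect of the rule must match on both computers.
    for setting in diff_settings(rule_a["settings"], rule_b["settings"]):
        findings.append(f"setting differs: {setting}")
    # Each side must identify the other by its current computer name.
    for owner, rule, peer in ((name_a, rule_a, name_b), (name_b, rule_b, name_a)):
        group = rule["destination_workgroup"]
        if peer not in group:
            findings.append(f"{owner}: destination workgroup does not list {peer}")
        for member in group:
            if member not in current_names:
                findings.append(f"{owner}: destination workgroup names unknown computer {member}")
    return findings


# Constructed records for the president/CFO rule from Table 1.
# psk_id is a label for the pre-shared key; the key itself is not recorded here.
SECURITY_ACTION = {"lifetime_minutes": 15, "lifetime_mb": 50, "perfect_forward_secrecy": True}
PRESIDENT_RULE = {
    "destination_workgroup": ["CFO-PC"],
    "settings": {
        "security_action": dict(SECURITY_ACTION),
        "psk_id": "exec-pair-key",
        "rule_failure": "deny",
    },
}
CFO_RULE = {
    "destination_workgroup": ["PRES-PC"],  # still the president's old computer name
    "settings": {
        "security_action": {**SECURITY_ACTION, "lifetime_mb": 500},  # mistyped size limit
        "psk_id": "exec-pair-key",
        "rule_failure": "deny",
    },
}
CURRENT_NAMES = {"PRES-PC2", "CFO-PC"}  # the president's replacement computer is PRES-PC2

if __name__ == "__main__":
    for finding in check_rule_pair("PRES-PC2", PRESIDENT_RULE, "CFO-PC", CFO_RULE, CURRENT_NAMES):
        print(finding)
```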
CPU Utilization
Another very important factor to consider is the effect of IPSec on your network, as well as on the individual computers using Packet Protect. Generally, you can assume that when you choose the most sophisticated security options, there will be an impact on your network.
One example is choosing to use ESP (Encapsulation Security Payload) and AH (Authentication Header) authentication together. While this combination affords extra protection, you must consider that when you use both of these methods, you cannot offload any processing to the adapter, and thus CPU utilization increases. However, if you use just ESP authentication with the appropriate adapter, you can take advantage of the hardware offload and get better CPU utilization.
You must also consider the adapters that are installed in your Packet Protect computers. Only the Intel PRO/100 S Server Adapter and Intel PRO/100 S Management Adapter can perform hardware offloading. If you have other Intel PRO/100 Adapters in Packet Protect computers, you won’t be able to offload any processing, thus increasing CPU utilization and potentially slowing that computer’s network performance.
Other security options are considered “costly” as well. Perfect Forward Secrecy is very secure, but if used widely throughout the network, there can be a significant effect on servers that have a lot of secure traffic.
Conclusion
Hopefully, this section provided some guidelines for you to consider as you develop your deployment model. There are no hard-and-fast rules that you must follow. However, Intel recommends that you begin your use of IPSec and Packet Protect slowly in your enterprise. You should consider starting with a small group that uses the same pre-shared key and default System Policy. When you’ve had a chance to evaluate this first implementation phase, you can then decide how to expand your use of Packet Protect.
Set Up Intel Adapters
Before you install Packet Protect, install the necessary Intel adapters on your servers and clients that will use Packet Protect. Packet Protect only operates with Intel adapters that are configured to use Intel drivers.
Install Intel Adapters
Packet Protect works with Intel adapters that are designed to offload CPU-intensive tasks to the adapter. This helps reduce the impact to network performance and CPU utilization. Intel adapters that support the offload capabilities include the following:
• Intel PRO/100 S Server Adapter
• Intel PRO/100 S Management Adapter
Note: Although Intel adapters can be installed on various operating systems, Packet Protect supports only Windows NT* 4.0 with Service Pack 5.
Note: Packet Protect also works with the following Intel adapters, but security tasks will not offload to these adapters, and network performance will be affected.
• PRO/10+ PCI LAN adapter
• PRO/100B LAN adapter
• PRO/100B T4 LAN adapter
• PRO/100+ LAN adapter
• PRO/100+ Management adapter
• PRO/100+ Server adapter
• PRO/100+ Dual Port Server adapter
• PRO/100 CardBus II
• PRO/100 RealPort™ CardBus II
• PRO/100 LAN+Modem56 CardBus II
• PRO/100 LAN+Modem56 RealPort™ CardBus II
Install Intel adapters for the servers and clients that use Packet Protect.
To install Intel adapters
1. Refer to the Installation Guide that came with the adapters for information about installation.
2. After installation, verify network access for each computer that will use Packet Protect by checking the Link and Activity LEDs on the adapter. You can also double-click Network Neighborhood on a computer’s desktop to verify that other areas of the network are visible.
Configure Intel Adapters
After you install adapters in the computers that will use Packet Protect, configure them, as necessary, before you install Packet Protect. For example, you might install multiple adapters on a server. Then you might team those adapters together to take advantage of adapter fault tolerance or adaptive load balancing.
Multiple Adapters
If you install multiple adapters in one computer, note the following:
• Install multiple adapters before installing Packet Protect.
• Each computer has only one security policy. This means that the same security settings will apply to all of the adapters in one computer.
• If you use at least one Intel PRO/100 S Server or Management adapter in a computer, Packet Protect will be able to offload encryption and authentication tasks to that adapter.
• If you need to add or remove an adapter from a team after you install Packet Protect, you must uninstall Packet Protect from that computer, add or remove the necessary adapters, and then reinstall Packet Protect.
• When you uninstall Packet Protect, you lose all of your customized information, including rules and security actions. When you reinstall Packet Protect, you will only have the single Default Rule in your System Policy.
Adapter Teaming
Adapter Teaming and Packet Protect work together only for computers with the Windows NT operating system installed. If you set up Adapter Teaming for multiple adapters, keep the following in mind:
• Configure Adapter Teaming before installing Packet Protect.
• Refer to the previous page to make sure all adapters in the team are either offload-enabled Intel adapters, or appear in the list of compatible Intel adapters.
• If you need to add or remove an adapter from a team after you install Packet Protect, you must uninstall Packet Protect from that computer, add or remove the necessary adapters, and then reinstall Packet Protect.
• Consider using high-speed adapters to limit upgrading.
Install Packet Protect
Before you install Packet Protect on your computer, make sure the computer meets the following system requirements. Packet Protect computers can be servers or workstations.
System Requirements
Before installing Packet Protect, make sure your computers meet these requirements:
Windows NT 4.0 with Service Pack 5 or 6a (or higher)
40 MB available disk space
32 MB RAM minimum, 64 MB RAM recommended
200 MHz Pentium® processor performance level or higher recommended
Intel adapter (PRO/100 family)
Note: See “Install Intel Adapters” on page 15 for information on choosing an Intel adapter.
Installing Packet Protect
Licensing
All installations are subject to the end user’s acceptance of the applicable Intel Software License Agreement.
Install Packet Protect
You will need the information detailed in the following table during Packet Protect installation at each computer. To complete the installation most efficiently, gather the following information before you begin.
Table 2: Required Information

Information You Need: Default behavior
Description: Decide how you want the computer to communicate with other computers on the network:
• Secure Responder
• Secure Initiator
• Lockdown
For more information about these settings, see “Default Behaviors for Packet Protect Computers” on page 22.

Information You Need: Pre-shared key
Description: Enter a pre-shared key the computer will use to communicate securely with other IPSec computers. A pre-shared key is similar to a secret password.
To install Packet Protect
1. Verify that the computer you have chosen meets the minimum requirements detailed under “System Requirements” on page 17.
2. Insert the product CD-ROM into the CD-ROM drive at the computer where you want to install Packet Protect.
3. Browse to the CD-ROM using Windows Explorer.
4. Double-click d:\packet protect\setup.exe, where d:\ is the drive letter of your CD-ROM drive.
5. Follow the dialog box instructions on the screen.
Keep a confidential record of the information you enter. If you need to reinstall Packet Protect later, you will need to re-enter this information.
Notes:
If the static IP address or the DNS name of the computer changes, you must restore the System Policy. You will lose all your customizations when you restore the System Policy. Also, if there are other computers in the network that have rules that apply to the computers whose IP address or DNS name changes, the rules of those computers need to be changed. For information on restoring the System Policy, see “Restore the System Policy” on page 42.
You can also install from a mapped drive where you have stored the Packet Protect installation files.
If you already have adapter teaming installed on the system, there’s no need to re-enter the TCP/IP settings during Packet Protect installation (you are not prompted for this information).
To verify that Packet Protect is installed and running on a computer:
1. At the taskbar on the computer, select Settings > Control Panel.
2. Double-click Services and verify that Intel Policy Agent is started.
If Intel Policy Agent doesn’t appear in the list, Packet Protect has been shut down or is not functioning properly. See “Turn Security on Manually for an Existing Computer” on page 47 for details about restarting Packet Protect.
See the chapter “Troubleshooting and FAQs” on page 49 for general troubleshooting guidelines and a list of common Packet Protect installation problems and their solutions.
View Your Security Settings
During installation, you set up basic security settings for the computer: the authentication method and the default behavior for the client. To view your security settings, double-click Intel(R) Packet Protect at the Control Panel. The authentication setting and default behavior you chose during installation appear in the Security tab.
See the next chapter for information on editing basic settings and configuring advanced security settings.