Intel PRO/100 User Manual

Intel PRO/100 Family® Packet Protect
Enabling the IPSec Protocol on Microsoft Windows® NT 4.0
User's Guide

Summary of Contents for Intel PRO/100

  • Page 1: Intel PRO/100 Family® Packet Protect: Enabling the IPSec Protocol on Microsoft Windows® NT 4.0, User's Guide
  • Page 2: Where To Go For More Information

    Copyright © 2000, Intel Corporation. All rights reserved. Intel Corporation, 5200 N.E. Elam Young Parkway, Hillsboro, OR 97124-6497 Intel Corporation assumes no responsibility for errors or omissions in this document. Nor does Intel make any commitment to update the information contained herein.
  • Page 3: Table Of Contents

    Introduction ... 1; What is Intel Packet Protect? ... 2 ...
  • Page 4 Intel® Packet Protect User's Guide: Configuring Security Settings ... 21; Understand Default Security Behavior ... 22; Default Behaviors in Packet Protect ... 22; Set up Your System Policy ...
  • Page 5: Contents

    Network Software License Agreement ... 66; Intel Automated Customer Support ... 67 ...
  • Page 7: Introduction

    These intruders may be employees, visitors to your company, or a hacker who breaks through your firewall. Intel® Packet Protect helps protect Internet Protocol (IP) traffic as it travels between computers on your LAN. This protects confidential data from being retrieved by intruders.
  • Page 8: What Is Intel Packet Protect

    However, there is a way to offload security tasks from the CPU. You can combine Packet Protect with the use of an Intel PRO/100 S Management or Server Adapter to reduce CPU utilization. This frees the CPU for other tasks, while reducing the impact on network performance.
  • Page 9: Additional Information

    Introduction Additional Information This Packet Protect User’s Guide in Adobe Acrobat* format can be found in the Packet Protect directory on the product CD-ROM. Packet Protect help can be found in the Help directory on the product CD-ROM.
  • Page 10: How Packet Protect Works

    How Packet Protect Works. Packet Protect helps you protect network traffic that is sent from one server or client to another. Packet Protect uses these steps to protect information traveling on the network: 1. Activate IKE (Internet Key Exchange), which negotiates parameters for secure communication.
  • Page 11: The Process

    The Process. If two computers require security, each time they attempt to communicate with each other Packet Protect follows these steps to attempt a protected communication: 1. Each computer uses IKE to verify that the other is the computer it claims to be. 2. If identity verification is successful in Step 1, the two computers use IKE to agree upon the IPSec settings to use.
  • Page 12: Get Started

    Get Started. To start using Packet Protect: 1. Evaluate your network architecture and decide which areas require Packet Protect. For details, see “Developing Your Deployment Model” on page 8. 2. Install Packet Protect on those computers that require security. For details, see “Install Packet Protect” ...
  • Page 13: Installing Packet Protect

    This chapter guides you through the setup process so you can begin deploying security most effectively. In this chapter, you’ll find information about: • Developing your deployment model. • Setting up Intel network adapters. • Installing Packet Protect.
  • Page 14: Developing Your Deployment Model

    Packet Protect in your enterprise. For more detailed information about deployment models, please refer to the “Scalable Deployment of IPSec in Corporate Intranets” white paper from the Intel Architecture Labs Internet Building Blocks Initiative. This white paper can be found at: ftp://download.intel.com/ial/home/ibbi/ipsec_122.pdf ...
  • Page 15: Assign Security Behavior Roles To Computers That You Want To Use Packet Protect

    ... to protect your highly confidential information as it travels to and from the server. Assign security behavior roles to computers that you want to use Packet Protect. Packet Protect uses default security behavior to determine how a computer will communicate with other computers on the network. There are three default behaviors: Secure Responder, Secure Initiator and Lockdown.
  • Page 16: Develop A Strategy For Handling Pre-Shared Keys

    ... tiator behavior. Also, many servers can use this behavior as well, as long as the fallback behavior is acceptable for your network. Secure Initiator is similar to Secure Responder, except that all outbound traffic will result in an attempt to negotiate parameters for security.
  • Page 17: Understand The Default Rule

    If you want to have secure communication between a Packet Protect computer and a Windows 2000* computer, you must use the Default Rule. Intel recommends that you do not delete the Default Rule. See “What is a Rule?” on page 25 for more information about rules in Packet Protect.
  • Page 18: What Are The Trade-Offs

    Some enterprises may wish to create additional rules that govern communications between two specific computers. Earlier, we introduced a scenario where the president and chief financial officer of a company wished to implement extra security for their communications. For this scenario, a new rule is needed.
  • Page 19 ... CPU utilization. You must also consider the adapters that are installed in your Packet Protect computers. Only the Intel PRO/100 S Server Adapter and Intel PRO/100 S Man- ...
  • Page 20: Conclusion

    Hopefully, this section provided some guidelines for you to consider as you develop your deployment model. There are no hard-and-fast rules that you must follow. However, Intel recommends that you begin your use of IPSec and Packet Protect slowly in your enterprise. You should consider starting with a small group that uses the same pre-shared key and default System Policy.
  • Page 21: Set Up Intel Adapters

    Set Up Intel Adapters. Before you install Packet Protect, install the necessary Intel adapters on your servers and clients that will use Packet Protect. Packet Protect only operates with Intel adapters that are configured to use Intel drivers. Install Intel Adapters. Packet Protect works with Intel adapters that are designed to offload CPU-intensive tasks to the adapter.
  • Page 22 • If you use at least one Intel PRO/100 S Server or Management adapter in a computer, Packet Protect will be able to offload encryption and authentication tasks to that adapter.
  • Page 23: Install Packet Protect

    See “Install Intel Adapters” on page 15 for information on choosing an Intel adapter. Licensing. All installations are subject to the end user's acceptance of the applicable Intel Software License Agreement. Install Packet Protect. You will need the information detailed in the following table during Packet Protect installation at each computer.
  • Page 24 At the taskbar on the computer, select Settings > Control Panel. Double-click Services and verify that Intel Policy Agent is started. If Intel Policy Agent doesn’t appear in the list, Packet Protect has been shut down or is not functioning properly. See “Turn Security on Manually for an Existing Computer”...
  • Page 25: View Your Security Settings

    During installation, you set up basic security settings for the computer: the authentication method and the default behavior for the client. To view your security settings, double-click Intel(R) Packet Protect at the Control Panel. The authentication setting and default behavior you chose during installation appear in the Security tab.
  • Page 27: Configuring Security Settings

    Configuring Security Settings. If you have installed Packet Protect, you have already set up basic security settings for the computer. You may view or edit these settings using Packet Protect. Optionally, you may also use the Advanced settings in Packet Protect, if you are familiar with encryption and authentication settings, to configure the security policy that comes with Packet Protect.
  • Page 28: Understand Default Security Behavior

    Understand Default Security Behavior. During installation, you selected a default behavior for your computer to use for all communications. You also entered a pre-shared key that matches the pre-shared key on other computers in the network so the computer can communicate securely with other computers possessing the same pre-shared key.
  • Page 29 Table 3: Default Behaviors for Packet Protect Computers. Default Behavior: Secure Initiator (Example: servers). Computers with this behavior request security for all communications, but don't require it. For example, a Secure Initiator server always initiates communications by requesting security. If the negotiation for a secure communication is unsuccessful, the Secure Initiator server communicates without security (in the clear).
  • Page 30 To change the default behavior for a Packet Protect computer: Click Start > Settings > Control Panel. Click Intel Packet Protect. The Packet Protect Security tab appears. To change the behavior for your computer, use the Behavior drop-down list to choose one of these behaviors: Secure Responder, Secure Initiator, or None.
  • Page 31: Set Up Your System Policy

    Set up Your System Policy. You set up basic security settings when you install Packet Protect. If you are familiar with encryption and authentication settings you can use the advanced settings in Packet Protect to configure specific security settings to apply to different types of communication.
  • Page 32: The Default Rule

    Every rule contains the information described in the following table. Rule settings: Destination workgroup; Security action; Rule failure; Authentication. Note: All rules specify All IP for the Traffic Group. If a rule is applied, the security settings apply to all IP traffic between the two computers communicating.
  • Page 33: Importance Of Rule Order

    ... • If rule fails • Rule authentication. Importance of Rule Order. The System Policy typically contains one or more rules. Place the rules in the order you want them applied. If you have one general rule and also an exception to that rule, place the exception before the general rule; ...
  • Page 34: How Does The System Policy Work

    The rule ordering above requires the Finance Managers workgroup to have a rule listing your computer and the 3DES+SHA1+None security action in order to negotiate secure communication. If the Finance Managers workgroup does not have a matching rule, communication will be denied.
  • Page 35 See “Importance of Rule Order” on page 27 for more information. Step 1: View the System Policy. At the Control Panel, click Intel Packet Protect. On the Security tab, click Advanced. The Policy Editor dialog box appears: ...
  • Page 36 Step 2: Define a new rule for the policy. Click New Rule. The New Rule dialog box appears. In the Rule Name text box, type a name for the rule. In the Destination workgroup text box, select the group of computers for which you want this rule to apply.
  • Page 37 Step 3: Order the Rules. On the Policy Editor dialog box, click a rule. Click Move Up or Move Down to move the rule up or down one line. You can also select a rule and drag it up or down. The rules are applied in the order in which they are listed.
  • Page 38 Click Edit Rule. The Edit Rule dialog box appears. Click Customize Destination. The Customize Destination Workgroups dialog box appears. Click New. In the Destination workgroup box, type a new name for the destination workgroup.
  • Page 39 Destination workgroups can be used in multiple rules. If you modify a destination workgroup, other rules may be affected. Before you modify a destination workgroup, check the following: • If you have used the destination workgroup in any other rules, do not follow the steps below.
  • Page 40 ... connection cannot be negotiated, then the communication request is denied. This security action is appropriate for servers. Remember that two computers attempting to communicate must agree on certain settings in order to communicate using IPSec.
  • Page 41 Table 6: Available Settings for Security Actions. Security Setting: Perfect forward secrecy. The system proposes a second set of keys for the security association (instead of using the first set of keys used to verify identification). Packet Protect is designed to agree on any of the settings (including none), but it proposes the setting you select.
  • Page 42 About algorithm notation. Each security action can specify algorithms to use for encryption and authentication. There are three categories (Encryption, ESP [Encapsulating Security Payload] Authentication, and AH [Authentication Header] Authentication). At least one of these categories must be used in a security action, or you can use two or even all three.
  • Page 43 12. To continue adding security actions, click New again and repeat Steps 5-11. 13. When you finish, click OK. The selected security action appears automatically in the New Rule dialog box. To modify a security action: Security actions can be used in multiple rules. If you modify a security action, other rules may be affected.
  • Page 45: Making Changes

    Making Changes. Be careful when you make changes to your policy. The settings you modify may be used for more than one rule in your policy. This means changes you make may affect other rules in your policy, and may even require changes to policies for other Packet Protect computers.
  • Page 46: Modify The System Policy

    Modify the System Policy. Modifying a computer's System Policy may impact policies that belong to other clients with which your computer communicates using Packet Protect. In order to apply your rule to a security association, the computer with which you are attempting communication must have a rule with matching settings.
  • Page 47: Modify Destination Workgroups Or Security Actions

    Modify Destination Workgroups or Security Actions. Destination workgroups and security actions can be used in multiple rules. If you modify these items, other rules may be affected. Follow these steps to ensure that you address other affected rules. Determine which other computers on the LAN have a matching rule for the rule you will edit.
  • Page 48: Restore The System Policy

    To restore the System Policy: Display the Intel Packet Protect Security tab. Click Recreate Now. All your customizations are removed and you now have the default System Policy on your computer.
  • Page 49 Maintaining Packet Protect. You need to perform certain tasks to ensure that Packet Protect is running smoothly on your network. In this chapter, you'll find information about: • Monitoring Packet Protect computers. • Setting up compatible policies. • Installing a new adapter for a Packet Protect computer. • ...
  • Page 50: Monitor Packet Protect Computers

    At the taskbar on the computer, select Settings > Control Panel. Double-click Services and verify that Intel Policy Agent is started. If Intel Policy Agent doesn’t appear in the list, Packet Protect has been shut down or is not functioning properly. See “Turn Security on Manually for an...
  • Page 51: Set Up Compatible Policies

    Set Up Compatible Policies. Two Packet Protect-enabled computers must agree on certain settings in order to communicate in a protected way. These settings must be agreed upon by both computers. It becomes increasingly difficult to set up an IPSec security system if there is a different network administrator who manages computers with which you need to communicate using Packet Protect.
  • Page 52: Work With Other Security Products

    Work with Other Security Products. On your network, there may be installations of an IPSec product other than Packet Protect. If this is the case, make sure that the security settings used by your computers match the security settings used by the other IPSec computers.
  • Page 53: Turn Security On For A Computer

    ... Computer” on page 48 for details about the ways you can turn off Packet Protect at a client. To manually turn Packet Protect on: At the taskbar on the computer, select Settings > Control Panel. Double-click Services. Select Intel Policy Agent and click Start.
  • Page 54: Turn Security Off For A Computer

    To shut down Packet Protect for the current computer session: At the taskbar on the computer, select Settings > Control Panel. Double-click Services. Select Intel Policy Agent and click Stop. Note: If you want to turn security on later, manually restart Packet Protect.
  • Page 55: Troubleshooting And FAQs

    Troubleshooting and FAQs. This chapter details tips for troubleshooting Packet Protect. This chapter also provides a list of frequently asked questions about the product.
  • Page 56: Troubleshooting

    At the client, verify that Packet Protect is running. Click the Start button on the taskbar, select Settings > Control Panel. Double-click Services and verify that Intel Policy Agent is started. Communication fails when passing through a firewall: Depending on the type of firewall, IPSec may affect the deployment in different ways: • ...
  • Page 57 I changed the IP address or DNS name of a computer, and now it can't communicate on the network: If you have custom rules, there may be other computers in the network that have an old IP address or DNS name of a computer in their rules. These rules must be modified to reflect the IP address/DNS name change.
  • Page 58: Frequently Asked Questions (FAQs)

    Packet Protect is designed to offload processor-intensive tasks (ESP and AH algorithm calculations) to these Intel adapters that are installed in a computer. This frees up the computer's processor for other tasks, reducing the impact on network performance.
  • Page 59: Appendix A — IKE and IPSec

    Appendix A — IKE and IPSec. A protected communication using Packet Protect involves Internet Key Exchange (IKE) and Internet Protocol Security (IPSec). This appendix describes details about IKE and IPSec, and how the technologies work together to protect information as it travels on your network. In this appendix, you'll find the following information: • ...
  • Page 60: IKE and IPSec Work Together

    IKE and IPSec Work Together. Packet Protect uses IKE and IPSec to protect packets traveling on the network: • IKE — Negotiates the security settings to be used by IPSec for protection of the communication.
  • Page 61: How Packet Protect Uses IKE

    How Packet Protect Uses IKE. IKE is a set of standard protocols developed by the Internet Engineering Task Force (IETF). IKE is used to authenticate and negotiate a protected communication. Using IKE is a two-step process: 1. IKE verifies the pre-shared keys of the two computers that are attempting to communicate.
  • Page 62 ... the IKE settings in the other IPSec product. The following table describes the pre-defined IKE settings for each computer that uses Packet Protect. Preferred order: DES (56-bit); DES (56-bit); 3DES (168-bit), domestic version only; 3DES (168-bit) ...
  • Page 63: IPSec Settings

    ... communications for all computers in the workgroup. IPSec Settings. After IKE verifies the identity of each computer, it negotiates which IPSec settings to use to protect the communication after negotiation. Packet Protect comes with pre-defined IPSec options, or you can create your own. Each computer must agree upon the IPSec settings to use before IKE can establish a protected communication for data transfer.
  • Page 64: Examples

    Examples. The following diagram illustrates failed IKE negotiations due to mismatched settings. [Diagram: Pre-shared key = 123456; Default IKE settings; DES/SHA-1] The following diagram illustrates successful IKE negotiations due to matched settings. [Diagram: Pre-shared key = 123456 ...]
  • Page 65: How Packet Protect Uses IPSec

    How Packet Protect Uses IPSec. IPSec is a set of standard protocols developed by the Internet Engineering Task Force (IETF). IPSec is used to protect the privacy and integrity of IP communications. It protects IP communications using algorithms that perform encryption and authentication tasks, as well as other features that enforce additional protection.
  • Page 66: How IPSec Protects Packets

    Packet Protect re-negotiates the IPSec settings only; it doesn't need to re-verify the identity of the computers because it is already known. This helps reduce network traffic by reducing extra key generation. If the security association is not renewed automatically and consequently expires, a security association between the same computers will require both IKE steps: pre-shared key verification and IPSec negotiation.
  • Page 67 Use integrity features to protect the authenticity of packets, that is, verify that the packet was unchanged during transport over the network. Integrity features also verify that no other packets were inserted into the packet flow. Packet Protect uses ESP and AH algorithms (MD5 or SHA-1) to protect the integrity of packets.
  • Page 69: Appendix B - Interoperability With Microsoft Windows* 2000

    Appendix B — Interoperability with Microsoft Windows* 2000. An overview of interoperability between Windows 2000 computers and Packet Protect computers.
  • Page 70: Interoperability With Windows* 2000

    Interoperability with Windows* 2000. By default, IPSec is not enabled in Windows 2000. Windows 2000 is installed with “No Security” as the IPSec default action. You can use the IP Security Policy Management tool to activate IPSec in Windows 2000.
  • Page 71: Appendix C - Network Software License Agreement

    Appendix C — Network Software License Agreement. This appendix details the following: • Network Software License Agreement • Intel Automated Customer Support ...
  • Page 72: Network Software License Agreement

    LIMITED MEDIA WARRANTY. If the Software has been delivered by Intel on physical media, Intel warrants the media to be free from material physical defects for a period of ninety (90) days after delivery by Intel. If such a defect is found, return the media to Intel for replacement or alternate delivery of the Software as Intel may select.
  • Page 73: Intel Automated Customer Support

    Intel Automated Customer Support. You can reach Intel's automated support services 24 hours a day, every day at no charge. The services contain the most up-to-date information about Intel products. You can access installation instructions, troubleshooting information, and general product information.
  • Page 75: Glossary

    As processor usage increases due to security tasks, users may notice slower performance. Intel PRO/100 S Management and Server Adapters are designed to offload the security overhead from Packet Protect by using a special on-board processor, thereby reducing processor utilization.
  • Page 76 Data Encryption Standard. An encryption standard used to protect data confidentiality by encoding the data before it travels on a network. Packet Protect supports 56-bit DES and 168-bit 3DES (3DES available in the United States and Canada only).
  • Page 77 ... One or more computers that are connected together for communication purposes. offload: The assignment of algorithm computations from software to hardware. Packet Protect offloads security tasks to Intel PRO/100 S Management and Server adapters to speed processing and increase network performance. packet: A piece of data that travels on the network.
  • Page 78 ... works or applications communicate. If the set of rules is followed, information can be processed correctly. This allows computers and hardware devices to communicate with one another even if they're different from one another.
  • Page 79: Index

    Index adapters installing 15 teaming and 16 use multiple 16 algorithms and security actions 35 Anti-replay protection 4 anti-replay protection 35 authentication of rules 26 clients failed communication between 50 turn off security for 48 turn on security for 47 uninstalling Packet Protect from 48 configure adapters for Packet Protect 15 customize...
  • Page 80 gateway 50 glossary 69 hardware acceleration 2 help file for Packet Protect 3 IKE. See Internet Key Exchange installation more information ii notes ii integrity of data packets 4 Internet Key Exchange...
  • Page 81 network address translation 50 ordering rules 27 other security products interoperability with 43 overview 2 overview of Packet Protect 2 Packet Protect administrator and client versions 3 domestic and export versions 2 features 2 frequently asked questions 49 get started 6 getting started 6 how it works 4 HTML help 3...
  • Page 82 security actions create new 36 customize 33 definition of 26 modify after policy distribution 41 services on the World Wide Web ii size limit and security actions 34 support services 67 time limit and security actions 34...
