Develop A Strategy For Handling Pre-Shared Keys - Intel PRO/100 User Manual

Intel® Packet Protect User's Guide
tiator behavior. Also, many servers can use this behavior as well, as long as the
fallback behavior is acceptable for your network.
Secure Initiator is similar to Secure Responder, except that all outbound traffic
will result in an attempt to negotiate parameters for security.
Lockdown
A computer with Lockdown behavior will always initiate and respond securely
to all data flows. If the negotiation fails on either computer, then traffic will be
denied.
Lockdown behavior is used for servers with high content value, as it requires
security for all data transmissions.
Communicating with non-Packet Protect computers
It is common to not use Packet Protect on all the computers in your network.
While the security that Packet Protect can provide is beneficial, there are several
reasons to limit the computers on your network that use Packet Protect, such as:
• Only a limited number of computers on your network require secure com-
munications.
• In order to minimize CPU utilization, you want to limit use of Packet Pro-
tect to computers that already have PRO/100S Management or Server
adapters.
Computers that use the default behavior of Secure Responder or Secure Initiator
will always be able to communicate in the clear with computers in your network
that do not use Packet Protect.
Computers that use the default behavior of Lockdown will not be able to com-
municate with computers in your network that do not use Packet Protect.

Develop a strategy for handling pre-shared keys

When two computers attempt secure communication, they negotiate parameters
for the communication. In addition to using their default behavior, described in
the previous section, they also exchange a string of characters known as a pre-
shared key.
When the computers begin to negotiate parameters, they compare their pre-
shared keys. If both computers have the same pre-shared key, then the computers
will go ahead and negotiate parameters for the session. If the computers have a
different pre-shared key, then the negotiation for secure communication will
cease.
Once the pre-shared keys have been compared and matched between the two
computers, the IKE protocol generates secure, secret session keys. No one can
find out what these session keys are, even if they know what the pre-shared key
is. Although pre-shared keys are sometimes called passwords, they do not act
like passwords. Even when you know what the pre-shared key is, you cannot use
that key to intercept or decrypt the information that is being transmitted.
10