Intel(R) Packet Protect Software Supplemental Information Version 2.1 for Windows* 98 ========================================================= NOTE: If you are using Windows NT, refer to the readme.txt in the \PktPt\NT4 directory. Additional information is in the Intel Packet Protect User's Guide in the \Info\Protect directory on the product CD-ROM. Contents ======== - Overview - Available Versions - System Requirements - Installation - Configuration - Compatibility - Communicating with a DNS - Communicating with Windows 2000 - Other Known Issues Overview ======== Intel Packet Protect is a departmental solution that helps protect Internet Protocol (IP) traffic as it travels between computers on your local area network (LAN). It protects data confidentiality and authenticity, and helps prevent data from being retrieved by intruders or hackers. Because many of the total data compromises are attempted from within a company firewall, it is important to protect sensitive data while it travels on your company's LAN. Though Intel Packet Protect securely transmits traffic on the network, it does not protect the data while it is stored on a computer. Use your operating system features to provide access control to sensitive areas of your network. Intel Packet Protect uses Internet Key Exchange (IKE) and Internet Protocol Security (IPSec) to protect communications on your LAN. Both IKE and IPSec are protocol specifications being developed by the Internet Engineering Task Force (IETF). Intel Packet Protect uses pre-shared keys for credential verification. Available Versions ================== Intel Packet Protect is available in DES-only (56-bit encryption) and DES/3DES (56-/168-bit encryption). DES/3DES is available worldwide except where prohibited due to U.S. import/export restrictions. System Requirements =================== - Microsoft Windows* 98 - DCOM98, v1.3 or later. This can be downloaded at: http://www.microsoft.com/com/dcom/dcom98/download.asp. - 40 MB minimum available hard disk space. - 32 MB RAM minimum, of 64 MB RAM recommended. - 200 MHz Pentium(R) processor (performance level or better). - Intel PRO/100 family of network adapters. Installation ============ Before installing Intel Packet Protect: - Uninstall any existing version of Intel Packet Protect using the Add/Remove Programs applet in the Control Panel. - Install and configure your adapter. Refer to your adapter Installation Guide for detailed information about configuring your adapter using the PROSet II utility. Configure PROSet II to enable IPSec: 1. Open PROSet II. 2. In the left pane, select Network Components. 3. Right-click on the name of the adapter you want to use. 4. Select Enable IPSec in the pop-up window. 5. Re-start the system in order for the IPSec bindings to take effect. To install Intel Packet Protect: 1. With the product CD inserted, browse to the CD-ROM using Windows Explorer. 2. Double-click \PktPt\Win98\setup.exe. 3. Follow the prompts on the screen. 4. Restart Windows 98 when prompted. Configuration ============= When you install Intel Packet Protect on a computer, you set up basic security settings the computer will apply to communication attempts. Optionally, you may set up security policies to apply different security settings to specific types of communication attempts. Refer to the Intel Packet Protect User's Guide in the \Info\Protect folder on the product CD-ROM for configuration details and deployment examples. Compatibility ============= Intel Packet Protect is designed to offload encryption and authentication tasks to Intel PRO/100 S Server and Intel PRO/100 S Management adapters, but can also work with Intel LAN adapters that do not support the offload. If you have multiple adapters that are not teamed, one of them must be an Intel PRO/100 S Server or Intel PRO/100 S Management adapter in order for the tasks to be offloaded to that adapter. Intel Packet Protect will not work on systems with Intel(R) PRO/1000 Gigabit server adapters. Intel Packet Protect does not support dial-up adapters. When you set up Intel Packet Protect, each computer that will communicate in a protected way using Intel Packet Protect must use a pre-shared key or by using a certificate. Intel Packet Protect does not support the Kerberos authentication method. Intel Packet Protect computers can communicate with Windows 2000 IPSec computers by setting up each computer's policy to use the same settings. You cannot use Intel Packet Protect to manage security policies for Windows 2000 IPSec computers, or vice versa. Communicating with a DNS ======================== In order for a client machine running Intel Packet Protect to communicate with a Domain Name Server (DNS), you must use one of the following configurations: * If the DNS is communicating with NO IP Security enabled, and you want to use Fully Qualified Domain Names (FQDN) in your rules, then there must be a security exception for DNS requests. This is specified in the Security Exceptions tab in the following way: Protocol Local Port Remote Port TCP Any 53 UDP Any 53 NOTE: These rules are created by default when Intel Packet Protect is installed, but they can be altered or deleted by the user. * If the DNS is communicating WITH IP Security enabled, then you must create a new rule that allows DNS communication with matching security. This must be the first rule in the list. (You must specify the DNS by it's IP number.) In addition, you must remove the two security exceptions (see prior bullet). If this step is not done, security violations will occur. Communicating with Windows 2000 =============================== Intel Packet Protect 2.0 can communicate with the IPSec implementation in Windows 2000, but there are two restrictions: * Use the "All IP Traffic" protocol filter * Use a matching preshared key Use the "All IP Traffic" Protocol Filter ---------------------------------------- On Windows 2000, the rule used to communicate with Intel Packet Protect clients must be set to "All IP Traffic" protocol filter, even if you are only interested in specific protocols (e.g. TCP, UDP, etc) on top of IP. For example, if you are only interested in TCP communications between Windows 2000 and Intel Packet Protect, you must create a new rule in Windows 2000, which can communicate with the active rule or default behaviour on Intel Packet Protect. If you select TCP as the protocol filter in the Windows 2000 rule, the communication will FAIL. You MUST select "All IP Traffic" filter instead. Use a Matching Preshared Key ---------------------------- Since all default rules in Windows 2000 use Kerberos for authentication (not supported in Intel Packet Protect version 2.0), you must either add a preshared key to the authentication methods in the "All IP Traffic" default rule, or you must create a new rule with "All IP Traffic" protocol filter AND a matching pre-shared key as one of its authentication methods. This pre-shared key must match what is in use with Intel Packet Protect. Other Known Issues ================== - If you are using Intel Packet Protect on a system with Windows 98 Retail version, and are using a dual-port network adapter, low- level protocols such as PING directed at this system may not be received. This condition only occurs when both ports are on the same subnet. - If you are using Windows 98 Retail with the Service Pack 1 (SP1) upgrade, and attempt to disable the network adapter using the Device Manager utility, the Control Panel window will appear to hang. To resolve this condition, press Ctrl-Alt-Delete, and shut down the MSGSRV32 process. - If you are using Intel Packet Protect on a system with Windows 98 Second Edition, heavy and continuous traffic conditions over several days or weeks without a reboot may cause system behavior to become sluggish and/or erratic. To correct this condition, you must reboot the system. Additional diagnosis and remedy information is provided in the Troubleshooting section of the user guide. - The Default Rule conflicts with Secure Responder behavior. Secure Responders should initiate communication without security. However, the Default Rule, if present, takes precedence over the Secure Responder behavior and always initiates communication with security. In this case, Secure Responders act like Secure Initiators when the Default Rule is present. You can delete the Default Rule. If you do, then Secure Responders will initiate communications without security, or "in the clear." - During client startup, the client may communicate "in the clear" for a few seconds, even though it may require protection. This is because the computer is initiating itself on the network. During this time period, the IP stack is open to IP-based network intrusions. - Intel Packet Protect can offload IPSec encryption and authentication tasks to Intel PRO/100 S Server and Intel PRO/100 S Management adapters. Intel Packet Protect supports the AH and ESP IPSec security formats. AH and ESP can be used separately or in combination (AH+ESP) to secure packets. When the combined AH+ESP security format is used, only AH authentication will offload to the adapter. - Intel Packet Protect does not compress packets before they are sent using IPSec. - Intel Packet Protect does not support IPSec tunnel mode. - Certificates are not supported in Windows 98 systems. - The pre-shared key is stored in the registry and is "in the clear." Anyone with access to the registry can view the pre-shared key. - When using the Default Rule, computers that operate as Secure Responders will initiate communication with security and not in the clear. - Multicast traffic (defined as having an IP address between 224.0.0.0 and 239.255.255.255) will always be transmitted in the clear. - Security exceptions and ports that are kept open allow traffic to pass with no security. This leaves the system open to intruders. - If a system running Intel Packet Protect has an adapter configured with multiple IP addresses, all communications via any IP address other than the first one (the primary IP address) will fail to negotiate IPSec Security Association. Hence the communication will NOT be secure. - Intel Packet Protect is not compatible in systems that are performing IP Forwarding. - If an IPSec enabled client needs to communicate with a server that has a combination of IPSec enabled and non-IPSec adapters, the client must have an explicit rule in the IPSec Policy that allows communication to the server with no security: destination work group = security action = allow communication in the clear - If you are running on a non-English operating system which uses a double-byte language (e.g., Kanji), the directory path to the executable files must be specified in ANSI text (e.g., English). If there are any double-byte characters in the path, Intel Packet Protect may not run properly. - Under certain high-stress conditions, drive mapping over a network may fail, causing incomplete or failed file transfers. - On rare occasions, the DHCP may renew an IP address with a different IP number. If this happens, communications with devices specified in the security exceptions table will be interrupted. If your Domain Name Server (DNS) is in this list (typically as TCP/UDP port 53), you will not be able to see any network devices. To correct this problem, you will need to reboot your system. This procedure is covered in the Troubleshooting section of the user guide. ---------------------------------------------------------- * Brand, name, or trademark or brand owned by another company. Copyright (C) 2000, Intel Corporation.