Intel(R) Packet Protect Software Supplemental Information
Version 2.1 for Windows NT* 4.0
=========================================================
NOTE: If you are using Windows 98, refer to the readme.txt in the
\PktPt\Win98 directory. Additional information is in the Packet
Protect User's Guide in the \Info\Protect directory on the product
CD-ROM.
Contents
========
- Overview
- Available Versions
- System Requirements
- Installation
- Certificate Installation Issues
- Configuration
- Compatibility
- Communicating with a DNS
- Communicating with Windows 2000
- Other Known Issues
Overview
========
Intel Packet Protect is a departmental solution that helps protect
Internet Protocol (IP) traffic as it travels between computers on your
local area network (LAN). It protects data confidentiality and
authenticity, and helps prevent data from being retrieved by intruders
or hackers. Because many data compromises are attempted from inside
the company firewall, it is important to protect sensitive data while
it travels on your company's LAN.
Though Intel Packet Protect securely transmits traffic on the network,
it does not protect the data while it is stored on a computer. Use
your operating system features to provide access control to sensitive
areas of your network.
Intel Packet Protect uses Internet Key Exchange (IKE) and Internet
Protocol Security (IPSec) to protect communications on your LAN. Both
IKE and IPSec are standard protocols being developed by the Internet
Engineering Task Force (IETF). Intel Packet Protect uses pre-shared
keys for credential verification. Intel Packet Protect also offers
support for Entrust/Entelligence* certificates.
Available Versions
==================
Intel Packet Protect is available in DES-only (56-bit encryption) and
DES/3DES (56-/168-bit encryption). 3DES is available worldwide
except where prohibited due to U.S. import/export restrictions.
System Requirements
===================
- Microsoft Windows NT* 4.0 with Service Pack 5, Service Pack 6a
or later.
- 40 MB minimum available hard disk space.
- 32 MB RAM minimum, 64 MB RAM recommended.
- 200 MHz Pentium(R) processor (performance level or better)
recommended.
- Intel EtherExpress(TM) adapter (PRO/100 family).
Installation
============
Before installing Intel Packet Protect:
- Uninstall any existing version of Intel Packet Protect using the
Add/Remove Programs applet in the Control Panel.
- Install and configure your adapter.
If you do not use teaming, you can reconfigure the PROSet II
utility now or wait until another time. Refer to your adapter
Installation Guide for detailed information about configuring your
adapter using PROSet II.
Configure PROSet II to enable IPSec:
1. Open PROSet II.
2. In the left window, select Network Components.
3. Right-click on the name of the adapter you want to use.
4. Select Enable IPSec in the popup window.
5. Type in your IP configuration information.
To install Intel Packet Protect:
1. With the product CD inserted, browse to the CD-ROM using
Windows Explorer.
2. Double-click \PktPt\NT4\setup.exe
3. Follow the prompts on the screen.
4. Restart Windows NT when prompted.
Certificate Installation Issues
===============================
In order to perform certificate installation, you must first install
Entrust/Entelligence*. If this is not done first, you will get a
"Missing KMPAPI32.DLL" error message. Use the Entrust/Desktop Designer
to install Entrust/Entelligence. The installer will give you several
installation options. Be sure to select "IPSEC" in the "Engines"
category.
This will enable IPSec and properly copy over the KMPAPI32.DLL file.
Additional details at
http://www.entrust.com/entelligence/new/desktop.htm
This DLL should be placed in the \Winnt\system32 directory.
Problems during Certificate Installation process:
If you have problems logging in to Entrust/Entelligence, it may be
due to an improper setting in the Entrust .INI file:
1. Using a text editor, open \Winnt\entrust.ini
2. Locate the tag "FipsMode".
3. Set the value to 0.
4. Save and close the file.
If you get an error message, "Intel Intel Packet Protect Credential
Store (CS) component problem: failed to get the subject name in the
certificate", it could be due to a duplicate conflicting profile
name. To resolve this, log out of Entrust/Entelligence, then start
up the Certificate Installer again.
If you cancel the certificate installation before it completes, all
currently configured rules will be lost. You can, however, recover
the default rule:
1. Open the Intel Packet Protect utility.
2. Click on the Recreate Default Rule button under the Security tab.
You can then re-enter your customized rules that were deleted.
Configuration
=============
When you install Intel Packet Protect on a computer, you set up basic
security settings the computer will apply to communication attempts.
Optionally, you may set up security policies to apply different
security settings to specific types of communication attempts. Refer
to the Intel Packet Protect User's Guide in the \Info\Protect folder
on the product CD-ROM for configuration details and deployment
examples.
Compatibility
=============
Intel Packet Protect is designed to offload encryption and
authentication tasks to Intel PRO/100 S Server and Intel PRO/100 S
Management adapters, but can also work with Intel LAN adapters that
do not support the offload. If you have multiple adapters that are
not teamed, one of them must be an Intel PRO/100 S Server or Intel
PRO/100 S Management adapter in order for the tasks to be offloaded
to that adapter. Intel Packet Protect will not work on systems with
Intel PRO/1000 Gigabit server adapters. Intel Packet Protect does
not support dial-up adapters.
When you set up Intel Packet Protect, each computer that will
communicate in a protected way using Intel Packet Protect must use a
pre-shared key or a certificate. Intel Packet Protect does not
support the Kerberos authentication method.
Intel Packet Protect computers can communicate with Windows 2000
IPSec computers by setting up each computer's policy to use the same
settings. You cannot use Intel Packet Protect to manage security
policies for Windows 2000 IPSec computers, or vice versa.
Communicating with a DNS
========================
In order for a client machine running Intel Packet Protect to
communicate with a Domain Name Server (DNS), you must use one of
the following configurations:
* If the DNS is communicating with NO IP Security enabled, and you
want to use Fully Qualified Domain Names (FQDN) in your rules,
then there must be a security exception for DNS requests. This is
specified in the Security Exceptions tab in the following way:
    Protocol    Local Port    Remote Port
    TCP         Any           53
    UDP         Any           53
NOTE: These rules are created by default when Intel Packet Protect is
installed, but they can be altered or deleted by the user.
* If the DNS is communicating WITH IP Security enabled, then you must
create a new rule that allows DNS communication with matching
security. This must be the first rule in the list. (You must specify
the DNS by its IP address.) In addition, you must remove the two
security exceptions (see prior bullet). If this step is not done,
security violations will occur.
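The two DNS configurations above can be checked mechanically. The following is an added example, not part of the original readme or of Intel's software: Packet Protect is configured through its user interface, so the policy dictionary layout, the function names and the sample addresses are all assumptions made for illustration.

```python
import ipaddress

# Hypothetical policy model: the dict layout is an assumption for this example.
DNS_PORT = 53

def parses(value, parser):
    """True when parser accepts value (a literal address, not a host name)."""
    try:
        parser(value)
        return True
    except ValueError:
        return False

def is_fqdn(destination):
    """Rule destinations may be addresses or subnets; anything else is a name."""
    return not parses(destination, lambda v: ipaddress.ip_network(v, strict=False))

def check_dns_policy(policy):
    """Return findings for the two DNS configurations the readme allows."""
    findings = []
    rules = policy["rules"]
    # Protocols that currently have a security exception for remote port 53.
    excepted = {e["protocol"].upper() for e in policy["exceptions"]
                if e["remote_port"] == DNS_PORT}
    if policy["dns_uses_ipsec"]:
        # Protected DNS: DNS given by IP, its rule first, exceptions removed.
        if not parses(policy["dns_server"], ipaddress.ip_address):
            findings.append("DNS server must be specified by IP address")
        if not rules or rules[0]["destination"] != policy["dns_server"]:
            findings.append("DNS rule must be the first rule in the list")
        if excepted:
            findings.append("remove port 53 exceptions: " + ", ".join(sorted(excepted)))
    else:
        # Cleartext DNS: FQDN rules only resolve if port 53 is excepted.
        missing = {"TCP", "UDP"} - excepted
        if missing and any(is_fqdn(r["destination"]) for r in rules):
            findings.append("FQDN rules need port 53 exceptions: " + ", ".join(sorted(missing)))
    return findings

# Constructed sample: DNS moved to IPSec, but the defaults were left in place.
SAMPLE = {
    "dns_server": "10.0.0.53",
    "dns_uses_ipsec": True,
    "rules": [{"destination": "files.example.com"}, {"destination": "10.0.0.53"}],
    "exceptions": [{"protocol": p, "remote_port": 53} for p in ("TCP", "UDP")],
}

if __name__ == "__main__":
    print("\n".join(check_dns_policy(SAMPLE)))
```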
Communicating with Windows 2000
===============================
Intel Packet Protect 2.0 can communicate with the IPSec implementation
in Windows 2000, but there are two restrictions:
* Use the "All IP Traffic" Protocol filter
* Use a Matching Pre-Shared Key
Use the "All IP Traffic" Protocol Filter
----------------------------------------
On Windows 2000, the rule used to communicate with Intel Packet
Protect clients must be set to "All IP Traffic" protocol filter, even
if you are only interested in specific protocols (e.g. TCP, UDP, etc)
on top of IP.
For example, if you are only interested in TCP communications between
Windows 2000 and Intel Packet Protect, you must create a new rule in
Windows 2000, which can communicate with the active rule or default
behavior on Intel Packet Protect. If you select TCP as the protocol
filter in the Windows 2000 rule, the communication will FAIL. You
MUST select "All IP Traffic" filter instead.
Use a Matching Pre-Shared Key
-----------------------------
Since all default rules in Windows 2000 use Kerberos for
authentication (not supported in Intel Packet Protect version 2.0),
you must either add a pre-shared key to the authentication methods in
the "All IP Traffic" default rule, or you must create a new rule with
"All IP Traffic" protocol filter AND a matching pre-shared key as one
of its authentication methods. This pre-shared key must match what
is in use with Intel Packet Protect.
Other Known Issues
==================
- Intel Packet Protect protects traffic as it travels on the network,
not while it's stored on a computer. Use your operating system
features to provide access control to sensitive areas of your
network.
- During client startup, the client may communicate "in the clear" for
a few seconds, even though it may require protection. This is
because the computer is initiating its network connection. During
this time period, the IP stack is open to IP-based network
intrusions.
- Intel Packet Protect can offload IPSec encryption and authentication
tasks to Intel PRO/100 S Server and Intel PRO/100 S Management
adapters. Intel Packet Protect supports the AH and ESP IPSec
security formats. AH and ESP can be used separately or in
combination (AH+ESP) to secure packets. When the combined AH+ESP
security format is used, only AH authentication will offload to the
adapter.
- Intel Packet Protect does not compress packets before they are sent
using IPSec.
- Intel Packet Protect does not support IPSec tunnel mode.
- The Default Rule conflicts with Secure Responder behavior. Secure
Responders should initiate communication without security. However,
the Default Rule, if present, takes precedence over the Secure
Responder behavior and always initiates communication with
security. In this case, Secure Responders act like Secure Initiators
when the Default Rule is present. You can delete the Default Rule.
If you do, then Secure Responders will initiate communications
without security, or "in the clear."
- When you install certificate support on a computer, Intel Packet
Protect assumes that certificate software has already been installed
on that computer. The certificate installation will fail unless the
certificate software has been previously installed.
- The pre-shared key is stored in the registry and is "in the clear."
Anyone with access to the registry can view the pre-shared key.
- The Intel Packet Protect user interface can be used only with
Administrator rights for that system.
- Multicast traffic (defined as having an IP address between 224.0.0.0
and 239.255.255.255) will always be transmitted in the clear and
leave the system open to attacks from intruders.
- Security exceptions and ports that are kept open allow traffic to
pass with no security. This leaves the system open to intruders.
- If a system running Intel Packet Protect has an adapter configured
with multiple IP addresses, all communications via any IP address
other than the first one (the primary IP address) will fail to
negotiate IPSec Security Association. Hence the communication will
NOT be secure.
- Intel Packet Protect is not compatible with systems that are
performing IP Forwarding.
- If Intel Packet Protect operates under high-stress conditions
for several days or weeks without a reboot, it may cause
sluggish or erratic system behavior. Diagnosis and remedy
information is provided in the Troubleshooting section of the user
guide.
- If an IPSec enabled client needs to communicate with a server that
has a combination of IPSec enabled and non-IPSec adapters, the
client must have an explicit rule in the IPSec Policy that allows
communication to the server with no security:
    destination work group = <server's non-ipsec ip address>
    security action = allow communication in the clear
- If you are running on a non-English operating system which uses a
double-byte language (e.g., Kanji), the directory path to the
executable files must be specified in ANSI text (e.g., English).
If there are any double-byte characters in the path, Intel Packet
Protect may not run properly.
- On rare occasions, the DHCP server may renew an IP address with a
different IP address. If this happens, communications with devices
specified in the security exceptions table will be lost. If your
Domain Name Server (DNS) is in this list (typically as TCP/UDP
port 53), you will not be able to see any network devices. To
correct this problem, you will need to stop and restart Intel
Packet Protect. This procedure is covered in the Troubleshooting
section of the user guide.
- If the client system's network configuration includes the NetBEUI
protocol in addition to TCP/IP, and IPSec is enabled in the Intel
PROSet control panel utility, content from shared (mapped) drives
using NetBEUI will not be available. To correct this problem, you
must either disable NetBEUI from the Network control panel
utility, or disable IPSec from the Intel PROSet control panel
utility (which also disables Intel Packet Protect).
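Several of the known issues above describe traffic that leaves the host without IPSec protection. The following added example (not part of the original readme or of Intel's software) classifies flow records against those documented cases so the exposed traffic can be reviewed; the host description, field names and flow records are constructed for illustration.

```python
import ipaddress

# Constructed host description; the field names are assumptions for this example.
HOST = {
    "addresses": ["10.1.1.20", "10.1.1.21"],   # first entry is the primary IP
    "exceptions": {("TCP", 53), ("UDP", 53)},  # (protocol, remote port)
    "clear_rules": {"10.1.1.9"},               # server's non-IPSec adapter
}

# Constructed flow records: source, destination, protocol, remote port.
FLOWS = [
    ("10.1.1.20", "10.1.1.50", "TCP", 445),
    ("10.1.1.20", "239.255.255.255", "UDP", 1900),
    ("10.1.1.20", "10.1.1.2", "UDP", 53),
    ("10.1.1.20", "10.1.1.9", "TCP", 80),
    ("10.1.1.21", "10.1.1.50", "TCP", 445),
]

def cleartext_reason(host, flow):
    """Return why a flow is not protected by IPSec, or None if it should be."""
    src, dst, proto, rport = flow
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst.is_multicast:  # 224.0.0.0 through 239.255.255.255
        return "multicast is always sent in the clear"
    if (proto.upper(), rport) in host["exceptions"]:
        return "matches a security exception"
    if str(dst) in host["clear_rules"]:
        return "rule allows communication in the clear"
    if src != ipaddress.ip_address(host["addresses"][0]):
        return "non-primary IP address fails to negotiate an SA"
    return None

def audit(host, flows):
    """List (flow, reason) for every flow that leaves the host unprotected."""
    findings = []
    for flow in flows:
        reason = cleartext_reason(host, flow)
        if reason:
            findings.append((flow, reason))
    return findings

if __name__ == "__main__":
    for flow, reason in audit(HOST, FLOWS):
        print(flow, "->", reason)
```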
----------------------------------------------------------
* Brand, name, or trademark or brand owned by another company.
Copyright (C) 2000, Intel Corporation.