Intel(R) Packet Protect Software Supplemental Information
Version 3.1 for Windows 98, Windows ME and Windows NT* 4.0
==========================================================
Contents
========
- Overview
- System Requirements
- Installation
- Certificate Installation Issues
- Configuration
- Compatibility
- Security Exceptions for Communication
- Communicating with Windows 2000
- Other Security Considerations
- Known Issues
Overview
========
Intel Packet Protect is a departmental solution that helps protect
Internet Protocol (IP) traffic as it travels between computers on your
local area network (LAN). It protects data confidentiality and
authenticity, and helps prevent data from being retrieved by intruders
or hackers. Because many of the total data compromises are attempted
from within a company firewall, it is important to protect sensitive
data while it travels on your company's LAN.
Though Intel Packet Protect securely transmits traffic on the network,
it does not protect the data while it is stored on a computer. Use
your operating system features to provide access control to sensitive
areas of your network.
Intel Packet Protect uses Internet Key Exchange (IKE) and Internet
Protocol Security (IPSec) to protect communications on your LAN.
Both IKE and IPSec are protocol specifications being developed by the
Internet Engineering Task Force (IETF). Intel Packet Protect uses
pre-shared keys or certificates for IKE credential verification.
Intel Packet Protect supports only Entrust certificates.
Intel Packet Protect does not compress packets before they are sent
using IPSec.
System Requirements
===================
- One of the following Microsoft operating systems:
- Windows NT* 4.0 with Service Pack 5, Service Pack 6a or later
- Windows Millenium Edition
- Windows 98, with DCOM98 (normally installed with Windows 98).
DCOM98 can be downloaded at:
http://www.microsoft.com/com/dcom/dcom98/download.asp.
- 40 MB minimum available hard disk space.
- 32 MB RAM minimum, 64 MB RAM recommended.
- 233 MHz Pentium(R) processor (performance level or better)
recommended.
- Intel PRO/100 family of network adapters.
If certificate support is required, you will also need the KMPAPI32.DLL
This file comes from the Entrust* Engelligence* installation (see
below).
Installation
============
NOTE:
If you are upgrading from a prior version of Intel Packet Protect,
there are several steps which you must follow in order to
successfully upgrade. See "Installing Packet Protect" in the Intel
Packet Protect user guide for complete information.
NOTE:
In windows NT, if you are installing an additional adapter when Intel
Packet Protect is already installed, you must follow a sequence of
steps to ensure that your IP Security works properly with multiple
network adapters. These steps are listed in the Intel Packet Protect
user guide under "Set Up Adapters".
Configure PROSet II to enable IPSec:
-----------------------------------
1. Open PROSet II.
2. In the left pane, select Network Components.
3. Right-click on the name of the adapter you want to use.
4. Select Enable IPSec in the popup window.
5. Click OK. At this time the bindings are formed for IP
Security.
6. Type in your IP configuration information.
7. Re-start the system in order for the IPSec bindings to take effect.
To install Intel Packet Protect:
-------------------------------
1. With the product CD inserted, browse to the CD-ROM using
Windows Explorer.
2. In Windows NT, find and double-click \PktPt\NT4\setup.exe
In Windows 98 and Me, find and double-click \PktPt\Win98\
setup.exe.
3. Follow the prompts on the screen.
4. Re-start Windows when prompted.
Certificate Installation Issues
===============================
If you get a "Missing KMPAPI32.DLL" error message during Intel
Packet Protect certificate support installation, you will need to
download and install the Entrust* EntrustIPSec* Negotiator*
Toolkit:
1. Using your Internet web browser, go to http://www.entrust.com/
developer/ipsec/
2. Select "Download".
3. Enter your member ID and PIN if necessary.
4. Select a download location on your hard drive.
5. Using the Windows Explorer, find and run the EntrustIPSec
installer program.
6. After installation, go to the installation directory (default
is c:\Program Files\Entrust Toolkit\IPSec\Lib\) and move
"KMPAPI32.DLL" to the Windows System directory.
In Windows NT, the default is C:\WinNT\System32.
In Windows 98 and Me, the default is C:\Windows\System.
7. Re-start the Intel Packet Protect certificate support
installation.
Problems during Certificate Installation process:
------------------------------------------------
If you have problems logging in to Entrust/Entelligence, it may be
due to an improper setting in the Entrust .INI file:
1. Using a text editor, open /Winnt/entrust.ini
2. Locate the tag "FipsMode".
3. Set the value to "0" (zero).
4. Save and close the file.
If you get an error message, "Intel Packet Protect Credential
Store (CS) component problem: failed to get the subject name in the
certificate", it could be due to a duplicate conflicting profile
name. To resolve this, log out of Entrust/Entelligence, then start
up the Certificate Installer again.
Configuration
=============
When you install Intel Packet Protect on a computer, you set up basic
security settings the computer will apply to communication attempts.
Optionally, you may set up security policies to apply different
security settings to specific types of communication attempts. Refer
to the Intel Packet Protect User's Guide in the \Info\Protect folder
on the product CD-ROM for configuration details and deployment
examples.
Compatibility
=============
Intel Packet Protect is designed to offload encryption and
authentication tasks to Intel adapters that have an integrated
encryption co-processor, such as the PRO/100 S family of adapters.
LAN adapters that do not support offloading will still work but
system and network performance will not be optimal.
Intel Packet Protect is not supported on Intel PRO/1000 gigabit
adapters.
Intel Packet Protect does not support dial-up adapters.
Intel Packet Protect does not support IPSec tunnel mode.
Each computer that will communicate in a protected way using Intel
Packet Protect must use a pre-shared key or by using an Entrust
certificate.
Intel Packet Protect does not support the Kerberos authentication
method.
Intel Packet Protect computers can communicate with Windows 2000
IPSec computers by setting up each computer's policy to use the same
settings. You cannot use Intel Packet Protect to manage security
policies for Windows 2000 IPSec computers, or vice versa.
Compatibility with Mixed Versions of Intel Packet Protect
---------------------------------------------------------
Ideally, all computers should be running on the latest version
of Intel Packet Protect. See "Installing Packet Protect" in the
user guide for complete information.
If you continue using a previous versions of Intel Packet Protect
on one or more systems, note the following:
- You may experience performance problems.
- If you are using Entrust certificates for authentication,
machines running Intel Packet Protect version 2.x will not be
able to connect with the other machines. There is a patch
available for systems running Microsoft Windows NT. Download
it from http://support.intel.com, under "Downloads and Software",
and search by filename for "pprpatch".
Security Exceptions for Communication
=====================================
In order for a client machine running Intel Packet Protect to
communicate with a Domain Name Server (DNS) or a Windows Internet
Naming Service (WINS) server, you must employ one or more security
exceptions to allow communication. These and other security
exceptions are discussed in the user guide, under the topic
"Common Security Exceptions".
Communicating with Windows 2000
===============================
Intel Packet Protect version 3.1 can communicate with the IPSec
implementation in Windows 2000, but there are three restrictions:
- Use the "All IP Traffic" protocol filter
- Use a matching pre-shared key
- Match DES/3DES policies
Use the "All IP Traffic" Protocol Filter
----------------------------------------
On Windows 2000, the rule used to communicate with Intel Packet
Protect clients must be set to "All IP Traffic" protocol filter, even
if you are only interested in specific protocols (e.g. TCP, UDP, etc)
on top of IP.
For example, if you are only interested in TCP communications between
Windows 2000 and Intel Packet Protect, you must create a new rule in
Windows 2000, which can communicate with the active rule or default
behavior on Intel Packet Protect. If you select TCP as the protocol
filter in the Windows 2000 rule, the communication may fail. You
MUST select "All IP Traffic" filter instead.
Use a Matching Pre-Shared Key
-----------------------------
Since all default rules in Windows 2000 use Kerberos for
authentication (not supported in Intel Packet Protect version 3.1),
you must either add a pre-shared key to the authentication methods in
the "All IP Traffic" default rule, or you must create a new rule with
"All IP Traffic" protocol filter AND a matching pre-shared key as one
of its authentication methods. This pre-shared key must match what
is in use with Intel Packet Protect.
Match DES/3DES Policies
-----------------------
Some Windows 2000 versions are using DES policies instead of 3DES.
If the server has Intel Packet Protect installed, and the rule used
involve only 3DES (in various combinations) there will be no
communication between those Windows 2000 clients and the Intel Packet
Protect server. To enable the use of 3DES you have to install the
Windows 2000 High Encryption Pack. This is available from the
Microsoft support site: http://www.microsoft.com/windows2000/
downloads/recommended/encryption/default.asp.
Other Security Considerations
=============================
- During client startup, the client may communicate "in the clear"
for a few seconds, even though it may require protection. This is
because the computer is initiating itself on the network. During
this time period, the IP stack is open to IP-based network
intrusions.
- Multicast traffic (defined as having an IP address between 224.0.0.0
and 239.255.255.255) and broadcast traffic will always be
transmitted in the clear and leave the system open to attacks from
intruders. At this time, the IPSec specification does not cover
multicast and broadcast packets, therefore these packets will neither
be secured nor filtered. The side effect is that the machine will
still accept packets from unauthenticated users. This may lead to a
possible misuse.
- Security exceptions and ports that are kept open allow traffic to
pass with no security. This leaves the system open to intruders.
Known Issues
============
Also see the Troubleshooting section of the user guide, located on
the Intel CD.
- If you are installing on a non-English operating system which uses a
double-byte character set (e.g., Kanji), the directory path to the
executable files must be specified in ANSI text (e.g., English).
If there are any double-byte characters in the path, Intel Packet
Protect will not install properly.
- In Windows NT, if you attempt to update the network driver or
install drivers for a second adapter without first shutting off
Intel Packet Protect software, Intel Packet Protect will fail to
restart. The remedy for this is covered in the troubleshooting
section of the user guide.
- When disabling IPSec in PROSet, it triggers the "Add New Hardware"
wizard, and communication fails through the adapter. This occurs only
on laptop computers running Windows 98 or Millennium. This condition
breaks the binding between the Intel Advanced Network Services (ANS)
layer and TCP/IP stack. To correct this situation, follow these
steps:
1. Cancel (or click-through) the installation wizard.
2. Open the Network control panel.
3. Select the ANS Virtual Adapter Driver (bound to "->nothing")
and click the Delete button. This driver and the TCP/IP protocol
stack are removed from the list of network components.
4. Click the Add button. A list of component types appears.
5. Select Protocol.
6. Select TCP/IP from the list of protocols.
7. Click OK to close the list.
8. Click OK to close the Network control panel.
9. When prompted, click to reboot the computer.
When the computer finishes rebooting, you may verify in the Network
control panel that the TCP/IP stack is functional, and logically bound
to the adapter.
-------------------------------------------------------------
Copyright (C) 2001, Intel Corporation. All rights reserved.
Intel Corporation assumes no responsibility for errors or omissions in this document. Nor does Intel make any commitment to update the information contained herein.
* Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owners' benefit, without intent to infringe.
Download Driver Pack
After your driver has been downloaded, follow these simple steps to install it.
Expand the archive file (if the download file is in zip or rar format).
If the expanded file has an .exe extension, double click it and follow the installation instructions.
Otherwise, open Device Manager by right-clicking the Start menu and selecting Device Manager.
Find the device and model you want to update in the device list.
Double-click on it to open the Properties dialog box.
From the Properties dialog box, select the Driver tab.
Click the Update Driver button, then follow the instructions.
Very important: You must reboot your system to ensure that any driver updates have taken effect.
For more help, visit our Driver Support section for step-by-step videos on how to install drivers for every file type.