Intel Packet Protect helps protect Internet Protocol (IP) traffic as it travels between systems on your LAN.
Internet Protocol (IP) Security (IPSec) is a set of protocols used to help secure the exchange of IP data.
Internet Key Exchange (IKE) is a protocol used to verify the identity of systems and negotiate a protected communication.
Intel Packet Protect can work with multiple adapters that you install in one system. If you use an Intel® PRO/100 S Management or Server Adapter, Intel Packet Protect offloads encryption tasks to any of these adapters.
If a system running Intel Packet Protect has an adapter configured with multiple IP addresses, all communications via any IP address other than the first one (the primary IP address) will fail to negotiate an IPSec Security Association. Hence the communication will NOT be secure.
Adapter Teaming and Intel Packet Protect work together only for systems with Windows* NT* operating systems installed.
Intel Packet Protect does not support IP Forwarding.
Like any IPSec solution, Intel Packet Protect decreases network performance because of the intense computation required to encrypt, decrypt, and validate packets. Packet Protect was designed to use the offload processing capability of the Intel PRO/100 S Management or Server Adapter. This helps to reduce the impact on processor utilization and network traffic. Processor-intensive tasks such as ESP and AH algorithm calculations are offloaded to these Intel adapters. This frees the system's processor for other tasks, reducing the impact on network performance.
Use Intel Packet Protect Monitor to view detailed information about your secure communications.
Multicast traffic is always unprotected when you use Intel Packet Protect because of IPSec standards. In addition, IGMP traffic is unprotected.
In order for a client machine running Intel Packet Protect to communicate with a Domain Name Server (DNS), you must use one of the following configurations:
Use this method if you want to use Fully Qualified Domain Names (FQDN) in your rules and the DNS is not communicating with IP Security enabled: there must be a security exception for DNS requests. This is specified in the Security Exceptions tab in the following way:

Protocol    Local Port    Remote Port
TCP         Any           53
UDP         Any           53

NOTE: These rules are created by default when Intel Packet Protect is installed, but they can be altered or deleted by the user.
If the DNS IS communicating with IP Security enabled, then you must create a new rule that allows DNS communication with matching security. This must be the first rule in the list. In addition, you must remove the two security exceptions (see prior bullet). If this step is not done, security violations will occur.
If you use Microsoft's Netmon product for packet sniffing, it must run from a system which does not have Intel Packet Protect enabled. If Netmon is running on a system with Intel Packet Protect enabled, you will see the following:
Netmon will not see any ESP/AH packets among other peers. It does see IKE packets.
All ICMP packets to or from the local system (where Netmon runs) appear in the clear, although these packets are actually encrypted on the wire.
So, to correctly collect sniffing packets, Netmon must be running from a third system which has IPSec disabled.
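As an added example (not part of the original Intel documentation), the following Python code labels raw IPv4 packets captured on a third system with IPSec disabled, separating ESP/AH and IKE traffic from the cleartext this page says to expect (multicast, IGMP, DNS on port 53) and from cleartext that should not be there. The function names, labels and sample addresses are assumptions, and the DNS case assumes the default security exceptions are still in place.

```python
import socket
import struct
from collections import Counter

ICMP, IGMP, TCP, UDP, ESP, AH = 1, 2, 6, 17, 50, 51  # IANA IP protocol numbers

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet as seen on the wire by the third system."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "malformed"
    ihl = (pkt[0] & 0x0F) * 4  # header length in bytes, options included
    if ihl < 20 or len(pkt) < ihl:
        return "malformed"
    proto, dst = pkt[9], pkt[16:20]
    if proto in (ESP, AH):
        return "protected:esp" if proto == ESP else "protected:ah"
    if proto == IGMP:
        return "expected-clear:igmp"
    if 224 <= dst[0] <= 239:  # IPv4 multicast range, always unprotected
        return "expected-clear:multicast"
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if proto in (TCP, UDP) and frag_offset == 0:  # later fragments carry no ports
        if len(pkt) < ihl + 4:
            return "malformed"
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if proto == UDP and 500 in (sport, dport):
            return "ike"
        if 53 in (sport, dport):  # assumes the default DNS exceptions exist
            return "expected-clear:dns"
    return "unexpected-clear"  # cleartext between peers: check the rules

def ipv4(proto, src, dst, payload=b""):
    """Build a constructed sample packet (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def ports(sport, dport):
    return struct.pack("!HH", sport, dport) + b"\x00" * 4

SAMPLE = [  # constructed capture; documentation-range addresses
    ipv4(ESP, "192.0.2.10", "192.0.2.20", b"\x00" * 16),
    ipv4(UDP, "192.0.2.10", "192.0.2.20", ports(500, 500)),
    ipv4(UDP, "192.0.2.10", "192.0.2.53", ports(1040, 53)),
    ipv4(IGMP, "192.0.2.10", "224.0.0.1", b"\x00" * 8),
    ipv4(ICMP, "192.0.2.10", "192.0.2.20", b"\x08\x00" + b"\x00" * 6),
]

def summarize(packets):
    return Counter(classify(p) for p in packets)
```

Any packet labelled unexpected-clear between two systems that both run Intel Packet Protect points to a missing or mis-ordered rule, or to traffic on a non-primary IP address.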
Copyright © 2000, Intel Corporation. All rights reserved.
Intel Corporation assumes no responsibility for errors or omissions in this document. Nor does Intel make any commitment to update the information contained herein.
* Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owners' benefit, without intent to infringe.