You must specify a security action for each rule. This section defines the security settings you can apply when two systems communicate.
Security Action | Description |
---|---|
Allow Communication without Security | Use to communicate completely in the clear, without any security. |
Default Action | Use to get an action that provides a high level of security, along with a high level of interoperability. The default action is a rich set of IPSec proposals that includes various levels of encryption, ESP authentication, and AH authentication. It provides a maximum level of interoperability with non-Intel Packet Protect implementations of IPSec. |
Deny Communication | Use to deny any communication between two systems. |
Remember that two systems attempting to communicate must agree on certain settings in order to communicate using IPSec.
The Requires Match? column in the table below indicates whether the source and destination systems must have the same security setting.
Security Setting | Description | Requires Match? |
---|---|---|
Time limit | The length of time (in minutes or hours) the protected communication can be active before the system renegotiates. To increase protection, lower the time limit (to a minimum of 4 hours). This makes the system renegotiate a new security association more often, but increases network traffic. This setting is optional. If two systems require different time limits, the communication is renegotiated when the lower time limit is reached. If a time limit is not defined, the default is 8 hours (480 minutes; 28,800 seconds). | No |
Perfect | The system proposes a second set of keys for the security association (instead of using the first set of keys used to verify identification). | Yes |
Anti-replay | The system does not accept repeated packets; that is, packets that the system already received. This helps protect against an intruder sending the same packets repeatedly in an attempt to confuse an application. | No |
Use algorithms in order of preference | Combinations of algorithms a system must use for a communication: ESP encryption, ESP authentication, and AH authentication. Intel Packet Protect proposes the algorithm list (in order of preference) to the destination system during negotiation. Two systems attempting to communicate securely must agree on an algorithm combination. | Yes |
Note: If your system needs to communicate securely with DES-only versions of Intel Packet Protect, make sure your policies have compatible encryption settings. Systems running the DES-only version can use only DES encryption. If systems running the DES-only version receive a policy specifying 3DES encryption, they will actually use DES encryption for the communication. Consider including both DES (56-Bit) and 3DES (168-Bit) encryption in your security actions.
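The following is an added illustration, not code from Intel Packet Protect: a small model of how two systems' security actions are reconciled according to the table and the Note above (which settings must match, the lower time limit winning, the first commonly listed algorithm combination being chosen, and a DES-only peer falling back to DES). The class and field names, the `negotiate`/`can_negotiate` functions, and the sample algorithm names other than DES and 3DES are assumptions made for the example.

```python
from dataclasses import dataclass, field
@dataclass
class SecurityAction:
    """One system's security action, mirroring the settings table above."""
    time_limit_min: int = 480      # optional; default is 8 hours (480 minutes)
    pfs: bool = False              # the "Perfect" row: Requires Match? = Yes
    anti_replay: bool = False      # Requires Match? = No
    # (ESP encryption, ESP auth, AH auth) tuples, in order of preference
    algorithms: list = field(default_factory=list)
    des_only: bool = False         # runs the DES-only version (see the Note)

def negotiate(src, dst):
    """Reconcile two actions as the table describes; ValueError if no agreement."""
    if src.pfs != dst.pfs:
        raise ValueError("the Perfect (forward secrecy) setting must match")
    # Time limits may differ: renegotiation happens at the lower one, and the
    # documented minimum is 4 hours (240 minutes).
    time_limit = min(src.time_limit_min, dst.time_limit_min)
    if time_limit < 240:
        raise ValueError("time limit below the 4-hour minimum")
    # The initiator proposes its list in order; the first combination the
    # destination also lists is used.
    chosen = next((c for c in src.algorithms if c in dst.algorithms), None)
    if chosen is None:
        raise ValueError("no common algorithm combination")
    esp_enc, esp_auth, ah_auth = chosen
    # A DES-only system given a 3DES policy actually uses DES.
    if esp_enc == "3DES" and (src.des_only or dst.des_only):
        esp_enc = "DES"
    return {
        "time_limit_min": time_limit,
        "pfs": src.pfs,
        "anti_replay": (src.anti_replay, dst.anti_replay),  # need not match
        "algorithms": (esp_enc, esp_auth, ah_auth),
        "downgraded": esp_enc != chosen[0],
    }

def can_negotiate(src, dst):
    """True if the two systems would agree on a security association."""
    try:
        negotiate(src, dst)
        return True
    except ValueError:
        return False

# Constructed sample policies: the source prefers 3DES; the destination runs
# the DES-only version but lists both DES and 3DES, as the Note recommends.
SRC = SecurityAction(240, True, True, [("3DES", "SHA-1", None), ("DES", "SHA-1", None)])
DST = SecurityAction(pfs=True, des_only=True,
                     algorithms=[("3DES", "SHA-1", None), ("DES", "MD5", None)])
```

Running `negotiate(SRC, DST)` shows the silent downgrade the Note warns about: 3DES is agreed on paper, but the DES-only peer actually uses DES.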
Copyright © 2000, Intel Corporation. All rights reserved.