Triple Data Encryption Standard, or Triple DES. An encryption standard used to encode data while it travels on a network. 3DES uses 168-bit keys to encrypt data.
3DES is not available in the DES-only version of Intel Packet Protect.
Authentication Header. A protocol of verifying the integrity of packets, that is, the packets are known to be from the originating system. Intel Packet Protect uses MD5 and SHA-1 to authenticate packets.
Protection against receiving repeat data transmitted on the network. This helps prevent an intruder from successfully sending the same data in an attempt to confuse the system (for example, the system could repeat the task of restarting a server).
The process of verifying the identity of a system. Intel Packet Protect authenticates a system using pre-shared keys. It helps verify that a system is who it claims to be.
Certificate Authority. A system or organization that issues certificates signed by an established hierarchy.
Certificate Authority certificate. A certificate issued to a certificate authority. CA certificates are well-published and trusted.
A form of electronic identification that enables a hierarchy of trust, depending on the identity of a user or system. Certificates are used during the negotiation of a secure communication.
The science of protecting the privacy of data by encoding the data so it is unreadable to anyone who doesn't have a secret key to decode it.
A measurement of the average load on a system's processor. As processor usage increases due to security tasks, users may notice slower performance. Intel® PRO/100 S Management and Server Adapters are designed to offload the security overhead from Intel Packet Protect by using a special on-board processor, thereby reducing processor utilization.
The decoding of encrypted data using a secret password or key.
Data Encryption Standard. An encryption standard used to protect data confidentiality by encoding the data before it travels on a network. Intel Packet Protect supports 56-bit DES and 168-bit 3DES (3DES available worldwide, except where prohibited by U.S. import/export restrictions).
A logical collection of systems (servers and clients) that you define in Intel Packet Protect. Destination workgroups contain lists of systems with which a system in the source workgroup may want to communicate using IPSec.
Destination workgroups in Intel Packet Protect are different from workgroups in Windows* operating systems.
A security action containing a predefined set of proposals designed to inter-operate with other computers running Intel® Packet Protect or other IPSec implementations.
The default behavior is like a rule, and is used when there is no rule that specifies the workgroup containing the computer name/IP address you want to communicate with.
Each computer in a LAN that uses Intel Packet Protect has one of three default behaviors:
Secure Responder – This behavior always initiates communications in the clear, but will respond securely if requested.
Secure Initiator – This behavior always attempts secure communication first. If negotiation fails, it will communicate in the clear.
Lockdown – This behavior always attempts secure communication first. If negotiation fails, it denies communication.
The default action determines the security method used.
The default behavior can be defined during the installation process or from the Security Tab.
Exists when Intel Packet Protect is first installed. The default rule is designed as the basic rule for secure communications between two computers where no specific rule has been defined. In order for the default rule to behave in this way, it must be defined as the last rule in a policy containing multiple rules. The default rule is defined with the default action.
If there is no default rule, the default behavior will be used.
A method of securely sharing a secret key between two systems.
Domain Name Server. The network of Domain Name Servers that resolve fully qualified domain names (FQDNs) to their corresponding IP addresses.
The process of protecting data confidentiality by encoding the data so it is unreadable to anyone who does not have the secret key to decode it. You can read data if it is not encrypted, but you ca not read data while it is encrypted.
Encapsulation Security Payload. A method of protecting the confidentiality and/or integrity of data. ESP can be used to protect data confidentiality by encrypting the data using DES or 3DES. ESP can also be used to verify the origination of data by authenticating the data using MD5 or SHA-1.
This is the defined course of action when secure negotiations fail between two computers. The fallback action can be either allow communication without security or deny communication. This is defined in the If Rule Fails field in the Edit Rule dialog box.
Fully Qualified Domain Name. The unique name given to a system or device. When addressing information or requests, it is often easier to remember a fully qualified domain name rather than an IP address. Because systems communicate using IP addresses, DNS software matches the fully qualified domain name to its corresponding IP address so users can communicate using the domain name and the IP address.
Internet Control Message Protocol. A type of IP protocol used to transmit data that typically contains error or explanatory information. For example, the ping command uses ICMP to transmit data about network connectivity.
Internet Engineering Task Force. The organization that is developing and standardizing IKE and IPSec.
Internet Group Management Protocol. A type of protocol used to transmit multicast traffic on a single network.
Internet Key Exchange. A standards-based protocol used to negotiate a protected communication.
IKE is a subset profile of ISAKMP/Oakley. It is being developed by the Internet Engineering Task Force (IETF).
An unwanted visitor from inside or outside your company who may try to steal information or harm your network.
Internet Protocol. A set of rules that describe how systems transmit data with a destination address.
A series of numbers that identifies a connection point or device on an IP network. Each connection point and device needs a unique IP address to communicate using IP. For example, 192.168.1.1 is a sample IP address.
Internet Protocol (IP) Security. A set of protocols used to help secure the exchange of IP data. IPSec is being developed by the Internet Engineering Task Force (IETF).
A set of bytes that encrypt or decrypt data. Keys allow you to protect data from being read by an intruder on the network. Keys can be symmetric or asymmetric; asymmetric keys can be either public or private.
Local Area Network. A communications network usually located within a building or small number of buildings. For example, systems and printers at many companies are connected to a LAN.
A description of a default behavior for a system that uses Intel Packet Protect. A Lockdown system initiates and replies to all communications by requesting security; it only communicates using IPSec (requires that the other system also uses IPSec). A common use for this setting is a server that requires very restricted access.
Message Digest Algorithm. An algorithm often used to verify the integrity of packets traveling on a network. The algorithm transforms any number of bytes into a fixed number of bytes; no other set of bytes produces the same result.
One or more systems that are connected together for communication purposes.
The assignment of algorithm computations from software to hardware. Intel Packet Protect offloads security tasks to Intel® PRO/100 S Management and Server Adapters to speed processing and increase network performance.
A piece of data that travels on the network. Each packet contains the data being transmitted, along with a destination address. Intel Packet Protect protects packets as they travel on the network using IPSec.
The generation of an additional key pair to be used during data transfer. This helps guarantee that no keys are re-used. Using perfect forward secrecy increases protection, but generates more CPU utilization during security negotiation (performance during data transfer will remain the same).
Public Key Infrastructure. A system of digital certificates, certificate authorities, and other registration authorities that verify and authenticate the validity of each party involved in a secure communication, using public key cryptography.
A collection of security settings and rules that are applied to a group of systems.
A connection point used by IP applications. For example, a Web server typically sends and receives information on port 80.
A secret password that a system presents to verify its identity. Pre-shared keys are used during negotiation of a secure communication. Each system must present the same pre-shared key in order to communicate using IPSec.
A set of guidelines that describe how networks or applications communicate. If the set of rules is followed, information can be processed correctly. This allows systems and hardware devices to communicate with one another even if they are different from one another.
A signing certificate that is self-signed. It represents a key pair that is used to sign certificates; a root certificate is not signed by another signing certificate.
A definition of the security settings to apply when a system communicates with a destination system using a specified protocol.
A description of a default behavior for a system that uses Intel Packet Protect. A Secure Initiator system initiates communications by requesting security and responds to communication requests without security ("in the clear"). A common use for this setting is a server that does not require the strict control of the Lockdown setting.
A description of a default behavior for a system that uses Intel Packet Protect. A Secure Responder system initiates communications without security ("in the clear"), but can respond to communication requests with security. A common use for this setting is a workstation.
A collection of IPSec settings that are proposed when two systems attempt to communicate. Intel Packet Protect uses security actions when a rule is matched for a communication.
A security contract between two systems. While the security association is active (8 hours is the default), the two systems can send data without re-negotiating a communication (as long as the data being sent uses a protocol defined in the existing security association).
The duration of a security association. A lifetime can be limited by time or by the amount of data transmitted.
Secure Hash Algorithm. An algorithm often used to verify the integrity of packets traveling on a network. The algorithm transforms any number of bytes into a fixed number of bytes.
Packets traveling on the network.
A logical collection of systems (servers and clients) that you define in Intel Packet Protect.
Workgroups in Intel Packet Protect are different from workgroups in Windows operating systems.
Copyright © 2000, Intel Corporation. All rights reserved.
Intel Corporation assumes no responsibility for errors or omissions in this document. Nor does Intel make any commitment to update the information contained herein.
* Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owners' benefit, without intent to infringe.