Installing Packet Protect
11
Sharing keys
It’s important, when you are developing your deployment model, to decide
how to handle the distribution of the pre-shared key. Some networks use a
widely published key, known as a “group key” or the “pre-shared key on the
wall.” In this strategy, you make the pre-shared key available to everyone, so
that all computers are configured to use the same key. This ensures that when
secure communications are requested, IKE can negotiate them, because the keys
match between the two computers.
In addition to the “group key,” some enterprises may want to use additional, more
private pre-shared keys in certain instances. For example, the president and the
chief financial officer of a corporation may wish to send secured transmissions
to each other. In this instance, each of these computers would use the group key
as part of their standard System Policy, but would create a special rule to cover
communications just between them. (See “Consider exceptions to the Default
Rule” for more information on implementing this scenario.) In this case, they
would likely choose a more secret pre-shared key that only the two computers use
with each other.
Understand the Default Rule
Every computer that uses Packet Protect has a single System Policy. Each Sys-
tem Policy initially contains a single Default Rule. The Default Rule is quite
simple:
For Everybody, use the Default Security Action. If the rule fails, Allow
Communication without Security.
Note: For computers that use the Lockdown behavior with the
Default Rule, if the rule fails then Deny Communication is the
fallback action.
See “The Default Rule” on page 26 for more information.
Note: If you want to have secure communication between a Packet
Protect computer and a Windows 2000* computer, you must
use the Default Rule. Intel recommends that you do not
delete the Default Rule.
See “What is a Rule?” on page 25 for more information about rules in Packet
Protect.
Consider exceptions to the Default Rule
Many enterprises may find that by careful consideration of the default behavior
roles, a widely published pre-shared key, and the Default Rule, they can meet
their security requirements without extra effort. This model is quite workable
and provides adequate security. It is also simple to deploy and maintain.
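The following is an added example, not code or configuration from the Packet Protect product or its manual. It models the two ideas above in Python: a System Policy evaluated rule by rule, with a special rule between two executives (using a more secret pre-shared key) ahead of the Default Rule (using the group key), whose fallback is “Allow Communication without Security” or, under the Lockdown behavior, “Deny Communication.” The `Rule` and `SystemPolicy` classes, the host names, the key strings and the `DENY` fallback chosen for the exception rule are all assumptions made for this illustration; the page shows no rule format. `check_policy` adds the deployment check a practitioner wants: a Default Rule placed ahead of an exception rule silently shadows it, and a deleted Default Rule leaves other peers with no rule at all.

```python
import hmac
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed model of a Packet Protect style System Policy. The classes,
# host names and keys below are assumptions made for this example.

SECURE = "secure"
ALLOW_WITHOUT_SECURITY = "allow_without_security"
DENY = "deny_communication"


@dataclass
class Rule:
    name: str
    peers: Optional[Set[str]]  # None means "For Everybody"
    pre_shared_key: str        # key IKE must match with the peer
    fallback: str              # action taken if the rule fails


@dataclass
class SystemPolicy:
    rules: List[Rule]          # evaluated in order; Default Rule last
    lockdown: bool = False


def default_rule(group_key: str, lockdown: bool) -> Rule:
    """The Default Rule as the manual states it: For Everybody, use the
    Default Security Action; if the rule fails, Allow Communication without
    Security, or Deny Communication when the Lockdown behavior is used."""
    return Rule("Default Rule", None, group_key,
                DENY if lockdown else ALLOW_WITHOUT_SECURITY)


def build_policy(group_key: str, private_key: str, partner: str,
                 lockdown: bool = False) -> SystemPolicy:
    """Policy for one of the two executives: a special rule covering only
    traffic with the partner (more secret key), then the Default Rule
    (group key) for everybody else. DENY on the exception rule is an
    assumed choice for this example, not something the page specifies."""
    exception = Rule("Executive rule", {partner}, private_key, DENY)
    return SystemPolicy([exception, default_rule(group_key, lockdown)], lockdown)


def check_policy(policy: SystemPolicy) -> List[str]:
    """Deployment checks: the Default Rule must exist and must come last,
    otherwise the catch-all "Everybody" rule shadows every exception."""
    problems = []
    catch_alls = [i for i, r in enumerate(policy.rules) if r.peers is None]
    if not catch_alls:
        problems.append("no Default Rule: peers outside the exceptions get no rule")
    elif catch_alls[0] != len(policy.rules) - 1:
        shadowed = [r.name for r in policy.rules[catch_alls[0] + 1:]]
        problems.append("rules shadowed by an earlier catch-all: " + ", ".join(shadowed))
    return problems


def select_rule(policy: SystemPolicy, peer: str) -> Rule:
    """First rule whose peer set covers the peer (the Default Rule covers all)."""
    for rule in policy.rules:
        if rule.peers is None or peer in rule.peers:
            return rule
    raise LookupError(f"no rule covers {peer}; was the Default Rule deleted?")


def negotiate(policy: SystemPolicy, peer: str, peer_key: str) -> Tuple[str, str]:
    """Simulated IKE outcome as (rule used, result): the keys match only when
    both sides were configured with the same pre-shared key."""
    rule = select_rule(policy, peer)
    if hmac.compare_digest(rule.pre_shared_key, peer_key):
        return rule.name, SECURE
    return rule.name, rule.fallback


if __name__ == "__main__":
    GROUP_KEY = "group-key-on-the-wall"      # constructed sample value
    EXEC_KEY = "president-cfo-private-key"   # constructed sample value
    president = build_policy(GROUP_KEY, EXEC_KEY, partner="cfo")
    print(negotiate(president, "cfo", EXEC_KEY))        # ('Executive rule', 'secure')
    print(negotiate(president, "payroll", GROUP_KEY))   # ('Default Rule', 'secure')
    print(negotiate(president, "visitor", "wrong"))     # ('Default Rule', 'allow_without_security')
    locked = build_policy(GROUP_KEY, EXEC_KEY, partner="cfo", lockdown=True)
    print(negotiate(locked, "visitor", "wrong"))        # ('Default Rule', 'deny_communication')
    misordered = SystemPolicy([default_rule(GROUP_KEY, False), president.rules[0]])
    print(check_policy(misordered))                     # ['rules shadowed by ...: Executive rule']
```

The ordering matters because the Default Rule applies to Everybody: once it is reached, no later rule is consulted, which is why the executives’ special rule has to sit ahead of it. The Lockdown case shows the difference in what a failed negotiation means for a peer that does not hold the matching key: without Lockdown the traffic passes unprotected, with Lockdown it is dropped.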