Installing Packet Protect
fallback to clear communication, same pre-shared key—then you’ll be able to
gain adequate security with minimum impact to your network.
If you decide on a more complex deployment model, you should consider the
benefits of the extra security that you have against the costs of maintaining and
running the model. There are two areas that you should evaluate—maintenance
and CPU utilization.
Maintenance
If you are considering a deployment model with many customizations and
specialized rules, be aware of the time and effort required for ongoing maintenance.
Because each computer with Packet Protect must be configured individually,
customizations require more effort to keep each computer up-to-date.
Let’s consider the previous example of the special rule for the president and
Chief Financial Officer of the corporation. In order for this rule to work as
designed, all aspects of the rule must match, or communication will be denied. If
the president’s computer uses a different setting in the security action from the
CFO’s computer, then a security association cannot be negotiated and therefore
all communication is denied. Consider then that it might take several days for
the president and CFO to even discover that their communications haven’t been
taking place, as assumed.
Even a new computer for the president could prevent secure communication
from happening. For example, when you set up this special rule, you identified
the two computers to Packet Protect by the names of the computers. The
president’s new computer has a new name. The next time the president and the CFO
attempt to communicate, the rule will fail because the computer name no longer matches.
You can imagine how difficult it can become to maintain specialized rules,
destination workgroups, and security actions in your network. Intel recommends that
you begin by using the simple, default model for secure communications. Over
time, you may consider customizations to enhance secure communications in
special cases.
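
An added example, not part of the original manual and not Intel's code: a small audit that compares the special rules configured on each computer and reports the two failure cases described above, a mismatched security action setting and a peer identified by a computer name that no longer exists. The inventory layout, field names, computer names, and algorithm values are constructed assumptions; this page does not show how Packet Protect stores its rules.

```python
# Constructed audit of special rules collected from each computer (hypothetical layout).
ACTION_FIELDS = ("esp_encryption", "esp_auth", "ah_auth", "clear_fallback", "psk_fingerprint")

def action(**overrides):
    """Build a security action from constructed default values."""
    base = {"esp_encryption": "3DES", "esp_auth": "SHA-1", "ah_auth": None,
            "clear_fallback": False, "psk_fingerprint": "a1b2"}
    base.update(overrides)
    return base

# Constructed inventory: computer name -> special rules configured on that computer.
INVENTORY = {
    "CFO-PC":     [{"peer": "PRES-PC", "action": action()},    # still names the old machine
                   {"peer": "AUDIT-PC", "action": action()}],
    "PRES-PC-02": [{"peer": "CFO-PC", "action": action()}],    # replacement machine, new name
    "AUDIT-PC":   [{"peer": "CFO-PC", "action": action(esp_auth="MD5")}],  # drifted setting
}

def audit(inventory):
    """Return sorted findings for rule pairs that cannot negotiate a security association."""
    findings = set()
    for host, rules in inventory.items():
        for rule in rules:
            peer = rule["peer"]
            if peer not in inventory:
                findings.add((host, peer, "peer name not in inventory (renamed or retired?)"))
                continue
            reverse = [r for r in inventory[peer] if r["peer"] == host]
            if not reverse:
                findings.add((host, peer, "peer has no matching rule for this computer"))
                continue
            theirs = reverse[0]["action"]
            for field in ACTION_FIELDS:
                if rule["action"].get(field) != theirs.get(field):
                    a, b = sorted((host, peer))  # report each pair once
                    findings.add((a, b, f"mismatch in {field}"))
    return sorted(findings)

if __name__ == "__main__":
    for host, peer, problem in audit(INVENTORY):
        print(f"{host} <-> {peer}: {problem}")
```

Running a check like this after every rule change or hardware replacement surfaces a denied pairing before the affected users discover it themselves.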
CPU Utilization
Another very important factor to consider is the effect of IPSec on your network,
as well as on the individual computers using Packet Protect. Generally, you can
assume that when you choose the most sophisticated security options, there will be
an impact on your network.
One example is choosing to use ESP (Encapsulating Security Payload) and AH
(Authentication Header) authentication together. While this combination affords
extra protection, you must consider that when you use both of these methods,
you cannot offload any processing to the adapter, and thus CPU utilization
increases. However, if you use just ESP authentication with the appropriate
adapter, you can take advantage of the hardware offload and get better CPU
utilization.
You must also consider the adapters that are installed in your Packet Protect
computers. Only the Intel PRO/100 S Server Adapter and Intel PRO/100 S Man-