Intel® Packet Protect User’s Guide
28
The rule ordering above requires the Finance Managers workgroup to have a
rule that lists your computer and the 3DES+SHA1+None security action in order
to negotiate secure communication. If the Finance Managers workgroup does
not have a matching rule, communication is denied.
Notice the importance of rule order. Packet Protect applies the first rule in the
list that matches the destination. If the Default Rule were ordered before the
To Finance Management rule, communication with Finance manager workstations
would be allowed "in the clear" (with no security) even if the Finance
Managers workgroup does not have a matching rule for communication with
R&D using the 3DES+SHA1+None algorithms. In this case, the general rule
would be applied first, and the specific rule would never be applied.
For instructions on how to order rules, see “Step 3: Order the Rules” on page 31.
The next section explains more about how Packet Protect computers use rules.
For information about security algorithms and about their notation, see “About
algorithm notation” on page 36.
How Does the System Policy Work?
The System Policy defines a collection of rules that describes the security
settings to enforce under certain situations. When a computer attempts
communication, Packet Protect evaluates a number of things before allowing the
communication.
The following example describes how the policy works:
1. MyComputer attempts to communicate with MyServer. Packet Protect searches
the System Policy for the first rule that matches MyServer, for example a rule
that specifies the 3DES+SHA1+None algorithms.
2. If a rule match is found, MyComputer proposes the security action settings
and authentication settings that you defined for that rule. The two
computers negotiate the security settings. If that negotiation is
successful, the two computers communicate using the agreed-upon settings.
If the negotiation fails, the communication is denied or is allowed
unsecured, depending on the rule's "If rule fails" setting.
If a rule match isn't found, the system proposes the pre-shared key
assigned to that computer's workgroup, together with the pre-defined
security settings (the default settings that are used for all communications).
See "Appendix A — IKE and IPSec" on page 53 for more information.
Note:
If the destination computer uses Packet Protect, it also
searches its policy for a rule with settings that match. If your
computer and the destination computer have matching rules,
the communication is allowed secure according to the specified
security action settings.
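The two points above, first-match rule ordering and the "If rule fails" decision, can be checked with a small model of the policy evaluation. The following is an added example, not code from Intel or from Packet Protect: it treats the System Policy as an ordered rule list, finds the first rule whose destination matches, and has the responder accept only if its own first matching rule carries the same security action. The workgroup subnets, host addresses, rule names and the "Clear" action label are constructed for illustration, and the negotiation is simplified to an exact match of the action string rather than a real IKE proposal exchange.

```python
"""Toy first-match evaluation of an ordered security policy (added example,
not Intel's code). Shows why a general rule placed before a specific rule
shadows it, and how the "If rule fails" setting decides the outcome."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CLEAR = "Clear"  # assumed label for "no security": communicate in the clear


@dataclass(frozen=True)
class Rule:
    name: str
    destinations: tuple      # CIDR strings; "0.0.0.0/0" matches any host
    action: str              # e.g. "3DES+SHA1+None", or CLEAR
    if_fails: str = "deny"   # "deny" or "clear": behaviour when negotiation fails

    def matches(self, host: str) -> bool:
        addr = ip_address(host)
        return any(addr in ip_network(n) for n in self.destinations)


def first_match(policy, host):
    """Return the first rule whose destination matches, or None."""
    for rule in policy:
        if rule.matches(host):
            return rule
    return None


def communicate(initiator_policy, responder_policy, src, dst):
    """Model the exchange. The initiator proposes the action from its first
    matching rule; the responder accepts only if its own first matching rule
    (looked up by the initiator's address) carries the same action.
    Returns ("secured" | "clear" | "denied", deciding rule)."""
    mine = first_match(initiator_policy, dst)
    if mine is None or mine.action == CLEAR:
        return "clear", mine          # nothing to negotiate
    theirs = first_match(responder_policy, src)
    if theirs is not None and theirs.action == mine.action:
        return "secured", mine
    # Negotiation failed: the initiator's "If rule fails" setting decides.
    return ("clear" if mine.if_fails == "clear" else "denied"), mine


def shadowed_rules(policy):
    """Ordering check: a rule is unreachable if every network it lists is
    contained in a network of some earlier rule. This is a sufficient test,
    not an exhaustive one (a union of several earlier networks is ignored)."""
    shadowed = []
    for i, rule in enumerate(policy):
        earlier = [ip_network(n) for r in policy[:i] for n in r.destinations]
        if all(any(ip_network(n).subnet_of(e) for e in earlier)
               for n in rule.destinations):
            shadowed.append(rule.name)
    return shadowed


# Constructed sample: an R&D host at 10.0.1.10, Finance managers in 10.0.2.0/24.
RND_HOST, FINANCE_HOST = "10.0.1.10", "10.0.2.20"
SECURE = "3DES+SHA1+None"
TO_FINANCE = Rule("To Finance Management", ("10.0.2.0/24",), SECURE, "deny")
TO_FINANCE_LENIENT = Rule("To Finance Management", ("10.0.2.0/24",), SECURE, "clear")
DEFAULT = Rule("Default Rule", ("0.0.0.0/0",), CLEAR)

RND_OK = [TO_FINANCE, DEFAULT]    # specific rule first: correct order
RND_BAD = [DEFAULT, TO_FINANCE]   # general rule first: shadows the specific one
FINANCE_WITH_RULE = [Rule("From R&D", ("10.0.1.0/24",), SECURE), DEFAULT]
FINANCE_NO_RULE = [DEFAULT]


def outcome(rnd_policy, finance_policy):
    """Outcome of the R&D host contacting a Finance manager workstation."""
    return communicate(rnd_policy, finance_policy, RND_HOST, FINANCE_HOST)[0]


if __name__ == "__main__":
    print("correct order, Finance has rule:", outcome(RND_OK, FINANCE_WITH_RULE))
    print("correct order, Finance lacks rule:", outcome(RND_OK, FINANCE_NO_RULE))
    print("Default Rule first, Finance lacks rule:", outcome(RND_BAD, FINANCE_NO_RULE))
    print("shadowed in bad order:", shadowed_rules(RND_BAD))
```

With the correct order, the R&D host gets a secured session when Finance has the matching rule and is denied when it does not; with the Default Rule first, the To Finance Management rule is never consulted and traffic goes in the clear regardless of what Finance has configured. The `shadowed_rules` check is the kind of lint a practitioner would run over a policy before deploying it.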
Add Rules to the System Policy
Adding rules to your policy is optional. If you are unsure whether you need
new rules, see "What is a Policy?" on page 25 for more information.
Creating a new rule involves several steps: