Configuring Security Settings
Note: If your computer needs to communicate securely with a mixed group of
domestic and export computers, make sure your policies have compatible
encryption settings. Computers using the export version can use DES
encryption only. If computers using the export version receive a policy
specifying 3DES encryption, they will actually use DES encryption for the
communication. Consider including both DES (56-Bit) and 3DES (168-Bit)
encryption in your security actions.
Table 6: Available Settings for Security Actions

Security Setting: Perfect forward secrecy
Description: The system proposes a second set of keys for the security
association (instead of using the first set of keys used to verify
identification). Packet Protect is designed to agree on any of the settings
(including none), but it proposes the setting you select.
Note: DO NOT use perfect forward secrecy if your computers will need to
communicate securely with Windows* 2000 IPSec computers or any other
non-Packet Protect IPSec computers. This setting is not compatible with
non-Packet Protect IPSec computers and may cause communication to fail.
Requires Match?: No

Security Setting: Anti-replay protection
Description: The system does not accept repeated packets; that is, packets
that the system already received. This helps protect against an intruder
sending the same packets repeatedly in an attempt to confuse an application.
Always use this option because it increases the level of protection with
very little impact on network traffic.
Requires Match?: No

Security Setting: Use algorithms in order of preference
Description: Combinations of algorithms a computer must use for a
communication: ESP encryption, ESP authentication, and AH authentication.
Packet Protect proposes the algorithm list (in order of preference) to the
destination computer during negotiation. Two computers attempting to
communicate securely must agree on an algorithm combination.
Requires Match?: Yes
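
The following is an added example, not Packet Protect code: a simplified Python model of the preference-ordered matching in Table 6 combined with the export-version note, showing why a 3DES-only security action finds no common combination with an export computer while a 3DES-then-DES list does. The names Combo, effective_policy and negotiate, the SHA-1 authentication value, and the exact-match rule are assumptions made for illustration.

```python
from typing import List, NamedTuple, Optional

class Combo(NamedTuple):
    """One algorithm combination from a security action's preference list."""
    esp_enc: Optional[str]   # "3DES", "DES" or None
    esp_auth: Optional[str]  # constructed sample value, e.g. "SHA-1"
    ah_auth: Optional[str]

def effective_policy(policy: List[Combo], export_version: bool) -> List[Combo]:
    """Return the combinations a computer can actually carry out.

    Per the note above, an export-version computer that receives a 3DES
    entry uses DES for it, so the entry is rewritten to DES here.
    """
    if not export_version:
        return list(policy)
    result: List[Combo] = []
    for combo in policy:
        if combo.esp_enc == "3DES":
            combo = combo._replace(esp_enc="DES")
        if combo not in result:          # a 3DES and a DES entry may collapse
            result.append(combo)
    return result

def negotiate(proposer: List[Combo], responder: List[Combo]) -> Optional[Combo]:
    """First proposed combination (in preference order) the responder also has."""
    for combo in proposer:
        if combo in responder:
            return combo
    return None                          # assumption: no common entry, no agreement

# Constructed sample policies (algorithm choices are illustrative).
STRICT = [Combo("3DES", "SHA-1", None)]
MIXED = [Combo("3DES", "SHA-1", None), Combo("DES", "SHA-1", None)]

if __name__ == "__main__":
    for name, policy in (("STRICT", STRICT), ("MIXED", MIXED)):
        domestic = effective_policy(policy, export_version=False)
        export = effective_policy(policy, export_version=True)
        print(name, "domestic->export:", negotiate(domestic, export))
        print(name, "domestic->domestic:", negotiate(domestic, domestic))
```

Listing 3DES first keeps traffic between two domestic computers on 168-bit keys; in this model the DES entry is selected only when the peer is an export version.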