4 Installing and Configuring Data Encryption Offloads
Configuring IPSec In Windows 2000
The 3C990B NIC accelerates IP security (IPSec) data encryption from supported operating
systems that provide this offload capability. This feature is currently available in the
Microsoft Windows 2000 operating system.
IPSec primarily consists of two parts:
■ encryption/decryption
■ authentication
To send or receive encrypted data in a PC running Windows 2000 with a 3C990B NIC
installed, you must first create a security policy, and then enable encryption on the NIC.
The security policy establishes and defines how encrypted network traffic between
your PC and a specified server occurs.
Authentication enables the receiver to verify the sender of a packet by adding key fields to
a packet without altering the packet data content.
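The authentication step described above can be seen in a short sketch of how an AH integrity check value (ICV) is computed and verified. This is an added example, not code from this manual or from Windows 2000; it assumes transport-mode AH with HMAC-SHA-1-96 over a simplified IPv4 packet, and the key, addresses, SPI and payload are constructed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA-1-96: HMAC-SHA-1 output truncated to 96 bits

def ipv4_header(src, dst, body_len, ttl=64):
    # 20-byte IPv4 header, protocol 51 (AH); checksum left at 0 for brevity
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0, 0,
                       ttl, 51, 0, bytes(src), bytes(dst))

def zero_mutable(hdr):
    # Zero fields routers may change: TOS (1), flags/offset (6-7), TTL (8), checksum (10-11)
    h = bytearray(hdr)
    h[1] = 0
    h[6:9] = bytes(3)
    h[10:12] = bytes(2)
    return bytes(h)

def ah_icv(key, packet):
    hdr, ah, payload = packet[:20], bytearray(packet[20:44]), packet[44:]
    ah[12:24] = bytes(ICV_LEN)  # the ICV field counts as zero while hashing
    data = zero_mutable(hdr) + bytes(ah) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def ah_protect(key, src, dst, payload, spi=0x1000, seq=1):
    # AH fixed part: next header (6 = TCP), length in 32-bit words minus 2,
    # reserved, SPI, sequence number; followed by the 12-byte ICV
    ah = struct.pack("!BBHII", 6, 4, 0, spi, seq) + bytes(ICV_LEN)
    pkt = ipv4_header(src, dst, len(ah) + len(payload)) + ah + payload
    return pkt[:32] + ah_icv(key, pkt) + pkt[44:]

def ah_verify(key, packet):
    return hmac.compare_digest(packet[32:44], ah_icv(key, packet))

def tamper(packet, offset, value):
    p = bytearray(packet)
    p[offset] = value
    return bytes(p)

KEY = b"constructed-demo-key"        # constructed; real keys are negotiated by IKE
PAYLOAD = b"GET /payroll HTTP/1.0"   # constructed sample data
PKT = ah_protect(KEY, (10, 0, 0, 5), (10, 0, 0, 9), PAYLOAD)

if __name__ == "__main__":
    print("intact packet verifies:   ", ah_verify(KEY, PKT))
    print("payload still cleartext:  ", PKT[44:] == PAYLOAD)
    print("TTL changed by a router:  ", ah_verify(KEY, tamper(PKT, 8, 63)))
    print("source address rewritten: ", ah_verify(KEY, tamper(PKT, 15, 99)))
```

Because the ICV covers the IP addresses, an AH-protected packet whose source address is rewritten in transit, for example by a NAT device, fails verification at the receiver.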
The following table shows the available levels of encryption:

Encryption Type   Encryption Level   Description
AH                Medium             Authentication only
ESP               High               Authentication and encryption
Custom            Varies             Provides encryption and an extra authentication that
                                     includes the IP header.
                                     Custom allows you to select options for both AH and
                                     ESP, such as MD5/SHA-1 and DES/3DES. You can also
                                     select the rate at which new keys are negotiated.
                                     Microsoft uses IKE key exchange to renew keys every
                                     x seconds or y bytes. However, this practice carries
                                     a high computational overhead. Some users may set
                                     these values low and have frequent key updates.
                                     Users more concerned with performance will set
                                     these values higher.
                                     For more information, refer to the Microsoft
                                     documentation about creating IPSec flows.

Creating a Security Policy
The process you use to create and enable a security policy will depend on your network
environment requirements. The following is an example of one approach to creating a
security policy.

Defining the Console
This sequence establishes the Console and defines its parameters.
To define the Console:
1 In the Windows taskbar, click Start, Programs, Accessories, and then Command Prompt.
2 At the DOS prompt, enter:
    MMC
  The Console1 screen appears.
NOTE: You must complete all of the sequences in this section to establish and enable
a security policy for transmitting and receiving encrypted data over the network.