Q. If I install a PRO/100 S adapter, will my data be encrypted? A. Simply installing a PRO/100 S will not provide IPSec or encryption services of any kind. IPSec requires special software to configure and enforce security policies, and to negotiate Security Associations with other computers based on those policies.
The PRO/100 S adapters provide an encryption engine to offload the encryption process from the main processor. Currently, the only IPSec solution that will offload encryption to the PRO/100 S adapters is the IPSec capability built into Windows* 2000, Windows* XP and Windows* 2003 Server.
Q. Will a PRO/100 S encrypt my data when I use my browser over the Internet? A. When communicating with secure Web sites over the Internet, browsers use the Secure Sockets Layer (SSL), not IPSec. The PRO/100 S will not offload encryption of SSL data.
Q. Is a PRO/100 S adapter required for IPSec? A. No. Windows 2000 and Windows XP will run IPSec over any supported adapter. The advantage of the PRO/100 S family of adapters is that the adapter can offload the processor-intensive task of encryption. Using IPSec with adapters that do not feature the offload capability will have a significant impact on your computer's CPU utilization.
Q. Will use of IPSec and the PRO/100 S adapter stop hackers from getting into my network? A. The purpose of IPSec is to encrypt data as it passes over the network so that no one intercepting packets can discern the contents. It is not considered a form of access control and should not be used as such. IPSec should be used in conjunction with other security tools and proper network administration practices to keep your network secure.
Q. Once I have the PRO/100 S installed, how do I turn on the encryption? A. When installed in a supported Windows environment, the PRO/100 S will, by default, perform encryption offload automatically.
Q. Once I have IPSec installed, will all of my data be encrypted? A. Not necessarily. When configuring IPSec, you must set up policies that determine which computers or IP addresses to communicate with securely. Secure connections will only be established with IP addresses and ports as defined by the policies. Also, some IP functions such as DHCP cannot be encrypted.
Q. Once I have IPSec installed and configured, how can I be sure my data is being encrypted? A. Windows 2000 has a utility named IPSecMon.exe. Run this utility to display details about the currently active Security Associations. Windows* XP and Windows* 2003 Server have an IP Security Monitor Snap-in that can be added via MMC.
Q. What if I have IPSec security associations with multiple machines at the same time? Do they all use the same key? Will a network traffic monitor program on one computer be able to read the packets going to another? A. No. IPSec negotiates different keys for each security association, so no two computers will use the same keys. IPSec uses a method of key exchange (the "Diffie-Hellman Method For Key Agreement") that establishes secret keys without the key ever crossing the network unencrypted.
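The per-association key agreement described in the last answer, as an added example that is not part of the original FAQ or of any Intel or Microsoft code. It assumes the 1024-bit MODP group from RFC 2409 and a simplified SHA-256 key derivation; the `Host`, `negotiate` and `demo` names are hypothetical.

```python
import hashlib
import secrets

# 1024-bit MODP prime and generator from RFC 2409 (Oakley Group 2).
# Assumption: the page does not say which group the hosts negotiate.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

class Host:
    """One endpoint; holds a separate DH private value per peer (per SA)."""
    def __init__(self, name):
        self.name = name
        self._priv = {}  # peer name -> private exponent, never transmitted

    def public_for(self, peer):
        self._priv[peer] = secrets.randbelow(P - 3) + 2  # range 2 .. P-2
        return pow(G, self._priv[peer], P)  # the only value put on the wire

    def key_for(self, peer, peer_public):
        if not 1 < peer_public < P - 1:  # reject degenerate values 0, 1, P-1
            raise ValueError("invalid DH public value")
        shared = pow(peer_public, self._priv[peer], P)
        # Simplification: real IKE also mixes in nonces and authenticates peers.
        return hashlib.sha256(shared.to_bytes(128, "big")).digest()

def negotiate(a, b, wire):
    """Exchange public values over `wire` and return each side's derived key."""
    pub_a, pub_b = a.public_for(b.name), b.public_for(a.name)
    wire += [(a.name, b.name, pub_a), (b.name, a.name, pub_b)]
    return a.key_for(b.name, pub_b), b.key_for(a.name, pub_a)

def demo():
    wire = []  # everything a traffic monitor could capture
    a, b, c = Host("A"), Host("B"), Host("C")
    ab_a, ab_b = negotiate(a, b, wire)
    ac_a, ac_c = negotiate(a, c, wire)
    # C holds its own SA with A, captures A's public value sent to B, and tries it.
    c_guess = c.key_for("A", wire[0][2])
    return {"ab_agree": ab_a == ab_b, "ac_agree": ac_a == ac_c,
            "per_sa_keys_differ": ab_a != ac_a,
            "c_cannot_derive_ab": c_guess != ab_a, "wire": wire}

if __name__ == "__main__":
    print({k: v for k, v in demo().items() if k != "wire"})
```

Only the public values appear in `wire`; each pair of hosts ends up with its own key, and host C cannot reach the A-to-B key from what it captures.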