3Com 3CR990-FX-97 manual Offloading Encryption Processing, Configuring IPSec for Windows

Models: 3CR990-FX-97


Configuring IPSec Offloads

Offloading Encryption Processing

You can configure any two (or more) computers running Windows 2000 or Windows XP to perform IPSec encryption by changing the Local Security Setting in the operating system. With most other NICs, all IPSec processing is done by the host central processing unit (CPU), which significantly reduces the CPU capacity available for other work. The 3CR990-FX-97 NIC can offload all the encryption processing from the host CPU, thereby freeing the CPU to work on other tasks. The data-encryption offload capability of the 3CR990-FX-97 NIC is enabled at the factory.

For any two or more computers running operating systems other than Windows 2000 or Windows XP (that is, Windows 95/98/Me/NT), IPSec encryption is provided by third-party applications. The 3CR990-FX-97 NIC does not provide IPSec encryption offloading for those operating systems.

Auto-Selecting Basic or Strong Encryption Processing

The 3CR990-FX-97 NIC provides Data Encryption Standard (DES) 56-bit basic encryption processing and Triple DES (3DES) 168-bit strong encryption processing. DES and 3DES are IPSec bulk encryption algorithms for encrypting data. DES encrypts 64-bit data blocks using a 56-bit key. DES can be applied in several modes. 3DES achieves a higher level of security by encrypting the data three times using DES with three different, unrelated keys. 3DES is also known as 168-bit data encryption.
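The key sizes above can be checked on actual key material. The following is an added example, not part of the 3Com manual: it shows why a 64-bit DES key carries 56 key bits (one parity bit per byte) and why the three 3DES keys must differ to reach 168 bits. It assumes the standard encrypt-decrypt-encrypt (EDE) construction, which the manual does not spell out; the function names are hypothetical and the key bytes are constructed samples.

```python
# Added example: names are hypothetical and all key bytes are constructed samples.
DES_KEY_BYTES = 8          # 64 bits as stored
DES_EFFECTIVE_BITS = 56    # 7 key bits per byte; the low bit of each byte is parity


def strip_parity(key: bytes) -> bytes:
    """Clear the parity bit of every byte so only the 56 key bits remain."""
    return bytes(b & 0xFE for b in key)


def set_odd_parity(key: bytes) -> bytes:
    """Return the key with each byte's low bit set so the byte has odd parity."""
    out = bytearray()
    for b in strip_parity(key):
        out.append(b if bin(b).count("1") % 2 else b | 1)
    return bytes(out)


def effective_key_bits(bundle: bytes) -> int:
    """Effective key length of a 24-byte 3DES bundle K1 || K2 || K3.

    Assumes EDE: C = E_K3(D_K2(E_K1(P))). Keys are compared without their
    parity bits, because two keys that differ only in parity are the same key.
    """
    if len(bundle) != 3 * DES_KEY_BYTES:
        raise ValueError("a 3DES bundle is three 8-byte DES keys")
    k1, k2, k3 = (strip_parity(bundle[i:i + 8]) for i in (0, 8, 16))
    if k1 == k2 or k2 == k3:
        # An encrypt/decrypt pair cancels out, leaving one DES operation.
        return DES_EFFECTIVE_BITS
    if k1 == k3:
        # Only two independent keys remain (two-key 3DES).
        return 2 * DES_EFFECTIVE_BITS
    return 3 * DES_EFFECTIVE_BITS


if __name__ == "__main__":
    a = set_odd_parity(bytes.fromhex("0123456789abcdef"))
    b = set_odd_parity(bytes.fromhex("23456789abcdef01"))
    c = set_odd_parity(bytes.fromhex("456789abcdef0123"))
    for label, bundle in (("a|b|c", a + b + c), ("a|b|a", a + b + a),
                          ("a|a|c", a + a + c)):
        print(label, effective_key_bits(bundle), "bits")
```

A bundle that reports fewer than 168 bits offers less protection than the "strong" label implies.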

There is no need to configure the 3CR990-FX-97 NIC to establish a particular encryption setting: the NIC auto-selects the strongest encryption setting based on the data encryption setting of the partner (receiving or sending) node. If the partner node has a 3DES encryption setting, the NIC automatically processes data encryption using the 3DES standard; if the partner node has a DES encryption setting, the NIC automatically processes data encryption using the DES standard; if the partner node has no encryption setting, the NIC automatically processes data in unencrypted form.

Configuring IPSec for Windows 2000

The 3CR990-FX-97 NIC accelerates IP security (IPSec) data encryption from supported operating systems that provide this offload capability. This feature is currently available in the Windows 2000 and Windows XP operating systems.

IPSec primarily consists of two parts:

encryption/decryption

authentication

To send or receive encrypted data on a PC running Windows 2000 with a 3CR990-FX-97 NIC installed, you must first create a security policy, and then enable encryption on the NIC. The security policy establishes and defines how encrypted network traffic flows between your PC and a specified server.

Authentication enables the receiver to verify the sender of a packet by adding key fields to a packet without altering the packet data content.
