| A |
| Access Control |
Refers to mechanisms and policies that restrict access to computer
resources. An access control list (ACL), for example, specifies what operations different
users can perform on specific files and directories.
|
| Active Content |
Active content is downloaded material that makes something happen when it arrives, as opposed to static content, such as text or simple images, that does nothing but get displayed. Active content includes such things as JavaScript animations, ActiveX controls and Java spreadsheets: anything that actually does something.
|
| ActiveX |
ActiveX is Microsoft's answer to the Java technology from Sun Microsystems.
An ActiveX control is roughly equivalent to a Java applet. ActiveX is the name Microsoft
has given to a set of "strategic" object-oriented program technologies and
tools. The main thing that you create when writing a program to run in the ActiveX
environment is a component, a self-sufficient program that can be run anywhere in your
ActiveX network (currently a network consisting of Windows and Macintosh systems). This
component is known as an ActiveX control.
|
| Address Book |
An automated e-mail address directory that allows you to address your
messages easily. Generally comes in personal and public versions.
|
| Address Resolution Protocol (ARP) |
See ARP
|
| Advanced Encryption Standard (AES) |
The Advanced Encryption Standard (AES) is a Federal Information Processing Standard (FIPS) Publication that specifies a cryptographic algorithm for use by U.S. Government organizations to protect sensitive (unclassified) information. This standard specifies Rijndael as a FIPS-approved symmetric encryption algorithm that may be used by U.S. Government organizations (and others) to protect sensitive information.
|
| Anti-Replay Service |
With anti-replay service, each IP packet passing within the secure association is tagged with a sequence number. On the receiving end, each packet's sequence number is checked to see if it falls within a specified range. If a packet's sequence number falls outside of that range, the packet is blocked. |
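As an added illustration of the receive-side check just described (example code written for this glossary entry, not code from the original page or from any RedCreek product), the following Python keeps a sliding window of accepted sequence numbers the way IPsec receivers do: a packet is accepted only if its number is not older than the window's low edge and has not already been seen, and a packet newer than anything seen so far advances the window. The window size and the packet sequence are constructed values.

```python
# Added example: an IPsec-style anti-replay window (not from the glossary).
# The receiver keeps the highest sequence number accepted so far plus a
# bitmap of the last WINDOW_SIZE numbers. Bit i of the bitmap set means
# sequence number (highest - i) has already been accepted.

WINDOW_SIZE = 64  # constructed value; a real receiver picks its own size


class AntiReplayWindow:
    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => (highest - i) was accepted

    def check_and_update(self, seq):
        """Return True and record seq if the packet is acceptable, else False."""
        if seq == 0:
            return False                      # sequence number 0 is never valid
        if seq > self.highest:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.highest
            if shift < self.size:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            else:
                self.bitmap = 1               # jumped past the whole window
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False                      # too old: fell out of the window
        if (self.bitmap >> diff) & 1:
            return False                      # already received: a replay
        self.bitmap |= 1 << diff              # late but new: accept and mark
        return True


def filter_packets(seqs, size=WINDOW_SIZE):
    """Run a constructed sequence of packet numbers through one window."""
    window = AntiReplayWindow(size)
    return [(seq, window.check_and_update(seq)) for seq in seqs]


if __name__ == "__main__":
    # Constructed arrival order: in-order packets, a duplicate, a reordered
    # packet, a late replay, a big jump, and a packet that is now too old.
    for seq, accepted in filter_packets([1, 2, 3, 2, 5, 4, 1, 100, 30, 99, 100]):
        print(seq, "accepted" if accepted else "dropped")
```

The reordered packet 4 (arriving after 5) is still accepted because it is inside the window and unseen; the second copies of 2 and 100 and the late copy of 1 are dropped as replays, and 30 is dropped because the jump to 100 moved the window past it.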
| Anti-virus |
A software program designed to identify and remove a known or potential computer virus.
|
| API (Application program interface) |
An API is the specific methodology by which
a programmer writing an application program may make requests of the operating system or
another application.
|
| Application Gateway Firewall |
Application gateways look at data at the
application layer of the protocol stack and serve as proxies for outside users,
intercepting packets and forwarding them to the application. Thus, outside users never
have a direct connection to anything beyond the firewall. The fact that the firewall looks
at this application information means that it can distinguish among such things as
Telnet,
file transfer protocol (FTP), or Lotus Notes traffic. Because the application gateway
understands these protocols, it provides security for each application it supports.
|
| Archiving |
An archive is a collection of computer files that have been packaged
together for backup, to transport to some other location, for saving away from the
computer so that more hard disk storage can be made available, or for some other purpose.
An archive can include a simple list of files or files organized under a directory or
catalog structure (depending on how a particular program supports archiving).
|
| ARP (Address Resolution Protocol) |
A protocol used to obtain the physical addresses (such as MAC addresses) of hardware units in a network environment. A host obtains such a physical address by broadcasting an ARP request, which contains the IP address of the target hardware unit. If the request finds a unit with that IP address, the unit replies with its physical hardware address.
|
| ASIC (Application Specific Integrated Circuit) |
A chip designed for a particular application. ASICs are built by connecting existing circuit building blocks in new ways. Since the building blocks already exist in a library, it is much easier to produce a new ASIC than to design a new chip from scratch.
|
| Asymmetrical Key Exchange |
Asymmetric or public key cryptography
is based on the concept of a key pair. Each half of the pair (one key) can encrypt
information so that only the other half (the other key) can decrypt it. One part of the
key pair, the private key, is known only by the designated owner; the other part, the
public key, is published widely but is still associated with the owner.
|
| Attachment |
A file that a user adds to an email message to transfer it to
another user.
|
| Authentication |
The process of determining the identity of a user that is attempting to access a network. Authentication occurs through challenge/response, time-based code sequences or other techniques. See CHAP and PAP.
|
| Authentication Header (AH) |
The Authentication Header is a mechanism for providing strong integrity and authentication for IP datagrams. It might also provide non-repudiation, depending on which cryptographic algorithm is used and how keying is performed. For example, use of an asymmetric digital signature algorithm, such as RSA, could provide non-repudiation.
|
| Authorization |
The process of determining what types of activities or access are
permitted on a network. Usually used in the context of authentication: once you have
authenticated a user, they may be authorized to have access to a specific service.
|
| B |
| Bandwidth |
Generally speaking, bandwidth is directly proportional to the amount
of data transmitted or received per unit time. In digital systems, bandwidth is
proportional to the data speed in bits per second (bps). Thus, a modem that works at
57,600 bps has twice the bandwidth of a modem that works at 28,800 bps.
|
| Bastion host |
A specific host that is used to intercept packets entering or leaving a network, and the system that any outsider must ordinarily connect with to access a system or service that is inside the network's firewall. Typically the bastion host must be highly secured because its placement makes it vulnerable to attack. See dual-homed gateway.
|
| Buffer Overflow Attack |
A buffer overflow attack works by exploiting a known bug in one of the
applications running on a server. It then causes the application to overlay system areas,
such as the system stack, thus gaining administrative rights. In most cases, this gives a
hacker complete control over the system. Also referred to as stack overflow.
|
| C |
| CA (Certificate Authority) |
See Certificate Authority
|
| CA Signature |
A digital code that vouches for the authenticity
of a digital certificate. The CA signature is provided by the
certificate authority (CA) that issued the
certificate.
|
| CGI exploit |
When a denial of service
attack is aimed at the CGI (common gateway interface), it is
referred to as a CGI exploit. The CGI is a standard way for a
Web server to pass a Web user's request to an application
program and to receive data back to forward to the user.
It is part of the Web's HTTP protocol. |
| Certificate Authority (CA) |
A certificate authority is an authority in a network that issues and manages security credentials and public keys for message encryption and decryption. As part of a public key infrastructure (PKI), a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can then issue a certificate.
|
| Challenge-Response |
A common authentication
technique whereby an individual is prompted (the challenge) to
provide some private information (the response). Most security
systems that rely on smart cards are based on
challenge-response. A user is given a code (the challenge)
which he or she enters into the smart card. The smart card
then displays a new code (the response) that the user can
present to log in.
|
| CHAP (Challenge-Handshake Authentication Protocol) |
An authentication technique where, after a link is established, a server sends a challenge to the requestor. The requestor responds with a value obtained by using a one-way hash function. The server checks the response by comparing it with its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection is usually terminated.
|
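The exchange described in the CHAP and Challenge-Response entries, written out as an added Python example (this is illustrative code for the glossary, not code from the original page or from any product it mentions). It follows the response construction of RFC 1994, MD5 over the identifier, the shared secret and the challenge, so the secret itself never crosses the link; the shared secret is a constructed value, and the server's comparison is done in constant time. A second function shows why the server must pick a fresh random challenge each time: a response captured for one challenge is useless against another.

```python
import hashlib
import hmac
import os

# Added example: a CHAP-style challenge/response (not from the glossary).
SECRET = b"constructed-shared-secret"   # constructed value, shared by both sides


def chap_response(identifier, secret, challenge):
    """Client side: one-way hash over identifier || secret || challenge (RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def server_challenge():
    """Server side: a fresh, unpredictable challenge for each attempt."""
    return os.urandom(16)


def server_verify(identifier, secret, challenge, response):
    """Server recomputes the expected value and compares in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(client_secret, identifier=1):
    """Full exchange: challenge out, response back, verdict on the server."""
    challenge = server_challenge()
    response = chap_response(identifier, client_secret, challenge)
    return server_verify(identifier, SECRET, challenge, response)


def replay_is_rejected(identifier=1):
    """A response recorded for one challenge does not satisfy a new one."""
    old_challenge = server_challenge()
    captured = chap_response(identifier, SECRET, old_challenge)
    new_challenge = server_challenge()
    return not server_verify(identifier, SECRET, new_challenge, captured)


if __name__ == "__main__":
    print("correct secret:", run_exchange(SECRET))
    print("wrong secret:  ", run_exchange(b"guess"))
    print("replayed value rejected:", replay_is_rejected())
```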
| Checksum or hash |
A checksum is a
count of the number of bits in a transmission unit that is
included with the unit so that the receiver can check to see whether the same number of
bits arrived. If the counts match, it's assumed that the complete transmission was
received.
|
| Circuit-level gateways |
Circuit-level gateways run proxy applications at the session layer
instead of the application layer. They can't distinguish different applications that run
on the same protocol stack. However, these gateways don't need a new module for every new
application, either. Circuit-level gateway is a firewall feature which can, when needed,
serve as an alternative to packet filtering or application gateway functionality.
|
| Cleanup interval |
A setting in the Ravlin Node Manager that
specifies how long a Ravlin unit waits before performing
automatic internal cleanup. In general, the busier the
network, the more often system cleanups should be
performed. |
| Client |
A client is the requesting program or
user in a client/server relationship. For example, the user of
a Web browser is effectively making client requests for pages
from servers all over the Web. The browser itself is a client
in its relationship with the computer that is getting and
returning the requested HTML file. |
| Community string |
A character string used to identify valid sources for SNMP requests, and to limit the scope of accessible information. Ravlin units use the community string like a password, allowing only a limited set of management stations to access its MIB. |
| Content blocking |
The ability to block network traffic
based on actual packet content. |
| Content filtering, scanning or screening |
The ability to review the actual
information that an end user sees when using a specific
Internet application. For example, the content of
e-mail. |
| Content virus |
See data driven attack. Commonly protected against with a virus
scanner. |
| Cookie |
A message given to a Web browser by a Web
server. The browser stores the message in a text file called
cookie.txt. The message is then sent back to the server each
time the browser requests a page from the
server. |
| CoS (Class of Service) |
Class of Service (CoS) is a way of
managing traffic in a network by grouping similar types of
traffic (for example, e-mail, streaming video, voice, large
document file transfer) together and treating each type as a
class with its own level of service
priority. |
| CryptoCore® |
A RedCreek hardware implementation that
offloads the heavy computational load usually imposed by
cryptographic tasks, freeing system resources and thus
allowing rapid encryption. |
| Cryptography |
A branch of
complex mathematics and engineering devoted to protecting
information from unwanted access. In the context of computer
networking, cryptography consists of encryption,
authentication,
and authorization. |
| D |
| Daemon |
A program that runs continuously and
exists for the purpose of handling periodic service requests
that a computer system expects to receive. The daemon program
forwards the requests to other programs (or processes) as
appropriate. Each server of pages on the Web has an HTTPD or
Hypertext Transfer Protocol daemon that continually waits for
requests to come in from Web clients and their users.
|
| Data driven attack |
A form of intrusion in which the attack
is encoded in seemingly innocuous data, and it is subsequently
executed by a user or other software to actually implement the
attack. |
| DES (Data Encryption Standard) |
A widely-used method of data encryption
using a private (secret) key that was judged so difficult to
break by the U.S. government that it was restricted for
exportation to other countries. There are
72,000,000,000,000,000 (72 quadrillion) or more possible
encryption keys that can be used. For each given message, the
key is chosen at random from among this enormous number of
keys. Like other private key cryptographic methods, both the
sender and the receiver must know and use the same private
key. |
| Denial of service attack |
A user or program takes up all the system
resources by launching a multitude of requests, leaving no
resources and thereby "denying" service to other users.
Typically, denial-of-service attacks are aimed at bandwidth
control. |
| DHCP (Dynamic Host Configuration Protocol) |
DHCP enables
individual computers on an IP network to extract their
configurations from a server (the 'DHCP server') or servers,
in particular, servers that have no exact information about
the individual computers until they request the information.
The overall purpose of this is to reduce the work necessary to
administer a large IP network. The most significant piece of
information distributed in this manner is the IP
address. |
| Diffie-Hellman |
The Diffie-Hellman Method For Key
Agreement allows two hosts to create and share a secret key.
VPNs operating on the IPSec standard use the Diffie-Hellman
method for key management. Key management in IPSec begins with
the overall framework called the Internet Security Association
and Key Management Protocol (ISAKMP). Within that framework is
the Internet Key Exchange (IKE) protocol. IKE relies on yet
another protocol known as OAKLEY and it uses
Diffie-Hellman. |
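The key agreement arithmetic behind the entry above, as an added Python example (written for this glossary; it is not code from the original page or from any IKE implementation). Each host picks a private exponent, publishes g raised to that exponent modulo p, and raises the other side's public value to its own exponent; both arrive at the same secret without ever sending it. The default prime P and generator G are constructed toy values, far smaller than the groups IKE actually uses, and the textbook numbers p = 23, g = 5 are included so the result can be checked by hand. The peer-value check rejects 0, 1 and p - 1, the values that would force a trivial shared secret.

```python
import secrets

# Added example: Diffie-Hellman key agreement (not from the glossary).
# P and G are constructed toy parameters for illustration only.
P = 2 ** 127 - 1   # a Mersenne prime; demo-sized, not an IKE group
G = 5


def keypair(p=P, g=G):
    """Pick a random private exponent and derive the public value g^priv mod p."""
    priv = secrets.randbelow(p - 2) + 1          # 1 <= priv <= p - 2
    return priv, pow(g, priv, p)


def shared_secret(their_pub, my_priv, p=P):
    """Raise the peer's public value to our private exponent."""
    if not 1 < their_pub < p - 1:
        # 0, 1 and p-1 make the shared secret predictable; refuse them.
        raise ValueError("invalid peer public value")
    return pow(their_pub, my_priv, p)


def agree(p=P, g=G):
    """Two hosts each compute the secret; True if they agree."""
    a_priv, a_pub = keypair(p, g)
    b_priv, b_pub = keypair(p, g)
    return shared_secret(b_pub, a_priv, p) == shared_secret(a_pub, b_priv, p)


def textbook_example():
    """p = 23, g = 5, private exponents 6 and 15: returns (A, B, secret_A, secret_B)."""
    p, g, a, b = 23, 5, 6, 15
    A = pow(g, a, p)                  # Alice publishes 8
    B = pow(g, b, p)                  # Bob publishes 19
    return A, B, shared_secret(B, a, p), shared_secret(A, b, p)


if __name__ == "__main__":
    print("textbook (A, B, sA, sB):", textbook_example())
    print("random toy-group agreement:", agree())
```

With p = 23 and g = 5, Alice's public value is 5^6 mod 23 = 8, Bob's is 5^15 mod 23 = 19, and both 19^6 mod 23 and 8^15 mod 23 equal 2.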
| DiffServ (Differentiated Services) |
Differential service mechanisms allow
providers to allocate different levels of service to different
users of the Internet. Broadly speaking, any traffic
management or bandwidth control mechanism that treats
different users differently - ranging from simple Weighted
Fair Queuing to RSVP and per-session traffic scheduling -
counts. However, in common Internet usage the term is coming
to mean any relatively simple, lightweight mechanism that does
not depend entirely on per-flow resource
reservation. |
| Digital Certificate |
A digital certificate is an electronic
"credit card" that establishes your credentials when doing
business or other transactions on the Web. It is issued by a
certification authority (CA). It contains your name, a serial
number, expiration dates, a copy of the certificate holder's
public key (used for encrypting and decrypting messages and
digital signatures), and the digital signature of the
certificate-issuing authority so that a recipient can verify
that the certificate is real. |
| Digital Signature |
A digital signature is an electronic
rather than a written signature that can be used by someone to
authenticate the identity of the sender of a message or of the
signer of a document. It can also be used to ensure that the
original content of the message or document that has been
conveyed is unchanged. Additional benefits to the use of a
digital signature are that it is easily transportable, cannot
be easily repudiated, cannot be imitated by someone else, and
can be automatically time-stamped. |
| DMZ (de-militarized zone) |
A network added between a protected
network and an external network in order to provide an
additional layer of security. Sometimes called a perimeter
network. |
| DNS (Domain Name System) |
The Internet protocol for mapping host
names, domain names and aliases to IP addresses. |
| DNS spoofing |
Breaching the trust relationship by
assuming the DNS name of another system. This is usually
accomplished by either corrupting the name service cache of a
victim system or by compromising a domain name server for a
valid domain. |
| Domain |
The unique name used to identify an
Internet network. |
| Domain name server |
A repository of addressing information
for specific Internet hosts. Name servers use the domain name
system to map IP addresses to Internet hosts. |
| Downloadable |
A "downloadable" is a file that has been
transmitted from one computer system to another, usually
smaller computer system. From the Internet user's
point-of-view, to download a file is to request it from
another computer (or from a Web page on another computer) and
to receive it. |
| Downstream post office |
A post office that communicates with a
mail server through another post office or other post offices.
|
| DSL (Digital Subscriber Line) |
DSL (Digital
Subscriber Line) is a technology for bringing high-bandwidth
information to homes and small businesses over ordinary copper
telephone lines. xDSL refers to different variations of DSL,
such as ADSL, HDSL, and RADSL. A DSL line can carry both data
and voice signals and the data part of the line is
continuously
connected. |
| DSS (Digital Signature Standard) |
The Digital Signature Standard (DSS) is a
cryptographic standard promulgated by the National Institute
of Standards and Technology (NIST) in 1994. It has been
adopted as the federal standard for authenticating electronic
documents, much as a written signature verifies the
authenticity of a paper document. |
| DSX (Dynamic Security Extension) |
A proprietary technology that is patented
and works in the following way. The operating system has a
system call (or vector) table that contains memory address
pointers for each system call. These pointers point to a
location in memory where the actual kernel code of the system
calls resides. DSX stores the address pointers for the
security sensitive system calls and then redirects these
pointers to the corresponding SECURED system call code, which
is located elsewhere in memory. |
| Dual-homed gateway |
A system that has two or more network
interfaces, each of which is connected to a different network.
In firewall configurations, a dual-homed gateway usually acts
to block or filter some or all of the traffic trying to pass
between the
networks. |
| E |
| e-business |
"e-business" ("electronic business," derived from such terms as "e-mail" and "e-commerce") is the conduct of business on the Internet, not only buying and selling but also servicing customers and collaborating with business partners. |
| e-commerce |
e-commerce (electronic commerce or EC) is
the buying and selling of goods and services on the Internet,
especially the World Wide Web. In practice, this term and
e-business are often used interchangeably. For online retail
selling, the term e-tailing is sometimes used.
|
| email client |
An application from which users can
create, send and read e-mail messages. |
| email server |
An application that controls the
distribution and storage of e-mail
messages. |
| Encryption |
Scrambling data in such a way that it can
only be unscrambled through the application of the correct
cryptographic key. |
| Encryption-In-Place (EIP) |
A security mode in which a Ravlin unit
encrypts the IP packet's payload only (without encrypting the
packet header). Because EIP does not require encryption of the
IP header or encapsulation of the IP packet, overhead is lower
and performance enhanced.
|
| Endpoint Group |
In a policy enforced network, an endpoint group represents subnets or an
individual host protected by a security appliance. By creating
and configuring endpoint groups, you can permit hosts in one
subnet to exchange data securely with hosts in another subnet.
Endpoint groups along with their associated policy enforcement points are generally members of a policy group. |
| Enterprise Object |
Within a policy enforced network, the enterprise is the highest-level
object category. It encompasses all management domains and all lower-level
divisions in the organization's secure networking
environment. |
| ESP (Encapsulated Security Payload) |
The Encapsulating Security Payload provides confidentiality for IP datagrams or packets, which are the message units that the Internet Protocol deals with and that the Internet transports, by encrypting the payload data to be protected.
|
| Ethernet |
A local-area network (LAN) protocol
developed by Xerox Corporation in cooperation with DEC and
Intel in 1976. Ethernet uses a bus or star topology and
supports data transfer rates of 100Mbps. |
| Executable |
An executable is a file that contains a
program - that is, a particular kind of file that is capable
of being executed or run as a program in the
computer. |
| Extended MAPI (Extended Messaging Application Programming Interface) |
An interface developed by Microsoft
that provides messaging functions including addressing,
sending, receiving and storing messages. |
| F |
| FDDI (Fiber Distributed Data Interface) |
A set of ANSI protocols for sending digital data over fiber optic cable. FDDI networks are token-passing networks, and support data rates of up to 100 Mbps (100 million bits per second). FDDI networks are typically used as backbones for wide-area networks.
|
| Filter |
A filter is a program or section of code that is designed to examine each input or output request for certain qualifying criteria and then process or forward it accordingly. |
| Firewall |
A firewall is a program that protects
the resources of one network from users from other networks.
Typically, an enterprise with an intranet that allows its
workers access to the wider Internet will want a firewall to
prevent outsiders from accessing its own private data
resources. |
| Firewall denial-of-service |
The firewall is specifically subjected
to a denial-of-service attack. |
| FTP (File Transfer Protocol) |
FTP is the simplest way to exchange
files between computers on the Internet. Like the Hypertext
Transfer Protocol (HTTP), which transfers displayable Web
pages and related files, and the Simple Mail Transfer Protocol
(SMTP), which transfers e-mail, FTP is an application protocol
that uses the Internet's TCP/IP
protocols. |
| G |
| Gateway |
A gateway is a network point that acts as
an entrance to another network. In a company network, a proxy
server acts as a gateway between the internal network and the
Internet. A gateway may also be any machine or service that
passes packets from one network to another network in their
trip across the Internet. |
| Green Screen Terminal |
Terminals that are designed to be
centrally-managed, configured with only essential equipment,
and devoid of CD-ROM players, diskette drives, and expansion
slots (and therefore lower in cost). |
| H |
| Hacker |
Hacker is a term used by some to mean "a
clever programmer" and by others, especially journalists or
their editors, to mean "someone who tries to break into
computer systems." |
| Headend or Head End |
A central control
device required by some networks (e.g., LANs or VPNs) to provide such
centralized functions as administration, diagnostic control,
and network access. |
| Highjacking or hijacking |
Control of a connection is taken by
the attacker after the user authentication has been
established. |
| HMAC (Hash-based Message Authentication Code) |
HMAC is a hash function based message
authentication code that was designed to meet the requirements
of the IPsec working group in the IETF, and is now a
standard. |
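As an added Python example of the keyed hash described above (written for this glossary entry; not code from the original page or from any IPsec implementation), the block below authenticates a datagram the way an integrity service such as AH does: sender and receiver share a key, the sender computes an HMAC tag over the header and payload, and the receiver recomputes it and compares in constant time. Unlike the unkeyed count in the "Checksum or hash" entry, the tag cannot be recomputed by someone who changes the data but does not hold the key. The key and the datagram bytes are constructed values, and SHA-256 is used as the underlying hash.

```python
import hashlib
import hmac

# Added example: HMAC-based datagram integrity check (not from the glossary).
KEY = b"constructed-32-byte-demo-key-0000"   # constructed shared key


def tag(key, header, payload):
    """Sender: HMAC-SHA256 over header and payload together."""
    return hmac.new(key, header + payload, hashlib.sha256).digest()


def verify(key, header, payload, received_tag):
    """Receiver: recompute and compare in constant time; True if untampered."""
    return hmac.compare_digest(tag(key, header, payload), received_tag)


def demo():
    """Returns (genuine accepted, altered payload rejected, wrong key rejected)."""
    header = b"\x45\x00\x00\x3c"          # constructed IPv4 header prefix
    payload = b"GET /index.html"          # constructed payload
    t = tag(KEY, header, payload)
    genuine = verify(KEY, header, payload, t)
    altered = verify(KEY, header, b"GET /secret.html", t)   # data changed, tag stale
    wrong_key = verify(b"other-key", header, payload, t)    # tag from a different key
    return genuine, altered, wrong_key


def unkeyed_digest_is_forgeable():
    """Contrast: a plain hash can simply be recomputed after altering the data."""
    original = hashlib.sha256(b"GET /index.html").digest()
    recomputed = hashlib.sha256(b"GET /secret.html").digest()
    # Nothing stops the altered message from carrying its own fresh digest.
    return hashlib.sha256(b"GET /secret.html").digest() == recomputed and original != recomputed


if __name__ == "__main__":
    print("genuine, altered, wrong key:", demo())
    print("unkeyed digest forgeable:", unkeyed_digest_is_forgeable())
```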
| HTML (HyperText Markup Language) |
A standard set of commands used to
structure documents and format text so that it can be used on
the Web. |
| HTTP (HyperText Transfer Protocol) |
HTTP is the set of rules for exchanging
files (text, graphic images, sound, video, and other
multimedia files) on the World Wide Web. Relative to the
TCP/IP suite of protocols (which are the basis for information
exchange on the Internet), HTTP is an application
protocol. |
| HTTPS (Secure Hypertext Transfer Protocol) |
The secure
hypertext transfer protocol (HTTPS) is a communications
protocol designed to transfer encrypted information between
computers over the World Wide Web. HTTPS is http using a
Secure Socket Layer (SSL). |
| Hybrid Auth |
The Hybrid Auth
extension allows the asymmetric use of digital certificates between client and server. The client verifies
the authenticity of the server's credentials (certificate),
and the server verifies the authenticity of the client's
credentials. Companies benefit from the interoperability of
standards-based IPSec with IKE as well as
the increased security of the PKI at the
central site, with no disruption to remote
users. |
| I |
| I2O (Intelligent Input/Output) |
Intelligent Input/Output (I2O) is a
hardware specification that describes a model for offloading
I/O processing from the CPU. The model is after the style of
what has been used in very large mainframes for years. It is
not a replacement for the PCI
architecture. |
| ICSA (International Computer Security Association) |
An organization with the mission to
continually improve commercial computer security through
certification of firewalls, anti-virus products and web sites.
ICSA also shares and disseminates information concerning
information security. |
| Insider attack |
An attack originating from inside a
protected network. |
| Internet Key Exchange (IKE) |
A hybrid protocol whose purpose is to
negotiate, and provide authenticated keying material for,
security associations in a protected manner. Processes which
implement this protocol can be used for negotiating virtual
private networks (VPNs) and also for providing a remote user
from a remote site (whose IP address need not be known
beforehand) access to a secure host or
network. |
| Intrusion detection |
Detection of break-ins or break-in
attempts by reviewing logs or other information available on a
network. |
| IP (Internet Protocol) |
The Internet Protocol is the method or
protocol by which data is sent from one computer to another on
the Internet. Each computer (known as a host) on the Internet
has at least one address that uniquely identifies it from all
other computers on the Internet. |
| IP spoofing |
An attack where the attacker impersonates
a trusted system by using its IP network
address. |
| IP hijacking |
An attack where an active, established
session is intercepted and taken over by the attacker. May
take place after authentication has occurred which allows the
attacker to assume the role of an already authorized
user. |
| IPSec (Internet Protocol Security) |
A developing standard for security at
the network or packet processing layer of network
communication. IPSec provides two choices of security service:
Authentication Header (AH), which essentially allows
authentication of the sender of data, and Encapsulating
Security Payload (ESP), which supports both authentication of
the sender and encryption of data as
well. |
| ISDN (Integrated Services Digital Network) |
A set of
communications standards allowing a single wire or optical
fibre to carry voice, digital network services and video. ISDN
gives a user up to 56 kbps of data bandwidth on a
phone line that is also used for voice, or up to 128 kbps if
the line is only used for data. |
| J |
| Java |
Java is a programming language expressly
designed for use in the distributed environment of the
Internet. It was designed to have the "look and feel" of the
C++ language, but it is simpler to use than C++ and enforces a
completely object-oriented view of programming. Java can be
used to create complete applications that may run on a single
computer or be distributed among servers and clients in a
network. It can also be used to build small application
modules or applets for use as part of a Web page. Applets make
it possible for a Web page user to interact with the page.
|
| K |
| Kerberos |
Kerberos was created by MIT as a solution
to network security problems. The Kerberos protocol uses
strong cryptography so that a client can prove its identity to
a server (and vice versa) across an insecure network
connection. After a client and server has used Kerberos to
prove their identity, they can also encrypt all of their
communications to assure privacy and data integrity as they go
about their
business. |
| Key |
In cryptography, a key is a variable
value that is applied using an algorithm to a string or block
of unencrypted text to produce encrypted text. The length of
the key generally determines how difficult it will be to
decrypt the text in a given message. |
| Key Management |
The establishment and enforcement of
message encryption and authentication procedures, in order to
provide privacy-enhanced mail (PEM) services for electronic
mail transfer over the Internet. |
| L |
| LDAP (Lightweight Directory Access Protocol) |
LDAP (Lightweight Directory Access
Protocol) is an emerging software protocol for enabling anyone
to locate organizations, individuals, and other resources such
as files and devices in a network, whether on the Internet or
on a corporate intranet. LDAP is a "lightweight" (smaller
amount of code) version of DAP (Directory Access Protocol),
which is part of X.500, a standard for directory services in a
network. |
| Litigation Protection |
Litigation protection is both the review
and recording of Internet, intranet and extranet
communications that is done in order to avoid litigation or
the documentation of the communications parties and content in
the event of litigation. |
| M |
| MAC (Media Access Control) |
On a network, the MAC (Media Access
Control) address is your computer's unique hardware number.
The MAC address is used by the Media Access Control sublayer
of the Data-Link Control (DLC) layer of telecommunication
protocols. There is a different MAC sublayer for each physical
device type. The Data-Link Layer is the protocol layer in a
program that handles the moving of data in and out across a
physical link in a network. |
| Macro Virus |
Macro viruses are small programs written
using the internal programming language of a specific
application program that replicate within documents created by
the application program. Common examples of application
programs that use macros include word processors such as Word
and spreadsheets such as Excel. |
| Malicious Code |
Malicious code is any code added,
changed, or removed from a software system in order to
intentionally cause harm or subvert the intended function of
the system. Traditional examples of malicious code include
viruses, worms, Trojan Horses, and attack scripts, while more
modern examples include Java attack applets and dangerous
ActiveX controls. |
| Management Domain |
In a policy enforced network, a management domain consists of one or more policy groups. A management domain usually
encompasses a large category of users. For example, a
management domain might contain all users who work with an
organization's financial data or with an insurance company's
patient records. Management domains may also be specific to
business relationships such as extranet partnerships or
branch-office data transfer. |
| MAPI (Messaging Application Programming Interface) |
An interface developed by Microsoft
that provides messaging functions including addressing,
sending, receiving and storing messages. Simple MAPI includes
some of these functions. Extended MAPI includes all of these
functions. |
| MIB (Management Information Base) |
A database of objects that can be
monitored by an SNMP-based network management system.
Standardized MIB formats allow any SNMP tool to monitor any
device defined by a
MIB. |
| MIME (Multipurpose Internet Mail Extensions) |
A protocol used for transmitting
documents with different formats via the
Internet. |
| Monitoring |
A view of individual user activity on a
network, generally in real time. Provides administrators with
the ability to view the content of user utilized
applications. |
| MPLS (Multiprotocol Label Switching) |
A base technology for using label switching in conjunction with network layer routing and for the implementation of that technology over various link level technologies, which may include Packet-over-Sonet, Frame Relay, ATM, and Ethernet. |
| N |
| NAPT (Network Address Port Translation) |
NAPT is a special case of NAT, where many
IP numbers are hidden behind a number of addresses, but in
contrast to the original NAT this does not mean there
can be only that number of connections at a time. In NAPT an
almost arbitrary number of connections is multiplexed using
TCP port information. The number of simultaneous connections
is limited by the number of addresses multiplied by the number
of TCP ports
available. |
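The multiplexing described in the NAPT entry can be made concrete with a small translation table. The following is an added example, not code from the glossary or from any product it describes; the address values (RFC 1918 internal hosts, a TEST-NET external address) and the tiny port range are constructed so the capacity limit and table exhaustion can be seen directly.

```python
from dataclasses import dataclass, field

@dataclass
class NaptTable:
    """Minimal NAPT translation table (constructed example, not a real router).

    Each outbound (internal_ip, internal_port) pair is mapped to a free
    (external_ip, external_port) slot; inbound packets are reversed through
    the same table. Capacity is addresses x ports, as the glossary states.
    """
    external_ips: list                       # public addresses available for translation
    port_range: range = range(1024, 65536)   # ports the translator may hand out
    forward: dict = field(default_factory=dict)  # (int_ip, int_port) -> (ext_ip, ext_port)
    reverse: dict = field(default_factory=dict)  # (ext_ip, ext_port) -> (int_ip, int_port)

    def capacity(self) -> int:
        """Maximum simultaneous connections: external addresses x ports."""
        return len(self.external_ips) * len(self.port_range)

    def translate_outbound(self, int_ip: str, int_port: int) -> tuple:
        """Return the external (ip, port) for an internal flow, allocating a slot if new."""
        key = (int_ip, int_port)
        if key in self.forward:            # existing connection keeps its mapping
            return self.forward[key]
        for ext_ip in self.external_ips:   # first free slot wins
            for ext_port in self.port_range:
                slot = (ext_ip, ext_port)
                if slot not in self.reverse:
                    self.forward[key] = slot
                    self.reverse[slot] = key
                    return slot
        raise RuntimeError("NAPT table exhausted: no free external port")

    def translate_inbound(self, ext_ip: str, ext_port: int):
        """Map a reply arriving at (ext_ip, ext_port) back to the internal host, or None."""
        return self.reverse.get((ext_ip, ext_port))

    def release(self, int_ip: str, int_port: int) -> None:
        """Free a slot when the connection closes so it can be reused."""
        slot = self.forward.pop((int_ip, int_port), None)
        if slot is not None:
            self.reverse.pop(slot, None)

def demo() -> dict:
    """Constructed walk-through: one external address, three usable ports."""
    table = NaptTable(external_ips=["203.0.113.5"], port_range=range(40000, 40003))
    result = {"capacity": table.capacity(), "mappings": {}}
    # three internal hosts all use the same source port; NAPT still separates them
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        result["mappings"][host] = table.translate_outbound(host, 50000)
    try:                                   # a fourth flow exceeds addresses x ports
        table.translate_outbound("10.0.0.4", 50000)
        result["exhausted"] = False
    except RuntimeError:
        result["exhausted"] = True
    table.release("10.0.0.2", 50000)       # closing a connection frees its slot
    result["after_release"] = table.translate_outbound("10.0.0.4", 50000)
    return result

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the walk-through makes is the one in the definition: three internal hosts with the same source port share one external address without colliding, because the external port, not the address, distinguishes them; the fourth flow fails only because the constructed port range holds three ports.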
| NAR (Network Address
Retention) |
A simplified IP addressing capability
that eliminates the need to establish an intermediate IP
address between a router and a firewall. Sometimes called
Proxy-ARP. This feature allows the implementation of a
firewall into an existing network without having to establish
a new IP address
scheme. |
| NAT (Network Address
Translation) |
Network Address Translation allows
your Intranet to use addresses that are different from what
the outside Internet thinks you are using. It permits many
users to share a single external IP address at the same time.
The NAT provides what some people call "address hiding", which
is, as it suggests, security through obscurity at
best. |
| Network Service
Access Policy |
A high level, issue specific policy
which defines those services that will be allowed or
explicitly denied from a restricted network, the way in which
these services will be used, and the conditions for exceptions
to the policy. |
| NNTP (Network News Transfer
Protocol) |
NNTP (Network News Transfer Protocol)
is the predominant protocol used by computers (servers and
clients) for managing the notes posted on newsgroups.
NNTP replaced the original Usenet protocol, UNIX-to-UN
|
| Nonrepudiation |
The goal of nonrepudiation is to prove
that a message has been sent and received. This is extremely
important in networks where commands and status must be issued
and responded to, where financial transactions must be
verifiably completed, and where signed contracts are
transmitted. |
| O |
| ODBC (Open Database
Connectivity) |
ODBC is a standard or open application
programming interface (API) for accessing a database. By using
ODBC statements in a program, you can access files in a number
of different databases, including Access, dBase, DB2, Excel,
and Text. In addition to the ODBC software, a separate module
or driver is needed for each database to be
accessed. |
| P |
| Packet |
A packet is the unit of data that is
routed between an origin and a destination on the Internet or
any other packet-switched network. When any file (e-mail
message, HTML file, GIF file, URL request, and so forth) is
sent from one place to another on the Internet, the
Transmission Control Protocol (TCP) layer of TCP/IP divides
the file into "chunks" of an efficient size for routing. Each
of these packets is separately numbered and includes the
Internet address of the destination. The individual packets
for a given file may travel different routes through the
Internet. When they have all arrived, they are reassembled
into the original file (by the TCP layer at the receiving
end). |
| Packet
Filters |
Packet filters keep out certain data
packets based on their source and destination addresses and
service type. Filters can be used to block connections from or
to specific hosts, networks or ports. Packet filters are
simple and fast. However, they make decisions based on a very
limited amount of information. |
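To show what "decisions based on a very limited amount of information" means in practice, here is an added example of a first-match packet filter (not code from the glossary or from any firewall product). The rule set, the TEST-NET addresses and the sample packets are constructed; the filter sees only addresses, protocol and destination port, so a packet headed for an allowed port passes whatever it carries.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port (the "service type")

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # source network; default matches any
    dst: str = "0.0.0.0/0"       # destination network; default matches any
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        """Header-only match: addresses, protocol and port. Payload is never consulted."""
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))

def filter_packet(rules: list, pkt: Packet, default: str = "deny") -> str:
    """First matching rule decides; unmatched packets get the default (deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Constructed rule set for a small perimeter: block one network outright,
# then permit only the web and mail services of two hosts.
RULES = [
    Rule("deny", src="198.51.100.0/24"),                        # blocked network, any service
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=80),  # web server
    Rule("allow", dst="192.0.2.20/32", proto="tcp", dport=25),  # mail server
]

# Constructed sample traffic, each with the decision a practitioner would expect.
SAMPLE_PACKETS = {
    "web_from_internet":      Packet("203.0.113.7", "192.0.2.10", "tcp", 80),
    "ssh_to_web_server":      Packet("203.0.113.7", "192.0.2.10", "tcp", 22),
    "web_from_blocked_net":   Packet("198.51.100.9", "192.0.2.10", "tcp", 80),
    "mail_to_mail_server":    Packet("203.0.113.7", "192.0.2.20", "tcp", 25),
    "mail_to_web_server":     Packet("203.0.113.7", "192.0.2.10", "tcp", 25),
    "udp_to_web_port":        Packet("203.0.113.7", "192.0.2.10", "udp", 80),
}

def evaluate_all(rules: list = RULES, packets: dict = SAMPLE_PACKETS) -> dict:
    """Run every sample packet through the filter and return name -> decision."""
    return {name: filter_packet(rules, pkt) for name, pkt in packets.items()}

if __name__ == "__main__":
    for name, decision in evaluate_all().items():
        print(f"{name:24s} {decision}")
```

Rule order matters: the deny for 198.51.100.0/24 sits first, so a web request from that network is dropped even though a later rule allows port 80. The limitation the glossary mentions is visible in `web_from_internet`: the filter allows it because of its header fields alone, and anything else using TCP port 80 to that host would be allowed the same way, which is why packet filters are usually paired with proxies or application-aware inspection.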
| Packet
Sniffing |
Intercepting packets of information
(for example, packets carrying a credit card number)
that are traveling between locations on the
Internet. |
| PAP (Password
Authentication Procedure)
|
A procedure used to validate a
connection request. After the link is established, the
requestor sends a password and an id to the server. The server
either validates the request and sends back an
acknowledgement, terminates the connection, or offers the
requestor another chance.
|
| Password-based attacks |
An attack where repetitive attempts
are made to duplicate a valid log-in and/or password
sequence. |
| Perimeter network |
See DMZ. |
| PGP (Pretty Good
Privacy) |
A cryptographic product family that
enables people to securely exchange messages, and to
secure files, disk volumes and network connections with both
privacy and strong authentication. |
| Ping of Death
Attack |
A notorious exploit that (when first
discovered) could be easily used to crash a wide variety of
machines by overrunning the size limits in their TCP/IP
stacks. The term is now used to refer to any nudge delivered
by hackers over the network that causes bad things to happen
on the system being nudged. |
| PKCS (Public-Key
Cryptography Standards) |
The Public-Key Cryptography Standards are
specifications produced by RSA Laboratories in cooperation
with secure systems developers worldwide for the purpose of
accelerating the deployment of public-key cryptography. First
published in 1991 as a result of meetings with a small group
of early adopters of public-key technology, the PKCS documents
have become widely referenced and
implemented. |
| PKI (Public Key
Infrastructure) |
A PKI (public key infrastructure) enables
users of a basically unsecure public network such as the
Internet to securely and privately exchange data and money
through the use of a public and a private cryptographic key
pair that is obtained and shared through a trusted authority.
|
| Platform attack |
An attack that focuses on
vulnerabilities in the operating system hosting the
firewall. |
| PPP (Point-to-Point
Protocol) |
Point-to-Point
Protocol (PPP) is a protocol for
communication between two computers using a serial interface,
typically a personal computer connected by phone line to a
server. |
| PPPoE (Point-to-Point Protocol over
Ethernet) |
PPP over Ethernet (PPPoE) provides the
ability to connect a network of hosts over a simple bridging
access device to a remote Access Concentrator
(Server). |
| PPTP (Point-to-Point
Tunneling Protocol) |
Point-to-Point
Tunneling Protocol (PPTP) is a network protocol that
enables the secure transfer of data from a remote client to a
private enterprise server by creating a virtual private
network (VPN) across TCP/IP-based data networks. PPTP supports
on-demand, multi-protocol, virtual private networking over
public networks, such as the Internet. |
| Policy Enforced Network (PEN) |
A Policy Enforced Network is a management
architecture in which the creation, delivery and enforcement
of business rules in an information network are defined and
automated. Policy Enforced Networking is designed to
bring structure and organization to information networks
whether they are within a campus or are distributed around the
globe. |
| Policy Enforcement
Points (PEP) |
In a policy enforced network, a policy enforcement point represents a
security appliance used to protect one or more endpoints. PEPs
are also points for monitoring the health and status of a
network. PEPs are generally members of a policy group. |
| Policy Groups |
In a policy enforced network (PEN), a policy group represents endpoint groups
and their associated policy enforcement points. A policy group also contains business rules
concerning membership, access privileges, and traffic flow (including data
authentication, encryption, and address translation). In most
cases, a policy group’s members are related to each other in
ways useful to the organization. Policy groups are generally
members of a management
domain. |
| Policy Management Zone (PMZ) |
The Policy Management Zone protects
communications between trusted parties and firewalls access to
untrusted domains in an information
network. |
| Policy Rules |
In a policy enforced network (PEN), policy rules determine how the members
and endpoint groups
of a policy group
communicate. |
| Polymorphic
virus |
Polymorphic viruses encrypt the body of
the virus in an attempt to hide its signature from anti-virus
programs. |
| POP3 (Post Office Protocol
3) |
An e-mail protocol used to retrieve
e-mail from a remote server over an Internet
connection. |
| Private
Key |
In cryptography, a
private or secret key is an encryption/decryption key known only to
the party or parties that exchange secret messages. In
traditional secret key cryptography, a key would be shared by
the communicators so that each could encrypt and decrypt
messages. The risk in this system is that if either party
loses the key or it is stolen, the system is broken. A more
recent alternative is to use a combination of public and
private keys. In this system, a public key is
used together with a private key. |
| Protocol |
A special set of rules for communicating
that the end points in a telecommunication connection use when
they send signals back and forth. Protocols exist at several
levels in a telecommunication connection. There are hardware
telephone protocols. There are protocols between the end
points in communicating programs within the same computer or
at different locations. Both end points must recognize and
observe the protocol. Protocols are often described in an
industry or international standard. |
| Protocol
Attacks |
A protocol attack
is one in which the attacker exploits the characteristics of network
services themselves. Examples include the
creation of infinite protocol loops which result in denial of service (e.g., echo packets under IP), the use of
information packets under the Network
News Transfer Protocol to map
out a remote site, and use of the Source Quench protocol
element to reduce traffic rates through select network
paths. |
| Proxy |
An agent that acts on behalf of a user,
typically accepting a connection from a user and completing a
connection on behalf of the user with a remote host or
service. See also gateway and proxy server. |
| Proxy Server
|
A proxy server is
one that acts on behalf of one or more other servers, usually
for screening, firewall, caching, or a combination of these
purposes. Gateway is often used as a synonym for "proxy
server." Typically, a proxy server is used within a company or
enterprise to gather all Internet requests, forward them out
to Internet servers, and then receive the responses and in
turn forward them to the original requestor within the
company. |
| Public
Key |
A public key is a
value provided by some designated authority as a key that,
combined with a private key derived from the public key, can
be used to effectively encrypt and decrypt messages and
digital signatures. The use of combined public and private keys is
known as |