A |
Access Control |
Refers to mechanisms and policies that restrict access to computer
resources. An access control list (ACL), for example, specifies what operations different
users can perform on specific files and directories.
|
Active Content |
Active content refers to material that is downloaded
that makes something happen, as opposed to static content, such as text
or simple images that do nothing but get displayed. Active content
includes such things as JavaScript animations, ActiveX controls, Java
spreadsheets...anything that actually does something.
|
ActiveX |
ActiveX is Microsoft's answer to the Java technology from Sun Microsystems.
An ActiveX control is roughly equivalent to a Java applet. ActiveX is the name Microsoft
has given to a set of "strategic" object-oriented program technologies and
tools. The main thing that you create when writing a program to run in the ActiveX
environment is a component, a self-sufficient program that can be run anywhere in your
ActiveX network (currently a network consisting of Windows and Macintosh systems). This
component is known as an ActiveX control.
|
Address Book |
An automated e-mail address directory that allows you to address your
messages easily. Generally comes in personal and public versions.
|
Address Resolution Protocol (ARP) |
See ARP
|
Anti-Replay Service |
With anti-replay service, each IP packet passing within the secure
association is tagged with a sequence number. On the receiving end, each packet's sequence
number is checked to see if it falls within a specified range. If an IP packet tag number
falls outside of the range, the packet is blocked.
|
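An added example of the anti-replay check described above (not part of the original glossary): a sliding window of recently seen sequence numbers, where a packet is blocked if its number is already marked or has fallen below the window. The window size and the sample arrival order are constructed for the demo.

```python
"""Anti-replay sliding window in the style of the IPsec service described above.

Added example, not from the original glossary. The window size (64) and the
sample sequence numbers are constructed for illustration.
"""
from __future__ import annotations


class AntiReplayWindow:
    """Tracks received sequence numbers inside a fixed-size window.

    A packet is accepted only if its sequence number is newer than the window's
    low edge and has not been seen before; otherwise it is blocked.
    """

    def __init__(self, window_size: int = 64) -> None:
        self.window_size = window_size
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => sequence (highest - i) was seen
        self.blocked: list[tuple[int, str]] = []   # (seq, reason), for logging

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if the packet is acceptable."""
        if seq == 0:
            # Sequence numbering starts at 1; 0 is never valid
            self.blocked.append((seq, "zero sequence number"))
            return False
        if seq > self.highest:
            # Newer than anything seen: slide the window forward
            shift = seq - self.highest
            if shift >= self.window_size:
                self.bitmap = 1
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window_size:
            # Older than the window: cannot tell whether it is a replay, so block
            self.blocked.append((seq, "below window"))
            return False
        if self.bitmap & (1 << offset):
            # Already received once: this is a replay
            self.blocked.append((seq, "replayed"))
            return False
        self.bitmap |= 1 << offset      # late but legitimate reordering
        return True


def process_sequence(seqs: list[int], window_size: int = 64) -> list[bool]:
    """Run a list of sequence numbers through one window; True = accepted."""
    win = AntiReplayWindow(window_size)
    return [win.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: in-order, a reorder, a replay, a jump, a stale packet
    sample = [1, 2, 3, 5, 4, 3, 100, 30]
    for seq, ok in zip(sample, process_sequence(sample)):
        print(f"seq={seq:4d} {'accepted' if ok else 'blocked'}")
```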
Anti-virus |
A software program designed to identify and remove a known or potential
computer virus.
|
API (Application program interface) |
An API is the specific methodology by which
a programmer writing an application program may make requests of the operating system or
another application.
|
Application Gateway Firewall |
Application gateways look at data at the
application layer of the protocol stack and serve as proxies for outside users,
intercepting packets and forwarding them to the application. Thus, outside users never
have a direct connection to anything beyond the firewall. The fact that the firewall looks
at this application information means that it can distinguish among such things as
Telnet,
file transfer protocol (FTP), or Lotus Notes traffic. Because the application gateway
understands these protocols, it provides security for each application it supports.
|
Archiving |
An archive is a collection of computer files that have been packaged
together for backup, to transport to some other location, for saving away from the
computer so that more hard disk storage can be made available, or for some other purpose.
An archive can include a simple list of files or files organized under a directory or
catalog structure (depending on how a particular program supports archiving).
|
ARP (Address Resolution Protocol) |
A protocol used to obtain the physical addresses
(such as MAC addresses) of hardware
units in a network environment. A host obtains such a
physical address by broadcasting
an ARP request, which contains the IP address of the target
hardware unit. If the request
finds a unit with that IP address, the unit replies with its
physical hardware address.
|
ASIC (Application Specific Integrated Circuit) |
A chip designed for a particular application. ASICs are built by
connecting existing circuit building blocks in new ways. Since the
building blocks already exist in a library, it is much easier to produce a
new ASIC than to design a new chip from scratch.
|
Asymmetrical Key Exchange |
Asymmetric or public key cryptography
is based on the concept of a key pair. Each half of the pair (one key) can encrypt
information so that only the other half (the other key) can decrypt it. One part of the
key pair, the private key, is known only by the designated owner; the other part, the
public key, is published widely but is still associated with the owner.
|
Attachment |
A file that a user adds to an email message to transfer it to
another user.
|
Authentication |
The process of determining the identity of a user that is attempting
to access a network. Authentication occurs through challenge/response, time-based code
sequences or other techniques. See CHAP and PAP.
|
Authentication Header (AH) |
The Authentication Header is a mechanism for
providing strong integrity and authentication for IP datagrams. It might
also provide non-repudiation, depending on which cryptographic algorithm
is used and how keying is performed. For example, use of an asymmetric
digital signature algorithm, such as RSA, could
provide non-repudiation.
|
Authorization |
The process of determining what types of activities or access are
permitted on a network. Usually used in the context of authentication: once you have
authenticated a user, they may be authorized to have access to a specific service.
|
B |
Bandwidth |
Generally speaking, bandwidth is directly proportional to the amount
of data transmitted or received per unit time. In digital systems, bandwidth is
proportional to the data speed in bits per second (bps). Thus, a modem that works at
57,600 bps has twice the bandwidth of a modem that works at 28,800 bps.
|
Bastion host |
A specific host that is used to intercept packets entering or
leaving a network, and the system that any outsider must ordinarily connect with to access
a system or service that is inside the network's firewall. Typically the bastion host must
be highly secured because it is vulnerable to attack due to its placement. See dual-homed
gateway.
|
Buffer Overflow Attack |
A buffer overflow attack works by exploiting a known bug in one of the
applications running on a server. It then causes the application to overlay system areas,
such as the system stack, thus gaining administrative rights. In most cases, this gives a
hacker complete control over the system. Also referred to as stack overflow.
|
C |
CA (Certificate Authority) |
See Certificate Authority
|
CA Signature |
A digital code that
vouches for the authenticity of a digital certificate. The CA signature is
provided by the certificate authority
(CA) that issued the certificate.
|
CGI exploit |
When a denial
of service attack is aimed at the CGI (common gateway interface), it is referred to as a CGI exploit. The CGI is a standard way for a Web server to pass a Web user's request
to an application program and to receive data back to forward to the user. It is
part of the Web's HTTP protocol.
|
Certificate Authority (CA) |
A certificate authority is an authority in a network that issues and
manages security credentials and public
keys for message encryption and decryption. As part of a public key infrastructure (PKI), a CA checks with a registration
authority (RA) to verify information provided
by the requestor of a digital
certificate. If the RA verifies the requestor's information, the CA can then issue a
certificate.
|
Challenge-Response |
A common authentication
technique whereby an individual is prompted (the challenge) to provide
some private information (the response). Most security systems that rely
on smart cards are based on challenge-response. A user is given a code
(the challenge) which he or she enters into the smart card. The smart
card then displays a new code (the response) that the user can present
to log in.
|
CHAP (Challenge-Handshake Authentication Protocol) |
An authentication technique where after a link is established, a
server sends a challenge to the requestor. The requestor responds with a value obtained by
using a one-way hash function. The server checks the response by comparing it with its own
calculation of the expected hash value. If the values match, the authentication is
acknowledged; otherwise the connection is usually terminated.
|
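An added example of the challenge-response exchange described under Challenge-Response and CHAP above (not part of the original glossary): the server issues an identifier and a random challenge, the requestor returns a one-way hash over identifier, secret and challenge, and the server compares it with its own computation. The shared secret, user names and choice of SHA-256 are assumptions of this demo; standard CHAP uses MD5.

```python
"""Challenge-handshake authentication exchange, both sides.

Added example, not from the original glossary. Secrets and user names are
constructed; SHA-256 stands in for the one-way hash.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Challenge:
    identifier: int        # ties a response to this particular challenge
    value: bytes           # random octets chosen by the server


def one_way_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value = H(identifier || secret || challenge)."""
    return hashlib.sha256(bytes([identifier]) + secret + challenge).digest()


class Server:
    def __init__(self, secrets_by_user: dict[str, bytes]) -> None:
        self._secrets = secrets_by_user
        self._outstanding: dict[int, bytes] = {}   # challenges not yet answered
        self._next_id = 0

    def issue_challenge(self) -> Challenge:
        self._next_id = (self._next_id + 1) % 256
        value = secrets.token_bytes(16)
        self._outstanding[self._next_id] = value
        return Challenge(self._next_id, value)

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        # Each challenge is consumed once, so a captured response cannot be reused
        challenge = self._outstanding.pop(identifier, None)
        secret = self._secrets.get(username)
        if challenge is None or secret is None:
            return False
        expected = one_way_hash(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare


class Requestor:
    def __init__(self, username: str, secret: bytes) -> None:
        self.username = username
        self._secret = secret

    def respond(self, challenge: Challenge) -> bytes:
        # The secret itself never leaves the requestor; only the hash does
        return one_way_hash(challenge.identifier, self._secret, challenge.value)


def run_handshake(server: Server, requestor: Requestor) -> bool:
    """Full exchange: challenge, response, server-side comparison."""
    challenge = server.issue_challenge()
    response = requestor.respond(challenge)
    return server.verify(challenge.identifier, requestor.username, response)


if __name__ == "__main__":
    # Constructed shared secret for the demo user
    server = Server({"alice": b"constructed-shared-secret"})
    print("correct secret:", run_handshake(server, Requestor("alice", b"constructed-shared-secret")))
    print("wrong secret:  ", run_handshake(server, Requestor("alice", b"guess")))
```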
Checksum or hash |
A checksum is a
count of the number of bits in a transmission unit that is
included with the unit so that the receiver can check to see whether the same number of
bits arrived. If the counts match, it's assumed that the complete transmission was
received.
|
Circuit-level gateways |
Circuit-level gateways run proxy applications at the session layer
instead of the application layer. They can't distinguish different applications that run
on the same protocol stack. However, these gateways don't need a new module for every new
application, either. Circuit-level gateway is a firewall feature which can, when needed,
serve as an alternative to packet filtering or application gateway functionality.
|
Cleanup interval |
A setting in the Ravlin Node Manager that specifies
how long a Ravlin unit waits before performing automatic internal cleanup.
In general, the busier the network, the more often system cleanups should
be performed.
|
Client |
A client is the requesting program or user in a client/server
relationship. For example, the user of a Web browser is effectively making client requests
for pages from servers all over the Web. The browser itself is a client in its
relationship with the computer that is getting and returning the requested HTML file.
|
Community string |
A character string used to identify valid sources
for SNMP requests, and to limit the scope of
accessible information. Ravlin units use the community string like a
password, allowing only a limited set of management stations to access its
MIB.
|
Content blocking |
The ability to block network traffic based on
actual packet content.
|
Content filtering, scanning or screening |
The ability to review the actual information that
an end user sees when using a specific Internet application. For example, the content of
e-mail.
|
Content virus |
See data driven
attack. Commonly protected against with a virus
scanner.
|
Cookie |
A message given to a Web browser by a Web server. The browser stores
the message in a text file called cookie.txt. The message is then
sent back to the server each time the browser requests a page from the
server.
|
CoS (Class of Service) |
Class of Service (CoS) is a way of managing
traffic in a network by grouping similar types of traffic (for example,
e-mail, streaming video, voice, large document file transfer) together
and treating each type as a class with its own level of service
priority.
|
CryptoCore |
A RedCreek hardware
implementation that offloads the heavy computational load usually imposed
by cryptographic tasks, freeing system resources and thus allowing rapid
encryption.
|
Cryptography |
A branch of complex mathematics and
engineering devoted to protecting information from unwanted access. In the
context of computer networking, cryptography consists of
encryption,
authentication, and authorization.
|
D |
Daemon |
A program that runs continuously and exists for the purpose of
handling periodic service requests that a computer system expects to receive. The daemon
program forwards the requests to other programs (or processes) as appropriate. Each server
of pages on the Web has an HTTPD or Hypertext Transfer Protocol daemon that continually
waits for requests to come in from Web clients and their users.
|
Data driven attack |
A form of
intrusion in which the attack is encoded in seemingly innocuous data, and it is
subsequently executed by a user or other software to actually implement the attack.
|
DES (Data Encryption Standard) |
A widely-used
method of data encryption using a private (secret) key that was judged so difficult to
break by the U.S. government that it was restricted for exportation to other countries.
There are 72,000,000,000,000,000 (72 quadrillion) or more possible encryption keys that
can be used. For each given message, the key is chosen at random from among this enormous
number of keys. Like other private key cryptographic methods, both the sender and the
receiver must know and use the same private key.
|
Denial of service attack |
A user or
program takes up all the system resources by launching a multitude of requests, leaving no
resources and thereby "denying" service to other users. Typically,
denial-of-service attacks are aimed at bandwidth control.
|
DHCP (Dynamic Host Configuration Protocol) |
DHCP enables individual computers on an IP network
to extract their configurations from a server (the 'DHCP server') or
servers, in particular, servers that have no exact information about the
individual computers until they request the information. The overall
purpose of this is to reduce the work necessary to administer a large IP
network. The most significant piece of information distributed in this
manner is the IP address.
|
Diffie-Hellman |
The Diffie-Hellman Method For Key Agreement allows
two hosts to create and share a secret key. VPNs operating on the IPSec
standard use the Diffie-Hellman method for key management. Key
management in IPSec begins with the overall framework called the
Internet Security Association and Key Management Protocol (ISAKMP).
Within that framework is the Internet Key Exchange (IKE) protocol. IKE
relies on yet another protocol known as OAKLEY and it uses
Diffie-Hellman.
|
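An added example of the Diffie-Hellman agreement referenced above (not from the original glossary or any IKE implementation): two hosts each pick a private exponent, exchange public values, and arrive at the same shared secret, which is then hashed into a session key. The group (p = 1019, g = 2) is a constructed toy safe prime so the arithmetic stays readable; real IKE groups are far larger.

```python
"""Diffie-Hellman key agreement between two hosts, with parameter validation.

Added example, not from the original glossary. TOY_P and TOY_G form a
constructed toy group, far too small for real use.
"""
from __future__ import annotations

import hashlib
import secrets

TOY_P = 1019   # safe prime: 1019 = 2 * 509 + 1, both prime
TOY_G = 2


def is_prime(n: int) -> bool:
    """Trial division; adequate for the small demo parameters used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def validate_group(p: int, g: int) -> bool:
    """Reject weak parameters: p must be a safe prime and g must lie in (1, p-1)."""
    return is_prime(p) and is_prime((p - 1) // 2) and 1 < g < p - 1


class DHParty:
    """One host's side of the exchange: a private exponent and a public value."""

    def __init__(self, p: int, g: int, private: int | None = None) -> None:
        if not validate_group(p, g):
            raise ValueError("unsafe Diffie-Hellman parameters")
        self.p, self.g = p, g
        # Private exponent in [2, p-2]; never sent to the peer
        self.private = private if private is not None else secrets.randbelow(p - 3) + 2
        self.public = pow(g, self.private, p)

    def shared_secret(self, peer_public: int) -> int:
        # Peer values of 0, 1 or p-1 would force a trivially guessable secret
        if not 1 < peer_public < self.p - 1:
            raise ValueError("rejected degenerate peer public value")
        return pow(peer_public, self.private, self.p)


def derive_key(shared: int, p: int) -> bytes:
    """Hash the agreed integer into a fixed-length session key (simplified KDF)."""
    return hashlib.sha256(shared.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def agree(p: int, g: int, a_priv: int, b_priv: int) -> tuple[bytes, bytes]:
    """Run both hosts and return the key each one derived."""
    host_a, host_b = DHParty(p, g, a_priv), DHParty(p, g, b_priv)
    key_a = derive_key(host_a.shared_secret(host_b.public), p)
    key_b = derive_key(host_b.shared_secret(host_a.public), p)
    return key_a, key_b


if __name__ == "__main__":
    key_a, key_b = agree(TOY_P, TOY_G, 6, 15)
    print("host A key:", key_a.hex())
    print("host B key:", key_b.hex())
    print("keys match:", key_a == key_b)
```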
DiffServ (Differentiated Services) |
Differential service mechanisms allow providers to
allocate different levels of service to different users of the Internet.
Broadly speaking, any traffic management or bandwidth control mechanism
that treats different users differently - ranging from simple Weighted
Fair Queuing to RSVP and per-session traffic scheduling - counts.
However, in common Internet usage the term is coming to mean any
relatively simple, lightweight mechanism that does not depend entirely
on per-flow resource reservation.
|
Digital Certificate |
A digital certificate is an electronic "credit card" that
establishes your credentials when doing business or other transactions on the Web. It is
issued by a certification authority (CA). It contains your name, a serial number,
expiration dates, a copy of the certificate holder's public key (used for encrypting and
decrypting messages and digital signatures), and the digital signature of the
certificate-issuing authority so that a recipient can verify that the certificate is real.
|
Digital Signature |
A digital
signature is an electronic rather than a written signature that can be used by someone to
authenticate the identity of the sender of a message or of the signer of a document. It
can also be used to ensure that the original content of the message or document that has
been conveyed is unchanged. Additional benefits to the use of a digital signature are that
it is easily transportable, cannot be easily repudiated, cannot be imitated by someone
else, and can be automatically time-stamped.
|
DMZ (de-militarized zone) |
A network added between a protected network and an external network
in order to provide an additional layer of security. Sometimes called a perimeter network.
|
DNS (Domain Name System) |
The Internet protocol for mapping host names, domain names and aliases to IP
addresses.
|
DNS spoofing |
Breaching the
trust relationship by assuming the DNS name of another system. This is usually
accomplished by either corrupting the name service cache of a victim system or by
compromising a domain name server for a valid domain.
|
Domain |
The unique name used to identify an Internet network.
|
Domain name server |
A repository of addressing information for specific Internet hosts. Name
servers use the domain name system to map IP addresses to Internet hosts.
|
Downloadable |
A "downloadable" is a file that has been
transmitted from one computer system to another, usually smaller
computer system. From the Internet user's point-of-view, to download a
file is to request it from another computer (or from a Web page on
another computer) and to receive it.
|
Downstream post office |
A post office that communicates with a mail server through another post
office or other post offices.
|
DSL (Digital Subscriber Line) |
DSL (Digital Subscriber Line) is a technology for
bringing high-bandwidth
information to homes and small businesses over ordinary copper telephone
lines. xDSL refers to different variations of DSL, such as ADSL, HDSL,
and RADSL. A DSL line can carry both data and voice signals and the data
part of the line is continuously connected.
|
DSS (Digital Signature Standard) |
The Digital Signature Standard (DSS) is a
cryptographic standard promulgated by the National Institute of
Standards and Technology (NIST) in 1994. It has been adopted as the
federal standard for authenticating electronic documents, much as a
written signature verifies the authenticity of a paper document.
|
DSX (Dynamic Security Extension) |
A proprietary technology that is patented and works in the
following way. The operating system has a system call (or vector) table that contains
memory address pointers for each system call. These pointers point to a location in memory
where the actual kernel code of the system calls resides. DSX stores the address pointers
for the security sensitive system calls and then redirects these pointers to the
corresponding SECURED system call code, which is located elsewhere in memory.
|
Dual-homed gateway |
A system that has two or more network interfaces, each of which is
connected to a different network. In firewall configurations, a dual-homed gateway usually
acts to block or filter some or all of the traffic trying to pass between the networks.
|
E |
e-business |
e-business ("electronic business," derived from such
terms as "e-mail" and "e-commerce") is the conduct of business on the
Internet, not only buying and selling but also servicing customers and collaborating with
business partners.
|
e-commerce |
e-commerce (electronic commerce or EC) is the buying and selling of
goods and services on the Internet, especially the World Wide Web. In practice, this term
and e-business are often used interchangeably. For online retail selling, the term
e-tailing is sometimes used.
|
email client |
An application from which users can create, send and read e-mail
messages.
|
email server |
An application that controls the distribution and storage of e-mail
messages.
|
Encryption |
Scrambling
data in such a way that it can only be unscrambled through the application of the correct
cryptographic key.
|
Encryption-In-Place (EIP) |
A security mode in which a Ravlin unit
encrypts the IP packet's payload only (without encrypting the packet
header). Because EIP does not require encryption of the IP header or
encapsulation of the IP packet, overhead is lower and performance
enhanced.
|
Endpoint Group |
In a policy
enforced network, an endpoint group represents subnets or an
individual host protected by a security appliance. By creating and
configuring endpoint groups, you can permit hosts in one subnet to
exchange data securely with hosts in another subnet. Endpoint groups
along with their associated policy
enforcement points are generally members of a policy
group.
|
Enterprise Object |
Within a policy
enforced network, the
enterprise is the highest-level object category. It encompasses all management
domains and all lower-level
divisions in the organization's secure networking environment.
|
ESP (Encapsulated Security Payload) |
The
Encapsulating Security Payload provides confidentiality for IP datagrams or packets, which
are the message units that the Internet Protocol deals with and that the Internet
transports, by encrypting the payload data to be protected.
|
Ethernet |
A local-area network (LAN) protocol developed by Xerox Corporation
in cooperation with DEC and Intel in 1976. Ethernet uses a bus or star topology and
supports data transfer rates of 100 Mbps.
|
Executable |
An executable is a file that contains a
program - that is, a particular kind of file that is capable of being
executed or run as a program in the computer.
|
Extended MAPI (Extended Messaging Application Programming Interface) |
An interface developed by Microsoft that provides messaging
functions including addressing, sending, receiving and storing messages.
|
F |
FDDI (Fiber Distributed Data Interface) |
A set of ANSI protocols for sending digital data over fiber optic
cable. FDDI networks are token-passing networks, and support data rates of up to 100 Mbps
(100 million bits per second). FDDI networks are typically used as backbones for wide-area
networks.
|
Filter |
A filter is a program or section of code that is designed to examine
each input or output request for certain qualifying criteria and then process or forward
it accordingly.
|
Firewall |
A firewall is a program that protects the resources of one network
from users from other networks. Typically, an enterprise with an intranet that allows its
workers access to the wider Internet will want a firewall to prevent outsiders from
accessing its own private data resources.
|
Firewall denial-of-service |
The firewall is specifically subjected to a denial-of-service
attack.
|
FTP (File Transfer Protocol) |
FTP is the simplest way to exchange files between computers on the
Internet. Like the Hypertext Transfer Protocol (HTTP), which transfers displayable Web
pages and related files, and the Simple Mail Transfer Protocol (SMTP), which transfers
e-mail, FTP is an application protocol that uses the Internet's TCP/IP protocols.
|
G |
Gateway |
A gateway is a network point that acts as an entrance to another network. In
a company network, a proxy server acts as a gateway between the internal network and the
Internet. A gateway may also be any machine or service that passes packets from one
network to another network in their trip across the Internet.
|
Green Screen Terminal |
Terminals that are designed to be centrally-managed, configured with
only essential equipment, and devoid of CD-ROM players, diskette drives, and expansion
slots (and therefore lower in cost).
|
H |
Hacker |
Hacker is a term used by some to mean "a clever programmer" and by
others, especially journalists or their editors, to mean "someone who tries to break
into computer systems."
|
Highjacking or hijacking |
Control of a connection is taken by the attacker after the user
authentication has been established.
|
HMAC (Header Message Authentication Codes) |
HMAC is a hash function based message
authentication code that was designed to meet the requirements of the
IPsec working group in the IETF, and is now a standard.
|
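An added example tying together the Checksum, Authentication Header and HMAC entries above (not from the original glossary): the same datagram is protected once with the glossary's checksum (a count of the bits in the unit) and once with a keyed HMAC truncated to 96 bits, the length AH carries its integrity check value in. Swapping two bytes leaves the bit count unchanged but is caught by the HMAC. The key and the datagram bytes are constructed.

```python
"""Integrity check for a datagram: a plain bit-count checksum versus a keyed HMAC.

Added example, not from the original glossary. Key and payload are constructed.
"""
import hashlib
import hmac

ICV_LEN = 12   # 96-bit integrity check value, the truncation AH uses with HMAC


def bit_count_checksum(data: bytes) -> int:
    """The glossary's checksum: number of set bits in the transmission unit."""
    return sum(bin(b).count("1") for b in data)


def ah_icv(key: bytes, datagram: bytes) -> bytes:
    """Keyed integrity value over the datagram, truncated as AH does."""
    return hmac.new(key, datagram, hashlib.sha256).digest()[:ICV_LEN]


def verify_icv(key: bytes, datagram: bytes, icv: bytes) -> bool:
    # Constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(ah_icv(key, datagram), icv)


def tamper_swap(datagram: bytes, i: int, j: int) -> bytes:
    """Swap two bytes: changes the content but not the number of set bits."""
    b = bytearray(datagram)
    b[i], b[j] = b[j], b[i]
    return bytes(b)


def compare_protection(key: bytes, datagram: bytes, tampered: bytes) -> dict:
    """Report whether each mechanism notices the change from datagram to tampered."""
    icv = ah_icv(key, datagram)
    return {
        "checksum_detects": bit_count_checksum(datagram) != bit_count_checksum(tampered),
        "hmac_detects": not verify_icv(key, tampered, icv),
    }


if __name__ == "__main__":
    key = b"constructed-demo-key-0123456789"
    # Constructed payload standing in for an IP datagram's protected fields
    original = b"PAY 100 TO ACCOUNT 42"
    swapped = tamper_swap(original, 4, 5)    # becomes b"PAY 010 TO ACCOUNT 42"
    print(swapped, compare_protection(key, original, swapped))
```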
HTML (HyperText Markup Language) |
A standard set of commands used to structure documents and format text so
that it can be used on the Web.
|
HTTP (HyperText Transfer Protocol) |
HTTP is the set of rules for exchanging files (text, graphic images, sound,
video, and other multimedia files) on the World Wide Web. Relative to the TCP/IP suite of
protocols (which are the basis for information exchange on the Internet), HTTP is an
application protocol.
|
HTTPS (Secure Hypertext Transfer Protocol) |
The secure hypertext transfer protocol (HTTPS) is a communications
protocol designed to transfer encrypted information between computers over
the World Wide Web. HTTPS is http using a Secure
Socket Layer (SSL).
|
I |
I2O (Intelligent Input/Output) |
Intelligent Input/Output (I2O) is a hardware
specification that describes a model for offloading I/O processing from
the CPU. The model is after the style of what has been used in very
large mainframes for years. It is not a replacement for the PCI
architecture.
|
ICSA (International Computer Security Association) |
An organization with the mission to continually improve commercial computer
security through certification of firewalls, anti-virus products and web sites.
ICSA also
shares and disseminates information concerning information security.
|
Insider attack |
An attack originating from inside a protected network.
|
Internet Key Exchange (IKE) |
A hybrid protocol whose purpose is to negotiate,
and provide authenticated keying material for, security associations in
a protected manner. Processes which implement this protocol can be used
for negotiating virtual private networks (VPNs) and also for providing a
remote user from a remote site (whose IP address need not be known
beforehand) access to a secure host or network.
|
Intrusion detection |
Detection of break-ins or break-in attempts by reviewing logs or
other information available on a network.
|
IP (Internet Protocol) |
The Internet Protocol is the method or protocol by which data is
sent from one computer to another on the Internet. Each computer (known as a host) on the
Internet has at least one address that uniquely identifies it from all other computers on
the Internet.
|
IP spoofing |
An attack where the attacker impersonates a trusted system by using
its IP network address.
|
IP hijacking |
An attack where an active, established session is intercepted and
taken over by the attacker. May take place after authentication has occurred which allows
the attacker to assume the role of an already authorized user.
|
IPSec (Internet Protocol Security) |
A developing standard for security at the network or packet
processing layer of network communication. IPSec provides two choices of security service:
Authentication Header (AH), which essentially allows authentication of the sender of data,
and Encapsulating Security Payload (ESP), which supports both authentication of the sender
and encryption of data as well.
|
ISDN (Integrated Services Digital Network) |
A set of communications standards allowing a
single wire or optical fibre to carry voice, digital network services
and video. ISDN gives a user up to 56 kbps of data bandwidth
on a phone line that is also used for voice, or up to 128 kbps if the
line is only used for data.
|
J |
Java |
Java is a programming language expressly designed for use in the distributed
environment of the Internet. It was designed to have the "look and feel" of the
C++ language, but it is simpler to use than C++ and enforces a completely object-oriented
view of programming. Java can be used to create complete applications that may run on a
single computer or be distributed among servers and clients in a network. It can also be
used to build small application modules or applets for use as part of a Web page. Applets
make it possible for a Web page user to interact with the page.
|
K |
Kerberos |
An authentication service developed at MIT based
on a paper by Needham and Schroeder.
|
Key |
In cryptography, a key is a variable value that is applied using an
algorithm to a string or block of unencrypted text to produce encrypted text. The length
of the key generally determines how difficult it will be to decrypt the text in a given
message.
|
Key Management |
The establishment and enforcement of message encryption and authentication
procedures, in order to provide privacy-enhanced mail (PEM) services for electronic mail
transfer over the Internet.
|
L |
LDAP (Lightweight Directory Access Protocol) |
LDAP
(Lightweight Directory Access Protocol) is an emerging software protocol for enabling
anyone to locate organizations, individuals, and other resources such as files and devices
in a network, whether on the Internet or on a corporate intranet. LDAP is a
"lightweight" (smaller amount of code) version of DAP (Directory Access
Protocol), which is part of X.500, a standard for directory services in a network.
|
Litigation Protection |
Litigation protection is both the review and recording of
Internet, intranet and extranet communications that is done in order to avoid litigation
or the documentation of the communications parties and content in the event of litigation.
|
M |
MAC (Media Access Control) |
On a network, the MAC
(Media Access Control) address is your computer's unique hardware number. The MAC address
is used by the Media Access Control sublayer of the Data-Link Control (DLC) layer of
telecommunication protocols. There is a different MAC sublayer for each physical device
type. The Data-Link Layer is the protocol layer in a program that handles the moving of
data in and out across a physical link in a network.
|
Macro Virus |
Macro viruses are small
programs written using the internal programming language of a specific
application program that replicate within documents created by the
application program. Common examples of application programs that use
macros include word processors such as Word and spreadsheets such as
Excel.
|
Malicious Code |
Malicious code is any
code added, changed, or removed from a software system in order to
intentionally cause harm or subvert the intended function of the system.
Traditional examples of malicious code include viruses, worms, Trojan
Horses, and attack scripts, while more modern examples include Java
attack applets and dangerous ActiveX controls.
|
Management Domain |
In a policy
enforced network, a management domain consists of one or more policy
groups.
A management domain usually
encompasses a large category of users. For example, a management domain
might contain all users who work with an organization's financial data or
with an insurance company's
patient records. Management domains may also be specific to business
relationships such as extranet
partnerships or branch-office data transfer.
|
MAPI (Messaging Application Programming Interface) |
An interface developed by Microsoft that provides messaging
functions including addressing, sending, receiving and storing messages. Simple MAPI
includes some of these functions. Extended MAPI includes all of these functions.
|
MIB (Management Information Base) |
A database of objects that can be monitored by an
SNMP-based network management system. Standardized MIB formats allow any
SNMP tool to monitor any device defined by a MIB.
|
MIME (Multipurpose Internet Mail Extensions) |
A protocol used for transmitting documents with different formats via the
Internet.
|
Monitoring |
A view of individual user activity on a network, generally in real time.
Provides administrators with the ability to view the content of user utilized
applications.
|
MPLS (Multiprotocol Label Switching) |
A base technology for using label switching in
conjunction with network layer routing and for the implementation of
that technology over various link level technologies, which may include
Packet-over-Sonet, Frame Relay, ATM, and Ethernet.
|
N |
NAPT (Network Address Port Translation) |
NAPT is a special case of NAT, where many IP
numbers are hidden behind a number of addresses, but in contrast to the
original NAT this does not mean there can be only that number of
connections at a time. In NAPT an almost arbitrary number of connections
is multiplexed using TCP port information. The number of simultaneous
connections is limited by the number of addresses multiplied by the
number of TCP ports available.
|
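An added example of the NAPT behaviour described above (not from the original glossary): a translation table that maps each inside address and port to an external address and port, multiplexes many inside hosts behind a few external addresses, and drops inbound packets for which no mapping exists. The external address pool, port range and sample flows are constructed for the demo.

```python
"""Network Address Port Translation table.

Added example, not from the original glossary. Addresses (documentation
ranges), the port range and the sample flows are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


class NAPT:
    """Maps (inside ip, inside port) to (external ip, external port) and back."""

    def __init__(self, external_ips: list[str], port_range: range = range(1024, 65536)) -> None:
        self.external_ips = external_ips
        self.port_range = port_range
        self._out: dict[Endpoint, Endpoint] = {}   # inside -> outside
        self._in: dict[Endpoint, Endpoint] = {}    # outside -> inside

    def capacity(self) -> int:
        """Simultaneous connections = external addresses x available ports."""
        return len(self.external_ips) * len(self.port_range)

    def translate_outbound(self, inside: Endpoint) -> Endpoint:
        """Reuse the existing mapping for an inside endpoint or allocate a new one."""
        if inside in self._out:
            return self._out[inside]
        for ip in self.external_ips:
            for port in self.port_range:
                candidate = Endpoint(ip, port)
                if candidate not in self._in:
                    self._out[inside] = candidate
                    self._in[candidate] = inside
                    return candidate
        # Every address:port pair is in use; the flow cannot be admitted
        raise RuntimeError("translation table full")

    def translate_inbound(self, outside: Endpoint) -> Endpoint | None:
        """Reverse lookup. None means no inside host ever opened this flow,
        so an unsolicited inbound packet is dropped rather than forwarded."""
        return self._in.get(outside)


if __name__ == "__main__":
    # Constructed demo: one external address, three usable ports, three inside flows
    nat = NAPT(["203.0.113.5"], range(40000, 40003))
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        print(host, "->", nat.translate_outbound(Endpoint(host, 5000)))
    print("reply to 40001 goes to", nat.translate_inbound(Endpoint("203.0.113.5", 40001)))
    print("unsolicited 40002+ ->", nat.translate_inbound(Endpoint("203.0.113.5", 40005)))
```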
NAR (Network Address Retention) |
A simplified IP addressing capability that eliminates the need to
establish an intermediate IP address between a router and a firewall. Sometimes called
Proxy-ARP. This feature allows the implementation of a firewall into an existing network
without having to establish a new IP address scheme.
|
NAT (Network Address Translation) |
Network Address Translation allows your Intranet to use addresses
that are different from what the outside Internet thinks you are using. It permits many
users to share a single external IP address at the same time. The NAT provides what some
people call "address hiding", which is, as it suggests, security through
obscurity at best.
|
Network Service Access Policy |
A high level, issue specific policy which defines those services
that will be allowed or explicitly denied from a restricted network, the way in which
these services will be used, and the conditions for exceptions to the policy.
|
NNTP (Network News Transfer Protocol) |
NNTP (Network News Transfer Protocol) is the predominant protocol
used by computers (servers and clients) for managing the notes posted on newsgroups.
NNTP replaced the original Usenet protocol, UNIX-to-UN
|
Nonrepudiation |
The goal of nonrepudiation is to provide proof that a
message was sent by a particular party and received by another, so that
neither can later deny it. It is usually achieved with digital signatures:
only the holder of the private key could have produced the signature. A
shared-key MAC cannot provide it, because either party could have computed
the tag. This is extremely important in
networks where commands and status must be issued and responded to,
where financial transactions must be verifiably completed, and where
signed contracts are transmitted.
|
O |
ODBC (Open Database Connectivity) |
ODBC is a standard or open application programming interface (API)
for accessing a database. By using ODBC statements in a program, you can access files in a
number of different databases, including Access, dBase, DB2, Excel, and Text. In addition
to the ODBC software, a separate module or driver is needed for each database to be
accessed.
|
P |
Packet |
A packet is the unit of
data that is routed between an origin and a destination on the Internet or any other
packet-switched network. When any file (e-mail message, HTML file, GIF file, URL request,
and so forth) is sent from one place to another on the Internet, the Transmission Control
Protocol (TCP) layer of TCP/IP divides the file into "chunks" of an efficient
size for routing. Each of these packets is separately numbered and includes the Internet
address of the destination. The individual packets for a given file may travel different
routes through the Internet. When they have all arrived, they are reassembled into the
original file (by the TCP layer at the receiving end).
|
Packet
Filters |
Packet filters keep out
certain data packets based on header fields: their source and destination addresses, protocol and port (service type).
Filters can be used to block connections from or to specific hosts, networks or ports.
Packet filters are simple and fast. However, they make decisions based on a very limited
amount of information and cannot tell whether an inbound packet is really a reply to a
connection that an inside host opened.
|
Packet
Sniffing |
Intercepting packets of
information (including such things for example as a credit card number ) that are
traveling between locations on the Internet.
|
PAP
(Password Authentication Protocol) |
A procedure used to validate a connection request, defined for PPP. After the link is
established, the requestor sends an id and password to the server, repeatedly if necessary, until the server
validates the request and sends back an acknowledgement, terminates the connection, or
offers the requestor another chance. The password travels in the clear, neither
encrypted nor hashed, so PAP should only be used over links that are protected by other means.
|
Password-based
attacks |
An attack in which repeated guesses, by brute force or from a dictionary of likely
passwords, are made until a valid log-in and/or password sequence is reproduced.
|
Perimeter
network |
See DMZ.
|
PGP (Pretty Good Privacy) |
A cryptographic product family that enables people to securely
exchange messages, and to secure files, disk volumes and network connections with
both privacy and strong authentication.
|
Ping
of Death Attack |
A notorious exploit that (when first discovered)
could easily crash a wide variety of machines: an oversized ICMP echo
request, sent as IP fragments whose offsets and lengths add up to more than the
65,535-byte maximum IP packet size, overran buffers in the receiving TCP/IP
stack when the fragments were reassembled. A firewall can stop it by dropping
any fragment whose offset plus length exceeds that limit. The term is now used to refer to
any nudge delivered by hackers over the network that causes bad things
to happen on the system being nudged.
|
PKCS
(Public-Key Cryptography Standards) |
The Public-Key Cryptography Standards are
specifications produced by RSA Laboratories in cooperation with secure
systems developers worldwide for the purpose of accelerating the
deployment of public-key cryptography. First published in 1991 as a
result of meetings with a small group of early adopters of public-key
technology, the PKCS documents have become widely referenced and
implemented.
|
PKI (Public Key Infrastructure) |
A
PKI (public key infrastructure) enables users of an inherently insecure public network such
as the Internet to securely and privately exchange data and money through the use of a
public and a private cryptographic key pair, where the public key is obtained and shared through a trusted
authority.
|
Platform
attack |
An
attack that focuses on vulnerabilities in the operating system hosting the firewall.
|
PPP
(Point-to-Point Protocol) |
Point-to-Point
Protocol (PPP) is a protocol
for communication between two computers using a serial interface, typically a personal
computer connected by phone line to a server.
|
PPPoE
(Point-to-Point Protocol over Ethernet) |
PPP over Ethernet (PPPoE) provides the ability to
connect a network of hosts over a simple bridging access device to a
remote Access Concentrator (Server).
|
PPTP
(Point-to-Point Tunneling Protocol) |
Point-to-Point
Tunneling Protocol (PPTP) is a network protocol
that enables the transfer of data from a remote client to a private
enterprise server by creating a virtual private network (VPN) across
TCP/IP-based data networks. PPTP supports on-demand, multi-protocol,
virtual private networking over public networks, such as the Internet.
Its MS-CHAP authentication and RC4-based MPPE encryption have well-known
weaknesses, so PPTP is no longer considered a secure VPN protocol.
|
Policy
Enforced Network (PEN) |
A Policy Enforced Network is a
management architecture in which the creation, delivery and enforcement of business rules
in an information network are defined and automated. Policy
Enforced Networking is designed to bring structure and
organization to information networks whether they are within a campus or
are distributed around the globe.
|
Policy
Enforcement Points (PEP) |
In a policy
enforced network, a policy enforcement point represents a security
appliance used to protect one or more endpoints.
PEPs are also points for monitoring the health and status of a network.
PEPs are generally members of a policy group.
|
Policy
Groups |
In a policy
enforced network (PEN), a policy group represents endpoint
groups and their associated policy
enforcement points. A policy group also contains business rules
concerning membership, access privileges, and
traffic flow (including data authentication, encryption, and address
translation). In most cases, a policy group's members are related to
each other in ways useful to the organization. Policy groups are
generally members of a management domain.
|
Policy Management
Zone (PMZ) |
The Policy Management Zone protects communications
between trusted parties and firewalls access to untrusted domains in an
information network.
|
Policy
Rules |
In a policy
enforced network (PEN), policy rules determine how the members and endpoint
groups of a policy group communicate.
|
Polymorphic
virus |
Polymorphic viruses encrypt the body of the virus with a varying key
and mutate the decryption routine from copy to copy, so that no fixed byte
sequence remains for anti-virus programs to match against a signature.
|
POP3 (Post Office Protocol 3) |
An e-mail protocol used to retrieve e-mail from a remote server over
an Internet connection.
|
Private Key |
In cryptography, a private or secret key is an encryption/decryption
key known only to the party or parties that
exchange secret messages. In traditional secret key cryptography, a key would be shared by
the communicators so that each could encrypt and decrypt messages. The risk in this system
is that if either party loses the key or it is stolen, the system is broken. A more recent
alternative is to use a combination of public and private keys. In this system, a public key is used together with a
private key.
|
Protocol |
A special set of rules for communicating that the end points in a
telecommunication connection use when they send signals back and forth. Protocols exist at
several levels in a telecommunication connection. There are hardware telephone protocols.
There are protocols between the end points in communicating programs within the same
computer or at different locations. Both end points must recognize and observe the
protocol. Protocols are often described in an industry or international standard.
|
Protocol
Attacks |
A protocol attack is when the
characteristics of network services are exploited by the
attacker. Examples include the creation of infinite protocol loops which
result in denial of service (e.g., bouncing datagrams between two UDP
echo services by spoofing the source address), the use of information packets under the
Network News Transfer Protocol to map out a remote
site, and use of the ICMP Source Quench message to reduce traffic
rates through select network paths.
|
Proxy |
An agent that acts on behalf of a user, typically accepting a connection from
a user and completing a connection on behalf of the user with a remote host or service.
See also gateway and proxy server.
|
Proxy Server |
A
proxy server is one that acts on behalf of one or more other servers, usually for
screening, firewall, caching, or a combination of these purposes. Gateway is often used as
a synonym for "proxy server." Typically, a proxy
server is used within a company or enterprise to gather all Internet requests, forward
them out to Internet servers, and then receive the responses and in turn forward them to
the original requestor within the company.
|
Public Key |
A public key is the half of an asymmetric key pair that can be published freely. It is
generated together with, and mathematically related to, a private key that its owner keeps
secret; the private key cannot feasibly be derived from the public key. Data encrypted with the
public key can be decrypted only with the private key, and a digital signature made with the
private key can be checked by anyone holding the public key. The use of
paired public and private keys is known as
asymmetric encryption. A system for distributing public keys through a trusted
authority, usually as certificates, is
called a public key infrastructure (PKI).
|
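The Nonrepudiation and Public Key entries above state that a signature made with a private key can be checked by anyone, while a shared key cannot prove origin to a third party. The following is an added example, not code from the glossary: textbook RSA signing and verification in Python (with a small Miller-Rabin key generator), beside an HMAC, to show that a tampered message or a guessed private key fails verification while the holder of a shared MAC key can mint a valid tag for any message. The key sizes, the deterministic seed, and the absence of padding are simplifications for illustration; use a real library with PKCS#1 v1.5 or PSS padding in practice.

```python
import hashlib
import hmac
import random


def is_probable_prime(n, rng, rounds=40):
    """Miller-Rabin primality test; rng supplies the random witnesses."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # correct size, odd
        if is_probable_prime(cand, rng):
            return cand


def keygen(bits=1024, seed=None):
    """Returns (public, private) = ((n, e), (n, d)).

    seed gives a reproducible demo key; leave it None to use the OS CSPRNG.
    Key sizes and the lack of padding below are for illustration only."""
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    e = 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))  # d = e^-1 mod phi (Python 3.8+)


def _digest_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private, message):
    """Textbook RSA signature over SHA-256(message): only the holder of d can
    produce it, which is what a third party can later check.
    (Real deployments add PKCS#1 v1.5 or PSS padding; omitted for clarity.)"""
    n, d = private
    return pow(_digest_int(message), d, n)


def verify(public, message, signature):
    n, e = public
    return pow(signature, e, n) == _digest_int(message)


def mac_tag(shared_key, message):
    """HMAC tag: proves integrity and origin to the other key holder, but the
    receiver holds the same key and could have made the tag itself, so it
    proves nothing to a third party. That is why a MAC gives no nonrepudiation."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def verify_mac(shared_key, message, tag):
    return hmac.compare_digest(mac_tag(shared_key, message), tag)


if __name__ == "__main__":
    pub, priv = keygen(1024, seed=2024)  # fixed seed for the demo only
    order = b"transfer 100 to account 42"
    sig = sign(priv, order)
    print("signature verifies:", verify(pub, order, sig))                  # True
    print("altered message verifies:", verify(pub, order + b"0", sig))     # False
    # A receiver who guesses at d cannot forge a signature that verifies...
    print("forged signature verifies:", verify(pub, order, sign((pub[0], 12345), order)))  # False
    # ...but a receiver holding the shared MAC key can mint a tag for any message.
    forged = b"transfer 100 to account 99"
    print("receiver-made MAC verifies:", verify_mac(b"shared", forged, mac_tag(b"shared", forged)))  # True
```

The last two lines are the whole point of the Nonrepudiation entry: the MAC verifies, but it would verify no matter which party produced it, so it settles nothing in a dispute between them.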
Q |
QoS (Quality of Service) |
On the Internet and in other networks, QoS is the idea that
transmission rates, error rates, and other characteristics can be measured, improved, and,
to some extent, guaranteed in advance. QoS is of particular concern for the continuous
transmission of high-bandwidth video and multimedia information.
|
R |
RA (Registration Authority) |
An RA (registration authority) is an authority in a network that verifies
user requests for a digital
certificate and tells the certificate authority (CA) to issue it. RAs are part of a public key
infrastructure (PKI), a networked system
that enables companies and users to exchange information and money safely and securely.
|
RADIUS |
RADIUS (Remote Authentication Dial-In User
Service) is a client/server protocol
and software that enables remote access servers to communicate with a
central server to authenticate dial-in users and authorize their access
to the requested system or service. RADIUS allows a company to maintain
user profiles in a central database that all remote servers can share.
|
RAS (Remote Access Services) |
A feature built into Windows NT that enables users to log into an NT-based
LAN using a modem, X.25 connection or WAN link. RAS works with several major network
protocols, including TCP/IP, IPX, and NetBEUI.
|
Replay
Prevention |
To provide protection against replay attacks in
which a message is stored and re-used later, replacing or repeating the
original. See also Anti-replay service.
|
RIP
(Routing Information Protocol) |
The oldest routing protocol on the Internet and the most commonly used
routing protocol on local area IP networks. Routers use RIP to periodically broadcast
which networks they know how to reach.
|
Routing Agent |
On the Internet, an agent (also called an intelligent agent) is a program
that gathers information or performs some other service without your immediate presence
and on some regular schedule. Typically, an agent program, using parameters you have
provided, searches all or some part of the Internet, gathers information you're interested
in, and presents it to you on a daily or other periodic basis.
|
RSA (Rivest-Shamir-Adleman) |
One of the fundamental public-key algorithms, a series of mathematical
operations developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. The RSA
algorithm is the most commonly used public-key encryption and digital signature algorithm and is
included as part of the Web browsers from Netscape and Microsoft.
|
RSACi
(Recreational Software Advisory Council on the Internet) |
A computer software ratings system of Web site
content developed by RSACI in response to the passage of US federal legislation prohibiting
the transmittal of offensive, or indecent, materials over the Internet. RSACi was
developed with the express intent of providing a simple, yet effective rating system for
web sites which protect both children, by providing and empowering parents with detailed
information about site content, and the rights of free speech of everyone who publishes on
the World Wide Web.
|
Rules |
Criteria that are used to organize and control incoming messages
automatically. When you set up a rule, you designate the criteria that selects a specific
class of messages and then you select one or more actions to handle the messages that meet
the criteria.
|
S |
Screening
router |
A router configured to permit or deny traffic based on a set of
permission rules installed by the administrator.
|
Security
Association (SA) |
A Security Association (SA) is a relationship
between two or more entities that describes how the entities will
utilize security services to communicate securely. This relationship is
represented by a set of information that can be considered a contract
between the entities. The information must be agreed upon and shared
between all the entities.
|
Secure
Hash Algorithm-1 (SHA-1) |
A one-way cryptographic function which takes a
message of any length and produces a 160-bit message digest. A message digest is a value
generated for a message or document that is, for practical purposes, unique to that message, and
is sometimes referred to as a "fingerprint" of that message or
data. Once a message digest is computed, any subsequent change to the
original data will, with a very high probability, cause a change in the
message digest, and a signature over the original digest will fail to verify. This process is
used to reduce large data strings to a 20-byte value which is what is actually
signed. The reduced data length relieves the computational
requirements of the public-key signature operation. Practical collision
attacks against SHA-1 have since been demonstrated, so it should no longer be
used for signatures; SHA-2 or SHA-3 are the usual replacements.
|
Self-signed
Certificate |
A self-signed certificate is signed with the private key that corresponds
to the public key it contains, rather than with the key of a CA; its issuer
and subject names are the same.
A self-signed certificate will not provide the same functionality as a
CA-signed certificate. A self-signed certificate will not be
automatically recognized by users' browsers, and a self-signed
certificate does not provide any guarantee concerning the identity of
the organization that is providing the website, since anyone can generate one
claiming any name. It can only be trusted once its fingerprint has been
verified out of band and it has been explicitly installed as a trust anchor.
|
Session |
In the Open Systems Interconnection (OSI) communications
model, the Session layer (sometimes called the "port layer") manages the setting
up and taking down of the association between two communicating end points that is called
a connection. A connection is maintained while the two end points are communicating back
and forth in a conversation or session of some duration. Some connections and sessions
last only long enough to send a message in one direction. However, other sessions may last
longer, usually with one or both of the communicating parties able to terminate it.
|
Shared
POP3 mailbox |
A mailbox that stores messages for an entire domain that allows
organizations with part-time Internet connections to exchange mail.
|
Signatures |
Viruses employ signatures by which they identify
themselves to themselves and thereby avoid corrupting their own code.
Standard viruses, including most macro viruses,
use character-based signatures. More complex viruses, such as polymorphic
viruses, use algorithmic signatures.
|
SLIP (Serial Line Internet Protocol) |
SLIP is a TCP/IP protocol
used for carrying IP over a serial line between two machines that have previously been configured for
communication with each other. It provides no authentication, error detection or
compression and has largely been replaced by PPP.
|
Smart Card |
About the size of a credit card, a smart card is a plastic card with
an embedded microchip that can be loaded with data, used for telephone calling, electronic
cash payments, and other applications, and then periodically "recharged" for
additional use. Currently used to establish your identity when logging on to an Internet
access provider.
|
S/MIME (Secure/Multipurpose Internet Mail Extensions) |
S/MIME is an E-mail security protocol. It was designed to prevent the
interception and forgery of E-mail by using encryption and digital signatures. S/MIME
builds security on top of the MIME protocol and is based on technology originally
developed by RSA Data Security, Inc.
|
SMF (Standard Message Format) |
A message file format established by Novell and used by many e-mail
applications.
|
SMTP (Simple Mail Transfer Protocol) |
The standard protocol used for Internet e-mail messages.
|
SNMP (Simple Network Management Protocol) |
The protocol governing network management and the monitoring of
network
devices and their functions.
|
Social
engineering |
An attack based on tricking or deceiving users or administrators
into revealing passwords or other information that compromises a target system's security.
Social engineering attacks are typically carried out by telephoning users or operators and
pretending to be an authorized user.
|
Source-Routing |
Normal IP packets have only source and destination addresses in
their headers, leaving the actual route taken to the routers in between the source and the
destination. Source-routed IP packets have additional information in the header that
specifies the route the packet should take. This additional routing is specified by the
source host, hence the name source-routed.
|
Source-Route Attack |
A form of spoofing whereby the routing, as indicated in the source
routed packet, is not coming from a trusted source and therefore the packet is being
routed illicitly.
|
Spoofing |
The term for establishing a connection with a forged sender
address. This normally involves exploiting a trust relationship that exists between source
and destination addresses/systems.
|
Spool File |
A report that has been sent to the printer control software on the
AS400, to be disposed of by the printer agent. Similar to Print Manager on Windows.
|
SSH
(Secure Shell) |
A protocol which permits secure remote access over
a network from one computer to another. SSH negotiates and establishes
an encrypted connection between an SSH client and an SSH server.
|
SSL (Secure Sockets Layer) |
A program layer created by Netscape
for managing the security of message transmissions in a network. Netscape's idea is that
the programming for keeping your messages confidential ought to be contained in a program
layer between an application (such as your Web browser or HTTP) and the Internet's TCP/IP
layers. The "sockets" part of the term refers to the sockets method of passing
data back and forth between a client and a server program in a network or between program
layers in the same computer.
|
Stateful |
Stateful and stateless are adjectives
that describe whether a computer or computer program is designed to note and remember one
or more preceding events in a given sequence of interactions with a user, another computer
or program, a device, or other outside element. Stateful means the computer or program
keeps track of the state of interaction, usually by setting values in a storage field
designated for that purpose.
|
Stateful inspection |
Analysis of packets at the network and transport layers that keeps a table of
active connections and compares each packet with the connection it claims to
belong to in order to detect suspicious activity, for example an inbound
packet that is not a reply to any connection an inside host opened. Unlike application level gateways, stateful inspection uses rules
defined by the administrator and therefore does not rely on predefined application information.
Stateful inspection also takes less processing power than application level analysis. Stateful inspection firewalls do not understand application
protocols and thus cannot apply different rules to the content of different applications.
|
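The Packet Filters and Stateful inspection entries above contrast decisions made on a single header against decisions made with a connection table. The following is an added example, not code from the glossary, that runs the same policy (inside hosts may browse the web) through both kinds of filter in Python over four constructed packets. The protected network, the addresses and the traffic are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the header fields a filter looks at (constructed example)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S" (SYN), "SA" (SYN/ACK), "A" (ACK)


INSIDE = ipaddress.ip_network("10.0.0.0/8")  # assumed protected network


def _is_inside(ip):
    return ipaddress.ip_address(ip) in INSIDE


def stateless_allow(pkt):
    """Plain packet filter: decides on the current packet's header alone.

    Rule 1: inside hosts may open connections to port 80 anywhere.
    Rule 2: to let the replies back in, anything from source port 80 to an
            inside host is permitted. Rule 2 is the hole: an attacker only has
            to set source port 80 to reach any inside port.
    """
    src_in, dst_in = _is_inside(pkt.src), _is_inside(pkt.dst)
    if src_in and not dst_in and pkt.dport == 80:
        return True
    if dst_in and not src_in and pkt.sport == 80:
        return True
    return False


class StatefulFilter:
    """Stateful inspection: the same policy, but inbound packets are admitted
    only when they belong to a connection an inside host opened."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) of tracked flows
        self.conns = set()

    def allow(self, pkt):
        src_in, dst_in = _is_inside(pkt.src), _is_inside(pkt.dst)
        if src_in and not dst_in:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.conns:
                return True  # further packets of a tracked flow
            if pkt.dport == 80 and pkt.flags == "S":
                self.conns.add(key)  # new outbound connection: record it
                return True
            return False
        if dst_in and not src_in:
            # Reverse the tuple: is this a reply to a flow we recorded?
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns
        return False


def compare(packets):
    """Run both filters over a packet list; returns [(stateless, stateful), ...]."""
    sf = StatefulFilter()
    return [(stateless_allow(p), sf.allow(p)) for p in packets]


# Constructed traffic: a legitimate web fetch, then a probe abusing source port 80.
TRAFFIC = [
    Packet("10.0.0.5", 51000, "203.0.113.9", 80, "S"),    # outbound SYN
    Packet("203.0.113.9", 80, "10.0.0.5", 51000, "SA"),   # genuine reply
    Packet("10.0.0.5", 51000, "203.0.113.9", 80, "A"),    # handshake completes
    Packet("203.0.113.66", 80, "10.0.0.5", 22, "S"),      # attacker -> SSH, sport 80
]

if __name__ == "__main__":
    for p, (a, b) in zip(TRAFFIC, compare(TRAFFIC)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} stateless={a} stateful={b}")
```

The fourth packet is the one the Packet Filters entry warns about: the stateless rules pass it because its source port looks like a web reply, while the stateful filter rejects it because no inside host ever opened a connection to 203.0.113.66.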
Stealth
Virus |
Stealth viruses hide the modifications they make
to your files or boot records, attempting to defeat anti-virus programs.
|
STOP (Stack Overflow Protection) |
Stack or buffer overflow attacks continue to be a favorite technique
used by hackers for breaking into servers. STOP reallocates the location of the system
stack. The stack is the area to which the attacker is trying to have the data overflow.
This is like reshuffling the cards in a deck, making it very difficult for the attacker to
predict the location for the overflow data. This simple and transparent approach makes
such overflow attacks far less reliable.
|
S/WAN
(Secure Wide Area Network) |
An initiative to promote the
deployment of Internet Based Virtual Private Networks (VPN)
|
Symmetric Encryption |
The oldest form of key-based cryptography is called secret-key or
symmetric encryption. In this scheme, both the sender and recipient possess the same key,
which means that both parties can encrypt and decrypt data with the key.
|
SYN
Flood Attack |
A TCP connection is
initiated when a client issues a request to a server with the SYN flag
set in the TCP header. Normally the server will issue a SYN/ACK back to
the client identified by the 32-bit source address in the IP header, and
record the half-open connection in a queue of limited size. The
client will then send an ACK to the server and data transfer can
commence. When the client IP address is spoofed (changed) to be that of
an unreachable host, however, the targeted TCP cannot complete the
three-way handshake; it retransmits the SYN/ACK and holds the half-open
entry until it times out. Enough such SYNs fill the queue, after which new
connections, legitimate or not, are refused. That is
the basis for the attack. SYN cookies, which encode the connection state
in the server's initial sequence number instead of storing it, are the
usual defence.
|
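The SYN Flood entry above explains the attack in terms of a half-open queue that fills up. The following is an added example, not code from the glossary: a Python simulation of a server that stores state on every SYN beside one that uses a SYN cookie (a keyed hash of the connection 4-tuple and a coarse time counter, recomputed when the ACK arrives). A flood of SYNs from unreachable addresses locks a legitimate client out of the first server but not the second. The backlog size, the secret and the addresses are assumptions for the example, and the cookie scheme is simplified from the real one (no MSS encoding).

```python
import hashlib
import hmac


class BacklogServer:
    """Server that allocates state on every SYN (the behaviour a SYN flood abuses)."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}  # (client_ip, client_port) -> our initial sequence number
        self.established = set()

    def on_syn(self, client_ip, client_port):
        if len(self.half_open) >= self.backlog:
            return None  # queue full: the SYN is dropped, legitimate or not
        isn = 0x1000 + len(self.half_open)  # toy ISN
        self.half_open[(client_ip, client_port)] = isn
        return isn  # carried back in the SYN/ACK

    def on_ack(self, client_ip, client_port, ack):
        isn = self.half_open.get((client_ip, client_port))
        if isn is None or ack != isn + 1:
            return False
        del self.half_open[(client_ip, client_port)]
        self.established.add((client_ip, client_port))
        return True


class SynCookieServer:
    """Server that keeps no per-SYN state: the ISN is an HMAC (SYN cookie) of the
    4-tuple and a coarse time counter, and is recomputed when the ACK arrives."""

    def __init__(self, secret, server_ip="198.51.100.1", server_port=80):
        self.secret = secret  # assumed server secret
        self.server = (server_ip, server_port)
        self.established = set()

    def cookie(self, client_ip, client_port, counter):
        msg = f"{client_ip}:{client_port}>{self.server[0]}:{self.server[1]}|{counter}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, client_ip, client_port, counter):
        return self.cookie(client_ip, client_port, counter)  # nothing stored

    def on_ack(self, client_ip, client_port, ack, counter):
        # Accept cookies minted in the current or the previous counter period.
        for c in (counter, counter - 1):
            if ack == self.cookie(client_ip, client_port, c) + 1:
                self.established.add((client_ip, client_port))
                return True
        return False


def simulate(spoofed_syns, backlog=128):
    """Flood both servers with SYNs from unreachable (spoofed) sources that never
    ACK, then attempt one legitimate handshake. Returns (backlog_ok, cookie_ok)."""
    plain = BacklogServer(backlog)
    cookie = SynCookieServer(b"constructed-secret")
    for i in range(spoofed_syns):
        fake_ip, fake_port = f"203.0.113.{i % 250 + 1}", 1024 + i
        plain.on_syn(fake_ip, fake_port)        # fills the half-open queue
        cookie.on_syn(fake_ip, fake_port, 7)    # costs one hash, stores nothing
    # Legitimate client completes the handshake if it can.
    isn = plain.on_syn("192.0.2.10", 40000)
    backlog_ok = isn is not None and plain.on_ack("192.0.2.10", 40000, isn + 1)
    ck = cookie.on_syn("192.0.2.10", 40000, 7)
    cookie_ok = cookie.on_ack("192.0.2.10", 40000, ck + 1, 7)
    return backlog_ok, cookie_ok


if __name__ == "__main__":
    print(simulate(0))      # (True, True): no flood, both handshakes succeed
    print(simulate(1000))   # (False, True): backlog exhausted, cookies unaffected
```

The simulation leaves out the SYN/ACK retransmissions and the eventual timeout that the entry mentions; they only determine how long each bogus entry occupies the queue, not whether the queue can be filled.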
T |
TCP/IP (Transmission Control Protocol/Internet Protocol) |
The standard family of protocols for communicating with Internet devices.
|
Telnet |
A terminal emulation program for TCP/IP networks such as the
Internet. The Telnet program runs on your computer and connects your PC to a server on the
network. You can then enter commands through the Telnet program and they will be executed
as if you were entering them directly on the server console
|
Triple DES (3DES) |
Triple DES is simply another mode of DES operation.
It takes three 56-bit keys (64 bits each including parity bits, so 192 bits of
key material), for an effective key length of 168 bits, although a
meet-in-the-middle attack reduces the practical strength to about 112 bits. The
procedure for encryption is exactly the same as regular DES, but it is
repeated three times. Hence the name Triple DES. The data is encrypted
with the first key, decrypted with the second key, and finally encrypted
again with the third key (EDE); using the same key for all three steps
makes it interoperate with single DES.
|
Token Ring |
A type of computer network in which all the computers are arranged
(schematically) in a circle. A token, which is a special bit pattern, travels around the
circle. To send a message, a computer catches the token, attaches a message to it, and
then lets it continue to travel around the network.
|
Tracking |
The logging of inbound and outbound messages based on a predefined
criteria. Logging is usually done to allow for further analysis of the data at a future
date or time.
|
Trojan horse |
A software entity that appears to do something quite normal but
which, in fact, contains a trapdoor or attack program.
|
Tunnel |
The path established by one network to send
its data via another network's connections. Tunneling works by
encapsulating a network protocol within
packets carried by the second network. For example,
Microsoft's PPTP technology enables organizations to
use the Internet to transmit data across a
virtual private network (VPN).
It does this by embedding its own network protocol within the
TCP/IP packets carried by the Internet.
|
Tunneling
router |
A router or system capable of routing traffic by encrypting it and
encapsulating it for transmission across an untrusted network, for eventual
de-encapsulation and decryption.
|
U |
UDP (User Datagram Protocol) |
A connectionless protocol that, like TCP, runs on top of IP networks. Unlike
TCP/IP, UDP/IP provides very few error recovery services, offering instead a direct way to
send and receive datagrams over an IP network. It is used where low overhead matters more
than guaranteed delivery, for example DNS queries, streaming media and broadcast
messages. Because there is no handshake, the source address of a UDP datagram is
trivially spoofed.
|
URL (Uniform Resource Locator) |
An address in a standard format that locates files (resources) on the
Internet and the Web. The type of resource depends on the
Internet application protocol. Using the World Wide Web's protocol, the Hypertext Transfer
Protocol (HTTP) , the resource can be an HTML page (like the one you're reading), an image
file, a program such as a CGI application or Java applet, or any other file supported by
HTTP. The URL contains the name of the protocol required to access the resource, a domain
name that identifies a specific computer on the Internet, and a hierarchical description
of a file location on the computer.
|
URL Blocking |
The tracking and denying of user access to undesirable web sites based on
predefined site content.
|
User
Administration |
User Administration is a process aimed at creating
users efficiently, controlling what they can do, limiting the damage
they can cause, and monitoring their activities on a system or network.
|
User Authentication |
Authentication is a process that verifies a user's identity to ensure that
the person requesting access to the private network is in fact, that person to whom entry
is authorized.
|
UUCP (UNIX-to-UNIX Copy Protocol) |
A set of UNIX programs for copying (sending) files between different
UNIX systems and for sending commands to be executed on another system.
|
UUencode |
A data encoding standard developed to translate or convert a file or
e-mail attachment (it can be an image, a text file, or a program) from its binary or
bit-stream representation into the 7-bit ASCII set of text characters.
|
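The UUencode entry above describes the translation of binary data into 7-bit ASCII. The following is an added example, not code from the glossary: a Python implementation of the encoding itself, with the length character, the 3-bytes-to-4-characters mapping, the backtick-for-zero convention, and the begin/end container, plus a decoder that tolerates both spaces and backticks for zero. The standard library's binascii functions are used only to cross-check the hand-rolled version.

```python
import binascii


def _enc_char(v):
    """Map a 6-bit value to its uuencode character; zero is written as '`'
    because a trailing space is easily stripped by mail transports."""
    return "`" if v == 0 else chr(32 + v)


def uu_encode_line(chunk):
    """Encode up to 45 bytes as one uuencode line: a length character followed
    by 4 printable characters per 3 input bytes (padded with zero bytes)."""
    assert 0 < len(chunk) <= 45
    out = [_enc_char(len(chunk))]
    padded = chunk + b"\0" * (-len(chunk) % 3)
    for i in range(0, len(padded), 3):
        group = (padded[i] << 16) | (padded[i + 1] << 8) | padded[i + 2]
        for shift in (18, 12, 6, 0):
            out.append(_enc_char((group >> shift) & 0x3F))
    return "".join(out)


def uu_decode_line(line):
    """Inverse of uu_encode_line; accepts both ' ' and '`' for zero."""
    n = (ord(line[0]) - 32) & 0x3F  # number of data bytes on this line
    body = line[1:].rstrip("\r\n")
    data = bytearray()
    for i in range(0, len(body), 4):
        quad = body[i:i + 4].ljust(4, "`")  # tolerate a line cut short
        group = 0
        for ch in quad:
            group = (group << 6) | ((ord(ch) - 32) & 0x3F)
        data += bytes([(group >> 16) & 0xFF, (group >> 8) & 0xFF, group & 0xFF])
    return bytes(data[:n])


def uuencode(data, name, mode=0o644):
    lines = [f"begin {mode:o} {name}"]
    for i in range(0, len(data), 45):
        lines.append(uu_encode_line(data[i:i + 45]))
    lines += ["`", "end"]  # an empty line ('`' = length 0) terminates the data
    return "\n".join(lines) + "\n"


def uudecode(text):
    """Returns (name, mode, data). Raises ValueError on a malformed container."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("begin "):
        raise ValueError("missing begin line")
    _, mode, name = lines[0].split(" ", 2)
    data = bytearray()
    for line in lines[1:]:
        if line == "end":
            return name, int(mode, 8), bytes(data)
        if line and ((ord(line[0]) - 32) & 0x3F):
            data += uu_decode_line(line)
    raise ValueError("missing end line")


def matches_stdlib(chunk):
    """Cross-check one line against binascii (backtick=True writes '`' for zero)."""
    ours = uu_encode_line(chunk)
    ref = binascii.b2a_uu(chunk, backtick=True).decode().rstrip("\n")
    return ours == ref and uu_decode_line(ours) == binascii.a2b_uu(ours.encode())


if __name__ == "__main__":
    sample = bytes(range(100)) + b"\xff\x00\xfe"  # constructed binary input
    text = uuencode(sample, "blob.bin")
    print(text)
    print(uudecode(text) == ("blob.bin", 0o644, sample))
```

Note that the length character, not the line length, decides how many bytes a line carries: a decoder that trusts the line length instead will accept trailing garbage or, worse, read past the data it was given.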
V |
Vandal |
A vandal is an executable file,
usually an applet or an ActiveX control, associated with a Web page that is designed to be
harmful, malicious, or at the very least inconvenient to the user. Since such applets or
little application programs can be embedded in any HTML file, they can also arrive as an
e-mail attachment or automatically as the result of being pushed to the user. Vandals can
be viewed as viruses that can arrive over the Internet stuck to a Web page. Vandals are
sometimes referred to as "hostile applets."
|
VBScript
(Visual Basic Script) |
VBScript is an interpreted script language
from Microsoft that is a subset of its Visual Basic programming
language. VBScript can be compared to other script languages designed
for the Web such as Netscape's JavaScript.
|
Virus |
A virus is a piece of programming code inserted into other
programming to cause some unexpected and, for the victim, usually undesirable event.
Viruses can be transmitted by downloading programming from other sites or be present on a
diskette. The source of the file you're downloading or of a diskette you've received is
often unaware of the virus. The virus lies dormant until circumstances cause its code to
be executed by the computer. Some viruses are playful in intent and effect and some can be
quite harmful, erasing data or causing your hard disk to require reformatting.
|
Virus Scanner |
A program that searches files for possible viruses, including email
and attachments.
|
VPN (Virtual Private Networking) |
A VPN is a technology that overlays communications
networks with a management and security layer. Though VPN technology,
network managers can set up secure relationships while still enjoying the
low cost of a public network such as the Internet.
|
W |
WAP (Wireless Application Protocol) |
An open global standard for communications between a mobile handset and the
Internet or other computer applications as defined by the WAP forum.
|
Web
Attack |
Any attack from the outside aimed at Web server vulnerabilities.
|
Web
Browser |
A Web browser is a client program that uses the Hypertext Transfer
Protocol (HTTP) to make requests of Web servers throughout the Internet on behalf of the
browser user.
|
Web
denial-of-service |
The Web server is specifically subjected to denial-of-service
attacks.
|
WinNuke
Attack |
WinNuke is a Windows DoS (Denial
of Service) attack which can cause Windows NT & 95 (and in
some cases, Windows 3.11) stations to panic and lose their network
connections. WinNuke sends a string (in the original source code the
string is "bye") to the NetBIOS session port (TCP 139) flagged as OOB (Out
Of Band) data. The port is open by default on most Windows machines
and is used for networking over TCP/IP. The problem is that Windows,
although it supports OOB data, does not always know what to do with it.
Windows 95 goes to the exception handler, and fails, leaving
most users with a blue screen.
|
Worm |
A self-replicating program that spreads to other
computers over a network on its own, without needing to attach itself to a
host program as a virus does. A worm can disable a computer by
creating a large number of copies of itself within the computer's
memory, forcing out other programs, and can saturate the network
while it scans for further hosts to infect.
|
X |
X.500
Directory |
X.500 Directory Service is a standard way to
develop an electronic directory of people in an organization so that it
can be part of a global directory available to anyone in the world with
Internet access. Such a directory is sometimes called a global White
Pages directory.
|
X.509 |
The most widely used standard for defining digital certificates. X.509 is
an ITU-T Recommendation; the profile used on the Internet is defined by the
IETF (PKIX, RFC 5280). Because the base standard leaves many fields and extensions
optional, companies have implemented it in different ways. For
example, both Netscape and Microsoft use X.509 certificates to implement SSL in their Web servers and browsers, yet an X.509
Certificate generated by Netscape may not be readable by Microsoft products, and vice
versa.
|
Y |
Z |