| A |
| Access Control |
Refers to mechanisms and policies that restrict
access to computer resources. An access control list (ACL), for example,
specifies what operations different users can perform on specific files
and directories.
|
| Active Content |
Active content refers to material that is
downloaded that makes something happen, as opposed to static content,
such as text or simple images that do nothing but get displayed. Active
content includes such things as JavaScript animations, ActiveX controls,
Java spreadsheets...anything that actually does something.
|
| ActiveX |
ActiveX is Microsoft's answer
to the Java technology from Sun Microsystems. An ActiveX control is
roughly equivalent to a Java applet. ActiveX is the name Microsoft has
given to a set of "strategic" object-oriented program
technologies and tools. The main thing that you create when writing a
program to run in the ActiveX environment is a component, a
self-sufficient program that can be run anywhere in your ActiveX network
(currently a network consisting of Windows and Macintosh systems). This
component is known as an ActiveX control.
|
| Address Book |
An automated e-mail address
directory that allows you to address your messages easily. Generally
comes in personal and public versions.
|
| Anti-Replay Service |
With anti-replay
service, each IP packet passing within the secure association is tagged
with a sequence number. On the receiving end, each packet's sequence
number is checked to see if it falls within a specified range. If an IP
packet tag number falls outside of the range, the packet is blocked.
|
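The check the entry describes, as an added example that is not part of the glossary: an anti-replay sliding window in the style of IPsec (RFC 4303, section 3.4.3), which generalises the "specified range" to a window with a bitmap of already-accepted sequence numbers. The window size and the sample packet stream are constructed for illustration.

```python
# Added example, not from the glossary: an anti-replay sliding window in the
# style of IPsec (RFC 4303, section 3.4.3). The receiver remembers the highest
# sequence number accepted so far plus a bitmap of which of the previous
# WINDOW_SIZE - 1 numbers it has already seen. A packet is blocked if it is
# older than the window (outside the range) or if its number was already used.
# WINDOW_SIZE and SAMPLE_STREAM are constructed for illustration.

WINDOW_SIZE = 64


class AntiReplayWindow:
    def __init__(self, window_size=WINDOW_SIZE):
        self.window_size = window_size
        self.highest = 0   # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0    # bit i set  <=>  sequence number (highest - i) already seen

    def check_and_update(self, seq):
        """Return True and record seq if the packet should be accepted."""
        if seq <= 0:
            return False                      # IPsec sequence numbers start at 1
        mask = (1 << self.window_size) - 1
        if seq > self.highest:
            # New high-water mark: slide the window forward and mark this packet.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.window_size else 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window_size:
            return False                      # too old: outside the window
        if self.bitmap & (1 << offset):
            return False                      # already accepted once: a replay
        self.bitmap |= 1 << offset            # late but legitimate packet
        return True


def filter_packets(sequence_numbers, window_size=WINDOW_SIZE):
    """Run a stream of sequence numbers through one window; return (seq, accepted) pairs."""
    window = AntiReplayWindow(window_size)
    return [(seq, window.check_and_update(seq)) for seq in sequence_numbers]


# Constructed sample: in-order packets, one reordered packet, two replays,
# a jump far ahead, then a packet that has fallen out of the window.
SAMPLE_STREAM = [1, 2, 5, 3, 2, 5, 100, 30, 99]

if __name__ == "__main__":
    for seq, ok in filter_packets(SAMPLE_STREAM):
        print(f"seq={seq:4d} {'accept' if ok else 'block'}")
```

Packet 3 arrives late but is accepted because it is inside the window and has not been seen; the second copies of 2 and 5 are blocked as replays, and 30 is blocked because the jump to 100 moved the window past it.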
| API (application program interface) |
An API is the specific methodology by which a programmer
writing an application program may make requests of the operating system
or another application.
|
| Application level firewall or Application gateway |
Application gateways look at data at
the application layer of the protocol stack and serve as proxies for
outside users, intercepting packets and forwarding them to the
application. Thus, outside users never have a direct connection to
anything beyond the firewall. The fact that the firewall looks at this
application information means that it can distinguish among such things
as telnet, file transfer protocol (FTP), or Lotus Notes traffic. Because
the application gateway understands these protocols, it provides
security for each application it supports.
|
| Archiving |
An archive is a collection of computer files that have been packaged
together for backup, to transport to some other location, for saving
away from the computer so that more hard disk storage can be made
available, or for some other purpose. An archive can include a simple
list of files or files organized under a directory or catalog structure
(depending on how a particular program supports archiving).
|
| ARP (Address Resolution Protocol) |
A protocol for mapping an Internet Protocol address (IP address) to a
physical machine address that is recognized in the local network.
|
| Asymmetric Encryption |
Asymmetric or public key cryptography
is based on the concept of a key pair. Each half of the pair (one key)
can encrypt information so that only the other half (the other key) can
decrypt it. One part of the key pair, the private key, is known only by
the designated owner; the other part, the public key, is published
widely but is still associated with the owner.
|
| Attachment |
A file that a user adds to an email message to transfer it to another
user.
|
| Authentication |
The process of determining the identity of a user
that is attempting to access a network. Authentication occurs through
challenge/response, time-based code sequences or other techniques. See CHAP
and PAP.
|
| Authentication Header (AH) |
The Authentication Header is a mechanism for
providing strong integrity and authentication for IP datagrams. It might
also provide non-repudiation, depending on which cryptographic algorithm
is used and how keying is performed. For example, use of an asymmetric
digital signature algorithm, such as RSA, could
provide non-repudiation.
|
| Authorization |
The process of determining what types of
activities or access are permitted on a network. Usually used in the
context of authentication: once you have authenticated a user, they may
be authorized to have access to a specific service.
|
| B |
| Bandwidth |
Generally speaking, bandwidth is directly proportional to the amount
of data transmitted or received per unit time. In digital systems,
bandwidth is proportional to the data speed in bits per second (bps).
Thus, a modem that works at 57,600 bps has twice the bandwidth of a
modem that works at 28,800 bps.
|
| Bastion host |
A specific host that is used to intercept packets entering or leaving
a network, and the system that any outsider must ordinarily connect with
to access a system or service that is inside the network's firewall.
Typically the bastion host must be highly secured because it is
vulnerable to attack due to its placement. See dual-homed gateway.
|
| Buffer Overflow Attack |
A buffer overflow attack works by
exploiting a known bug in one of the applications running on a server.
It then causes the application to overlay system areas, such as the
system stack, thus gaining administrative rights. In most cases, this
gives a hacker complete control over the system. Also referred to as
stack overflow.
|
| C |
| CA (Certificate Authority) |
A CA (certificate authority) is an
authority in a network that issues and manages security credentials and public
keys for message encryption and decryption. As part of a public key
infrastructure (PKI), a
CA checks with a registration authority (RA)
to verify information provided by the requestor of a digital
certificate. If the RA verifies the requestor's information, the CA
can then issue a certificate.
|
| CGI exploit |
When a denial
of service attack is aimed at the CGI, it is referred to as a CGI
exploit. The CGI (common gateway interface) is a standard way for a Web
server to pass a Web user's request to an application program and to
receive data back to forward to the user. It is part of the Web's
HTTP protocol.
|
| Challenge-Response |
A common authentication
technique whereby an individual is prompted (the challenge) to provide
some private information (the response). Most security systems that rely
on smart cards are based on challenge-response. A user is given a code
(the challenge) which he or she enters into the smart card. The smart
card then displays a new code (the response) that the user can present
to log in.
|
| CHAP (Challenge-Handshake Authentication Protocol) |
An authentication technique where, after a link is
established, a server sends a challenge to the requestor. The requestor
responds with a value obtained by using a one-way hash function. The
server checks the response by comparing it with its own calculation of the
expected hash value. If the values match, the authentication is
acknowledged; otherwise the connection is usually terminated.
|
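The exchange described above, as an added example that is not part of the glossary, with both sides' messages. The response is a one-way hash over the CHAP identifier, the shared secret and the server's challenge; RFC 1994 specifies MD5 for this, whereas the example uses SHA-256 (a choice of the example, not of the protocol). Peer names and secrets are constructed.

```python
# Added example, not from the glossary: a CHAP challenge/response exchange.
# Message 1 (server -> requestor): identifier + random challenge.
# Message 2 (requestor -> server): name + H(identifier || secret || challenge).
# RFC 1994 uses MD5 as H; SHA-256 is used here as an assumption of the example.
# All names and secrets below are constructed.
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response = H(identifier || secret || challenge), computed identically by both sides."""
    return hashlib.sha256(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secrets):
        self.secrets = secrets          # peer name -> shared secret
        self.pending = {}               # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        """Message 1: a fresh random challenge, remembered until it is answered."""
        value = os.urandom(16)
        self.pending[identifier] = value
        return value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Check message 2: recompute the hash and compare in constant time.
        The challenge is consumed here, so the same response cannot be replayed."""
        challenge = self.pending.pop(identifier, None)
        if challenge is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], challenge)
        return hmac.compare_digest(expected, response)


def run_handshake(server: ChapServer, name: str, secret: bytes, identifier: int = 1) -> bool:
    """Drive one full exchange from the requestor's side; True means authenticated."""
    challenge = server.challenge(identifier)
    response = chap_response(identifier, secret, challenge)   # the secret itself never crosses the link
    return server.verify(identifier, name, response)


def replay_is_rejected(server: ChapServer, name: str, secret: bytes, identifier: int = 7) -> bool:
    """A captured response answers only the challenge it was computed for."""
    challenge = server.challenge(identifier)
    response = chap_response(identifier, secret, challenge)
    first = server.verify(identifier, name, response)
    second = server.verify(identifier, name, response)        # same bytes presented again
    return first and not second


if __name__ == "__main__":
    server = ChapServer({"branch-router": b"constructed-shared-secret"})
    print("correct secret :", run_handshake(server, "branch-router", b"constructed-shared-secret"))
    print("wrong secret   :", run_handshake(server, "branch-router", b"guess"))
    print("replay rejected:", replay_is_rejected(server, "branch-router", b"constructed-shared-secret"))
```

The random challenge is what makes the exchange resistant to replay: a response sniffed from one session is useless against the next challenge, which is why the server discards each challenge once it has been answered.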
| Checksum or hash |
A checksum is a count of the number
of bits in a transmission unit that is included with the unit so that the receiver can check to see whether the
same number of bits arrived. If the counts match, it's assumed that the
complete transmission was received.
|
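As an added example that is not part of the glossary, the bit-count checksum this entry describes is placed beside a cryptographic hash (SHA-256) and both are run over a constructed message. Both catch an accidental bit flip, but only the hash catches a deliberate change that leaves the bit count unchanged, which is the difference between a checksum and a hash in practice.

```python
# Added example, not from the glossary: a bit-count checksum (as the entry
# defines it) compared with a cryptographic hash over a constructed message.
import hashlib


def bit_count_checksum(data: bytes) -> int:
    """Number of 1 bits in the transmission unit, matching the entry's definition."""
    return sum(bin(byte).count("1") for byte in data)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify(received: bytes, expected_checksum: int, expected_hash: str):
    """Return (checksum_ok, hash_ok) for a received unit."""
    return (bit_count_checksum(received) == expected_checksum,
            sha256_hex(received) == expected_hash)


ORIGINAL = b"TRANSFER 100 TO ACCOUNT 42"                  # constructed message
EXPECTED_CHECKSUM = bit_count_checksum(ORIGINAL)
EXPECTED_HASH = sha256_hex(ORIGINAL)


def compare_cases():
    """Run three receptions and report (checksum_ok, hash_ok) for each."""
    bit_flipped = bytes([ORIGINAL[0] ^ 0x01]) + ORIGINAL[1:]   # one bit damaged in transit
    reordered = b"TRANSFER 100 TO ACCOUNT 24"                   # same bytes, digits swapped
    return {
        "intact": verify(ORIGINAL, EXPECTED_CHECKSUM, EXPECTED_HASH),
        "bit_flip": verify(bit_flipped, EXPECTED_CHECKSUM, EXPECTED_HASH),
        "reordered": verify(reordered, EXPECTED_CHECKSUM, EXPECTED_HASH),
    }


if __name__ == "__main__":
    for case, (checksum_ok, hash_ok) in compare_cases().items():
        print(f"{case:10s} checksum_ok={checksum_ok} hash_ok={hash_ok}")
```

The reordered case passes the checksum because swapping two bytes does not change how many bits are set; a checksum is a guard against transmission errors, not against tampering, which needs a hash (and, to detect a forger who can recompute the hash, a keyed one such as HMAC).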
| Circuit-level gateways |
Circuit-level gateways run proxy applications at the session layer
instead of the application layer. They can't distinguish different
applications that run on the same protocol stack. However, these
gateways don't need a new module for every new application, either.
Circuit-level gateway is a firewall feature which can, when needed,
serve as an alternative to packet filtering or application gateway
functionality.
|
| Client |
A client is the requesting program or user in a
client/server relationship. For example, the user of a Web browser is
effectively making client requests for pages from servers all over the
Web. The browser itself is a client in its relationship with the
computer that is getting and returning the requested HTML file.
|
| Content blocking |
The ability to block network traffic based on actual packet content.
|
| Content scanning or screening |
The ability to review the actual information that an end user sees
when using a specific Internet application. For example, the content of
e-mail.
|
| Content virus |
See data driven attack. Commonly protected against
with a virus scanner.
|
| CoS (Class of Service) |
Class of Service (CoS) is a way of managing
traffic in a network by grouping similar types of traffic (for example,
e-mail, streaming video, voice, large document file transfer) together
and treating each type as a class with its own level of service
priority.
|
| CryptoCore® |
A RedCreek hardware
implementation that offloads the heavy computational load usually imposed
by cryptographic tasks, freeing system resources and thus allowing rapid
encryption.
|
| D |
| Daemon |
A program that runs
continuously and exists for the purpose of handling periodic service
requests that a computer system expects to receive. The daemon program
forwards the requests to other programs (or processes) as appropriate.
Each server of pages on the Web has an HTTPD or Hypertext Transfer
Protocol daemon that continually waits for requests to come in from Web
clients and their users.
|
| Data driven attack |
A form of intrusion in which the
attack is encoded in seemingly innocuous data, and it is subsequently
executed by a user or other software to actually implement the attack.
|
| DES (Data Encryption Standard) |
A widely-used method of data
encryption using a private (secret) key that was judged so difficult to
break by the U.S. government that it was restricted for exportation to
other countries. There are 72,000,000,000,000,000 (72 quadrillion) or
more possible encryption keys that can be used. For each given message,
the key is chosen at random from among this enormous number of keys.
Like other private key cryptographic methods, both the sender and the
receiver must know and use the same private key.
|
| Denial of service attack |
A user or program takes up all the
system resources by launching a multitude of requests, leaving no
resources and thereby "denying" service to other users.
Typically, denial-of-service attacks are aimed at bandwidth control.
|
| Diffie-Hellman |
The Diffie-Hellman Method For Key Agreement allows
two hosts to create and share a secret key. VPNs operating on the IPSec
standard use the Diffie-Hellman method for key management. Key
management in IPSec begins with the overall framework called the
Internet Security Association and Key Management Protocol (ISAKMP).
Within that framework is the Internet Key Exchange (IKE) protocol. IKE
relies on yet another protocol known as OAKLEY and it uses
Diffie-Hellman.
|
| DiffServ (Differentiated Services) |
Differential service mechanisms allow providers to
allocate different levels of service to different users of the Internet.
Broadly speaking, any traffic management or bandwidth control mechanism
that treats different users differently - ranging from simple Weighted
Fair Queuing to RSVP and per-session traffic scheduling - counts.
However, in common Internet usage the term is coming to mean any
relatively simple, lightweight mechanism that does not depend entirely
on per-flow resource reservation.
|
| Digital Certificate |
A digital certificate is an electronic
"credit card" that establishes your credentials when doing
business or other transactions on the Web. It is issued by a
certification authority (CA). It contains your name, a serial number,
expiration dates, a copy of the certificate holder's public key (used
for encrypting and decrypting messages and digital signatures), and the
digital signature of the certificate-issuing authority so that a
recipient can verify that the certificate is real.
|
| Digital Signature |
A digital signature is an
electronic rather than a written signature that can be used by someone
to authenticate the identity of the sender of a message or of the signer
of a document. It can also be used to ensure that the original content
of the message or document that has been conveyed is unchanged.
Additional benefits to the use of a digital signature are that it is
easily transportable, cannot be easily repudiated, cannot be imitated by
someone else, and can be automatically time-stamped.
|
| DMZ (de-militarized zone) |
A network added between a protected network and an external network
in order to provide an additional layer of security. Sometimes called a
perimeter network.
|
| DNS (Domain Name System) |
The Internet protocol for mapping
host names, domain names and aliases to IP addresses.
|
| DNS spoofing |
Breaching the trust relationship by
assuming the DNS name of another system. This is usually accomplished by
either corrupting the name service cache of a victim system or by
compromising a domain name server for a valid domain.
|
| Domain |
The unique name used to identify an
Internet network.
|
| Domain name server |
A repository of addressing
information for specific Internet hosts. Name servers use the domain
name system to map IP addresses to Internet hosts.
|
| Downloadable |
A "downloadable" is a file that has been
transmitted from one computer system to another, usually smaller
computer system. From the Internet user's point-of-view, to download a
file is to request it from another computer (or from a Web page on
another computer) and to receive it.
|
| Downstream post office |
A post office that communicates
with a mail server through another post office or other post offices.
|
| DSS (Digital Signature Standard) |
The Digital Signature Standard (DSS) is a
cryptographic standard promulgated by the National Institute of
Standards and Technology (NIST) in 1994. It has been adopted as the
federal standard for authenticating electronic documents, much as a
written signature verifies the authenticity of a paper document.
|
| DSX (Dynamic Security Extension) |
A proprietary technology that is patented
and works in the following way. The operating system has a system call
(or vector) table that contains memory address pointers for each system
call. These pointers point to a location in memory where the actual
kernel code of the system calls resides. DSX stores the address pointers
for the security sensitive system calls and then redirects these
pointers to the corresponding SECURED system call code, which is located
elsewhere in memory.
|
| Dual-homed gateway |
A system that has two or more network interfaces,
each of which is connected to a different network. In firewall
configurations, a dual-homed gateway usually acts to block or filter
some or all of the traffic trying to pass between the networks.
|
| E |
| e-business |
e-business ("electronic business," derived from such
terms as "e-mail" and "e-commerce") is the conduct
of business on the Internet, not only buying and selling but also
servicing customers and collaborating with business partners.
|
| e-commerce |
e-commerce (electronic commerce or EC) is the
buying and selling of goods and services on the Internet, especially the
World Wide Web. In practice, this term and e-business are often used
interchangeably. For online retail selling, the term e-tailing is
sometimes used.
|
| email client |
An application from which users can create, send and read e-mail
messages.
|
| email server |
An application that controls the distribution and storage of e-mail
messages.
|
| eProcess |
A set of software that facilitates the electronic processing of
business transactions using e-mail as an enabling technology.
|
| Encryption |
Scrambling data in such a way
that it can only be unscrambled through the application of the correct
cryptographic key.
|
| Encryption-In-Place (EIP) |
A security mode in which a Ravlin unit
encrypts the IP packet's payload only (without encrypting the packet
header). Because EIP does not require encryption of the IP header or
encapsulation of the IP packet, overhead is lower and performance
enhanced.
|
| ESP (Encapsulated Security Payload) |
The Encapsulating Security
Payload provides confidentiality for IP datagrams or packets, which are
the message units that the Internet Protocol deals with and that the
Internet transports, by encrypting the payload data to be protected.
|
| Ethernet |
A local-area network
(LAN) protocol developed by Xerox Corporation in cooperation with DEC
and Intel in 1976. Ethernet uses a bus or star topology and supports
data transfer rates of 100Mbps.
|
| Executable |
An executable is a file that contains a
program - that is, a particular kind of file that is capable of being
executed or run as a program in the computer.
|
| Extended MAPI (Extended Messaging Application Programming Interface) |
An interface developed by Microsoft that provides messaging functions
including addressing, sending, receiving and storing messages.
|
| F |
| FDDI (Fiber Distributed Data Interface) |
A set of ANSI protocols for sending digital data over fiber optic
cable. FDDI networks are token-passing networks, and support data rates
of up to 100 Mbps (100 million bits) per second. FDDI networks are
typically used as backbones for wide-area networks.
|
| Filter |
A filter is a program or section of code that is designed to examine
each input or output request for certain qualifying criteria and then
process or forward it accordingly.
|
| Firewall |
A firewall is a program that protects the resources of one network
from users from other networks. Typically, an enterprise with an
intranet that allows its workers access to the wider Internet will want
a firewall to prevent outsiders from accessing its own private data
resources.
|
| Firewall denial-of-service |
The firewall is specifically subjected to a denial-of-service attack.
|
| FTP (File Transfer Protocol) |
FTP is the simplest way to exchange files between computers on the
Internet. Like the Hypertext Transfer Protocol (HTTP), which transfers
displayable Web pages and related files, and the Simple Mail Transfer
Protocol (SMTP), which transfers e-mail, FTP is an application protocol
that uses the Internet's TCP/IP protocols.
|
| G |
| Gateway |
A gateway is a network point
that acts as an entrance to another network. In a company network, a
proxy server acts as a gateway between the internal network and the
Internet. A gateway may also be any machine or service that passes
packets from one network to another network in their trip across the
Internet.
|
| Green Screen Terminal |
Terminals that are designed to be centrally-managed, configured with
only essential equipment, and devoid of CD-ROM players, diskette drives,
and expansion slots (and therefore lower in cost).
|
| GSM (Global System for Mobile Communications) |
GSM is an open, non-proprietary system that is
constantly evolving. One of its great strengths is the international
roaming capability, which gives consumers seamless, standardized
same-number service in more than 159 countries. GSM satellite
roaming has extended service access to areas where terrestrial coverage
is not available.
|
| H |
| Hacker |
Hacker is a term used by some
to mean "a clever programmer" and by others, especially
journalists or their editors, to mean "someone who tries to break
into computer systems."
|
| HDML (Handheld Device Markup Language) |
HDML is a language that allows the text portions
of Web pages to be presented on cellular telephone and personal digital
assistants (PDA) via wireless access. Developed by Unwired Planet, HDML
is an open language offered royalty-free.
|
| Highjacking or hijacking |
Control of a connection is taken by the attacker after the user
authentication has been established.
|
| HMAC (Hash-based Message Authentication Code) |
HMAC is a hash function based message
authentication code that was designed to meet the requirements of the
IPSEC working group in the IETF, and is now a standard.
|
| HTML (HyperText Markup Language) |
A standard set of commands used to
structure documents and format text so that it can be used on the Web.
|
| HTTP (HyperText Transfer Protocol) |
HTTP is the set of rules for
exchanging files (text, graphic images, sound, video, and other
multimedia files) on the World Wide Web. Relative to the TCP/IP suite of
protocols (which are the basis for information exchange on the
Internet), HTTP is an application protocol.
|
| I |
| I2O (Intelligent Input/Output) |
Intelligent Input/Output (I2O) is a hardware
specification that describes a model for offloading I/O processing from
the CPU. The model is after the style of what has been used in very
large mainframes for years. It is not a replacement for the PCI
architecture.
|
| IMAP (Internet Message Access Protocol) |
A standard protocol for accessing e-mail from your
local server. IMAP (the latest version is IMAP4) is a client/server
protocol in which e-mail is received and held for you by your Internet
server. You (or your e-mail client) can view just the heading and the
sender of the letter and then decide whether to download the mail. You
can also create and manipulate folders or mailboxes on the server,
delete messages, or search for certain parts or an entire note. IMAP
requires continual access to the server during the time that you are
working with your mail.
|
| Insider attack |
An attack originating from inside a
protected network.
|
| Internet Key Exchange (IKE) |
A hybrid protocol whose purpose is to negotiate,
and provide authenticated keying material for, security associations in
a protected manner. Processes which implement this protocol can be used
for negotiating virtual private networks (VPNs) and also for providing a
remote user from a remote site (whose IP address need not be known
beforehand) access to a secure host or network.
|
| Intrusion detection |
Detection of break-ins or break-in attempts by reviewing logs or
other information available on a network.
|
| IP (Internet Protocol) |
The Internet Protocol is the method or protocol by
which data is sent from one computer to another on the Internet. Each
computer (known as a host) on the Internet has at least one address that
uniquely identifies it from all other computers on the Internet.
|
| IP spoofing |
An attack where the attacker impersonates a
trusted system by using its IP network address.
|
| IP hijacking |
An attack where an active, established session is
intercepted and taken over by the attacker. May take place after
authentication has occurred which allows the attacker to assume the role
of an already authorized user.
|
| IPSec (Internet Protocol Security) |
A developing standard for security at the network or packet
processing layer of network communication. IPSec provides two choices of
security service: Authentication Header (AH), which essentially allows
authentication of the sender of data, and Encapsulating Security Payload
(ESP), which supports both authentication of the sender and encryption
of data as well.
|
| J |
| Java |
Java is a programming language
expressly designed for use in the distributed environment of the
Internet. It was designed to have the "look and feel" of the
C++ language, but it is simpler to use than C++ and enforces a
completely object-oriented view of programming. Java can be used to
create complete applications that may run on a single computer or be
distributed among servers and clients in a network. It can also be used
to build small application modules or applets for use as part of a Web
page. Applets make it possible for a Web page user to interact with the
page.
|
| K |
| Kerberos |
An authentication service developed at MIT based
on a paper by Needham and Schroeder.
|
| Key |
In cryptography, a key is a variable value that is
applied using an algorithm to a string or block of unencrypted text to
produce encrypted text. The length of the key generally determines how
difficult it will be to decrypt the text in a given message.
|
| Key Management |
The establishment and
enforcement of message encryption and authentication procedures, in
order to provide privacy-enhanced mail (PEM) services for electronic
mail transfer over the Internet.
|
| L |
| LDAP (Lightweight Directory Access Protocol) |
LDAP (Lightweight Directory
Access Protocol) is an emerging software protocol for enabling anyone to
locate organizations, individuals, and other resources such as files and
devices in a network, whether on the Internet or on a corporate
intranet. LDAP is a "lightweight" (smaller amount of code)
version of DAP (Directory Access Protocol), which is part of X.500, a
standard for directory services in a network.
|
| Litigation Protection |
Litigation
protection is both the review and recording of Internet, intranet and
extranet communications that is done in order to avoid litigation or the
documentation of the communications parties and content in the event of
litigation.
|
| M |
| MAC (Media Access Control) |
On a network, the
MAC (Media Access Control) address is your computer's unique hardware
number. The MAC address is used by the Media Access Control sublayer of
the Data-Link Control (DLC) layer of telecommunication protocols. There
is a different MAC sublayer for each physical device type. The Data-Link
Layer is the protocol layer in a program that handles the moving of data
in and out across a physical link in a network.
|
| Macro Virus |
Macro viruses are small
programs written using the internal programming language of a specific
application program that replicate within documents created by the
application program. Common examples of application programs that use
macros include word processors such as Word and spreadsheets such as
Excel.
|
| Malicious Code |
Malicious code is any
code added, changed, or removed from a software system in order to
intentionally cause harm or subvert the intended function of the system.
Traditional examples of malicious code include viruses, worms, Trojan
Horses, and attack scripts, while more modern examples include Java
attack applets and dangerous ActiveX controls.
|
| Manipulation |
The insertion of arbitrary streams of data without the user noticing
it.
|
| MAPI (Messaging Application Programming Interface) |
An interface developed by Microsoft that provides messaging functions
including addressing, sending, receiving and storing messages. Simple
MAPI includes some of these functions. Extended MAPI includes all of
these functions.
|
| MIME (Multipurpose Internet Mail Extensions) |
A protocol used for
transmitting documents with different formats via the Internet.
|
| Monitoring |
A view of individual user
activity on a network, generally in real time. Provides administrators
with the ability to view the content of user utilized applications.
|
| MPLS (Multiprotocol Label Switching) |
A base technology for using label switching in
conjunction with network layer routing and for the implementation of
that technology over various link level technologies, which may include
Packet-over-Sonet, Frame Relay, ATM, and Ethernet.
|
| N |
| NAPT (Network Address Port Translation) |
NAPT is a special case of NAT, where many IP
numbers are hidden behind a number of addresses, but in contrast to the
original NAT this does not mean there can be only that number of
connections at a time. In NAPT an almost arbitrary number of connections
is multiplexed using TCP port information. The number of simultaneous
connections is limited by the number of addresses multiplied by the
number of TCP ports available.
|
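The multiplexing this entry describes, as an added example that is not part of the glossary: a minimal NAPT translation table that maps many internal flows onto a few external addresses by assigning each flow its own external port. It shows the capacity limit the entry states (addresses times ports) and what happens to an inbound packet that matches no table entry. External and internal addresses and the port range are constructed.

```python
# Added example, not from the glossary: a NAPT translation table in a few
# dozen lines. All addresses (RFC 5737 documentation ranges) and the port
# range are constructed for illustration.
from collections import deque


class Napt:
    def __init__(self, external_ips, port_range=(1024, 65535)):
        self.external_ips = list(external_ips)
        self.port_range = port_range
        self.outbound = {}   # (src_ip, src_port, dst_ip, dst_port) -> (ext_ip, ext_port)
        self.inbound = {}    # (ext_ip, ext_port) -> (src_ip, src_port)
        self.free = deque((ip, port) for ip in self.external_ips
                          for port in range(port_range[0], port_range[1] + 1))

    def capacity(self) -> int:
        """Maximum simultaneous connections: external addresses times usable ports."""
        return len(self.external_ips) * (self.port_range[1] - self.port_range[0] + 1)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Map an internal flow to (ext_ip, ext_port); None when the table is full."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.outbound:
            return self.outbound[key]          # an existing flow keeps its mapping
        if not self.free:
            return None                        # no address/port pair left
        external = self.free.popleft()
        self.outbound[key] = external
        self.inbound[external] = (src_ip, src_port)
        return external

    def translate_inbound(self, ext_ip, ext_port):
        """Reverse lookup for a reply; None means no internal host is reachable this way."""
        return self.inbound.get((ext_ip, ext_port))

    def release(self, src_ip, src_port, dst_ip, dst_port):
        """Tear down a flow and return its external port to the pool."""
        external = self.outbound.pop((src_ip, src_port, dst_ip, dst_port), None)
        if external is not None:
            del self.inbound[external]
            self.free.append(external)


def demo_table():
    """Exercise a deliberately tiny table (one address, two ports) and collect the results."""
    napt = Napt(["203.0.113.5"], port_range=(40000, 40001))
    first = napt.translate_outbound("10.0.0.2", 51000, "198.51.100.7", 80)
    second = napt.translate_outbound("10.0.0.3", 51000, "198.51.100.7", 80)
    third = napt.translate_outbound("10.0.0.4", 51000, "198.51.100.7", 80)   # table full
    repeat = napt.translate_outbound("10.0.0.2", 51000, "198.51.100.7", 80)  # same flow as first
    reply = napt.translate_inbound("203.0.113.5", 40000)                    # reply to first
    stray = napt.translate_inbound("203.0.113.5", 40555)                    # unsolicited
    napt.release("10.0.0.2", 51000, "198.51.100.7", 80)
    after_release = napt.translate_outbound("10.0.0.4", 51000, "198.51.100.7", 80)
    return {"capacity": napt.capacity(), "first": first, "second": second, "third": third,
            "repeat": repeat, "reply": reply, "stray": stray, "after_release": after_release}


if __name__ == "__main__":
    for name, value in demo_table().items():
        print(f"{name:14s} {value}")
```

The `stray` lookup returning `None` is the "address hiding" effect mentioned under NAT: an inbound packet that no internal host solicited has no table entry and is dropped, which is useful but is not a substitute for a packet filter.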
| NAR (Network Address Retention) |
A simplified IP addressing capability that eliminates the need to
establish an intermediate IP address between a router and a firewall.
Sometimes called Proxy-ARP. This feature allows the implementation of a
firewall into an existing network without having to establish a new IP
address scheme.
|
| NAT (Network Address Translation) |
Network Address Translation allows your Intranet to use addresses
that are different from what the outside Internet thinks you are using.
It permits many users to share a single external IP address at the same
time. The NAT provides what some people call "address hiding",
which is, as it suggests, security through obscurity at best.
|
| NCSA (National Computer Security Association) |
An organization with the
mission to continually improve commercial computer security through
certification of firewalls, anti-virus products and web sites. NCSA also
shares and disseminates information concerning information security.
|
| Network Service Access Policy |
A high level, issue specific policy which defines those services that
will be allowed or explicitly denied from a restricted network, the way
in which these services will be used, and the conditions for exceptions
to the policy.
|
| NNTP (Network News Transfer Protocol) |
NNTP (Network News Transfer Protocol) is the predominant protocol
used by computers (servers and clients) for managing the notes posted on
newsgroups. NNTP replaced the original Usenet protocol, UNIX-to-UN
|
| O |
| ODBC (Open Database Connectivity) |
ODBC is a standard or open application programming interface (API)
for accessing a database. By using ODBC statements in a program, you can
access files in a number of different databases, including Access,
dBase, DB2, Excel, and Text. In addition to the ODBC software, a
separate module or driver is needed for each database to be accessed.
|
| P |
| Packet |
A packet is the unit of data that is routed
between an origin and a destination on the Internet or any other
packet-switched network. When any file (e-mail message, HTML file, GIF
file, URL request, and so forth) is sent from one place to another on
the Internet, the Transmission Control Protocol (TCP) layer of TCP/IP
divides the file into "chunks" of an efficient size for
routing. Each of these packets is separately numbered and includes the
Internet address of the destination. The individual packets for a given
file may travel different routes through the Internet. When they have
all arrived, they are reassembled into the original file (by the TCP
layer at the receiving end).
|
| Packet Filters |
Packet filters keep out
certain data packets based on their source and destination addresses and
service type. Filters can be used to block connections from or to
specific hosts, networks or ports. Packet filters are simple and fast.
However, they make decisions based on a very limited amount of
information.
|
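A first-match packet filter evaluated over a handful of packets, as an added example that is not part of the glossary. The rules see only source and destination address, protocol and destination port, which is exactly the "very limited amount of information" the entry refers to; the rule set, the addresses (RFC 5737 documentation ranges) and the sample packets are all constructed.

```python
# Added example, not from the glossary: a first-match, default-deny packet
# filter. Rules, addresses and packets are constructed for illustration.
from ipaddress import ip_address, ip_network

# Rule order matters: the first matching rule decides, anything unmatched is denied.
RULES = [
    # Anti-spoofing: packets claiming a private source address are dropped
    # (a real filter would bind this rule to the Internet-facing interface).
    {"action": "deny",  "src": "10.0.0.0/8",   "dst": "0.0.0.0/0",     "proto": "any", "dport": None},
    # Public web server: only HTTP and HTTPS are reachable from anywhere.
    {"action": "allow", "src": "0.0.0.0/0",    "dst": "192.0.2.10/32", "proto": "tcp", "dport": 80},
    {"action": "allow", "src": "0.0.0.0/0",    "dst": "192.0.2.10/32", "proto": "tcp", "dport": 443},
    # Hosts on the perimeter network may initiate anything outbound.
    {"action": "allow", "src": "192.0.2.0/24", "dst": "0.0.0.0/0",     "proto": "any", "dport": None},
]


def rule_matches(rule, packet) -> bool:
    """A rule matches when every field it constrains agrees with the packet."""
    src, dst, proto, dport = packet
    return (ip_address(src) in ip_network(rule["src"])
            and ip_address(dst) in ip_network(rule["dst"])
            and rule["proto"] in ("any", proto)
            and rule["dport"] in (None, dport))


def decide(packet, rules=RULES) -> str:
    """Return 'allow' or 'deny' for a packet given as (src_ip, dst_ip, proto, dst_port)."""
    for rule in rules:
        if rule_matches(rule, packet):
            return rule["action"]
    return "deny"                      # default deny: nothing matched


SAMPLE_PACKETS = [                     # constructed
    ("198.51.100.9", "192.0.2.10",   "tcp", 80),   # outside -> web server, HTTP
    ("198.51.100.9", "192.0.2.10",   "tcp", 23),   # outside -> web server, telnet
    ("10.1.2.3",     "192.0.2.10",   "tcp", 80),   # HTTP, but with a private source address
    ("192.0.2.10",   "198.51.100.9", "udp", 53),   # web server -> outside DNS
]


def filter_all(packets=SAMPLE_PACKETS, rules=RULES):
    return [decide(packet, rules) for packet in packets]


if __name__ == "__main__":
    for packet, verdict in zip(SAMPLE_PACKETS, filter_all()):
        print(f"{verdict:5s} {packet}")
```

The third packet is denied even though it is HTTP to the web server, because the anti-spoofing rule is evaluated first; the same packet would be allowed if the rules were reordered, which is the usual way packet-filter rule sets go wrong. Note also what the filter cannot see: a permitted HTTP connection carrying hostile content passes, which is the gap an application gateway or content scanner is meant to close.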
| Packet Sniffing |
Intercepting packets of information (such as a credit card number) that
are traveling between locations on the Internet.
|
| PAP (Password Authentication Procedure) |
A procedure used to validate a connection request. After the link is
established, the requestor sends a password and an id to the server. The
server either validates the request and sends back an acknowledgement,
terminates the connection, or offers the requestor another chance.
|
| Password-based attacks |
An attack where repetitive attempts are made to duplicate a valid
log-in and/or password sequence.
|
| Perimeter network |
See DMZ.
|
| PGP (Pretty Good Privacy) |
A cryptographic product family that enables people to securely
exchange messages, and to secure files, disk volumes and network
connections with both privacy and strong authentication.
|
| Ping of Death Attack |
A notorious exploit that (when first discovered)
could be easily used to crash a wide variety of machines by overrunning
the size limits in their TCP/IP stacks. The term is now used to refer to
any nudge delivered by hackers over the network that causes bad things
to happen on the system being nudged.
|
| PKI (Public Key Infrastructure) |
A PKI (public key infrastructure)
enables users of a basically unsecure public network such as the
Internet to securely and privately exchange data and money through the
use of a public and a private cryptographic key pair that is obtained
and shared through a trusted authority.
|
| Platform attack |
An attack that focuses on
vulnerabilities in the operating system hosting the firewall.
|
| Policy
Enforced Networking (PEN) |
Policy Enforced Networking defines and automates
the creation, delivery and enforcement of business rules within an
information network.
|
| Policy
Management Zone (PMZ) |
The Policy Management Zone protects communications
between trusted parties and firewalls access to untrusted domains in an
information network.
|
| Polymorphic
virus |
Polymorphic viruses encrypt the virus body
in an attempt to hide their signature from anti-virus programs.
|
| POP3
(Post Office Protocol 3) |
An e-mail protocol used to retrieve e-mail from a remote server over
an Internet connection. POP3 is a client/server protocol in which e-mail
is received and held for you by your Internet server. Periodically, you
(or your client e-mail receiver) check your mail-box on the server and
download any mail.
|
| PPP
(Point-to-Point Protocol) |
Point-to-Point Protocol (PPP) is a protocol
for communication between two computers using a serial interface,
typically a personal computer connected by phone line to a server.
|
| PPTP
(Point-to-Point
Tunneling Protocol) |
Point-to-Point Tunneling Protocol
(PPTP) is a network protocol
that enables the secure transfer of data from a remote client to a
private enterprise server by creating a virtual private network (VPN)
across TCP/IP-based data networks. PPTP supports on-demand,
multi-protocol, virtual private networking over public networks, such as
the Internet.
|
| Private
Key |
In cryptography, a private or secret key is an encryption/decryption key
known only to the party or parties that exchange secret messages. In
traditional secret key cryptography, a key would be shared by the
communicators so that each could encrypt and decrypt messages. The risk
in this system is that if either party loses the key or it is stolen,
the system is broken. A more recent alternative is to use a combination
of public and private keys. In this system, a public
key is used together with a private key.
|
| Protocol |
A special set of rules for
communicating that the end points in a telecommunication connection use
when they send signals back and forth. Protocols exist at several levels
in a telecommunication connection. There are hardware telephone
protocols. There are protocols between the end points in communicating
programs within the same computer or at different locations. Both end
points must recognize and observe the protocol. Protocols are often
described in an industry or international standard.
|
| Protocol
Attacks |
A
|
| Proxy |
An agent that acts on behalf of a
user, typically accepting a connection from a user and completing a
connection on behalf of the user with a remote host or service. See also
gateway and proxy server.
|
| Proxy
Server |
A proxy server is one that acts on
behalf of one or more other servers, usually for screening, firewall,
caching, or a combination of these purposes. Gateway is often used as a
synonym for "proxy server." Typically,
a proxy server is used within a company or enterprise to gather all
Internet requests, forward them out to Internet servers, and then
receive the responses and in turn forward them to the original requestor
within the company.
|
| Public
Key |
A public key is a value provided by some
designated authority as a key
that, combined with a private key derived from the public key, can be
used to effectively encrypt and decrypt messages and digital
signatures. The use of combined public and private keys is known as asymmetric
encryption. A system for using public keys is called a public key
infrastructure (PKI).
|
| Q |
| QoS
(Quality of Service) |
On the Internet and in other networks, QoS is the idea that
transmission rates, error rates, and other characteristics can be
measured, improved, and, to some extent, guaranteed in advance. QoS is
of particular concern for the continuous transmission of high-bandwidth
video and multimedia information.
|
| R |
| RA
(Registration Authority) |
An RA (registration authority) is
an authority in a network that verifies user requests for a digital
certificate and tells the certificate authority (CA)
to issue it. RAs are part of a public key infrastructure (PKI),
a networked system that enables companies and users to exchange
information and money safely and securely.
|
| RADIUS |
RADIUS (Remote Authentication Dial-In User
Service) is a client/server protocol
and software that enables remote access servers to communicate with a
central server to authenticate dial-in users and authorize their access
to the requested system or service. RADIUS allows a company to maintain
user profiles in a central database that all remote servers can share.
|
| RAS
(Remote Access Services) |
A feature built into Windows NT
that enables users to log into an NT-based LAN using a modem, X.25
connection or WAN link. RAS works with several major network protocols,
including TCP/IP, IPX, and NetBEUI.
|
| RIP
(Routing Information Protocol) |
The oldest routing protocol on the
Internet and the most commonly used routing protocol on local area IP
networks. Routers use RIP to periodically broadcast which networks they
know how to reach.
|
| Routing
Agent |
On the Internet, an agent (also
called an intelligent agent) is a program that gathers information or
performs some other service without your immediate presence and on some
regular schedule. Typically, an agent program, using parameters you have
provided, searches all or some part of the Internet, gathers information
you're interested in, and presents it to you on a daily or other
periodic basis.
|
| RSA
(Rivest-Shamir-Adleman) |
One of the fundamental encryption
algorithms or series of mathematical actions developed in 1977 by Ron
Rivest, Adi Shamir, and Leonard Adleman. The RSA algorithm is the most
commonly used encryption and authentication algorithm and is included as
part of the Web browsers from Netscape and Microsoft.
|
| RSACi
(Recreational Software Advisory Council on the Internet) |
A computer
software ratings system for Web site content developed by RSACi in
response to the passage of US federal legislation prohibiting the
transmittal of offensive, or indecent, materials over the Internet.
RSACi was developed with the express intent of providing a simple, yet
effective rating system for Web sites that protects both children, by
providing parents with detailed information about site content, and the
free-speech rights of everyone who publishes on the World Wide Web.
|
| Rules |
Criteria that are used to organize and control incoming messages
automatically. When you set up a rule, you designate the criteria that
select a specific class of messages and then you select one or more
actions to handle the messages that meet the criteria.
|
| S |
| Screening
router |
A router configured to permit or deny traffic
based on a set of permission rules installed by the administrator.
|
| Security
Association (SA) |
A Security Association (SA) is a relationship
between two or more entities that describes how the entities will
utilize security services to communicate securely. This relationship is
represented by a set of information that can be considered a contract
between the entities. The information must be agreed upon and shared
between all the entities.
|
| Secure
Hash Algorithm-1 (SHA-1) |
A one-way cryptographic function which takes a
message and produces a 160-bit message digest. A message digest is a value
generated for a message or document that is unique to that message, and
is sometimes referred to as a "fingerprint" of that message or
data. Once a message digest is computed, any subsequent change to the
original data will, with a very high probability, cause a change in the
message digest, and the signature will fail to verify. This process is
used to compress large data strings to a 20-byte length which is used in
a cryptographic process. The reduced data length relieves computational
requirements for data encryption.
|
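The definition above makes three claims worth seeing concretely: the digest is 160 bits (20 bytes), any change to the input changes the digest with very high probability, and the digest stands in for the full message in a later cryptographic step. The added example below (not part of the glossary; it uses Python's standard `hashlib` and `hmac` modules, and the function names are its own) computes SHA-1 over a constructed message, measures how many digest bits flip when one character of the message is altered, and performs the integrity check that a signature verification relies on.

```python
"""SHA-1 message digest: length, tamper sensitivity and verification (added example)."""
import hashlib
import hmac


def sha1_digest(data: bytes) -> bytes:
    """Return the 160-bit (20-byte) SHA-1 digest of data."""
    return hashlib.sha1(data).digest()


def hamming_distance(a: bytes, b: bytes) -> int:
    """Count the bits that differ between two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Integrity check: recompute the digest and compare it in constant time.

    A signature scheme signs the digest, not the message, so a verifier
    recomputes the digest of the received message and rejects on mismatch.
    """
    return hmac.compare_digest(sha1_digest(data).hex(), expected_hex.lower())


def tamper_report(original: bytes, modified: bytes) -> dict:
    """Summarise how the digest reacts to a change in the message."""
    d_orig, d_mod = sha1_digest(original), sha1_digest(modified)
    return {
        "digest_bytes": len(d_orig),                  # always 20 for SHA-1
        "digest_hex": d_orig.hex(),                   # 40 hex characters
        "bits_changed": hamming_distance(d_orig, d_mod),
    }


if __name__ == "__main__":
    # Constructed sample message and a one-character alteration of it.
    msg = b"Transfer 100 EUR to account 12345"
    altered = b"Transfer 900 EUR to account 12345"
    report = tamper_report(msg, altered)
    print(report)
    stored = sha1_digest(msg).hex()
    print("original verifies:", verify_digest(msg, stored))
    print("altered verifies: ", verify_digest(altered, stored))
```

On a 160-bit digest a one-character change typically flips roughly half the bits, which is the "very high probability" property the definition refers to. One caveat the glossary predates: SHA-1 collisions have been demonstrated in practice (the 2017 SHAttered work), so while the code above is correct for illustrating the mechanism, new designs should sign SHA-256 or stronger digests; `hashlib.sha256` is a drop-in replacement producing 32 bytes.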
| Session |
In the Open Systems Interconnection (OSI) communications model,
the Session layer (sometimes called the "port layer") manages
the setting up and taking down of the association between two
communicating end points that is called a connection. A connection is
maintained while the two end points are communicating back and forth in
a conversation or session of some duration. Some connections and
sessions last only long enough to send a message in one direction.
However, other sessions may last longer, usually with one or both of the
communicating parties able to terminate it.
|
| SGML
(Standard Generalized Markup Language) |
SGML is the Standard Generalized Markup Language,
the international standard for defining descriptions of the structure
and content of different types of electronic documents.
|
| Shared
POP3 mailbox |
A mailbox that stores messages for an entire domain, allowing
organizations with part-time Internet connections to exchange mail.
|
| Signatures |
Viruses employ signatures by which they recognize
their own code and thereby avoid corrupting it.
Standard viruses, including most macro viruses,
use character-based signatures. More complex viruses, such as polymorphic
viruses, use algorithmic signatures.
|
| SLIP |
SLIP is a
TCP/IP protocol
used for communication between two machines that are previously
configured for communication with each other. |