|
| Access Control List (ACL) |
| A sequential list of permit and deny conditions that define the connections permitted to pass through a device, usually a *router. ACL syntax is arcane and specific to individual vendors, and a *security policy based on ACLs is difficult to maintain. |
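The following is an added example, not part of the glossary or of any Check Point product: a first-match evaluator for a small ACL written in a simplified, vendor-neutral syntax (the five-field "action proto src dst dport" grammar is an assumption for illustration, not any real router's). It shows the two properties that make ACLs hard to maintain: a packet matching no entry falls through to an implicit deny, and an entry placed after a broader one can never match.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example ACL (hypothetical addresses from documentation ranges).
# Assumed syntax: "action proto src dst dport"; not any vendor's real grammar.
SAMPLE_ACL = """
permit tcp 0.0.0.0/0   192.0.2.10/32 80    # web server reachable from anywhere
deny   tcp 10.0.0.0/8  192.0.2.0/24  23    # no telnet from internal hosts into the DMZ
permit tcp 10.0.0.0/8  192.0.2.0/24  any   # internal hosts may reach the DMZ on any other TCP port
"""

@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None means any destination port

def parse_acl(text: str) -> List[AclEntry]:
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        action, proto, src, dst, port = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in ACL line: {raw!r}")
        entries.append(AclEntry(action, proto,
                                ipaddress.ip_network(src), ipaddress.ip_network(dst),
                                None if port == "any" else int(port)))
    return entries

def evaluate(acl: List[AclEntry], proto: str, src: str, dst: str,
             dport: Optional[int]) -> Tuple[str, Optional[int]]:
    """First-match evaluation: returns (verdict, index of the matching entry).
    A packet matching no entry falls through to the implicit deny (index None)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, e in enumerate(acl):
        if e.proto != "any" and e.proto != proto:
            continue
        if src_ip not in e.src or dst_ip not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, i
    return "deny", None

def shadowed(acl: List[AclEntry]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry with the
    same protocol and port covers all of their source and destination space."""
    out = []
    for i, e in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier.proto in ("any", e.proto)
                    and earlier.dport in (None, e.dport)
                    and e.src.subnet_of(earlier.src)
                    and e.dst.subnet_of(earlier.dst)):
                out.append(i)
                break
    return out

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for pkt in [("tcp", "203.0.113.5", "192.0.2.10", 80),
                ("tcp", "10.1.2.3", "192.0.2.20", 23),
                ("udp", "10.1.2.3", "192.0.2.20", 53)]:
        print(pkt, "->", evaluate(acl, *pkt))
    # Swapping the last two entries makes the telnet deny unreachable.
    print("shadowed after reordering:", shadowed([acl[0], acl[2], acl[1]]))
```

The UDP packet in the demonstration is dropped by the implicit deny even though no entry mentions UDP, and swapping the last two entries leaves the telnet deny in place but unreachable, which is exactly the kind of silent mistake a maintained ACL accumulates.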
|
|
|
| ActiveX |
| A programming environment developed by Microsoft Corporation; a direct competitor to Sun Microsystems’ *Java. ActiveX presents a security risk because its executable ActiveX control files run on the client and can be used to gain illicit access to its files.
|
|
|
| ActiveX Stripping |
| The ability to prevent *ActiveX programs from being executed on the client by removing all ActiveX programs from HTML pages as they are downloaded.
|
|
|
| Address Resolution Protocol (ARP) |
| The *protocol used inside networks to bind high-level *IP addresses to low-level physical hardware addresses. |
|
|
|
| Advanced Encryption Standard (AES) |
| A replacement proposed for *DES by the US Commerce Department’s National Institute of Standards and Technology (NIST) in 1997. The successful candidate, the Rijndael block cipher (pronounced “raindoll”), is supported both for VPN Modules and VPN Clients (SecuRemote/SecureClient). AES’s advantages are: |
|
|
| Anti-spoofing |
| A method used to protect a network against *IP spoofing attacks by verifying that a packet’s source and destination *IP addresses are appropriate to the interface through which the packet passes, for example, that a packet entering the local network from the outside carries an external source IP address. A simple precaution against IP spoofing attacks is to hide internal IP addresses (using the Network Address Translation feature) so that outside users cannot learn what they are. |
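The interface consistency check described above, as an added example that is not part of the glossary or of VPN-1/FireWall-1: each gateway interface is given the address ranges that legitimately sit behind it (a constructed topology using documentation addresses), and a packet is dropped when its source does not belong to the interface it arrived on, or when its destination does not lie behind the interface it is about to leave on.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed topology (hypothetical addresses): the networks that legitimately
# sit behind each gateway interface. Any address not listed is external.
INTERFACE_NETWORKS: Dict[str, List[ipaddress.IPv4Network]] = {
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
    "dmz":      [ipaddress.ip_network("192.0.2.0/24")],
}
EXTERNAL = "external"

def home_interface(ip: str) -> str:
    """The only interface on which a packet carrying this address may legitimately appear."""
    addr = ipaddress.ip_address(ip)
    for iface, nets in INTERFACE_NETWORKS.items():
        if any(addr in net for net in nets):
            return iface
    return EXTERNAL

def check_ingress(iface: str, src: str) -> Tuple[str, str]:
    """Verdict for a packet entering on `iface`: its source must belong behind that interface."""
    expected = home_interface(src)
    if expected != iface:
        return "drop", f"source {src} belongs to {expected} but arrived on {iface}"
    return "accept", "source consistent with ingress interface"

def check_egress(iface: str, dst: str) -> Tuple[str, str]:
    """Verdict for a packet leaving on `iface`: its destination must lie behind that interface."""
    expected = home_interface(dst)
    if expected != iface:
        return "drop", f"destination {dst} belongs to {expected}, not {iface}"
    return "accept", "destination consistent with egress interface"

# Constructed sample of packet records (ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("external", "203.0.113.9", "192.0.2.10"),   # Internet client to DMZ: fine
    ("external", "10.1.1.5",    "192.0.2.10"),   # internal source seen from outside: spoofed
    ("internal", "10.1.1.5",    "203.0.113.9"),  # outbound from internal: fine
    ("dmz",      "10.1.1.5",    "203.0.113.9"),  # internal source on the DMZ interface: spoofed
]

def audit(packets) -> List[Tuple[str, str]]:
    """Return (source, reason) for every packet the ingress check would drop."""
    dropped = []
    for iface, src, _dst in packets:
        verdict, reason = check_ingress(iface, src)
        if verdict == "drop":
            dropped.append((src, reason))
    return dropped

if __name__ == "__main__":
    for entry in audit(SAMPLE_PACKETS):
        print("DROP", *entry)
```

The check depends entirely on the interface-to-network table being complete and current; an internal range missing from it is treated as external, so a spoofed packet using that range would pass.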
|
|
| Anti-virus |
| A mechanism that provides detection, inoculation, logging and alerting capabilities to disarm *viruses on a local disk or in files as they are transferred on the network. |
|
|
| API |
| A well-defined set of functions, syntax or languages that enable application programs to communicate with one another and exchange data. |
|
|
| Application gateway |
| A *firewall that uses *proxies to provide security. Historically, application level gateways suited the Internet’s common uses and needs. However, as the Internet has become a dynamic environment in which new protocols, services and applications appear almost daily, proxies are no longer able to cope with the diversity of the Internet, or to fulfill the new business needs, high bandwidth and security requirements of networks. |
|
|
| Application layer |
| The top network communication layer in a *protocol stack. The application layer is concerned with the semantics of work, such as how to format an e-mail message for display on the screen. A message’s routing information is processed by lower layers of the network stack (see “layered communication model”). |
|
|
| Application Programming Interface (API) |
| A well-defined set of functions, syntax or languages that enable application programs to communicate with one another and exchange data. |
|
|
| ARP |
| The *protocol used inside networks to bind high-level *IP addresses to low-level physical hardware addresses. |
|
|
| Asynchronous Transfer Mode (ATM) |
| A method for dynamically allocating bandwidth using a fixed packet size (called a cell). These cells can carry data, voice, and video at high speeds. |
|
|
| ATM |
| A method for dynamically allocating bandwidth using a fixed packet size (called a cell). These cells can carry data, voice, and video at high speeds. |
|
|
| Audit |
| In network security, examining and evaluating the relative security of a network. |
|
|
| Authentication |
| A method of verifying that an object is really what it appears to be: that a user or a computer is not being impersonated by another user or computer, or that a message received is the same message that was sent (that is, it has not been tampered with). Users are authenticated by a challenge-response mechanism: the user is asked to provide information (for example, a *password or *token) presumably known to no one else. Computers may be authenticated in a similar way. In addition, human users can be authenticated by biometric means, such as verifying fingerprints or retinal images. Authenticating a message means verifying its integrity and the sender’s identity, usually by means of a *digital signature. |
|
|
| Authentication algorithm |
| An algorithm, such as MD5, used to calculate the *digital signature by which a message’s integrity is verified. |
|
|
| B1, B2 level |
| In the USA, the National Security Agency’s rating system for network security. Ratings are certified by the National Computer Security Center. A B1 rating describes a basic level of enterprise-wide Internet security and is equivalent to the European E3 rating (see “E3”). A B2 rating describes a much higher level of security typically used to protect military systems. |
|
|
| Bridge |
| A device, with two interfaces connecting two networks, that replicates packets appearing on one interface and transmits them on the other interface. |
|
|
| Broadcast |
| A message sent to every destination on the network, in contrast to *multicast and *unicast. |
|
|
| Certificate |
| A *digital signature encrypted with the (for example, *RSA) private key of the *Certificate Authority (CA) who sent the message that includes the certificate, intended to generate confidence in the legitimacy of the public key contained in the message. The recipient can verify that the message was indeed sent by the CA by computing the message’s digital signature, decrypting the transmitted digital signature using the CA’s public key (reliably available from an out-of-band source such as a printed directory) and comparing the two. If they are the same, then the message was sent by someone who knows the CA’s private key; presumably this can only be the CA. |
|
|
| Certificate Authority (CA) |
| A trusted third party from which information (for example, a person’s public key) can be reliably obtained, even over an insecure channel. For example, if Alice and Bob obtain each other’s public keys over an insecure channel such as the Internet, they must be certain that the keys are genuine. Alice cannot simply ask Bob for his public key, because there is the danger that Charlie might intercept Alice’s request and send Alice his own key instead. Charlie would then be able to read all of Alice’s encrypted messages to Bob. The CA certifies the information it provides by generating a *certificate. Anyone receiving the information verifies the certificate as proof of the information’s validity. |
|
|
| Community |
| In SNMP, a community is a logical group of managed devices and NMSs in the same administrative domain. |
|
|
| Computationally unfeasible |
| Impossible in practical terms though not theoretically so. For example, it is computationally unfeasible to compute the private part of a *public key pair from the public part, because the only known method — the “brute force” approach of trying all the possibilities one after the other — would take millions of years. |
|
|
| Connectionless communication |
| A scheme in which communication occurs outside of any context, that is, replies and requests are not distinguishable. Connectionless communication avoids the overhead inherent in maintaining a connection’s context, but at the risk of allowing transmission errors to go undetected. Streaming services usually use connectionless communication protocols such as *UDP, because they must attain high transmission speeds and there is no advantage in sending a retransmitted packet out of sequence. |
|
|
| Content security |
| The ability to specify the content of a communication as an element of a security policy, in contrast to defining a security policy on the basis of header information only. Effective content security requires that a firewall understand the internal details of the protocols and services it monitors. An example of content security is enforcing *anti-virus checking for downloaded files, disallowing email from or to specified email addresses, or allowing access to Web pages containing certain words only during specified time periods. |
|
|
| Content Vectoring Protocol (CVP) |
| An *OPSEC API that enables integration of third-party content security applications such as antivirus software into VPN-1/FireWall-1. The CVP API has been adopted by a wide variety of security vendors. |
|
|
| Data Encryption Standard (DES) |
| A widely-used *secret key *encryption algorithm endorsed as an official standard by the U.S. government in 1977. To address security concerns resulting from the relatively short (56 bit) key length, triple-DES (encrypting under three different DES keys in succession, believed to be equivalent to doubling the DES key length to 112 bits) is often employed. |
|
|
| Data link layer (DLL) |
| See “layered communication model”. |
|
|
| Denial of service attack |
| An attack with the purpose of overwhelming the target with spurious data to the point where it is no longer able to respond to legitimate service requests, in contrast to an attack whose purpose is to penetrate the target system. Examples of denial of service attacks are SYN and “ping of death.” |
|
|
| Dial-up line |
| A telecommunication line available only after a dialing procedure, such as an ordinary telephone line, in contrast to a *leased line. |
|
|
| Diffserv |
| Diffserv (Differentiated Services) is a technology in which packets are marked (in the IP header TOS byte) inside the enterprise network as belonging to a certain class of service. These classes are then granted priority on the public network. FloodGate-1 can mark packets, but it does not prioritize traffic based on these markings. DiffServ markings have meaning on the public network, not inside the enterprise network. Effective implementation of DiffServ requires that packet markings be recognized and honored on all public network segments. |
|
|
| Digital signature |
| The result of a complex calculation on the contents of a message. Changing even one bit in the message results in a completely different digital signature. Moreover, it is *computationally unfeasible to compose a message with a given digital signature. A digital signature is used to verify a message’s integrity, that is, to ensure that it has not been tampered with. See also certificate. |
|
|
| Directory service |
| A standard database providing distributed, scalable, client/server-based repositories of data that are read much more frequently than modified (for example, user definitions, user profiles, and network resource definitions). Users and applications can access these directories through directory access protocols (DAPs). In network environments, example DAPs include the Novell Directory Services (NDS) and *X.500 directory access protocols. Another widely-used DAP is LDAP (see “Lightweight Directory Access Protocol (LDAP)”). |
|
|
| E3 |
| A verifiable level of security required by European governments for any Internet firewalls employed over any of its networks. Products meeting this level of security (roughly equivalent to the U.S. B1 “Orange Book” level) are certified by the Information Technology Security Evaluation and Certification organization (ITSEC) in the United Kingdom and by the Logical Evaluation Defence Signals Directorate (DSD) in Australia. See also “B1, B2 level”. “E3” also refers to a high speed transmission line in Europe equivalent to the T3 transmission line in the United States. |
|
|
| Encapsulated encryption |
| An *encryption scheme in which an entire packet, including the header, is encrypted, and a new header appended to the packet. Encapsulated encryption hides the true source and destination but increases a packet’s length, in contrast to *in-place encryption. |
|
|
| Encryption |
| The transformation of a message so that the encrypted message can only be read with the aid of some additional information (the *key) known to the sender and the intended recipient alone. In *secret key (symmetric) encryption, the same key is used to both encrypt a message and then to decrypt it. In *public key (asymmetric) encryption, two mathematically-related keys are used: one to encrypt the message and the other to decrypt it. |
|
|
| Encryption algorithm |
| An algorithm, such as *AES, *DES, for encrypting and decrypting data. An encryption algorithm is one element of an *encryption scheme. |
|
|
| Encryption domain |
| The computers and networks on whose behalf a *gateway encrypts and decrypts communications. |
|
|
| Encryption scheme |
| A mechanism for encrypting and authenticating messages as well as managing and distributing keys, such as *FWZ, *IPsec, *SKIP and *IKE. An encryption scheme consists of three elements: |
| - an *encryption algorithm that performs the actual encryption |
| - an *authentication algorithm for ensuring message integrity |
| - a *key management protocol for generating and exchanging keys |
|
|
|
| Enforcement point |
| A machine that enforces at least some part of a VPN-1/FireWall-1 Security Policy. An enforcement point can be a workstation, router, switch or any machine that can be managed by a Management Server by installing a Security Policy or Access List. |
|
|
| Enterprise-wide security management |
| The consistent application and management of a security policy in a complex, distributed network environment, usually including corporate *intranets and *extranets. |
|
|
| Extranet |
| In contrast to the Internet, which provides universal access to network-based information, and an *intranet, which is accessible only within an enterprise, an extranet enables a company and its partners or customers to collaborate, communicate and exchange documents in a secured network environment. Extranets typically utilize virtual private networks that allow authorized users to access specific information, such as technical documentation or inventory information (see “Virtual Private Network (VPN)”). |
|
|
| File Transfer Protocol (FTP) |
| A widely-used TCP-based protocol for copying files between hosts. In security environments, FTP commands can be controlled via *authentication schemes, *content security schemes, file name restrictions, and *anti-virus programs. |
|
|
| FireWall Module |
| A VPN-1/FireWall-1 security application, similar to an *Inspection Module, that provides the additional functionality of *user authentication, *content security, *encryption, *Network Address Translation, and *high availability. |
|
|
| Frame |
| The packet transmitted by the *data link layer. |
|
|
| FTP |
| A widely-used TCP-based protocol for copying files between hosts. In security environments, FTP commands can be controlled via *authentication schemes, *content security schemes, file name restrictions, and *anti-virus programs. |
|
|
| FWDIR |
| An environment variable specifying the directory in which VPN-1/FireWall-1 is installed. |
|
|
| FWZ |
| Check Point’s domestic and worldwide exportable *encryption scheme, offering *Diffie-Hellman key exchange, multiple *encryption algorithms, *authentication, and *Certificate Authority capabilities. |
|
|
| Gateway |
| A device positioned between two networks through which all communications between the networks must pass. A gateway is a natural choice for enforcing a security policy and providing encryption and authentication services. |
|
|
| Gateway stealthing |
| Disallowing connections that originate or terminate on a *gateway while allowing connections to pass through the gateway, thereby making the gateway transparent (or “invisible”) to the networks which it connects. |
|
|
| Header |
| The portion of a packet, preceding the actual data, containing source and destination addresses, checksums and other fields. A header is analogous to the envelope of a letter sent by ordinary mail. In order to deliver the message (letter), it is only necessary to act on the information (address) in the header (envelope). A communication can have several layers of headers. For example, a mail message includes an application layer header specifying the message originator, date and time. At the lower layers, the packets in which the mail message is transmitted carry IP headers and TCP headers. |
|
|
| High availability |
| A hardware and software configuration in which a device takes over the tasks of another device that has gone down. |
|
|
| Host |
| A computer connected to a network. |
|
|
|
| HTTP |
| A standard protocol for transferring files on the World Wide Web. |
|
|
| Hub |
| A device that connects computers, servers and peripherals together in a local area network (LAN). Hubs typically repeat signals from one computer to the others on the *LAN. Hubs may be passive or intelligent and can be stacked together to form a single managed environment. See also “switch” and “router”. |
|
|
| Hypertext Transfer Protocol (HTTP) |
| A standard protocol for transferring files on the World Wide Web. |
|
|
| IETF |
| The principal body engaged in the development of new Internet standard specifications. IETF identifies solutions to technical problems and makes recommendations to the Internet Engineering Steering Group (IESG) regarding the standardization of protocols and protocol usage in the Internet, and facilitates the transfer of technology developed by the Internet Research Task Force (IRTF) to the wider Internet community. IETF also provides a forum for the exchange of information between vendors, users and researchers interested in improving various aspects of the Internet. The IETF meets three times a year and is comprised entirely of volunteers. |
|
|
| In-place encryption |
| A mechanism by which only the data in an IP packet is encrypted, while the header is not encrypted. In-place encryption leaves headers exposed, but preserves the packet’s length, in contrast to *encapsulated encryption. |
|
|
| Information Technology Security Evaluation and Certification (ITSEC) |
| An organization dedicated to evaluating the security features of information technology products and systems and to certifying the level of assurance that can be placed on them. |
|
|
| INSPECT |
| Check Point’s high-level scripting language for defining a *Security Policy. An INSPECT script is compiled into machine code and loaded into an *Inspection Module for execution. |
|
|
| INSPECT Script |
| The ASCII file generated from the *Security Policy by VPN-1/FireWall-1 is known as an Inspection Script. An Inspection Script can also be written using a text editor. |
|
|
| Inspection Code |
| The code compiled from an Inspection Script and loaded into a VPN-1/FireWall-1 FireWall Module for enforcement. |
|
|
| Inspection Module |
| A VPN-1/FireWall-1 security application embedded in the operating system kernel, between the data link and network layers, that enforces a VPN-1/FireWall-1 *Security Policy. See also “FireWall Module”. |
|
|
| Internet |
| A public network connecting many thousands of computer networks in a three-level hierarchy including backbone networks (for example, NSFNET, MILNET), mid-level networks and stub networks. The Internet utilizes multiple communication protocols (especially TCP/IP) to create a worldwide communications medium. |
|
|
| Internet Engineering Task Force (IETF) |
| The principal body engaged in the development of new Internet standard specifications. IETF identifies solutions to technical problems and makes recommendations to the Internet Engineering Steering Group (IESG) regarding the standardization of protocols and protocol usage in the Internet, and facilitates the transfer of technology developed by the Internet Research Task Force (IRTF) to the wider Internet community. IETF also provides a forum for the exchange of information between vendors, users and researchers interested in improving various aspects of the Internet. The IETF meets three times a year and is comprised entirely of volunteers. |
|
|
| Internet Key Exchange (IKE) |
| A standard protocol for authentication and key exchange; part of the key management scheme used for negotiating virtual private networks (VPNs) as defined in the IETF IPSec working group. This key management scheme is mandated for deployment in IPv6. It was formerly known as *ISAKMP. |
|
|
| Internet Protocol (IP) |
| The network layer for the TCP/IP protocol suite. IP is a connectionless, best-effort packet switching protocol designed to provide the most efficient delivery of packets across the Internet. |
|
|
| Internet Protocol Security Standard (IPSec) |
| An encryption and authentication scheme supporting multiple encryption and authentication algorithms. Note – Manual IPSec is no longer supported in VPN-1/FireWall-1, beginning with NG. |
|
|
| Internet Security Association and Key Management Protocol (ISAKMP) |
| A standard protocol for authentication and key exchange that is now known as IKE. See “Internet Key Exchange (IKE)”. |
|
|
| Internet Service Provider (ISP) |
| A provider of access to the Internet. In some cases, these providers own the network infrastructure, while others lease network capacity from a third party. |
|
|
| Intranet |
| An internal private network, managed according to Internet protocols, but accessible only inside the organization. |
|
|
| IP |
| The network layer for the TCP/IP protocol suite. IP is a connectionless, best-effort packet switching protocol designed to provide the most efficient delivery of packets across the Internet. |
|
|
| IP address |
| The 32-bit address defined by the Internet Protocol to uniquely identify Internet hosts and servers. A typical IP Address, shown here in conventional IP “dot” notation, consists of the following parts: |
| FIGURE A-11 IP Address |
| The first bits of the Class ID specify a network’s class. Most local networks are of class C (Class ID byte = 110XXXXX; Class ID ≥ 192 in IP dot notation). Class C networks can have up to 254 hosts. Larger networks can be either class B or Class A. The Net ID identifies the network. Because an IP address consists of both a network identifier (NetID) and a host identifier (HostID), it does not identify a host, but rather a network connection (interface). If a host or gateway is connected to several networks, it will have several IP addresses. By convention, host ID 0 refers to the network itself; that is, a network’s address ends in zeros. This scheme enables IP addresses to specify networks as well as hosts. A host identifier of all 1s is reserved for broadcast. |
|
|
|
| IP spoofing |
| A technique whereby an intruder attempts to gain access by altering a packet’s IP address to make it appear as though the packet originated in a part of the network with higher access privileges (for example, the IP address of a workstation in the local network). This form of attack is only possible if a network’s internal IP addresses have been exposed (see “anti-spoofing”). |
|
|
| IPSec |
| An encryption and authentication scheme supporting multiple encryption and authentication algorithms. Note – Manual IPSec is no longer supported in VPN-1/FireWall-1, beginning with NG. |
|
|
| ISAKMP |
| A standard protocol for authentication and key exchange that is now known as IKE. See “Internet Key Exchange (IKE)”. |
|
|
| ISP |
| A provider of access to the Internet. In some cases, these providers own the network infrastructure, while others lease network capacity from a third party. |
|
|
| ITSEC |
| An organization dedicated to evaluating the security features of information technology products and systems and to certifying the level of assurance that can be placed on them. |
|
|
| Java |
| A platform-independent programming environment developed by Sun Microsystems and supported by numerous vendors, including Microsoft. Java presents a security risk because Java applets run on the client and can be used to gain illicit access to its files. |
|
|
| Java Stripping |
| The ability to prevent *Java code from being executed on the client by removing all Java tags from HTML pages as they are downloaded. |
|
|
| Kerberos |
| An authentication service developed by the Project Athena team at MIT. Kerberos uses secret keys for encryption and authentication. Unlike a public key authentication system, it does not produce digital signatures; Kerberos was designed to authenticate requests for network resources rather than to authenticate authorship of documents. Thus, Kerberos does not provide for third-party verification of documents. |
|
|
| Key |
| Information used to encrypt and decrypt data. There are two kinds of keys: *secret keys and *public keys. |
|
|
| Key management |
| A mechanism for distributing encryption keys in a public key scheme. Key management is performed by a *Management Server and includes key generation, certification (although this can also be performed by an external *Certificate Authority) and key distribution. Key management can either be manual or automated. |
|
|
| LAN |
| A data network intended to serve an area of only a few square kilometers or less (more typically, an individual organization). LANs consist of software and equipment such as cabling, hubs, switches and routers, enabling communication between computers and the sharing of local resources such as printers, databases, and file and video servers. |
|
|
| Leased line |
| A dedicated telecommunications access line that is “leased” from a vendor, and thus always available, in contrast to a *dial-up line. The physical medium may be copper or fiber optic, providing a wide range of line speeds. |
|
|
| Lightweight Directory Access Protocol (LDAP) |
| A mechanism for Internet clients to access and manage a database of directory services over a TCP/IP connection. A simplification of the X.500 directory access protocol, LDAP is gaining significant support from major Internet vendors. |
|
|
| Load balancing |
| The ability to distribute processing loads among multiple servers to improve performance and reduce access times. Load balancing is often transparent to the user and improves Internet security by reducing the risks associated with certain attacks and by applying greater resources to the task of monitoring and filtering network traffic. A variety of algorithms may be used to determine how best to distribute traffic over these servers. |
|
|
| Local Area Network (LAN) |
| A data network intended to serve an area of only a few square kilometers or less (more typically, an individual organization). LANs consist of software and equipment such as cabling, hubs, switches and routers, enabling communication between computers and the sharing of local resources such as printers, databases, and file and video servers. |
|
|
| Logging and Event API (LEA) |
| An *OPSEC API that enables an application to securely receive and process both real-time and historical logging and auditing events generated by VPN-1/FireWall-1. LEA can be used by a variety of applications to complement firewall management. |
|
|
| MAC address |
| The physical hardware address of a device connected to a network. |
|
|
| Managed Internet Security Services |
| Bundled security services, including secure *Internet, *intranet and *extranet, provided by an *ISP. Typically, the ISP handles management and support for the security services, which can be implemented as part of the Internet service implementation or customized to client needs. |
|
|
| Management Module |
| The VPN-1/FireWall-1 module in which a VPN-1/FireWall-1 *Security Policy is defined. |
|
|
| Management Server |
| The VPN-1/FireWall-1 application, controlled by a GUI on a client, that manages a VPN-1/FireWall-1 *Security Policy. If the Management Server is deployed in Client/Server mode, then the Graphical User Interface (GUI) can be run on another workstation. |
|
|
| Manual IPsec |
| An encryption and authentication scheme supporting multiple encryption and authentication algorithms. Note – Manual IPSec is no longer supported in VPN-1/FireWall-1, beginning with NG. |
|
|
| Master |
| In VPN-1/FireWall-1, the station to which logs and alerts are directed. The Master also maintains the most recent Inspection Code for each of the FireWalled systems it controls. If a FireWalled system loses its Inspection Code for any reason, it can retrieve an up-to-date copy from the Master. In practice, the Master and Management Server are usually on the same system, but Failover Masters can be defined. |
|
|
| Multi-homed host |
| A computer with two or more physical network connections is often referred to as a multi-homed host. |
|
|
| Multicast |
| A message sent to all the destinations in a specific group of hosts in a network, in contrast to *broadcast and *unicast. |
|
|
| NAT |
| Network Address Translation |
|
|
| Netmask |
| For a standard Class A, B, or C network, the netmask has no meaning. An explanation of the use of net masks with network classes follows. The standard IP addressing scheme can be extended by the use of net masks. For simple, unextended Class C networks, the net mask is 255.255.255.0; that is, 11111111 11111111 11111111 00000000 in binary notation. The 1s in the mask (the first 24 bits) indicate the bits that identify the network and the 0s (last 8 bits) indicate the bits that identify the host. By changing the interpretation of the IP address slightly, it is possible to extend the addressing scheme. If we “borrow” some of the bits from the HostID for the NetID portion of the address, we can extend the IP address to include subnets within one NetID. For instance, the net mask 255.255.255.192 (last byte is 11000000) indicates that 26 bits are being used for the network ID and only 6 bits for the HostID. |
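The class, NetID/HostID split and net-mask arithmetic from the “IP address” and “Netmask” entries, worked through in code as an added example (not part of the glossary or of any Check Point product). It classifies an address from its Class ID bits, applies either the classful mask or a supplied mask such as 255.255.255.192, and reports the network address (HostID of all 0s), the broadcast address (HostID of all 1s) and the number of usable hosts; all sample addresses are from documentation ranges.

```python
import ipaddress
from typing import Dict, Optional

def address_class(ip: str) -> str:
    """Classful network class from the leading bits of the first byte (the Class ID)."""
    first = int(ipaddress.ip_address(ip)) >> 24
    if first < 128:
        return "A"        # 0xxxxxxx
    if first < 192:
        return "B"        # 10xxxxxx
    if first < 224:
        return "C"        # 110xxxxx, i.e. first byte >= 192
    if first < 240:
        return "D"        # multicast
    return "E"            # reserved

# Default masks for the three unicast classes.
CLASSFUL_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}

def mask_binary(mask: str) -> str:
    """Dotted-decimal mask shown as four 8-bit groups, as in the Netmask entry."""
    return " ".join(f"{int(octet):08b}" for octet in mask.split("."))

def split_address(ip: str, mask: Optional[str] = None) -> Dict[str, object]:
    """Separate an address into NetID and HostID under the given net mask
    (defaulting to the classful mask) and derive the related addresses."""
    cls = address_class(ip)
    if mask is None:
        mask = CLASSFUL_MASKS[cls]
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    net = iface.network
    host_bits = 32 - net.prefixlen
    host_id = int(iface.ip) & ((1 << host_bits) - 1)
    return {
        "class": cls,
        "mask_binary": mask_binary(mask),
        "prefixlen": net.prefixlen,                 # number of NetID bits (the 1s in the mask)
        "network": str(net.network_address),        # HostID of all 0s
        "broadcast": str(net.broadcast_address),    # HostID of all 1s
        "host_id": host_id,
        "usable_hosts": max(net.num_addresses - 2, 0),
        "is_network_address": host_id == 0,
        "is_broadcast": host_id == (1 << host_bits) - 1,
    }

if __name__ == "__main__":
    # Constructed examples: a plain class C host, and the same network subnetted with /26.
    for ip, mask in [("192.0.2.5", None), ("192.0.2.77", "255.255.255.192")]:
        print(ip, mask or "(classful)", split_address(ip, mask))
```

With the mask 255.255.255.192 the third sample lands in the second /26 of 192.0.2.0/24, so its network address is 192.0.2.64 and its broadcast 192.0.2.127, leaving 62 usable hosts instead of the 254 of the unextended class C network.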
|
|
| Network address |
| The network portion of an IP address. Depending on the class of network, this may comprise the first one to three bytes of an IP address, with the remainder being the host or server address. |
|
|
| Network Address Translation |
| Translating an internal network’s real IP addresses to “false” IP addresses, either to prevent exposing the real addresses or to enable hosts with “invalid” addresses to communicate on the Internet, thus avoiding the need to change a network’s IP addresses (a formidable, error-prone task). |
|
|
| NIC |
| Network Interface Card; also Network Information Center, an organization that provides services to Internet networks and users. |
|
|
| Node |
| A computing device with an IP address, connected to a network. |
|
|
| Open Platform for Secure Enterprise Connectivity |
| An open, industry-wide alliance, driven by Check Point Software Technologies, to ensure interoperability at the policy level between security products. Interoperability is achieved through a combination of published APIs, industry-standard protocols, and a high-level scripting language. OPSEC encourages partnerships in the areas of infrastructure (network products and services), framework (security products), and passport (applications developers). |
|
|
| OPSEC |
| An open, industry-wide alliance, driven by Check Point Software Technologies, to ensure interoperability at the policy level between security products. Interoperability is achieved through a combination of published APIs, industry-standard protocols, and a high-level scripting language. OPSEC encourages partnerships in the areas of infrastructure (network products and services), framework (security products), and passport (applications developers). |
|
|
| Overlapping encryption domains |
| Encryption domains overlap when they have at least one host in common. |
|
|
| Packet |
| A unit of data as sent across a network. |
|
|
| Packet filter |
| A type of *firewall that examines only the network layer, typically implemented by *routers. This type of firewall cannot support dynamic protocols and cannot apply application intelligence to the data stream. |
|
|
| Password |
| A short string of characters, knowledge of which is required to gain access to some resource. Passwords are considered unreliable security devices because they are relatively easy to guess, and people tend not to take strict precautions against their disclosure. See also “token”. |
|
|
| Perfect Forward Secrecy |
| In *IKE encryption, a method of assuring that if an intruder breaks into a system at a given point of time, and gains access to the entire state (all current Phase 1 and Phase 2 keys), he will not be able to decrypt future communications after the next Phase 2 exchange takes place. |
|
|
| PPP (Point-to-Point Protocol) |
| A method for transmitting packets over serial point-to-point links, such as a *dial-up line. |
|
|
| PPTP (Point-to-Point Tunneling Protocol) |
| An extension to PPP that encapsulates different protocols, including IPX and Appletalk, into an IP data stream so that they can be transmitted over the Internet. |
|
|
| Protocol |
| A formal description of message formats and the rules required to accomplish some task. |
|
|
| Protocol stack |
| A synonym (in practice if not in theory) for the *communication layers as supported by an operating system. |
|
|
| Proxy |
| An application-layer implementation of a service that provides additional functionality (for example, security or caching) that is not part of the original service. Application gateways use proxies to implement firewalls. A proxy’s primary advantage is its ability to provide partial communication-derived state, full application-derived state information and partial communication information. The disadvantages of using proxies as firewalls are:
| • limited connectivity — each service needs its own proxy, so the number of available services and their scalability are limited, and there is usually a significant delay before a new service can be implemented (a new proxy must be written)
| • limited technology — application gateways cannot provide proxies for UDP, RPC and other services from common protocol families
| • performance — application level implementation entails a discernible performance penalty
| In addition, proxies are vulnerable to OS and application level bugs, overlook information contained in lower layers, and in the case of traditional proxies, are rarely transparent. |
|
|
| Public key |
| A scheme in which each correspondent has a pair of mathematically related keys: a public key known to everyone, and a private key known only to its owner.
| • The *RSA public key scheme is used for encryption as follows: if Bob wants to send Alice an encrypted message, he encrypts the message with Alice’s public key. The encrypted message can only be decrypted with Alice’s private key, which only Alice knows.
| • The *Diffie-Hellman public key scheme is used for sharing a secret key without communicating any secret information, thus avoiding the need for a secure channel.
| The disadvantage of public key encryption is that it is much slower than *secret key encryption. The terminology can be confusing, because “public key” is sometimes used to mean both keys together (in the context of schemes) and sometimes to mean only the public part of the key. |
|
|
| Public Key Infrastructure (PKI) |
| A set of security services, usually provided by a *Certificate Authority, enabling *authentication, *encryption and certificate management using *public key encryption technology. |
|
|
| Public network |
| Any computer network, such as the Internet, that offers long-distance inter-networking using open, publicly accessible telecommunications services, in contrast to a *WAN or *LAN. |
|
|
| RC2, RC4 |
| A widely used *encryption method developed by Rivest Corporation for RSA Data Security. |
|
|
| Remote Authentication Dial In Service (RADIUS) |
| A centralized network-authentication scheme developed by Livingston Enterprises and proposed as a standard to the IETF, which includes *authentication, authorization, and accounting features and may also include the ability to pass-through authentication to proxy servers. |
|
|
| Replay Protection |
| A mechanism to prevent an intruder from resending legitimate packets. The system detects that the packet was seen in the past and ignores it. |
|
|
| Request For Comments (RFC) |
| A numbered series of documents, available from *NIC, which are the primary means of technical discussion about the Internet. Some RFCs define standards. |
|
|
| Resource Reservation Protocol (RSVP) |
| A *unicast and *multicast signaling *protocol, designed to install and maintain reservation state information at each router along the path of a stream of data. RSVP-enabled applications may improve the quality of service across IP networks. Networked multimedia applications, many of which benefit from a predictable end-to-end connection, are likely to be initial users of RSVP-signaled services. |
|
|
| Router |
| A device providing network-to-network transmission capabilities, including routing, segmenting and filtering. Most routers support multiple communications protocols, such as ISDN and Ethernet. By examining only packet headers, routers can:
| • pass the packets between networks running different protocols
| • determine which network should receive the packet
| • determine whether to block the transmission |
|
|
| RSA |
| A public key scheme used for *encryption and *digital signatures, invented in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman; also a company founded by them to market products based on their inventions. |
|
|
| Rule Base |
| An ordered set of rules that defines a VPN-1/FireWall-1 *Security Policy. A rule describes a communication in terms of its source, destination and service, and specifies whether the communication should be accepted or rejected, as well as whether it is to be logged. Each communication is tested against the Rule Base; if it does not match any of the rules, it is dropped. |
|
|
| S-HTTP |
| A security-enhanced version of *HTTP providing a variety of mechanisms to enable confidentiality, *authentication and integrity. Unlike SSL, which layers security beneath application protocols like HTTP, NNTP, and Telnet, S-HTTP adds message-based security to HTTP. SSL and S-HTTP can co-exist by layering S-HTTP on top of SSL. |
|
|
| SAM |
| Suspicious Activity Monitoring Protocol (SAM) |
|
|
| Secret key |
| A symmetric key used to both encrypt and decrypt data. Ensuring the key’s secrecy is critical, since anyone who knows the key can decrypt and read the message. Secret key encryption is simple and fast, but has its disadvantages:
| • A secure channel is required by which the correspondents can agree on a key before their first encrypted communication. Direct face-to-face negotiation may be impractical or unfeasible, and the correspondents may have to agree on a key by mail or telephone or some other insecure means.
| • The number of keys required can quickly become unmanageable, since there must be a different key for each pair of possible correspondents.
| Public (asymmetric) key systems, where each correspondent has a pair of keys, can solve both of these problems (see “public key”). |
|
|
| Secure Socket Layer (SSL) |
| A protocol combining *RSA *public key encryption and the services of a *Certificate Authority to provide a secure environment for electronic commerce and communications. SSL provides three levels of security:
| • server authentication: verification of the identity of the server using a *certificate
| • *encryption, which ensures the privacy of client-server communications by encrypting the data stream
| • integrity, which verifies that the contents of the message arrive at their destination in the same form as they were sent. |
|
|
| SecuRemote Client |
| A software component installed on a desktop or mobile computer that enables secure encrypted communications with an enterprise network. |
|
|
| SecuRemote Server |
| A FireWall Module or VPN Module with which a SecuRemote Client conducts encrypted communications. |
|
|
| Security Policy |
| A Security Policy is defined in terms of firewalls, services, users, and the rules that govern the interactions between them. Once these have been specified, an *Inspection Script is generated and then installed on the firewalled hosts or gateways. These gateways can enforce the Security Policy on a per-user basis, enabling verification not only of the communication’s source, destination and service, but the authenticity of the user as well. A user-based Security Policy also allows control based on content. For example, mail to or from certain addresses can be rejected or redirected, access can be denied to specific URLs, and anti-virus checking of transferred files can be performed. |
|
|
| Simple Key Management for Internet Protocols SKIP |
| An automated *key management system developed by Sun Microsystems and proposed to the IETF as a standard *IPSec key management scheme. SKIP adds key management functionality to IPSec. Several vendors have successful implementations of SKIP, and both SKIP and *IKE can be deployed/implemented within the IPSec framework. SKIP is no longer supported in VPN-1/FireWall-1, beginning with NG. |
|
|
| Simple Mail Transfer Protocol (SMTP) |
| A *protocol used to transfer electronic mail between computers. Subsequently enhanced to support not only e-mails but file attachments as well, SMTP’s flexibility poses a challenge to security systems. |
|
|
| Simple Network Management Protocol (SNMP) |
| A *protocol for managing nodes on an IP network. In security environments, SNMP is used to communicate management information (monitoring, configuration and control) between the network management stations and network elements (for example, devices such as hosts, gateways and servers). |
|
|
| Single Gateway Product |
| Single Gateway products (VPN-1/FireWall-1/25, VPN-1/FireWall-1/50 etc.) include:
| • Management Server
| • VPN/FireWall Module
| VPN-1/FireWall-1 single gateway products enforce restrictions based on the number of protected hosts. If these restrictions are exceeded, VPN-1/FireWall-1 will issue an error message. These restrictions are:
| • number of internal hosts: Up to n nodes behind the gateway are allowed, where n is the number in the product name. For example, VPN-1/FireWall-1/50 is restricted to 50 nodes, VPN-1/FireWall-1/250 is restricted to 250 nodes, etc. A node is defined as a computing device with an IP address. A multi-user computer with one IP address is counted as one node. This restriction relates to the number of protected hosts. Every host behind VPN-1/FireWall-1 is protected by VPN-1/FireWall-1, even if no connections to the outside are initiated from that host. Every node protected by VPN-1/FireWall-1 is counted against the limit, even if its IP address is hidden from VPN-1/FireWall-1 by a proxy or by other means.
| • number of external interfaces: For all VPN-1/FireWall-1/n products, only one external interface may be connected to the VPN-1/FireWall-1 machine. There is no restriction on the number of internal interfaces on the VPN-1/FireWall-1 machine.
| • no external Modules: An additional restriction for these products is that they cannot manage external VPN/FireWall or FloodGate Modules, that is, the Management Server and the VPN/FireWall and FloodGate Module must both be on the same machine. However, the GUI Client can be installed on a different machine from the Management Server. This configuration is sometimes referred to as a Client/Server configuration.
| Note – If you exceed the restriction on the number of protected hosts, VPN-1/FireWall-1 will display warning messages on the system console notifying you that you have violated the terms of the VPN-1/FireWall-1 license. You should immediately upgrade to the appropriate product in order to be in compliance with the terms of the VPN-1/FireWall-1 license. In the meantime, your security is not compromised and VPN-1/FireWall-1 will continue to protect your network. |
|
|
| SKIP |
| An automated *key management system developed by Sun Microsystems and proposed to the IETF as a standard *IPSec key management scheme. SKIP adds key management functionality to IPSec. Several vendors have successful implementations of SKIP, and both SKIP and *IKE can be deployed/implemented within the IPSec framework. SKIP is no longer supported in VPN-1/FireWall-1, beginning with NG. |
|
|
| SMTP |
| A *protocol used to transfer electronic mail between computers. Subsequently enhanced to support not only e-mails but file attachments as well, SMTP’s flexibility poses a challenge to security systems. |
|
|
| SNMP |
| A *protocol for managing nodes on an IP network. In security environments, SNMP is used to communicate management information (monitoring, configuration and control) between the network management stations and network elements (for example, devices such as hosts, gateways and servers). |
|
|
| SSL |
| A protocol combining *RSA *public key encryption and the services of a *Certificate Authority to provide a secure environment for electronic commerce and communications. SSL provides three levels of security:
| • server authentication: verification of the identity of the server using a *certificate
| • *encryption, which ensures the privacy of client-server communications by encrypting the data stream
| • integrity, which verifies that the contents of the message arrive at their destination in the same form as they were sent. |
|
|
| State information |
| Information describing the context of a communication. There are two types of state information: communication derived and application derived.
| • Communication-derived state information is extracted from past communications and is compared against current attempts to access or manipulate information. For example, an outgoing PORT command of an *FTP session can be saved so that a later incoming FTP data connection can be verified against it.
| • Application-derived state information is extracted from other applications to verify user access. For example, an *extranet application may be used to allow a previously authenticated access through the firewall for authorized services only. |
|
|
|
| Stateful Inspection |
| A technology developed and patented by Check Point that provides the highest level of security currently available. A stateful *Inspection Module accesses and analyzes all the data derived from all communication layers. This state and context data is stored and updated dynamically, providing virtual session information for tracking connectionless protocols. Cumulative data from the communication and application states, network configuration and security rules are all used to decide on an appropriate action, either accepting, rejecting or encrypting the communication (see the table below). Any traffic not explicitly allowed by the *Security Policy is dropped. |
|
| Technology Comparison |
| firewall capability | routers | proxies | Stateful Inspection |
| communication information | Partial | Partial | Yes |
| communication-derived state | No | Partial | Yes |
| application-derived state | No | Yes | Yes |
| information manipulation | Partial | Yes | Yes |
|
|
|
| Stub network |
| A network that carries only packets to and from local hosts. Even if it has paths to more than one network, a stub network does not carry traffic for other networks. Stub networks are the third and last layer of the Internet network topography. |
|
|
| Subnet |
| A physically independent network segment, which shares a network address with other portions of the network. Subnets enable greater security from unauthorized internal access by dividing the intranet into discrete managed portions. |
|
|
| Suspicious Activity Monitoring Protocol (SAM) |
| An *OPSEC API used to integrate third party intrusion detection applications into firewalls. |
|
|
| Switch |
| A hub-like device that maximizes the performance of a high-speed connection by providing a dedicated link between two devices via MAC-layer addresses. |
|
|
| Symmetric |
| A symmetric key used to both encrypt and decrypt data. Ensuring the key’s secrecy is critical, since anyone who knows the key can decrypt and read the message. Secret key encryption is simple and fast, but has its disadvantages:
| • A secure channel is required by which the correspondents can agree on a key before their first encrypted communication. Direct face-to-face negotiation may be impractical or unfeasible, and the correspondents may have to agree on a key by mail or telephone or some other insecure means.
| • The number of keys required can quickly become unmanageable, since there must be a different key for each pair of possible correspondents.
| Public (asymmetric) key systems, where each correspondent has a pair of keys, can solve both of these problems (see “public key”). |
|
|
| TCP |
| Transmission Control Protocol |
|
|
| TCP/IP |
| Transmission Control Protocol over Internet Protocol (TCP/IP) |
|
|
| TELNET (Telecommunications Network Protocol) |
| A remote terminal protocol enabling any terminal to log in to another host. |
|
|
| Token |
| A *password that can be used only once, typically generated as needed by a hardware device. Tokens are considered to be secure because even if one is revealed, it cannot be misused because it is no longer valid after its first use. |
|
|
| Transmission Control Protocol |
| A connection-oriented and stream-oriented Internet standard transport layer protocol, in contrast to the connectionless UDP protocol (see “User Datagram Protocol (UDP)”). |
|
|
| Transmission Control Protocol over Internet Protocol (TCP/IP) |
| The common name for the suite of UNIX-based protocols developed by the U.S. Department of Defense in the 1970s. TCP/IP is the primary language of the Internet. |
|
|
| UDP |
| User Datagram Protocol (UDP) |
|
|
| Unicast |
| A message sent to a single destination, in contrast to *broadcast and *multicast. |
|
|
| Uniform Resource Locator (URL) |
| An address format used by Internet communications protocols such as the *Hyper Text Transfer Protocol (HTTP) popularized by the World Wide Web. URLs typically identify the type of service required to access an item, its location on an Internet host and the file name or item name on that machine. |
|
|
| URL |
| An address format used by Internet communications protocols such as the *Hyper Text Transfer Protocol (HTTP) popularized by the World Wide Web. URLs typically identify the type of service required to access an item, its location on an Internet host and the file name or item name on that machine. |
|
|
| URL Filtering Protocol (UFP) |
| An *OPSEC API that enables the integration of third-party applications to categorize and control access to specific URL addresses. |
|
|
| User authentication |
| The process of verifying that a user is actually who he or she claims to be. See also “authentication”. |
|
|
| User Datagram Protocol (UDP) |
| An Internet-standard transport layer protocol which adds a level of reliability and multiplexing to IP. UDP is a connectionless protocol, making no distinction between the originator of the request and the response to it. Connectionless protocols are problematic in a security environment, but can be tracked and controlled using communication-derived state information (see “ state information”). |
|
|
| Virtual Private Network (VPN) |
| A network with some public segments in which data passing over its public segments is encrypted to achieve secure communications. A VPN is significantly less expensive and more flexible than a dedicated private network. |
|
|
| Virus |
| A program that replicates itself on computer systems by incorporating itself into other programs which are shared among computer systems. Once in the new host, a virus may damage data in the host’s memory, display unwanted messages, crash the host or, in some cases, simply lie dormant until a specified event occurs (for example, the turning of a new year). |
|
|
| VPN |
| A network with some public segments in which data passing over its public segments is encrypted to achieve secure communications. A VPN is significantly less expensive and more flexible than a dedicated private network. |
|
|
| WAN |
| A (usually private) geographically large network. A WAN is typically constructed to span numerous locations within a single city. |
|
|
| Web Server |
| A network device that stores and serves up any kind of data file, including text, graphic images, video, or audio. Its stored information can be accessed via the Internet using standard protocols, most often *HTTP. |
|
|
| Wide Area Network (WAN) |
| A (usually private) geographically large network. A WAN is typically constructed to span numerous locations within a single city. |
|
|
| World Wide Web (WWW) |
| A hypertext-based information service providing access to multimedia, complex documents and databases via the Internet. Web application programs can access many other Internet services as well, including Gopher, Usenet news, file transfer, remote connectivity and even special access to data on the local network. |
|
|
| X.25 |
| A widely-used set of *protocols based on the OSI model. See also “layered communication model”. |
|
|
| X.500 |
| A *protocol used for communication between a user and an X.500 directory services system. Multiple X.500 directory system agents may be responsible for the directory information for a single organization or organizational unit. |
|
|
| X.509 |
| A certification methodology providing authenticated, encrypted access to private information, which establishes a trust model enabling certain transactions such as those involving money or funds. For example, X.509 certificates are used in the *IKE encryption scheme to obtain public keys and to verify the authenticity of the parties in an exchange. |
|