This article is from the Firewalls FAQ, by Matt Curtin cmcurtin@interhack.net and Marcus J. Ranum mjr@nfr.com with numerous contributions by others.
Abuse of Privilege
When a user performs an action that they should not have, according to
organizational policy or law.
Access Control Lists
Rules for packet filters (typically routers) that define which packets
to pass and which to block.
Access Router
A router that connects your network to the external Internet.
Typically, this is your first line of defense against attackers from
the outside Internet. By enabling access control lists on this router,
you'll be able to provide a level of protection for all of the hosts
``behind'' that router, effectively making that network a DMZ instead
of an unprotected external LAN.
Application-Layer Firewall
A firewall system in which service is provided by processes that
maintain complete TCP connection state and sequencing. Application
layer firewalls often re-address traffic so that outgoing traffic
appears to have originated from the firewall, rather than the internal
host.
Authentication
The process of determining the identity of a user that is attempting to
access a system.
Authentication Token
A portable device used for authenticating a user. Authentication tokens
operate by challenge/response, time-based code sequences, or other
techniques. This may include paper-based lists of one-time passwords.
Authorization
The process of determining what types of activities are permitted.
Usually, authorization is in the context of authentication: once you
have authenticated a user, they may be authorized different types of
access or activity.
Bastion Host
A system that has been hardened to resist attack, and which is
installed on a network in such a way that it is expected to potentially
come under attack. Bastion hosts are often components of firewalls, or
may be ``outside'' web servers or public access systems. Generally, a
bastion host is running some form of general purpose operating system
(e.g., Unix, VMS, NT, etc.) rather than a ROM-based or firmware
operating system.
Challenge/Response
An authentication technique whereby a server sends an unpredictable
challenge to the user, who computes a response using some form of
authentication token.
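A worked version of the exchange just described, added here as an example (it is not code from the FAQ). It assumes a construction the FAQ does not specify: server and token share a secret key and the response is HMAC-SHA256 over the challenge. The class and function names (ChallengeResponseServer, token_response, demo) and the sample secret are invented for the example. Note the two properties that make the scheme work: the challenge comes from a CSPRNG so it cannot be predicted, and it is consumed on first use so a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets


class ChallengeResponseServer:
    """Server side of the exchange.

    Assumed construction (not specified by the FAQ): server and token share a
    secret key, and the response is HMAC-SHA256(key, challenge). Each
    challenge is random and single-use, so a captured response is useless.
    """

    def __init__(self, secrets_by_user):
        self._secrets = dict(secrets_by_user)
        self._outstanding = {}  # user -> challenge awaiting its response

    def issue_challenge(self, user):
        # 128 random bits from the OS CSPRNG: the next challenge is unguessable
        # even to someone who has seen every previous one.
        challenge = secrets.token_bytes(16)
        self._outstanding[user] = challenge
        return challenge

    def verify(self, user, response):
        # pop(): the challenge is consumed whether or not the response is right,
        # so the same (challenge, response) pair cannot be replayed later.
        challenge = self._outstanding.pop(user, None)
        if challenge is None or user not in self._secrets:
            return False
        expected = hmac.new(self._secrets[user], challenge, hashlib.sha256).digest()
        # Constant-time comparison: a plain == on bytes can leak via timing.
        return hmac.compare_digest(expected, response)


def token_response(secret, challenge):
    """Token side: the same HMAC, computed on the user's device."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def demo():
    """Run one good login, one replay and one wrong-key attempt."""
    secret = b"k3y-embedded-in-the-token"  # constructed sample secret
    server = ChallengeResponseServer({"alice": secret})

    c1 = server.issue_challenge("alice")
    r1 = token_response(secret, c1)
    good = server.verify("alice", r1)

    # An eavesdropper who captured (c1, r1) replays it: rejected, c1 is spent.
    replay = server.verify("alice", r1)

    # An attacker answering a fresh challenge with a guessed key: rejected.
    c2 = server.issue_challenge("alice")
    wrong_key = server.verify("alice", token_response(b"guess", c2))

    return good, replay, wrong_key


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

A time-based token replaces the server-issued challenge with the current time slice; the rest of the construction (shared key, keyed one-way function, never accept the same code twice) is the same.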
Chroot
A technique under Unix whereby a process is restricted to an isolated
subset of the filesystem: chroot(2) changes the process's root directory,
and the restriction lasts for the life of the process and its children.
On its own it is not a complete confinement; a process that keeps root
privileges inside the chroot can escape it, so chroot is normally
combined with dropping privileges (see Least Privilege).
Cryptographic Checksum
A one-way (cryptographic hash) function applied to a file to produce a
short ``fingerprint'' of the file for later reference. Any change to the
file changes the fingerprint, and an attacker cannot feasibly produce a
different file with the same one. Checksum systems are a primary means
of detecting filesystem tampering on Unix; the stored fingerprints are
only useful if an intruder cannot alter them too, so the baseline is
kept on read-only or offline media.
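What a checksum-based tampering detector actually does, as an added example (not code from the FAQ or from any particular checksum tool): hash every regular file under a tree into a baseline, then later hash again and report what changed, appeared, or disappeared. The function names (file_digest, build_baseline, compare, demo), the choice of SHA-256, and the fake /etc tree with its simulated tampering are all constructed for the example.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Stream the file through a one-way hash; large files need no extra memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink's target is recorded separately if wanted
            baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline


def compare(baseline, current):
    """The three things an integrity report lists: changed, added, removed."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return changed, added, removed


def demo():
    # Constructed filesystem for the example: a fake /etc with two files.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "etc", "hosts.allow"), "w") as f:
            f.write("sshd: 10.0.0.0/8\n")

        baseline = build_baseline(root)
        # In practice the baseline goes to read-only or offline media; here it
        # just round-trips through JSON to show it is plain, portable data.
        stored = json.loads(json.dumps(baseline))

        # Simulated tampering: a second uid-0 account appended, an access rule
        # file removed, and an unexpected preload file dropped in.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("toor:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(root, "etc", "hosts.allow"))
        with open(os.path.join(root, "etc", "ld.so.preload"), "w") as f:
            f.write("/tmp/evil.so\n")

        return compare(stored, build_baseline(root))


if __name__ == "__main__":
    changed, added, removed = demo()
    print("changed:", changed)  # ['etc/passwd']
    print("added:  ", added)    # ['etc/ld.so.preload']
    print("removed:", removed)  # ['etc/hosts.allow']
```

Hashing with a non-cryptographic checksum (CRC32, or the old BSD sum) would catch accidental corruption but not a deliberate change, since an attacker can pad a modified file until the checksum matches; that is why the FAQ says cryptographic.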
Data Driven Attack
A form of attack in which the attack is encoded in innocuous-seeming
data which is executed by a user or other software to implement an
attack. In the case of firewalls, a data driven attack is a concern
since it may get through the firewall in data form and launch an attack
against a system behind the firewall.
Defense in Depth
The security approach whereby each system on the network is secured to
the greatest possible degree, rather than relying on a single control
such as a firewall; a compromise of the perimeter then does not
automatically compromise the hosts behind it. May be used in conjunction
with firewalls.
DNS spoofing
Assuming the DNS name of another system by either corrupting the name
service cache of a victim system, or by compromising a domain name
server for a valid domain.
Dual Homed Gateway
A dual homed gateway is a system that has two or more network
interfaces, each of which is connected to a different network. In
firewall configurations, a dual homed gateway usually acts to block or
filter some or all of the traffic trying to pass between the networks.
Encrypting Router
see Tunneling Router and Virtual Network Perimeter.
Firewall
A system or combination of systems that enforces a boundary between two
or more networks.
Host-based Security
The technique of securing an individual system from attack. Host based
security is operating system and version dependent.
Insider Attack
An attack originating from inside a protected network.
Intrusion Detection
Detection of break-ins or break-in attempts either manually or via
software expert systems that operate on logs or other information
available on the network.
IP Spoofing
An attack whereby a system attempts to illicitly impersonate another
system by sending packets that carry the other system's IP address as
their source address.
IP Splicing / Hijacking
An attack whereby an active, established, session is intercepted and
co-opted by the attacker. IP Splicing attacks may occur after an
authentication has been made, permitting the attacker to assume the
role of an already authorized user. Primary protections against IP
Splicing rely on encryption at the session or network layer.
Least Privilege
Designing operational aspects of a system to operate with a minimum
amount of system privilege. This reduces the authorization level at
which various actions are performed and decreases the chance that a
process or user with high privileges may be caused to perform
unauthorized activity resulting in a security breach.
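The Chroot and Least Privilege entries above describe one procedure in practice: confine a process to a subtree and then give up the privileges it no longer needs, in that order. The following is an added example (not code from the FAQ) of the sequence on Linux; the names confine and run_confined are invented, and the 'nobody' uid/gid values used in the main block are an assumption about the host. The verification step at the end is the part most often skipped: after dropping privileges the process checks that it really cannot get root or re-chroot, because a chroot that keeps uid 0 is not a jail at all.

```python
import os


def confine(jail, uid, gid):
    """Confine the calling process: optional chroot, then irrevocably drop root.

    Order matters:
      1. chroot() and chdir("/") while still root (chroot needs root, and a
         process whose cwd is outside the new root is not actually inside it);
      2. give up supplementary groups, then gid, then uid (uid last, or the
         later calls fail for lack of privilege);
      3. verify the drop is permanent by checking that root cannot be regained.
    Raises on any failure rather than carrying on half-confined.
    """
    if uid == 0:
        raise ValueError("refusing to confine a process that keeps uid 0: "
                         "root can break out of a chroot")
    if jail is not None:
        os.chroot(jail)       # requires root; raises PermissionError otherwise
        os.chdir("/")         # cwd must be inside the new root
    if os.geteuid() == 0:
        os.setgroups([])      # supplementary groups survive setgid() otherwise
    os.setgid(gid)
    os.setuid(uid)            # sets real, effective and saved uid when root

    # Verification: a correctly dropped process can neither become root again
    # (would succeed only if the saved uid were still 0) nor chroot again.
    for attempt in (lambda: os.setuid(0), lambda: os.chroot("/")):
        try:
            attempt()
        except PermissionError:
            continue
        raise RuntimeError("privilege drop incomplete: root is still reachable")
    return os.getuid(), os.getgid()


def run_confined(jail, uid, gid, work):
    """Privilege-separation pattern: fork a worker, confine it, run `work` in it.

    The parent keeps its privileges (it may still need them, e.g. to hold a
    listening socket) and learns only the worker's exit status. Returns True
    if the worker confined itself successfully and `work` returned truthy.
    """
    pid = os.fork()
    if pid == 0:  # child
        try:
            confine(jail, uid, gid)
            ok = bool(work())
        except Exception:
            ok = False
        os._exit(0 if ok else 1)
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0


if __name__ == "__main__":
    # Assumed for the demo: uid/gid 65534 is 'nobody' on this host. Run as
    # root to exercise the chroot branch; as an ordinary user only the
    # privilege checks run.
    uid, gid = (65534, 65534) if os.getuid() == 0 else (os.getuid(), os.getgid())
    jail = "/var/empty" if os.getuid() == 0 and os.path.isdir("/var/empty") else None
    print("worker confined:", run_confined(jail, uid, gid, lambda: os.getuid() == uid))
```

A daemon built this way typically opens its privileged resources (port 80, the log file, the key file) in the parent before calling run_confined; the worker then handles untrusted input with nothing to lose but its own subtree.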
Logging
The process of storing information about events that occurred on the
firewall or network.
Log Retention
How long audit logs are retained and maintained.
Log Processing
How audit logs are processed, searched for key events, or summarized.
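The two activities named here, searching for key events and summarizing, shown as an added example (not code from the FAQ) run over a constructed sample of a packet filter's deny log. The log format, the addresses (from the documentation ranges) and the function names (parse, summarize_denies, port_scanners, demo) are all invented for the example; real devices log in their own formats and the regular expression would be adjusted accordingly.

```python
import re
from collections import defaultdict

# Constructed sample of a packet filter's syslog output (not from any real
# device): timestamp, host, process, action, protocol, src:port -> dst:port.
SAMPLE_LOG = """\
Mar 10 02:14:01 fw kernel: DENY tcp 203.0.113.7:41022 -> 192.0.2.10:22
Mar 10 02:14:01 fw kernel: DENY tcp 203.0.113.7:41023 -> 192.0.2.10:23
Mar 10 02:14:02 fw kernel: DENY tcp 203.0.113.7:41024 -> 192.0.2.10:25
Mar 10 02:14:02 fw kernel: DENY tcp 203.0.113.7:41025 -> 192.0.2.10:80
Mar 10 02:14:03 fw kernel: DENY tcp 203.0.113.7:41026 -> 192.0.2.10:443
Mar 10 02:14:03 fw kernel: DENY tcp 203.0.113.7:41027 -> 192.0.2.10:3389
Mar 10 02:15:10 fw kernel: PERMIT tcp 198.51.100.4:51000 -> 192.0.2.10:443
Mar 10 02:16:44 fw kernel: DENY udp 198.51.100.9:53 -> 192.0.2.10:53
Mar 10 02:17:00 fw kernel: DENY tcp 198.51.100.4:51001 -> 192.0.2.10:22
Mar 10 02:17:00 fw kernel: this line is garbage and should be counted, not lost
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ "
    r"(?P<action>DENY|PERMIT) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(lines):
    """Turn raw lines into dicts. Lines the parser cannot read are counted
    rather than silently dropped: a jump in unparsed lines is itself an event
    (format change, log injection, or a device misbehaving)."""
    events, unparsed = [], 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        e = m.groupdict()
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        events.append(e)
    return events, unparsed


def summarize_denies(events):
    """Per source address: how many packets were denied, and which destination
    ports they were aimed at."""
    count = defaultdict(int)
    ports = defaultdict(set)
    for e in events:
        if e["action"] != "DENY":
            continue
        count[e["src"]] += 1
        ports[e["src"]].add(e["dport"])
    return dict(count), dict(ports)


def port_scanners(ports, threshold=5):
    """Key event: one source probing many different ports is a scan. The
    threshold is a tuning knob; 5 is chosen for the sample, not a standard."""
    return sorted(src for src, p in ports.items() if len(p) >= threshold)


def demo():
    events, unparsed = parse(SAMPLE_LOG.splitlines())
    count, ports = summarize_denies(events)
    return {
        "parsed": len(events),
        "unparsed": unparsed,
        "denies_by_src": count,
        "scanners": port_scanners(ports),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Once the summary exists, retention becomes a separate question from processing: the raw lines can be compressed and archived for the retention period while only the summary and the flagged key events are kept close at hand.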
Network-Layer Firewall
A firewall in which traffic is examined at the network protocol packet
layer.
Perimeter-based Security
The technique of securing a network by controlling access to all entry
and exit points of the network.
Policy
Organization-level rules governing acceptable use of computing
resources, security practices, and operational procedures.
Proxy
A software agent that acts on behalf of a user. Typical proxies accept
a connection from a user, decide whether the user or client IP address
is permitted to use the proxy, perhaps perform additional
authentication, and then complete a connection on behalf of the user to
a remote destination.
Screened Host
A host on a network behind a screening router. The degree to which a
screened host may be accessed depends on the screening rules in the
router.
Screened Subnet
A subnet behind a screening router. The degree to which the subnet may
be accessed depends on the screening rules in the router.
Screening Router
A router configured to permit or deny traffic based on a set of
permission rules installed by the administrator.
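The Access Control Lists, Network-Layer Firewall and Screening Router entries all describe the same mechanism: an ordered list of rules matched against packet headers, with the first match deciding and an implicit deny if nothing matches. The following is an added example (not code from the FAQ or from any router vendor) of that evaluation in Python, with a constructed inbound ACL for an access router's outside interface; the rule syntax, the Rule and Packet classes, the network numbers (documentation ranges) and the function names are all invented for the example. It also shows why rule order is part of the policy: moving the anti-spoofing denies below the service permits lets a spoofed packet through.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None = any destination port
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: Optional[int] = None


def rule_matches(rule, pkt):
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and pkt.src in rule.src and pkt.dst in rule.dst
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(acl, pkt):
    """First-match semantics with an implicit final deny, as on most routers.
    Returns (action, index of the matching rule or None for the implicit deny)."""
    for idx, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, idx
    return "deny", None


def net(s):
    return ipaddress.IPv4Network(s)


ANY = net("0.0.0.0/0")
INSIDE = net("192.0.2.0/24")     # constructed internal network

# Constructed ACL applied inbound on the access router's outside interface.
INBOUND_ACL = [
    # Anti-spoofing first: packets from outside must not claim inside addresses.
    Rule("deny", "any", INSIDE, ANY, None, "anti-spoof: inside addrs from outside"),
    Rule("deny", "any", net("127.0.0.0/8"), ANY, None, "loopback never arrives on a wire"),
    # Public services on the exposed host.
    Rule("permit", "tcp", ANY, net("192.0.2.10/32"), 80, "web"),
    Rule("permit", "tcp", ANY, net("192.0.2.10/32"), 443, "web tls"),
    Rule("permit", "udp", ANY, net("192.0.2.53/32"), 53, "public dns"),
    # Administrative access only from the management network.
    Rule("permit", "tcp", net("198.51.100.0/28"), INSIDE, 22, "ssh from mgmt"),
    # Everything else falls through to the implicit deny.
]


def demo():
    ip = ipaddress.IPv4Address
    cases = {
        "web": Packet("tcp", ip("203.0.113.9"), ip("192.0.2.10"), 443),
        "ssh_from_internet": Packet("tcp", ip("203.0.113.9"), ip("192.0.2.10"), 22),
        "ssh_from_mgmt": Packet("tcp", ip("198.51.100.5"), ip("192.0.2.10"), 22),
        "spoofed_inside": Packet("tcp", ip("192.0.2.77"), ip("192.0.2.10"), 80),
        "dns_over_tcp": Packet("tcp", ip("203.0.113.9"), ip("192.0.2.53"), 53),
    }
    return {name: evaluate(INBOUND_ACL, p)[0] for name, p in cases.items()}


def misordered_spoof_result():
    """Same rules with the anti-spoofing denies moved to the end: the spoofed
    packet now hits the web permit first and gets through."""
    reordered = INBOUND_ACL[2:] + INBOUND_ACL[:2]
    spoofed = Packet("tcp", ipaddress.IPv4Address("192.0.2.77"),
                     ipaddress.IPv4Address("192.0.2.10"), 80)
    return evaluate(reordered, spoofed)[0]


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
    print("spoofed packet with misordered ACL:", misordered_spoof_result())
```

A stateless filter like this one sees each packet alone, which is what the Network-Layer Firewall entry means; it cannot tell an inbound reply belonging to an established outbound connection from an unsolicited inbound packet unless a rule (or connection tracking in a stateful filter) accounts for it.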
Session Stealing
See IP Splicing.
Trojan Horse
A software entity that appears to do something normal but which, in
fact, contains a trapdoor or attack program.
Tunneling Router
A router or system capable of routing traffic by encrypting it and
encapsulating it for transmission across an untrusted network, for
eventual de-encapsulation and decryption.
Social Engineering
An attack based on deceiving users or administrators at the target
site. Social engineering attacks are typically carried out by
telephoning users or operators and pretending to be an authorized user,
to attempt to gain illicit access to systems.
Virtual Network Perimeter
A network that appears to be a single protected network behind
firewalls, which actually encompasses encrypted virtual links over
untrusted networks.
Virus
A replicating code segment that attaches itself to a program or data
file. Viruses might or might not contain attack programs or trapdoors.
Unfortunately, many have taken to calling any malicious code a
``virus''. If you mean ``trojan horse'' or ``worm'', say ``trojan
horse'' or ``worm''.
Worm
A standalone program that, when run, copies itself from one host to
another, and then runs itself on each newly infected host. The widely
reported ``Internet Virus'' of 1988 was not a virus at all, but
actually a worm.
 