B Glossary of Firewall-Related Terms
- Abuse of Privilege
- When a user performs an action that they
should not have, according to organizational policy or law.
- Access Control Lists
- Rules for packet filters (typically
routers) that define which packets to pass and which to block.
- Access Router
- A router that connects your network to the
external Internet. Typically, this is your first line of defense
against attackers from the outside Internet. By enabling access
control lists on this router, you'll be able to provide a level of
protection for all of the hosts ``behind'' that router, effectively
making that network a DMZ instead of an unprotected external LAN.
- Application-Layer Firewall
- A firewall system in which service
is provided by processes that maintain complete TCP connection state
and sequencing. Application layer firewalls often re-address traffic
so that outgoing traffic appears to have originated from the
firewall, rather than the internal host.
- Authentication
- The process of determining the identity of a
user that is attempting to access a system.
- Authentication Token
- A portable device used for authenticating
a user. Authentication tokens operate by challenge/response,
time-based code sequences, or other techniques. This may include
paper-based lists of one-time passwords.
- Authorization
- The process of determining what types of
activities are permitted. Usually, authorization is in the context
of authentication: once you have authenticated a user, they may be
authorized different types of access or activity.
- Bastion Host
- A system that has been hardened to resist attack,
and which is installed on a network in such a way that it is
expected to potentially come under attack. Bastion hosts are often
components of firewalls, or may be ``outside'' web servers or public
access systems. Generally, a bastion host is running some form of
general purpose operating system (e.g., Unix, VMS, NT, etc.) rather
than a ROM-based or firmware operating system.
- Challenge/Response
- An authentication technique whereby a
server sends an unpredictable challenge to the user, who computes a
response using some form of authentication token.
- Chroot
- A technique under Unix whereby a process is permanently
restricted to an isolated subset of the filesystem.
- Cryptographic Checksum
- A one-way function applied to a file to
produce a unique ``fingerprint'' of the file for later reference.
Checksum systems are a primary means of detecting filesystem
tampering on Unix.
- Data Driven Attack
- A form of attack in which the attack is
encoded in innocuous-seeming data which is executed by a user or
other software to implement an attack. In the case of firewalls, a
data driven attack is a concern since it may get through the
firewall in data form and launch an attack against a system behind
- Defense in Depth
- The security approach whereby each system on
the network is secured to the greatest possible degree. May be used
in conjunction with firewalls.
- DNS spoofing
- Assuming the DNS name of another system by either
corrupting the name service cache of a victim system, or by
compromising a domain name server for a valid domain.
- Dual Homed Gateway
- A dual homed gateway is a system that has
two or more network interfaces, each of which is connected to a
different network. In firewall configurations, a dual homed gateway
usually acts to block or filter some or all of the traffic trying to
pass between the networks.
- Encrypting Router
- See Tunneling Router and Virtual Network Perimeter.
- Firewall
- A system or combination of systems that enforces a
boundary between two or more networks.
- Host-based Security
- The technique of securing an individual
system from attack. Host based security is operating system and
- Insider Attack
- An attack originating from inside a protected
- Intrusion Detection
- Detection of break-ins or break-in
attempts either manually or via software expert systems that operate
on logs or other information available on the network.
- IP Spoofing
- An attack whereby a system attempts to illicitly
impersonate another system by using its IP network address.
- IP Splicing / Hijacking
- An attack whereby an active, established session is
intercepted and co-opted by the attacker. IP Splicing attacks may
occur after an authentication has been made, permitting the attacker
to assume the role of an already authorized user. Primary protections
against IP Splicing rely on encryption at the session or network
layer.
- Least Privilege
- Designing operational aspects of a system to
operate with a minimum amount of system privilege. This reduces the
authorization level at which various actions are performed and
decreases the chance that a process or user with high privileges may
be caused to perform unauthorized activity resulting in a security
- Logging
- The process of storing information about events that
occurred on the firewall or network.
- Log Retention
- How long audit logs are retained and maintained.
- Log Processing
- How audit logs are processed, searched for key
events, or summarized.
- Network-Layer Firewall
- A firewall in which traffic is examined
at the network protocol packet layer.
- Perimeter-based Security
- The technique of securing a network
by controlling access to all entry and exit points of the network.
- Policy
- Organization-level rules governing acceptable use of
computing resources, security practices, and operational procedures.
- Proxy
- A software agent that acts on behalf of a user. Typical
proxies accept a connection from a user, make a decision as to
whether or not the user or client IP address is permitted to use the
proxy, perhaps perform additional authentication, and then complete a
connection on behalf of the user to a remote destination.
- Screened Host
- A host on a network behind a screening router.
The degree to which a screened host may be accessed depends on the
screening rules in the router.
- Screened Subnet
- A subnet behind a screening router. The degree
to which the subnet may be accessed depends on the screening rules
in the router.
- Screening Router
- A router configured to permit or deny traffic
based on a set of permission rules installed by the administrator.
- Session Stealing
- See IP Splicing.
- Trojan Horse
- A software entity that appears to do something
normal but which, in fact, contains a trapdoor or attack program.
- Tunneling Router
- A router or system capable of routing traffic
by encrypting it and encapsulating it for transmission across an
untrusted network, for eventual de-encapsulation and decryption.
- Social Engineering
- An attack based on deceiving users or
administrators at the target site. Social engineering attacks are
typically carried out by telephoning users or operators and
pretending to be an authorized user, to attempt to gain illicit
access to systems.
- Virtual Network Perimeter
- A network that appears to be a
single protected network behind firewalls, which actually
encompasses encrypted virtual links over untrusted networks.
- Virus
- A replicating code segment that attaches itself to a
program or data file. Viruses might or might not contain attack
programs or trapdoors. Unfortunately, many have taken to calling
any malicious code a ``virus''. If you mean ``trojan horse'' or
``worm'', say ``trojan horse'' or ``worm''.
- Worm
- A standalone program that, when run, copies itself from
one host to another, and then runs itself on each newly infected
host. The widely reported ``Internet Virus'' of 1988 was not a virus
at all, but actually a worm.