Listed here are a few of the most frequently used terms that may not be
familiar to some users. See the NET-3-HOWTO for further networking
information, and the excellent 3Com Network Glossary for a great online
glossary, available at
http://www.3com.com/nsc/glossary/index.htm
There is also a security-oriented glossary available at
http://www.securityinfo.com/glossary.html that will be useful.
- Host - A computer system attached to a network
- Firewall - A component or set of components that
restricts access between a protected network and the Internet, or
between other sets of networks.
- Bastion Host - A computer system that must be highly
secured because it is vulnerable to attack, usually because it is
exposed to the Internet and is a main point of contact for users of
internal networks. It gets its name from the highly fortified
projections on the outer walls of medieval castles. Bastions overlook
critical areas of defense, usually having strong walls, room for
extra troops, and the occasional useful tub of boiling hot oil for
discouraging attackers.
- Dual-homed Host - A general-purpose computer system that
has at least two network interfaces.
- Packet - The fundamental unit of communication on the
Internet.
- Packet Filtering - The action a device takes to
selectively control the flow of data to and from a network. Packet
filters allow or block packets, usually while routing them from one
network to another (most often from the Internet to an internal
network, and vice-versa). To accomplish packet filtering, you set up a
set of rules that specify what types of packets (those to or from a
particular IP address or port) are to be allowed and what types are to
be blocked. The rules are consulted in order, the first matching rule
decides, and a packet that matches no rule should be blocked.
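The following is an added example of such a rule set, written for this glossary entry and not taken from the HOWTO or from any real filter implementation. It assumes a filter sitting on the Internet side of a site whose internal network is 10.1.0.0/16 and whose bastion host is 192.0.2.10 (both addresses are assumptions chosen for the example), and it expresses the rules with an IP4 macro, a struct rule and a first-match loop that are all constructed here. Matching is by address prefix, protocol and destination port; anything that matches no rule is dropped.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example of a first-match packet filter (not from the HOWTO).
 * Addresses are IPv4 in host byte order; a prefix length says how many
 * leading bits of an address a rule cares about (0 = match any address). */

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

enum action { DENY = 0, ALLOW = 1 };
enum proto  { ANY_PROTO = 0, TCP = 6, UDP = 17 };

struct packet {
    uint32_t src, dst;
    int      proto;
    uint16_t dport;
};

struct rule {
    uint32_t src, src_bits;   /* source prefix */
    uint32_t dst, dst_bits;   /* destination prefix */
    int      proto;           /* ANY_PROTO matches every protocol */
    uint16_t dport;           /* 0 matches every destination port */
    enum action act;
};

static int prefix_match(uint32_t addr, uint32_t net, uint32_t bits) {
    uint32_t mask = bits ? 0xFFFFFFFFu << (32 - bits) : 0;
    return (addr & mask) == (net & mask);
}

static int rule_matches(const struct rule *r, const struct packet *p) {
    return prefix_match(p->src, r->src, r->src_bits)
        && prefix_match(p->dst, r->dst, r->dst_bits)
        && (r->proto == ANY_PROTO || r->proto == p->proto)
        && (r->dport == 0 || r->dport == p->dport);
}

/* Rules are consulted in order and the first match decides; a packet that
 * matches no rule is dropped (default deny). */
static enum action filter(const struct rule *rules, size_t n,
                          const struct packet *p) {
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], p))
            return rules[i].act;
    return DENY;
}

/* Constructed policy (assumed site layout): internal network 10.1.0.0/16,
 * bastion host 192.0.2.10, filter placed on the Internet-facing link. */
static const struct rule policy[] = {
    /* Anti-spoofing: a packet arriving from the Internet may not claim
     * an internal source address. */
    { IP4(10, 1, 0, 0), 16,  0, 0,  ANY_PROTO, 0,  DENY },
    /* Mail and web to the bastion host are the only services offered. */
    { 0, 0,  IP4(192, 0, 2, 10), 32,  TCP, 25,  ALLOW },
    { 0, 0,  IP4(192, 0, 2, 10), 32,  TCP, 80,  ALLOW },
    /* Everything else falls through to the default deny in filter(). */
};

enum action classify(uint32_t src, uint32_t dst, int proto, uint16_t dport) {
    struct packet p = { src, dst, proto, dport };
    return filter(policy, sizeof policy / sizeof policy[0], &p);
}

int main(void) {
    printf("SMTP from the Internet to the bastion: %s\n",
           classify(IP4(203, 0, 113, 5), IP4(192, 0, 2, 10), TCP, 25) == ALLOW
               ? "allow" : "deny");
    printf("SMTP with a spoofed internal source:   %s\n",
           classify(IP4(10, 1, 4, 9), IP4(192, 0, 2, 10), TCP, 25) == ALLOW
               ? "allow" : "deny");
    printf("DNS query to the bastion (no rule):    %s\n",
           classify(IP4(203, 0, 113, 5), IP4(192, 0, 2, 10), UDP, 53) == ALLOW
               ? "allow" : "deny");
    return 0;
}
```

Two design points carry over to real filters: the anti-spoofing rule must come before any allow rule, because the first match wins, and the default must be deny so that a service you forgot to think about is blocked rather than exposed.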
- Perimeter network - A network added between a protected
network and an external network, in order to provide an additional
layer of security. A perimeter network is sometimes called a DMZ.
- Proxy server - A program that deals with external
servers on behalf of internal clients. Proxy clients talk to proxy
servers, which relay approved client requests on to real servers, and
relay answers back to clients.
- Denial of Service - A denial of service attack is one in
which an attacker consumes the resources of your computer for things it
was not intended to do, thus preventing the normal use of your network
resources for legitimate purposes.
- Secure Logging - (3Com Glossary) A method whereby an
audit trail of system activity is received from a bastion host and
placed in a secure location.
- Buffer Overflow - A common coding mistake is to allocate a
buffer that is assumed to be "large enough" and never check whether the
data written into it actually fits. When such a buffer overflows, the
data spills into whatever memory follows it, and the executing program
(a daemon or a set-uid program) can be tricked into doing something
else. Generally this works by overwriting a function's return address
on the stack so that it points to a location the attacker chooses.
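As an added illustration (written for this glossary, not code from the HOWTO), the following shows the unbounded copy beside its bounded replacement. To make the overwrite reproducible, an 8-byte name buffer and a 4-byte privilege flag are laid out back to back in one 16-byte heap arena that this example constructs; on a real stack the bytes after the buffer are saved registers and the return address, and what gets clobbered depends on the compiler's frame layout. The arena layout, the NAME_CAP constant and the attack string are all assumptions of the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed example (not code from the HOWTO). The buffer and the flag
 * that follows it are carved out of one 16-byte arena so that the copy
 * never leaves allocated memory and the result is the same on every
 * build; a real stack overflow follows the same mechanics but its exact
 * effect depends on the compiler. */

#define NAME_CAP  8          /* what the program believes the buffer holds */
#define ARENA_LEN 16         /* buffer, then a 4-byte flag, then padding */
#define FLAG_OFF  NAME_CAP   /* the flag sits immediately after the buffer */

struct copy_result {
    int      rc;             /* 0 = copied, -1 = rejected as too long */
    uint32_t flag;           /* privilege flag after the copy, 0 = ordinary */
};

/* The vulnerable pattern: copy with no bound, trusting the input to fit. */
static void vulnerable_set_name(char *name, const char *input) {
    strcpy(name, input);     /* writes strlen(input) + 1 bytes, whatever that is */
}

/* The fix: reject input that does not fit together with its terminator. */
static int bounded_set_name(char *name, size_t cap, const char *input) {
    const char *end = memchr(input, '\0', cap);
    if (end == NULL)
        return -1;           /* no terminator within cap bytes: too long */
    memcpy(name, input, (size_t)(end - input) + 1);
    return 0;
}

static uint32_t read_flag(const unsigned char *arena) {
    uint32_t flag;
    memcpy(&flag, arena + FLAG_OFF, sizeof flag);
    return flag;
}

/* Returns the privilege flag after the unbounded copy (0 = unchanged). */
uint32_t flag_after_vulnerable_copy(const char *input) {
    unsigned char *arena = calloc(1, ARENA_LEN);   /* flag starts at 0 */
    if (arena == NULL)
        return 0;            /* treat allocation failure as "nothing changed" */
    vulnerable_set_name((char *)arena, input);
    uint32_t flag = read_flag(arena);
    free(arena);
    return flag;
}

/* Returns the bounded copy's status and the flag's value afterwards. */
struct copy_result bounded_copy(const char *input) {
    struct copy_result r = { -1, 0 };
    unsigned char *arena = calloc(1, ARENA_LEN);
    if (arena == NULL)
        return r;
    r.rc = bounded_set_name((char *)arena, NAME_CAP, input);
    r.flag = read_flag(arena);
    free(arena);
    return r;
}

int main(void) {
    /* Constructed attack input: 8 filler bytes, then four 0x01 bytes that
     * land exactly on the flag. 13 bytes including the terminator. */
    const char *attack = "AAAAAAAA\x01\x01\x01\x01";
    struct copy_result r = bounded_copy(attack);
    printf("unbounded copy: flag = 0x%08x\n",
           (unsigned)flag_after_vulnerable_copy(attack));
    printf("bounded copy:   rc = %d, flag = 0x%08x\n", r.rc, (unsigned)r.flag);
    return 0;
}
```

The bounded version checks for the terminator within the buffer's capacity rather than calling strlen() on the input first, so an unterminated input cannot cause an over-read either; the same check applies whatever the buffer's size, which is why the capacity is passed in rather than assumed.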
- Spoofing - Spoofing is a complex technical attack
that is made up of several components. It is a security exploit that
works by tricking computers that are in a trust relationship into
believing that you are someone you really are not. There is an
extensive paper written by daemon9, route, and infinity in Volume
Seven, Issue Forty-Eight of Phrack Magazine, available at
http://www.2600.org/phrack/p48-14.html.
- Authentication - The property of knowing that the data
received is the same as the data that was sent and that the claimed
sender is in fact the actual sender.
- Non-repudiation - The property of a receiver being able
to prove that the sender of some data did in fact send the data even
though the sender might later desire to deny ever having sent that
data.
- Set User-ID (suid) / Set Group-ID (sgid) - Set User ID
and Set Group ID files are executable files that anyone may run with
the privileges of the file's owner or group rather than their own.
Typically, you'll find suid root files, which means that regardless of
who executes them, they obtain root permission for the period of time
the program is running (or until that program intentionally
relinquishes these privileges). These are the types of files that are
most often attacked by intruders, because of the potential for
obtaining root privileges. Buffer overflows (see glossary entry) have
been a common method of attempting to obtain root permission using suid
root files. You can find more information on both setuid and setgid in
the File System Security section of this document.
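The following is an added example of how a suid root program relinquishes its privileges; it is written for this glossary entry and is not code from the HOWTO or from any particular program. It assumes Linux setuid() semantics, under which a process whose effective uid is 0 that calls setuid() has its real, effective and saved uids all changed, so the drop cannot be reversed. The function name and the checks it performs are the example's own.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed example (not from the HOWTO): relinquish root permanently.
 * Assumes Linux semantics: with an effective uid of 0, setuid() sets the
 * real, effective and saved uids together. Groups are dropped first,
 * because once the process is no longer root it may not call setgid()
 * to change to an arbitrary group. */
int drop_privileges_permanently(void) {
    uid_t uid = getuid();    /* the user who actually ran the program */
    gid_t gid = getgid();

    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Never trust the drop without checking it. */
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    /* If the invoker is not root, regaining root must now fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void) {
    /* A real suid program would do its privileged work (open a log,
     * bind a low port) before this point, and nothing input-driven after. */
    printf("before: uid=%ld euid=%ld\n", (long)getuid(), (long)geteuid());
    if (drop_privileges_permanently() != 0) {
        fputs("could not drop privileges; refusing to continue\n", stderr);
        return 1;
    }
    printf("after:  uid=%ld euid=%ld\n", (long)getuid(), (long)geteuid());
    return 0;
}
```

Run as an ordinary user the function simply confirms that the ids are already the real ones; run from a suid root binary it is the step that closes the window the glossary entry describes. A complete drop also clears the supplementary group list with setgroups(), which itself requires root and is omitted here to keep the example portable.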
- Digital Certificate - Also called a Digital ID, a digital
certificate is one solution to the electronic identity problem. A
digital ID is a digitally-signed statement from a trusted source that
attests to the identity and public key of a person or computer, much
the same way that a driver's license is an ide
- Firewall By this time, you must have some idea what a
firewall is and does, and there is a multitude of information
available on the Internet on firewalls. To briefly quote
``Building Internet Firewalls'' - ``An Internet firewall is
more like a moat of a medieval castle than a firewall in a modern
building. It serves multiple purposes:
- It restricts people to entering at a carefully controlled point
- It prevents attackers from getting close to your other defenses
- It restricts people to leaving at a carefully controlled point
An Internet Firewall is most often installed at the point where your
protected internal network connects to the Internet.
All traffic coming from the Internet or going out from your internal
network passes through the firewall. Because it does, the firewall
has the opportunity to make sure that this traffic is permitted to
pass through, as defined by the security policy at your site.''
- Confidentiality - Information is accessible only to
authorized users, with unauthorized individuals prevented from
accessing or eavesdropping on the information.
- Integrity - Information traversing the network is
protected from being erroneously changed by authorized or unauthorized
users. This typically demands cryptographic mechanisms such as message
authentication codes or digital signatures; encryption alone hides the
data but does not by itself detect changes to it.