16. Glossary

Listed here are a few of the most common terms used most frequently, yet may not be familiar to some users. See the NET-3-HOWTO for further networking information, and the excellent 3Com Network Glossary for a great online glossary, available at http://www.3com.com/nsc/glossary/index.htm

There is also a security-oriented glossary available at http://www.securityinfo.com/glossary.html that will be useful.

• Host - A computer system attached to a network

• Firewall - A component or set of components that restricts access between a protected network and the Internet, or between other sets of networks.

• Bastion Host - A computer system that must be highly secured because it is vulnerable to attack, usually because it is exposed to the Internet and is a main point of contact for users of internal networks. It gets its name from the highly fortified projects on the outer walls of medieval castles. Bastions overlook critical areas of defense, usually having strongs walls, room for extra troops, and the occasional useful tub of boiling hot oil for discouraging attackers.

• Dual-homed Host - A general-purpose computer system that has at least two network interfaces.

• Packet - The fundamental unit of communication on the Internet.

• Packet Filtering - The action a device takes to selectively control the flow of data to and from a network. Packet filters allow or block packets, usually while routing them from one network to another (most often from the Internet to an internal network, and vice-versa). accomplish packet filtering, you set up a set of rules that specifiy what types of packets (those to or from a particular IP address or port) are to be allowed and what types are to be blocked.

• Perimeter network - A network added between a protected network and an external network, in order to provide an additional layer of security. A perimeter network is sometimes called a DMZ.

• Proxy server - A program that deals with external servers on behalf of internal clients. Proxy clients talk to proxy servers, which relay approved client requests on to real servers, and relay answers back to clients.

• Denial of Service - A denial of service attack is when an attacker consumes the resources on your computer for things it was not intended to be doing, thus preventing normal use of your network resources to legimite purposes.

• Secure Logging - (3Com Glossary) A method whereby an audit trail of system activity is received from a bastion host and placed in a secure location.

• Buffer Overflow - Common coding style is never to allocate buffers "large enough" and not checking for overflows. When such buffers are overflows, the executing program (daemon or set-uid program) can be tricked in doing some other things. Generally this works by overwriting a function's return address on the stack to point to another location.

• Spoofing - Spoofing is a complex technical attack that is made up of several components. It is a security exploit that works by tricking computers in a trust-relationship that you are someone that you really aren't. There is an extensive paper written by daemon9, route, and infinity in the Volume Seven, Issue Forty-Eight of Phrack Magazine, available at http://www.2600.org/phrack/p48-14.html.

• Authentication - The property of knowing that the data received is the same as the data that was sent and that the claimed sender is in fact the actual sender.

• Non-repudiation - The property of a receiver being able to prove that the sender of some data did in fact send the data even though the sender might later desire to deny ever having sent that data.

• Set User-ID (suid) / Set Group-ID (sgid) - Set User ID and Set Group ID files are files that everyone can execute as either it's owner or group privileges. Typically, you'll find root suid files, which means that regardless of who executes them, they obtain root permission for the period of time the program is running (or until that program intentionally relinquishes these privileges). These are the types of files that are most often attacked by intruders, because of the potential for obtaining root privileges. Buffer overflows (see glossary entry) have been a common method of attempting to obtain root permission using suid root files.

  You can find more information on both setuid and setgid in the File System Security section of this document.

• Digital Certificate Also called Digital IDs, is one solution to the electronic identity problem. A digital ID is a digitally-signed statement from a trusted source that attests to the identity and public key of a person, or computer, much the same way that a driver's license is an ide
• Firewall By this time, you must have some idea what a firewall is and does, and there is a multitude of information available on the Internet on firewalls. To briefly quote ``Building Internet Firewalls'' - ``An Internet firewall is more like a moat of a medieval castle than a firewall in a modern building. It serves multiple purposes:
  • It restricts people to entering at a carefully controlled point

  • It prevents attackers from getting close to your other defenses

  • It restricts people to leaving at a carefully controlled point

  An Internet Firewall is most often installed at the point where your protected internal network connects to the Internet.

  All traffic coming from the Internet or going out from your internal network passes through the firewall. Because it does, the firewall has the opportunity to make sure that this traffic is permitted to pass through, as defined by the security policy at your site.''

• Confidentiality - Information is accessible only to authorized users, with unauthorized individuals prevented from accessing or eavesdropping on the information.

• Integrity - Information traversing the network is protected from being erroneously changed by authorized or unauthorized users. This typically demands encryption mechanisms for security.