WatchGuard Technologies, Inc.
Network Security Glossary
A list of frequently used terms

This glossary contains a list of terms, abbreviations, and acronyms frequently used when discussing networks, security, firewalls, and WatchGuard products.

P


packet
A unit of information formatted according to specific protocols that allow precise transmittal of data from one node in a network to another. Also called a datagram or a data packet, it contains two parts: a header and a payload. The header is like an envelope; the payload is the contents. In Internet Protocol, any message that is larger than 1,500 bytes gets fragmented into packets for transmission.
packet filtering
Controlling access to a network by analyzing the headers of incoming and outgoing packets, and letting them pass or halting them based on rules created by a network administrator. A packet filter allows or denies packets depending on where they are going, from whom they are sent, or what port they use. Packet filtering is one technique, among many, for implementing security firewalls.
PAP (Password Authentication Protocol)
An identity verification method used to send a user name and password over a network to a computer that compares the user name and password to a table listing authorized users. WatchGuard products do not support this authentication method because the user name and password travel as clear text that a hacker could read.
See also CHAP.
parameter
In programming, some value passed to a function. The function either uses the parameter in its task, or performs an operation on the parameter. A parameter can be a value such as a number, a name, or even a file. For instance, a function that alphabetizes might not know what text file to alphabetize unless a file name is passed to the function as a parameter. The function might not know whether to print the alphabetized list, display it on a screen, or save it as a new file unless one of those options is also expressed as a parameter. A parameter can also be referred to as an argument.
passive mode FTP
See active mode FTP.
passphrase
An easy-to-remember phrase that offers better security than a single-word password, because it is longer and thus harder to guess or calculate.
password
A secret sequence of characters or a word that a user submits to a system for purposes of authentication, validation, or verification. WatchGuard recommends the use of passphrases in place of passwords.
password caching
The temporary storage of a user's username and password by some application.
peer-to-peer
Sometimes abbreviated as P2P, this is a method of distributing files over a network where all computers are treated as equals (in contrast to a client/server architecture). Using P2P client software, a client can receive files from another client. Some P2P file distribution systems require a centralized database of available files (such as Napster), while other distribution systems like Gnutella are decentralized.
perfect forward secrecy (PFS)
A cryptosystem in which, if one encryption key is compromised, only the data encrypted by that specific key is compromised. Some cryptosystems allow keys to be derived from previous keys, so that if the first key is compromised, an attacker might have enough information to figure out other keys and/or decrypt data encrypted using those keys. RFC 2409 describes PFS in detail.
PGP (Pretty Good Privacy)
An application and protocol (RFC 1991) for secure e-mail and file encryption. PGP uses a variety of algorithms (like RSA, DSA, MD5, SHA-1) to provide encryption, authentication, message integrity, and key management.
PGP/MIME
An IETF standard (detailed in RFCs 2015 and 3156) that provides privacy and authentication using the Multipurpose Internet Mail Extensions (MIME) security content types described in RFC 1847, currently deployed in PGP 5.0 and later versions.
Phase 1, Phase 2
Stages in establishing a site-to-site Virtual Private Network (VPN) tunnel. Designated computers negotiate security parameters to protect the managing of the tunnel itself using IKE (Internet Key Exchange); the result of this negotiation is called the Phase 1, or ISAKMP, security association (SA). The Phase 1 SA is then used to securely negotiate security parameters to protect IP packets; the result of that negotiation is called the Phase 2, or IPSec, SA. The Phase 2 SA is then used to securely tunnel ESP or AH-protected IP packets between these two computers.
ping
A utility to determine whether a specific IP address is accessible. It works by sending a packet to the specified address and waiting for a reply; hence, it was named after the sound echo sonar makes when trying to locate an object.
PKCS (Public Key Crypto Standards)
A set of standards published by RSA Security, developed in cooperation with an informal consortium (Apple, DEC, Lotus, Microsoft, MIT, and Sun), that includes algorithm-specific and algorithm-independent implementation standards for reliable, secure public key cryptography.
PKI (Public Key Infrastructure)
A system of digital certificates, Certificate Authorities, and other registration authorities that verify the validity of each party involved in an Internet transaction. The intent is to establish a trusted relationship between the parties. PKI's various mechanisms can provide a foundation for message confidentiality, message integrity, non-repudiation (which means the author of a message cannot later claim he did not write it), and authentication. PKI is necessary and foundational for certificate-based Virtual Private Networks (VPN).
plain text
Characters in a human readable form prior to encryption or after decryption. Also called clear text.
plug and play
An ease-of-use ideal in the personal computer market that assures the user that a hardware device (for example, a mouse, a modem, or a scanner) can be installed without resorting to manual hardware configuration of either the device or the PC into which the device is being installed.
Policy Manager
The Windows-based interface used to modify and upload a Firebox configuration file. One component of the WatchGuard Firebox System.
port
1. A physical hole in a computing device where you plug something in (for example, "this PC communicates with the printer via the serial port").
2. When used in relation to IP services, a made-up, or logical, endpoint for a connection, conceived so that the computer can handle multiple applications over one network connection. Your system figures out how to treat data coming at it partially by looking at what port the data is destined for (for example, HTTP, or Web traffic, by convention uses port 80; SMTP, or e-mail traffic, uses port 25). For a fuller explanation, read the LiveSecurity article, "Foundations: What Is a Port?"
port address translation
See NAT.
port forwarding
See NAT.
port space probe
An intrusion technique whereby a hacker attempts to connect to sequential port numbers. These probes are usually attempts to find security holes that the attacker might exploit. When a listening computer responds to a message sent to a given port, the attacker then knows there really is a computer there, listening on that port.
PPP (Point-to-Point Protocol)
A method of connecting a computer to the Internet, often used with dial-up modems.
PPPoE (Point-to-Point Protocol over Ethernet)
A method of transmitting PPP traffic over Ethernet to the Internet through a common broadband medium. Commonly used in Europe. The users have the appearance of "dialing" the Internet, but their computers are in fact always connected.
PPTP (Point-to-Point Tunneling Protocol)
A VPN tunneling protocol with encryption. It uses one TCP port (for negotiation and authentication of a VPN connection) and one IP protocol (for data transfer) to connect the two nodes in a VPN. Though favored by Microsoft, many experts feel PPTP offers weaker confidentiality of data than a competing standard, IPSec.
Pretty Good Privacy
See PGP.
primary key (IPSec)
An IPSec key responsible for creating a security association. Values can be set in time or data size.
principle of precedence
Logic followed by the Firebox when deciding which permissions and prohibitions in your security policy override others. As a general guideline, a more specific rule usually overrides a more general rule. For example, if you've established a general rule that says to let Any Internet traffic enter your network, and you also have a rule that says to block any traffic over port 31337, then port 31337 will be blocked: the specific rule takes precedence over the general.
private key
The "secret" component of an asymmetric key pair, often referred to as the decryption key. In a key pair (composed of a public key and a private key), it is essential that you keep the private key to yourself.
See also asymmetric key, key pair, and public key.
private network address
A private network address is an IP address range that is used only within the confines of a single organization. Private addresses are used for traffic from one location to another within a clearly defined network and at no time are meant to extend beyond the perimeter, or firewall, of the organization. They are not routable on the Internet, and require some sort of address translation (see NAT) to reach the Internet. Private network address ranges are defined by the IANA and RFC 1918 as being 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
privilege elevation
See elevation of privilege.
probe
A type of hacking attempt characterized by repetitious, sequential access attempts. For example, a hacker might try to probe a series of ports in search of one that is open, or one might probe a range of IP addresses in search of a responsive computer.
procedure
See function.
protocol
A set of formal rules describing how to transmit data, especially across a network. The protocol determines issues such as the type of error checking to be used; the data compression method, if any; how the sending device will indicate that it has finished sending a message; and how the receiving device will indicate that it has received a message. Low-level protocols define the electrical and physical standards to be observed, bit- and byte-ordering, and the transmission and error detection and correction of the bit stream. High-level protocols deal with the data formatting, including the syntax of messages, character sets, and sequencing of messages.
proxy ARP
Proxy Address Resolution Protocol allows a network to use one network address across two physical interfaces. In typical routing, separate network interfaces on a routing device must connect to different networks with distinct IP addresses (e.g., 192.168.10.n and 192.168.11.n). Thus, adding a firewall appliance that has multiple interfaces could potentially force a network to be subdivided into separate network addresses (because although a firewall appliance is not a router, it performs routing). Proxy ARP is the answer for administrators who do not want to renumber their network. It is a technique that the Firebox uses to handle traffic between hosts that don't expect to encounter a routing device -- those hosts would expect to transmit directly to hosts now placed behind a firewall. Using Proxy ARP, the Firebox responds to ARP requests for hosts on the "other side" of it that can't reply for themselves. The Firebox gives an ARP reply matching the remote IP address with the Firebox's own Ethernet address (in essence, a lie, so that the requesting half of the network can continue acting as if the other half of the network is local). The Firebox then receives packets on behalf of hosts behind it, and forwards them appropriately. Proxy ARP is what allows you to use the same network address across all three Ethernet interfaces of the Firebox, known as drop-in mode.
See also Address Resolution Protocol.
proxy server
A server that sits between a client application (such as a browser) and a "real" server. The proxy server intercepts client requests and forwards them to the other server. Its purpose is two-fold. First, for outgoing traffic, it allows private, non-routable machines to reach a machine which can reach the Internet for them. Second, as it receives responses to the client machine requests (for example, Web pages), it can cache them locally so that further client requests can be answered locally and immediately. Use of the Firebox removes the need for a proxy server, unless the proxy server is used for caching files.
proxy service
A combination of stateful packet filtering with content inspection. Essentially, the Firebox intercepts traffic intended for another destination (for example, a Web server or an e-mail server) and imposes rigid access and routing rules with the defense of the internal networks and servers in mind. Dangerous traffic is discarded, while normal traffic is passed to the intended destination.
pseudo-random number
A number that results from applying randomizing algorithms to input derived from the computing environment, such as mouse coordinates or the time of day.
See also random number.
Public Key Crypto Standards
See PKCS.
public key
The publicly available component of an asymmetric key pair, often referred to as the encryption key. In a key pair (composed of a public key and a private key), you can make your public key well-known, as messages encrypted with it can only be decrypted by your private key.
See also asymmetric key, key pair, and private key.
public key cryptography
Cryptography in which a public and private key pair is used, encrypting the data at the sender's end and decrypting it at the receiver's end. Since the data is encrypted while it travels the public Internet, no additional protection of its confidentiality is needed -- it can safely use public networks without loss of confidentiality.
See also asymmetric key and key pair.
Public Key Infrastructure
See PKI.