WatchGuard Technologies, Inc.
Network Security Glossary
A list of frequently used terms

This glossary contains a list of terms, abbreviations, and acronyms frequently used when discussing networks, security, firewalls, and WatchGuard products.


S


salt
A tiny bit of near-random data inserted where too much predictability would be undesirable. In cryptography, salt is a random string that is added onto passwords (or random numbers) before an algorithm is performed on the password. The extra data effectively lengthens and obscures the password, making the ciphertext less susceptible to dictionary attacks.
scalable architecture
Software and/or hardware constructed so that it can grow efficiently.
SCSI (Small Computer System Interface)
A processor-independent standard for system-level interfacing between a computer and intelligent devices including hard disks, floppy disks, CD-ROM, printers, and scanners. Pronounced "scuzzy."
secondary network
A network on the same physical wire as a Firebox interface having a different IP network address. This technique allows you to add as many subnets as you want to a single Ethernet interface on a Firebox.
secret key
The encryption key used in symmetric algorithms.
secret sharing
See key splitting.
secure channel
A means of conveying information from one entity to another using a method that does not offer an intruder the ability to reorder, delete, insert, or read information.
SecurID token
A hardware-based authentication method owned by RSA. The user enters his PIN into the token, which resembles a small hand-held calculator. The token combines the user's PIN with numbers inside itself to create a number that RSA calls a "passcode." The user then logs in with his username on a PC, entering the passcode number. The PC sends it to an authentication server. If the passcode matches what the server expects, the user is authorized. This method is known as "response only" because the server did not issue a challenge.
security association (SA)
In Internet Protocol Security (IPSec), settings that establish policy and encryption keys used to protect communications between two end points in a Virtual Private Network (VPN). Security associations are negotiated between two computers during the first phase of establishing an Internet Key Exchange (IKE) connection.
See also Phase 1, Phase 2.
segment
A section of a network. Typically, a segment is thought of as ending where it reaches a router or a routing device (such as the Firebox).
self-extracting file
A compressed file that automatically decompresses when double-clicked.
server
A computer that provides shared resources to network users. The network users are often referred to as clients of that server.
See also client/server.
server-based network
A network in which all client computers use a dedicated central server computer for network functions such as storage, security, and other resources.
See also server.
Server Message Block (SMB)
A message format used by DOS and Windows to share files, directories and devices (such as printers). NetBIOS is based on the SMB format, and many network products use SMB. SMB runs over most common network protocols, including TCP/IP.
Services Arena
WatchGuard's term for the area in WatchGuard Firebox System's Policy Manager that displays icons representing the services (such as proxies and packet filters) configured for a Firebox.
ServiceWatch
A graphical monitor providing a real-time display that graphs how many connections exist, by service. This comes as part of an application called Firebox Monitors.
session hijacking
An intrusion technique whereby a hacker sends a command to an already existing connection between two machines, in order to wrest control of the connection away from the machine that initiated it. The hacker's goal is to gain access to a server while bypassing normal authentication measures.
session key
The secret (symmetric) key used to encrypt each set of data on a transaction basis. A different session key is used for each communication session.
See also asymmetric key and key pair.
session stealing
See session hijacking.
setup keys (IKE)
Internet Key Exchange keys responsible for creating a security association.
SHA-1 (Secure Hash Algorithm)
A message digest function (also called a one-way hash) used in encryption. The 1994 revision to SHA, developed by NIST. SHA-1 is a mathematical process used to change the contents of a file into a 160-bit number, similar to MD4.
See also message digest.
shared secret
In IPSec usage, a passphrase or password that exists on two devices to be connected by VPN. In order to begin the security negotiations that result in a VPN tunnel, both devices must know the pre-existing secret, which is used by each party to authenticate the other.
sign
To apply a digital signature which, in the USA, is as legally binding as a handwritten signature.
signature
A digital code created with a private key.
See digital signature.
single sign-on
A log-in routine in which one logon provides access to all resources on the network.
slash notation
A concise decimal format for expressing a binary subnet mask. For example: 192.168.44.0/24 indicates that in the 32-bit IP address, the first 24 bits (192.168.44) are the address of a network. The remaining 8 bits can be used to indicate the addresses of specific devices on that network. For more, see IP address and subnet mask; for a full discussion, see the LiveSecurity articles, "Foundations: Understanding Subnetting (Part 1)" and "Part 2."
SLIP (Serial Line Internet Protocol)
A protocol for exchanging IP packets over a serial line (for example, a modem connection).
S/MIME (Secure Multipurpose Mail Extension)
A proposed standard for encrypting and authenticating MIME data, which is used primarily for Internet e-mail.
See MIME.
SMS (Security Management System)
The former name of the GUI used to configure a Firebox. Now known as the WatchGuard Policy Manager.
SMTP (Simple Mail Transfer Protocol)
A protocol for sending electronic mail between servers.
social engineering attack
An attack that does not depend on technology as much as it depends upon tricking or persuading an individual to divulge privileged information to the attacker, usually unknowingly. For example, an attacker might phone a company's internal help desk, posing as an employee, and say, "This is Fred in Accounting. I was on vacation for five weeks and forgot my network password. Could you look it up for me?" If the gullible help desk technician reveals the password to the attacker, the attacker "socially engineered" it out of him.
SOCKS
A protocol for handling TCP traffic through a proxy server. It can be used with virtually any TCP application, including Web browsers and FTP clients. It provides a simple firewall because it checks incoming and outgoing packets and hides the IP addresses of client applications. SOCKS is an IETF standard, documented in RFCs 1928, 1929 and 1961. WatchGuard's SOHO uses a SOCKSv5 proxy.
SOHO
An abbreviation for businesses categorized as Small Office/Home Office. Also the name of the WatchGuard firewall devices designed for businesses of this size.
spam
Unsolicited commercial e-mail sent to many recipients, much like an electronic version of junk mail.
spoofing
Altering data packets to falsely identify the originating computer. Spoofing is generally used when a hacker wants to make it difficult to trace where the attacks are coming from.
SSID (Service Set Identifier)
Usually pronounced as a word, rather than initials. A unique string, up to 32 characters, that serves as the name of a wireless local area network (WLAN). Because a SSID differentiates one network from another, multiple wireless networks can function even when their ranges overlap. In an open network, the access point broadcasts the SSID. You can configure your wireless access point (WAP) not to broadcast the SSID, so that users trying to join the network must already know the network name.
SSL (Secure Sockets Layer)
A protocol for transmitting private documents over the Internet, often used by e-commerce sites (among others). SSL works by using a private key to encrypt data transferred over an SSL connection.
stance
The policy of a firewall regarding the default handling of IP packets. Stance dictates what the firewall will do with any given packet in the absence of explicit instructions. The WatchGuard default stance is to discard all packets that are not explicitly allowed, often stated as "That which is not explicitly allowed is denied."
star topology
A networking setup used with 10Base-T Ethernet cabling and a hub. Each node on the network is connected to the hub, like points of a star.
stateful packet filtering
"Packet filtering" means using a firewall to examine where each packet comes from (by IP source address), where it's going (IP destination), and what port it's using. This information helps the firewall determine whether to allow or deny the packet's passage through your network. In stateful inspection, the firewall also examines more of the packet's delivery information and its conditions, including what port the packet is using, and maintains a sense of context. For example, a packet might arrive looking like a valid Reply packet, but if you never issued a Request, through dynamic packet filtering the firewall can sense that this is a spurious packet, and deny it.
static NAT (Network Address Translation)
The ability to have the Firebox forward all traffic received on a given port and a given public IP, to a private IP behind the firewall.
See also NAT.
stream cipher
A class of symmetric key encryption that encrypts each byte of data as it is received, instead of gathering the data into large blocks before encrypting. Useful for equipment that has little memory for buffering data.
subnet
A subdivision of a network that uses a sequential range of IP addresses (e.g., 10.45.32.1 to 10.45.32.128). Administrators divide large networks into subnets for many reasons. One reason: subnets are typically easier to troubleshoot than a large network because the administrator is dealing with fewer machines at a time.
subnet mask
This is a difficult concept to express succinctly. If it is new to you, please begin by reading the entry for IP address.
A subnet mask is a numeric value that helps a networked host or router understand how to interpret the destination IP address on packets the machine receives. When a computer receives a data packet, it tries to figure out if the IP address the packet is destined for is local (meaning, on the same network segment as the machine), or non-local. This matters to the machine because if the destination is local, the machine can deliver the packet (using ARP). If the address is not local, the machine does not know how to deliver the packet. Figuratively, it says, "I give up!" and forwards the packet to the default gateway (another machine, often a router, which handles everything non-local).
In trying to decide whether a destination IP address is local or not, the machine must discern how much of the IP address designates the destination network, and how much of the address designates the destination host. If the destination address is 192.168.14.10, what part of that address specifies the destination network? 192? Or 192.168? Or perhaps 192.168.14?
The subnet mask, which is specified on each networked machine in a routing table, provides the answer. Like an IP address, a subnet mask is a 32-bit value. The machine combines it mathematically with the destination IP address, using an operation called a "Boolean AND." The nature of the subnet mask plus the Boolean AND guarantee a result that will tell the machine, in binary values, how much of the IP address is the network range and how much is the host address. The machine then understands how to properly forward the packet.
See also CIDR and slash notation. For a full discussion, see the LiveSecurity articles, "Foundations: Understanding IP Addresses and Binary," "Foundations: Understanding Subnetting (Part 1)," and "Foundations: Understanding Subnetting (Part 2)."
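The local-or-not decision described in the subnet mask entry, and the slash-notation conversion from the entry above, worked through in Python. This is an added example, not WatchGuard code; the function names and the addresses used in the docstrings are the author's own choices.

```python
# Added example (not from the WatchGuard glossary): how a host applies the
# subnet mask with a Boolean AND to decide whether a destination is local,
# and how slash notation (/24) corresponds to a dotted mask (255.255.255.0).

def dotted_to_int(addr: str) -> int:
    """Pack a dotted-quad IPv4 string such as 192.168.14.10 into 32 bits."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_dotted(value: int) -> str:
    """Inverse of dotted_to_int: 32-bit integer back to dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix_len: int) -> int:
    """Slash notation to mask: /24 -> the top 24 of 32 bits set (255.255.255.0)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF

def parse_cidr(cidr: str):
    """'192.168.44.0/24' -> (network address, mask), both as dotted strings."""
    addr, prefix = cidr.split("/")
    mask = prefix_to_mask(int(prefix))
    return int_to_dotted(dotted_to_int(addr) & mask), int_to_dotted(mask)

def network_of(addr: str, mask: str) -> str:
    """The Boolean AND the glossary describes: address AND mask = network part."""
    return int_to_dotted(dotted_to_int(addr) & dotted_to_int(mask))

def next_hop(my_addr: str, my_mask: str, dest: str, gateway: str) -> str:
    """Same network as me: deliver directly (via ARP). Otherwise: 'I give up',
    hand the packet to the default gateway."""
    if network_of(my_addr, my_mask) == network_of(dest, my_mask):
        return "direct"
    return gateway
```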
subroutine
See function.
substitution cipher
An encoding method in which plain text characters are replaced with other characters to form coded text. For example, the most elementary substitution cipher might say A=1, B=2, C=3, etc. to encrypt the word "DOG" as "4-15-7." Real substitution ciphers, of course, are much more complex.
switch
A device that filters and forwards packets between LAN segments. A typical switch has numerous physical ports, each acting as a connection point for a network segment. Larger networks utilize switches to break the network into smaller, more manageable chunks, which are easier to secure. With the traffic on the entire network broken into smaller units, packets encounter fewer collisions, enhancing network performance.
symmetric algorithm
An encryption method where the same key is used both to encrypt and decrypt messages. Also called conventional, secret key, and single key algorithm.
See also asymmetric keys.
SYN flood attack
A method of denying service to legitimate users of a network resource (such as a Web server) by intentionally overloading a network with illegitimate TCP connection requests. SYN is short for "synchronize," the first packet sent when one computer tries to connect to another using TCP. In a normal TCP connection, or handshake:
1. Computer A sends a SYN packet;
2. Computer B acknowledges the connection attempt and sends back its own SYN packet (thus, a SYN/ACK packet), and
3. Computer A acknowledges Computer B's response.
In a SYN flood attack, Computer A never acknowledges Computer B (in other words, Step 3 never happens). This forces Computer B to wait for A's acknowledgment until B times out and drops the connection. Flooding Computer B with a huge number of such incomplete requests keeps B tied up uselessly. This is one version of a Denial of Service attack.
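A defender-side illustration of the three-step handshake above: a small tracker that follows SYN and ACK events and counts, per server, the connections stuck before step 3. This is an added example, not part of the glossary; the event format, the 30-second timeout and the traffic in sample_events() are constructed for the example.

```python
# Added example (not from the WatchGuard glossary): count half-open TCP
# handshakes (step 1 seen, step 3 never seen) so a server's backlog of
# incomplete connections can be watched.  Events are constructed tuples
# (time_sec, src, dst, flag) with flag in {"SYN", "SYN/ACK", "ACK"}; a real
# monitor would build them from firewall logs or a packet capture.

HALF_OPEN_TIMEOUT = 30  # assumed: seconds B waits for step 3 before dropping

def half_open_by_server(events, now):
    """Per-server count of handshakes still waiting for step 3 at time `now`.

    Flooders commonly spoof the source address, so counting per client is
    unreliable; the server (Computer B) is what gets tied up, so count there.
    """
    pending = {}  # (src, dst) -> time the SYN (step 1) arrived
    for t, src, dst, flag in events:
        if flag == "SYN":
            pending.setdefault((src, dst), t)
        elif flag == "ACK":
            pending.pop((src, dst), None)  # step 3 happened: handshake done
        # "SYN/ACK" is B's reply (step 2) and does not change the state here
    counts = {}
    for (_, server), t_syn in pending.items():
        if now - t_syn < HALF_OPEN_TIMEOUT:  # B is still holding the slot
            counts[server] = counts.get(server, 0) + 1
    return counts

def flooded_servers(counts, threshold=100):
    """Servers whose half-open backlog has reached the alert threshold."""
    return sorted(server for server, n in counts.items() if n >= threshold)

def sample_events():
    """Constructed traffic: one legitimate handshake, then 150 SYNs from
    addresses in 198.51.100.0/24 (a documentation range) that are never ACKed."""
    server = "203.0.113.10"
    events = [(0.0, "10.0.0.5", server, "SYN"),
              (0.1, server, "10.0.0.5", "SYN/ACK"),
              (0.2, "10.0.0.5", server, "ACK")]
    for i in range(1, 151):
        events.append((1.0 + i / 100, f"198.51.100.{i}", server, "SYN"))
    return events
```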
syslog
An industry-standard protocol used for sending and receiving log information for devices on a network. Syslog support is included in Unix-based and Linux-based systems.