This glossary contains a list of terms, abbreviations, and acronyms frequently used when discussing networks, firewalls, and WatchGuard products.
access control
A method of restricting access to resources, allowing
access only to privileged entities.
active mode FTP
One of two ways an FTP data connection is made.
In active mode, the FTP server establishes the data connection. In passive
mode, the client establishes the connection. In general, FTP user agents
use active mode and Web user agents use passive mode.
activity light
An LED (light-emitting diode) that verifies that
a piece of hardware is working, communicating with the network, and transmitting
data.
address learning
A method by which hubs, switches, and routers determine
the unique address number for each node on a network to enable accurate
transmission to and from each node.
Address Resolution Protocol (ARP)
A TCP/IP protocol used to convert an IP address
into a physical address such as an Ethernet address.
address space probe
An intrusion measure in which a hacker sequentially
attacks IP addresses. These probes are usually attempts to map IP address
space to look for security holes that a sender might exploit to compromise
system security.
agent
A computer program that reports information to
another computer or allows another computer access to the local system.
Agents can be used for good or malice. Many security programs have agent
components that report security information back to a central reporting
platform. However, agents can also be remotely controlled programs hackers
use to access machines.
AH (authentication header)
A protocol used in IPSec available for use with
IPSec Branch Office VPN. AH provides authentication for as much of the
IP header as possible (except for mutable fields that are nondeterministic,
such as TTL fields) and all upper protocols and payload. It offers the
functionality of ESP except for confidentiality, which ESP's encryption
provides.
algorithm (encryption)
A set of mathematical rules (logic) used in the
processes of encryption and decryption.
algorithm (hash)
A set of mathematical rules (logic) used in the
processes of message digest creation and key/signature generation.
alias
A shortcut that enables a user to identify a group
of hosts, networks, or users with one identifying name. Aliases are used
to speed user authentication and service configuration.
Application Program Interface (API)
Software that allows dissimilar software products
to interact with one another.
armed
A state of a Firebox in which it is actively guarding
against intrusion and attack.
ARP
See Address Resolution Protocol.
ARP table
A table of active ARP addresses on a computer.
ascending
A method of ordering a group of items from lowest
to highest, such as from A to Z.
ASN.1 (Abstract Syntax Notation One)
ISO/IEC standard for encoding rules used in ANSI
X.509 certificates. Two types exist: DER (Distinguished Encoding Rules)
and BER (Basic Encoding Rules).
asymmetric keys
A separate but integrated user key pair, composed
of one public key and one private key. Each key is one way, meaning that
a key used to encrypt information cannot be used to decrypt the same data.
attack
An attempt to hack into a system. Because not all
security issues represent true attacks, most security vendors prefer the
use of the word "event" or "incident."
ATM (asynchronous transfer mode)
High-speed packet switching with dynamic bandwidth
allocation.
authentication
A method of mapping a user name to a workstation
IP address, allowing the tracking of connections based on name rather
than IP address. With authentication, it does not matter which IP address
is used or from which machine a person chooses to work.
autopartitioning
A feature on some network devices that isolates
a node within the workgroup when the node becomes disabled, so as to not
affect the entire network or group.
authorization
To convey official access or legal power to a person
or entity.
backbone
A term often used to describe the main network
connections composing the Internet.
backdoor
A cipher design fault, planned or accidental, that
allows the apparent strength of the design to be easily avoided by those
who know the trick. When the design background of a cipher is kept secret,
a backdoor is often suspected.
bandwidth
The rate at which a network can transfer data.
Bandwidth Meter
A monitoring tool that provides a real-time graphical
display of network activities across a Firebox. Formerly known as the
Mazameter.
bastion host
A computer placed outside a firewall to provide
public services (such as WWW and FTP) to other Internet sites. The term
is sometimes generalized to refer to any host critical to the defense
of a local network.
bitmask
A pattern of bits for an IP address that determines
how much of the IP address identifies the host and how much identifies
the network.
block cipher
A symmetric cipher operating on blocks of plain
text and cipher text, usually 64 bits.
blocked port
A security measure in which a specific port associated
with a network service is explicitly disabled, blocking users outside
the firewall from gaining access to that service port. A blocked port
takes precedence over any service settings that are generally enabled.
blocked site
An IP address outside the Firebox explicitly blocked
so it cannot connect with hosts behind the Firebox. Blocked sites can
be manual and permanent, or automatic and temporary.
Blue Screen of Death (BSoD)
A condition in which a Windows NT-based system
encounters a serious error, the entire operating system halts, and a screen
appears with information regarding the error. The name comes from the
blue color of the error screen.
boot up
To start a computer.
Branch Office Virtual Private Networking (BOVPN)
A type of VPN that creates a secure tunnel over
an unsecure network, between two networks that are protected by the WatchGuard
Firebox System, or between a WatchGuard Firebox and an IPSec-compliant
device. It allows a user to connect two or more locations over the Internet
while protecting the resources on the trusted network and the optional
or a less trusted network.
bridge
A piece of hardware used to connect two or more
networks so that devices on the network can communicate. Bridges can only
connect networks running the same protocol.
broadcast
A network transmission sent to all nodes on a network.
broadcast address
An address used to broadcast a request to a network,
usually to discover the presence of a machine.
browser
See Web browser.
bus topology
A networking setup in which a single cable, such as
thin Ethernet, is used to connect one computer to another.
cable segment
A section of network cable separated by hubs, routers,
or bridges to create a subnet.
cascade
A command that arranges windows so that they are
overlapped, with the active window in front.
cascading
Connecting hubs with 10BASE-T cable; sometimes
requires a crossover cable.
Category 3 cabling
A 10BASE-T unshielded twisted-pair cabling type
commonly used in today's 10Mbps Ethernet networks.
Category 5 cabling
A higher grade of unshielded twisted-pair cabling
required for networking applications such as 100Mbps Fast Ethernet.
CBC
See cipher block chaining.
CD-ROM (Compact Disc Read-Only Memory)
A disk on which data is stored.
certificate
An electronic document attached to a public key
by a trusted third party, which provides proof that the public key belongs
to a legitimate owner and has not been compromised.
certificate authority (CA)
A trusted third party (TTP) who creates certificates
that consist of assertions on various attributes and binds them to an
entity and/or to their public key.
certificate revocation list (CRL)
An online, up-to-date list of previously issued
certificates that are no longer valid.
certification
Endorsement of functionality by a trusted entity.
Challenge Authentication Protocol (CHAP)
A session-based, two-way password authentication
scheme.
channel
A communications path between two computers or
devices.
checkbox
A dialog box option that is not mutually exclusive
with other options. Selecting a checkbox inserts or removes an X or a
checkmark; clearing a checkbox removes it.
CIDR (Classless Inter-Domain Routing)
A routing mechanism designed to deal with the exhaustion
of Class B network addresses, and the subsequent allocation of multiple
Class C addresses to sites. CIDR is described in RFC 1519.
cipher block chaining
A form of DES encryption that requires the entire
message to decrypt rather than a portion of the message.
cipher text
The result of manipulating either characters or
bits by way of substitution, transposition, or both.
Class A, Class B, Class C
See Internet address class.
clear-signed message
A message that is digitally signed but not encrypted.
clear text
Characters in a human readable form prior to or
after encryption. Also called plain text.
client
A computer process that requests a service of another
computer and accepts the server's responses.
Client/Server
A network computing system in which individual
computers (clients) use a central computer (server) for services such
as file storage, printing, and communications. See peer-to-peer.
coax (coaxial) cable
A type of cable, used in Ethernet networking, with
a solid central conductor surrounded by insulator, in turn surrounded
by a cylindrical shield woven from fine wires.
cold boot
The process of starting a computer by turning on
the power to the system unit.
collisions
Conflicts that occur when two packets are sent
over the network simultaneously. Both packets are rejected; Ethernet will
automatically resend them at altered timing.
communications software
Software such as email and faxing software that
allows users to send or receive data.
compress
To compact a file or group of files so that they
occupy less disk space. See also decompress.
compression function
A function that takes a fixed-size input and returns
a shorter, fixed-size output.
connected enterprise
A company or organization with a computer network
exchanging data with the Internet or some other public network.
Control Center
See System Manager.
Control Panel
The set of Windows NT, Windows 2000, and Windows
XP programs used to change system hardware, software, and Windows settings.
conventional encryption
Encryption that relies on a common passphrase instead
of public key cryptography. The file is encrypted using a session key,
which is itself encrypted using a passphrase that the user is asked to choose.
cookie
A file or token passed from the Web server to the
Web client (a user's browser) that is used to identify a user and could
record personal information such as ID and password, mailing address,
or credit card number.
coprocessor
A separate processor designed to assist in specific
functions, such as handling complex mathematics or graphics, and to temporarily
reduce the workload of the microprocessor.
corporate signing key
A public key that is designated by the security
officer of a corporation as the system-wide key that all corporate users
trust to sign other keys.
CPU (central processing unit)
The microprocessor chip that interprets and carries
out instructions. Also, simply, a term for a computer.
cracker
A codebreaker; a person who attempts to break encryption,
software locks, or network security. Can also be used as a synonym for
hacker.
CRL
See certificate revocation list.
cross-certification
Two or more organizations or certificate authorities
that share some level of trust.
crossover cable
A cable in which the receive and transmit lines
(input and output) are crossed. Crossover cables are necessary to connect
hubs.
cryptanalysis
The art or science of transforming cipher text
into plain text without initial knowledge of the key used to encrypt the
plain text.
CRYPTOCard
An authentication system that uses an offline card
to hash encryption keys, which increases their safety against unauthorized
decryption.
cryptography
The art and science of creating messages that have
some combination of being private, signed, and unmodified with non-repudiation.
CSLIP (Compressed Serial Line Internet Protocol)
A protocol for exchanging IP packets over a serial
line, which compresses the headers of many TCP/IP packets.
custom filter rules
Filter rules created in WatchGuard Policy Manager to
allow specific content types through the Firebox.
data
Distinct pieces of information, usually formatted in
a special way.
data compression
A way of storing data in a format that requires
less space than usual. Data compression is particularly useful in communications
because it enables devices to transmit the same amount of data in fewer
bits.
datagram
A packet of data that stands alone. Generally used
in reference to UDP and ICMP packets when talking about IP protocols.
data transmission speed
The number of bits that are transmitted per second
over a network cable.
DCERPC (Distributed Computing Environment Remote Procedure Call)
A call that allows connections bound for port 135
on a machine. These initial calls typically result in a response from
the trusted machine that redirects the client to a new port for the actual
service the client wants.
decompress
To expand a compressed file or group of files so
that the file or files can be opened. See also compress.
decrypt
To decode data that has been encrypted and turn
it back into plain text.
dedicated server
A computer on a network that is assigned to function
only as a resource server and cannot be used as a client.
default
A predefined setting that is built into a program
and is used when an alternative setting is not specified.
default packet handling
The practice of automatically and temporarily blocking
hosts that originate probes and attacks against a network.
denial of service attack (DoS)
A way of monopolizing system resources so that
other users are ignored. For example, someone could Finger an unsecured
host continuously so that the system is incapable of running or executing
other services.
DES (Data Encryption Standard)
A block-oriented cipher that encrypts blocks of
64 bits. The encryption is controlled by a key of 56 bits. See also Triple DES.
descending
A method of ordering a group of items from highest
to lowest, such as from Z to A.
device
Networking equipment such as a hub, switch, bridge,
or router.
DHCP (Dynamic Host Configuration Protocol)
A means of dynamically allocating IP addresses
to devices on a network.
DHCP server
A device that automatically assigns IP addresses
to network computers from a defined pool of numbers.
dialog box
A box that displays additional options when a command
is chosen from a menu.
dial-up connection
A connection between a remote computer and a server
using software, a modem, and a telephone.
dictionary attack
An attack that attempts to reveal a password by
trying logical combinations of words.
Diffie-Hellman
A mathematical technique for securely negotiating
secret keys over a public medium.
digital signature
An electronic identification of a person or thing
created by using a public key algorithm. Intended to verify to a recipient
the integrity of data and identity of the sender of the data.
dimmed
The grayed appearance of a command or option that
is unavailable.
disarmed
The state of a Firebox when it is not actively
protecting a network.
DMZ (Demilitarized Zone)
Another name for the optional network. One common
use for this network is as a public Web server.
DNS (Domain Name System)
A network system of servers that converts numeric
IP addresses into readable, hierarchical Internet addresses.
DoS
See denial of service attack.
dotted notation
The notation used to write IP addresses as four
decimal numbers separated by dots (periods), sometimes called dotted quad--123.212.12.4
is an example.
double-click
To press the primary mouse button twice rapidly.
download
To transfer a file from a remote computer to a
local computer.
driver
A software program that manipulates the computer
hardware in order to transmit data to other equipment.
drop-in configuration
A configuration in which the Firebox is physically
located between the router and the LAN without any of the computers on
the Trusted interface being reconfigured. This protects a single network
that is not subdivided into smaller networks.
drop-in network
A configuration that allows for distribution of
logical address space across the Firebox interface.
DSA (Digital Signature Algorithm)
A public key digital signature algorithm proposed
by the National Institute of Standards and Technology for DSS.
DSS (Digital Signature Standard)
A standard for digital signatures using DSA proposed
by the National Institute of Standards and Technology.
DVCP (Dynamic VPN Configuration Protocol)
A WatchGuard proprietary protocol that simplifies
configuration of VPNs.
dynamic NAT
(Also known as IP masquerading or port address
translation) A method of hiding network addresses from hosts on the external
or on a less trusted network. Hosts elsewhere on the Internet see only
outgoing packets from the Firebox itself.
dynamic packet filtering
Filtering based not only on service types, but
also on conditions surrounding the initiation of a connection.
ECC (Elliptic Curve Cryptosystem)
A method for creating public key algorithms based
on mathematical curves over finite fields or with large prime numbers.
encryption
The process of disguising a message to hide its
substance.
entropy
A mathematical measurement of the amount of uncertainty
or randomness.
ESMTP (Extended Simple Mail Transfer Protocol)
A protocol that provides extensions to SMTP for
sending email that supports graphics, audio, and video files, and text
in various foreign languages.
ESP (Encapsulation Security Payload)
A protocol used in IPSec used with IPSec Branch
Office VPN and MUVPN. ESP encapsulates and authenticates IP packets to
be passed over the tunnel, providing confidentiality, data integrity,
and origin authentication. ESP is similar to AH, except that it provides
encryption.
Ethernet
Networking standards, originally developed in 1973
and formalized in 1980, involving the transmission of data at 10 Mbps
using a specified protocol.
Ethernet address
A unique address that is obtained automatically
when an Ethernet adapter is added to the computer. This address identifies
the node as a unique communication item and enables direct communications
to and from that particular computer.
event
Any network incident that prompts some kind of
notification.
event processor
See WatchGuard Security Event Processor.
expand
To display all subordinate entries in an outline
or in a folder.
extension
See file extension.
external interface
An interface connected to the external network
that presents the security challenge, typically the Internet.
external network
The network presenting the security challenge.
failover
Configuration that allows a secondary machine to take
over in the event of a failure in the first machine, allowing normal use to
return or continue.
failover logging
A process in which contact is automatically established
with a secondary log host, in the event that the Firebox cannot communicate
with the primary log host.
fail-shut mode
A condition in which a firewall blocks all incoming
and outgoing traffic in the event of a firewall failure. This is the opposite
of fail-open mode, in which a firewall crash opens all traffic in both
directions. Fail-shut is the default failure mode of the WatchGuard Firebox
System.
fast Ethernet
An Ethernet networking system that transmits data
at 100 Mbps, based on the Ethernet 802.3 standard.
field
An area in a form or Web page in which to enter
or view specific information about an individual task or resource.
file extension
A period and up to three characters at the end
of a file name. The extension can help identify the kind of information
a file contains.
file server
A dedicated network computer used by client computers
to store and access files.
filtering process
An Ethernet switch or bridge process that reads
the contents of a packet and discards it if it does not need to be forwarded.
filtering rate
The rate at which an Ethernet device can receive
packets and drop them without any loss of incoming packets or delay in
processing.
filters
Small, fast programs in a firewall that examine
the header files of incoming packets and route or reject the packets based
on the rules for the filter.
fingerprint
A unique identifier for a key that is obtained
by hashing specific portions of the key data.
FIPS (Federal Information Processing Standard)
A U.S. government standard published by the National
Institute of Standards and Technology.
Firebox
The WatchGuard firewall appliance, consisting of
a red box with a purpose-built computer and input/output architecture
optimized as the resident computer for network firewall software.
Firebox System Manager
A WatchGuard toolkit of applications run from a
single location, enabling configuration, management, and monitoring of
a network security policy. Formerly called Control Center.
firewall
Any technological measures taken to secure a computer
network against unwanted use and abuse by way of net connections.
firewalling
The creation or running of a firewall.
flash disk
An 8-megabyte, on-board flash ROM disk that acts
like a hard disk in a Firebox.
FTP (File Transfer Protocol)
The most common protocol for copying files over the
Internet. See also active mode FTP.
gateway
A system or host that provides access between two or
more networks. Gateways are typically used to connect networks that are dissimilar.
graphical user interface (GUI)
The visual representation on a computer screen
that allows users to view, enter, or change information.
hack
To use a computer or network to perform illegal
acts or gain unauthorized access.
hacker
An individual who uses a computer or network to
perform illegal acts or gain unauthorized access. The term also can refer
to an individual who is simply a computer enthusiast or expert; however,
WatchGuard publications use the former definition.
hash code
A unique, mathematical summary of a document that
serves to identify the document and its contents. Any change in the hash
code indicates that the document's contents have been altered.
header
A series of bytes at the beginning of a communication
packet that provides identification information about the packet, such as
its computer of origin, the intended recipient, packet size, and destination
port number.
Help system
A form of online information about a software or
hardware system.
hexadecimal
A numbering system containing 16 sequential numbers
as base units before adding a new position for the next number. Hexadecimal
uses the numbers 0-9 and the letters A-F.
hierarchical trust
A graded series of entities that distribute trust
in an organized fashion, commonly used in ANSI X.509 to issue certifying
authorities.
High Availability
A WatchGuard Firebox System option that enables
the installation of two Fireboxes on one network in a failover configuration.
At any given moment, one Firebox is in active mode while the other is
in standby mode, ready to take over if the first box fails.
Historical Reports
A WatchGuard Firebox System application that creates
HTML reports displaying session types, most active hosts, most used services,
and other information useful in monitoring and troubleshooting a network.
HMAC
A key-dependent, one-way hash function specifically
intended for use with MAC (Message Authentication Code), and based upon
IETF RFC 2104.
home page
The first page of a Web site used as an entrance
into the site.
honeypot
Programs that simulate one or more network services
that you designate on your computer's ports. An attacker assumes you're
running vulnerable services that can be used to break into the machine.
A honeypot can be used to log access attempts to those ports including
the attacker's keystrokes. This could give you advanced warning of a more
concerted attack.
host
A computer connected to a network.
host route
A setup in which an additional router is behind
the Firebox and one host is behind that router. A host route must be configured
to inform the Firebox of this additional host behind the additional router.
HostWatch
A WatchGuard Firebox System application that provides
a real-time display of the hosts that are connected from behind the Firebox
to hosts on the Internet.
HTML (HyperText Markup Language)
A set of rules used to format Web pages, including
methods to specify text characteristics, graphic placement, and links.
HTML files are read and interpreted by a Web browser.
HTTP (HyperText Transfer Protocol)
A communications standard designed and used to
transfer information and documents between servers or from a server to
a client.
HTTPS (Secure HTTP)
A variation of HTTP enabling the secure transmission
of data and HTML files. Generally used in conjunction with Secure Sockets
Layer (SSL).
hub
A device that receives and sends signals along
the network between the nodes connected to it.
hyperlink
An object on a Web page such as a graphic or underlined
text that represents a link to another location in the same file or a
different file. When clicked, the page or graphic appears.
IANA (Internet Assigned Number Authority)
The central authority charged with assigning parameter
values to Internet protocols. For example, IANA controls the assignment
of well-known TCP/IP port numbers. Currently IANA manages port numbers
1 through 1023.
ICMP (Internet Control Message Protocol)
A protocol used to pass control and error messages
back and forth between nodes on the Internet.
identity certificate
A signed statement that binds a key to the name
of an individual and therefore delegates authority from that individual
to the public key.
IDS
See Intrusion Detection System.
IETF
See Internet Engineering Task Force.
IKE (Internet Key Exchange)
A protocol used with IPSec virtual private networks.
Automates the process of negotiating keys, changing keys, and determining
when to change keys.
implicit trust
A condition reserved for pairs located on a local
keyring. If the private portion of a key pair is found on a user's keyring,
PGP assumes that user is the owner of the key pair and implicitly trusts
himself or herself.
initialization vector
A block of arbitrary data that serves as the starting
point for a block cipher using a chaining feedback mode. See also cipher block chaining.
initialize
To prepare a disk for information storage.
installation wizard
A wizard specifically designed to guide a user
through the process of installing software. See wizard.
integrity, data integrity
Assurance that data is not modified by unauthorized
persons during storage or transmittal.
interface
A boundary across which two independent systems
meet and act on or communicate with each other. The term generally refers
to a hardware interface--the wires, plugs, and sockets that hardware devices
use to communicate with each other.
Internet address class
To efficiently administer the 32-bit IP address
class space, IP addresses are separated into three classes that describe
networks of varying sizes:
Class A: If the first octet of an IP address is less than 128, it is a Class A address. A network with a Class A address can have up to about 16 million hosts.
Class B: If the first octet of an IP address is from 128 to 191, it is a Class B address. A network with a Class B address can have up to 64,000 hosts.
Class C: If the first octet of an IP address is from 192 to 223, it is a Class C address. A network with a Class C address can have up to 254 hosts.
Internet Engineering Task Force (IETF)
A large, open international community of network
designers, operators, vendors, and researchers concerned with the evolution
of the Internet architecture and the smooth operation of the Internet.
intranet
A self-contained network that uses the same communications
protocols and file formats as the Internet.
Intrusion Detection System (IDS)
A class of networking products devoted to detecting,
monitoring, and blocking attacks from hackers. IDSs that operate on a
host to detect malicious activity on that host are called host-based IDSs.
IDSs that operate on network data flows are called network-based IDSs.
IP (Internet Protocol)
A protocol used by the Internet that enables computers
to communicate over various physical media.
IP address host
The 32-bit address that identifies a host. Technically,
a host is a network device connected to the Internet. In common usage,
a host is a computer or some other device that has a unique IP address.
Computers with more than one IP address are known as multihomed hosts.
IP fragment
An IP datagram that is actually part of a larger
IP packet. IP fragments are typically used when an IP packet is too large
for the physical media that the data must cross. For example, the IP standard
for Ethernet limits IP packets to about 1,500 bytes, but the maximum IP
packet size is 65,536 bytes. To send packets larger than 1,500 bytes over
an Ethernet, IP fragments must be used.
IP masquerading
See dynamic NAT.
IP options
Extensions to the Internet Protocol used mainly
for debugging and special applications on local networks. In general,
there are no legitimate uses of IP options over an Internet connection.
IP options attack
A method of gaining network access by using IP
options.
IPSec (Internet Protocol Security)
An open-standard methodology of creating a secure
tunnel through the Internet, connecting two remote hosts or networks.
IPSec provides several encryption and authentication options to maximize
the security of the transmission over a public medium such as the Internet.
IP spoofing
The act of inserting a false sender IP address
into an Internet transmission to gain unauthorized access to a computer
system.
ISA (Industry Standard Architecture)
A unique network interface card on the motherboard
of a computer.
ISAKMP (Internet Security Association Key Management Protocol)
Defines the procedures for authenticating a communicating
peer, creation and management of security associations, key generation
techniques, and threat mitigation; for example, denial of service and
replay attacks.
ISO (International Organization for Standardization)
An organization responsible for a wide range of
standards, like the OSI model and international relationship with ANSI
on X.509.
ISP (Internet service provider)
A business that sells access to the Internet. A
government organization or an educational institution may be the ISP for
some organizations.
ITU-T (International Telecommunication Union-Telecommunication)
Formerly the CCITT (Consultative Committee for
International Telegraph and Telephone), a worldwide telecommunications
technology standards organization.
IV
See initialization vector.
Java applet
A program written in the Java programming language
that can be included on an HTML page, much in the same way an image is
included. When someone uses a Java technology-enabled browser to view
a page that contains an applet, the applet's code is transferred to that
user's system and carried out by the browser's Java virtual machine (JVM).
Kerberos
A trusted third-party authentication protocol developed
at Massachusetts Institute of Technology.
key
A means of gaining or preventing access, possession,
or control represented by any one of a large number of values.
key exchange
A scheme for two or more nodes to transfer a secret
session key across an unsecured channel.
key fingerprint
A uniquely identifying string of numbers and characters
used to authenticate public keys.
key ID
A code that uniquely identifies a key pair. Two
key pairs can have the same user ID, but they have different key IDs.
key length
The number of bits representing the key size; the
longer the key, the stronger it is.
key management
The process and procedure for safely storing and
distributing accurate cryptographic keys; the overall process of generating
and distributing cryptographic keys to authorized recipients in a secure
manner.
key pair
A public key and its complementary private key.
keyring
A set of keys. Each user has two types of keyrings:
a private keyring and a public one.
key splitting
The process of dividing a private key into multiple
pieces and sharing those pieces among several users. A designated number
of users must bring their shares of the key together to use the key. Also
called secret sharing.
LAN (local area network)
A computer network that spans a relatively small
area generally confined to a single building or group of buildings.
LDAP (Lightweight Directory Access Protocol)
A protocol that supports access and search operations
on directories containing information such as names, phone numbers, and
addresses across otherwise incompatible systems over the Internet.
LED (light-emitting diode)
A small indicator light on a networking device
that provides indication of status and other information about the device.
link
See hyperlink.
Linux
An open source version of the UNIX operating system.
LiveSecurity Service
See WatchGuard LiveSecurity Service.
LogViewer
A WatchGuard Firebox System application that displays
a static view of a log file.
loopback interface
A pseudo interface that allows a host to use IP
to talk to its own services. A host is generally configured to trust packets
coming from addresses assigned to this interface. The Class A address
group 127.0.0.0 has been reserved for these interfaces.
MAC (Message Authentication Code)
A key-dependent, one-way hash function; verifying the
hash requires the identical key that produced it.
MAC address
Media Access Control address, an address that is unique to a computer
and is used to identify its network hardware.
mail server
Refers to both the application and the physical machine
tasked with routing incoming and outgoing electronic mail.
management station
The computer on which the WatchGuard Firebox System
Manager and Policy Manager runs; sometimes referred to as the administration
host.
man-in-the-middle attack
An attack that deceives two parties into thinking they
are communicating with each other while, in fact, they are both communicating
with a third party. This type of attack is often attempted when the attacker
desires communication with a system under the identity of a particular user.
masquerading
A method of setting up addressing so that a firewall
presents its IP address to the outside world in lieu of the IP addresses of
the hosts protected by the firewall.
Mazameter
See Bandwidth Meter.
MD2 (Message Digest 2)
A 128-bit, one-way hash function that is dependent on
a random permutation of bytes.
MD4 (Message Digest 4)
A 128-bit, one-way hash function that uses a simple
set of bit manipulations on 32-bit operands.
MD5 (Message Digest 5)
An improved, more complex version of MD4, but still
a 128-bit, one-way hash function.
message digest
A number that is derived from a message. A change to
a single character in the message will cause it to have a different message
digest.
MIME (Multipurpose Internet Mail Extensions)
Extensions to the SMTP format that allow binary data,
such as that found in graphic files or documents, to be published and read on
the Internet.
modem
A communications device that sends computer transmissions
over a standard telephone line.
motherboard
The main printed circuit board in a computer, which
contains sockets that accept additional boards (daughterboards).
MSDUN
Microsoft Dial-Up Networking is an executable program
required for remote user VPN.
multiple network configuration
A configuration used in situations in which a Firebox
is placed with separate logical networks on its interface.
name resolution
The translation of a host name to an IP address.
See Domain Name System.
NetBIOS (Network Basic Input/Output System)
An extension of the DOS BIOS that enables a computer
to connect to and communicate with a LAN (Local Area Network).
NetBEUI (NetBIOS Extended User Interface)
A non-routable networking protocol used by smaller,
non-subnetted networks for internal communications. Because NetBEUI is
not routable, network transmissions sent via NetBEUI cannot be transmitted
over the Internet.
National Institute for Standards and Technology
A division of the U.S. Department of Commerce that
publishes open interoperability standards called Federal Information Processing
Standards (FIPSs).
network address
The network portion of an IP address. For a class
A network, the network address is the first byte of the IP address. For
a class B network, the network address is the first two bytes of the IP
address. For a class C network, the network address is the first three
bytes of the IP address. In each case, the remainder is the host address.
In the Internet, assigned network addresses are globally unique.
network address translation (NAT)
A method of hiding or masquerading internal network addresses
from hosts on an external network, protecting the confidentiality and architecture
of the internal network.
netmask
An inverse mask of the significant bits of a network
address. On a local net, the range of addresses one can expect to be found
directly connected to the network. Because netmasks generally occur with
a Class C license address space of 8 bits, the netmask is 255.255.255.0.
It can be a smaller number of bits if subnetting is in effect. Some systems
require the netmask to be an even number of bits.
network adaptor, network interface card
A device that sends and receives data between the
computer and the network cabling. It may work either internally, such
as a PCI, or externally, such as a SCSI adaptor which connects to a computer's
SCSI port.
network number
The portion of an IP address that is common to
all hosts on a single network and is normally defined by the set portion
of the corresponding netmask.
network range
The portion of an IP address that is allocated
to individual hosts on a single network and is normally defined by the
cleared portion of the corresponding netmask.
NFS (Network File System)
A popular TCP/IP service for providing shared file
systems over a network.
NIST
See National Institute for Standards and Technology.
node
A computer or CPU on a network.
non-seed router
A router that waits to receive routing information
(the routing maintenance table) from other routers on the network before
it begins routing packets.
NTP (Network Time Protocol)
An Internet service used to synchronize clocks
between Internet hosts. Properly configured, NTP can usually keep the
clocks of participating hosts within a few milliseconds of each other.
Oakley
The Oakley Session Key Exchange provides a hybrid
Diffie-Hellman session key exchange for use within the ISAKMP framework.
Oakley provides the important property of perfect forward secrecy.
octet
A byte. Used instead of "byte" in most
IP documents because historically many hosts did not use 8-bit bytes.
one-time pad
A large, non-repeating set of truly random key
letters used for encryption, considered the only perfect encryption scheme.
one-way hash function
A function that produces a message digest that
cannot be reversed to produce the original.
optional interface
An interface that connects to a second secured
network, typically any network of servers provided for public access.
optional network
A network protected by the firewall but still accessible
from the trusted and external networks. Typically, any network of servers
provided for public access.
OSI (Open Systems Interconnection)
A standard description or reference model for how
messages should be transmitted between any two points in a telecommunication
network. Its purpose is to guide product implementors so that their products
will consistently work with other products.
out-of-band (OOB)
A management feature that enables the management
station to communicate with the Firebox using a telephone line and a modem.
OOB is very useful for remotely configuring a Firebox when Ethernet access
is unavailable.
packet
A unit of information containing specific protocols
and codes that allow precise transmittal from one node in a network to
another.
packet filtering
A way of controlling access to a network by analyzing
the incoming and outgoing packets and letting them pass or halting them
based on the IP addresses of the source and destination. Packet filtering
is one technique, among many, for implementing security firewalls.
passive mode FTP
See active mode FTP.
passphrase
An easy-to-remember phrase used for better security
than a single password; key crunching converts it into a random key.
password
A sequence of characters or a word that a user
submits to a system for purposes of authentication, validation, or verification.
password caching
The storage of a user's username and password in
a network administrator database or encrypted file on a computer.
Password Authentication Protocol (PAP)
An authentication protocol that allows PPP peers
to authenticate one another. It does not prevent unauthorized access,
but identifies the remote end.
PCI (peripheral component interconnect)
A unique network interface card slot on the motherboard
of a computer.
PCMCIA (Personal Computer Memory Card International Association) card
A standard compact physical interface used in personal
computers. The most common application of PCMCIA cards is for modems and
storage.
perfect forward secrecy (PFS)
A cryptosystem in which the cipher text yields
no possible information about the plain text, except possibly the length.
PEM
See Privacy Enhanced Mail.
peer-to-peer
A network computing system in which all computers
are treated as equals on the network.
peripherals
Equipment such as disk drives, CD-ROM drives, modems,
and printers that are connected to a computer.
permission
Authorization to perform an action.
PGP
See Pretty Good Privacy.
PGP/MIME
An IETF standard (RFC 2015) that provides privacy
and authentication using the Multipurpose Internet Mail Extensions (MIME)
security content types described in RFC1847, currently deployed in PGP
5.0 and later versions.
Phase 1, Phase 2
Stages in the IKE negotiation. Phase 1 authenticates
the two parties and sets up a key management security association for
protecting the data. Phase 2 negotiates a data management security association,
which uses the data management policy to set up IPSec tunnels in the kernel
for encapsulating and decapsulating data packets.
ping (packet Internet groper)
A utility for determining whether a specific IP
address is accessible. It works by sending a packet to the specified address
and waiting for a reply.
PKCS
See Public Key Crypto Standards.
PKI
See Public Key Infrastructure.
plain text
Characters in a human-readable form prior to or
after encryption. Also called clear text.
PLIP (Parallel Line Internet Protocol)
A protocol for exchanging IP packets over a parallel
cable.
Plug and Play
A standard in the personal computer market that
assures the user that the product is as simple to install as possible.
Policy Manager
One component in the WatchGuard Firebox System
that provides a user interface for modifying and uploading a Firebox configuration
file.
pop-up window
A window that suddenly appears (pops up) when an
option is selected with a mouse or a function key is pressed.
port
A channel for transferring electronic information
between a computer and a network, peripherals, or another computer.
port address translation
See dynamic NAT.
portal
A Web site that serves as a gateway to the World
Wide Web and typically offers a search engine or links to other pages.
port forwarding
In the WatchGuard Firebox System, an option in
which the Firebox redirects IP packets to a specific masqueraded host
behind the firewall based on the original destination port number. Also
called static NAT.
port space probe
An intrusion measure in which a hacker sequentially
attacks port numbers. These probes are usually attempts to map port space
to look for security holes which the sender might exploit.
port, TCP or UDP
A TCP or UDP service endpoint. Together with the
hosts' IP addresses, ports uniquely identify the two peers of a TCP connection.
PPP (Point-to-Point Protocol)
A link-layer protocol used to exchange IP packets
across a point-to-point connection, usually a serial line.
PPPoE (Point-to-Point Protocol over Ethernet)
A specification for connecting the users on an
Ethernet to the Internet through a common broadband medium.
PPTP (Point-to-Point Tunneling Protocol)
A VPN tunnelling protocol with encryption. It uses
one TCP port (for negotiation and authentication of a VPN connection)
and one IP protocol (for data transfer) to connect the two peers in a
VPN.
Pretty Good Privacy (PGP)
An application and protocol (RFC 1991) for secure
email and file encryption. PGP uses a variety of algorithms, like IDEA,
RSA, DSA, MD5, SHA-1, for providing encryption, authentication, message
integrity, and key management.
primary key (IPSec)
An IPSec key responsible for creating a security
association. Values can be set in time or data size.
principle of precedence
Rules that determine which permissions and prohibitions
override which others when creating a combination of security policies.
Privacy Enhanced Mail (PEM)
A protocol to provide secure Internet mail (RFC
1421-1424), including services for encryption, authentication, message
integrity, and key management. PEM uses ANSI X.509 certificates.
private key
The privately held "secret" component
of an integrated asymmetric key pair, often referred to as the decryption
key.
probe
A type of hacking attempt characterized by repetitious,
sequential access attempts. For example, a hacker might try to probe a
series of ports for one that is more open and less secure.
protocol
A set of formal rules describing how to transmit
data, especially across a network. Low-level protocols define the electrical
and physical standards to be observed, bit- and byte-ordering, and the
transmission and error detection and correction of the bit stream. High-level
protocols deal with the data formatting, including the syntax of messages,
the terminal-to-computer dialog, character sets, and sequencing of messages.
provisioning
The process of setting the parameters of the Firebox
or SOHO before it is sent to a customer. With respect to the Firebox,
the minimum Policy Manager configuration is set with the most basic services
on the box, Ping and WatchGuard. Provisioning also sets the IP addresses
on the Firebox.
proxy ARP
The technique in which one host, usually a router,
answers Address Resolution Protocol (ARP) requests intended for another
machine. By "faking" its identity, the router accepts responsibility
for routing packets to the "real" destination.
proxy server
A server that stands in place of another server.
In firewalling, a proxy server poses as a specific service but has more
rigid access and routing rules.
pseudo-random number
A number that results from applying randomizing
algorithms to input derived from the computing environment, such as mouse
coordinates. See also random number.
public key
The publicly available component of an integrated
asymmetric key pair, often referred to as the encryption key.
public key cryptography
Cryptography in which a public and private key
pair is used, and no security is needed in the channel itself.
Public Key Crypto Standards
A set of standards for public key cryptography
developed in cooperation with an informal consortium (Apple, DEC, Lotus,
Microsoft, MIT, RSA, and Sun) that includes algorithm-specific and algorithm-independent
implementation standards.
Public Key Infrastructure
A widely available and accessible certificate system
for obtaining an entity's public key.
QuickSetup Wizard
A wizard that creates a basic Firebox configuration.
It consists of a series of windows that prompt for essential configuration
information for drop-in or advanced network installations.
RADIUS (Remote Authentication Dial-In User Service)
A protocol for distributed security that secures
remote access to networks and network services against unauthorized access.
RADIUS consists of two pieces--authentication server code and client protocols.
random number
A necessary element in generating unique keys that
are unpredictable to an adversary. True random numbers are typically derived
from analog sources, and usually involve the use of special hardware.
RC4 (Rivest Cipher 4)
A variable key size stream cipher, once a proprietary
algorithm of RSA Data Security, Inc.
RC5 (Rivest Cipher 5)
A block cipher with variable parameters: block
size, key size, and number of rounds.
related hosts
A method to place hosts on the optional or external
interface when using a simple or drop-in network configuration. Examples
include placing a router on the external interface or an HTTP server on
the optional interface.
related networks
Networks on the same physical wire as the Firebox
interfaces but with network addresses that belong to an entirely different
network.
repeater
A network device that regenerates signals so that
they can extend the cable length.
report
A formatted collection of information that is organized
to provide project data on a specific subject.
revocation
Retraction of certification or authorization.
RFC (Request for Comments)
RFC documents describe standards used or proposed
for the Internet. Each RFC is identified by a number, such as RFC 1700.
RFCs can be retrieved either by email or FTP.
ring topology
A basic networking topology in which all nodes
are connected in a circle with no terminated ends on the cable.
route
The sequence of hosts through which information
travels to reach its destination host.
routed configuration or network
A configuration with separate network addresses
assigned to at least two of the three Firebox interfaces. This type of
configuration is intended for situations in which the Firebox is put in
place with separate logical networks on its interfaces.
router
A device, connected to at least two networks, that
receives and sends packets between those networks. Routers use headers
and a forwarding table to forward packets to their destination. Most rely
on ICMP to communicate with one another and configure the best route between
any two hosts.
RUVPN (Remote User VPN)
Remote User Virtual Private Networking establishes
a secure connection between an unsecured remote host and a protected network
over an unsecured network.
salt
A random string that is concatenated with passwords
(or random numbers) before being operated on by a one-way function. This
concatenation effectively lengthens and obscures the password, making
the cipher text less susceptible to dictionary attacks.
scalable architecture
Software and/or hardware constructed so that, after
configuring a single machine, the same configuration can be propagated
to a group of connected machines.
screening router
A machine that performs packet filtering.
SCSI (Small Computer System Interface)
A processor-independent standard for system-level
interfacing between a computer and intelligent devices including hard
disks, floppy disks, CD-ROM, printers, and scanners.
secondary network
A network on the same physical wire as a Firebox
interface that has an address belonging to an entirely different network.
secret key
Either the private key in public key (asymmetric)
algorithms or the session key in symmetric algorithms.
secret sharing
See key splitting.
secure channel
A means of conveying information from one entity
to another such that an intruder does not have the ability to reorder,
delete, insert, or read.
Secure Sockets Layer (SSL)
A protocol for transmitting private documents over
the Internet. SSL works by using a private key to encrypt data transferred
over an SSL connection.
SecurID server
Each time an end user connects to the specialized HTTP
server running on the Firebox on port 4100, a Java-enabled applet opens
and prompts for the username, password, and whether or not to use SecurID
(PAP) Authentication. The username and password are DES-encrypted using
a secret key shared between the Java client and the Firebox. The Firebox
then decrypts the name and password to create a RADIUS PAP Access-Request
packet, and then sends it to the configured RADIUS server.
security traffic display
An LED indicator on the front of a Firebox that
indicates the directions of traffic between the Firebox interfaces. The
display can either be a triangle display, for Fireboxes with three interfaces,
or a star display, for Fireboxes with six interfaces.
seed router
A router that supplies routing information (such
as network numbers and ranges) to the network.
segment
One or more nodes in a network. Segments are connected
to subnets by hubs and repeaters.
self-extracting file
A compressed file that automatically decompresses
when double-clicked.
server
A computer that provides shared resources to network
users.
server-based network
A network in which all client computers use a dedicated
central server computer for network functions such as storage, security,
and other resources.
Server Message Block (SMB)
A message format used by DOS and Windows to share
files, directories, and devices. NetBIOS is based on the SMB format, and
many network products use SMB. These SMB-based networks include LAN Manager,
Windows for Workgroups, Windows NT, and LAN Server.
Services Arena
An area in Policy Manager that displays the icons
that represent the services (proxied and filtered) configured for a Firebox.
ServiceWatch
A graphical monitor that provides a real-time display
that graphs how many connections exist, by service.
session key
The secret (symmetric) key used to encrypt each
set of data on a transaction basis. A different session key is used for
each communication session.
session stealing
An intrusion maneuver whereby a hacker sends a
command to an already existing connection in order to have that command
provide the information needed to stage a separate attack.
setup keys (IKE)
IKE keys responsible for creating a security association.
SHA-1 (Secure Hash Algorithm)
The 1994 revision to SHA, developed by NIST, (FIPS
180-1). When used with DSS, it produces a 160-bit hash, similar to MD4.
shared secret
A passphrase or password that is the same on the
host and the client computer. It is used for authentication.
SHTTP
See HTTPS.
sign
To apply a signature.
signature
A digital code created with a private key.
single sign-on
A sign-on in which one logon provides access to
all resources on the network.
slash notation
A format for writing IP addresses in which the
number of bits in the IP number is specified at the end of the IP address.
For example: 192.168.44.0/24.
SLIP (Serial Line Internet Protocol)
A protocol for exchanging IP packets over a serial
line.
S/MIME (Secure Multipurpose Mail Extension)
A proposed standard for encrypting and authenticating
MIME data. S/MIME defines a format for the MIME data, the algorithms that
must be used for interoperability (RSA, RC2, SHA-1) and the additional
operational concerns such as ANSI X.509 certificates and transport over
the Internet.
SMS (Security Management System)
The former name of the GUI used to configure a
Firebox. Now known as WatchGuard Policy Manager.
SMTP (Simple Mail Transfer Protocol)
A protocol for sending electronic messages between
servers.
social engineering attack
An attack in which an individual is persuaded or
tricked into divulging privileged information to an attacker.
SOCKS
A protocol for handling TCP traffic through a proxy
server. It can be used with virtually any TCP application, including Web
browsers and FTP clients. It provides a simple firewall because it checks
incoming and outgoing packets and hides the IP addresses of client applications.
SOHO
Small Office-Home Office. Also the name of the
WatchGuard firewall devices designed for this segment of the market.
spam
Unsolicited email sent to many recipients, much
like an electronic version of junk mail.
spoofing
Altering packets to falsely identify the originating
computer to confuse or attack another computer. The originating computer
is usually misidentified as a trusted computer within an organization.
SSL
See Secure Sockets Layer.
stance
The policy of a firewall regarding the default
handling of IP packets. Stance dictates what the firewall will do with
any given packet in the absence of explicit instructions. The WatchGuard
default stance is to discard all packets that are not explicitly allowed,
often stated as "That which is not explicitly allowed is denied."
star topology
A networking setup used with 10BASE-T cabling and
a hub in which each node on the network is connected to the hub like points
of a star.
static NAT
Network address translation in which incoming packets
destined for a public address on an external network are remapped to an
address behind the firewall.
stream cipher
A class of symmetric key encryption in which the transformation
can change for each symbol of plain text being encrypted; useful for
equipment with little memory to buffer data.
subnet
A network segment connected by hubs or repeaters.
For example, one could take a class C network with 256 available addresses
and create two additional netmasks under it that separate the first 128
and last 128 addresses into separate identifiable networks. Subnetting
enables a client with a single network to create multiple networks; the
advanced or multiple network configurations can then be used when setting
up the Firebox.
subnet mask
A 32-bit number used to identify which portion of
an IP address is masked.
substitution cipher
A method in which the characters of the plain text
are substituted with other characters to form the cipher text.
switch
A device that filters and forwards packets between
LAN segments.
symmetric algorithm
Also called conventional, secret key, and single
key algorithms; the encryption and decryption keys are either the same
or can be calculated from one another.
SYN flood attack
A method of denying service to legitimate users
by overloading a network with illegitimate TCP connection attempts.
syslog
An industry-standard protocol used for capturing
log information for devices on a network. Syslog support is included in
Unix-based and Linux-based systems.
System Manager
A WatchGuard toolkit of applications run from a
single location, enabling configuration, management, and monitoring of
a network security policy. Formerly called Control Center.
TCP (Transmission Control Protocol)
A reliable byte-streaming protocol that implements
a virtual connection. Most long-haul traffic on the Internet uses TCP.
TCP/IP (Transmission Control Protocol/Internet Protocol)
A common networking protocol with the ability to
connect different elements.
TCP session hijacking
An intrusion in which an individual takes over
a TCP session between two machines. A hacker can gain access to a machine
because most authentication occurs only at the start of the TCP session.
Telnet
A terminal emulation program for TCP/IP networks.
It runs on a computer and connects a workstation to a server on a network.
terminator
A resistor at the end of an Ethernet cable that
absorbs energy to prevent it from being reflected back along the cable (signal
bounce). It is usually attached to an electrical ground at one end.
Thick Ethernet cable
Industry-standard Ethernet cable or any other cable
that uses the IEEE 802.3 Media Access Unit interface. Also called 10BASE5.
Thin Ethernet cable
IEEE 802.3, 10BASE2 cable that connects to the
Ethernet cable system with a cylindrical BNC connector. Usually, quarter-inch
black coaxial cable.
timestamping
Recording the time of creation or existence of
information.
TLS
See Transport Layer Security.
TLSP
See Transport Layer Security Protocol.
token
An abstract concept passed between cooperating
agents to ensure synchronized access to a shared resource. Whoever has
the token has exclusive access to the resource it controls.
tooltip
A name or phrase that appears when the mouse pointer
pauses over a button or icon.
topology
A wiring configuration used for a network.
Transport Layer Security (TLS)
Based on the Secure Sockets Layer (SSL) version
3.0 protocol, TLS provides communications privacy over the Internet.
Transport Layer Security Protocol (TLSP)
ISO 10736, draft international standard.
transposition cipher
A cipher in which the plain text remains the same
but the order of the characters is transposed.
triple-DES
An advanced form of encryption using three keys
rather than one or two. It is roughly as secure as single DES would be
if it had a 112-bit key.
trust
Confidence in the honesty, integrity, or reliability
of a person, company, or other entity.
Trusted interface
The interface on the Firebox that connects to the
internal network, which should be protected to the maximum practical amount.
Trusted network
The network behind the firewall that must be protected
from the security challenge--usually, the Internet.
tunnel
An entity through which one network sends its data
by way of another network's connections. Tunneling works by encapsulating
a network protocol within packets carried by the second network. For example,
Microsoft's PPTP technology enables organizations to use the Internet
to transmit data across a virtual private network (VPN). It does this
by embedding its own network protocol within the TCP/IP packets carried
by the Internet.
twisted-pair cable
A cable used for both network and telephone communications.
Also known as UTP (unshielded twisted pair) and 10BASE-T/100BASE-T cable.
UDP (User Datagram Protocol)
A connectionless protocol. Used less frequently
for long-distance connections, largely because it lacks TCP's congestion
control features. Used quite heavily in local area networks for NFS.
URL (Universal Resource Locator)
The user-friendly address that identifies the location
of a Web site such as http://www.watchguard.com.
validation
A means to provide timeliness of authorization
to use or manipulate information or resources.
verification
The act of comparing a signature created with a
private key to its public key. Verification proves that the information
was actually sent by the signer and that the message has not been subsequently
altered by anyone else.
VPN (virtual private network)
A virtual, secured network over a public or unsecure
network (such as the Internet) where the alternative--a dedicated physical
network--is either prohibitively expensive or impossible to create. Companies
with branch offices commonly use VPNs to connect multiple locations.
WAN (wide area network)
A computer network that spans a relatively large
geographical area. Typically, a WAN consists of two or more local area
networks (LANs).
WatchGuard installation directory
The directory into which the WatchGuard Firebox
System software is installed by default.
WatchGuard LiveSecurity Service
Part of the WatchGuard Firebox System offering,
separate from the software and the Firebox, which keeps network defenses
current. It includes the broadcast network that transmits alerts, editorials,
threat responses, and software updates via email; a technical support
contract; and a Web site containing information, archives, online training,
and the latest software.
WatchGuard Security Event Processor (WSEP)
A program that controls notification and logging
on the log hosts. It provides critical timing services for the Firebox
and includes its own GUI.
Web browser
Software that interprets and displays documents
formatted for the Internet or an intranet.
Web of Trust
A distributed trust model used by PGP to validate
the ownership of a public key.
Web page
A single HTML-formatted file.
Web site
A collection of Web pages located in the directory
tree under a single home page.
WebBlocker
An optional WatchGuard software module that blocks
users behind the Firebox from accessing undesirable Web sites based on
content type, time of day, and/or specific URL.
WINS (Windows Internet Name Service)
WINS provides name resolution for clients running
Windows NT and earlier versions of Microsoft operating systems. With name
resolution, users access servers by name rather than needing to use an
IP address.
wizard
A tool that guides a user through a complex task
by asking questions and then performing the task based on responses.
World Wide Web (WWW)
The collection of available information on the
Internet viewable using a Web browser.
World Wide Web Consortium (W3C)
An international industry consortium founded in
1994 to develop common protocols for the evolution of the World Wide Web.
worm
A program that seeks access into other computers.
After a worm penetrates another computer, it continues seeking access
to other areas. Worms often steal or vandalize computer data. Many viruses
are actually worms that use email or database systems to propagate themselves
to other victims.
XOR
Exclusive-or operation; a mathematical way to represent
differences.
X.509v3
An ITU-T digital certificate that is an internationally
recognized electronic document used to prove identity and public key ownership
over a communication network. It contains the issuer's name, the user's
identifying information, and the issuer's digital signature, as well as
other possible extensions in version 3.
Copyright
© 1996 - 2004 WatchGuard Technologies, Inc. All rights reserved.