It is a device or set of devices that is configured to permit or deny network transmissions based upon a set of rules and other criteria.
Firewalls can be implemented in either hardware or software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets.
All messages entering or leaving the intranet pass through the firewall, which inspects each message and blocks those that do not meet the specified security criteria.
- Access control list (ACL)
A list of individual users and groups of users associated with an object, and the rights that the user or group
has when accessing that object.
- Address Resolution Protocol (ARP)
A network protocol that is used to convert IP addresses to physical network addresses by sending an ARP
broadcast to request the address.
A computable set of steps to achieve a desired result.
- Application-level gateway
Application gateways function at all four layers of the TCP/IP suite. They are typically implemented through
software installed on a specialized server. Application gateways are sometimes known as proxy servers.
- Asymmetric encryption
A type of encryption that uses one key to encrypt a message and another to decrypt the message. (Also,
- Asymmetric key algorithm
An algorithm used for asymmetric encryption.
Reading and interpreting log files to identify hacker activity.
The process of identifying an individual, usually based on a username and password.
The process of giving individuals access to system objects based on their identity.
- Back door
An intentional hole in a firewall or security apparatus that allows access around security measures.
- Bastion host
Strongly secured devices that have a direct network connection to a public network such as the Internet. It can
operate as any of the three types of firewalls.
- Batch scripts
A list of commands executed by a computer’s operating system.
- Brute-force attack
An attempt by a hacker to defeat authentication by obtaining a legitimate user's password.
- Buffer overflow
A popular bug-based attack that works by sending more data than the target system is intended to receive at one
A computer program or hardware error that causes recurring malfunctions.
An attachment to an electronic message used for security purposes. A digital certificate is commonly used to
verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a
- Certificate authority
A trusted third-party organization or company that issues digital certificates used to create digital
signatures and public-private key pairs. The role of the CA in this process is to guarantee that the individual granted the unique
certificate is, in fact, who he or she claims to be.
- Checksum analysis
A simple means of checking the integrity of transmitted message using a numerical value based on the number of
set bits in the message. A formula is applied to the message to produce the numerical value that is checked at the time of receipt
by calculating the value again.
- Choke point
An intersection between a company's private and a public network used to monitor, filter, and verify all
inbound and outbound traffic.
Text which has been encrypted by some encryption system.
- Circuit-level gateway
Circuit-level gateways are similar to packet filters. The main advantage of circuit-level gateways is their
ability to provide network address translation.
- Classless Inter-Domain Routing (CIDR)
Allocates blocks of Internet addresses assigned to an Internet Service Provider (ISP) by Internic.
A network architecture in which each computer or process on the network is either a client, a PC or a
workstation for users, or a server, computers dedicated to managing files, devices, or network traffic.
- Common Gateway Interface (CGI)
A protocol that allows a Web server to pass control to a software application, based on a user request. It also
allows that program to receive and organize that information, then return it to the user in a consistent format. A CGI script
resides on a Web server, enabling the CGI process.
- Compressed Serial Line Internet Protocol (CSLIP)
Compresses the IP and TCP headers, thus reducing the size of the packet and improving bandwidth.
- Computer Emergency Response Team (CERT)
An organization devoted to dealing with computer-related security issues. Based at the Carnegie Mellon
University, CERT is a part of the Internet Society which establishes the protocols that govern the Internet.
- Computer Security Division (www.itl.nist.gov)
One of eight divisions within NIST's Information Technology Laboratory. The mission of the Division is to
enable organizations and individuals to use information technology with the assurance and trust that the confidentiality,
integrity, reliability and availability of information resources are protected.
The science of recovering plaintext messages without knowledge of the key.
The science of encrypting and decrypting plain-text messages
A process that performs a specified operation at a predefined time or in response to certain events. Daemon is
a UNIX term. In other operating systems such as Windows, daemons are referred to as services.
- Data confidentiality
The degree of confidentiality required for data transmitted, correlating to the security measures required to
maintain confidentiality. Data confidentiality is provided by encryption.
- Data encryption standard (des)
A symmetric key algorithm that is fast and simple to implement.
- Data integrity
The assurance that information has not been modified in transit to the destination.
An IP packet.
- Demilitarized zone (DMZ)
Networks that are between a company's internal network and the external network. A DMZ is used as an
additional buffer to further separate the public network from your internal private network.
An attempt by attackers to prevent legitimate users of a service from using that service by flooding a network,
or by disrupting connections or services.
- Dictionary file
A file comprised of common passwords used by a hacker in an attempt to gain entrance to a network.
- Dictionary program
A program specifically written to break into a password-protected system. A dictionary program has a relatively
large list of common password names that the program repeatedly uses to gain access.
- Digital envelope
A type of security that uses two layers of encryption to protect a message. First, the message itself is
encoded using symmetric encryption, and then the key to decode the message is encrypted using public-key encryption. This technique
overcomes one of the problems of public-key encryption, which is that it is slower than symmetric encryption.
- Digital signature
A digital code that can be attached to an electronically transmitted message that uniquely identifies the
sender. Like a written signature, the purpose of a digital signature is to guarantee that the individual sending the message really
is who he or she claims to be. Digital signatures are especially important for electronic commerce and are a key component of most
- Digital wallet
Encryption software that works like a physical wallet during electronic commerce transactions. A wallet can
hold a user's payment information, a digital certificate to identify the user, and shipping information to speed
- Distribution Layer Switch
- A Distribution Layer switch is a switch used to extend the backbone core to a campus building. A Distribution Layer switch provides a point of connection for the building's Access Layer (local switches/networks). Initially, most buildings were designed for two Distribution Layer switches to improve robustness and decrease network downtime for maintenance service
- Domain name
A name that identifies one or more IP addresses. Domain names are used in URLs to identify particular Web
pages. For example, in the URL http://www.distributednetworks.com/index.html, the domain name is distributednetworks.com.
- Domain Name System (DNS) lookup
The system that allows a server, administrator or user to enter a host name to find out the corresponding
Internet address. A reverse lookup is a procedure (usually automated) that occurs when a user requests the operation of a resource
such as an e-mail server. It is an authentication technique.
- Dual-homed bastion host
Identical in function to a bastion host but must have two network interfaces. Application gateways are
typically installed on a dual-homed bastion host.
- Dummy account
A false default account that generally triggers an alarm when accessed.
- Dummy file
Intentionally misleading files to misinform an information seeker.
- Electronic commerce
Conducting business on-line.
- Electronic data interchange (edi)
The inter-organizational exchange of documents in standardized electronic form directly between participating
The process of disguising a message to make it unreadable by humans. The resulting data is called
- Event logs
A log of user actions or system occurrences.
- Execution control list (ECL)
A list of the resources and actions which a program can access/perform while it is executing.
A business-to-business Web site that allows secure access between a company's intranet and designated,
authenticated users from remote locations.
- File Transfer Protocol (FTP)
An approved method that allows the delivery of files across the Internet. An FTP server stores directories of
files using a hierarchical structure. Normally, a user is a client and a company acts as the server.
A security system designed to prevent unauthorized access to or from a private network. Firewalls can be
implemented in both hardware and software, or a combination of both.
- Firewall token
A string of information that identifies a specific user as packets pass through the firewall. A token is
- Front-door attack
An attempt by a hacker to access a network by using a valid user name and password.
A system that provides relay services between two devices. Gateways can range from an Internet application such
as a common gateway interface (CGI) to a firewall gateway that process traffic between two hosts. The term is very generic and will
be used for a firewall component that routes or processes data between two separate networks.
To access all the items in the course glossary, click the Show All Terms button below.
- Graphical user interface (GUI)
A program interface that takes advantage of the computer's graphics capabilities to make the program easier
A user who breaks into sites for malicious purposes.
- Hash algorithm
A numeric function which mixes the ordering of input values to hopefully get an even distribution. (Also, hash
To generate a number from a string of text. The hash number is smaller than the text string.
An element in an electronic document that links to another place in the same document or to an entirely
different document. Typically, you click on the hyperlink to follow the link.
- Hypertext Markup Language (HTML)
The authoring language used to create documents on the World Wide Web.
- Hypertext Transfer Protocol (HTTP)
A TCP/IP application that uses a browser to access and retrieve Web pages from the server.
Short for Internet Engineering Task Force, the main standards organization for the Internet. The IETF is a
large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the
Internet architecture and the smooth operation of the Internet.
An advertisement's appearance on an accessed Web page. For example, if you see two ads on a Web page,
that's two impressions. Advertisers use impressions to measure the number of views their ads receive, and publishers often sell
ad space according to impressions.
- Intellectual property
Products such as written materials, musical compositions, trademarks and other things that are protected by
copyright, trademark, or patent law.
- Internal bastion host
Firewalls that reside inside the internal network and are normally used as application gateways that receive
all incoming traffic from external hosts.
- Internet Assigned Numbers Authority (IANA)
Oversees and coordinates the assignment of every unique protocol identifier used on the Internet.
- Internet Control Message Protocol (ICMP)
A protocol used to communicate errors or other conditions at the IP layer
- Internet Service Provider (ISP)
An Internet Service Provider, a company that provides access to the Internet.
- Internet Services Application Programming Interface (ISAPI)
A method developed by Microsoft to write programs that communicate with Web servers through OLE.
- Intra-company commerce
Business conducted between two different companies.
Any network that provides similar services within an organization to those provided by the Internet outside it
but which is not necessarily connected to the Internet. The commonest example is the use by a company of one or more World-Wide Web
servers on an internal TCP/IP network for distribution of information within the company.
- Intrusion detection
Intrusion detection is a relatively new technology used with firewalls. It allows firewalls to perform
specified actions when suspicious activity occurs.
An Internet protocol or IP address is a number that is used to uniquely identify computers connected to the
- IP datagram
Individual pieces of information traveling from one host to another.
- IP spoofing
A hacker imitating an Internet Protocol (IP) device that has an IP address allowing the hacker to gain access
to the system.
A separate system that deliberately provides inaccurate information allowing an administrator time to detect
and catch the hacker.
A method of opening an encryption. A key can be as simple as a string of text characters, or a series of
- Lanham act
A 1964 law that was an important early step toward U.S. trademark legislation.
- Login scripts
Scripts executed to customize a user’s environment after the user logs on with a valid user ID and
MD5 is one in the series (including MD2 and MD4) of message digest algorithms developed by Ron Rivest. It
involves appending a length field to a message and padding it to a multiple of 512-bit blocks. Each of these 512-bit blocks is fed
through a four-round process to result in a 128-bit message digest.
- Melissa virus
A specific virus embedded in a Microsoft Word document, infecting the user's system when the document is
- Message digest
The representation of text in the form of a single string of digits, created using a formula called a one-way
hash function. Encrypting a message digest with a private key creates a digital signature, which is an electronic means of
To send data to a specific list of recipients.
- Navigational bar
Insert definition here
- Network address translation (NAT)
Network Address Translation (NAT) hides internal IP addresses from the external network. When a firewall is
configured to provide NAT, all internal addresses are translated to public IP addresses when connecting to an external
- Network News Transfer Protocol (NNTP)
A TCP/IP application that is one-to-many communication: a message is posted to a single location, and any
number of users can contact the NNTP server to retrieve it.
- Network topology
The type of network (ethernet or token ring), the IP address range, the subnet mask, and the naming scheme. The
most common network topologies are the star, bus, ring and hybrid.
The ability to demonstrate that an information exchange or financial transaction took place.
A file, program, service/daemon, or resource that is maintained and controlled by an operating system.
- One-way encryption
A type of encryption where information is encrypted once and cannot be decrypted. One-way encryption is
typically used for creating message digests.
- Open network
A group of servers and computers, such as the Internet, which allows free access.
- Open Systems Interconnect (OSI)
A model for for network communications standardized by ISO, containing seven primary layers; the physical, data
link, network, transport, session, presentation and applications.
In general usage, a packet is a unit of information transmitted as a whole from one device to another on a
network. In packet-switching networks, a packet is defined more specifically as a transmission unit of fixed maximum size that
consists of binary digits representing data, a header containing an identification number, source, and destination addresses, and
sometimes error-control data.
- Packet filter
A type of firewall devices that process network traffic on a packet-by-packet basis. Packet filter devices
allow or block packets, and are typically implemented through standard routers.
- Packet sniffer
A device or program that is used to monitor traffic on a network, can be installed anywhere in a networked
system, and is virtually undetectable. Sniffers are used for legitimate network management functions or for stealing information
off a network.
- Packet trace
The activity of learning where a packet of information has come from. Since any information sent across the
Internet has likely passed between at least five or six computers, it is often necessary to learn the route by which that
- Password authentication
A type of authentication that requires the use of a password to verify an entity’s authenticity.
- Password cracking
An attempt by a hacker to access a network using possible passwords. A dictionary file is often used to crack
- Password sniffing
Finding a way to intercept the transmission of a password during the authentication process. A sniffer is a
program used to intercept passwords.
A patent for an invention is the grant of a property right to the inventor, issued by the Patent and Trademark
Office. The term of a new patent is 20 years from the date on which the application for the patent was filed in the United States
or, in special cases, from the date an earlier related application was filed, subject to the payment of maintenance fees. US patent
grants are effective only within the US, US territories, and US possessions.
- Payment gateway
The system (usually software) that interfaces between the merchant and the merchant’s bank to perform
credit card authorizations.
A cross-platform programming language that enables users to write custom CGI programs, as well as system
- Physical authentication
A type of authentication that uses what you have such as a physical key or card, to verify a person’s
- Physical line trace
The attempt to determine the port or telephone line a hacker has used.
A message before encryption or after decryption, i.e. in its usual form which anyone can read, as opposed to
its encrypted form, ciphertext.
- Point-to-Point Protocol (PPP)
A protocol for connecting to the Internet. PPP provides error checking and compression of the IP and TCP
- Proxy server
Proxy servers communicate with external servers on behalf of the internal clients. When the terms application
gateway or circuit-level gateway are used, they refer to the specific services provided by each form of firewall.
- Public-key encryption
A cryptographic system that uses two keys, public key known to everyone and a private or secret key known
only to the recipient of the message.
- Push publishing
A means of reaching an audience by automatically delivering information, such as news headlines or product
updates, directly to a user's computer in a customized format at designated times.
- Remote access device
Devices that have access a network from a remote site.
- Request for Comment (RFC)
The written definitions of the protocols and policies of the Internet.
- Reverse Address Resolution Protocol (RARP)
A network protocol that causes a host to broadcasts its physical address. The RARP server then replies with the
host’s IP address.
- Reverse proxy service
A company's registered Web or email server located outside a network's firewall system is used to
prevent public users from contacting the Web server directly. When public users access the reverse proxy Web server, it contacts
the Web server that resides behind the firewall.
A standard for public-key cryptosystems named after its inventors, Ron Rivest, Avi Shamir, and Rick Adleman,
who developed it in 1978 while working at MIT. Its security is based on factoring very large prime numbers. The size of the key
used in RSA is completely variable, but for normal use, a key size of 512 bits is common. In applications where key compromise
would have serious consequences or where the security must remain valid for many years into the future, 1024-bit and 2048-bit keys
Containing built-in constraints to protect a program from malicious activity or from accessing important
- Screened host firewall
A firewall that uses a bastion host to support both circuit- and application-level gateways and creates a
demilitarized zone (DMZ) that functions as an isolated network between the Internet and the internal network.
- Screened subnet firewall
A type of firewall that uses a bastion host to support both circuit- and application-level gateways and creates
a demilitarized zone(DMZ) that functions as an isolated network between the Internet and the internal network.
- Screening router
Examines inbound and outbound packets based upon filter rules. Screening router is another term for a packet
- Secure electronic transactions (set)
A standard enabling secure credit card transactions on the Internet.
- Secure hash algorithm (SHA).
This function was developed by the National Institute of Standards and Technology (NIST) and is based heavily
on Ron Rivest's MD series of algorithms. The message is first padded with MD5, then fed through four rounds, which are more
complex than the ones used in MD5. The resulting message digest is 160 bits long.
- Secure HTTP (SHTTP)
A form of encryption that takes place at the hypertext markup language level. This allows a Web browser to
transfer sensitive information across the Internet.
- Secure Multipurpose Internet Mail Extension (S/MIME)
A specification for secure electronic mail. S/MIME was designed to add security to e-mail messages in MIME
format. The security services offered are authentication (using digital signatures) and privacy (using encryption).
- Secure Sockets Layer (SSL)
A technology embedded in Web servers and browsers that encrypts traffic.
- Security mechanism
The systems and software that provide the different security services (access control, authentication, data integrity, data confidentiality, and nonrepudiation).
- Security service
A basic method for providing data security. Security services include authentication, access control, data
integrity, data confidentiality, and nonrepudiation.
- Security system
All components used by a company to provide a security strategy, including hardware, software, employee
training, and a security policy.
- Serial Line Internet Protocol (SLIP)
A data link layer protocol, a simple form of connecting to the Internet.
- Simple Mail Transfer Protocol (SMTP)
The Internet standard protocol to transfer electronic mail messages from one computer to another. It specifies
how two mail systems interact, as well as the format of control messages they exchange to transfer mail.
- Simple Network Management Protocol (SNMP)
A TCP/IP application that allows administrators to check the status and sometimes modify the configuration of
- Single-homed bastion host
A bastion host that has only one network interface and is normally used for application-level gateway firewalls.
- Single-purpose bastion host
A separate bastion host dedicated to a single application.
- Smurf attack
A type of denial-of-service attack in which a series of pings are sent to a remote host to inundate the
A program used to intercept passwords.
- Social engineering
The use of tricks and disinformation to gain access to passwords and other sensitive information.
A form of identity theft in which a hacker attempts to defeat authentication. Specific examples include IP
spoofing, ARP spoofing, router spoofing, and DNS spoofing.
- Stateful inspection
Stateful inspection, a term introduced by CheckPoint Corporation, allows a firewall to analyze packets and view
them in context. (Also called stateful multi-layer inspection)
- Symmetric encryption
A type of encryption where the same key is used to encrypt and decrypt the message.
- System snooping
The action of a hacker who enters a computer network and begins mapping the contents of the system.
A high-speed (1.5 Mbps) connection to the Internet using dial-up leased lines. In some localities, T1 lines can
be leased for $3,000.00 per month or less.
A TCP/IP application that is used for remote terminal access and can be used to administer a UNIX
- Transmission Control Protocol/Internet Protocol (TCP/IP)
A suite of protocols that turns information into blocks of information called packets. These are then sent
across networks such as the Internet.
An account in a network used to alert a security administrator of a potential hacker when penetration of the
- Trojan (trojan horse)
A file or program that purports to operate in a legitimate way, but which also has an alternative, secret operation, such as emailing sensitive company information to a hacker.
A trojan horse is a specific program that destroys information on a hard drive.
- two-factor authentication
Two-factor authentication (also known as 2FA or 2-Step Verification) is a technology patented in 1984 that provides identification of users by means of the combination of two different
- UDP (User Datagram Protocol)
A connectionless protocol at the transport layer of the TCP/IP protocol stack, often used for broadcast-type
protocols such as audio or video traffic.
- Value added network (VAN)
A network that provides special communication over leased lines, usually offering enhanced services. A Value
Added Network usually offers some service or information that is not readily available on public networks.
- Virtual Private Network (VPN)
An extended local area network (LAN) that enables an organization to conduct secure, real-time communication.
Self-replicating software used to infect a computer.
- Web server
A central computer system that hosts a Web site and enables remote clients to access the pages of the site.
- Web storefront
The part of a virtual enterprise that allows a client/end-user to interact with the server-side elements,
usually in the form of buying and selling.
- A program that exploits the Windows TCP/IP stack causing Windows machines running an older version of the TCP/IP protocol stack to either crash or lock up.