SunScreen EFS Release 3.0 Reference Manual

Appendix E Glossary

ACL

access control list. Limits and controls who uses a host system or applications through communications link.

active Screen

Screen in a high availability cluster that is keeping state and passing traffic. There is always exactly one active Screen in a correctly operating high availability cluster. See primary Screen and passive Screen.

address

In networking, a unique code that identifies a node to the network. SunScreen EFS uses IP addresses.

ADP

Algorithm Discovery Protocol. Enables one entity to inform another of the capabilities it supports.

AH

Authentication Header. A mechanism for providing strong integrity and authentication for IP datagrams.

algorithm

Sequence of steps designed to solve a problem or execute a process such as drawing a curve from a set of control points, or encrypting a block of data.

AMI

Authentication Management Infrastructure.

AnswerBook(TM) online documentation

The Sun(TM) online documentation for use with the OpenWindows(TM) environment. See also online documentation.

API

application program interface. Set of calling conventions defining how a service is invoked through a software package. An interface between the operating system and application programs, which includes the way the application programs communicate with the operating system, and the services the operating system makes available to the programs.

applet

A program written in the Java(TM) programming language to run within the HotJava(TM) browser, the World Wide Web (WWW) browser.

argument

Item of information following a command. It may, for example, modify the command or identify a file to be affected.

ATM

asynchronous transfer mode. Transmits data, voice, video, and frame relay traffic in real time. With ATM, digital information is broken up into standard-sized packets, each with the address of its final destination.

attack

Attempted cryptanalysis or an attempt to compromise system security.

authentication

Property of knowing that the claimed sender is in fact the actual sender.

block

Groups of consecutive bits (or bytes). In the Java(TM) programming language, any code between matching braces ({ and }).

block cipher or block algorithm

Encryption algorithm that encrypts blocks. See stream ciphers.

Bourne shell

The shell used by the standard Bell Labs UNIX® developed by Steve Bourne in 1979.

broadcast

Packet delivery system, where a copy of a given packet is distributed to all hosts attached to the network.

button

One-choice element of a control area or a menu that starts an activity. Buttons execute commands (command buttons), display pop-up windows (window buttons) or a dialog box, and display menus (menu buttons).

CA

See Certification Authority.

cache

Buffer of high-speed memory used to store frequently accessed memory or values. A cache increases effective memory transfer rates and processor speed.

CBC

Cipher Block Chaining (see also DES). A mode used to chain a feedback mechanism, which essentially means the previous block is used to modify the encryption of the next block.

CDP

Certificate Discovery Protocol. Request and response protocol used by two parties to transfer certificates.

CD-ROM

compact disk, read only memory. Storage medium that uses laser optics rather than magnetic capability to read data.

Centralized Management group

Multiple secondary Screens that are managed by the Centralized Management group's primary Screen. Note that a Screen in a centrally managed group, whether primary or secondary, can also be part of a HA cluster. See HA cluster.

certificate

Data structure that binds the identity of an entity with a public-key value.

certificate identifier (ID)

Generic naming scheme term used to identify a particular self-generated or issued certificate. It effectively decouples the identification of a key for purposes of key lookup and access control from issues of network topology, routing, and IP addresses.

Certification Authority

Trusted network entity that digitally signs a certificate containing information identifying the user; such as, user's name, issued certificate, and the certificate's expiration date.

CFB

Cipher Feedback. Uses a block cipher (such as DES) to implement a stream cipher.

cipher

Cryptographic algorithm used for encryption or decryption.

ciphertext

Encrypted message.

cluster

Screens in a HA cluster connected by a high-speed network that work together as if they were one Screen. See high availability.

command

Instruction to the computer. A command typically is a character string typed at a keyboard and is interpreted by the computer as a demand for a particular action. In a graphical user interface (GUI), a button, menu item, or control.

command button

Button used to execute application commands.

common objects

Data objects that are relevant to all SunScreen EFS 3.0 policies. They include: address, screen, state engine, service, interface, certificate, time, policy, and virtual VPN gateway groups.

compiler

Translation program that converts a high-level computer language into machine language.

concatenate

Join together sequentially. The UNIX® cat command, for example, concatenates files.

confidentiality

Property of communicating such that only the sender and the intended recipients know what is being sent, and unintended parties cannot determine what is sent.

configuration

Union of one policy with the common objects to form a complete description of the behavior of one or more Screens.

content filtering

Practice of allowing or disallowing traffic based on the content of the data being sent.

control

Object in a menu that is used to perform an action.

cookie

General mechanism that server side connections can use to store and retrieve information on the client side of the connection. That is, cookies are small data files written to the hard drive by some Web sites when viewed in a Web browser. These data files contain information the site can use to track such things as passwords, lists of pages visited, and the date when a certain page was last looked at. The term cookie originated from "fortune cookie" because it sends a different message, or "fortune," each time used.

cryptanalysis

Art and science of breaking cryptographic algorithms and protocols.

cryptographic

Algorithm used to keep data secure.

C shell

Standard shell provided with Berkeley standard versions of UNIX®.

daemon

UNIX® process that runs in the background to perform a task on behalf of the system.

data compression

Application of an algorithm to reduce the space required to store or the bandwidth required to transmit data.

datagram

In a packet-switching network, a message and associated Internet source and destination addresses.

decoder

Facility that takes data that has been encoded, or compressed, by an encoder and decodes or decompresses it.

decryption

Process of converting ciphertext back to plaintext.

demilitarized zone

Small protected inside network or subnetwork that provides limited public access to resources such as Web servers, FTP servers, and other information resources.

DES

Data Encryption Standard. A commonly used algorithm developed by IBM for the U.S. National Bureau of Standards for encrypting and decrypting data. See CBC.

Diffie-Hellman

See DH.

DH

Diffie-Hellman. Named after its inventors, DH is a classic cryptographic construction that uses exponentiations over a prime field.

digital signatures

Sixteen-byte MD5 hash of an electronic document that allows the recipient to verify the integrity of the document and the identity of the sender.

diskette

3.5-inch removable storage medium supported by some Sun systems.

DMZ

See demilitarized zone.

DN

distinguished name. Numeric string representation of a list of IP addresses or equivalent identifier for principals in the network, such as IP nodes or users.

DNS

domain naming system. Distributed name and address mechanism used in the Internet.

DSA

Digital Signature Algorithm. Each DSA is responsible for the directory information for a single organization or organizational unit.

DST

Destination addresses.

dynamic packet screening

Process of examining traffic to be either allowed or denied.

dynamic translation

NAT converts a set of internal private addresses into external public addresses. It allows internal hosts to contact external hosts, but cannot be used to allow external hosts to contact internal hosts.

EFS

Encrypting Firewall System.

encapsulation

Technique used by layered protocols in which a layer adds header information to the protocol data unit from the layer above. In Internet terminology, for example, a packet would contain a header from the physical layer, followed by a header from the network layer (IP), followed by a header from the transport layer (TCP), followed by the application protocol data. See tunnel mode.

encryption

Process of protecting information from unauthorized use by making the information unintelligible. Encryption is based on a code, called a key, which is used to decrypt the information. Contrast with decryption.

entity

In International Organization for Standardization's open systems interconnection (OSI), a layer protocol machine. An entity within a layer accesses the layer entity below and provides services locally to the layer entity above.

ESP

Encapsulating Security Payload. Mechanism for providing integrity and confidentiality to IP datagrams. In some circumstances it can also provide authentication to IP datagrams, depending on which algorithm or algorithm mode is used. It does not provide nonrepudiation or protection from traffic analysis.

Ethernet

LAN that enables real-time communication between machines connected directly through cables.

export controlled

Version of the SunScreen SKIP certificate software that uses 1024-bit keys and allows users to select DES, RC2, or RC4 for traffic encryption. Compare global and U.S. and Canada use only.

failover

Process by which a passive Screen in a high availability group takes over for the active Screen if the active Screen fails or becomes unavailable.

FDDI

Fiber Distributed Data Interface. High-speed networking standard. The underlying medium is fiber optics, and the topology is a dual-attached, counter-rotating token ring. FDDI networks can often be identified by the orange fiber "cable."

filter

Program that reads the standard input, acts on it in some way, and then prints the results as standard output.

firewall

Computer situated between your internal network and the rest of the network that filters packets as they go by according to user-specified criteria.

fragmentation

Process of dividing a packet into multiple smaller packets so that they can be sent over a communication link that only supports a smaller size.

ftp

Command used to copy files.

FTP

File Transfer Protocol. An interactive file transfer protocol often used on TCP/IP networks to copy files to and from remote computers. Requires users to log in to the remote computer.

FTP proxy

Can be configured to allow or deny specific FTP commands such as PUT or GET.

gateway

System that translates from one native format to another. It transfers and converts information to a receiving network. See VPN.

gif

Graphics Interchange Format. A format for compressing bitmap files to define how the computer accesses and draws files. See jpeg and tiff.

global

Version of the SunScreen SKIP certificate software that uses 512-bit keys and allows users to select RC2 or RC4 for traffic encryption. Compare export controlled and U.S. and Canada use only.

graphical user interface

Provides the user with a method of interacting with the computer and its special applications, usually with a mouse or other selection device.

GUI

See graphical user interface.

HA

See high availability.

HA cluster

High availability-specific groups. Multiple secondary HA cluster Screens are managed by the primary HA cluster Screen. One Screen in an HA cluster (secondary or primary) is the active Screen that is actively filtering. Additional HA cluster Screens remain passive until one detects the failure of the active HA cluster Screen and takes over the routing and filtering of the network traffic. See high availability.

hash

Message digest or cryptographic checksum.

header file

File of information, identified at the beginning of the program, that contains the definitions of data types and variables used by the functions in the program.

heartbeat

A periodic message sent between the two membership monitors to each other. Lack of a heartbeat after a specified interval and number of retries can trigger a takeover. See high availability.

high availability

Consists of one active Screen and at least one passive Screen. If the active Screen fails, a passive Screen takes over the filtering of the network traffic and other functionality of the failed firewall.

host

Name of any device on a TCP/IP network that has an IP address. In SunScreen EFS 3.0, host is only used when referring to a source or destination of a packet of the network traffic being discussed.

HTML

Hypertext Markup Language. A file format, based on SGML, for hypertext documents on the Internet.

HTTP

Hypertext Transfer Protocol. Internet protocol that fetches hypertext objects from remote hosts. See URL.

HTTP proxy

Can be configured to allow or deny Java applets, ActiveX controls, and cookies.

ICMP

Internet Control Message Protocol. IP protocol that handles errors and control messages, to enable routers to inform other routers (or hosts) of IP routing problems or make suggestions of better routes. See ping.

icon

On-screen graphic symbol that simplifies access to a program, command, or data file. Displaying objects as icons conserves screen real estate while keeping the window available for easy access.

IDEA

International Data Encryption Algorithm. Used to make a message impossible for others to read.

IEEE

Institute of Electrical and Electronics Engineers. The group that produced the standards for Ethernet and Token Ring.

Interfaces

Describes the physical interface ports of Screen objects.

Initial configuration

When installing SunScreen EFS, the user creates, compiles, and activates a configuration named "Initial," which enables a user to connect to the SunScreen EFS Screen where the configurations used to implement their security policy are built.

integrity

Property of ensuring that data is transmitted from the source to destination without undetected alteration.

International Organization for Standardization

International standards-setting organization whose mandate is to foster trade between countries.

Internet Protocol

Suite of protocols within TCP/IP used to link networks worldwide, developed by the United States Department of Defense and used on the Internet. Note that this protocol suite was developed for the ARPANET, forerunner of the Internet. The prominent feature of this suite is the IP protocol. See IP.

IP

Internet Protocol. Network layer protocol for the Internet Protocol suite.

ISDN

Integrated Services Digital Network. Worldwide digital communications network.

ISO

See International Organization for Standardization.

ISP

Internet service provider. A company providing an Internet package. This often includes a phone number access code, username, and software--all for a provider fee.

issued certificate

Certificate that is issued by a Certification Authority. See self-generated certificate.

ISV

Independent software vendor. Third-party software developer.

Java(TM)

Object-oriented, platform independent programming language developed by Sun Microsystems to solve a number of problems in modern programming practice. The Java language is used extensively within the HotJava(TM) browser.

JDK

Java Development Kit. Software tools used to write Java applets or application programs.

JPEG

Joint Photographic Experts Group. A format for compressing bitmap files to define how the computer accesses and draws files. See gif and tiff.

JRE

Java Runtime Environment.

kernel

Core system support software group used to manage the hardware and supply basic services.

key

Code for encrypting or decrypting data.

Key and Certificate Diskette

Medium that contains the private key and certificate, and should be kept secure. The identifier for the certificate is on the label.

log browser

Facility in SunScreen EFS GUI that enables the display and printing of log messages.

MAC

Message Authentication Code. (Also known as media access control, an IEEE standard.) See authentication.

man pages

UNIX online documentation.

MD

Message Digest. Authentication code that cryptographically guarantees that data has not been forged or tampered with.

MD5

Message digest one-way hash function designed by Ron Rivest. The algorithm produces a 128-bit hash, or message digest, of the input message.

menu

List of application options.

menu button

Multiple-choice control that has a menu mark and is used to display a menu.

menu mark

Hollow triangle in the border of a button or following a menu item that has a submenu attached to it. The triangle points to where the menu or submenu is displayed.

MIB

Management Information Base. SNMP structure that describes the particular device being monitored. See SNMP.

MIC

Message Integrity Check.

modulus

Arithmetic operation used in programming whose result is the remainder of a division operation.

multicast

Special form of broadcast where copies of the packet are delivered to only a subset of all possible destinations.

NAT

See network address translation.

NC

See Network Computer.

network

Hardware connecting various systems, enabling them to communicate.

network address translation

Function used when packets passing through a firewall have their addresses changed (or translated) to different network addresses. Address translation can be used to translate unregistered addresses into a smaller set of registered addresses, thus allowing internal systems with unregistered addresses to access systems on the Internet.

network administrator

Person who maintains a network.

network computer

Connected to a network through its hardware and software.

network layer

Third of the seven layers in the ISO model for standardizing computer-to-computer communications. See ISO.

network mask

Number used by software to separate the local subnet address from the rest of a given IP address.

NFS(TM)

Network file system. A Sun distributed file system that enables a set of computers to cooperatively access each other's files in a transparent manner.

NIS and NIS+

SunOS(TM) 4.x network information service. NIS+ is a newer version, provided with SunOS 5.x, with enhanced security.

node

Junction at which subsidiary parts originate or center.

nodename

Name by which the system is known to a communications network. Every system running Solaris is assigned a nodename. The nodename can be displayed using the Solaris uname -n command. Each Screen has a name that is normally the same as the nodename.

nonrepudiation

Property of a receiver being able to prove that the sender of a message did in fact send the message, even though the sender might later want to deny ever having sent it.

NSA

National Security Agency. United States of America's official cryptographic organization.

NSID

Name space identifier. Used to identify a naming scheme for a key. See key.

OLTP

On-Line Transaction Processing. Handles real-time transactions.

one-way hash

Cryptographically secure hash function that cannot be reversed. See MD5, SHA, hash.

OSI

Open Systems Interconnection. Suite of protocols and standards sponsored by ISO to communicate data between incompatible computer systems.

OSPF

Open shortest path first. A network routing protocol.

packet

Group of information in a fixed format that is transmitted as a unit over communications lines.

page

To advance text displayed in a window by one full screen at a time, usually using a scroll bar.

passive Screen

Screen in a high availability cluster that is keeping state with the active Screen but not actually passing traffic. A passive Screen will become active if the cluster's active Screen fails. See active Screen.

passphrase

Collection of characters used in a similar manner to, although longer than, a password. Letters in both uppercase and lowercase can be used, as well as special characters and numbers. See password.

password

Unique string of characters that a user types as an identification code as a security measure to restrict access to computer systems and sensitive files.

peer

Any functional unit in the same layer as another entity.

PFL

Packet Filtering Language. Packet filter used by SunScreen EFS.

PFS

Perfect Forward Secrecy. Captured packets that are decrypted cannot be used to decrypt other packets.

PGP

Pretty Good Privacy. Public-domain email encryption program that uses IDEA for data encryption, RSA for key management, and MD5 as a one-way hash function. See RSA, and MD5.

PID

process identification number. Unique, system-wide, identification number assigned to a process.

ping

Packet Internet Groper. Program used to test reachability of destinations by sending them an ICMP echo request and waiting for a reply. See ICMP.

plaintext

Unencrypted message.

plumb

To install and configure a network interface.

Point-to-Point Protocol

PPP (the successor to SLIP) provides router-to-router and host-to-network connections over both synchronous and asynchronous circuits. Used for TCP/IP connectivity, usually for PCs over a telephone line.

policy

Named set of policy data. For example, when the SunScreen EFS 3.0 software is first installed, there is one policy, named "Initial."

policy objects

Rules that define a security policy in terms of the common data objects for SunScreen EFS 3.0. Policy data include filtering rules, NAT rules, and administration access rules.

policy rules

Rules that pertain to a centralized managed group or an HA cluster. See Screen-specific rules.

pop-up window

Window that displays to perform a specific function and then is dismissed.

POSIX

Portable Operating System Interface for Computer Environments. A set of standards that define the applications interface to basic system services for input/output, file system access, and process management, using the C programming language, which establishes standard semantics and syntax.

PPP

See Point-to-Point Protocol.

primary Screen

In a high availability cluster, the Screen that controls the configuration of the cluster. In a centralized management group, the Screen that controls the configuration of the other Screens in the group. Each high availability cluster or centralized management group has exactly one primary Screen. See high availability.

private key

Corresponds to a public key and is never disclosed to the public. See secret key.

protocol

A formal description of messages to be exchanged and rules to be followed for two or more systems to exchange information.

proxies

Proxies are separate user-level applications and provide content filtering and user authentication. Proxies are used to control the content of various network services. See HTTP proxy, FTP proxy, Telnet proxy, and SMTP proxy.

pseudo-random

Pseudo-random numbers appear random but can be generated reliably on different systems or at different times.

Public Certificate Diskette

Medium that contains only the certificate containing the public key. The identifier for the certificate is on the label.

public-key certificate

A data structure containing a user's public key, as well as information about the time and date during which the certificate is valid.

public-key cryptography

Also known as asymmetric key cryptography. In public-key cryptosystems, everyone has two related complementary keys, a publicly revealed key and a secret key (also frequently called a private key). Each key unlocks the code that the other key makes. Knowing the public key does not help you deduce the corresponding secret key. The public key can be published and widely disseminated across a communications network. This protocol provides privacy without the need for the secure channels that a conventional cryptosystem requires.

query

Process for extracting particular data.

quit

To stop in an orderly manner; to execute the normal shutdown of a program and return control to the operating system.

RC2 and RC4

Variable-key-size encryption algorithms designed by Ron Rivest. RC2 is a variable-key-size block cipher, designed to be a replacement for DES. RC4 is a variable-key-size stream cipher that is stated to be ten times faster than DES. Both algorithms are quite compact, and their speed is independent of the key's size. See DES.

RC2-40 and RC4-40

Globally exportable encryption algorithms from RSA, Inc., that use 40-bit keys.

real time

Event or system that must receive a response to some stimulus within a narrow, predictable time frame, provided that the response is not strongly dependent on highly variable system-performance parameters, such as a processor load or interface.

remote

System in another location that can be accessed through a network.

RISC

Reduced Instruction-Set computer. A central processing unit technology used by Sun Microsystems, Inc.

root user name

SunOS user name that grants special privileges to the person who logs in with that ID. The user who can supply the correct password for the root user name is given superuser privileges for the particular machine.

router

Intermediary device responsible for making decisions about which of several paths network (or Internet) traffic will follow.

routing mode

Routing-mode interfaces have IP addresses and perform IP routing. Routing mode requires that you subnet the network.

All proxies are accessed through the transmission control protocol (TCP), and therefore can only run on systems with at least one interface configured in routing mode.

RSA

Popular public-key algorithm, which was named after its three inventors, Ron Rivest, Adi Shamir, and Leonard Adleman.

Screen-specific objects

Data objects relevant to the policies of one Screen. See common objects.

SDNS

Secure Data Network Service.

SDS

Sun Directory Services.

secondary Screen

Screen that receives its configuration from a primary Screen. Normally, no administration is performed on a secondary Screen. A secondary Screen does, however, maintain its own logs and status, which can be examined. See high availability.

secret key

Corresponds to a public key and is never disclosed to the public. See private key.

security association

Set of security information relating to a given network connection or set of connections.

self-generated certificate

Public key value only used when entities are named using the message digest of their public value, and these names are securely communicated. See issued certificate.

session key

Common cryptographic technique to encrypt each individual conversation between two people with a separate key.

SET

Secure Electronic Transaction. Protocol that is an emerging standard for Internet bank card transactions.

SGML

Standard Generalized Markup Language. Method of tagging a document to apply to many format elements.

SHA

Secure Hash Algorithm. Used to verify a digital signature.

shared-key cryptography

Also known as symmetric key cryptography. Cryptography where each party must have the same key to encrypt or decrypt ciphertext.

shell

Program within which a user communicates with the operating system.

SKIP

Simple Key-Management for Internet Protocols. IP-layer encryption package integrated into SunScreen EFS, which provides a system with the ability to encrypt any protocol within the TCP/IP suite efficiently. Once installed, systems running SKIP can encrypt all traffic to any SKIP-enabled product, including SunScreen products.

SMTP

Simple Mail Transfer Protocol. Used on the Internet to route email.

SMTP proxy

TCP/IP protocol that sends messages from one computer to another on a network and is used on the Internet to route email.

SNMP

Simple Network Management Protocol. Network management protocol that enables a user to monitor and configure network hosts remotely.

snoop

Sun Microsystems, Inc. UNIX utility that captures packets from the network and displays their contents.

source code

Uncompiled version of a program written in a language such as C or Pascal. The source code must be translated to machine language by a program known as the compiler before the computer can execute the program.

spam

Electronic equivalent of junk mail.

SPARC

Scalable Processor Architecture. An architecture for a family of RISC processors. See RISC.

special characters

Also called metacharacters; characters having a special meaning to UNIX. For example, the UNIX shell interprets the ? character to stand for any single character.

SQL

structured query language. International standard language for defining and accessing relational databases.

stack

List constructed and maintained so that the next item to be retrieved and removed is the most recently stored item still in the list.

stateful packet filter

Packet filter that bases its decision to allow or deny the packet using both the data in the packet and information (that is, state) saved from previous packets or events. A stateful packet filter has memory of past events and packets.

stateless packet filter

Packet filter that bases its decision to allow or deny a packet using only the data in that packet. A stateless packet filter has no memory of past events and packets.

static translation

Address translation that provides fixed translation between an external address and a private (possibly illegal) address. It provides a way for external hosts to initiate connections to internal hosts without actually using an external address. See NAT.

stealth mode

Stealth-mode offers optional hardening of the OS, which removes packages and files from the Solaris operating system that are not used by SunScreen EFS 3.0. Stealth-mode requires the Screen to partition a single network.

stream algorithm or stream cipher

Symmetric algorithm that operates on plaintext a single bit (or byte) at a time. See block cipher.

submenu

Menu of additional choices that is displayed through a menu item on another menu.

subnet

Working scheme that divides a single logical network into smaller physical networks to simplify routing.

subnet mask

Specifies which bits of the 32-bit IP address represent network information. The subnet mask, like an IP address, is a 32-bit binary number: a 1 is entered in each position that will be used for network information and a 0 is entered in each position that will be used as node number information. See node.

SunCA

Certification authority operated by Sun Microsystems, Inc. that issues Export-Controlled (1024-bit) certificates.

SunCAglobal

Certification authority operated by Sun Microsystems, Inc. that issues Global (512-bit) certificates.

SunScreen

Name of the family of security products produced by Sun Microsystems, Inc.

superuser

Special user who has privileges to perform all administrative tasks on the system. Also known as root.

symmetric key cryptography

See shared-key cryptography.

TCP

See transmission control protocol.

TCP/IP

Transmission Control Protocol/Internet Protocol. Protocol suite originally developed for the Internet. It is also called the Internet protocol suite. SunOS networks run on TCP/IP by default.

telnet

Virtual terminal protocol in the Internet suite of protocols. Enables users of one host to log in to a remote host and interact as normal terminal users of that host.

telnet proxy

Enables users of one host to log in to a remote host and interact as normal terminal users of that host.

3DES

Also called triple-DES. Indicates that encryption is performed on a block three times with two keys: beginning with the first key, then with the second key, and finally with the first key again. See DES and EDE.

tiff

Tagged Image File Format. A format for compressing bitmap files to define how the computer accesses and draws files. See gif and jpeg.

token

Data object or message that describes the current state of the network.

token ring

LAN formed in a closed loop topology to regulate online traffic.

traffic analysis

Analysis of network traffic flow for the purpose of deducing information such as frequency of transmission, the identities of the conversing parties, sizes of packets, flow identifiers used, and the like.

tunneling

Process of encrypting an entire IP packet, and wrapping it in another (unencrypted) IP packet. The source and destination addresses on the inner and outer packets may be different.

tunnel address

Destination address on the outer (unencrypted) IP packet to which tunnel packets are sent. Generally used for encrypted gateways where the IP address of the host serves as the intermediary for any or all hosts on a network whose topography must remain unknown or hidden from the rest of the world.

UDH

Unsigned Diffie-Hellman. A UDH public value can be used when entities are named using the message digest of their DH public value, and these names are securely communicated. See certificate identifier (ID).

UDP

User Datagram Protocol. All CDP communication uses UDP.

unicast

Packet sent to a single destination. Compare broadcast, multicast.

UNIX

Operating system originally developed at AT&T Bell Laboratories by Ken Thompson and Dennis Ritchie in 1969.

URL

Uniform Resource Locator. A code that searches for the location of a specific address on the Internet.

U.S. and Canada use only

Version of the SunScreen SKIP certificate software that uses 2048-bit keys and allows users to select 3DES, IDEA, and so forth, for traffic encryption. Compare export controlled and global.

version

Manner in which a policy's historical versions are preserved.

user ID

Name by which a user is known to the system.

Virtual Private Network

A network with the appearance and functionality of a regular network, but which is really like a private network within a public one.

The use of encryption in the lower protocol layers to provide a secure connection through an otherwise insecure network, typically the Internet. VPNs are generally cheaper than real private networks using private lines but rely on having the same encryption system at both ends. The encryption may be performed by firewall software or possibly by routers.

VPN gateway

See Virtual Private Network.

VPN

See Virtual Private Network.

Web

See World Wide Web.

Web page

Document on the Web.

World Wide Web

Network of servers on the Internet with one or more home pages that provide information and can include hypertext links to other documents on that server and often other servers as well.

window button

Button used to display a window containing additional controls. See Button.

X.509

See UDH and certificate identifier (ID).