SunScreen 3.2 Administrator's Overview

Glossary

active Screen

Screen in a high availability cluster that is keeping state and passing traffic. There is always exactly one active Screen in a correctly operating high availability cluster. See primary Screen and passive Screen.

address

In networking, a unique code that identifies a node to the network. SunScreen uses IP addresses.

ACE/Server

The management component of securID.

ADP

Algorithm Discovery Protocol. Enables one entity to inform another of the capabilities it supports.

AH

Authentication Header. A mechanism for providing strong integrity and authentication for IP datagrams.

algorithm

Sequence of steps designed to solve a problem or execute a process such as drawing a curve from a set of control points, or encrypting a block of data.

AMI

Authentication Management Infrastructure.

API

application program interface. Set of calling conventions defining how a service is invoked through a software package. An interface between the operating system and application programs, which includes the way the application programs communicate with the operating system, and the services the operating system makes available to the programs.

argument

Item of information following a command. It may, for example, modify the command or identify a file to be affected. Sometimes the term parameter is used.

ATM

asynchronous transfer mode. Transmits data, voice, video, and frame relay traffic in real time. With ATM, digital information is broken up into fixed-size 53-byte cells, each carrying a circuit identifier that leads to its final destination.

attack

Attempted cryptanalysis or an attempt to compromise system security.

authentication

Property of knowing that the claimed sender is in fact the actual sender.

broadcast

Packet delivery system, where a copy of a given packet is distributed to all hosts attached to the network.

CA

See certificate authority.

cache

Buffer of high-speed memory used to store frequently accessed memory or values. A cache increases effective memory transfer rates and processor speed.

CBC

Cipher Block Chaining (see also DES). A block cipher mode in which each plaintext block is XORed with the previous ciphertext block (with an initialization vector standing in for the first block) before it is encrypted. Each ciphertext block therefore depends on every block before it, so identical plaintext blocks do not produce identical ciphertext blocks.

CDP

Certificate Discovery Protocol. Request and response protocol used by two parties to transfer certificates.

Centralized Management group

Multiple secondary Screens that are managed by the Centralized Management group's primary Screen. Note that a Screen in a centrally managed group, whether primary or secondary, can also be part of an HA cluster. See HA cluster.

certificate

Data structure that binds the identity of an entity with a public-key value.

certificate authority

Trusted network entity that digitally signs a certificate, binding identifying information such as the user's name to the user's public key, together with the certificate's expiration date.

certificate identifier (ID)

Generic naming scheme term used to identify a particular self-generated or issued certificate. It effectively decouples the identification of a key for purposes of key lookup and access control from issues of network topology, routing, and IP addresses.

CFB

Cipher Feedback. A mode that uses a block cipher to implement a stream cipher: the previous ciphertext block is encrypted to produce keystream, which is XORed with the next plaintext block. Only the cipher's encryption function is needed on both sides, and no padding is required.
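
The two modes defined under CBC and CFB, worked through in code. This is added example code, not part of SunScreen or SKIP; the block cipher underneath is a toy 4-round Feistel network with HMAC-SHA256 as its round function, chosen only because it is keyed and invertible (an assumption made for the example, not something to deploy). The names BLOCK, block_encrypt, cbc_encrypt, cfb_encrypt and their companions are this example's own.

```python
"""CBC and CFB modes built over a toy block cipher (illustrative only).
The block cipher is a 4-round Feistel network whose round function is
HMAC-SHA256. It is keyed and invertible, which is all the modes need,
but it is an assumption made for this example and must not be deployed.
This is added example code, not SunScreen's implementation."""
import hashlib
import hmac
import os

BLOCK = 16          # block size in bytes; Feistel halves are 8 bytes each
ROUNDS = 4

def _xor(a: bytes, b: bytes) -> bytes:
    # Truncates to the shorter input, which CFB relies on for a short last chunk.
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    """Keyed, non-invertible round function; the Feistel structure supplies inversion."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):        # undo the rounds in reverse order
        left, right = _xor(right, _round(key, i, left)), left
    return left + right

def pad(data: bytes) -> bytes:
    """PKCS#7 padding: CBC can only process whole blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Each plaintext block is XORed with the previous ciphertext block (the IV
    # for the first) before encryption, so identical plaintext blocks no longer
    # produce identical ciphertext blocks.
    data, prev, out = pad(plaintext), iv, []
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # A damaged ciphertext block garbles its own plaintext block and flips the
    # same bits in the next one, then the chain recovers.
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))

def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Keystream = E(previous ciphertext block), XORed onto the plaintext. Only
    # the forward direction of the cipher is used and no padding is needed,
    # which is what makes CFB a stream cipher.
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = _xor(plaintext[i:i + BLOCK], block_encrypt(key, prev))
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        chunk = ciphertext[i:i + BLOCK]
        out.append(_xor(chunk, block_encrypt(key, prev)))   # encrypt, not decrypt
        prev = chunk
    return b"".join(out)

if __name__ == "__main__":
    key, iv = os.urandom(16), os.urandom(BLOCK)
    msg = b"A" * 32                       # two identical plaintext blocks
    cbc = cbc_encrypt(key, iv, msg)
    print("no chaining repeats block:", block_encrypt(key, msg[:16]) == block_encrypt(key, msg[16:]))
    print("CBC repeats block:        ", cbc[:16] == cbc[16:32])
    stream = cfb_encrypt(key, iv, b"23 bytes, no padding!!!")
    print("CFB ciphertext length:    ", len(stream))
```

The IV must be unpredictable and must be sent along with the ciphertext; reusing an IV with the same key under either mode leaks whether two messages begin with the same blocks.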

cipher

Cryptographic algorithm used for encryption or decryption.

ciphertext

Encrypted message.

cluster

Screens in an HA cluster connected by a high-speed network that work together as if they were one Screen. See high availability.

common objects

Data objects that are relevant to all SunScreen policies. They include: address, screen, state engine, service, interface, certificate, time, and VPN gateway groups.

confidentiality

Property of communicating such that only the sender and the intended recipients know what is being sent, and unintended parties cannot determine what is sent.

configuration

Union of one policy with the common objects to form a complete description of the behavior of one or more Screens.

content filtering

Practice of allowing or disallowing traffic based on the content of the data being sent.

decryption

Process of converting ciphertext back to plaintext.

demilitarized zone

Small, separately protected network or subnetwork that provides limited public access to resources such as web servers, FTP servers, and other information resources while keeping them isolated from the internal network.

DES

Data Encryption Standard. A symmetric block cipher with a 56-bit key; a common algorithm for encrypting and decrypting data.

DMZ

See demilitarized zone.

DNS

Domain Name System. Distributed name-to-address mapping mechanism used on the Internet.

DST

Destination addresses.

dynamic packet filtering

See stateful packet filter.

dynamic translation

NAT that maps a set of internal private addresses onto external public addresses as connections are initiated from inside. It allows internal hosts to contact external hosts, but because a mapping exists only for a connection that an internal host has initiated, it cannot be used to allow external hosts to initiate contact with internal hosts.

encapsulation

Technique used by layered protocols in which a layer adds header information to the protocol data unit from the layer above. In Internet terminology, for example, a packet would contain a header from the data-link layer (such as Ethernet), followed by a header from the network layer (IP), followed by a header from the transport layer (TCP), followed by the application protocol data. See tunneling.

encryption

Process of protecting information from unauthorized use by transforming it into an unintelligible form. The transformation is controlled by a key, and only a holder of the corresponding key can recover the information. Contrast with decryption.

ESP

Encapsulating Security Payload. Mechanism for providing integrity and confidentiality to IP datagrams. In some circumstances it can also provide authentication to IP datagrams, depending on which algorithm or algorithm mode is used. It provides neither nonrepudiation nor protection from traffic analysis.

Ethernet

LAN that enables real-time communication between machines connected directly through cables.

failover

Process by which a passive Screen in a high availability group becomes the active Screen if the active Screen becomes unavailable.

filter

Program that reads the standard input, acts on it in some way, and then prints the results as standard output.

firewall

Computer situated between your internal network and the rest of the network that filters packets as they go by according to user-specified criteria.

fragmentation

Process of dividing a packet into multiple smaller packets so that they can be sent over a communication link that only supports a smaller size.

FTP proxy

Can be configured to allow or deny specific FTP commands such as put or get.

gateway

A device that connects networks that use different communication protocols. It transfers information and converts it to a compatible format to the receiving network. See virtual private network.

HA

See high availability.

HA cluster

Group of Screens configured for high availability. Multiple secondary HA cluster Screens are managed by the cluster's primary Screen. Exactly one Screen in the cluster (secondary or primary) is the active Screen that filters traffic. The other Screens remain passive until one detects the failure of the active Screen and takes over the routing and filtering of the network traffic. See high availability.

heartbeat

Periodic message sent between the machines within an HA cluster over a private network to maintain state. If the heartbeat is not detected after a specified interval and number of retries, a passive machine in the HA cluster becomes the active machine. See high availability.

high availability

Consists of one active Screen and at least one passive Screen. If the active Screen fails, a passive Screen takes over the filtering of the network traffic and other functionality of the failed firewall.

host

Name of any device on a TCP/IP network that has an IP address. In SunScreen, host is only used when referring to a source or destination of a packet.

HTTP proxy

Can be configured to ALLOW or DENY Java applets, ActiveX controls, and cookies.

ICMP

Internet Control Message Protocol. IP protocol that handles errors and control messages, to enable routers to inform other routers (or hosts) of IP routing problems or make suggestions of better routes. See ping.

IKE

See Internet Key Exchange.

Initial configuration

When SunScreen is installed, a configuration named Initial is created, compiled, and activated. It allows an administrator to connect to the Screen in order to build the configurations that implement the site's security policy.

integrity

Property of ensuring that data is transmitted from the source to destination without undetected alteration.

interfaces

Describes the physical interface ports of Screen objects.

Internet Key Exchange

The Internet Key Exchange (IKE) protocol is a key management protocol standard used in conjunction with the IPSec standard.

Internet Protocol

The network-layer protocol of the TCP/IP suite, which addresses and routes datagrams between the networks linked worldwide on the Internet. See IP.

IP

Internet Protocol. Network layer protocol for the Internet Protocol suite.

IPsec

An IP security feature that provides robust authentication and encryption of IP packets.

issued certificate

Certificate that is issued by a certificate authority. See self-generated certificate.

JDK

Java Development Kit. Software tools used to write Java applets or application programs.

JRE

Java Runtime Environment.

JVM

Java Virtual Machine.

key

Code for encrypting or decrypting data.

key and certificate diskette

Medium that contains the private key and certificate, and should be kept secure. The identifier for the certificate is on the label.

log browser

Facility in SunScreen administration GUI that enables the display and printing of log messages.

MAC

Abbreviation with two unrelated meanings: message authentication code (a cryptographic checksum) and media access control (an IEEE data-link standard). See message authentication code and media access control.

Master key identifier

See MKID.

media access control

(MAC). The lower sublayer of the OSI Reference Model layer 2, the data-link layer. It controls access to a transmission medium such as Token Ring, CSMA/CD, Ethernet, and the like.

message authentication code

(MAC). Keyed checksum computed over a message using a secret key shared by sender and receiver. A receiver that recomputes the same value knows the message came from a holder of the key and was not altered in transit. Not to be confused with media access control. See authentication and integrity.

message transfer agent

The program responsible for delivering email messages from a mail user agent or other MTA.

MIB

Management Information Base. SNMP structure that describes the particular device being monitored. See SNMP.

MKID

Master key identifier. A component of a SKIP certificate object.

MTA

See message transfer agent.

multicast

Special form of broadcast where copies of the packet are delivered to only a subset of all possible destinations.

Name space identifier

See NSID.

NAT

See network address translation.

network address translation

Function used when packets passing through a firewall have their addresses changed (or translated) to different network addresses. Address translation can be used to translate unregistered addresses into a smaller set of registered addresses, allowing internal systems with unregistered addresses to access systems on the Internet.

network layer

Third of the seven layers in the ISO model for standardizing computer-to-computer communications.

network mask

Number used by software to separate the local subnet address from the rest of a given IP address.

node

Junction at which subsidiary parts originate or center.

nodename

Name by which the system is known to a communications network. Every system running Solaris is assigned a nodename. The nodename can be displayed using the Solaris uname -n command. Each Screen has a name that is normally the same as the nodename.

nonrepudiation

Property of a receiver being able to prove that the sender of a message did in fact send the message, even though the sender might later want to deny ever having sent it.

NSID

Name space identifier. Used to identify a naming scheme for a SKIP key. See key.

OLTP

Online transaction processing. Handles real-time transactions.

OSI

Open Systems Interconnection. Suite of protocols and standards sponsored by ISO to communicate data between incompatible computer systems.

OSPF

Open shortest path first. A network routing protocol.

packet

Group of information in a fixed format that is transmitted as a unit over communications lines.

packet filtering

Process to ALLOW or DENY examined traffic. See stateful packet filter.

parameter

See argument.

passive Screen

Screen in a high availability cluster that is keeping state with the active Screen but not actually passing traffic. A passive Screen will become active if the cluster's active Screen fails. See active Screen.

passphrase

Collection of characters used in a similar manner to, although longer than, password. Letters in both uppercase and lowercase can be used, as well as special characters and numbers. See password.

password

Unique string of characters that a user types as an identification code as a security measure to restrict access to computer systems and sensitive files.

peer

Any functional unit in the same layer as another entity.

PFS

Perfect Forward Secrecy. Property of a key exchange whereby compromise of a party's long-term keys does not compromise session keys established earlier, so captured traffic cannot be decrypted afterwards. Each session key is derived from fresh ephemeral values and cannot be recovered from other session keys.

ping

Packet Internet Groper. Program used to test reachability of destinations by sending them an ICMP echo request and waiting for a reply. See ICMP.

plaintext

Unencrypted message.

plumb

To install and configure a network interface.

Point-to-Point Protocol

PPP (the successor to SLIP) provides router-to-router and host-to-network connections over both synchronous and asynchronous circuits. It is commonly used to carry TCP/IP, for example for PCs connecting over a telephone line.

policy

Named set of policy data. For example, when the SunScreen software is first installed, it configures a default policy named Initial.

PPP

See Point-to-Point Protocol.

primary Screen

In a high availability cluster, the Screen that controls the configuration of the cluster. In a centralized management group, the Screen that controls the configuration of the other Screens in the group. Each high availability cluster or centralized management group has exactly one primary Screen. See high availability.

private key

Corresponds to a public key and is never disclosed to the public. See secret key.

protocol

A formal description of messages to be exchanged and rules to be followed for two or more systems to exchange information.

proxies

Proxies are separate user-level applications and provide content filtering and user authentication. Proxies are used to control the content of various network services. See HTTP proxy, FTP proxy, Telnet proxy, and SMTP proxy.

pseudorandom

Pseudorandom numbers appear random but are produced deterministically from a seed, so the same sequence can be reproduced reliably on different systems or at different times.

public certificate diskette

Medium that contains only the certificate containing the public key. The identifier for the certificate is on the label.

public-key certificate

A digitally signed data structure containing a user's public key, as well as information about the time and date during which the certificate is valid.

public-key cryptography

Also known as asymmetric key cryptography. In public-key cryptosystems, everyone has two related complementary keys, a publicly revealed key and a secret key (also frequently called a private key). Each key unlocks the code that the other key makes. Knowing the public key does not help you deduce the corresponding secret key. The public key can be published and widely disseminated across a communications network. This protocol provides privacy without the need for the secure channels that a conventional cryptosystem requires.

real time

Event or system that must receive a response to some stimulus within a narrow, predictable time frame, provided that the response is not strongly dependent on highly variable system-performance parameters, such as a processor load or interface.

remote

System in another location that can be accessed through a network.

router

Intermediary device responsible for making decisions about which of several paths network (or Internet) traffic will follow.

routing mode

Routing-mode interfaces have IP addresses and perform IP routing. Routing mode requires that you subnet the network.

All proxies are accessed through the transmission control protocol (TCP) and, therefore, can only run on systems with at least one interface configured in routing mode.

rules

Formulas that define a security policy in terms of the common data objects for SunScreen. Policy data include filtering rules, NAT rules, and administration access rules.

Screen-specific objects

Data objects relevant to the policies of one Screen. See common objects.

SDNS

Secure Data Network Service.

secondary Screen

Screen that receives its configuration from a primary Screen. Normally, no administration is performed on a secondary Screen. A secondary Screen does, however, maintain its own logs and status, which can be examined. See high availability.

secret key

In public-key cryptography, another name for the private key, which corresponds to a public key and is never disclosed to the public. In symmetric cryptography, the single key shared by both parties. See private key.

securID

Software to verify authentication requests and centrally administer authentication policies for enterprise networks. See also ACE/Server.

self-generated certificate

See self-signed certificate and UDH certificate. Compare with issued certificate.

self-signed certificate

A digitally signed collection of data, whose content can be checked for authenticity, and which can optionally be used to check the authenticity of other digitally signed collections (issued certificates).

In SKIP, CA certificates are self-signed. They must be obtained out-of-band and, once trusted, serve as the basis for verifying certificates issued by that CA, no matter how those issued certificates are obtained.

session key

Temporary key used to encrypt a single conversation (session) between two parties, so that each conversation is protected by a separate key.

SET

Secure Electronic Transaction. Protocol that is an emerging standard for Internet bank card transactions.

shell

Program within which a user communicates with the operating system.

SKIP

Simple Key-Management for Internet Protocols. IP-layer encryption package integrated into SunScreen, which provides a system with the ability to encrypt any protocol within the TCP/IP suite efficiently. Once installed, systems running SunScreen SKIP can encrypt all traffic to any SKIP-enabled product, including SunScreen products.

SMTP

Simple Mail Transfer Protocol. Used on the Internet to route email.

SMTP proxy

User-level proxy that relays SMTP mail through the Screen and applies content filtering to it. See proxies and SMTP.

SNMP

Simple Network Management Protocol. Network management protocol that enables a user to monitor and configure network hosts remotely.

snoop

Sun Microsystems, Inc. UNIX utility that captures packets from the network and displays their contents.

source code

Uncompiled version of a program written in a language such as C, C++, or Java. The source code must be translated to machine language by a program (the compiler) before the computer can execute the program.

stateful packet filter

Packet filter that bases its decision to allow or deny the packet using both the data in the packet and information (that is, state) saved from previous packets or events. A stateful packet filter has memory of past events and packets.

stateless packet filter

Packet filter that bases its decision to allow or deny a packet using only the data in that packet. A stateless packet filter has no memory of past events and packets.
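
The difference between the two kinds of filter, shown as added example code (a model written for this glossary, not SunScreen's packet-filtering engine). Addresses are matched against a network mask as described under "network mask"; the rule sets, the 10.1.0.0/16 internal network, and the three packets are constructed for the example, as are the names Rule, Packet, StatelessFilter and StatefulFilter.

```python
"""Stateless versus stateful packet filtering (added example, not SunScreen's
engine). Addresses, rules and traffic below are constructed."""
from collections import namedtuple

# Protocol is implicitly TCP; syn marks a connection-opening packet.
Packet = namedtuple("Packet", "src sport dst dport syn")
# src/dst are CIDR strings; a port of None means "any".
Rule = namedtuple("Rule", "action src sport dst dport")

ANY = "0.0.0.0/0"
INSIDE = "10.1.0.0/16"          # the protected network (constructed)

def ip_to_int(addr: str) -> int:
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")

def in_subnet(addr: str, cidr: str) -> bool:
    """True if addr lies in cidr: the mask's 1 bits select the network part."""
    net, bits = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return ip_to_int(addr) & mask == ip_to_int(net) & mask

def matches(rule: Rule, pkt: Packet) -> bool:
    return (in_subnet(pkt.src, rule.src) and in_subnet(pkt.dst, rule.dst)
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport))

class StatelessFilter:
    """Decides from the packet alone; first matching rule wins, default DENY."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if matches(rule, pkt):
                return rule.action
        return "DENY"

class StatefulFilter(StatelessFilter):
    """Remembers admitted connections and lets only their replies back in."""
    def __init__(self, rules):
        super().__init__(rules)
        self.flows = set()      # a real engine also expires these and tracks TCP state

    def decide(self, pkt: Packet) -> str:
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return "ALLOW"      # reply to a connection this filter already admitted
        action = super().decide(pkt)
        if action == "ALLOW" and pkt.syn:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action

def run(filt: StatelessFilter, packets) -> list:
    return [filt.decide(p) for p in packets]

# A stateless rule set must open a standing hole for replies (anything from
# port 80) because it cannot tell a solicited reply from an unsolicited packet.
STATELESS_RULES = [Rule("ALLOW", INSIDE, None, ANY, 80),
                   Rule("ALLOW", ANY, 80, INSIDE, None)]
# The stateful filter needs only the outbound rule.
STATEFUL_RULES = [Rule("ALLOW", INSIDE, None, ANY, 80)]

TRAFFIC = [
    Packet("10.1.0.7", 45000, "203.0.113.5", 80, True),    # client opens HTTP
    Packet("203.0.113.5", 80, "10.1.0.7", 45000, False),   # the server's reply
    Packet("198.51.100.9", 80, "10.1.0.7", 22, True),      # unsolicited, source port 80
]

if __name__ == "__main__":
    print("stateless:", run(StatelessFilter(STATELESS_RULES), TRAFFIC))
    print("stateful: ", run(StatefulFilter(STATEFUL_RULES), TRAFFIC))
```

The stateless filter admits all three packets, including the unsolicited one aimed at port 22, because its reply rule keys only on source port 80. The stateful filter admits the reply because it recorded the outbound connection, and denies the third packet because no rule and no remembered flow covers it.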

static translation

Address translation that provides a fixed, one-to-one translation between an external address and a private (possibly unregistered) internal address. Because the mapping exists permanently, it provides a way for external hosts to initiate connections to an internal host without that host itself being configured with an external address. See network address translation.
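
A model of the two translation styles defined under dynamic translation and static translation, as added example code (not SunScreen's NAT implementation). The public address 192.0.2.1, the static pair 10.1.0.25 <-> 192.0.2.25, the port range starting at 40000 and the class name Nat are constructed for the example.

```python
"""Dynamic versus static address translation (added example, a model rather
than SunScreen's NAT engine). All addresses below are constructed."""

class Nat:
    def __init__(self, public_ip: str, static=None, first_port: int = 40000):
        self.public_ip = public_ip
        # Static: fixed internal <-> external pairs, usable in both directions.
        self.static = dict(static or {})
        self.static_rev = {ext: internal for internal, ext in self.static.items()}
        # Dynamic: (internal ip, port) -> public port, created only by outbound
        # traffic. A real engine also binds the remote endpoint and expires entries.
        self.dynamic = {}
        self.dynamic_rev = {}
        self.next_port = first_port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the internal network; returns the rewritten 4-tuple."""
        if src_ip in self.static:
            return (self.static[src_ip], src_port, dst_ip, dst_port)
        key = (src_ip, src_port)
        if key not in self.dynamic:             # first packet of a flow: allocate a port
            self.dynamic[key] = self.next_port
            self.dynamic_rev[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.dynamic[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet arriving from outside; None means no mapping, so it is dropped."""
        if dst_ip in self.static_rev:           # static: external hosts may initiate
            return (src_ip, src_port, self.static_rev[dst_ip], dst_port)
        if dst_ip == self.public_ip and dst_port in self.dynamic_rev:
            in_ip, in_port = self.dynamic_rev[dst_port]   # reply to an outbound flow
            return (src_ip, src_port, in_ip, in_port)
        return None                             # dynamic: unsolicited, nowhere to send it

def demo():
    nat = Nat("192.0.2.1", static={"10.1.0.25": "192.0.2.25"})
    out = nat.outbound("10.1.0.7", 51000, "203.0.113.5", 80)
    reply = nat.inbound("203.0.113.5", 80, out[0], out[1])
    unsolicited = nat.inbound("198.51.100.9", 4444, "192.0.2.1", 22)
    to_server = nat.inbound("198.51.100.9", 4444, "192.0.2.25", 80)
    return out, reply, unsolicited, to_server

if __name__ == "__main__":
    for label, value in zip(("outbound", "reply", "unsolicited", "to_server"), demo()):
        print(f"{label:12}{value}")
```

The unsolicited packet to the dynamically translated address has no mapping and is dropped, while the packet to the statically translated 192.0.2.25 reaches 10.1.0.25 even though nobody inside initiated it; that asymmetry is exactly the difference between the two entries.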

stealth mode

Stealth-mode interfaces do not have IP addresses. They bridge traffic at the MAC (data-link) layer. Stealth mode interfaces partition an existing single network and, consequently, do not permit you to subnet the network. If all of your interfaces are in stealth mode, SunScreen offers optional hardening of the OS, which removes packages and files from the Solaris operating system that are not used by SunScreen.

subnet

In the Internet Protocol, a mechanism to subdivide (registered) networks into locally defined pieces. This technique provides better use of the IP address space while minimizing routing-table complexity. See subnet mask.

subnet mask

Specifies which bits of the 32-bit IP address represent network information. The subnet mask, like an IP address, is a 32-bit binary number: a 1 is entered in each position that will be used for network information and a 0 is entered in each position that will be used as node number information. See node.

SunScreen

Name of the family of security products produced by Sun Microsystems, Inc.

SunScreen SKIP

See SKIP.

TCP

See Transmission Control Protocol.

TCP/IP

Transmission Control Protocol/Internet Protocol. Protocol suite originally developed by the Department of Defense for the Internet. It is also called the Internet protocol suite. SunOS networks run on TCP/IP by default.

Telnet proxy

Enables users of one host to log into a remote host and interact as normal terminal users of that host.

traffic analysis

Analysis of network traffic flow for the purpose of deducing information such as frequency of transmission, the identities of the conversing parties, sizes of packets, flow identifiers used, and the like.

Transmission Control Protocol

The protocol within TCP/IP that governs breaking data messages into packets that are sent using IP, reassembling these packets into the complete message, and verifying the reassembled message as the same as the original data message.

tunnel address

Destination address on the outer (unencrypted) IP packet to which tunnel packets are sent. Generally used for encrypting gateways, where the IP address of the gateway host serves as the intermediary for any or all hosts on a network whose topology must remain unknown or hidden from the rest of the world.

tunneling

Process of encrypting an entire IP packet, and wrapping it in another (unencrypted) IP packet. The source and destination addresses on the inner and outer packets may be different.
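
The packet layout described under encapsulation, tunnel address and tunneling, built and taken apart in code. This is added example code, not SunScreen's or SKIP's; it wraps a complete inner IP packet inside an outer IP header (protocol number 4, IP-in-IP) and leaves the inner packet in clear so the layout stays visible, whereas the product would encrypt it first. The addresses and the function names (ip_header, encapsulate, decapsulate and so on) are constructed for the example.

```python
"""IP-in-IP tunneling: the whole inner packet becomes the payload of an outer
packet addressed to the tunnel endpoint. Added example code, not SunScreen's;
the inner packet is left unencrypted here (an assumption made to keep the
layout visible), whereas SKIP would encrypt it before wrapping."""
import socket
import struct

IPPROTO_IPIP = 4            # outer header's protocol field for IP-in-IP
IPPROTO_UDP = 17
IP_FMT = "!BBHHHBBH4s4s"    # 20-byte IPv4 header without options

def checksum(data: bytes) -> int:
    """RFC 791 ones'-complement sum over 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ip_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def parse_ip(packet: bytes) -> dict:
    ver_ihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack(IP_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or checksum(packet[:ihl]) != 0:   # an intact header sums to zero
        raise ValueError("bad IPv4 header")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total]}

def header_ok(packet: bytes) -> bool:
    try:
        parse_ip(packet)
        return True
    except (ValueError, struct.error):
        return False

def udp_packet(src, dst, sport, dport, data: bytes) -> bytes:
    """Inner packet. A UDP checksum of 0 means 'not computed', which IPv4 permits."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return ip_header(src, dst, IPPROTO_UDP, len(udp)) + udp

def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap inner in an outer header; only the outer addresses are visible en route."""
    return ip_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner)) + inner

def decapsulate(packet: bytes, my_tunnel_addr: str) -> bytes:
    """At the tunnel endpoint, strip the outer header and hand back the inner packet."""
    outer = parse_ip(packet)
    if outer["dst"] != my_tunnel_addr or outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not a tunnel packet for this gateway")
    return outer["payload"]

if __name__ == "__main__":
    inner = udp_packet("10.1.0.7", "10.2.0.9", 5000, 53, b"query")
    wire = encapsulate(inner, "192.0.2.1", "198.51.100.1")
    outer = parse_ip(wire)
    print("on the wire:", outer["src"], "->", outer["dst"], "proto", outer["proto"])
    unwrapped = parse_ip(decapsulate(wire, "198.51.100.1"))
    print("inside:     ", unwrapped["src"], "->", unwrapped["dst"], "proto", unwrapped["proto"])
```

An observer between the two gateways sees only 192.0.2.1 talking to 198.51.100.1 with protocol 4; the private 10.1.0.7 and 10.2.0.9 addresses, and the UDP header, are inside the payload. Encrypting that payload, as SKIP does, is what turns this encapsulation into a VPN.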

UDH certificate

Unsigned Diffie-Hellman certificate. UDH public value can be used when entities are named using the message digest of their DH public value, and these names are securely communicated. This term is now mostly replaced by self-signed certificate. See certificate identifier (ID).

UDP

User Datagram Protocol. All CDP communication uses UDP.

unicast

Packet sent to a single destination. Compare broadcast, multicast.

version

Numbered historical copy of a policy; the means by which a policy's earlier versions are preserved.

virtual private network

A network that appears to its users to be a private network, but that is actually carried across a public one.

The use of encryption in the lower protocol layers provides a secure connection through an otherwise insecure network, typically the Internet. VPNs are generally cheaper than real private networks using private lines but rely on having the same encryption system at both ends. The encryption may be performed by firewall software or possibly by routers.

VPN

See virtual private network.

VPN gateway

See virtual private network.