Screen in a high availability cluster that is keeping state and passing traffic. There is always exactly one active Screen in a correctly operating high availability cluster. See primary Screen and passive Screen.
In networking, a unique code that identifies a node to the network. SunScreen uses IP addresses.
The management component of SecurID.
Algorithm Discovery Protocol. Enables one entity to inform another of the capabilities it supports.
Authentication Header. A mechanism for providing strong integrity and authentication for IP datagrams.
Sequence of steps designed to solve a problem or execute a process such as drawing a curve from a set of control points, or encrypting a block of data.
Authentication Management Infrastructure.
application program interface. Set of calling conventions defining how a service is invoked through a software package. An interface between the operating system and application programs, which includes the way the application programs communicate with the operating system, and the services the operating system makes available to the programs.
Item of information following a command. It may, for example, modify the command or identify a file to be affected. Sometimes the term parameter is used.
asynchronous transfer mode. Transmits data, voice, video, and frame relay traffic in real time. With ATM, digital information is broken up into standard-sized packets, each with the address of its final destination.
Attempted cryptanalysis or an attempt to compromise system security.
Property of knowing that the claimed sender is in fact the actual sender.
Packet delivery system, where a copy of a given packet is distributed to all hosts attached to the network.
See certificate authority.
Buffer of high-speed memory used to store frequently accessed memory or values. A cache increases effective memory transfer rates and processor speed.
Cipher Block Chaining (see also DES). A block cipher mode with a feedback mechanism: the previous ciphertext block is fed into the encryption of the next block, so each block's ciphertext depends on the blocks before it.
Certificate Discovery Protocol. Request and response protocol used by two parties to transfer certificates.
Multiple secondary Screens that are managed by the Centralized Management group's primary Screen. Note that a Screen in a centrally managed group, whether primary or secondary, can also be part of a HA cluster. See HA cluster.
Data structure that binds the identity of an entity with a public-key value.
Trusted network entity that digitally signs a certificate containing information identifying the user, such as the user's name, the issued certificate, and the certificate's expiration date.
Generic naming scheme term used to identify a particular self-generated or issued certificate. It effectively decouples the identification of a key for purposes of key lookup and access control from issues of network topology, routing, and IP addresses.
Cipher Feedback. Uses a block cipher to implement a stream cipher.
Cryptographic algorithm used for encryption or decryption.
Encrypted message.
Screens in an HA cluster connected by a high-speed network that work together as if they were one Screen. See high availability.
Data objects that are relevant to all SunScreen policies. They include: address, screen, state engine, service, interface, certificate, time, and VPN gateway groups.
Property of communicating such that only the sender and the intended recipients know what is being sent, and unintended parties cannot determine what is sent.
Union of one policy with the common objects to form a complete description of the behavior of one or more Screens.
Practice of allowing or disallowing traffic based on the content of the data being sent.
Process of converting ciphertext back to plaintext.
Small protected inside network or subnetwork that provides limited public access to resources such as web servers, FTP servers, and other information resources.
Data encryption standard. A common algorithm for encrypting and decrypting data.
See demilitarized zone.
domain naming system. Distributed name and address mechanism used in the Internet.
Destination addresses.
NAT converts a set of internal private addresses into external public addresses. It allows internal hosts to contact external hosts, but cannot be used to allow external hosts to contact internal hosts.
Technique used by layered protocols in which a layer adds header information to the protocol data unit from the layer above. In Internet terminology, for example, a packet would contain a header from the physical layer, followed by a header from the network layer (IP), followed by a header from the transport layer (TCP), followed by the application protocol data. See tunneling.
Process of protecting information from unauthorized use by making the information unintelligible. Encryption is based on a code, called a key, which is used to decrypt the information. Contrast with decryption.
Encapsulating Security Payload. Mechanism for providing integrity and confidentiality to IP datagrams. In some circumstances it can also provide authentication to IP datagrams, depending on which algorithm or algorithm mode is used. It does not provide nonrepudiation or protection from traffic analysis.
LAN that enables real-time communication between machines connected directly through cables.
Process by which a passive Screen in a high availability group becomes the active Screen if the active Screen becomes unavailable.
Program that reads the standard input, acts on it in some way, and then prints the results as standard output.
Computer situated between your internal network and the rest of the network that filters packets as they go by according to user-specified criteria.
Process of dividing a packet into multiple smaller packets so that they can be sent over a communication link that only supports a smaller size.
Can be configured to allow or deny specific FTP commands such as put or get.
A device that connects networks that use different communication protocols. It transfers information and converts it to a format compatible with the receiving network. See virtual private network.
See high availability.
High availability-specific groups. Multiple secondary HA cluster Screens are managed by the primary HA cluster Screen. One Screen in an HA cluster (secondary or primary) is the active Screen that is actively filtering. Additional HA cluster Screens remain passive until one detects the failure of the active HA cluster Screen and takes over the routing and filtering of the network traffic. See high availability.
Periodic message sent between the machines within an HA cluster over a private network to maintain state. If the heartbeat is not detected after a specified interval and number of retries, a passive machine in the HA cluster becomes the active machine. See high availability.
Consists of one active Screen and at least one passive Screen. If the active Screen fails, a passive Screen takes over the filtering of the network traffic and other functionality of the failed firewall.
Name of any device on a TCP/IP network that has an IP address. In SunScreen, host is only used when referring to a source or destination of a packet.
Can be configured to ALLOW or DENY Java applets, and ActiveX controls and cookies.
Internet Control Message Protocol. IP protocol that handles errors and control messages, to enable routers to inform other routers (or hosts) of IP routing problems or make suggestions of better routes. See ping.
When installing SunScreen, the user creates, compiles, and activates a configuration named Initial, which enables a user to connect to the Screen where the configurations used to implement their security policy are built.
Property of ensuring that data is transmitted from the source to destination without undetected alteration.
Describes the physical interface ports of Screen objects.
The Internet Key Exchange (IKE) protocol is a key management protocol standard used in conjunction with the IPSec standard.
Suite of protocols within TCP/IP used to link networks worldwide on the Internet. See IP.
Internet Protocol. Network layer protocol for the Internet Protocol suite.
An IP security feature that provides robust authentication and encryption of IP packets.
Certificate that is issued by a certificate authority. See self-generated certificate.
Java Development Kit. Software tools used to write Java applets or application programs.
Java Runtime Environment.
Java Virtual Machine.
Code for encrypting or decrypting data.
Medium that contains the private key and certificate, and should be kept secure. The identifier for the certificate is on the label.
Facility in SunScreen administration GUI that enables the display and printing of log messages.
Message Authentication Code. (The abbreviation MAC is also used for media access control, an IEEE standard.) See authentication.
See MKID.
(MAC). The lower sublayer of the OSI Reference Model layer 2, the data-link layer. It controls access to a transmission medium such as Token Ring, CSMA/CD, Ethernet, and the like.
(MAC). (The abbreviation MAC is also used for media access control, an IEEE standard.) See authentication.
The program responsible for delivering email messages from a mail user agent or other MTA.
Management Information Base. SNMP structure that describes the particular device being monitored. See SNMP.
Master key identifier. A component of a SKIP certificate object.
Special form of broadcast where copies of the packet are delivered to only a subset of all possible destinations.
See NSID.
Function used when packets passing through a firewall have their addresses changed (or translated) to different network addresses. Address translation can be used to translate unregistered addresses into a smaller set of registered addresses, allowing internal systems with unregistered addresses to access systems on the Internet.
Third of the seven layers in the ISO model for standardizing computer-to-computer communications.
Number used by software to separate the local subnet address from the rest of a given IP address.
Junction at which subsidiary parts originate or center.
Name by which the system is known to a communications network. Every system running Solaris is assigned a nodename. The nodename can be displayed using the Solaris uname -n command. Each Screen has a name that is normally the same as the nodename.
Property of a receiver being able to prove that the sender of a message did in fact send the message, even though the sender might later want to deny ever having sent it.
Name space identifier. Used to identify a naming scheme for a SKIP key. See key.
Online transaction processing. Handles real-time transactions.
Open Systems Interconnection. Suite of protocols and standards sponsored by ISO to communicate data between incompatible computer systems.
Open shortest path first. A network routing protocol.
Group of information in a fixed format that is transmitted as a unit over communications lines.
Process to ALLOW or DENY examined traffic. See stateful packet filter.
See argument.
Screen in a high availability cluster that is keeping state with the active Screen but not actually passing traffic. A passive Screen will become active if the cluster's active Screen fails. See active Screen.
Collection of characters used in a similar manner to, although longer than, a password. Letters in both uppercase and lowercase can be used, as well as special characters and numbers. See password.
Unique string of characters that a user types as an identification code as a security measure to restrict access to computer systems and sensitive files.
Any functional unit in the same layer as another entity.
Perfect Forward Secrecy. Even if captured packets are later decrypted, the key material recovered cannot be used to decrypt other packets.
Packet Internet Groper. Program used to test reachability of destinations by sending them an ICMP echo request and waiting for a reply. See ICMP.
Unencrypted message.
To install and configure a network interface.
PPP (the successor to SLIP) provides router-to-router and host-to-network connections over both synchronous and asynchronous circuits.
TCP/IP connectivity, usually for PCs over a telephone line.
Named set of policy data. For example, when the SunScreen software is first installed, it configures a default policy named Initial.
See Point-to-Point Protocol.
In a high availability cluster, the Screen that controls the configuration of the cluster. In a centralized management group, the Screen that controls the configuration of the other Screens in the group. Each high availability cluster or centralized management group has exactly one primary Screen. See high availability.
Corresponds to a public key and is never disclosed to the public. See secret key.
A formal description of messages to be exchanged and rules to be followed for two or more systems to exchange information.
Proxies are separate user-level applications and provide content filtering and user authentication. Proxies are used to control the content of various network services. See HTTP proxy, FTP proxy, Telnet proxy, and SMTP proxy.
Pseudorandom numbers appear random but can be generated reliably on different systems or at different times.
Medium that contains only the certificate containing the public key. The identifier for the certificate is on the label.
A digitally signed data structure containing a user's public key, as well as information about the time and date during which the certificate is valid.
Also known as asymmetric key cryptography. In public-key cryptosystems, everyone has two related complementary keys, a publicly revealed key and a secret key (also frequently called a private key). Each key unlocks the code that the other key makes. Knowing the public key does not help you deduce the corresponding secret key. The public key can be published and widely disseminated across a communications network. This protocol provides privacy without the need for the secure channels that a conventional cryptosystem requires.
Event or system that must receive a response to some stimulus within a narrow, predictable time frame, provided that the response is not strongly dependent on highly variable system-performance parameters, such as a processor load or interface.
System in another location that can be accessed through a network.
Intermediary device responsible for making decisions about which of several paths network (or Internet) traffic will follow.
Routing-mode interfaces have IP addresses and perform IP routing. Routing mode requires that you subnet the network.
All proxies are accessed through the transmission control protocol (TCP) and, therefore, can only run on systems with at least one interface configured in routing mode.
Formulas that define a security policy in terms of the common data objects for SunScreen. Policy data include filtering rules, NAT rules, and administration access rules.
Data objects relevant to the policies of one Screen. See common objects.
Secure Data Network Service.
Screen that receives its configuration from a primary Screen. Normally, no administration is performed on a secondary Screen. A secondary Screen does, however, maintain its own logs and status, which can be examined. See high availability.
Corresponds to a public key and is never disclosed to the public. See private key.
Software to verify authentication requests and centrally administer authentication policies for enterprise networks. See also ACE/Server.
See self-signed certificate and UDH certificate. Compare with issued certificate.
A digitally signed collection of data, whose content can be checked for authenticity, and optionally used to check the authenticity of other digitally signed collections (issued certificate).
In SKIP, the CA certificates are self-signed. Obtained out-of-band, they are used as the basis for trusting issued certificates from a CA, no matter how those certificates are obtained.
Common cryptographic component: a key used to encrypt a single conversation between two parties, with each conversation using a separate key.
Secure Electronic Transaction. Protocol that is an emerging standard for Internet bank card transactions.
Program within which a user communicates with the operating system.
Simple Key-Management for Internet Protocols. IP-layer encryption package integrated into SunScreen, which provides a system with the ability to encrypt any protocol within the TCP/IP suite efficiently. Once installed, systems running SunScreen SKIP can encrypt all traffic to any SKIP-enabled product, including SunScreen products.
Simple Mail Transfer Protocol. Used on the Internet to route email.
TCP/IP protocol that sends messages from one computer to another on a network and is used on the Internet to route email.
Simple Network Management Protocol. Network management protocol that enables a user to monitor and configure network hosts remotely.
Sun Microsystems, Inc. UNIX utility that captures packets from the network and displays their contents.
Uncompiled version of a program written in a language such as C, C++, or Java. The source code must be translated to machine language by a program (the compiler) before the computer can execute the program.
Packet filter that bases its decision to allow or deny the packet using both the data in the packet and information (that is, state) saved from previous packets or events. A stateful packet filter has memory of past events and packets.
Packet filter that bases its decision to allow or deny a packet using only the data in that packet. A stateless packet filter has no memory of past events and packets.
Address translation that provides fixed translation between an external address and a private (possibly unregistered) address. It provides a way for external hosts to initiate connections to internal hosts without actually using an external address. See network address translation.
Stealth-mode interfaces do not have IP addresses. They bridge the MAC layer. Stealth mode interfaces partition an existing single network and, consequently, do not permit you to subnet the network. If all of your interfaces are in stealth mode, SunScreen offers optional hardening of the OS, which removes packages and files from the Solaris operating system that are not used by SunScreen.
In the Internet Protocol, a mechanism to subdivide (registered) networks into locally defined pieces. This technique provides better use of the IP address space while minimizing routing-table complexity. See subnet mask.
Specifies which bits of the 32-bit IP address represent network information. The subnet mask, like an IP address, is a 32-bit binary number: a 1 is entered in each position that will be used for network information and a 0 is entered in each position that will be used as node number information. See node.
Name of the family of security products produced by Sun Microsystems, Inc.
See SKIP.
Transmission Control Protocol/Internet Protocol. Protocol suite originally developed by the Department of Defense for the Internet. It is also called the Internet protocol suite. SunOS networks run on TCP/IP by default.
Enables users of one host to log into a remote host and interact as normal terminal users of that host.
Analysis of network traffic flow for the purpose of deducing information such as frequency of transmission, the identities of the conversing parties, sizes of packets, flow identifiers used, and the like.
The protocol within TCP/IP that governs breaking data messages into packets that are sent using IP, reassembling these packets into the complete message, and verifying the reassembled message as the same as the original data message.
Destination address on the outer (unencrypted) IP packet to which tunnel packets are sent. Generally used for encrypted gateways where the IP address of the host serves as the intermediary for any or all hosts on a network whose topography must remain unknown or hidden from the rest of the world.
Process of encrypting an entire IP packet, and wrapping it in another (unencrypted) IP packet. The source and destination addresses on the inner and outer packets may be different.
Unsigned Diffie-Hellman certificate. UDH public value can be used when entities are named using the message digest of their DH public value, and these names are securely communicated. This term is now mostly replaced by self-signed certificate. See certificate identifier (ID).
User Datagram Protocol. All CDP communication uses UDP.
Packet sent to a single destination. Compare broadcast, multicast.
Manner in which a policy's historical versions are preserved.
A network with the appearance and functionality of a regular network, but which is really like a private network within a public one.
The use of encryption in the lower protocol layers provides a secure connection through an otherwise insecure network, typically the Internet. VPNs are generally cheaper than real private networks using private lines but rely on having the same encryption system at both ends. The encryption may be performed by firewall software or possibly by routers.