Go to main content

Securing the Network in Oracle® Solaris 11.3

Exit Print View

Updated: September 2018
 
 

Network Security Glossary

3DES

See Triple-DES.

AES

Advanced Encryption Standard. A symmetric block data encryption technique. The U.S. government adopted the Rijndael variant of the algorithm as its encryption standard in October 2000. AES replaces DES encryption as the government standard.

asymmetric key cryptography

An encryption system in which the sender and receiver of a message use different keys to encrypt and decrypt the message. Asymmetric keys are used to establish a secure channel for symmetric key encryption. The Diffie-Hellman algorithm is an example of an asymmetric key protocol. Contrast with symmetric key cryptography.

authentication header

An extension header that provides authentication and integrity, without confidentiality, to IP packets.

bidirectional SA

An ISAKMP SA, which protects packets in both directions. An IPsec SA is unidirectional.

broadcast address

IPv4 network addresses with the host portion of the address having all zeroes (192.0.2.0) or all one bits (192.0.2.255). A packet that is sent to a broadcast address from a system on the local network is delivered to all systems on that network.

certificate authority (CA)

A trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs. The CA guarantees the identity of the individual who is granted the unique certificate.

certificate revocation list (CRL)

A list of public key certificates that have been revoked by a CA. CRLs are stored in the CRL database that is maintained through IKE.

chain of trust

In X.509 certificates, the assurance from the certificate authority that the certificates from the trust anchor to the user's certificate provide an unbroken chain of authentication.

packet

See IP packet.

DES

Data Encryption Standard. A symmetric-key encryption method developed in 1975 and standardized by ANSI in 1981 as ANSI X.3.92. DES uses a 56-bit key.

digital signature

A digital code that is attached to an electronically transmitted message that uniquely identifies the sender.

distinguished name (DN)

A standardized method of using ordinary strings to represent shared information. Distinguished names are used in LDAP and in X.509 certificates, as well as in other technologies. For more information, see A String Representation of Distinguished Names (http://www.ietf.org/rfc/rfc1779.txt).

domain of interpretation (DOI)

A DOI defines data formats, network traffic exchange types, and conventions for naming security-relevant information. Security policies, cryptographic algorithms, and cryptographic modes are examples of security-relevant information.

DoS attack

Denial of Service attack. An attack that floods the system or network with packets and thus prevents or slows the delivery of legitimate packets. DDos is a Distributed Denial of Service attack, an attack that originates from several locations.

DSA

Digital Signature Algorithm. A public key algorithm with a variable key size from 512 to 4096 bits. The U.S. Government standard, DSS, goes up to 1024 bits. DSA relies on SHA-1 for input.

Diffie-Hellman algorithm

Also known as "public key" cryptography. An asymmetric cryptographic key agreement protocol that was developed by Diffie and Hellman in 1976. The protocol enables two users to exchange a secret key over an insecure medium without any prior secrets. Diffie-Hellman is used by the IKE protocol.

ECDSA

Elliptic Curve Digital Signature Algorithm. A public key algorithm that is based on elliptic curve mathematics. An ECDSA key size is significantly smaller than the size of a DSA public key needed to generate a signature of the same length.

encapsulating security payload (ESP)

An extension header that provides integrity and confidentiality to packets. ESP is one of the five components of the IP Security Architecture (IPsec).

encapsulation

The process of a header and payload being placed in the first packet, which is subsequently placed in the second packet's payload.

FIPS 140-2

A U.S. Federal Information Processing Standard that is a requirement for many regulated industries and U.S. government agencies that process sensitive but unclassified information. The aim of FIPS 140-2 is to provide a degree of assurance that the system has implemented the cryptography correctly.

firewall

Any device or software that isolates an organization's private network or intranet from the Internet, thus protecting it from external intrusions. A firewall can include packet filtering, proxy servers, and NAT (network address translation).

hash value

A number that is generated from a string of text. Hash functions are used to ensure that transmitted messages have not been tampered with. SHA-1 is an example of a one-way hash function.

HMAC

Keyed hashing method for message authentication. HMAC is a secret key authentication algorithm. HMAC is used with an iterative cryptographic hash function, such as SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function.

ICMP echo request packet

A packet sent to a system on the Internet to solicit a response. Such packets are commonly known as "ping" packets.

IKE

Internet Key Exchange. IKE automates the provision of authenticated keying material for IPsec security associations (SAs).

Internet Protocol (IP)

The method or protocol by which data is sent from one computer to another on the Internet.

IP

See Internet Protocol (IP), IPv4, IPv6.

IP address

IP addresses that are used in Oracle Solaris documentation conform to RFC5737 IPv4 Address Blocks Reserved for Documentation (https://tools.ietf.org/html/rfc5737) and RFC 3849 IPv6 Address Prefix Reserved for Documentation (https://tools.ietf.org/html/rfc3849).

IPv4 addresses used in this documentation are blocks 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24. IPv6 addresses have prefix 2001:DB8::/32. To show a subnet, the block is divided into multiple subnets by borrowing enough bits from the host to create the required subnet. For example, host address 192.0.2.0 might have subnets 192.0.2.32/27 and 192.0.2.64/27.

IP packet

A packet of information that is carried over IP. An IP packet contains a header and data. The header includes the addresses of the source and the destination of the packet. Other fields in the header help identify and recombine the data with accompanying packets at the destination.

IP header

Twenty bytes of data that uniquely identify an Internet packet. The header includes source and destination addresses for the packet. An option exists within the header to allow further bytes to be added.

IP in IP encapsulation

The mechanism for tunneling IP packets within IP packets.

IP link

A communication facility or medium over which nodes can communicate at the link layer. The link layer is the layer immediately below IPv4/IPv6. Examples include Ethernets (simple or bridged) or ATM networks. One or more IPv4 subnet numbers or prefixes are assigned to an IP link. A subnet number or prefix cannot be assigned to more than one IP link. In ATM LANE, an IP link is a single emulated LAN. When you use ARP, the scope of the ARP protocol is a single IP link.

IPsec

IP security. The security architecture that provides protection for IP packets.

IP stack

TCP/IP is frequently referred to as a "stack". This refers to the layers (TCP, IP, and sometimes others) through which all data passes at both client and server ends of a data exchange.

IPv4

Internet Protocol, version 4. IPv4 is sometimes referred to as IP. This version supports a 32-bit address space.

IPv6

Internet Protocol, version 6. IPv6 supports a 128-bit address space.

key management

The way in which you manage security associations (SAs).

keystore name

The name that an administrator gives to the storage area, or keystore, on a network interface card (NIC). The keystore name is also called the token or the token ID.

label

1. An IKEv2 rule's keyword whose value must match the value of the label keyword in a preshared key file if the auth_method is preshared.

2. A keyword used when creating an IKEv2 certificate. This value is convenient for locating all parts of the certificate (private key, public key, and public key certificate) in the keystore.

3. A mandatory access control (MAC) indication of the level of sensitivity of an object or process. Confidential and Top Secret are sample labels. Labeled network transmissions contain MAC labels.

4. An IKEv1 rule's keyword whose value is used to get the rule.

link-local address

In IPv6, a designation that is used for addressing on a single link for purposes such as automatic address configuration. By default, the link-local address is created from the system's MAC address.

link layer

The layer immediately below IPv4/IPv6.

message authentication code (MAC)

MAC provides assurance of data integrity and authenticates data origin. MAC does not protect against eavesdropping.

multicast address

An IPv6 address that identifies a group of interfaces in a particular way. A packet that is sent to a multicast address is delivered to all of the interfaces in the group. The IPv6 multicast address has similar functionality to the IPv4 broadcast address.

multihomed host

A system that has more than one physical interface and that does not perform packet forwarding. A multihomed host can run routing protocols.

NAT

See network address translation (NAT).

network address translation (NAT)

The translation of an IP address used within one network to a different IP address known within another network. Used to limit the number of global IP addresses that are needed.

network interface card (NIC)

Network adapter card that is an interface to a network. Some NICs can have multiple physical interfaces, such as the igb card.

network policies

The settings that network utilities configure to protect network traffic.

packet

A group of information that is transmitted as a unit over communications lines. Contains an IP header plus a payload.

packet filter

A firewall function that can be configured to allow or disallow specified packets through a firewall.

packet header

See IP header.

payload

The data that is carried in a packet. The payload does not include the header information that is required to get the packet to its destination.

perfect forward secrecy (PFS)

In PFS, the key that is used to protect transmission of data is not used to derive additional keys. Also, the source of the key that is used to protect data transmission is never used to derive additional keys. Therefore, PFS can prevent the decryption of previously recorded traffic.

PFS applies to authenticated key exchange only. See also Diffie-Hellman algorithm.

physical interface

A system's attachment to a link. This attachment is often implemented as a device driver plus a network interface card (NIC). Some NICs can have multiple points of attachment, for example, igb.

PKI

Public Key Infrastructure. A system of digital certificates, Certificate Authorities, and other registration authorities that verify and authenticate the validity of each party involved in an Internet transaction.

policy

Generally, a plan or course of action that influences or determines decisions and actions. For computer systems, policy typically means security policy. For example, IPsec security policy might require symmetric keys that are minimally 512 bytes long, and certificate policy might require that the certificate expire within a year.

public key cryptography

A cryptographic system that uses two different keys. The public key is known to everyone. The private key is known only to the recipient of the message. IKE provides public keys for IPsec.

replay attack

In IPsec, an attack in which a packet is captured by an intruder. The stored packet then replaces or repeats the original at a later time. To protect against such attacks, a packet can contain a field that increments during the lifetime of the secret key that is protecting the packet.

router

A system that usually has more than one interface, runs routing protocols, and forwards packets. You can configure a system with only one interface as a router if the system is the endpoint of a PPP link.

router advertisement

The process of routers advertising their presence together with various link and Internet parameters.

router discovery

The process of hosts locating routers that reside on an attached link.

RSA

A method for obtaining digital signatures and public key cryptosystems. The method was first described in 1978 by its developers, Rivest, Shamir, and Adleman.

SADB

Security Associations Database. A table that specifies cryptographic keys and cryptographic algorithms. The keys and algorithms are used in the secure transmission of data.

security association (SA)

An association that specifies security properties from one host to a second host.

security parameter index (SPI)

An integer that specifies the row in the security associations database (SADB) that a receiver should use to decrypt a received packet.

security policy database (SPD)

Database that specifies the level of protection to apply to a packet. The SPD filters IP traffic to determine whether a packet should be discarded, should be passed in the clear, or should be protected with IPsec.

SHA-1

Secure Hashing Algorithm. The algorithm operates on any input length less than 264 to produce a message digest. The SHA-1 algorithm is input to DSA.

smurf attack

To use ICMP echo request packets directed to an IP broadcast address or multiple broadcast addresses from remote locations to create severe network congestion or outages.

sniff

To eavesdrop on computer networks. Sniffers are frequently used as part of automated programs to sift information, such as clear-text passwords, off the wire.

spoof

To gain unauthorized access to a computer by sending a message to it with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host.

stateful packet filter

A packet filter that can monitor the state of active connections and use the information obtained to determine which network packets to allow through the firewall. By tracking and matching requests and replies, a stateful packet filter can screen for a reply that does not match a request.

stream control transport protocol (SCTP)

A transport layer protocol that provides connection-oriented communications in a manner similar to TCP. Additionally, SCTP supports multihoming, in which one of the endpoints of the connection can have more than one IP address.

subnet

A logical subdivision of an IP network that connects systems with subnet numbers and IP address schemas, including their respective netmasks. See also IP address.

symmetric key cryptography

An encryption system in which the sender and receiver of a message share a single, common key. This common key is used to encrypt and decrypt the message. Symmetric keys are used to encrypt the bulk of data transmission in IPsec. AES is one example of a symmetric key.

Triple-DES

Triple-Data Encryption Standard. A symmetric-key encryption method. Triple-DES requires a key length of 168 bits. Triple-DES is also written as 3DES.

trust anchor

In X.509 certificates, the root certificate from the certificate authority. The certificates from the root certificate to the end certificate establish a chain of trust.

tunnel

The path that is followed by a packet while it is encapsulated. See encapsulation.

In IPsec, a configured tunnel is a point-to-point interface. The tunnel enables one IP packet to be encapsulated within another IP packet.

virtual private network (VPN)

A single, secure, logical network that uses tunnels across a public network such as the Internet.