100BaseT

Another term for Fast Ethernet, an upgraded standard for connecting computers into a local area network (LAN). 100BaseT Ethernet works just like 10BaseT Ethernet except that it transfers data at a peak rate of 100 Mbps over twisted-pair cable. It is also more expensive and less common than its slower 10BaseT sibling. See also 10BaseT.

10BaseT

The most common form of Ethernet is called 10BaseT, which denotes a peak transmission speed of 10 Mbps using copper twisted-pair cable. Ethernet is a standard for connecting computers into a local area network (LAN). The maximum cable run is 100 meters (about 328 feet); each twisted-pair segment is a point-to-point link carrying a single station (the other end is a hub or switch port), and a network supports at most 1024 devices. See also 100BaseT.

Access List

An access list is an ordered list of statements against which a route is compared. Access lists apply to unicast and multicast traffic. Each statement specifies the IP address and netmask of a network prefix and a forwarding status (permit or deny the route). The route is compared with the statements in sequence; the first statement it matches determines its forwarding status, and the remaining statements are ignored. Because only the first match counts, the order of statements is part of the policy: a deny placed after a broader permit never takes effect.
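The first-match rule described above, with the ordering pitfall it implies, as an added example that is not part of the original glossary or of ScreenOS. It assumes (as an interpretation of "matches") that a route matches a statement when the route's prefix lies within the statement's prefix, that an unmatched route is denied, and it uses constructed sample statements:

```python
import ipaddress
from typing import List, Tuple

# One access-list statement: a network prefix and the status to apply.
Statement = Tuple[ipaddress.IPv4Network, str]


def parse_access_list(lines: List[str]) -> List[Statement]:
    """Parse statements written as '<permit|deny> <address>/<prefix-length>'.
    Statement order is significant and is preserved."""
    acl: List[Statement] = []
    for line in lines:
        action, prefix = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown forwarding status {action!r}")
        acl.append((ipaddress.ip_network(prefix, strict=True), action))
    return acl


def matches(statement_prefix: ipaddress.IPv4Network,
            route: ipaddress.IPv4Network) -> bool:
    """Assumption: a route matches a statement when the route's prefix is
    equal to, or more specific than, the statement's prefix."""
    return route.subnet_of(statement_prefix)


def evaluate(acl: List[Statement], route: str, default: str = "deny") -> str:
    """Return the forwarding status for `route`.

    Statements are compared in order and the first match decides; the
    remaining statements are ignored. A route that matches nothing gets the
    implicit default (deny, which is what most routers do silently)."""
    net = ipaddress.ip_network(route, strict=True)
    for prefix, action in acl:
        if matches(prefix, net):
            return action
    return default


def shadowed_statements(acl: List[Statement]) -> List[int]:
    """Indices of statements that can never match because an earlier
    statement already covers every route they could match. A shadowed deny
    is the classic access-list mistake: it reads like a restriction but has
    no effect."""
    shadowed = []
    for i, (prefix, _) in enumerate(acl):
        if any(prefix.subnet_of(earlier) for earlier, _ in acl[:i]):
            shadowed.append(i)
    return shadowed


# Constructed sample: block one /16 inside 10/8, permit the rest of 10/8,
# and deny everything else explicitly.
SAMPLE_ACL = parse_access_list([
    "deny 10.1.0.0/16",
    "permit 10.0.0.0/8",
    "deny 0.0.0.0/0",
])

# The same statements with the first two swapped: the deny is now unreachable.
SWAPPED_ACL = parse_access_list([
    "permit 10.0.0.0/8",
    "deny 10.1.0.0/16",
    "deny 0.0.0.0/0",
])

if __name__ == "__main__":
    for route in ("10.1.2.0/24", "10.2.0.0/16", "192.168.1.0/24"):
        print(route, evaluate(SAMPLE_ACL, route), evaluate(SWAPPED_ACL, route))
    print("shadowed statements in swapped list:", shadowed_statements(SWAPPED_ACL))
```

Running the block shows 10.1.2.0/24 denied by the first list and permitted by the swapped one; the shadow check reports the unreachable deny, which is the audit step worth running on any list before it is applied.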

Authentication

Authentication verifies the identity of a party, or the origin of a message: it assures the receiver that the data came from the claimed source and, in most protocols, that the message was not altered in transit (integrity). It does not by itself ensure that data reaches the intended receiver or that it is kept confidential. The simplest form of authentication requires a user name and password to gain access to a particular account. Authentication protocols can also be based on a shared secret key (a keyed hash such as HMAC-MD5, or a cipher such as DES) or on public-key systems using digital signatures.

Authentication Header (AH)

See ESP/AH.

BGP

Border Gateway Protocol (BGP) is a path-vector protocol that is used to carry routing information between Autonomous Systems (ASs). The BGP routing information includes the sequence of AS numbers that a network prefix (a route) has traversed. The path information associated with the prefix enables loop prevention (a router rejects a path that already contains its own AS number) and the enforcement of routing policies. ScreenOS supports BGP version 4 (BGP-4, defined in RFC 1771).

Bridge

A device that forwards traffic between network segments based on data link layer information. These segments would have a common network layer address.

Circuit-level Proxy

A proxy server is an intermediary that accepts connections from clients and opens connections to the destination on their behalf, so that no direct connection crosses the firewall. A circuit-level proxy (SOCKS is the common example) relays the bytes of a TCP connection without interpreting the application protocol: it decides whether to set up the circuit from the source, destination, and port, and the client must be configured to send its requests to the proxy rather than to the destination. An application-level proxy, by contrast, understands a specific protocol such as HTTP and can cache content: it first attempts to find requested data locally and fetches it from the remote server, where the data resides permanently, only if it is not there. Caching the most commonly and recently used Web content gives users quicker access and reduces load on the upstream link, which is why ISPs with slow links to the Internet deploy such proxies. Either kind of proxy opens a socket toward the Internet on the firewall and allows communication through that socket only for requests it accepts. For example, a browser inside a protected network can be configured to send its port 80 (HTTP) requests to the proxy on the firewall (a SOCKS proxy conventionally listens on port 1080); the proxy, if policy permits, opens the outbound connection and relays the reply back to the client.

Data Encryption Standard-Cipher Block Chaining (DES-CBC)

Until recently, the most significant use of triple DES (3DES) was for the encryption of single DES keys, and there was really no need to consider how one might implement various block cipher modes when the block cipher in question is actually one derived from multiple encryption. However, as DES nears the end of its useful lifetime, more thought is being given to an increasingly widespread use of triple DES. In particular, there are two obvious ways to implement the CBC mode for triple DES. With single DES in CBC mode, each plaintext block is exclusive-ored with the previous ciphertext block (the initialization vector, for the first block) before encryption. With triple DES, however, we might use feedback around all three DES operations from the ciphertext to the plaintext, which is called outer-CBC. Alternatively, we might run the feedback around each individual encryption component, thereby making, in effect, triple-(DES-CBC). This is referred to as inner-CBC, since there are internal feedbacks that are never seen by the cryptanalyst. Performance-wise, there can be some advantages to using the inner-CBC option (the three layers can be pipelined), but research has established that outer-CBC is in fact more secure. Outer-CBC is the recommended way to use triple DES in CBC mode, and it is the construction the IPSec 3DES-CBC transform specifies.
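The two chaining structures described above, as an added example that is not part of the original glossary. DES itself is not implemented here; a toy invertible 64-bit block function stands in for it (an assumption, and not a cipher to use for anything), because the point is where the feedback sits, not the block cipher. The example shows that both constructions round-trip, that they produce different ciphertext, and one visible consequence of the feedback placement: a single flipped ciphertext bit damages exactly two plaintext blocks under outer-CBC but spreads through every later block under inner-CBC. It does not by itself demonstrate the cryptanalytic result that outer-CBC is stronger. Keys, IV, and plaintext are constructed sample values:

```python
from typing import Callable

MASK64 = (1 << 64) - 1
BLOCK = 8  # 64-bit blocks, as for DES

# Toy stand-in for a 64-bit block cipher: XOR with key, rotate, XOR with a
# key-derived constant. Invertible, but with no cryptographic strength.
def toy_encrypt(key: bytes, block: bytes) -> bytes:
    k = int.from_bytes(key, "big")
    x = int.from_bytes(block, "big") ^ k
    x = ((x << 13) | (x >> 51)) & MASK64           # rotate left 13
    x ^= (k * 0x9E3779B97F4A7C15) & MASK64         # key-dependent whitening
    return x.to_bytes(BLOCK, "big")

def toy_decrypt(key: bytes, block: bytes) -> bytes:
    k = int.from_bytes(key, "big")
    x = int.from_bytes(block, "big") ^ ((k * 0x9E3779B97F4A7C15) & MASK64)
    x = ((x >> 13) | (x << 51)) & MASK64           # rotate right 13
    x ^= k
    return x.to_bytes(BLOCK, "big")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

BlockOp = Callable[[bytes], bytes]

def cbc_forward(f: BlockOp, iv: bytes, data: bytes) -> bytes:
    """y_i = f(x_i XOR y_{i-1}): CBC feedback around an arbitrary block op f."""
    out, prev = [], iv
    for blk in split(data):
        prev = f(xor(blk, prev))
        out.append(prev)
    return b"".join(out)

def cbc_inverse(f_inv: BlockOp, iv: bytes, data: bytes) -> bytes:
    """x_i = f_inv(y_i) XOR y_{i-1}: undo cbc_forward."""
    out, prev = [], iv
    for blk in split(data):
        out.append(xor(f_inv(blk), prev))
        prev = blk
    return b"".join(out)

# Outer-CBC: one feedback loop around the whole E(k3, D(k2, E(k1, .))) operation.
def outer_cbc_encrypt(k1, k2, k3, iv, pt):
    return cbc_forward(lambda b: toy_encrypt(k3, toy_decrypt(k2, toy_encrypt(k1, b))), iv, pt)

def outer_cbc_decrypt(k1, k2, k3, iv, ct):
    return cbc_inverse(lambda b: toy_decrypt(k1, toy_encrypt(k2, toy_decrypt(k3, b))), iv, ct)

# Inner-CBC: three chains, one per DES operation (the same IV is reused for
# each layer here, an assumption made to keep the example short).
def inner_cbc_encrypt(k1, k2, k3, iv, pt):
    x = cbc_forward(lambda b: toy_encrypt(k1, b), iv, pt)
    x = cbc_forward(lambda b: toy_decrypt(k2, b), iv, x)
    return cbc_forward(lambda b: toy_encrypt(k3, b), iv, x)

def inner_cbc_decrypt(k1, k2, k3, iv, ct):
    x = cbc_inverse(lambda b: toy_decrypt(k3, b), iv, ct)
    x = cbc_inverse(lambda b: toy_encrypt(k2, b), iv, x)
    return cbc_inverse(lambda b: toy_decrypt(k1, b), iv, x)

def differing_blocks(a: bytes, b: bytes) -> int:
    return sum(1 for x, y in zip(split(a), split(b)) if x != y)

def error_propagation(encrypt, decrypt, keys, iv, pt, flip_block=1) -> int:
    """Flip one bit in ciphertext block `flip_block`, decrypt, and count the
    plaintext blocks that come out damaged."""
    ct = bytearray(encrypt(*keys, iv, pt))
    ct[flip_block * BLOCK] ^= 0x01
    return differing_blocks(pt, decrypt(*keys, iv, bytes(ct)))

KEYS = (b"\x01" * 8, b"\x02" * 8, b"\x03" * 8)   # constructed sample keys
IV = b"\xa5" * 8                                  # constructed sample IV
PT = bytes(range(40))                             # five constructed sample blocks

if __name__ == "__main__":
    print("outer-CBC damaged blocks:", error_propagation(outer_cbc_encrypt, outer_cbc_decrypt, KEYS, IV, PT))
    print("inner-CBC damaged blocks:", error_propagation(inner_cbc_encrypt, inner_cbc_decrypt, KEYS, IV, PT))
```

With the five-block sample, flipping a bit in ciphertext block 1 leaves outer-CBC with two damaged plaintext blocks (block 1 garbled, block 2 with exactly that bit flipped, which is the usual CBC malleability) and inner-CBC with block 1 and every block after it damaged, because each layer's chain carries the difference one block further.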

Data Encryption Standard (DES)

A symmetric block cipher with a 56-bit key (a deliberately weakened 40-bit variant existed for export). DES was developed by IBM and adopted in 1977 as a U.S. federal standard (FIPS 46) by the National Bureau of Standards, the predecessor of the National Institute of Standards and Technology (NIST), for protecting sensitive but unclassified data. The key is supplied as 64 bits, of which 8 are parity bits, leaving 56 bits of effective key material. To apply the encryption, the message is broken into 64-bit blocks, and each block is transformed in 16 rounds of substitution and permutation under subkeys derived from the key. A 56-bit key space can be searched exhaustively with modern hardware, so single DES is no longer considered adequate; applying DES three times with independent keys (triple DES, 3DES) extends the effective key length, and AES has since replaced DES as the standard. See also DES-CBC.

De-Militarized Zone (DMZ)

From the military term for an area between two opponents where fighting is prevented. In a firewall design, a DMZ is a network segment placed between the untrusted network (such as the Internet) and the trusted internal network. Hosts that must be reachable from outside, such as public Web and mail servers, are placed in the DMZ so that a compromise of one of them does not give direct access to the internal network; policies from the DMZ into the Trusted zone should be as restrictive as those from the Untrusted zone into the DMZ. DMZ networks may be external or internal, and may also connect networks and computers controlled by different organizations.

ECMP

Equal Cost MultiPath (ECMP) assists with load balancing among two to four routes to the same destination or increases the effective bandwidth usage among two or more destinations. When enabled, NetScreen devices use the statically defined routes or dynamically learn multiple routes to the same destination through a routing protocol. The NetScreen device assigns routes of equal cost in round robin fashion. Default: disabled

Encryption

Encryption is the process of changing data into a form that can be read only by the intended receiver. To decipher the message, the receiver of the encrypted data must have the proper decryption key. In traditional (symmetric) encryption schemes, the sender and the receiver use the same key to encrypt and decrypt data. Public-key encryption schemes use two keys: a public key, which anyone may use, and a corresponding private key, which is possessed only by the person who created it. With this method, anyone may send a message encrypted with the owner's public key, but only the owner has the private key necessary to decrypt it. DES (Data Encryption Standard) is a widely used symmetric cipher; PGP (Pretty Good Privacy) is a popular hybrid system that uses public-key encryption to protect a per-message symmetric key.

ESP/AH

The IP level security headers, AH and ESP, were originally proposed by the IETF working group focused on IP security mechanisms, IPSec. The term IPSec is used loosely here to refer to packets, keys, and routes that are associated with these headers. The IP Authentication Header (AH) provides integrity and origin authentication for the datagram, including the immutable fields of the IP header, but no confidentiality. The IP Encapsulating Security Payload (ESP) provides confidentiality for IP datagrams and, optionally, integrity and origin authentication of the encapsulated payload. Both headers carry a Security Parameters Index that identifies the security association under which the packet is protected.

Ethernet

A local area network technology invented at the Xerox Corporation, Palo Alto Research Center. Ethernet is a best-effort delivery system that uses CSMA/CD technology. Ethernet can be run over a variety of cable schemes, including thick coaxial, thin coaxial, twisted pair, and fiber optic cable. Ethernet is a standard for connecting computers into a local area network (LAN). The most common form of Ethernet is called 10BaseT, which denotes a peak transmission speed of 10 Mbps using copper twisted-pair cable.

Extranet

The connecting of two or more intranets. If an intranet is a company's internal Web site that allows users inside the company to communicate and exchange information, an extranet connects that virtual space with another company's intranet, thus allowing these two (or more) companies to share resources and communicate over the Internet in their own virtual space. This technology greatly enhances business-to-business communications.

Filtering, dynamic

IP service that can be used within VPN tunnels. Filters are one way the NetScreen-10/100 controls traffic from one network to another. When TCP/IP sends data packets to the firewall, the filtering function in the firewall looks at the header information in the packets and directs them accordingly. The filters operate on criteria such as source or destination IP address range, TCP or UDP port, Internet Control Message Protocol (ICMP) message type, or TCP flags (for example, whether a packet is a response within an existing connection). See also Tunneling and Virtual Private Network (VPN).

Firewall

A device that protects and controls the connection of one network to another, for traffic both entering and leaving. Firewalls are used by companies that want to protect any network-connected server from damage (intentional or otherwise) by those who log in to it. This could be a dedicated computer equipped with security measures or it could be a software-based protection.

GBIC

A Gigabit Interface Converter (GBIC) is the kind of interface module used on the NetScreen-500 for connecting to a fiber optic network.

Hello packet

A Hello packet is a message sent out to the current network to announce the presence of the current routing instance to the network. Hello packets aid in the discovery of neighbors and in a router being able to connect to other devices on the network. When an OSPF interface is created, the interface sends Hello packets to the network to announce itself.

Hub

A hub is a hardware device that repeats signals at the physical Ethernet layer and is used to network computers together. It serves as a common wiring point so that information flows through one central location to every other computer on the network. A hub retains the behavior of a standard bus type network (such as Thinnet) but produces a star topology with the hub at the center, which enables centralized management. Because a hub repeats every frame to every port, any host attached to it can capture all traffic on the segment; a switch, which forwards each frame only to the port of its destination MAC address, removes that exposure for ordinary traffic.

Internet

Also known as "the Net". A system of linked computer networks, international in scope, that facilitates data communication services such as remote login, file transfer, electronic mail, and newsgroups. It grew out of the ARPAnet, a research network funded by the U.S. Defense Department and designed so that communication could continue despite the loss of individual links and nodes. The Internet is a way of connecting existing computer networks that greatly extends the reach of each participating system.

Internet Control Message Protocol (ICMP)

Occasionally a gateway or destination host will communicate with a source host, for example, to report an error in datagram processing. For such purposes the protocol, the Internet Control Message Protocol (ICMP), is used. ICMP uses the basic support of IP as if it were a higher level protocol, however, ICMP is actually an integral part of IP, and must be implemented by every IP module. ICMP messages are sent in several situations: for example, when a datagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route. The Internet Protocol is not designed to be absolutely reliable. The purpose of these control messages is to provide feedback about problems in the communication environment, not to make IP reliable.

Internet Key Exchange (IKE)

The protocol used to authenticate IPSec peers and to negotiate security associations and keys over an unsecured medium, such as the Internet, without transmitting the keys themselves. IKE first establishes a protected channel between the two peers (Phase 1) and then, over that channel, negotiates the IPSec SAs that protect traffic (Phase 2). See also ISAKMP and Security Association.

Internet Protocol (IP)

An Internet standard protocol that defines a basic unit of data called a datagram. A datagram is used in a connectionless, best-effort, delivery system. The Internet protocol defines how information gets passed between systems across the Internet.

Intranet

A play on the word Internet, an intranet is a restricted-access network that works like the Web, but isn't on it. Usually owned and managed by a corporation, an intranet enables a company to share its resources with its employees without confidential information being made available to everyone with Internet access.

IP Address

Each node on a TCP/IP network usually has an IP address. The address has a network number portion and a host number portion. Under the original classful scheme the first octet determines the split: Class A (first octet 1 to 126), format n.h.h.h, up to 16,777,214 hosts; Class B (128 to 191), format n.n.h.h, up to 65,534 hosts; Class C (192 to 223), format n.n.n.h, up to 254 hosts. This notation is called dotted decimal format; "n" represents an octet of the network number and "h" an octet of the host number, so 128.11.2.30 is a Class B address with network 128.11 and host 2.30. Classful allocation has been superseded by classless addressing (CIDR), in which the subnet mask or prefix length, not the first octet, states how many bits are network number. If you are sending data outside of your network, such as to the Internet, you need a network number assigned by an address registry. See also Subnet Mask.

IP Gateway

Also called a router, a gateway is a program or a special-purpose device that transfers IP datagrams from one network to another until the final destination is reached.

IP Security (IPSec)

Security standard produced by the Internet Engineering Task Force (IETF). It is a protocol suite that provides everything you need for secure communications—authentication, integrity, and confidentiality—and makes key exchange practical even in larger networks. See also DES-CBC, ESP/AH.

ISAKMP

The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for Internet key management and provides the specific protocol support for negotiation of security attributes. By itself, it does not establish session keys, however it can be used with various session key establishment protocols to provide a complete solution to Internet key management.

Key Management, Manual

The only reasonable way to protect the integrity and privacy of information is to rely upon the use of secret information in the form of private keys for signing and/or encryption. The management and handling of these pieces of secret information is generally referred to as "key management". This includes the activities of selection, exchange, storage, certification, expiration, revocation, changing, and transmission of keys. Most of the work in managing information security systems lies in the key management. With manual key management, the administrator configures the keys (and, for IPSec, the SPIs) on both ends of a tunnel by hand; the keys never change until someone changes them, so the approach is practical only for a small number of tunnels and is otherwise replaced by automated negotiation with IKE.

Link State Advertisement (LSA)

Link State Advertisements (LSAs) are the conveyance that enables OSPF routers to make device, network, and routing information available for the link state database. Each router retrieves information from the LSAs sent by other routers on the network to construct a picture of the entire internetwork from which they distill path information to use in the routing table.

Load balancing

In general computing, load balancing is the mapping (or re-mapping) of work to processors with the intent of improving the efficiency of a concurrent computation. In networking it is the distribution of traffic across several paths to the same destination (see ECMP) or across several servers that offer the same service.

Local Area Network (LAN)

Any network technology that interconnects resources within an office environment, usually at high speeds, such as Ethernet. A local area network is a short-distance network used to link a group of computers together within a building. 10BaseT Ethernet is the most commonly used form of LAN. A hardware device called a hub serves as the common wiring point, enabling data to be sent from one machine to another over the network. LANs are typically limited to distances of less than 500 meters and provide low-cost, high-bandwidth networking capabilities within a small geographical area.

LSA

See Link State Advertisement (LSA).

MD5

Message Digest (version) 5, an algorithm that produces a 128-bit message digest (or hash) from a message of arbitrary length. The resulting hash is used, like a "fingerprint" of the input, to verify integrity and, in keyed form (HMAC-MD5, as used for RIP and OSPF authentication), authenticity. Collisions for MD5 can now be computed cheaply, so it is unsuitable wherever an attacker could choose both inputs, such as certificates and digital signatures; keyed integrity checks are not affected by those collision attacks.

Media Access Control (MAC) Address

An address that uniquely identifies a network interface card, such as an Ethernet adapter. For Ethernet, the MAC address is 6 octets long: the first three (the Organizationally Unique Identifier) are assigned to the manufacturer by the IEEE, and the manufacturer assigns the remaining three. On a LAN or other network, the MAC address is the computer's hardware number (on an Ethernet LAN, it is the same as the Ethernet address). When a host communicates over IP on a LAN, a correspondence table (the ARP cache) relates each IP address to the physical (MAC) address of the host on that segment. The MAC address is used by the Media Access Control sublayer of the Data-Link Control (DLC) layer of telecommunication protocols; there is a different MAC sublayer for each physical device type. Because most interfaces allow the address to be overridden in software, a MAC address identifies a device but does not authenticate it.

metric

Each routing protocol must have some way of calculating the best path to take to get to a given non-local network. The determination of best path is usually calculated using a value called a metric. A metric is computed in an algorithm, which assigns a number, or cost, to the path. This ability is necessary because a router will often have multiple paths to the same network.

metric type

A two-tiered model that classifies external OSPF routes by type to determine the general cost level of a specified route. The types are External Type 1 metrics, in which the cost of the route is the external cost plus the internal cost of reaching the router that advertised it, and External Type 2 metrics, in which only the external cost is considered. A Type 1 route is always preferred over a Type 2 route to the same destination.

NetScreen Redundancy Protocol (NSRP)

A proprietary protocol that provides configuration and run time object (RTO) redundancy and a device failover mechanism for NetScreen units in a high availability (HA) cluster.

Network Address Translation (NAT)

A technique for translating private IP addresses to temporary, external, registered IP addresses from an address pool. This allows Trusted networks with privately assigned IP addresses (such as the RFC 1918 ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) to have access to the Internet, and it means that you do not have to obtain a registered IP address for every machine in your network. NAT hides internal addresses from the outside but is not by itself an access control; the policies on the firewall still determine which sessions may be created.

OSPF

Open Shortest Path First (OSPF) routing protocol is an Interior Gateway Protocol (IGP) intended to operate within a single autonomous system (AS). OSPF causes routers to distribute interface and neighbor reachability state information through messages called link-state advertisements (LSAs). The LSAs allow each router to maintain a link-state database. All routers within the AS have a self-centered shortest path view of the AS.

Policies

Policies provide the initial protection mechanism for the firewall, allowing you to determine what traffic passes across it based on IP session details. They protect the Trusted network from outsider attacks, such as the scanning of Trusted servers. Policies create an environment in which you set up security policies to monitor traffic attempting to cross your firewall.

Preference

Preference is a weight added to a route that influences the determination of the best path for traffic to reach a destination. When you import or add a route to the routing table, the virtual router adds a preference value — determined by the protocol by which the route is learned — to the route. A low preference value (a number closer to 0) is preferable to a high preference value (a number further from 0).

RIP

Routing Information Protocol (RIP) is a distance vector protocol used as an Interior Gateway Protocol (IGP) in moderate-sized autonomous systems (AS). RIP supports point-to-point networks, broadcast/multicast Ethernet networks, and point-to-multipoint connections over tunnels with or without demand circuits. ScreenOS supports RIP v1 and v2 (RFC 2453) plus MD5 authentication extensions (RFC 2082).

RJ-45

Resembling a standard phone connector, an RJ-45 connector is twice as wide (with eight wires) and is used for hooking up computers to local area networks (LANs) or phones with multiple lines.

Route Map

A route map consists of a set of statements that are applied in sequential order to a route. Match conditions can be tags, metrics, preferences, or BGP or OSPF settings. If a route does not match any entry in the route map, the route is rejected.

Route Redistribution

The exporting of routes learned by one routing protocol or virtual router into another, so that they are advertised there as well; for example, routes learned by OSPF in one virtual router can be redistributed into BGP or into another virtual router.

Router

A device that forwards packets between networks based on their network layer (IP) addresses, choosing the next hop from a routing table. Routers connect a local area network (LAN) to wide area links such as leased lines or dial-up connections. Routers can also act as traffic cops, allowing only authorized machines to transmit data into the local network so that private information can remain secure. In addition to supporting these dial-in and leased connections, routers handle errors, keep network usage statistics, and handle security issues. A router's packet filtering is not a substitute for a firewall, which tracks sessions and applies policies rather than examining each packet in isolation.

RTO (Run-time object)

Run-time objects (RTOs) are code objects created dynamically in memory during normal operation. Some examples of RTOs are session table entries, ARP cache entries, DHCP leases, and IPSec security associations (SAs). In the event of a failover, it is critical that the current RTOs be maintained by the new master to avoid service interruption. To accomplish this, RTOs are backed up by the members of an NSRP cluster. Working together, each member backs up the RTOs from the other, which allows RTOs to be maintained should the master of either VSD group in an active/active HA scheme step down.

Run Time Object (RTO)

A code object created dynamically in memory during normal operation. Some examples of RTOs are session table entries, ARP cache entries, certificates, DHCP leases, and IPSec Phase 2 security associations (SAs). See also RTO (Run-time object) for how RTOs are backed up within an NSRP cluster.

Secure Sockets Layer

Secure Sockets Layer (SSL) is a protocol designed by Netscape for providing data security layered between application protocols (such as HTTP, Telnet, or FTP) and TCP/IP. This security protocol provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. SSL has been superseded by its standardized successor, Transport Layer Security (TLS); SSL 2.0 and 3.0 have known weaknesses and should be disabled on both servers and clients.

Security Association

A one-way relationship between two peers that specifies the security services applied to traffic in that direction: the protocol (AH or ESP), the algorithms and keys, and the lifetime. An SA is identified by the combination of a Security Parameters Index, a destination address, and the security protocol, and is required for both Authentication Header and Encapsulating Security Payload protocols. Bidirectional traffic needs two SAs, one in each direction. See also Security Parameters Index.

Security Parameters Index

(SPI) A 32-bit value, usually written in hexadecimal, carried in every AH or ESP header. Together with the destination address and the security protocol it identifies the security association, and therefore the tunnel, to which the packet belongs. It tells the NetScreen device which key and algorithm to use to authenticate and decrypt the packet.

Security Zone

A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic via access policies.

Server Farm

A server farm is a network where clients install their own computers to run Web servers, e-mail, or any other TCP/IP based services they require, making use of leased permanent Internet connections with 24-hour worldwide access. Instead of expensive dedicated-line connections to various offices, servers can be placed on server farm networks to have them connected to the Internet at high-speed for a fraction of the cost of a leased line.

SHA-1

Secure Hash Algorithm-1, an algorithm that produces a 160-bit hash from a message of arbitrary length. (It was generally regarded as more secure than MD5 because of the larger hashes it produces. Practical collision attacks have since been demonstrated against both, so neither should be used where collision resistance matters, such as digital signatures and certificates; keyed uses such as HMAC-SHA-1 in IPSec are not affected by those attacks.)

SIBR

Source Interface-Based Routing allows the NetScreen device to forward traffic based on the source interface (the interface on which the data packet arrives on the NetScreen device).

Source Based Routing

Source-Based Routing (SBR) is when route lookup occurs based on the source IP address rather than the destination. For NetScreen devices, SBR is enabled at the virtual router (VR) level. See also SIBR.

Subinterface

A subinterface is a logical division of a physical interface that borrows the bandwidth it needs from the physical interface from which it stems. A subinterface is an abstraction that functions identically to an interface for a physically present port and is distinguished by 802.1Q VLAN tagging.

Subnet Mask

In larger networks, the subnet mask lets you define subnetworks. The mask is a 32-bit value with a 1 bit in every position that belongs to the network or subnet number and a 0 bit in every host position; ANDing an address with the mask yields the network number, and the remaining bits are the host number. For example, on a class B network a subnet mask of 255.255.255.0 specifies that the first two octets of the dotted decimal address are the network number, the third octet is a subnet number, and the fourth octet is the host number, which divides the class B network into 256 subnets of 254 usable hosts each. If you do not want to subnet a class B network, use its default mask of 255.255.0.0. A network can be subnetted into one or more physical networks that form subsets of the main network. Subnetting lets address space be assigned in sizes that fit each segment and ensures that network traffic is not sent to the whole network unless intended. Every host on a segment must use the same mask, and a mask must consist of contiguous 1 bits from the left (255.255.0.255 is not a valid mask); a host with the wrong mask treats neighbours as remote, or remote hosts as local, and sends its traffic to the wrong place. See also IP address.
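The address arithmetic behind the IP Address and Subnet Mask entries, as an added example that is not part of the original glossary: the classful split by first octet, the bitwise split of an address into network and host numbers, the subnet and host counts for a given mask, and the contiguity check for a mask. The addresses used are the glossary's own 128.11.2.30 plus constructed neighbours:

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def classful(addr: str):
    """Historical class of an address from its first octet, with the default
    mask that class implies (None for the multicast and reserved ranges)."""
    first = to_int(addr) >> 24
    if first < 128:
        return "A", "255.0.0.0"
    if first < 192:
        return "B", "255.255.0.0"
    if first < 224:
        return "C", "255.255.255.0"
    return ("D" if first < 240 else "E"), None


def is_valid_mask(mask: str) -> bool:
    """A mask must be a run of 1 bits followed only by 0 bits, so the
    inverted mask must be of the form 2**n - 1."""
    host_bits = ~to_int(mask) & MASK32
    return host_bits & (host_bits + 1) == 0


def prefix_length(mask: str) -> int:
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous mask {mask}")
    return bin(to_int(mask)).count("1")


def apply_mask(addr: str, mask: str):
    """Split an address into (network number, host number, broadcast address)
    with the bitwise operations the mask defines."""
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous mask {mask}")
    a, m = to_int(addr), to_int(mask)
    network = a & m
    host = a & ~m & MASK32
    broadcast = network | (~m & MASK32)
    return to_dotted(network), host, to_dotted(broadcast)


def subnet_count(default_mask: str, subnet_mask: str) -> int:
    """How many subnets a longer mask carves out of a classful network."""
    borrowed = prefix_length(subnet_mask) - prefix_length(default_mask)
    if borrowed < 0:
        raise ValueError("subnet mask is shorter than the network's mask")
    return 1 << borrowed


def usable_hosts(mask: str) -> int:
    """Host addresses per subnet, excluding the network and broadcast addresses."""
    host_bits = 32 - prefix_length(mask)
    return max((1 << host_bits) - 2, 0)


def same_subnet(a: str, b: str, mask: str) -> bool:
    """What a host decides before choosing between ARP and its default router."""
    return apply_mask(a, mask)[0] == apply_mask(b, mask)[0]


if __name__ == "__main__":
    print(classful("128.11.2.30"))
    print(apply_mask("128.11.2.30", "255.255.255.0"))
    print(subnet_count("255.255.0.0", "255.255.255.0"), usable_hosts("255.255.255.0"))
    print(same_subnet("128.11.2.30", "128.11.3.1", "255.255.255.0"))
```

The last call is the case the entry warns about: with the /24 mask 128.11.3.1 is a remote host reached through the router, while with the class B default mask it is a neighbour on the same wire.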

Three-Way Handshake

A TCP connection is established with a triple exchange of packets known as a three-way handshake. The procedure transpires as follows:
1. The initiator sends a SYN (synchronize/start) packet carrying its initial sequence number.
2. The recipient replies with a SYN/ACK (synchronize/acknowledge) packet carrying its own initial sequence number and acknowledging the initiator's.
3. The initiator responds with an ACK (acknowledge) packet acknowledging the recipient's sequence number.
4. At this point, the two endpoints of the connection have been established and data transmission can commence.
Until the final ACK arrives, the recipient holds a half-open connection in its table. A SYN flood exploits this by sending many SYN packets that are never completed, exhausting the recipient's capacity for new connections.
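The exchange above with both sides' segments and states, as an added example that is not part of the original glossary or of any real TCP stack. It models only the sequence and acknowledgement numbers and the SYN and ACK flags (an assumption: windows, options, and RST handling are left out), and it shows the check each side makes on the acknowledgement number, which is what forces a blind spoofer to guess the peer's initial sequence number, and the half-open state the listener is left in when the final ACK never arrives. Initial sequence numbers are constructed values:

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Segment:
    """The TCP header fields that matter for the handshake."""
    seq: int
    ack: int
    syn: bool = False
    ack_flag: bool = False


class Endpoint:
    """One side of a TCP connection, reduced to the handshake states."""

    def __init__(self, isn: int, listening: bool = False):
        self.isn = isn                          # initial sequence number
        self.state = "LISTEN" if listening else "CLOSED"
        self.snd_nxt = isn                      # next sequence number we will send
        self.rcv_nxt: Optional[int] = None      # next sequence number we expect

    def connect(self) -> Segment:
        """Step 1: send a SYN carrying our ISN. The SYN consumes one sequence number."""
        if self.state != "CLOSED":
            raise RuntimeError(f"connect() called in state {self.state}")
        self.state = "SYN_SENT"
        self.snd_nxt = self.isn + 1
        return Segment(seq=self.isn, ack=0, syn=True)

    def receive(self, seg: Segment) -> Optional[Segment]:
        """Advance the state machine and return the segment to send back, if any.
        A segment whose ACK does not acknowledge exactly the number we are
        waiting for is dropped (a real stack would answer it with RST)."""
        if self.state == "LISTEN" and seg.syn and not seg.ack_flag:
            # Step 2: record the peer's ISN and answer SYN/ACK with our own.
            self.rcv_nxt = seg.seq + 1
            self.snd_nxt = self.isn + 1
            self.state = "SYN_RCVD"              # half-open until the ACK arrives
            return Segment(seq=self.isn, ack=self.rcv_nxt, syn=True, ack_flag=True)

        if self.state == "SYN_SENT" and seg.syn and seg.ack_flag:
            # Step 3: the SYN/ACK must acknowledge our ISN + 1 exactly.
            if seg.ack != self.snd_nxt:
                return None
            self.rcv_nxt = seg.seq + 1
            self.state = "ESTABLISHED"
            return Segment(seq=self.snd_nxt, ack=self.rcv_nxt, ack_flag=True)

        if self.state == "SYN_RCVD" and seg.ack_flag and not seg.syn:
            # Step 4: the final ACK must carry the expected numbers on both counts.
            if seg.ack == self.snd_nxt and seg.seq == self.rcv_nxt:
                self.state = "ESTABLISHED"
            return None

        return None


def handshake(client: Endpoint, server: Endpoint, tamper=None) -> Tuple[str, str]:
    """Run the three-way exchange. `tamper`, if given, rewrites the SYN/ACK in
    flight, standing in for a spoofer who has to guess the numbers."""
    syn = client.connect()
    synack = server.receive(syn)
    if synack is not None and tamper is not None:
        synack = tamper(synack)
    ack = client.receive(synack) if synack is not None else None
    if ack is not None:
        server.receive(ack)
    return client.state, server.state


def wrong_ack(seg: Segment) -> Segment:
    """Constructed fault: a SYN/ACK that acknowledges the wrong sequence number."""
    return Segment(seq=seg.seq, ack=seg.ack + 1, syn=True, ack_flag=True)


if __name__ == "__main__":
    print(handshake(Endpoint(isn=1000), Endpoint(isn=5000, listening=True)))
    print(handshake(Endpoint(isn=1000), Endpoint(isn=5000, listening=True), tamper=wrong_ack))
```

The second run ends with the client still in SYN_SENT and the server in SYN_RCVD: one half-open entry that the listener must hold until it times out. Each uncompleted SYN in a SYN flood leaves exactly such an entry behind, which is why SYN cookies and SYN-rate limits on the firewall matter.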

Transmission Control Protocol/Internet Protocol (TCP/IP)

A set of communications protocols that support peer-to-peer connectivity functions for both local and wide area networks. A communications protocol which allows computers with different operating systems to communicate with each other. Controls how data is transferred between computers on the Internet.

Trunk Port

A trunk port allows a switch to bundle traffic from several VLANs through a single physical port, sorting the various packets by the VLAN identifier (VID) in their frame headers.

Tunnel Interface

A tunnel interface is the opening, or doorway, through which traffic to or from a VPN tunnel passes. A tunnel interface can be numbered (that is, assigned an IP address) or unnumbered. A numbered tunnel interface can be in either a tunnel zone or a security zone. An unnumbered tunnel interface can only be in a security zone that contains at least one security zone interface; the unnumbered tunnel interface borrows the IP address of that security zone interface.

Tunnel Zone

A tunnel zone is a logical segment that hosts one or more tunnel interfaces. A tunnel zone is associated with a security zone that acts as its carrier.

Tunneling

A method of data encapsulation. With VPN tunneling, a mobile professional dials into a local Internet Service Provider's Point of Presence (POP) instead of dialing directly into the corporate network. This means that no matter where mobile professionals are located, they can dial a local Internet Service Provider that supports VPN tunneling technology and gain access to their corporate network, incurring only the cost of a local telephone call. When remote users connect to their corporate network through an Internet Service Provider that supports VPN tunneling, the traffic between the user and the corporate network is encrypted and authenticated, so both the remote user and the organization can rely on the connection being secure. All remote dial-in users are authenticated by an authenticating server at the Internet Service Provider's site and then again by another authenticating server on the corporate network. This means that only authorized remote users can access their corporate network, and they can access only the hosts that they are authorized to use.

Uniform Resource Locator (URL)

A standard way developed to specify the location of a resource available electronically. Also referred to as a location or address, URLs specify the location of files on servers. A general URL has the syntax protocol://address. For example, http://www.srl.rmit.edu.au/pd/index.html specifies that the protocol is http and the address is www.srl.rmit.edu.au/pd/index.html.

Universal Security Gateway Architecture (USGA)

The ScreenOS architecture that provides generic interfaces that the admin can customize and bind to predefined and user-defined security zones.

Unshielded Twisted Pair (UTP)

The type of copper cabling, made of twisted pairs of wires without a shield, that is the standard cabling for telephone lines. It is also the cabling used by 10BaseT and 100BaseT Ethernet, which is why the terms are sometimes used interchangeably.

User Datagram Protocol (UDP)

A protocol in the TCP/IP protocol suite, the User Datagram Protocol or UDP allows an application program to send datagrams to other application programs on a remote machine. Basically UDP is a protocol that provides an unreliable and connectionless datagram service where delivery and duplicate detection are not guaranteed. It does not use acknowledgments, or control the order of arrival. Because there is no handshake, the source address of a UDP datagram is trivially forged, so UDP services need their own authentication and are a common vehicle for spoofed and amplified traffic.

Virtual IP Address

A VIP address maps traffic received at one IP address to another address based on the destination port number in the packet header.

virtual link

All areas in an OSPF internetwork must connect directly to the backbone area. This requirement can severely limit the placement of areas and it also has the potential of making OSPF unusable on some networks, especially if the network is very wide. There are situations when a new area is added after the OSPF internetwork has been designed and configured and it is not possible to provide that new area with direct access to the backbone. To solve the problems that this limitation may cause, a virtual link can be constructed to provide the connectivity to the backbone area.

Virtual Local Area Network (VLAN)

A logical rather than physical grouping of devices that constitute a single broadcast domain. VLAN members are not identified by their location on a physical subnetwork but through the use of tags in the frame headers of their transmitted data. VLANs are described in the IEEE 802.1Q standard.

Virtual Private Network (VPN)

A VPN is an easy, cost-effective and secure way for corporations to provide telecommuters and mobile professionals local dial-up access to their corporate network or to another Internet Service Provider (ISP). Secure private connections over the Internet are more cost-effective than dedicated private lines. VPNs are possible because of technologies and standards such as tunneling, screening, encryption, and IPSec.

Virtual Router

A virtual router is the component of ScreenOS that performs routing functions. By default, a NetScreen device supports two virtual routers: Untrust-VR and Trust-VR.

Virtual Security Device (VSD)

A single logical device composed of a set of physical NetScreen devices.

Virtual Security Interface (VSI)

A logical entity at layer 3 that is linked to multiple layer 2 physical interfaces in a VSD group. The VSI binds to the physical interface of the device acting as master of the VSD group. The VSI shifts to the physical interface of another device in the VSD group if there is a failover and it becomes the new master.

Virtual System

A Virtual System is a subdivision of the main system that appears to the user to be a stand-alone entity. Virtual Systems reside separately from each other in the same NetScreen device. Each one can be managed by its own Virtual System Administrator.

Windows Internet Naming Service (WINS)

WINS is a service for mapping IP addresses to NetBIOS computer names on Windows NT server-based networks. A WINS server maps a NetBIOS name used in a Windows network environment to an IP address used on an IP-based network.

Zone

A zone can be a segment of network space to which security measures are applied (a security zone), a logical segment to which a VPN tunnel interface is bound (a tunnel zone), or either a physical or logical entity that performs a specific function (a function zone).