Appendix B – Terminology
226
Certificates
A digitally signed statement that contains information about an entity and the entity's public key, thus binding these two pieces of information together. A certificate is issued by a trusted organization (or entity) called a Certification Authority (CA) after the CA has verified that the entity is who it says it is.

Certificate Authority
A Certificate Authority is a trusted third party which certifies that public keys truly belong to their claimed owners. It is a key part of any Public Key Infrastructure, since it allows users to trust that a given public key is the one they wish to use, either to send a private message to its owner or to verify the signature on a message sent by that owner.

Certificate Revocation List
A list of certificates that have been revoked by the CA before they expired. This may be necessary if the private key certificate has been compromised or if the holder of the certificate is to be denied the ability to establish a tunnel to the CyberGuard SG appliance.

Data Encryption Standard (DES)
The Data Encryption Standard is a block cipher with 64-bit blocks and a 56-bit key.

Dead Peer Detection
The method of detecting whether the remote party has a stale set of keys and whether the tunnel requires rekeying. To interoperate with the CyberGuard SG appliance, the remote party must conform to the Internet draft draft-ietf-ipsec-dpd-00.txt.

DHCP
Dynamic Host Configuration Protocol. A communications protocol that assigns IP addresses to computers when they are connected to the network.

Diffie-Hellman Group or Oakley Group
The groups used as the basis of Diffie-Hellman key exchange in the Oakley protocol, and in IKE.

Diffie-Hellman Key Exchange
A protocol that allows two parties without any initial shared secret to create one in a manner immune to eavesdropping. Once they have done this, they can communicate privately by using that shared secret as a key for a block cipher or as the basis for key exchange.

Distinguished Name
A list of attributes that makes up the description of the certificate. These attributes include: country, state, locality, organization, organizational unit and common name.

DNS
Domain Name System, which allocates Internet domain names and translates them into IP addresses. A domain name is a meaningful and easy to remember name for an IP address.

DUN
Dial Up Networking.

Encapsulating Security Payload (ESP)
Encapsulating Security Payload is the IPSec protocol which provides encryption and can also provide an authentication service.

Encryption
The technique for converting a readable message (plaintext) into apparently random material (ciphertext) which cannot be read if intercepted. The proper decryption key is required to read the message.

Ethernet
A physical layer protocol based upon IEEE standards.
Extranet
A private network that uses the public Internet to securely share business information and operations with suppliers, vendors, partners, customers, or other businesses. Extranets add external parties to a company's intranet.

Failover
A method for detecting that the main Internet connection (usually a broadband connection) has failed and the CyberGuard SG appliance cannot communicate with the Internet. If this occurs, the CyberGuard SG appliance automatically moves to a lower speed, secondary Internet connection.

Fall-forward
A method for shutting down the failover connection when the main Internet connection can be re-established.

Firewall
A network gateway device that protects a private network from users on other networks. A firewall is usually installed to allow users on an intranet access to the public Internet without allowing public Internet users access to the intranet.

Gateway
A machine that provides a route (or pathway) to the outside world.

Hashes
A code, calculated based on the contents of a message. This code should have the property that it is extremely difficult to construct a message so that its hash comes to a specific value. Hashes are useful because they can be attached to a message, and demonstrate that it has not been modified. If a message were to be modified, then its hash would have changed, and would no longer match the original hash value.

Hub
A network device that allows more than one computer to be connected as a LAN, usually using UTP cabling.

IDB
Intruder Detection and Blocking. A feature of your CyberGuard SG appliance that detects connection attempts from intruders and can also optionally block all further connection attempts from the intruder's machine.

Internet
A worldwide system of computer networks: a public, cooperative, and self-sustaining network of networks accessible to hundreds of millions of people worldwide. The Internet is technically distinguished because it uses the TCP/IP set of protocols.

Intranet
A private TCP/IP network within an enterprise.

IP Compression
A good encryption algorithm produces ciphertext that is evenly distributed. This makes it difficult to compress. If one wishes to compress the data it must be done prior to encrypting. The IPcomp header provides for this. One of the problems of tunnel mode is that it adds 20 bytes of IP header, plus 28 bytes of ESP overhead, to each packet. This can cause large packets to be fragmented. Compressing the packet first may make it small enough to avoid this fragmentation.

IPSec
Internet Protocol Security. IPSec provides interoperable, high quality, cryptographically-based security at the IP layer and offers protection for network communications.
IPSec tunnel
The IPSec connection that securely links two private parties across insecure and public channels.

IPSec with Dynamic DNS
Dynamic DNS can be run on the IPSec endpoints, thereby creating an IPSec tunnel using dynamic IP addresses.

IKE
Internet Key Exchange, a profile of ISAKMP that is for use by IPsec. It is often called simply IKE. IKE creates a private, authenticated key management channel. Using that channel, two peers can communicate, arranging for session keys to be generated for AH, ESP or IPcomp. The channel is used for the peers to agree on the encryption, authentication and compression algorithms that will be used. The traffic to which the policies will be applied is also agreed upon.

ISAKMP
ISAKMP is a framework for doing Security Association Key Management. It can, in theory, be used to produce session keys for many different systems, not just IPsec.

Key lifetimes
The length of time before keys are renegotiated.

LAN
Local Area Network.

LED
Light-Emitting Diode.

Local Private Key Certificate & Passphrase
The private part of the public/private key pair of the certificate resides on the CyberGuard SG appliance. The passphrase is a key that can be used to lock and unlock the information in the private key certificate.

Local Public Key Certificate
The public part of the public/private key pair of the certificate resides on the CyberGuard SG appliance and is used to authenticate against the CA certificate.

MAC address
The hardware address of an Ethernet interface. It is a 48-bit number usually written as a series of 6 hexadecimal octets, e.g. 00:d0:cf:00:5b:da. A CyberGuard SG appliance has a MAC address for each Ethernet interface. These are listed on a label on the underneath of the device.

Main Mode
This Phase 1 keying mode automatically exchanges encryption and authentication keys and protects the identities of the parties attempting to establish the tunnel.

Manual Keying
This type of keying requires the encryption and authentication keys to be specified.

Manual Keys
Predetermined encryption and authentication keys used to establish the tunnel.

Masquerade
The process whereby a gateway on a local network modifies outgoing packets by replacing the source address of the packets with its own IP address. All IP traffic originating from the local network appears to come from the gateway itself and not the machines on the local network.

MD5
Message Digest Algorithm Five is a 128-bit hash. It is one of two message digest algorithms available in IPSec.
NAT
Network Address Translation. The translation of an IP address used on one network to an IP address on another network. Masquerading is one particular form of NAT.

Net mask
The way that computers know which part of a TCP/IP address refers to the network, and which part refers to the host range.

NTP
Network Time Protocol (NTP), used to synchronize clock times in a network of computers.

Oakley Group
See Diffie-Hellman Group or Oakley Group.

PAT
Port Address Translation. The translation of a port number used on one network to a port number on another network.

PEM, DER, PKCS#12, PKCS#7
These are all certificate formats.

Perfect Forward Secrecy
A property of systems such as Diffie-Hellman key exchange which use a long-term key (such as the shared secret in IKE) and generate short-term keys as required. If an attacker who acquires the long-term key provably can neither read previous messages which he may have archived nor read future messages without performing additional successful attacks, then the system has PFS. The attacker needs the short-term keys in order to read the traffic, and merely having the long-term key does not allow him to infer those. Of course, it may allow him to conduct another attack (such as man-in-the-middle) which gives him some short-term keys, but he does not automatically get them just by acquiring the long-term key.

Phase 1
Sets up a secure communications channel to establish the encrypted tunnel in IPSec.

Phase 2
Sets up the encrypted tunnel in IPSec.

PPP
Point-to-Point Protocol. A networking protocol for establishing simple links between two peers.

PPPoE
Point to Point Protocol over Ethernet. A protocol for connecting users on an Ethernet to the Internet using a common broadband medium (e.g. a single DSL line, wireless device, cable modem, etc).

PPTP
Point to Point Tunneling Protocol. A protocol developed by Microsoft™ that is popular for VPN applications. Although not considered as secure as IPSec, PPTP is considered "good enough" technology. Microsoft has addressed many flaws in the original implementation.

Preshared secret
A common secret (passphrase) that is shared between the two parties.

Quick Mode
This Phase 2 keying mode automatically exchanges the encryption and authentication keys that actually establish the encrypted tunnel.

Rekeying
The process of renegotiating a new set of keys for encryption and authentication.

Road warrior
A remote machine with no fixed IP address.
Router
A network device that moves packets of data. A router differs from hubs and switches because it is "intelligent" and can route packets to their final destination.

RSA Digital Signatures
A public/private RSA key pair used for authentication. The CyberGuard SG appliance can generate these key pairs. The public keys need to be exchanged between the two parties in order to configure the tunnel.

SHA
Secure Hash Algorithm, a 160-bit hash. It is one of two message digest algorithms available in IPSec.

Security Parameter Index (SPI)
Security Parameter Index, an index used within IPsec to keep connections distinct. Without the SPI, two connections to the same gateway using the same protocol could not be distinguished.

Subnet mask
See "Net mask".

Switch
A network device that is similar to a hub, but much smarter. Although not a full router, a switch partially understands how to route Internet packets. A switch increases LAN efficiency by utilizing bandwidth more effectively.

TCP/IP
Transmission Control Protocol/Internet Protocol. The basic protocol for Internet communication.

TCP/IP address
Fundamental Internet addressing method that uses the form nnn.nnn.nnn.nnn.

TripleDES (3DES)
Using three DES encryptions on a single data block, with at least two different keys, to get higher security than is available from a single DES pass.

UTC
Coordinated Universal Time.

UTP
Unshielded Twisted Pair cabling. A type of Ethernet cable that can operate at up to 100 Mb/s. Also known as Category 5 or CAT 5.

VPN
Virtual Private Networking. When two locations communicate securely and effectively across a public network (e.g. the Internet). The three key features of VPN technology are privacy (nobody can see what you are communicating), authentication (you know who you are communicating with), and integrity (nobody can tamper with your messages/data).

WAN
Wide Area Network.

WINS
Windows Internet Naming Service, which manages the association of workstation names and locations with IP addresses.