VPN FAQ. Virtual Private Network Frequently Asked Questions.
1. What is VPN?
2. What are the features and benefits of using VPN?
3. What are the protocols used by VPN?
4. What is a Tunnel?
5. What are the components for setting up a VPN?
6. What is IPSec?
7. What is PPTP?
8. What is L2TP?
9. How does VPN work?
10. What is NAT Traversal?
11. What is an RSA Key?
12. What is PSK?
13. What is IKE?

1. What is VPN?
VPN stands for Virtual Private Network; it is a technology for creating a secure private
network between two hosts over a public network such as the Internet. VPNs use tunneling,
encryption, authentication, and access control over a public network at the same time for
2. What are the features and benefits of using VPN?
COST: VPN replaces expensive leased connections with dial-up or DSL/cable connections.
SECURITY: Through authentication and encryption, VPN provides remote secure links for users
to access the company or any private network.
3. What are the protocols used by VPN?
The three protocols used by VPN are PPTP (point to point tunneling protocol), L2TP (layer 2
tunneling protocol) and IPSec (Internet protocol security).
4. What is a Tunnel?
A VPN tunnel is a virtual private passage through an insecure medium such as the Internet.
5. What are the components for setting up a VPN?
VPN client, this could be a computer (any operating system) or a router depending on the
needs. VPN server, this is a connection point for VPN clients.
6. What is IPSec?
IPSec is the most common technology in use for creating and operating VPNs. In IPSec tunneling
all packets are completely and securely encapsulated and each packet receives a new header
with all address and connection information hidden from public view.
7. What is PPTP?
PPTP stands for point-to-point tunneling protocol and allows PPP packets to be encapsulated
within IP Packets and over any IP network.
8. What is L2TP?
Layer 2 Tunneling Protocol is an extension of PPTP used by ISPs to enable the operation of
private virtual networks over the Internet.
9. How does VPN work?
Basically VPN is created by the client system's VPN software establishing a connection through
a secure tunnel with a VPN server. The tunnel can be built using PPTP, L2TP or IPSec protocols.
10. What is NAT Traversal?
NAT-T is the feature that makes NAT devices IPSec aware or compliant, thereby allowing
remote access users to build IPSec tunnels through home gateways.
11. What is an RSA key?
RSA stands for Rivest, Shamir, Adleman and is an encryption algorithm using asymmetric keys.
DES, AES and the two authentication algorithms, MD5 and SHA-1, use symmetric shared secret
12. What is PSK?
PSK is short for Pre-Shared-Key. This is the key that identifies (authenticates) a communicating
party during a Phase 1 Internet Key Exchange negotiation. It is shared because both parties
know the key.
13. What is IKE?
Internet Key Exchange negotiates the IPSec security associations (SAs). This process requires
the two IPSec systems to first authenticate themselves in phase 1 and in phase 2, negotiate the
IPSec security associations and generate the required key material for IPSec.

Virtual Private Networks.
An overview.
The term "VPN" or "Virtual Private Network" is one of the most overused buzzwords in the
industry today. Proponents claim that VPNs can solve many issues, from extending the
enterprise to include strategic business partners and customers, to providing remote users
secure multiprotocol access to corporate Intranets, to securing corporate data for transport
over the public Internet.
Vendors and consumers alike disagree as to what, exactly, a VPN is. With all the excitement,
speculation and competing messages in the press regarding this technology, it's hard to figure
out some of the basic questions. What exactly is a VPN? Why do you need a VPN? And what are
some of the technologies used in deploying a VPN? This article will attempt to answer some of
these questions.
Towards a Connected Planet
While the Internet holds incredible promise as an enabler for eBusiness, there are some major
stumbling blocks that must be addressed if an organization is truly to conduct mission-critical
business functions over the 'net. The Internet's greatest assets are its openness and ubiquity.
But these characteristics are also its greatest weaknesses.
Historically, organizations built and deployed mission-critical applications over private local-
and wide area networks (LANs and WANs), where the infrastructure was a known entity and
access was tightly controlled. The end result was a private data communications infrastructure
that had somewhat predictable application availability, performance and security.
Enter the 'Net. The types of applications being deployed across the public Internet today are
increasingly mission-critical, whereby business success can be jeopardized by poor application
performance. We've all heard the horror stories of frantic Internet traders trying desperately to
unload stocks as the markets dropped, while bandwidth constraints hampered their attempts.
Remember the phrase "form follows function"? It doesn't matter how attractive and potentially
lucrative our applications are if they don't function reliably and consistently. The unpredictable
nature of Internet traffic can be a major risk factor for e-business.
What about security? As you increase your connectivity, you increase your exposure and
therefore your potential security risks. A disconnected stand-alone personal computer with
sensitive information is vulnerable only to people who can gain physical access to it. Connect it
to the Internet, however, and you drastically increase its exposure and attendant vulnerability.
Furthermore, data in transit across the Internet is subject to such threats as spoofing, session
hijacking, sniffing, and man-in-the-middle attacks.
The desire to use the Internet for business and the risk factors associated with doing so
have given rise to a new technology niche: Virtual Private Networks (VPN). VPNs typically are IP-
based networks (usually the public Internet) that use encryption and tunneling to achieve one
or more of the following goals:

branch offices to an enterprise network (intranet)

The idea is to extend trust relationships across an economical public network without
sacrificing security. Ideally, a VPN should behave similarly to a private network; it should be
secure, highly available and have predictable performance.
Many VPN technologies already exist, with more being developed, marketed and deployed
each day. Some products are based on standards (usually emerging standards); others are
proprietary. Some address very specific requirements, such as secure remote access over the
Internet for mobile users, while others focus more on secure LAN-to-LAN connectivity. Each
product and technology has inherent strengths and weaknesses.
The trick is to understand the current technology landscape; to understand how to choose the
right solutions dependent on the underlying problems that must be addressed; and to
understand where the technology will likely head in the future.
Looking at the design goals for a VPN, security is the focus of most solutions available today,
and we therefore begin with approaches to ensuring Confidentiality, Integrity and
Authentication. Performance and availability, also important goals, are discussed towards the
end of the article.
Confidentiality protects the privacy of information being exchanged between communicating
parties. Towards this end, every VPN solution provides encryption of some sort.
The two primary cryptographic systems in use today are secret key cryptography and public
key cryptography. Secret (or private) key cryptography uses a shared key which is used to
encrypt and decrypt messages. The major problem with private key cryptography is key
exchange. Sending secret keys across the Internet unencrypted is not an option for obvious
reasons. This is where public key cryptography can help. Public key cryptography uses a
mathematically linked key pair for each communicating party. This means that data encrypted
with one key can be decrypted with the other key in the pair. A sender can encrypt a message
with the recipient's public key, which as the name implies is publicly available (on a server, for
example). The recipient can then decrypt the message using his or her own private key.
Public key systems enable encryption over an unsecured network as well as a mechanism to
exchange secret keys. On the downside, public key cryptography is computationally intensive,
and therefore often combined with secret key cryptography to get the best blend of
performance and functionality. For example, the Diffie-Hellman public key algorithm can be
used in conjunction with the DES secret key algorithm: Diffie-Hellman produces the secret key
and DES encrypts the traffic.
Integrity ensures that information being transmitted over the public Internet is not altered in
any way during transit. VPNs typically use one of three technologies to ensure integrity:
One-way hash functions - A hash function generates a fixed-length output value based on an
arbitrary-length input file. The idea is that it's easy to calculate the hash value of a file but
mathematically difficult to generate a file that will hash to that value. To validate the integrity
of a file, a recipient would calculate the hash value of that file and compare it to the hash value
sent by the sender. Thus, the recipient can be assured that the sender had the file at the time
he or she created the hash value. Examples of hash algorithms are MD5, SHA-1 and RIPE-MD-
Message-authentication codes (MACs) simply add a key to hash functions. A sender would
create a file, calculate a MAC based on a key shared with the recipient, and then append it to
the file. When the recipient receives the file, it is easy to calculate the MAC and compare it to
the one that was appended to the file.
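The key-exchange and keyed-hash ideas from the two passages above, as an added example that is not part of the article: a textbook Diffie-Hellman agreement over a small constructed group (the prime 2^127 - 1 with generator 3, chosen for illustration; IKE uses far larger standardized groups), with the agreed secret hashed into a key that then keys an HMAC-SHA-1 message-authentication code. The message and all key values are constructed; the article pairs DH with DES for encryption, whereas this block uses the derived key only for the integrity MAC.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only: the Mersenne
# prime 2^127 - 1 with generator 3. Real IKE deployments use the much larger
# MODP groups standardized in RFC 3526.
P = 2**127 - 1
G = 3


def dh_keypair(private=None):
    """Return (private, public) with public = G^private mod P.
    A random private exponent is drawn when none is supplied."""
    if private is None:
        private = secrets.randbelow(P - 2) + 1   # 1 <= private <= P - 2
    return private, pow(G, private, P)


def dh_shared_key(private, peer_public):
    """Agree on the shared group element and derive a 256-bit MAC key from it.
    Hashing the raw DH output is the key-derivation step: the group element
    itself is never used directly as a key."""
    if not 1 < peer_public < P - 1:
        # Rejects the degenerate public values 0, 1 and P-1, which would
        # force the shared secret to a value an observer can predict.
        raise ValueError("peer public value out of range")
    shared = pow(peer_public, private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def mac_message(key, message):
    """Sender side: append the keyed hash (HMAC-SHA-1) to the message."""
    return message + hmac.new(key, message, hashlib.sha1).digest()


def verify_message(key, blob):
    """Recipient side: recompute the MAC over the received message and compare
    in constant time. Returns the message on success, None on mismatch."""
    message, tag = blob[:-20], blob[-20:]          # SHA-1 tag is 20 bytes
    expected = hmac.new(key, message, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return message


def demo():
    """Both parties agree on a key, then one MAC'd message is accepted and a
    tampered copy is rejected. Returns True when both outcomes are as expected."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_a = dh_shared_key(a_priv, b_pub)   # A uses B's public value
    key_b = dh_shared_key(b_priv, a_pub)   # B uses A's public value
    assert key_a == key_b                  # same key on both ends
    blob = mac_message(key_a, b"constructed sample: transfer 100 units")
    accepted = verify_message(key_b, blob)
    tampered = verify_message(key_b, b"X" + blob[1:])   # flip the first byte
    return accepted is not None and tampered is None


if __name__ == "__main__":
    print("ok" if demo() else "FAILED")
```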
Digital signatures can also be used for data integrity purposes. A digital signature is
essentially public key cryptography in reverse. A sender digitally "signs" a document with their
private key and the recipient can verify the signature via the sender's public key.
Authentication ensures the identity of all communicating parties. You may have seen the
cartoon that appeared in The New Yorker a few years back. A dog sitting in front of a PC turned
to his canine friend and said "On the Internet, nobody knows you're a dog." To correctly
identify an individual or computing resource, VPNs typically use one or more forms of
These methods are usually based on password authentication (shared secrets) or digital
certificates. Password authentication is the most prevalent form of user authentication used in
computer systems today, but it is also one of the weakest because passwords can be guessed or
stolen. Multi-factor authentication is generally a stronger form of authentication and is based
on the premise of utilizing something you have in conjunction with something you know. This
process is similar to how most ATM cards are used; a user possesses the physical ATM card and
"unlocks" it with a password.
For example, many VPNs support SecurID by Security Dynamics, a token card that combines
secret key encryption with a one-time password. The password is automatically generated by
encrypting a timestamp with the secret key. This one-time password will be valid for a short
interval, usually 30 to 60 seconds.
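The time-based one-time password just described, as an added illustration that is not SecurID's proprietary algorithm or any product's code: a keyed hash (HMAC-SHA-1, the construction RFC 4226/6238 use) over the current 30-second step replaces the article's "encrypting a timestamp", and the verifying side tolerates one step of clock drift while refusing to accept the same step twice. The token secret is a constructed sample value.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30    # each password is valid for one step (article: 30 to 60 s)
DIGITS = 6


def otp_for_step(secret, step):
    """Password for one time step: keyed hash of the step counter, reduced to
    DIGITS decimal digits (the HOTP dynamic-truncation rule)."""
    counter = struct.pack(">Q", step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                     # low nibble picks 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"


def token_display(secret, now=None):
    """What the token card shows at time `now` (seconds since the epoch)."""
    now = time.time() if now is None else now
    return otp_for_step(secret, int(now // STEP_SECONDS))


def server_verify(secret, submitted, now=None, drift_steps=1, used=None):
    """Accept a password for the current step or up to `drift_steps` either
    side of it (token and server clocks never agree exactly). `used` is a set
    of steps already consumed: a password captured in transit cannot be
    replayed for the rest of its validity interval."""
    now = time.time() if now is None else now
    current = int(now // STEP_SECONDS)
    for step in range(current - drift_steps, current + drift_steps + 1):
        if used is not None and step in used:
            continue
        if hmac.compare_digest(otp_for_step(secret, step), submitted):
            if used is not None:
                used.add(step)
            return True
    return False


if __name__ == "__main__":
    SECRET = b"12345678901234567890"            # constructed token secret
    shown = token_display(SECRET)
    print("token shows", shown, "-> accepted:", server_verify(SECRET, shown))
```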
Digital certificates are also becoming more prevalent as an authentication mechanism for VPNs.
A digital certificate (based on the X.509 standard) is an electronic document that is issued to an
individual by a "Certificate Authority" that can vouch for an individual's identity. It essentially
binds the identity of an individual to a public key. A digital certificate will contain a public key,
information specific to the user (name, company, etc.), information specific to the issuer, a
validity period and additional management information. This information will be used to create
a message digest which is encrypted with the Certificate Authority's private key to "sign" the
By utilizing the digital signature verification procedure described above, participants in a
conversation can "mutually authenticate" each other. Although this process sounds simple, it
involves a complex system of key generation, certification, revocation and management, all
part of a Public Key Infrastructure (PKI). A PKI is a broad set of technologies that are utilized to
manage public keys, private keys and certificates. The deployment of a PKI solution should not
be taken lightly as there are major issues involved with scalability and interoperability.
VPN Protocols
As a matter of practice, the separate technologies used to provide confidentiality, integrity and
authentication in a given implementation are grouped into a broad VPN protocol. Three widely
used protocols - IPsec, tunneling and Socks5 - are described below.
The protocol which seems destined to become the de facto standard for VPNs is IPSec (Internet
Protocol Security). IPSec is a set of authentication and encryption protocols, developed by the
Internet Engineering Task Force (IETF) and designed to address the inherent lack of security for
IP-based networks. It is designed to address data confidentiality, integrity, authentication and
key management, in addition to tunneling.
The IPSec protocol typically works on the edges of a security domain. Basically, IPSec
encapsulates a packet by wrapping another packet around it. It then encrypts the entire packet.
This encrypted stream of traffic forms a secure tunnel across an otherwise unsecured network.
The majority of VPN vendors are implementing IPSec in their solutions. The comprehensive
nature of the protocol makes it ideal for site-to-site VPNs, although interoperability issues
still exist across different vendors' implementations. IPSec is a bi-directional protocol,
which means that extranet configurations must be carefully designed and
implemented. When setting up an extranet VPN, you may not want to give your partners access
to your entire network or allow them to access yet another partner through your network.
Point to Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP)
PPTP is a tunneling protocol which provides remote users encrypted, multi-protocol access to a
corporate network over the Internet. Network layer protocols, such as IPX and NetBEUI, are
encapsulated by the PPTP protocol for transport over the Internet. Unlike IPSec, PPTP was not
originally designed to provide LAN-to-LAN tunneling.
PPTP is built into NT 4.0, and the client is a free add-on to Windows 95. Microsoft's
implementation of PPTP has been found to have several problems that make it vulnerable to
attacks, and it also lacks scalability in that it only supports 255 concurrent connections per
server. The low cost and integration with NT and Windows 95, however, makes PPTP a viable
remote access solution where multi-protocol access is needed, heavy-duty encryption and
authentication is not needed, and a Microsoft-only solution is appropriate.
PPTP can support only one tunnel at a time for each user. However, its proposed successor,
L2TP (a hybrid of PPTP and another protocol, L2F) can support multiple, simultaneous tunnels
for each user. L2TP will be incorporated in Windows 2000 and can support IPSec for data
encryption and integrity.
SOCKS version 5 is a circuit-level proxy protocol that was originally designed to facilitate
authenticated firewall traversal. It provides a secure, proxy architecture with extremely
granular access control, making it an excellent choice for extranet configurations.
SOCKS v5 supports a broad range of authentication, encryption, tunneling and key management
schemes, as well as a number of features not possible with IPSec, PPTP or other VPN
technologies. SOCKS v5 provides an extensible architecture that allows developers to build
system plug-ins, such as content filtering (denying access to Java applets or ActiveX controls, for
example) and extensive logging and auditing of users. When SOCKS is used in conjunction with
other VPN technologies, it's possible to have a more complete security solution than any
individual technology could provide. A user may, for example, incorporate IPSec and SOCKS
together. IPSec could be used to secure the underlying network transport, while SOCKS could
be used to enforce user-level and application-level access control.
Performance and Availability
Most VPN technologies today do not address performance and availability issues, as important
as they are. Why? Because the majority of VPN solutions exist on client machines and gateway
servers at the extreme ends of the communication path. They simply cannot consistently affect
the performance of the network components in the middle.
Unfortunately, this "middle" is exactly where the Internet fits into the architecture. Any cost
savings that a VPN provides can be quickly negated if users are forced to sacrifice QoS (quality
of service) beyond certain limits. Until a standard QoS mechanism becomes ubiquitous, end-to-
end performance guarantees will be hard to implement.
As a partial remedy several Internet Service Providers (ISPs) are offering managed VPN
services, which combine security capabilities with QoS guarantees. For example, GE
Internetworking provides a managed VPN service that combines an IPSec-based VPN solution
from TimeStep Corporation with guaranteed availability of 99.9%, and round-trip latency of less
than or equal to 125 milliseconds. This type of service can be an excellent choice for site-to-site
connectivity and is made possible by the fact that ISPs "own the plumbing." Unfortunately, the
performance guarantees only apply to traffic within the network controlled by the ISP. Once it
passes onto another ISP's portion of the Internet, all bets are off.
This article has described how applications deployed across the Internet today are increasingly
mission-critical, whereby poor performance or a lack of security can jeopardize business
success. VPNs can play a major role in ensuring that these risks are mitigated. By addressing
security and performance issues, a VPN can be a viable alternative to dedicated, private
network links. Understanding the myriad VPN solutions can help organizations build
infrastructures that will support their tactical business needs today as well as their strategic
business needs for tomorrow.

VPN and IPSec. Virtual Private Network and Internet Protocol Security.

VPN Security: IPSec
Internet Protocol Security (IPSec) provides enhanced security features such as better encryption algorithms and more comprehensive authentication.

IPSec has two encryption modes: tunnel and transport. Tunnel encrypts the header and the payload of each packet while transport only encrypts the payload. Only
systems that are IPSec compliant can take advantage of this protocol. Also, all devices must use a common key and the firewalls of each network must have very
similar security policies set up. IPSec can encrypt data between various devices, such as:
Router to router
Firewall to router
PC to router
PC to server
See also VPNs: IPSec vs SSL

Glossary of VPN and Security
Access Control
Refers to mechanisms and policies which restrict access to computer resources. An access
control list (ACL), for example, specifies what operations different users can perform on specific
files and directories.
Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES) is a Federal Information Processing Standard (FIPS),
specifically, FIPS Publication 197, that specifies a cryptographic algorithm for use by U.S.
Government organizations to protect sensitive, unclassified information. AES is based on the
Rijndael algorithm.
Anti-Replay Service
With anti-replay service, each IP packet passing within the secure association is tagged with a
sequence number. On the receiving end, each packet's sequence number is checked to see if it
falls within a specified range. If an IP packet tag number falls outside of the range, the packet is
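The sequence-number check described in this entry, as an added example that is not the page's or any IPsec stack's code: a sliding receive window of the kind RFC 4303 describes for ESP anti-replay, run over a constructed trace of packet sequence numbers. The window size (64) is an assumption; IPsec requires at least 32.

```python
class AntiReplayWindow:
    """Receiver-side replay check for one security association. Sequence
    numbers to the right of the window advance it, numbers inside the window
    are accepted once, numbers left of the window or already seen are dropped."""

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("IPsec requires an anti-replay window of at least 32")
        self.size = size
        self.highest = 0     # highest sequence number accepted so far
        self.bitmap = 0      # bit i set => (highest - i) already received

    def check_and_update(self, seq):
        """Return True if the packet with sequence number `seq` is accepted
        (and record it), False if it must be discarded."""
        if seq == 0:
            return False                 # 0 is never a valid ESP sequence number
        if seq > self.highest:
            # New high-water mark: slide the window right by the gap and mark
            # the new packet in the lowest bit. Bits shifted past `size` are
            # the packets that are now too old to matter.
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False                 # too old: fell off the left edge
        if self.bitmap & (1 << diff):
            return False                 # duplicate of a packet already seen
        self.bitmap |= 1 << diff         # late but new: accept and record
        return True


def filter_trace(sequence_numbers, size=64):
    """Run a list of received sequence numbers through a fresh window and
    return (seq, accepted) pairs, in arrival order."""
    window = AntiReplayWindow(size)
    return [(s, window.check_and_update(s)) for s in sequence_numbers]


if __name__ == "__main__":
    # Constructed arrival order: reordering (2 after 3), a replayed packet (2),
    # a large jump (100), one packet that is now too old (36), one just inside.
    for seq, ok in filter_trace([1, 3, 2, 2, 100, 36, 37]):
        print(f"seq {seq:3d}: {'accept' if ok else 'drop'}")
```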
Application Gateway Firewall
Application gateways look at data at the application layer of the protocol stack and serve as
proxies for outside users, intercepting packets and forwarding them to the application. Thus,
outside users never have a direct connection to anything beyond the firewall. The fact that the
firewall looks at this application information means that it can distinguish among such things as
Telnet, file transfer protocol (FTP), or Lotus Notes traffic. Because the application gateway
understands these protocols, it provides security for each application it supports.
ARP (Address Resolution Protocol)
A protocol used to obtain the physical addresses (such as MAC addresses) of hardware units in
a network environment. A host obtains such a physical address by broadcasting an ARP request,
which contains the IP address of the target hardware unit. If the request finds a unit with that
IP address, the unit replies with its physical hardware address.
Asymmetrical Key Exchange
Asymmetric or public key cryptography is based on the concept of a key pair. Each half of the
pair (one key) can encrypt information so that only the other half (the other key) can decrypt it.
One part of the key pair, the private key, is known only by the designated owner; the other
part, the public key, is published widely but is still associated with the owner.
Authentication
The process of determining the identity of a user that is attempting to access a network.
Authentication occurs through challenge/response, time-based code sequences or other
techniques. See CHAP and PAP.
Authentication Header (AH)
The Authentication Header is a mechanism for providing strong integrity and authentication for
IP datagrams. It might also provide non-repudiation, depending on which cryptographic
algorithm is used and how keying is performed. For example, use of an asymmetric digital
signature algorithm, such as RSA, could provide non-repudiation.
Authorization
The process of determining what types of activities or access are permitted on a network.
Usually used in the context of authentication: once you have authenticated a user, they may be
authorized to have access to a specific service.
Bandwidth
Generally speaking, bandwidth is directly proportional to the amount of data transmitted or
received per unit time. In digital systems, bandwidth is proportional to the data speed in bits
per second (bps). Thus, a modem that works at 57,600 bps has twice the bandwidth of a
modem that works at 28,800 bps.
Bastion host
A specific host that is used to intercept packets entering or leaving a network, and the system
that any outsider must ordinarily connect with to access a system or service that is inside the
network's firewall. Typically the bastion host must be highly secured because it is vulnerable to
attack due to its placement.
Buffer Overflow Attack
A buffer overflow attack works by exploiting a known bug in one of the applications running on
a server. It then causes the application to overlay system areas, such as the system stack, thus
gaining administrative rights. In most cases, this gives a hacker complete control over the
system. Also referred to as stack overflow.
CA Signature
A digital code that vouches for the authenticity of a digital certificate. The CA signature is
provided by the certificate authority (CA) that issued the certificate.
Certificate Authority (CA)
A certificate authority is an authority in a network that issues and manages security credentials
and public keys for message encryption and decryption. As part of a public key infrastructure
(PKI), a CA checks with a registration authority (RA) to verify information provided by the
requestor of a digital certificate. If the RA verifies the requestor's information, the CA can then
issue a certificate.
Challenge-Response
A common authentication technique whereby an individual is prompted (the challenge) to
provide some private information (the response). Most security systems that rely on smart
cards are based on challenge-response. A user is given a code (the challenge) which he or she
enters into the smart card. The smart card then displays a new code (the response) that the
user can present to log in.
CHAP (Challenge-Handshake Authentication Protocol)
An authentication technique where after a link is established, a server sends a challenge to the
requestor. The requestor responds with a value obtained by using a one-way hash function. The
server checks the response by comparing it with its own calculation of the expected hash value. If
the values match, the authentication is acknowledged; otherwise the connection is usually
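The CHAP exchange described in this entry, as an added example that is not the page's or any PPP implementation's code: the response is the MD5 hash over the one-octet identifier, the shared secret and the challenge, as RFC 1994 specifies, so the secret itself never crosses the link and a captured response is useless against the next challenge. The peer name and secret are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed peer table on the authenticating server: peer name -> shared secret.
PEER_SECRETS = {b"branch-router": b"correct horse battery staple"}


def chap_challenge(length=16):
    """Server: a fresh, unpredictable challenge for this link (RFC 1994 leaves
    the length to the implementation; 16 octets is common)."""
    return secrets.token_bytes(length)


def chap_response(identifier, secret, challenge):
    """Requestor: one-way hash over Identifier || secret || Challenge.
    RFC 1994 mandates MD5 here; the secret is never sent."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, name, challenge, response, peers=PEER_SECRETS):
    """Server: recompute the expected hash for the claimed peer and compare in
    constant time. Unknown peers fail without leaking which check failed."""
    secret = peers.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(name, peer_secret, identifier=1, challenge=None):
    """Simulate both ends of one CHAP round and return the server's verdict.
    `challenge` may be fixed by the caller to make the round reproducible."""
    challenge = chap_challenge() if challenge is None else challenge   # server -> requestor
    response = chap_response(identifier, peer_secret, challenge)     # requestor -> server
    return chap_verify(identifier, name, challenge, response)


if __name__ == "__main__":
    print("good secret:", chap_exchange(b"branch-router", b"correct horse battery staple"))
    print("bad secret: ", chap_exchange(b"branch-router", b"guessed password"))
```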
Checksum or hash
A checksum is a count of the number of bits in a transmission unit that is included with the unit
so that the receiver can check to see whether the same number of bits arrived. If the counts
match, it's assumed that the complete transmission was received.
Circuit-level gateways
Circuit-level gateways run proxy applications at the session layer instead of the application
layer. They can't distinguish different applications that run on the same protocol stack.
However, these gateways don't need a new module for every new application, either. Circuit-
level gateway is a firewall feature which can, when needed, serve as an alternative to packet
filtering or application gateway functionality.
Client
A client is the requesting program or user in a client/server relationship. For example, the user
of a Web browser is effectively making client requests for pages from servers all over the Web.
The browser itself is a client in its relationship with the computer that is getting and returning
the requested HTML file.
Content filtering, scanning or screening
The ability to review the actual information that an end user sees when using a specific Internet
application. For example, the content of e-mail.
Cookie
A message given to a Web browser by a Web server. The browser stores the message in a text
file called cookie.txt. The message is then sent back to the server each time the browser
requests a page from the server.
CoS (Class of Service)
Class of Service (CoS) is a way of managing traffic in a network by grouping similar types of
traffic (for example, e-mail, streaming video, voice, large document file transfer) together and
treating each type as a class with its own level of service priority.
A RedCreek hardware implementation that offloads the heavy computational load usually
imposed by cryptographic tasks, freeing system resources and thus allowing rapid encryption.
Cryptography
A branch of complex mathematics and engineering devoted to protecting information from
unwanted access. In the context of computer networking, cryptography consists of encryption,
authentication, and authorization.
Daemon
A program that runs continuously and exists for the purpose of handling periodic service
requests that a computer system expects to receive. The daemon program forwards the
requests to other programs (or processes) as appropriate. Each server of pages on the Web has
an HTTPD or Hypertext Transfer Protocol daemon that continually waits for requests to come in
from Web clients and their users.
Data driven attack
A form of intrusion in which the attack is encoded in seemingly innocuous data, and it is
subsequently executed by a user or other software to actually implement the attack.
DES (Data Encryption Standard)
A widely-used method of data encryption using a private (secret) key that was judged so
difficult to break by the U.S. government that it was restricted for exportation to other
countries. There are 72,000,000,000,000,000 (72 quadrillion) or more possible encryption keys
that can be used. For each given message, the key is chosen at random from among this
enormous number of keys. Like other private key cryptographic methods, both the sender and
the receiver must know and use the same private key.
Denial of service attack
A user or program takes up all the system resources by launching a multitude of requests,
leaving no resources and thereby "denying" service to other users. Typically, denial-of-service
attacks are aimed at bandwidth control.
DHCP (Dynamic Host Configuration Protocol)
DHCP enables individual computers on an IP network to extract their configurations from a
server (the 'DHCP server') or servers, in particular, servers that have no exact information about
the individual computers until they request the information. The overall purpose of this is to
reduce the work necessary to administer a large IP network. The most significant piece of
information distributed in this manner is the IP address.
Diffie-Hellman
The Diffie-Hellman Method For Key Agreement allows two hosts to create and share a secret
key. VPNs operating on the IPSec standard use the Diffie-Hellman method for key management.
Key management in IPSec begins with the overall framework called the Internet Security
Association and Key Management Protocol (ISAKMP). Within that framework is the Internet Key
Exchange (IKE) protocol. IKE relies on yet another protocol known as OAKLEY and it uses Diffie-
DiffServ (Differentiated Services)
Differential service mechanisms allow providers to allocate different levels of service to
different users of the Internet. Broadly speaking, any traffic management or bandwidth control
mechanism that treats different users differently - ranging from simple Weighted Fair Queuing
to RSVP and per-session traffic scheduling - counts. However, in common Internet usage the
term is coming to mean any relatively simple, lightweight mechanism that does not depend
entirely on per-flow resource reservation.
Digital Certificate
A digital certificate is an electronic "credit card" that establishes your credentials when doing
business or other transactions on the Web. It is issued by a certification authority (CA). It
contains your name, a serial number, expiration dates, a copy of the certificate holder's public
key (used for encrypting and decrypting messages and digital signatures), and the digital
signature of the certificate-issuing authority so that a recipient can verify that the certificate is
Digital Signature
A digital signature is an electronic rather than a written signature that can be used by someone
to authenticate the identity of the sender of a message or of the signer of a document. It can
also be used to ensure that the original content of the message or document that has been
conveyed is unchanged. Additional benefits to the use of a digital signature are that it is easily
transportable, cannot be easily repudiated, cannot be imitated by someone else, and can be
automatically time-stamped.
DMZ (de-militarized zone)
A network added between a protected network and an external network in order to provide an
additional layer of security. Sometimes called a perimeter network.
DNS (Domain Name System)
The Internet protocol for mapping host names, domain names and aliases to IP addresses.
DNS spoofing
Breaching the trust relationship by assuming the DNS name of another system. This is usually
accomplished by either corrupting the name service cache of a victim system or by
compromising a domain name server for a valid domain.
Domain Name
The unique name used to identify an Internet network.
Domain name server
A repository of addressing information for specific Internet hosts. Name servers use the domain
name system to map IP addresses to Internet hosts.
DSL (Digital Subscriber Line)
DSL (Digital Subscriber Line) is a technology for bringing high-bandwidth information to homes
and small businesses over ordinary copper telephone lines. xDSL refers to different variations of
DSL, such as ADSL, HDSL, and RADSL. A DSL line can carry both data and voice signals and the
data part of the line is continuously connected.
DSS (Digital Signature Standard)
The Digital Signature Standard (DSS) is a cryptographic standard promulgated by the National
Institute of Standards and Technology (NIST) in 1994. It has been adopted as the federal
standard for authenticating electronic documents, much as a written signature verifies the
authenticity of a paper document.
Dual-homed gateway
A system that has two or more network interfaces, each of which is connected to a different
network. In firewall configurations, a dual-homed gateway usually acts to block or filter some or
all of the traffic trying to pass between the networks.
e-business ("electronic business," derived from such terms as "e-mail" and "e-commerce") is
the conduct of business on the Internet, not only buying and selling but also servicing
customers and collaborating with business partners.
e-commerce (electronic commerce or EC) is the buying and selling of goods and services on the
Internet, especially the World Wide Web. In practice, this term and e-business are often used
interchangeably. For online retail selling, the term e-tailing is sometimes used.
Encryption
Scrambling data in such a way that it can only be unscrambled through the application of the
correct cryptographic key.
Encryption-In-Place (EIP)
A security mode in which a Ravlin unit encrypts the IP packet's payload only (without encrypting
the packet header). Because EIP does not require encryption of the IP header or encapsulation
of the IP packet, overhead is lower and performance enhanced.
Endpoint Group
In a policy enforced network, an endpoint group represents subnets or an individual host
protected by a security appliance. By creating and configuring endpoint groups, you can permit
hosts in one subnet to exchange data securely with hosts in another subnet. Endpoint groups
along with their associated policy enforcement points are generally members of a policy group.
Enterprise Object
Within a policy enforced network, the enterprise is the highest-level object category. It
encompasses all management domains and all lower-level divisions in the organization's secure
networking environment.
ESP (Encapsulated Security Payload)
The Encapsulating Security Payload provides confidentiality for IP datagrams or packets, which
are the message units that the Internet Protocol deals with and that the Internet transports, by
encrypting the payload data to be protected. I
Ethernet
A local-area network (LAN) protocol developed by Xerox Corporation in cooperation with DEC
and Intel in 1976. Ethernet uses a bus or star topology and supports data transfer rates of
A filter is a program or section of code that is designed to examine each input or output request
for certain qualifying criteria and then process or forward it accordingly.
A firewall is a program that protects the resources of one network from users from other
networks. Typically, an enterprise with an intranet that allows its workers access to the wider
Internet will want a firewall to prevent outsiders from accessing its own private data resources.
Firewall denial-of service
The firewall is specifically subjected to a denial-of-service attack.
FTP (File Transfer Protocol)
FTP is the simplest way to exchange files between computers on the Internet. Like the
Hypertext Transfer Protocol (HTTP), which transfers displayable Web pages and related files,
and the Simple Mail Transfer Protocol (SMTP), which transfers e-mail, FTP is an application
protocol that uses the Internet's TCP/IP protocols.
A gateway is a network point that acts as an entrance to another network. In a company
network, a proxy server acts as a gateway between the internal network and the Internet. A
gateway may also be any machine or service that passes packets from one network to another
network in their trip across the Internet.
Hacker is a term used by some to mean "a clever programmer" and by others, especially
journalists or their editors, to mean "someone who tries to break into computer systems."
Highjacking or hijacking
Control of a connection is taken by the attacker after the user authentication has been
HMAC (Hash-based Message Authentication Code)
HMAC is a hash function based message authentication code that was designed to meet the
requirements of the IPsec working group in the IETF, and is now a standard.
HTML (HyperText Markup Language)
A standard set of commands used to structure documents and format text so that it can be
used on the Web.
HTTP (HyperText Transfer Protocol)
HTTP is the set of rules for exchanging files (text, graphic images, sound, video, and other
multimedia files) on the World Wide Web. Relative to the TCP/IP suite of protocols (which are
the basis for information exchange on the Internet), HTTP is an application protocol.
HTTPS (Secure Hypertext Transfer Protocol)
The secure hypertext transfer protocol (HTTPS) is a communications protocol designed to
transfer encrypted information between computers over the World Wide Web. HTTPS is HTTP
using a Secure Sockets Layer (SSL).
Hybrid Auth
The Hybrid Auth extension allows the asymmetric use of digital certificates between client and
server. The client verifies the authenticity of the server's credentials (certificate), and the server
verifies the authenticity of the client's credentials. Companies benefit from the interoperability
of standards-based IPSec with IKE as well as the increased security of the PKI at the central site,
with no disruption to remote users.
ICSA (International Computer Security Association)
An organization with the mission to continually improve commercial computer security through
certification of firewalls, anti-virus products and web sites. ICSA also shares and disseminates
information concerning information security.
Insider attack
An attack originating from inside a protected network.
Internet Key Exchange (IKE)
A hybrid protocol whose purpose is to negotiate, and provide authenticated keying material for,
security associations in a protected manner. Processes which implement this protocol can be
used for negotiating virtual private networks (VPNs) and also for providing a remote user from
a remote site (whose IP address need not be known beforehand) access to a secure host or
Intrusion detection
Detection of break-ins or break-in attempts by reviewing logs or other information available on
a network.
IP (Internet Protocol)
The Internet Protocol is the method or protocol by which data is sent from one computer to
another on the Internet. Each computer (known as a host) on the Internet has at least one
address that uniquely identifies it from all other computers on the Internet.
IP spoofing
An attack where the attacker impersonates a trusted system by using its IP network address.
IP hijacking
An attack where an active, established session is intercepted and taken over by the attacker.
May take place after authentication has occurred which allows the attacker to assume the role
of an already authorized user.
IPSec (Internet Protocol Security)
A developing standard for security at the network or packet processing layer of network
communication. IPSec provides two choices of security service: Authentication Header (AH),
which essentially allows authentication of the sender of data, and Encapsulating Security
Payload (ESP), which supports both authentication of the sender and encryption of data as well.
ISDN (Integrated Services Digital Network)
A set of communications standards allowing a single wire or optical fibre to carry voice, digital
network services and video. ISDN gives a user up to 56 kbps of data bandwidth on a phone line
that is also used for voice, or up to 128 kbps if the line is only used for data.
Kerberos was created by MIT as a solution to network security problems. The Kerberos protocol
uses strong cryptography so that a client can prove its identity to a server (and vice versa)
across an insecure network connection. After a client and server have used Kerberos to prove
their identity, they can also encrypt all of their communications to assure privacy and data
integrity as they go about their business.
In cryptography, a key is a variable value that is applied using an algorithm to a string or block
of unencrypted text to produce encrypted text. The length of the key generally determines how
difficult it will be to decrypt the text in a given message.
Key Management
The establishment and enforcement of message encryption and authentication procedures, in
order to provide privacy-enhanced mail (PEM) services for electronic mail transfer over the
L2TP (Layer 2 Tunneling Protocol)
Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol
(PPTP) used by an Internet service provider (ISP) to enable the operation of a VPN over the
Internet. L2TP merges the features of two other tunneling protocols: PPTP from Microsoft and
L2F from Cisco Systems.
LDAP (Lightweight Directory Access Protocol)
LDAP (Lightweight Directory Access Protocol) is an emerging software protocol for enabling
anyone to locate organizations, individuals, and other resources such as files and devices in a
network, whether on the Internet or on a corporate intranet. LDAP is a "lightweight" (smaller
amount of code) version of DAP (Directory Access Protocol), which is part of X.500, a standard
for directory services in a network.
Litigation Protection
Litigation protection is both the review and recording of Internet, intranet and extranet
communications that is done in order to avoid litigation or the documentation of the
communications parties and content in the event of litigation.
MAC (Media Access Control)
On a network, the MAC (Media Access Control) address is your computer's unique hardware
number. The MAC address is used by the Media Access Control sublayer of the Data-Link
Control (DLC) layer of telecommunication protocols. There is a different MAC sublayer for each
physical device type. The Data-Link Layer is the protocol layer in a program that handles the
moving of data in and out across a physical link in a network.
Management Domain
In a policy enforced network, a management domain consists of one or more policy groups. A
management domain usually encompasses a large category of users. For example, a
management domain might contain all users who work with an organization's financial data or
with an insurance company's patient records. Management domains may also be specific to
business relationships such as extranet partnerships or branch-office data transfer.
A view of individual user activity on a network, generally in real time. Provides administrators
with the ability to view the content of user utilized applications.
MPLS (Multiprotocol Label Switching)
A base technology for using label switching in conjunction with network layer routing and for
the implementation of that technology over various link level technologies, which may include
Packet-over-Sonet, Frame Relay, ATM, and Ethernet.
NAPT (Network Address Port Translation)
NAPT is a special case of NAT, where many IP numbers are hidden behind a number of
addresses, but in contrast to the original NAT this does not mean there can be only that
number of connections at a time. In NAPT an almost arbitrary number of connections is
multiplexed using TCP port information. The number of simultaneous connections is limited by
the number of addresses multiplied by the number of TCP ports available.
NAR (Network Address Retention)
A simplified IP addressing capability that eliminates the need to establish an intermediate IP
address between a router and a firewall. Sometimes called Proxy-ARP. This feature allows the
implementation of a firewall into an existing network without having to establish a new IP
address scheme.
NAT (Network Address Translation)
Network Address Translation allows your Intranet to use addresses that are different from what
the outside Internet thinks you are using. It permits many users to share a single external IP
address at the same time. The NAT provides what some people call "address hiding", which is,
as it suggests, security through obscurity at best.
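The port multiplexing described in the NAPT entry, and the single shared external address of the NAT entry, as an added simulation (not code from the glossary). A translator in front of one public address rewrites the source of each outbound connection to a distinct public port, rewrites replies back, drops unsolicited inbound packets that match no mapping, and refuses new connections once its port pool is exhausted. All addresses and ports are constructed values from the RFC 5737 documentation ranges.

```python
"""Minimal NAPT model: many internal hosts share one public IP via distinct ports."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: bytes = b""


class Napt:
    def __init__(self, public_ip: str, first_port: int, last_port: int):
        self.public_ip = public_ip
        # The usable port range bounds how many connections can be multiplexed at once.
        self.free_ports = list(range(first_port, last_port + 1))
        # (internal src, external dst) -> allocated public port
        self.out_table: Dict[Tuple[Endpoint, Endpoint], int] = {}
        # (public port, external host) -> internal src
        self.in_table: Dict[Tuple[int, Endpoint], Endpoint] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an internal->external packet; None means the connection was dropped."""
        key = (pkt.src, pkt.dst)
        port = self.out_table.get(key)
        if port is None:
            if not self.free_ports:
                return None  # port pool exhausted: no mapping can be created
            port = self.free_ports.pop(0)
            self.out_table[key] = port
            self.in_table[(port, pkt.dst)] = pkt.src
        return Packet((self.public_ip, port), pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an external->public packet back to the internal host, if a mapping exists."""
        if pkt.dst[0] != self.public_ip:
            return None
        internal = self.in_table.get((pkt.dst[1], pkt.src))
        if internal is None:
            return None  # unsolicited: nothing inside asked for this, so it is dropped
        return Packet(pkt.src, internal, pkt.payload)

    def active_connections(self) -> int:
        return len(self.out_table)


def demo() -> Tuple[Optional[Packet], Optional[Packet], Optional[Packet], Optional[Packet]]:
    """Constructed scenario: a three-port pool serving four internal hosts."""
    nat = Napt("203.0.113.5", 40000, 40002)
    web = ("198.51.100.10", 80)
    a = nat.outbound(Packet(("10.0.0.2", 5555), web))
    b = nat.outbound(Packet(("10.0.0.3", 5555), web))  # same inner port, distinct public port
    c = nat.outbound(Packet(("10.0.0.4", 1234), web))
    d = nat.outbound(Packet(("10.0.0.5", 1234), web))  # None: pool of three ports is used up
    reply = nat.inbound(Packet(web, a.src, b"HTTP/1.1 200 OK"))
    return a, d, reply, nat.inbound(Packet(("192.0.2.9", 443), ("203.0.113.5", 40000)))


if __name__ == "__main__":
    print(demo())
```

The two-table layout mirrors why NAT is "address hiding" rather than a security control: inbound traffic is dropped only because no mapping exists for it, and any packet that matches an existing mapping is forwarded regardless of its contents.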
NAT Traversal
To enable IPsec VPNs to work with NAT devices, some of the leading technology companies
created a solution coined NAT Traversal, which is currently an IETF draft standard. The main
technology behind this solution is UDP (User Datagram Protocol) encapsulation, wherein the
IPsec packet is wrapped inside a UDP/IP header, allowing NAT devices to change IP or port
addresses without modifying the IPsec packet.
Network Service Access Policy
A high level, issue specific policy which defines those services that will be allowed or explicitly
denied from a restricted network, the way in which these services will be used, and the
conditions for exceptions to the policy.
The goal of nonrepudiation is to prove that a message has been sent and received. This is
extremely important in networks where commands and status must be issued and responded
to, where financial transactions must be verifiably completed, and where signed contracts are
A packet is the unit of data that is routed between an origin and a destination on the Internet
or any other packet-switched network. When any file (e-mail message, HTML file, GIF file, URL
request, and so forth) is sent from one place to another on the Internet, the Transmission
Control Protocol (TCP) layer of TCP/IP divides the file into "chunks" of an efficient size for
routing. Each of these packets is separately numbered and includes the Internet address of the
destination. The individual packets for a given file may travel different routes through the
Internet. When they have all arrived, they are reassembled into the original file (by the TCP
layer at the receiving end).
Packet Filters
Packet filters keep out certain data packets based on their source and destination addresses
and service type. Filters can be used to block connections from or to specific hosts, networks or
ports. Packet filters are simple and fast. However, they make decisions based on a very limited
amount of information.
Packet Sniffing
Intercepting packets of information (including such things for example as a credit card number)
that are traveling between locations on the Internet.
PEAP (Protected Extensible Authentication Protocol)
A protocol for securely transporting authentication data including passwords over 802.11
wireless networks. Like the competing standard Tunneled Transport Layer Security (TTLS), PEAP
makes it possible to authenticate wireless LAN clients without requiring them to have
certificates, simplifying the architecture of secure wireless LANs.
PGP (Pretty Good Privacy)
A cryptographic product family that enables people to securely exchange messages, and to
secure files, disk volumes and network connections with both privacy and strong
Ping of Death Attack
A notorious exploit that (when first discovered) could be easily used to crash a wide variety of
machines by overrunning the size limits in their TCP/IP stacks. The term is now used to refer to
any nudge delivered by hackers over the network that causes bad things to happen on the
system being nudged.
PKCS (Public-Key Cryptography Standards)
The Public-Key Cryptography Standards are specifications produced by RSA Laboratories in
cooperation with secure systems developers worldwide for the purpose of accelerating the
deployment of public-key cryptography. First published in 1991 as a result of meetings with a
small group of early adopters of public-key technology, the PKCS documents have become
widely referenced and implemented.
PKI (Public Key Infrastructure)
A PKI (public key infrastructure) enables users of a basically unsecure public network such as
the Internet to securely and privately exchange data and money through the use of a public and
a private cryptographic key pair that is obtained and shared through a trusted authority.
Platform attack
An attack that focuses on vulnerabilities in the operating system hosting the firewall.
PPP (Point-to-Point Protocol)
Point-to-Point Protocol (PPP) is a protocol for communication between two computers using a
serial interface, typically a personal computer connected by phone line to a server.
PPPoE (Point-to-Point Protocol over Ethernet)
PPP over Ethernet (PPPoE) provides the ability to connect a network of hosts over a simple
bridging access device to a remote Access Concentrator (Server).
PPTP (Point-to-Point Tunneling Protocol)
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that is designed to encapsulate
the LAN protocols IPX and AppleTalk within IP, for the secure transfer of data from a remote
client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-
based data networks. PPTP supports on-demand, multi-protocol, virtual private networking
over public networks, such as the Internet.
Policy Enforced Network (PEN)
A Policy Enforced Network is a management architecture in which the creation, delivery and
enforcement of business rules in an information network are defined and automated. Policy
Enforced Networking is designed to bring structure and organization to information networks
whether they are within a campus or are distributed around the globe.
Policy Enforcement Points (PEP)
In a policy enforced network, a policy enforcement point represents a security appliance used
to protect one or more endpoints. PEPs are also points for monitoring the health and status of a
network. PEPs are generally members of a policy group.
Policy Groups
In a policy enforced network (PEN), a policy group represents endpoint groups and their
associated policy enforcement points. A policy group also contains business rules concerning
membership, access privileges, and traffic flow (including data authentication, encryption, and
address translation). In most cases, a policy group's members are related to each other in ways
useful to the organization. Policy groups are generally members of a management domain.
Policy Management Zone (PMZ)
The Policy Management Zone protects communications between trusted parties and firewalls
access to untrusted domains in an information network.
Policy Rules
In a policy enforced network (PEN), policy rules determine how the members and endpoint
groups of a policy group communicate.
POP3 (Post Office Protocol 3)
An e-mail protocol used to retrieve e-mail from a remote server over an Internet connection.
Private Key
In cryptography, a private or secret key is an encryption/decryption key known only to the party
or parties that exchange secret messages. In traditional secret key cryptography, a key would
be shared by the communicators so that each could encrypt and decrypt messages. The risk in
this system is that if either party loses the key or it is stolen, the system is broken. A more
recent alternative is to use a combination of public and private keys. In this system, a public key
is used together with a private key.
Protocol
A special set of rules for communicating that the end points in a telecommunication connection
use when they send signals back and forth. Protocols exist at several levels in a
telecommunication connection. There are hardware telephone protocols. There are protocols
between the end points in communicating programs within the same computer or at different
locations. Both end points must recognize and observe the protocol. Protocols are often
described in an industry or international standard.
Protocol Attacks
A protocol attack is when the characteristics of network services are exploited by the attacker.
Examples include the creation of infinite protocol loops which result in denial of services (e.g.,
echo packets under IP), the use of information packets under the Network News Transfer
Protocol to map out a remote site, and use of the Source Quench protocol element to reduce
traffic rates through select network paths.
Proxy
An agent that acts on behalf of a user, typically accepting a connection from a user and
completing a connection on behalf of the user with a remote host or service. See also gateway
and proxy server.
Proxy Server
A proxy server is one that acts on behalf of one or more other servers, usually for screening,
firewall, caching, or a combination of these purposes. Gateway is often used as a synonym for
"proxy server." Typically, a proxy server is used within a company or enterprise to gather all
Internet requests, forward them out to Internet servers, and then receive the responses and in
turn forward them to the original requestor within the company.
Public Key
A public key is a value provided by some designated authority as a key that, combined with a
private key derived from the public key, can be used to effectively encrypt and decrypt
messages and digital signatures. The use of combined public and private keys is known as
asymmetric encryption. A system for using public keys is called a public key infrastructure (PKI).
QoS (Quality of Service)
On the Internet and in other networks, QoS is the idea that transmission rates, error rates, and
other characteristics can be measured, improved, and, to some extent, guaranteed in advance.
QoS is of particular concern for the continuous transmission of high-bandwidth video and
multimedia information.
RA (Registration Authority)
An RA (registration authority) is an authority in a network that verifies user requests for a
digital certificate and tells the certificate authority (CA) to issue it. RAs are part of a public key
infrastructure (PKI), a networked system that enables companies and users to exchange
information and money safely and securely.
RADIUS (Remote Authentication Dial-In User Service) is a client/server protocol and software
that enables remote access servers to communicate with a central server to authenticate dial-in
users and authorize their access to the requested system or service. RADIUS allows a company
to maintain user profiles in a central database that all remote servers can share.
Rijndael Algorithm
The algorithm used by the Advanced Encryption Standard (AES). Its characteristics are very
good performance in both hardware and software across a wide range of computing
environments regardless of its use in feedback or non-feedback modes. Rijndael's key setup
time is excellent, and its key agility is good. It has very low memory requirements making it very
well suited for restricted-space environments, in which it also demonstrates excellent
performance. Rijndael's operations are among the easiest to defend against power and timing
RIP (Routing Information Protocol)
The oldest routing protocol on the Internet and the most commonly used routing protocol on
local area IP networks. Routers use RIP to periodically broadcast which networks they know
how to reach.
Routing Agent
On the Internet, an agent (also called an intelligent agent) is a program that gathers information
or performs some other service without your immediate presence and on some regular
schedule. Typically, an agent program, using parameters you have provided, searches all or
some part of the Internet, gathers information you're interested in, and presents it to you on a
daily or other periodic basis.
RSA (Rivest-Shamir-Adleman)
One of the fundamental encryption algorithms or series of mathematical actions developed in
1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. The RSA algorithm is the most
commonly used encryption and authentication algorithm and is included as part of the Web
browsers from Netscape and Microsoft.
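The public/private key pair and the signing operation that the Digital Signature, Public Key, Private Key and RSA entries describe, as an added textbook illustration that is not the glossary's code. The primes are constructed and deliberately tiny so the arithmetic is visible; real deployments use moduli of 2048 bits or more, a padding scheme such as RSASSA-PSS, and a vetted library. Reducing the digest modulo n is a simplification made here only so it fits under the small modulus and is not part of any real RSA signature scheme.

```python
"""Textbook RSA: key generation, hash-then-sign, and verification."""
import hashlib
from math import gcd
from typing import Tuple

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)


def generate_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Derive (n, e) and (n, d) from two primes; d is the inverse of e modulo phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with phi(n)")
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def message_representative(message: bytes, n: int) -> int:
    """Hash the message and map the digest into Z_n (toy simplification, see lead-in)."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") % n


def sign(message: bytes, private_key: PrivateKey) -> int:
    """Only the holder of d can produce this value."""
    n, d = private_key
    return pow(message_representative(message, n), d, n)


def verify(message: bytes, signature: int, public_key: PublicKey) -> bool:
    """Anyone with (n, e) can check it; any change to the message breaks the match."""
    n, e = public_key
    return pow(signature, e, n) == message_representative(message, n)


# Constructed primes: 999983 and 1000003 are prime but far too small for real use.
PUBLIC, PRIVATE = generate_keypair(999983, 1000003)


def demo() -> bool:
    msg = b"Transfer 100 to account 42"
    sig = sign(msg, PRIVATE)
    genuine = verify(msg, sig, PUBLIC)
    # The same signature does not verify for an altered message (integrity)...
    tampered = verify(b"Transfer 900 to account 42", sig, PUBLIC)
    # ...and a signature made with someone else's private key does not verify either (authenticity).
    _, other_private = generate_keypair(999979, 1000003)
    forged = verify(msg, sign(msg, other_private), PUBLIC)
    return genuine and not tampered and not forged


if __name__ == "__main__":
    print("signature scheme behaves as expected:", demo())
```

Signing the hash rather than the message itself is what lets a fixed-size signature cover a document of any length, which is the "fingerprint" role the SHA-1 entry later describes.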
RSACi (Recreational Software Advisory Council on the Internet)
A computer software ratings system of Web site content developed by RSACI in response to the
passage of US federal legislation prohibiting the transmittal of offensive, or indecent, materials
over the Internet. RSACi was developed with the express intent of providing a simple, yet
effective rating system for web sites which protect both children, by providing and empowering
parents with detailed information about site content, and the rights of free speech of everyone
who publishes on the World Wide Web.
Rules
Criteria that are used to organize and control incoming messages automatically. When you set
up a rule, you designate the criteria that selects a specific class of messages and then you select
one or more actions to handle the messages that meet the criteria.
Screening router
A router configured to permit or deny traffic based on a set of permission rules installed by the
Security Association (SA)
A Security Association (SA) is a relationship between two or more entities that describes how
the entities will utilize security services to communicate securely. This relationship is
represented by a set of information that can be considered a contract between the entities. The
information must be agreed upon and shared between all the entities.
Secure Hash Algorithm-1 (SHA-1)
A one-way cryptographic function which takes a message produces a 160-bit message digest. A
message digest is a value generated for a message or document that is unique to that message,
and is sometimes referred to as a "fingerprint" of that message or data. Once a message digest
is computed, any subsequent change to the original data will, with a very high probability,
cause a change in the message digest, and the signature will fail to verify. This process is used
to compress large data strings to a 20-byte length which is used in a cryptographic process. The
reduced data length relieves computational requirements for data encryption.
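The digest property the SHA-1 entry states (any change to the data changes the 20-byte digest) and the keyed construction of the HMAC entry, shown together in one added example that is not the glossary's code. It also shows why a bare digest is not an integrity check by itself: whoever can alter the message can recompute the digest, whereas an HMAC cannot be recomputed without the secret key. Messages and the key are constructed sample values; SHA-1 is used only because the entry defines it and is no longer acceptable for signatures, so the HMAC uses SHA-256.

```python
"""Message digests versus keyed message authentication codes."""
import hashlib
import hmac


def sha1_digest(data: bytes) -> bytes:
    """160-bit (20-byte) SHA-1 fingerprint of the data."""
    return hashlib.sha1(data).digest()


def flip_one_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with a single bit inverted (constructed tampering)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def digest_only_check(data: bytes, digest: bytes) -> bool:
    """Integrity check with an unkeyed digest: anyone can recompute it."""
    return hmac.compare_digest(sha1_digest(data), digest)


def mac(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 tag; producing it requires the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_mac(key: bytes, data: bytes, tag: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(mac(key, data), tag)


def tampering_demo() -> dict:
    """Constructed scenario comparing the two checks against a one-bit alteration."""
    key = b"constructed-shared-secret"
    original = b"PAY 100.00 TO ACCOUNT 42"
    altered = flip_one_bit(original, 37)

    # Sender publishes message + digest; attacker swaps message and recomputes digest.
    attacker_digest = sha1_digest(altered)
    # Sender publishes message + HMAC; attacker has no key, so can only replay the old tag.
    sender_tag = mac(key, original)

    return {
        "digest_bits_changed": hamming_distance(sha1_digest(original), sha1_digest(altered)),
        "digest_only_accepts_forgery": digest_only_check(altered, attacker_digest),
        "hmac_accepts_original": verify_mac(key, original, sender_tag),
        "hmac_accepts_forgery": verify_mac(key, altered, sender_tag),
    }


if __name__ == "__main__":
    for name, value in tampering_demo().items():
        print(f"{name}: {value}")
```

The Hamming distance between the two digests is typically close to half of the 160 bits, which is the "with a very high probability" in the entry made concrete: a one-bit change in the input does not produce a one-bit change in the fingerprint.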
Self-signed Certificate
A self-signed certificate uses its own certificate request as a signature rather than the signature
of a CA. A self-signed certificate will not provide the same functionality as a CA-signed
certificate. A self-signed certificate will not be automatically recognized by users' browsers, and
a self-signed certificate does not provide any guarantee concerning the identity of the
organization that is providing the website.
Session Layer
In the Open Systems Interconnection (OSI) communications model, the Session layer
(sometimes called the "port layer") manages the setting up and taking down of the association
between two communicating end points that is called a connection. A connection is maintained
while the two end points are communicating back and forth in a conversation or session of
some duration. Some connections and sessions last only long enough to send a message in one
direction. However, other sessions may last longer, usually with one or both of the
communicating parties able to terminate it.
Shared Secret
An authentication method used to establish trust between computers in a VPN that utilizes a
password, also termed pre-shared authentication keys, for establishing trust, not for application
data packet protection.
SLIP (Serial Line Internet Protocol)
SLIP is a TCP/IP protocol used for communication between two machines that are previously
configured for communication with each other. SLIP has been largely supplanted by PPP.
SMTP (Simple Mail Transport Protocol)
The standard protocol used for Internet e-mail messages.
SNMP (Simple Network Management Protocol)
The protocol governing network management and the monitoring of network devices and their
Social engineering
An attack based on tricking or deceiving users or administrators into revealing passwords or
other information that compromises a target system's security. Social engineering attacks are
typically carried out by telephoning users or operators and pretending to be an authorized user.
Source Routing
Normal IP packets have only source and destination addresses in their headers, leaving the
actual route taken to the routers in between the source and the destination. Source-routed IP
packets have additional information in the header that specifies the route the packet should
take. This additional routing is specified by the source host, hence the name source-routed.
Source-Route Attack
A form of spoofing whereby the routing, as indicated in the source routed packet, is not coming
from a trusted source and therefore the packet is being routed illicitly.
Spoofing
The term for establishing a connection with a forged sender address. This normally involves
exploiting a trust relationship that exists between source and destination addresses/systems.
SSH (Secure Shell)
A protocol which permits secure remote access over a network from one computer to another.
SSH negotiates and establishes an encrypted connection between an SSH client and an SSH
SSL (Secure Sockets Layer)
A program layer created by Netscape for managing the security of message transmissions in a
network. Netscape's idea is that the programming for keeping your messages confidential
ought to be contained in a program layer between an application (such as your Web browser or
HTTP) and the Internet's TCP/IP layers. The "sockets" part of the term refers to the sockets
method of passing data back and forth between a client and a server program in a network or
between program layers in the same computer.
S/WAN (Secure Wide Area Network)
An initiative to promote the deployment of Internet based Virtual Private Networks (VPN)
Symmetric Encryption
The oldest form of key-based cryptography is called secret-key or symmetric encryption. In this
scheme, both the sender and recipient possess the same key, which means that both parties
can encrypt and decrypt data with the key.
SYN Flood Attack
A TCP connection is initiated when a client issues a request to a server with the SYN flag set in
the TCP header. Normally the server will issue a SYN/ACK back to the client identified by the 32-
bit source address in the IP header. The client will then send an ACK to the server and data
transfer can commence. When the client IP address is spoofed (changed) to be that of an
unreachable host, however, the targeted TCP cannot complete the three-way hand-shake and
will keep trying until it times out. That is the basis for the attack.
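The defender's view of the handshake failure the SYN Flood entry explains, as an added example that is not the glossary's code. What a flood leaves behind on the target is a backlog of connections stuck in SYN_RECV (SYN received, final ACK never returned), usually from many distinct sources, while established connections stay flat. The code parses connection-table lines in the shape `ss -tan` or `netstat -tan` print, counts half-open entries per local port and flags ports over a threshold. The table and threshold are constructed sample values using RFC 5737 documentation addresses.

```python
"""Half-open connection accounting over a connection-state table."""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Conn(NamedTuple):
    state: str
    local_port: int
    remote_ip: str


# Constructed sample: "STATE LOCAL_IP:PORT REMOTE_IP:PORT" per line.
SAMPLE_TABLE = """\
ESTAB     192.0.2.10:443  198.51.100.7:51234
ESTAB     192.0.2.10:443  198.51.100.8:51901
SYN-RECV  192.0.2.10:443  203.0.113.11:40001
SYN-RECV  192.0.2.10:443  203.0.113.12:40002
SYN-RECV  192.0.2.10:443  203.0.113.13:40003
SYN-RECV  192.0.2.10:443  203.0.113.14:40004
SYN-RECV  192.0.2.10:443  203.0.113.15:40005
SYN-RECV  192.0.2.10:22   198.51.100.9:60001
ESTAB     192.0.2.10:22   198.51.100.20:60002
"""


def parse_table(text: str) -> List[Conn]:
    """Parse state, local port and remote address; skips lines that do not fit the shape."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or ":" not in parts[1] or ":" not in parts[2]:
            continue
        state = parts[0].upper().replace("-", "_")  # ss prints SYN-RECV, netstat SYN_RECV
        _, local_port = parts[1].rsplit(":", 1)
        remote_ip, _ = parts[2].rsplit(":", 1)
        conns.append(Conn(state, int(local_port), remote_ip))
    return conns


def half_open_report(conns: List[Conn]) -> Dict[int, Dict[str, int]]:
    """Per local port: half-open count, established count, distinct half-open sources."""
    half_open_sources = defaultdict(set)
    half_open = defaultdict(int)
    established = defaultdict(int)
    for c in conns:
        if c.state == "SYN_RECV":
            half_open[c.local_port] += 1
            half_open_sources[c.local_port].add(c.remote_ip)
        elif c.state in ("ESTAB", "ESTABLISHED"):
            established[c.local_port] += 1
    ports = set(half_open) | set(established)
    return {
        p: {
            "half_open": half_open[p],
            "established": established[p],
            "distinct_sources": len(half_open_sources[p]),
        }
        for p in ports
    }


def flag_ports(conns: List[Conn], threshold: int) -> Dict[int, Dict[str, int]]:
    """Ports whose half-open backlog reaches the threshold and outnumbers established flows."""
    return {
        port: stats
        for port, stats in half_open_report(conns).items()
        if stats["half_open"] >= threshold and stats["half_open"] > stats["established"]
    }


if __name__ == "__main__":
    for port, stats in flag_ports(parse_table(SAMPLE_TABLE), threshold=4).items():
        print(f"port {port}: {stats}")
```

A single snapshot is noisy on a busy server; in practice the same counts are sampled over time and the alert is raised on a sustained rise, and the usual mitigation (SYN cookies) keeps the backlog from filling in the first place.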
TCP/IP (Transmission Control Protocol/Internet Protocol)
The standard family of protocols for communicating with Internet devices.
Telnet
A terminal emulation program for TCP/IP networks such as the Internet. The Telnet program
runs on your computer and connects your PC to a server on the network. You can then enter
commands through the Telnet program and they will be executed as if you were entering them
directly on the server console
Triple DES (3DES)
Triple DES is simply another mode of DES operation. It takes three 64-bit keys, for an overall key
length of 192 bits. The procedure for encryption is exactly the same as regular DES, but it is
repeated three times. Hence the name Triple DES. The data is encrypted with the first key,
decrypted with the second key, and finally encrypted again with the third key.
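The encrypt-decrypt-encrypt layering the Triple DES entry describes, as an added illustration that is not the glossary's code. DES itself is not in the standard library, so a constructed toy 64-bit block cipher (XOR with the key, a fixed rotation, then a modular add of the key) stands in for it; the toy has no security value and exists only so the three-stage structure can be run offline. Two properties of real 3DES are visible: decryption applies the inverse stages in reverse order, and choosing K1 = K2 = K3 collapses the construction to a single encryption, which is what keeps 3DES equipment interoperable with single-DES peers. Keys and plaintext are constructed values.

```python
"""EDE (encrypt-decrypt-encrypt) layering with a stand-in block cipher."""
MASK64 = (1 << 64) - 1
ROT = 13


def rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (64 - r))) & MASK64


def rotr(x: int, r: int) -> int:
    return ((x >> r) | (x << (64 - r))) & MASK64


def toy_encrypt(key: int, block: int) -> int:
    """NOT DES: placeholder 64-bit cipher used only to show the EDE structure."""
    return (rotl(block ^ key, ROT) + key) & MASK64


def toy_decrypt(key: int, block: int) -> int:
    """Exact inverse of toy_encrypt for the same key."""
    return rotr((block - key) & MASK64, ROT) ^ key


def ede_encrypt(block: int, k1: int, k2: int, k3: int) -> int:
    """Triple-DES style: encrypt with K1, decrypt with K2, encrypt with K3."""
    return toy_encrypt(k3, toy_decrypt(k2, toy_encrypt(k1, block)))


def ede_decrypt(block: int, k1: int, k2: int, k3: int) -> int:
    """Undo the stages in reverse order: decrypt with K3, encrypt with K2, decrypt with K1."""
    return toy_decrypt(k1, toy_encrypt(k2, toy_decrypt(k3, block)))


# Constructed 64-bit keys and one 8-byte plaintext block.
K1 = 0x0123456789ABCDEF
K2 = 0xFEDCBA9876543210
K3 = 0x0F1E2D3C4B5A6978
PLAINTEXT = int.from_bytes(b"8byteblk", "big")


def demo() -> dict:
    ciphertext = ede_encrypt(PLAINTEXT, K1, K2, K3)
    return {
        "round_trip_ok": ede_decrypt(ciphertext, K1, K2, K3) == PLAINTEXT,
        # Same key three times: E(D(E(m))) with one key is just E(m), the single-cipher case.
        "single_key_collapses": ede_encrypt(PLAINTEXT, K1, K1, K1) == toy_encrypt(K1, PLAINTEXT),
        "wrong_key_fails": ede_decrypt(ciphertext, K1, K2, K2) == PLAINTEXT,
    }


if __name__ == "__main__":
    print(demo())
```

The entry's "three 64-bit keys" count includes 8 parity bits per DES key, so the keying material that actually affects encryption is 168 bits, and the middle decryption stage is what gives backward compatibility rather than extra strength.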
Token Ring
A type of computer network in which all the computers are arranged (schematically) in a circle.
A token, which is a special bit pattern, travels around the circle. To send a message, a computer
catches the token, attaches a message to it, and then lets it continue to travel around the
Trojan horse
A software entity that appears to do something quite normal but which, in fact, contains a
trapdoor or attack program.
TTLS (Tunneled Transport Layer Security)
A proposed wireless security protocol that combines network-based certificates with other
authentication such as tokens or passwords. Also known as EAP-TTLS.
Tunneling
The path established by one network to send its data via another network's connections.
Tunneling works by encapsulating a network protocol within packets carried by the second
network. For example, Microsoft's PPTP technology enables organizations to use the Internet to
transmit data across a virtual private network (VPN). It does this by embedding its own network
protocol within the TCP/IP packets carried by the Internet.
Tunneling router
A router or system capable of routing traffic by encrypting it and encapsulating it for
transmission across an untrusted network, for eventual de-encapsulation and decryption.
UDP (User Datagram Protocol)
A connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP/IP, UDP/IP
provides very few error recovery services, offering instead a direct way to send and receive
datagrams over an IP network. It's used primarily for broadcasting messages over a network.
URL (Uniform Resource Locator)
An address in a standard format that locates a resource on the Internet and the Web. The type of
resource depends on the application protocol named in the URL. With the World Wide Web's
protocol, the Hypertext Transfer Protocol (HTTP), the resource can be an HTML page, an image
file, a program such as a CGI application, or any other file the server can deliver over HTTP.
A URL contains the name of the protocol (scheme) required to access the resource, a host name or
IP address that identifies a specific computer on the Internet, an optional port, and a
hierarchical path describing the file location on that computer, optionally followed by a query
string.
ULA (User Level Authentication)
User Level Authentication refers to the ability to tie the use of a VPN connection to a given
individual, on a specific machine, during a specific time period, by assigning each user a unique
username, as opposed to authenticating only the machine or a secret shared by a whole group. It
also implies that users cannot use the VPN anonymously.
VPN (Virtual Private Networking)
A VPN is a technology that overlays communications networks with a management and security
layer. Through VPN technology, network managers can set up secure relationships while still
enjoying the low cost of a public network such as the Internet.
WAP (Wireless Application Protocol)
An open global standard for communications between a mobile handset and the Internet or
other computer applications as defined by the WAP forum.
Web Attack
Any attack from the outside aimed at Web server vulnerabilities.
Web Browser
A Web browser is a client program that uses the Hypertext Transfer Protocol (HTTP) to make
requests of Web servers throughout the Internet on behalf of the browser user.
Web denial-of-service
A denial-of-service attack aimed specifically at a Web server: the attacker exhausts its
connections, CPU, memory or bandwidth so that legitimate users cannot reach it.
WEP (Wired Equivalent Privacy)
A security protocol for wireless local area networks (WLAN) defined in the original IEEE 802.11
standard (1997) and carried over into 802.11b. WEP was designed to give a wireless link the same
privacy as a wired LAN: it encrypts frames with the RC4 stream cipher under a 40- or 104-bit
shared key combined with a 24-bit per-frame IV, and checks integrity with a CRC-32 value (ICV).
Both parts are broken. The small IV space forces keystream reuse, so two frames with the same IV
leak the XOR of their plaintexts; the CRC is linear, so ciphertext can be modified and the ICV
patched without the key; and weaknesses in RC4's key schedule let an attacker recover the key
from captured traffic. WEP operates at the two lowest layers of the OSI model, the data link and
physical layers, so it protects only the radio hop and offers no end-to-end security. It should be
replaced by WPA2 or WPA3, or the WLAN treated as an open network with a VPN on top.
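Two of the WEP weaknesses described above, as an added example in Go that is not code from the original page: keystream reuse when the 24-bit IV repeats, and the linearity of CRC-32 letting an attacker alter an encrypted frame without knowing the key. The key, IV and frame contents are constructed for the demonstration; the frame layout (RC4 seeded with IV||key over plaintext||CRC-32) follows the WEP design, and the ICV byte order only needs to match between sender and receiver here.

```go
package main

import (
	"bytes"
	"crypto/rc4"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

const (
	wepIVLen  = 3 // the 24-bit per-frame IV, sent in the clear before the body
	wepICVLen = 4 // CRC-32 integrity check value appended before encryption
)

// keystreamCipher returns RC4 keyed with IV||key, the way WEP seeds it.
func keystreamCipher(key []byte, iv [wepIVLen]byte) *rc4.Cipher {
	seed := append(append([]byte{}, iv[:]...), key...)
	c, err := rc4.NewCipher(seed)
	if err != nil {
		panic(err)
	}
	return c
}

// wepEncryptBody produces the encrypted part of a WEP frame:
// RC4(IV||key) XOR (plain || CRC32(plain)).
func wepEncryptBody(key []byte, iv [wepIVLen]byte, plain []byte) []byte {
	body := make([]byte, len(plain)+wepICVLen)
	copy(body, plain)
	binary.LittleEndian.PutUint32(body[len(plain):], crc32.ChecksumIEEE(plain))
	keystreamCipher(key, iv).XORKeyStream(body, body)
	return body
}

// wepDecryptBody reverses wepEncryptBody and reports whether the ICV matched.
func wepDecryptBody(key []byte, iv [wepIVLen]byte, body []byte) ([]byte, bool) {
	if len(body) < wepICVLen {
		return nil, false
	}
	buf := make([]byte, len(body))
	keystreamCipher(key, iv).XORKeyStream(buf, body)
	plain, icv := buf[:len(buf)-wepICVLen], buf[len(buf)-wepICVLen:]
	return plain, binary.LittleEndian.Uint32(icv) == crc32.ChecksumIEEE(plain)
}

// recoverFromIVReuse exploits keystream reuse: two frames under the same
// (IV, key) pair share a keystream, so c1 XOR c2 == p1 XOR p2. Knowing p1
// (for example a fixed protocol header) therefore reveals p2.
func recoverFromIVReuse(c1, p1, c2 []byte) []byte {
	n := len(p1)
	if len(c1) < n {
		n = len(c1)
	}
	if len(c2) < n {
		n = len(c2)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = c1[i] ^ p1[i] ^ c2[i]
	}
	return out
}

// flipBits alters an encrypted body without the key. XORing delta into the
// ciphertext XORs it into the plaintext; because CRC-32 is affine over XOR,
// crc(p^d) == crc(p) ^ crc(d) ^ crc(zeros), so the encrypted ICV can be
// patched as well and the receiver's integrity check still passes.
func flipBits(body, delta []byte) []byte {
	n := len(body) - wepICVLen
	out := append([]byte{}, body...)
	full := make([]byte, n) // delta padded with zeros to the plaintext length
	copy(full, delta)
	for i := 0; i < n; i++ {
		out[i] ^= full[i]
	}
	patch := crc32.ChecksumIEEE(full) ^ crc32.ChecksumIEEE(make([]byte, n))
	var p [wepICVLen]byte
	binary.LittleEndian.PutUint32(p[:], patch)
	for i := 0; i < wepICVLen; i++ {
		out[n+i] ^= p[i]
	}
	return out
}

func main() {
	key := []byte("constructed13") // 13 bytes: a constructed 104-bit WEP key
	iv := [wepIVLen]byte{0x0a, 0x0b, 0x0c}
	p1 := []byte("known ARP request header")
	p2 := []byte("confidential payload 24b")

	// Only 2^24 IVs exist, so the same IV recurs long before the key changes.
	c1 := wepEncryptBody(key, iv, p1)
	c2 := wepEncryptBody(key, iv, p2)
	fmt.Printf("recovered from IV reuse: %q\n", recoverFromIVReuse(c1, p1, c2))

	// Flip the case of the first 12 plaintext bytes without knowing the key.
	forged := flipBits(c2, bytes.Repeat([]byte{0x20}, 12))
	plain, ok := wepDecryptBody(key, iv, forged)
	fmt.Printf("forged frame decrypts to %q, ICV accepted: %v\n", plain, ok)
}
```

The same two properties, a short nonce and an unkeyed linear checksum, are what TKIP's 48-bit sequence counter and keyed Michael MIC were added to fix, and what AES-CCMP in WPA2 replaces outright.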
Wireless Protocols (802.11x)
802.11 refers to a family of specifications developed by the IEEE for wireless LAN technology.
802.11 specifies an over-the-air interface between a wireless client and a base station or
between two wireless clients. The IEEE accepted the specification in 1997. There are several
specifications in the 802.11 family:
802.11 -- applies to wireless LANs and provides 1 or 2 Mbps transmission in the 2.4 GHz band
using either frequency hopping spread spectrum (FHSS) or direct sequence spread spectrum (DSSS).
802.11a -- an extension to 802.11 that applies to wireless LANs and provides up to 54 Mbps in
the 5GHz band. 802.11a uses an orthogonal frequency division multiplexing encoding scheme
rather than FHSS or DSSS.
802.11b (also referred to as 802.11 High Rate or Wi-Fi) -- an extension to 802.11 that applies to
wireless LANS and provides 11 Mbps transmission (with a fallback to 5.5, 2 and 1 Mbps) in the
2.4 GHz band. 802.11b uses only DSSS. 802.11b was a 1999 ratification to the original 802.11
standard, allowing wireless functionality comparable to Ethernet.
802.11g -- applies to wireless LANs and provides up to 54 Mbps in the 2.4 GHz band using OFDM
while remaining backward compatible with 802.11b; ratified in 2003.
WLAN (Wireless LAN)
Acronym for wireless local-area network. Also referred to as LAWN. A type of local-area
network that uses high-frequency radio waves rather than wires to communicate between
WPA (Wi-Fi Protected Access)
WPA is a standards-based, interoperable security specification that uses the Temporal Key
Integrity Protocol (TKIP) to provide improved over-the-air encryption of wireless data. It was
the Wi-Fi Alliance's interim replacement for WEP: TKIP keeps RC4 (so it could run on WEP-era
hardware) but adds per-packet keys, a 48-bit sequence counter in place of the 24-bit IV, and a
keyed message integrity check (Michael). WPA2 (IEEE 802.11i) replaced TKIP with AES-CCMP and
WPA3 replaced the pre-shared-key handshake; TKIP is itself deprecated and should not be enabled
on new networks.
X.509
The most widely used standard for defining digital certificates. X.509 is an ITU-T
Recommendation; the profile used on the Internet (which extensions mean what, how names and
validity periods are encoded) is the PKIX profile, RFC 5280. An X.509 certificate binds a public
key to a subject name, is signed by an issuer (a certification authority, or the subject itself
for a self-signed certificate), and carries a serial number, a validity period and extensions
such as key usage and subject alternative names. Early implementations differed in which
extensions they understood, so a certificate produced by one vendor's tools (Netscape, for
example) was not always usable by another's (Microsoft), and vice versa. Today's browsers and
VPN gateways follow the common profile, and interoperability problems usually come down to an
unrecognized critical extension, a missing intermediate certificate or a name that does not match.
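As an added example, not from the original page, this Go program uses the standard library's crypto/x509 to generate a self-signed certificate for a VPN gateway, parse it back from PEM, and perform the checks a client should make before trusting it: the signature, a chain to an explicitly trusted root, and the host name. The host name vpn-gateway.example and the organization name are assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSignedPEM generates a P-256 key and a self-signed X.509 v3 certificate
// for the given host name, returning the certificate as PEM plus the key.
func selfSignedPEM(host string, validFor time.Duration) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Random 128-bit serial: serial numbers must be unique per issuer.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: host, Organization: []string{"Example VPN"}}, // assumed names
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(validFor),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // a self-signed cert is its own (one-member) CA
		DNSNames:              []string{host},
	}
	// Template and parent are the same object: issuer == subject, signed with its own key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key, nil
}

// parseAndCheck decodes PEM, parses the DER-encoded X.509 structure and checks
// that the certificate's signature verifies under its own public key.
func parseAndCheck(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := cert.CheckSignatureFrom(cert); err != nil {
		return nil, fmt.Errorf("self-signature check failed: %w", err)
	}
	return cert, nil
}

// trustedFor is what a client does before trusting a gateway: build a chain
// from the presented certificate to an explicitly trusted root and check that
// the name it is connecting to appears in the certificate.
func trustedFor(cert, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	pemBytes, _, err := selfSignedPEM("vpn-gateway.example", 24*time.Hour)
	if err != nil {
		panic(err)
	}
	cert, err := parseAndCheck(pemBytes)
	if err != nil {
		panic(err)
	}
	fmt.Printf("subject: %s\nissuer:  %s\nvalid:   %s to %s\nsigalg:  %s\n",
		cert.Subject, cert.Issuer, cert.NotBefore.Format(time.RFC3339),
		cert.NotAfter.Format(time.RFC3339), cert.SignatureAlgorithm)
	fmt.Println("trusted for vpn-gateway.example:", trustedFor(cert, cert, "vpn-gateway.example"))
	fmt.Println("trusted for other.example:      ", trustedFor(cert, cert, "other.example"))
}
```

A self-signed certificate is only trustworthy because the client was given it out of band (here, by adding it to the root pool); the same Verify call with a CA-issued gateway certificate would need the CA's root in the pool and the intermediates presented by the gateway.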
XAuth (Extended Authentication)
The XAuth extension to the IKE protocol allows two-factor authentication for remote users: the
digital certificate (or pre-shared key) authenticates the user's machine in IKE phase 1, and an
extra exchange then asks for a username and password or token code that binds the session to a
person and authorizes network access. XAuth never progressed beyond an Internet-Draft and exists
only for IKEv1; IKEv2 provides the same function through EAP. In the common deployment where
phase 1 uses a single group pre-shared key, every user holds the same secret, so anyone who has
it can impersonate the gateway and capture the XAuth credentials; per-user certificates or IKEv2
with EAP avoid this.