Chapter 6
attribute
A characteristic of an object (user or system) that can be used to restrict access to an object. Also known as a subject attribute.
Hybrid VPN
A combination of trusted and secure VPN implementations.
Remote Authentication Dial-In User Service (RADIUS)
A computer connections system that centralizes the management of user authentication by placing the responsibility for authenticating each user on a central authentication server
Application layer proxy firewall
A device capable of functioning both as a firewall and an application layer proxy server.
Secure VPN
A VPN implementation that uses security protocols to encrypt traffic transmitted across unsecured public networks.
bastion host
A device placed between an external, untrusted network and an internal, trusted network. Also known as a sacrificial host, a bastion host serves as the sole target for attack and should therefore be thoroughly secured.
Screened host architecture
A firewall architectural model that combines the packet filtering router with a second, dedicated device such as a proxy server or proxy firewall.
Screened subnet architecture
A firewall architectural model that consists of one internal bastion hosts performing a role in protecting the trusted network.
Media access control layer firewall
A firewall designed to operate at the media access control sub layer of the networks data link layer (layer 2)
Dynamic packet-filtering firewall
A firewall type that can react to network traffic and creates or modify configuration rules to adapt.
Stateful packet filtering firewall
A firewall type that keeps track of each network connection between internal and external users using a state table and that expedites the filtering of those communications. Also known as stateful inspection firewall.
Static Packet Filtering Firewall
A firewall type that requires the configuration rules to manually created, sequenced, and modified within the firewall.
packet-filtering firewall
A network device that examines the header information of data packets that come into a network and determines whether to drop them (deny) or forward them to the next network connection (allow), based on its configuration rules.
Passphrase
A plain-language phrase, typically longer than a password, from which a virtual password is derived.
Virtual Private Network (VPN)
A private, secure network operated over a public and insecure network. A VPN keeps the contents of the network messages hidden from observers who may have access to public traffic.
reverse proxy
A proxy server that most commonly retrieves information from inside an organization and provides it to a requesting user or system outside the organization.
Mandatory Access Control (MAC)
A required, structured data classification scheme that rates each collection of information as well as each user. These ratings are often referred to as sensitivity or classification levels.
password
A secret word or combination of characters that only the user should know; a password is used to authenticate the user.
Next generation firewall (NexGen or NGFW)
A security appliance that delivers unified threat management capabilities in a single appliance.
Extranet
A segment of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public.
proxy server
A server that exists to intercept requests for information from external users and provide the requested information by retrieving it from an internal server, thus protecting and minimizing the demand on internal servers. Some proxy servers are also cache servers.
Content filter
A software program or hardware/software appliance that allows administrators to restrict content that comes into or leaves a network—for example, restricting user access to Web sites from material that is not related to business, such as pornography or entertainment.
Data Loss Prevention (DLP)
A strategy to gain assurance that the users of a network do not send high value information or other critical information outside the network.
state table
A tabular record of the state and context of each Packet in a conversion between an internal and external user or system.
Network Address Translation (NAT)
A technique in which multiple real, routable external IP addresses are converted to special ranges of internal IP addresses, usually on a one to one basis; that is, one external valid address directly maps to one assigned internal address.
Port Address Translation (PAT)
A technology in which multiple real, routable external IP addresses are converted to special ranges of internal IP addresses, usually on a one-to-many basis; that is, one external valid address is mapped dynamically to a range of internal addresses by adding a unique port number to the address when traffic leaves the private network and is placed on the public network.
Lattice-based access control (LBAC)
A variation on the MAC form of access control, which assigns users a matrix of authorizations for particular areas of access, incorporating the information assets of subjects such as users and objects.
Discretionary Access Control (DAC)
Access Controls that are implemented at the discretion of or option of the data user.
Non-discretionary access controls
Access controls that are implemented by a central authority.
Crossover Error Rate (CER)
Also called the equal error rate, the point at which the rate of false rejections equals the rate of false acceptances.
Trusted VPN
Also known as a legacy VPN, a VPN implementation that uses leased circuits from a service provider who gives contractual assurance that no one else is allowed to use these circuits and that they are properly maintained and protected.
Attribute based access control
An access control approach whereby the organization specifies the use of objects based on some attribute of the user or system.
smart card
An authentication component similar to a dumb card that contains a computer chip to verify and validate several pieces of information instead of just a PIN.
Kerberos
An authentication system that uses symmetric key encryption to validate an individual user's access to various network resources by keeping a database containing the private keys of clients and servers that are in the authentication domain it supervises.
War dialer
An automatic phone-dialing program that dials every number in a configured range and checks whether a person, answering machine, or modem picks up.
task-based access control (TBAC)
An example of a nondiscretionary control where privileges are tied to a task a user performs in an organization and are inherited when a user is assigned to that task. Tasks are considered more temporary than roles. TBAC is an example of an LDAC.
Access Control Matrix
An integration of access control lists (focusing on assets) and capability tables (focusing on users) that results in a matrix with organizational assets listed in the column headings and users listed in the row headings. The matrix contains ACLs in columns for a particular device or asset and capability tables in rows for a particular user
demilitarized zone
An intermediate area between two networks designed to provide servers and firewall filtering between a trusted internal network and the outside, untrusted network. Traffic on the outside network carries a higher a level of risk.
Address restrictions
Firewall rules designed to prohibit packets with certain addresses or partial address from passing through the device.
capabilities table
In a lattice-based access control, the row of attributes associated with a particular subject (such as a user).
Strong authentication
In access control, the use of at least two different factors of authentic ovation.
minutiae
In biometric access controls, unique points of reference that are digitized and stored in an encrypted format when the users system access credentials are created.
Firewall
In information security, a combination of hardware and software that filters or prevents specific information from moving between the outside network and inside network
Unified Threat Management (UTM)
Networking devices categorized by their ability to perform the work of multiple devices, such as stateful packet inspection firewalls, network intrusion detection and prevention systems, content filters, spam filters, and malware scanners and filters.
Auditability
See accountability.
Subject Attributes
See attribute
Single bastion host
See bastion host
reverse firewall
See content filter
Access Control List (ACL)
Specifications of authorization that govern the rights and privileges of users to a particular information asset. ACLs include user access lists, matrices and capabilities tables.
Timing channels
TCSEC-defined covert channels that communicate by managing the relative timing of events.
storage channels
TCSEC-defined covert channels that communicate by modifying a stored object, such as in steganography.
Accountability
The access control mechanism that ensures all actions on a system -authorized or unauthorized- can be attributed to an authenticated identity. Also known as audit-ability.
Authentication
The access control mechanism that requires the validation and verification of an unauthenticated entity's purported identity.
identification
The access control mechanism whereby unverified or unauthenticated entities who seek access to resource provide a label by which they are known to the system.
Authorization
The access control mechanisms that represents the matching of an authenticated entity to a list of information assets as corresponding access levels.
Virtual password
The derivative of a passphrase.
Configuration rules
The instructions a system administrator codes into a server, networking device, or security device to specify how it operates.
False Reject Rate
The rate at which authentic users are denied or prevented access to authorized areas as a result of a failure in the biometric device. This failure is also known as as a type I error or a false negative.
False Accept Rate
The rate at which fraudulent users or non users are allowed access to systems or areas as a result of a failure in the biometric device. This failure is also known as a type II error or false positive.
Access Control
The selective method by which systems specify who may use a particular resource and jow they may uae it.
untrusted network
The system of network outside the organization over which the organization has no control. The internet is an example of an untrusted network.
trusted network
The system of networks inside the organization that contains its information assets and is under the organization's control.
Biometric access control
The use of physiological characteristics to provide authentication for a provided identification. Biometric means "life measurements" in Greek. Sometimes referred to as biometrics.
Authentication Factors
Three mechanisms that provide authentication based on something an unauthenticated entity knows, something an unauthenticated entity has, and something an unauthenticated entity is.
Covert Channels - volume control ex:
Unauthorized or unintended methods of communications hidden inside a computer system.
Trusted Computing Base (TCB)
Under the trusted computer system evaluation criteria (TCSEC) , the combination of all hardware, firmware, and software responsible for enforcing the security the security policy.
Reference Monitor
Within TCB, a conceptual piece of the system that manages access controls—in other words, it mediates all access to objects by subjects.
Dumb card
an authentication card that contains digital user data, such as a personal identification number (PIN), against which user input is compared
Asynchronous token
an authentication component in the form of a token—a card or key fob that contains a computer chip and a liquid crystal display and shows a computer-generated number used to support remote login authentication. This token does not require calibration of the central authentication server; instead, it uses a challenge/response system.
Synchronous token
an authentication component in the form of a token—a card or key fob that contains a computer chip and a liquid crystal display and shows a computer-generated number used to support remote login authentication. This token must be calibrated with the corresponding software on the central authentication server.
Role-Based Access Control (RBAC)
an example of a nondiscretionary control where privileges are tied to the role a user performs in an organization, and are inherited when a user is assigned to that role. Roles are considered more persistent than tasks. RBAC is an example of an LDAC.
Application Firewall
see application layer firewall.
sacrificial host
see bastion host.