Chapter 6 - Firewalls & VPNs
Remote Authentication Dial-In User Service (RADIUS)
A computer connection system that centralizes the management of user authentication by placing the responsibility for authenticating each user on a central authentication server.
Storage channel
A covert channel that communicates by modifying a stored object.
Port Address Translation (PAT)
A method of mapping a single valid external IP address to special ranges of nonroutable internal IP addresses, known as private addresses, on a one-to-many basis, using port addresses to facilitate the mapping.
Biometric access control
An access control approach based on the use of a measurable human characteristic or trait to authenticate the identity of a proposed systems user (a supplicant).
Attribute-based access control (ABAC)
An access control approach whereby the organization specifies the use of objects based on some attribute of the user or system.
Password
An authentication component that consists of a private word or combination of characters that only the user should know.
False reject rate
In biometric access controls, the percentage of identification instances in which authorized users are denied access. Also known as a Type I error.
False accept rate
In biometric access controls, the percentage of identification instances in which unauthorized users are allowed access. Also known as a Type II error.
Auditability
See accountability.
Subject attribute
See attribute.
Covert channel
Unauthorized or unintended methods of communications hidden inside a computer system.
Secure VPN
a VPN implementation that uses security protocols to encrypt traffic transmitted across unsecured public networks.
Attribute
a characteristic of a subject (user or system) that can be used to restrict access to an object. Also known as a subject attribute.
Hybrid VPN
a combination of trusted and secure VPN implementations.
Timing channel
a covert channel that transmits information by managing the relative timing of events.
MAC layer firewall
a firewall designed to operate at the media access control sublayer of the network's data link layer (Layer 2).
Bastion host
a firewall implementation strategy in which the device is connected directly to the untrusted area of the organization's network rather than being placed in a screened area. Also known as a sacrificial host.
Application layer firewall
a firewall type capable of performing filtering at the application layer of the OSI model, most commonly based on the type of service (for example, HTTP, SMTP, or FTP). Also known as an application firewall. See also proxy server.
Dynamic filtering
a firewall type that can react to an adverse event and update or create its configuration rules to deal with that event.
Stateful packet inspection (SPI)
a firewall type that keeps track of each network connection between internal and external systems using a state table and that expedites the filtering of those communications. Also known as a stateful inspection firewall.
Static filtering
a firewall type that requires the configuration rules to be manually created, sequenced, and modified within the firewall.
Network Address Translation (NAT)
a method of mapping valid external IP addresses to special ranges of nonroutable internal IP addresses, known as private addresses, on a one-to-one basis.
Content filter
a network filter that allows administrators to restrict access to external content from within a network. Also known as a reverse firewall.
Virtual password
a password composed of a seemingly meaningless series of characters derived from a passphrase.
Virtual private network (VPN)
a private and secure network connection between systems that uses the data communication capability of an unsecured and public network.
Reverse proxy
a proxy server that most commonly retrieves information from inside an organization and provides it to a requesting user or system outside the organization.
Kerberos
a remote authentication system that uses symmetric key encryption-based tickets managed in a central database to validate an individual user to various network resources.
Unified Threat Management (UTM)
a security approach that seeks a comprehensive solution for identifying and responding to network-based threats from a variety of sources. UTM brings together firewall and IDPS technology with antimalware, load balancing, content filtering, and data loss prevention. UTM integrates these tools with management, control, and reporting functions.
Extranet
a segment of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public.
Proxy server
A server or firewall device capable of serving as an intermediary by retrieving information from one network segment and providing it to a requesting user on another.
Screened host firewall
a single firewall or system designed to be externally accessible and protected by placement behind a filtering firewall.
Access control list (ACL)
a specification of an organization's information asset, the users who may access and use it, and their rights and privileges for using the asset.
Capability table
a specification of an organization's users, the information assets that users may access, and their rights and privileges for using the assets. Also known as user profiles or user policies.
Nondiscretionary access controls (NDACs)
a strictly enforced version of MACs that are managed by a central authority in the organization and can be based on an individual user's role or a specified set of tasks.
State table
a tabular database of the state and context of each packet in a conversation between an internal and external user or system. A state table is used to expedite firewall filtering.
Trusted computing base (TCB)
according to the TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy.
Trusted VPN
also known as a legacy VPN, a VPN implementation that uses leased circuits from a service provider who gives contractual assurance that no one else is allowed to use these circuits and that they are properly maintained and protected.
Packet-filtering firewall
also referred to as a filtering firewall, a networking device that examines the header information of data packets that come into a network and determines whether to drop them (deny) or forward them to the next network connection (allow), based on its configuration rules.
Lattice-based access control (LBAC)
an access control approach that uses a matrix or lattice of subjects (users and systems needing access) and objects (resources) to assign privileges. LBAC is an example of an NDAC.
Mandatory access control (MAC)
an access control approach whereby the organization specifies use of resources based on the assignment of data classification schemes to resources and clearance levels to users. MAC is an example of an LBAC approach.
Dumb card
an authentication card that contains digital user data, such as a personal identification number (PIN), against which user input is compared.
Asynchronous token
an authentication component in the form of a token—a card or key fob that contains a computer chip and a liquid crystal display and shows a computer-generated number used to support remote login authentication. This token does not require calibration of the central authentication server; instead, it uses a challenge/response system.
Synchronous token
an authentication component in the form of a token—a card or key fob that contains a computer chip and a liquid crystal display and shows a computer-generated number used to support remote login authentication. This token must be calibrated with the corresponding software on the central authentication server.
Smart card
an authentication component similar to a dumb card that contains a computer chip to verify and validate several pieces of information instead of just a PIN.
Passphrase
an authentication component that consists of an expression known only to the user, from which a virtual password is derived. See also virtual password.
War dialer
an automatic phone-dialing program that dials every number in a configured range to determine if one of the numbers belongs to a computer connection such as a dial-up line.
Screened subnet
An entire network segment that protects externally accessible systems by placing them in a demilitarized zone behind a filtering firewall and protects the internal networks by limiting how external connections can gain access to them.
Task-based access control (TBAC)
An example of a nondiscretionary control where privileges are tied to a task a user performs in an organization and are inherited when a user is assigned to that task. Tasks are considered more temporary than roles. TBAC is an example of an LBAC.
Role-based access control (RBAC)
An example of a nondiscretionary control where privileges are tied to the role a user performs in an organization and are inherited when a user is assigned to that role. Roles are considered more persistent than tasks. RBAC is an example of an LBAC.
Access control matrix
an integration of access control lists (focusing on assets) and capability tables (focusing on users) that results in a matrix with organizational assets listed in the column headings and users listed in the row headings. The matrix contains ACLs in columns for a particular device or asset and capability tables in rows for a particular person.
Demilitarized zone (DMZ)
an intermediate area between two networks designed to provide servers and firewall filtering between a trusted internal network and the outside, untrusted network. Traffic on the outside network carries a higher level of risk.
Discretionary access controls (DACs)
controls that are implemented at the discretion or option of the data user.
Address restrictions
firewall rules designed to prohibit packets with certain addresses or partial addresses from passing through the device.
Strong authentication
in access control, the use of at least two different authentication mechanisms drawn from two different factors of authentication.
Crossover error rate (CER)
In biometric access controls, the level at which the number of false rejections equals the number of false acceptances. Also known as the equal error rate.
Minutiae
in biometric access controls, unique points of reference that are digitized and stored in an encrypted format when the user's system access credentials are created.
Firewall
in information security, a combination of hardware and software that filters or prevents specific information from moving between the outside network and the inside network. Each organization defines its own firewall.
Application firewall
See application layer firewall.
Sacrificial host
See bastion host.
Reverse firewalls
See content filter.
Accountability
the access control mechanism that ensures all actions on a system—authorized or unauthorized—can be attributed to an authenticated identity. Also known as auditability.
Authorization
the access control mechanism that represents the matching of an authenticated entity to a list of information assets and corresponding access levels.
Authentication
the access control mechanism that requires the validation and verification of a supplicant's purported identity.
Identification
the access control mechanism whereby unverified entities or supplicants who seek access to a resource provide a label by which they are known to the system.
Configuration rules
the instructions a system administrator codes into a server, networking device, or security device to specify how it operates.
Reference monitor
the piece of the system that mediates all access to objects by subjects.
Access control
the selective method by which systems specify who may use a particular resource and how they may use it.
Trusted network
the system of networks inside the organization that contains its information assets and is under the organization's control.
Untrusted network
The system of networks outside the organization over which the organization has no control. The Internet is an example of an untrusted network.
Authentication factors
three mechanisms that provide authentication based on something a supplicant knows, something a supplicant has, and something a supplicant is.