Glossary

ASIC. (Application-Specific Integrated Circuit) A silicon chip designed to perform specific functions. Processing those functions on a dedicated ASIC offloads the system's main processor, which no longer has to perform the task itself.

Packet Fragmentation. The splitting of an IP packet into smaller pieces when the packet is larger than the maximum transmission unit (MTU) of the network path. A typical Ethernet network has a 1518-byte MTU.

Jumbo Frame. An Ethernet frame larger than 1518 bytes. A typical jumbo frame size is 9000 bytes.
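As an added example (not from the book), the following Python function splits an IPv4 datagram into fragments for a given path MTU the way a router would: payload is cut into multiples of 8 bytes, the More Fragments (MF) flag is set on every piece but the last, and the Fragment Offset is expressed in 8-byte units. A 1518-byte Ethernet frame carries at most a 1500-byte IP packet (14-byte Ethernet header plus 4-byte FCS), so 1500 is used as the IP MTU; the 4000-byte datagram and the 9000-byte jumbo path are constructed values.

```python
# Added example: IPv4 fragmentation against a path MTU (not the book's code).
# Assumes a 20-byte IPv4 header without options; all datagram sizes are constructed.
from dataclasses import dataclass
from typing import List

IPV4_HEADER_LEN = 20  # header without options


@dataclass
class Fragment:
    offset_units: int     # Fragment Offset field, in 8-byte units
    more_fragments: bool  # MF flag: True on all fragments except the last
    payload_len: int      # bytes of the original payload carried


def fragment_ipv4(total_len: int, mtu: int) -> List[Fragment]:
    """Split a datagram of total_len bytes (header included) so that every
    fragment, header included, fits in mtu. A datagram that already fits is
    returned unchanged as a single piece with MF clear."""
    if mtu < IPV4_HEADER_LEN + 8:
        raise ValueError("MTU too small to carry even one 8-byte payload unit")
    payload = total_len - IPV4_HEADER_LEN
    if total_len <= mtu:
        return [Fragment(0, False, payload)]
    # Every fragment but the last must carry a multiple of 8 payload bytes,
    # because the offset field counts 8-byte units.
    max_payload = (mtu - IPV4_HEADER_LEN) // 8 * 8
    frags: List[Fragment] = []
    offset = 0
    while offset < payload:
        chunk = min(max_payload, payload - offset)
        last = offset + chunk >= payload
        frags.append(Fragment(offset // 8, not last, chunk))
        offset += chunk
    return frags


def wire_bytes(total_len: int, mtu: int) -> int:
    """Bytes actually transmitted: each fragment repeats the 20-byte header,
    so fragmentation costs bandwidth on top of the original datagram."""
    return sum(IPV4_HEADER_LEN + f.payload_len for f in fragment_ipv4(total_len, mtu))


if __name__ == "__main__":
    for mtu in (1500, 9000):  # standard Ethernet vs. jumbo-frame path
        frags = fragment_ipv4(4000, mtu)
        print(f"MTU {mtu}: {len(frags)} fragment(s), {wire_bytes(4000, mtu)} bytes on the wire")
        for f in frags:
            print(f"  offset={f.offset_units * 8:5d} MF={int(f.more_fragments)} len={f.payload_len}")
```

On the 9000-byte jumbo path the 4000-byte datagram travels intact, while on a 1500-byte path it becomes three fragments and 40 extra header bytes.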

RBL. (Real-Time Black List) A frequently updated anti-spam database of blacklisted IP addresses that mail servers consult to identify known spam sources.

Attack vector. One of the ways or paths that can be used to perform an attack. For example, a worm could spread by exploiting a known vulnerability on a web server, that is, via HTTP, but it could also spread by attaching itself to an e-mail message (SMTP) or by sending a file containing the propagation code via Instant Messaging (IM). IM, SMTP, and HTTP would all be attack vectors available to this theoretical worm.

Best practice. Computer security is a field where new things arise pretty much every day: new attacks are invented and then new defenses are put in place. A best practice is simply what many people think is the best way to solve a specific problem, and it might change from time to time depending on the evolution of technology and common experience. One of the best-known best practices is shifting towards longer, more complex passwords to resist brute-force attacks and guessing. Another is to always use the strongest encryption available to protect sensitive data when it travels through a VPN connection.

Bot / Botnet. A bot is a type of malware that, once installed on a computer, allows an entity (known as the bot master) to control it to perform functions like sending a request to a web server or an e-mail message. While a single computer doing one of these actions seems normal and harmless, if thousands of them do exactly the same thing in a coordinated way, the results can be problematic. A group of bots is called a botnet, and if all of them send requests to a web server at the same time, they could potentially overwhelm it, exhaust its network resources, and cause a Denial of Service. If all of them send unsolicited messages, a botnet becomes an effective way to send spam. One of the most famous botnets is Zeus [1], which has been extensively analyzed [2] by experts around the world, including Fortinet’s FortiGuard [3] analysts.

Cluster. A group of elements, such as servers, gateways, or other network devices, that behaves as a single entity to the network, the users, and the applications using its services. The most typical reasons to configure a cluster are to increase availability or to increase performance. A cluster of servers can be formed to solve parts of a complex math problem that a single server would take too long to solve. A cluster of web servers can share the load when the number of users is large and a single server cannot handle all of it. A cluster of firewalls can be configured to ensure there is always at least one firewall available in the event that a single firewall box fails.

Control. A mechanism to ensure policy compliance. There are many ways to classify controls; here are a couple of examples. Depending on their nature, they can be physical or logical. Depending on their purpose, they can be preventive, detective, or corrective. A door lock, for example, is a physical control, and it is both preventive and detective, because it prevents a robbery but also lets you tell that a robbery may have happened if you find the lock broken. A network IPS is a logical control that can be preventive, detective, and corrective at the same time, depending on its configuration. Understanding the nature of controls is especially important when you are assessing an environment to determine compliance with a specific regulation.

Cracker. A computer criminal. Someone with enough computer knowledge to cause harm to another entity.

DMZ. De-Militarized Zone. This term was borrowed from the military, and it implies the existence of a zone that has little or no defense and is therefore not really trusted. In computer network topologies, this is typically the zone where services that will be accessed from the outside are placed; permissions there are more relaxed, which also increases the risk. In the past, a DMZ was truly a zone without defenses, meaning it was not protected by a firewall, IPS, or any other security device, mainly for cost and performance reasons. The meaning changed over time, and now it simply means a network segment where servers and services are placed so they can be accessed from other network segments, and because of this additional risk they need to be specifically protected.

Denial of Service. The name of an attack against availability. A Denial of Service, as its name implies, takes a service offline. This can be achieved in different ways, such as turning off the computer where the service resides, or launching an overwhelmingly high number of valid requests against the service so that the resources allocated to it are exhausted and new valid requests cannot be served properly; in some cases the server even shuts down.

Exploit. A program that contains code aimed at using a known vulnerability. Typically, exploits are used by security researchers to prove their findings. Exploits are also made available by knowledgeable crackers, so that others can simply execute the code to abuse a system. Another way to define them would be “canned attacks” or “attacks on a click.”

Fail over. A condition that occurs when one of the elements of a cluster goes down and its load is sent to the remaining active members of the cluster. A fail over can be triggered by a failure condition, such as a network disconnection, or by a scheduled condition, such as system maintenance.

Hacker. This is probably one of the most commonly misunderstood concepts. A hacker, in reality, is someone with deep curiosity about and deep knowledge of how computers work; some of them boast about this knowledge to the point of becoming arrogant, but certainly not all of them. With the popularization of computers, a hacker culture evolved: there is even a Hacker Manifesto [4], originally published in a hacker magazine, and a How To Become A Hacker [5] document. Because of their technical curiosity, hackers sometimes go beyond the legal frontier in their experiments, and since several hackers were unfortunately responsible for security incidents, the name eventually got a bad reputation and became confused with that of a computer criminal. For the purposes of this book, we use the term for someone with deep knowledge who does not necessarily commit bad actions.

Proxy. Generally speaking, a proxy is a system that operates on behalf of another system. In the case of network proxies, these are entities that open a connection at the application level to perform some kind of action or inspection. Proxy firewalls, for example, are firewalls that open a session at the application level to decide whether a connection is authorized or not. A web proxy cache, on the other hand, inspects web requests to check whether the content is already stored locally, so that it is served from the cache instead of being fetched again from the origin, saving bandwidth and time.

Script. A program that automates routine tasks. If the same steps could be done manually but need to be repeated several times to achieve an objective, a script is an automated solution that saves both time and effort.

Single Sign-On (SSO). A technology that allows the credentials of a single user to be shared among several applications, in such a way that once the user is identified in one place, this user is automatically recognized by the other applications without being asked to authenticate again. Single sign-on technologies greatly enhance the user experience within an environment, because access to resources is more direct and transparent, saving time and effort.

Social Engineering. A form of attack that, instead of exploiting network vulnerabilities, attempts to exploit the human link in the chain by making a person say or do something they should not. For example, an attractive person could ask somebody to help her or him in a situation, and eventually ask for that person’s password. Someone on the telephone could impersonate a systems administrator, asking a user to change her password to something the attacker knows. Someone could convince a security analyst that the alarm raised by the IPS is perfectly normal because of some tests being conducted. Social Engineering can only be fought with education.

Tunnel. A networking concept in which a logical connection has two ends, and whatever enters one end exits at the other, regardless of where the two ends are physically located. Typically this is achieved by establishing a connection between two points, then encapsulating and/or encrypting each packet that travels through a public network, to be decapsulated and/or decrypted by the other side. From the perspective of the tunneled packet, it only traveled one hop across one network, while in reality it probably traversed several.

Virus. Computer code that can replicate itself by “infecting” clean programs, that is, by adding its own code to the code of the infected program. Once a program is infected, the virus is loaded whenever the legitimate program is executed, and it can then in turn infect other programs. It may or may not carry a payload, which is malicious code executed once a trigger condition is met. The Jerusalem virus, also known as Friday the 13th, for example, would delete all executable program files if the date was Friday the 13th.

Wire speed. The speed of a connection if only the wire and nothing else is in place. In other words, this is the maximum speed that can be achieved on a network connection, limited only by the physical connection speed. In networking, the term is used when a device imposes no noticeable delay on connections, and thus the speed reached by those connections is the same with and without the device in the path.

Worm. An enhanced type of virus that uses the network to replicate itself. A worm is also typically autonomous, meaning it does not require a clean or valid program to attach itself to. Famous worms include the Morris worm, which replicated by exploiting a vulnerability in the sendmail daemon, and the Anna Kournikova worm, one of the first to use Social Engineering: it replicated by attaching itself to an e-mail message sent to the victim’s entire address book, claiming to be a picture of the famous tennis player. Other widely known worms were Nimda and CodeRed.

References

1. Analysis of the Zeus botnet. <http://fgc.fortinet.com/analysis/zeusanalysis.html>.

2. Fortinet Blog entry about Zeus. <http://blog.fortinet.com/zeus-botnets-multiplying-at-your-service/>.

3. FortiGuard Center portal. <http://www.fortiguard.com/>.

4. The Mentor. The Hacker Manifesto. Phrack Magazine. <http://www.phrack.org/issues.html?issue=7&id=3&mode=txt>.

5. Raymond, Eric S. How To Become A Hacker. <http://catb.org/~esr/faqs/hacker-howto.html>.
