Glossary of terms associated with Symantec firewall/VPN products

Article:TECH78766  |  Created: 2001-01-18  |  Updated: 2003-01-10  |  Article URL http://www.symantec.com/docs/TECH78766
Article Type
Technical Solution


Environment

Issue



You want the definition of a term used in association with Symantec/Raptor firewall/VPN products.


Solution



Symantec Firewall/VPN Technical Support uses the following common terms to describe various aspects of firewall management, DNS, and internetworking. Note that in the following definitions, the terms firewall and gateway are often used interchangeably.


Address Hiding: Refers to the firewall's practice of concealing the IP addresses of hosts behind the firewall. For outbound traffic, the firewall, by default, substitutes its public IP address for the client's address in the source field of the packet. For inbound traffic, the firewall, by default, substitutes its private IP address for the client's address in the source field of the packet. Both of these practices can be changed by enabling client-side transparency on the firewall's outside and inside NICs, respectively. Due to routing restrictions, enabling client-side transparency on the firewall's outside NIC should never be done for those sites that use reserved addresses or illegal addresses behind the firewall.
AH: This acronym means "Authentication Header", and refers to a protocol, within the IPSEC suite of protocols, for the authentication of IP data. The AH protocol is described in RFC 1826.
Authentication: The process of verifying that a client is who or what it claims to be. The Raptor Firewall supports the ACE/SecurID, Cryptocard, NT Domain, Bellcore S/Key, Radius, Tacacs+, and gwpasswd authentication schemes. The Raptor Firewall supports both static and dynamic authentication modes for many of these schemes.
Behind: Refers to the networks and hosts protected by the firewall; that is, on the protected network. See also inside.
CIDR: This acronym means "Classless Inter-Domain Routing", which is documented in RFCs 1517-1520.
CIFS: This acronym means "Common Internet File System".
Client: A software program that requests the use of a network service. In this context, a browser is considered a client program. Sometimes the term client is used to refer to hosts (PCs, workstations) on which the client software runs, as in the question, "How many clients are behind the firewall?"
Client-Side Transparency: The opposite of server-side transparency (see "transparent"). A transparent connection (TCP) or data stream (UDP) in which the firewall is transparent to the server. In other words, the client's IP address, and not the firewall's IP address, is the source of the traffic on the server's side of the firewall. Typically used for inbound access, so that the server on the protected network can log the client's IP address or FQN.
Default Gateway: The default gateway, which is also known as the "default route", or "route of last resort", is an IP networking configuration parameter. Clients behind the firewall should set their default gateway to either the inside IP address of the firewall or to a router whose default gateway points to the inside IP address of the firewall.
DNS: DNS is the service used to translate Internet names, such as www.symantec.com, into IP addresses, and the reverse. This service is used by client software, such as the browser on a PC, to locate companies and resources on the Internet and uses ports 53/TCP and 53/UDP.
DNSd: This acronym means "DNS daemon", and refers to the Raptor Firewall DNS proxy that is installed as part of the firewall. DNSd is one of the firewall's standard proxies.
Dynamic Authentication: The opposite of static authentication. In dynamic authentication, the usernames and passcodes for the authentication scheme exist on the authentication server and not on the firewall. Hence, the firewall dynamically (that is, on an "as needed" basis) gets usernames and passcodes for authentication. Dynamic authentication is supported for ACE, Defender (SNK), Radius, CRYPTOCard, TACACS+, and NT Domain.
Entity Group: A logical association of hosts, subnets, and/or domains that can be used to build the endpoint for an authorization rule or filter. Entity groups are created and managed from the Net Entities button on the RCU toolbar or in the Net Entities tree of the RMC. Entity groups should not be confused with the groups of usernames that are used in conjunction with authentication.
ESP: This acronym means "Encapsulating Security Payload", and refers to a protocol, within the IPSEC suite of protocols, for the privacy protection of IP data. The ESP protocol is described in RFC 1827.
Fast Path: The Fast Path mechanism is a compromise between the efficiency of packet filtering and the security of application proxies. As of this writing, its use is restricted to the HTTP and HTTPS protocols. Traffic that uses the Fast Path mechanism is governed by authorization rules, but the actual connection is never proxied at the application level. The first time a connection is authorized for a Fast Path rule, the proxy daemon calls down to the firewall's VPN driver and orders the driver to put all packets that fit the parameters of the rule through the firewall at the IP level, rather than sending them up to the application level. Address hiding occurs, but traffic logging does not.
Fetcher: The fetcher daemon is responsible for downloading and installing updates to the WebNOT and NewsNOT ratings databases.
FTPd: This acronym means "FTP daemon", and refers to the firewall's standard proxy for FTP, which is installed as part of the Raptor software.
Fully-Qualified Name: A fully-qualified name (FQN), such as thefw.peach.com, is composed of a hostname (thefw) and an Internet domain name (peach.com).
FTP: This acronym means "File Transfer Protocol". The standard ports for FTP are 21/TCP (control) and 20/TCP (data). The firewall can pass FTP through its standard proxy, as well as browser FTP proxied through an HTTP connection on 80/TCP.
GID: A decimal number that uniquely identifies a group on the firewall. In essence, the GID becomes, for the firewall software, synonymous with the group name. GIDs are entered as part of the process of creating a group on the firewall.
Gopher: A text and information management application-level protocol that uses port 70/TCP. The firewall can pass Gopher through its standard proxy, as well as browser Gopher proxied through an HTTP connection on 80/TCP.
Gopherd: This acronym means "Gopher daemon", and refers to the firewall's standard proxy for Gopher, which is installed as part of the Raptor firewall software.
Group: A logical association of usernames on the firewall. Groups are used in conjunction with certain kinds of authentication, such as gwpasswd, to strengthen the security on an authorization rule. Groups should not be confused with entity groups.
GSP: This acronym means "Generic Service Passer". See also Special Service. GSPs are used to provide an application-level proxy for protocols not handled by the standard proxies. A single GSP can be used to manage a single TCP or UDP port for either transparent or non-transparent, inbound or outbound access. Examples of protocols that should be managed using a GSP include POP-3, Notes, and IRC.
Like the standard proxies on the firewall, GSPs are controlled using authorization rules. They also perform address hiding and traffic logging. The major difference between the standard proxies and the GSP is that the GSP has no knowledge of the underlying application-level protocol, and hence, cannot perform any protocol-specific security monitoring. Another related limitation is that authentication cannot be applied to any rule that governs a GSP, as there is no means to guarantee that the application can respond. Hence, applying authentication to a GSP rule will cause the rule to fail.
Gwcontrol: This term means "Gateway Control", and refers to the daemon that handles the authorization phase of all application-level traffic on the Raptor Firewall.
Gwpasswd: This term means "Gateway Password", and refers to a simple password authentication mechanism provided by the Raptor Firewall. All user account and password information for gwpasswd authentication is created and managed on the firewall.
H.323: The H.323 streaming audio/video protocol is used by applications such as Net Meeting, TeleVox, and CuSeeMe. The Raptor Firewall can pass H.323 traffic through a standard proxy.
Host Entity: A Net Entity that denotes a single IP host.
Host Route: A route for a specific host address, rather than a network address. Useful for assigning a virtual address.
HTTP: This acronym means "Hyper-Text Transfer Protocol" and refers to the application-level protocol used to browse the World Wide Web. HTTP typically uses port 80/TCP.
HTTPd: This acronym means "HTTP daemon", and refers to the firewall's standard proxy for HTTP, which is installed as part of the Raptor software.
HTTPS: The HTTPS protocol is sometimes referred to as Secure HTTP, and is basically HTTP over SSL (Secure Socket Layer). The Raptor Firewall's standard HTTP proxy, called httpd, also handles HTTPS traffic via port 443/TCP.
IKE: This acronym means "Internet Key Exchange" and refers to the dynamic keying (Oakley) component of ISAKMP.
Illegal Address: Refers to the ill-advised practice of configuring the hosts on a network with IP addresses that are registered to (that is, owned by) another entity on the Internet. Since the locations of the legitimate owners of these addresses are known to the ISPs, any host with an illegal address that sends packets to the Internet will not receive return packets from the destination host.
Inbound: Refers to network traffic that originates from the unprotected side of a Raptor Firewall.
Inside: Refers to the hosts protected by the firewall. In common parlance, these hosts are behind the firewall, and hence on an inside network. So, by extension, the unprotected networks and hosts are considered to be outside the firewall.
Interface-based Rule: A very general authorization rule that applies to packets that arrive on a particular interface on the firewall.
InterNIC: This acronym means "Internet Network Information Center" and refers to the Internet's governing/charter organization.
IPSEC: This acronym means "Internet Protocol (IP) Security" and refers to the suite of protocols being developed at the IETF (Internet Engineering Task Force) that can be used for secure, private communications across the Internet, over VPN. IPSEC generally uses static keys to accomplish its security and privacy goals, though the underlying protocols can also be handled using ISAKMP.
IRC: This acronym means "Internet Relay Chat", or simply "Chat", and refers to the application protocol that uses 6667/TCP.
ISAKMP: This acronym means "Internet Security Association Key Management Protocol", and refers to a proposed standard for dynamic key exchange for VPN. Also known as IKE.
ISP: This acronym means "Internet Service Provider".
Local Tunnel: Local tunnelling is basically the same as packet filtering. Packets that pass through the filter/tunnel are unaltered; hence, address hiding, traffic logging, and authorization using rules do not occur. Access to the tunnel can be controlled by source and destination IP address, traffic direction, and port number.
Mail Wizard: Refers to the SMTP/Mail setup screen in the RCU configuration GUI (RCU> Gateway> Configure> Mail). The Mail wizard is a quick and easy way to create the rules and Service Redirections necessary to get SMTP/Mail through the firewall, but it does have a few limitations. For instance, configuration information from any previous invocation of the Mail Wizard is not displayed in the window fields. Also, the Mail Wizard can only be used to configure how traffic for the first (initial) SMTP/mail server will be handled. Access to subsequent SMTP/mail servers behind the firewall must be accomplished by manually creating the rules and Service Redirections.
MX Record: This acronym means "Mail eXchange" Record, and refers to the DNS resource record used to describe where SMTP mail should be delivered for a given Internet domain. For most customers, the MX record for their domain should point to the outside address of their Raptor Firewall.
Net Entity: A net entity is a network object, such as a host, a subnet, or a group containing hosts and/or subnets. Net entities can be used to build rules, filters, tunnels, and VPNs.
NIC: This acronym means Network Interface Card, and is used interchangeably with the term "adapter". Both terms are used when referring to the network communication cards that are placed in the PC.
News: Another way of referring to servers that provide the NNTP service. News is a free-form discussion forum on a multitude of topics.
Non-Transparent: Refers to a connection made by a client application that is directed to a gateway, where it is covertly sent to the server. In other words, the client believes that the gateway is the server, and is unaware of the true server's identity. The opposite of transparent. Non-transparent access is routinely used for inbound access so that the inside topology is never revealed.
NNTP: This acronym means Network News Transport Protocol, and is also known as Usenet, or just simply as News. News is a discussion list application protocol that uses port 119/TCP.
NTP: This acronym means Network Time Protocol, and refers to the application protocol that uses port 123/UDP. The Raptor Firewall comes equipped with a standard proxy for NTP.
Outbound: Refers to network traffic that originates from behind a Raptor Firewall.
Ping: Ping is a program that uses ICMP (Internet Control Message Protocol) echo request packets to verify IP connectivity to another host or network. The standard ping program that comes with Windows NT 4.0 is run from the Command Prompt window and takes an IP address or resolvable name as its command line parameter.
POP-3: This acronym means Post Office Protocol version 3, and refers to an email application protocol that uses port 110/TCP. POP-3 is usually passed through the Raptor Firewall using a GSP.
Proxy Redirection: Proxy Redirection allows the Network Administrator to combine VPN with application-level proxies. In effect, this allows network traffic to be sent securely across an untrusted network and then be handled by the application-level proxies on the firewall, where authorization rules, address hiding, and traffic logging can occur.
RaptorMobile: RaptorMobile runs on Windows-based PCs, and allows the user of the PC to securely connect across hostile networks, such as the Internet, to servers behind a Raptor Firewall.
RaptorRemote: A RaptorRemote firewall is basically the same as a Raptor Firewall, except that it does not have a locally installed GUI (RMC or RCU). Since a GUI is necessary for configuring the firewall, the RaptorRemote must be configured and managed from the GUI on another firewall, or from a standalone GUI.
RCU: This acronym means Raptor Console for UNIX. RCU is essentially an updated version of the Hawk GUI that was used to manage prior versions of the Raptor Firewall. RCU can be installed on the Raptor Firewall on a UNIX system, as well as on a standalone Solaris workstation, and can be used to manage both NT and UNIX versions of the Raptor Firewall 6.0.
Registered Authority: This refers to the DNS servers that have been registered at the InterNIC as the authorities for an Internet (DNS) domain. These name servers maintain the definitive information about a domain, such as where to send mail to users in the domain, where the domain's web server is, etc. All other name servers can only provide non-authoritative answers (that is, answers from their cache). If you do not know which servers are the registered authorities for your Internet domain, you can either ask your ISP, or refer to our online procedure to find out for yourself.
Reserved Address: Reserved addresses are a bank of IP addresses set aside for Intranet use. They are not registered to any network, and hence, are not routable across the Internet. RFC 1597 and its replacement, RFC 1918, are the documents that specify the range of reserved addresses. At this writing, these ranges are 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255.
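The following is an added illustration, not Symantec or Raptor code, of how the Address Hiding and Reserved Address definitions above fit together: with address hiding in effect the firewall's public address is what the Internet sees, and if client-side transparency is enabled on the outside NIC a reserved (RFC 1918) client address would be sent out unchanged and its replies could never be routed back. The function names, the firewall address and the client addresses are constructed for this example.

```python
"""Added example (not Symantec/Raptor code): decide what source address an
outbound packet presents on the outside interface, following the glossary's
"Address Hiding" and "Reserved Address" definitions.

hide_source(), is_reserved() and the sample addresses are constructed for
this illustration; they do not mirror any real firewall API.
"""
import ipaddress

# The three RFC 1918 reserved ranges quoted in the glossary, in CIDR form.
RFC1918_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),       # 10.0.0.0    - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16.0.0  - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),   # 192.168.0.0 - 192.168.255.255
]


def is_reserved(addr: str) -> bool:
    """True if addr lies in one of the RFC 1918 reserved ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_RANGES)


def hide_source(client_src: str, fw_outside: str, client_side_transparency: bool) -> str:
    """Return the source address that appears on the outside of the firewall.

    Default (no client-side transparency on the outside NIC): the firewall
    substitutes its own public address, so the inside host is never visible.
    With client-side transparency: the real client address is passed through
    unchanged. If that address is reserved, the Internet cannot route the
    reply back, which is the routing restriction the glossary warns about,
    so this example refuses the configuration instead of emitting the packet.
    """
    if not client_side_transparency:
        return fw_outside
    if is_reserved(client_src):
        raise ValueError(
            f"client-side transparency on the outside NIC would expose "
            f"unroutable reserved address {client_src}"
        )
    return client_src


if __name__ == "__main__":
    # Constructed sample values (198.51.100.0/24 is a documentation range).
    FW_OUTSIDE = "198.51.100.1"
    print(hide_source("192.168.1.25", FW_OUTSIDE, False))   # address hidden: 198.51.100.1
    try:
        hide_source("192.168.1.25", FW_OUTSIDE, True)
    except ValueError as err:
        print("refused:", err)
```

The check uses the standard library's ipaddress module; the same is_reserved() test is what an administrator would want before enabling transparency on the outside interface.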
Resolver: Refers to the client software that is used to talk to a DNS server, such as DNSd, and hence, translate Internet names into IP addresses. Since resolvers do not know the location or IP address of any DNS servers, let alone which servers they should talk to, the resolver's configuration parameters are critically important. An incorrectly configured resolver can prevent clients from getting Internet name resolution, and hence, from accomplishing any Internet-related work. The resolver on the Raptor Firewall, like all Windows NT 4.0 systems, is set in the DNS Search Order field found in Start> Settings> Networks> Protocols> Tcpip properties> DNS tab.
RMC: This acronym means Raptor Management Console. RMC is a new product on Raptor Firewall 6.0. It replaces Hawk, which was the firewall's GUI on prior Raptor Firewall versions, and is built on the Microsoft Management Console. RMC can be installed on the Raptor Firewall on Windows NT systems, as well as on standalone Windows NT workstations, and can be used to manage both NT and UNIX versions of the Raptor Firewall 6.0.
Root Servers: Refers to the name servers of the root domains .com, .edu, .gov, and .org. These name servers specialize in providing referrals to the registered authorities within their domains.
Route: A logical delivery path between two IP networks or hosts. When a specific path for a particular network or host does not exist, packets being sent to that host or network are delivered using the sender's default route, which is also known as the default gateway. The routing table is used to hold all the routes (that is, delivery paths) known by a host and can be displayed from the Command Prompt window using the "route print" command. Static routes to particular hosts or networks can be set in the registry using the "route add -p" command. Full command syntax for the route command can be displayed using "route -help".
Secondary Server: Refers to an authoritative DNS server that receives domain/zone information (that is, the DNS resource records it is responsible for) by requesting this information from the primary server for the domain in a process known as a zone transfer. The main reason secondary servers were invented was to lower administrative burden. In other words, the administrator only has to maintain the primary server, after which the zone transfer mechanism ensures that the secondary servers are automatically updated.
Security Association: The IPSEC mechanism by which the management of authentication and encryption algorithms and their keys is decoupled from the suite of IPSEC protocols. A bidirectional communications session (A<->B) will normally have one Security Association (SA) for each direction - one for A->B traffic, and another for B->A traffic. The SPI, a 32-bit number contained in the packet, identifies the SA, and, hence, the algorithms and keys to be used in the processing of the packet.
Server-Side Transparency: The opposite of client-side transparency (see "transparent"). A transparent connection (TCP) or data stream (UDP) in which the firewall is transparent to the client. In other words, the client addresses the server directly, rather than indirectly through the firewall. Another way of putting it is that the true server, and not the gateway, is the target of the traffic. Typically used for outbound access. Outbound server-side transparency requires that the client's default route or gateway points to the IP address of the firewall's inside interface (or to a router whose default route gets there).
Service Redirection: Service Redirection is an application-level feature of the Raptor Firewall that operates with the firewall's standard proxies and the GSP. In simple terms, service redirection allows the firewall administrator to specify where non-transparent traffic for specific application-level services, such as HTTP or SMTP, will be sent.
SRL: This acronym means "Secure Remote Login", and refers to the encrypted and secured login facility available with the Raptor Firewall. SRL uses port 423/TCP.
SMTP: This acronym means Simple Mail Transport Protocol, and refers to the primary method of moving email across the Internet. SMTP uses port 25/TCP.
SMTPd: This acronym means "SMTP daemon", and refers to the Raptor SMTP proxy that is installed as part of the Raptor Firewall. SMTPd is one of the firewall's standard proxies.
Snetshot: A packet sniffer that comes with the Raptor Firewall.
SNMP: This acronym means Simple Network Management Protocol, and refers to the protocols that use ports 161/UDP and 162/UDP. SNMP is described in a number of RFCs, the most recent being RFCs 1901 thru 1908.
SPI: This acronym means Security Parameter Index, and refers to the number that uniquely identifies an IPSEC Security Association (SA). Specifically, the SPI is used to identify data integrity (authentication) and data privacy (encryption) algorithms, as well as the keys, to be used when handling IP traffic within the SA.
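To make the Security Association and SPI definitions concrete, here is an added example (not Symantec or Raptor code) that reads the 32-bit SPI out of an AH or ESP header and uses it, together with the destination address and protocol, to select the SA that names the algorithms and keys for the packet. The SA table, the SecurityAssociation record, the helper names and the sample packet bytes are all constructed for this illustration; the header offsets follow RFC 1826 (AH) and RFC 1827 (ESP), which the AH and ESP entries cite.

```python
"""Added example (not Symantec/Raptor code): extract the SPI from an AH or ESP
header and look up the matching Security Association, per the glossary's
"Security Association" and "SPI" definitions.

SecurityAssociation, SA_TABLE, extract_spi(), lookup_sa() and classify() are
constructed for this illustration, as are the sample packets.
"""
import struct
from dataclasses import dataclass

IPPROTO_ESP = 50  # IANA protocol number for Encapsulating Security Payload
IPPROTO_AH = 51   # IANA protocol number for Authentication Header


@dataclass(frozen=True)
class SecurityAssociation:
    direction: str  # "A->B" or "B->A": one SA per direction of the session
    auth_alg: str   # data integrity (authentication) algorithm
    enc_alg: str    # data privacy (encryption) algorithm; "" for AH-only SAs
    key_id: str     # handle for the key material, never the key itself


def extract_spi(ip_protocol: int, payload: bytes) -> int:
    """Return the 32-bit SPI from the start of an AH or ESP payload.

    AH  (RFC 1826): next header (1), length (1), reserved (2), SPI (4), auth data
    ESP (RFC 1827): SPI (4), then transform-specific (opaque) data
    Both SPI fields are big-endian, as on the wire.
    """
    if ip_protocol == IPPROTO_AH:
        if len(payload) < 8:
            raise ValueError("truncated AH header")
        return struct.unpack("!I", payload[4:8])[0]
    if ip_protocol == IPPROTO_ESP:
        if len(payload) < 4:
            raise ValueError("truncated ESP header")
        return struct.unpack("!I", payload[0:4])[0]
    raise ValueError(f"protocol {ip_protocol} is not AH or ESP")


def lookup_sa(sa_table: dict, dst_addr: str, ip_protocol: int, spi: int):
    """Select the SA by (destination, protocol, SPI).

    An SPI is only unique per destination and protocol, so the address is part
    of the key. None means no SA matches; a gateway should log and drop then.
    """
    return sa_table.get((dst_addr, ip_protocol, spi))


def classify(dst_addr: str, ip_protocol: int, payload: bytes):
    """Return (spi, sa) for a received packet; sa is None when unknown."""
    spi = extract_spi(ip_protocol, payload)
    return spi, lookup_sa(SA_TABLE, dst_addr, ip_protocol, spi)


# Constructed SA table for a tunnel between gateway A (203.0.113.1) and
# gateway B (198.51.100.1): one ESP SA per direction plus an AH-only SA.
SA_TABLE = {
    ("198.51.100.1", IPPROTO_ESP, 0x1000A001): SecurityAssociation("A->B", "HMAC-MD5", "DES-CBC", "key-ab-esp"),
    ("203.0.113.1", IPPROTO_ESP, 0x1000B002): SecurityAssociation("B->A", "HMAC-MD5", "DES-CBC", "key-ba-esp"),
    ("198.51.100.1", IPPROTO_AH, 0x00000101): SecurityAssociation("A->B", "HMAC-MD5", "", "key-ab-ah"),
}

# Constructed sample payloads (the bytes following the IP header).
ESP_TO_B = struct.pack("!II", 0x1000A001, 1) + b"\x00" * 16           # SPI, sequence, opaque data
AH_TO_B = struct.pack("!BBHI", 6, 4, 0, 0x00000101) + b"\x00" * 12    # next=TCP, len, rsvd, SPI, auth data

if __name__ == "__main__":
    for dst, proto, pkt in [("198.51.100.1", IPPROTO_ESP, ESP_TO_B),
                            ("203.0.113.1", IPPROTO_ESP, ESP_TO_B),
                            ("198.51.100.1", IPPROTO_AH, AH_TO_B)]:
        spi, sa = classify(dst, proto, pkt)
        print(f"dst={dst} proto={proto} spi=0x{spi:08x} -> {sa or 'no SA (drop and log)'}")
```

The second sample in the usage loop carries a valid SPI but is addressed to the wrong gateway, so no SA matches; that case is worth logging because it is exactly what a misconfigured peer or a replayed packet looks like on the wire.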
Standard Proxies: Every Raptor 6.0 firewall comes equipped with application-level proxies for managing CIFS/SMB, DNS, FTP, Gopher, HTTP, H.323, NTP, NNTP, Ping, RealAudio/Video, SMTP, and telnet access. The standard proxies provide arguably the most secure means of passing traffic through the Raptor Firewall, as they are governed by authorization rules, perform various application-layer security functions, and perform address hiding and traffic logging.
Special Service: Another way of referring to a GSP. This name is derived from the fact that GSPs handle ports or protocols not managed by the standard proxies, which, in this context at least, makes them special.
Static Authentication: The opposite of dynamic authentication. Static authentication refers to an authentication scheme where the usernames and groups are replicated on the firewall in addition to the authentication server.
Telnet: This acronym means "Telecommunications Network", and refers to the terminal session application-level protocol that uses port 23/TCP.
Transparent: Refers to a connection (TCP) or data stream (UDP) sent by a client directly to a server, in which the client is unaware of the intervening gateway. The opposite of non-transparent. Transparent access is routinely used for outbound traffic so that clients are unaware of the intervening gateway. This is sometimes referred to as server-side transparency, because the true server, and not the gateway, is the target of the connection.
Tunnel: Tunnel is an often misused term. In one sense it can be used to refer to the Raptor Firewall's packet filtering ability - that is, local tunnels. It can also be used when discussing the implementation of VPN, as in RaptorMobile tunnels, IPSEC tunnels, or ISAKMP tunnels.
UID: A decimal number that uniquely identifies a gateway username on the firewall. In essence, the UID becomes, for the firewall software, synonymous with the username. UIDs are entered as part of the process of creating a gateway username on the firewall.
Universe: The net entity that acts as a wildcard.
Virtual Address: This term is most often used when describing service redirection, and refers to an additional IP address that is assigned to the firewall's outside NIC through host routes on the Internet router (not through the network control panel on the firewall, as the Raptor Firewall does not support this).
VPN: This acronym means "Virtual Private Networking". VPN is a secure means of moving sensitive information across an inherently unsecure network, such as the Internet, to a protected network behind a secure gateway. VPN traffic is encrypted to secure the information, and encapsulated so that the secure gateway understands where to send the traffic in the protected network. Encapsulation can also have the desirable side-effect of concealing the final destination, or the real source, from prying eyes during its transmission across the unsecure network. The Raptor Firewall supports the ISAKMP dynamic key exchange mechanism, which reduces the administrative tasks necessary for configuring VPN traffic. Since the IPSEC and ISAKMP technologies are public domain standards, the VPN functionality of the Raptor firewall can interoperate with other vendor platforms that are also compliant.
Vulture: The firewall function responsible for terminating unauthorized software services and logons.
WebNot: WebNot is a subscription service purchased from Symantec. It provides Web site content ratings that allow you to create content-based Web access rules.
XNTPd: This acronym means "XNTP daemon", and refers to the firewall's standard proxy for NTP, which is installed as part of the Raptor firewall software.
Zone Transfer: Refers to the process whereby a secondary DNS server requests and receives a download of all the information for which it is authoritative from the primary DNS server for the zone.







Legacy ID



2000060213225454

