Here is a glossary of terms used in mobile security and networking.
3G (Third Generation):
The term used to refer to the next generation of wireless communications technology, the
"first generation" having been analog cellular, and the "second generation" being today's digital
cellular networks. An initiative of the International Telecommunication Union and regional
standards bodies, 3G aims to provide universal, high-speed (up to four megabits per second),
high-bandwidth wireless services supporting a variety of advanced applications.
ANTIVIRUS:
Software used to identify and isolate computer viruses.
AUTHENTICATION:
The process of validating the claimed identity of an end user or a device such as a host,
server, switch, router, etc.
AUTHORIZATION:
The act of granting access rights to a user, group of users, system, or program.
CDMA (Code Division Multiple Access):
A digital wireless technology used in radio communication for transmission between a mobile
phone and a radio base station. The technology was originally developed for military use in the
late 1960s, and is a multiple access technique that uses sequenced codes to divide traffic channels
within the same radio channels.
CERT (Computer Emergency Response Team):
A formal group responsible for responding to security breaches, viruses and other potentially
catastrophic incidents in enterprises that face significant security risks.
CHAP (Challenge Handshake Authentication Protocol):
A type of authentication in which the authentication agent (typically a network server) sends
the client program a key to be used to encrypt the username and password. This enables the username
and password to be transmitted in an encrypted form to protect them against eavesdroppers.
CRYPTOGRAPHY:
The science of writing or reading coded messages.
DATA CONFIDENTIALITY:
The process of ensuring that only the entities allowed to view the data can see it in a
usable format.
DATA INTEGRITY:
The process of ensuring that data has not been altered or destroyed during transit.
DENIAL OF SERVICE ATTACK (DOS):
Any action that prevents any part of a network or host system from functioning in accordance
with its intended purpose.
DIAL PROPERTIES:
A feature in the client that allows the user to customize a dial location preference as well as
rules specific to where the user is calling from. Prefixes for accessing an outside line are also
added here.
DIGITAL SIGNATURE:
A string of bits appended to a message (encrypted hash) that provides authentication and data
integrity.
DUN (Dial-Up Networking):
A component in Windows that enables a user to connect a computer to a network via a modem.
This is a collection of pre-configured protocols like PPP and TCP/IP.
ENCRYPTION:
A method of scrambling information in such a way that it is not readable by anyone except the
intended recipient, who must decrypt it to read it.
ENTERPRISE MOBILITY:
The employment of mobile methods and technology in the enterprise to enable the versatile use
of information, people, processes and assets for more effective resource management and
communication between employees, partners and customers. Successful use results in improved cost
efficiency, enhanced revenue, improved customer service, higher productivity, and/or competitive
advantage.
ERROR CODE:
A number that is returned to the GUI if the authentication is not successful. The error code is
defined and returned by the RADIUS service. Also see Error Message.
ERROR MESSAGE:
A message that is returned to the GUI of the client if the user's authentication is invalid. The
message corresponds directly to the error code. See Error Code.
EXTENDED ENTERPRISE:
An organization, its suppliers, partners and customers. The concept of the extended
enterprise captures the modern reality that organizations are increasingly connected by computing
and communications networks.
FIREWALL:
A device that protects the network from unwanted intruders and limits the traffic coming in
and going out of the network.
FIREWALL RULE:
A setting that indicates whether network traffic from a particular address or port should be
accepted or rejected. A firewall rule may apply to an IP address, a TCP port, or a UDP port.
FIREWALL RULE SET:
A collection of firewall rules and parameters. A firewall rule set is one element of a
policy.
FIRST ATTEMPT CONNECTION (FAC):
A FAC record is written when a user dials and is successfully connected on the first attempt,
that is, one attempt and one successful connection.
HASH FUNCTION:
A mathematical computation that results in a fixed-length string of bits (digital code) from
an arbitrary size input; the function is not reversible to produce the original input.
HASH:
The resulting string of bits from a hash function.
HEARTBEAT:
An encrypted HTTP packet used in communications between Proventia Desktop agents and a Site
Protector Server (a configuration manager and reporting console for Proventia agents). The
heartbeat is used to confirm availability and ensure proper functioning (updating policies);
Proventia Desktop agents routinely send heartbeats to the Site Protector Server.
HOT-SPOT:
Term used to describe an area or place where there is public or private 802.11 wireless
network coverage.
ID FIELD:
The identification (ID) field holds a unique identifier that is used in the troubleshooting
process if problems occur. It can also denote the type of POP coverage the user has.
IDS (Intrusion Detection System):
A device or software that detects unauthorized access to a network or computer system.
IP SECURITY PROTOCOL (IPSec):
A set of protocols for protecting IP packets.
IBM Internet Security Systems:
The security software vendor that produces Proventia Desktop agent (endpoint security) and
other Internet security products. (Formerly ISS).
ISDN (Integrated Services Digital Network):
A service that provides end-to-end digital connectivity supporting higher speed connections
(up to 128K if 2 bonded channels are obtained).
KERBEROS:
A network authentication protocol. It is designed to provide strong authentication for
client/server applications by using secret-key cryptography.
LDAP (Lightweight Directory Access Protocol):
A relatively simple protocol for updating and searching directories such as usernames and
passwords across multiple systems. LDAP is basically a specialized database.
MOBILE ENTERPRISE:
The collection of mobile workers, supply chain partners and other extended enterprise assets
that necessitate electronic connectivity for telephony, computing and data communications.
MOBILE ENTERPRISE ALLIANCE (MEA):
International market development and advocacy group that promotes the business benefits of
enterprise mobility to IT and business decision makers.
MSP (Management Service Provider):
Also known as "managed-service providers," MSPs deliver network, application, system and
e-management services across a network to multiple enterprises, using a "pay as you go" pricing
model.
MSSP (Managed Security Service Provider):
A company that provides outsourced monitoring and management of security devices and systems.
Common services include managed firewall, intrusion detection, virtual private network,
vulnerability scanning and antivirus services. MSSPs use high availability security operation
centers (either from their own facilities or from other data center providers) to provide 24x7
services designed to reduce the number of operational security personnel an enterprise needs to
hire, train and retain to maintain an acceptable security posture.
MULTIPLE ATTEMPT CONNECTION (MAC):
A MAC record is written when several call attempts occur within minutes of each other and the
final result is a successful authentication. This means that the user tried to dial the same POP
multiple times in a short period of time and finally authenticated.
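The FAC and MAC definitions above describe a small classification rule over a user's dial attempts. The following is an added example, not Fiberlink's own client code: it assumes each attempt is a (timestamp, POP number, authenticated?) tuple, that "within minutes" means a 5-minute gap at most, and that a run of attempts ending in failure is simply reported as FAIL.

```python
from datetime import datetime, timedelta

# Assumed meaning of "within minutes of each other" (not defined on the page).
WINDOW = timedelta(minutes=5)

def classify_attempts(attempts):
    """Group dial attempts into sessions and label each as FAC, MAC or FAIL.

    attempts: list of (datetime, pop_number, authenticated) sorted by time.
    A session is a run of attempts to the same POP, each within WINDOW of the
    previous one, that ends at the first successful authentication.
    Returns a list of (label, pop_number, attempt_count).
    """
    records = []
    session = []

    def flush():
        if not session:
            return
        n = len(session)
        ok = session[-1][2]
        label = "FAIL" if not ok else ("FAC" if n == 1 else "MAC")
        records.append((label, session[0][1], n))
        session.clear()

    for ts, pop, ok in attempts:
        if session:
            prev_ts, prev_pop, prev_ok = session[-1]
            # A new session starts after a success, a POP change or a long gap.
            if prev_ok or pop != prev_pop or ts - prev_ts > WINDOW:
                flush()
        session.append((ts, pop, ok))
    flush()
    return records

# Constructed sample attempts (hypothetical POP numbers and times).
SAMPLE = [
    (datetime(2024, 1, 8, 9, 0, 0), "555-0100", True),    # connected first try: FAC
    (datetime(2024, 1, 8, 9, 30, 0), "555-0100", False),
    (datetime(2024, 1, 8, 9, 31, 0), "555-0100", False),
    (datetime(2024, 1, 8, 9, 33, 0), "555-0100", True),   # three tries, then success: MAC
    (datetime(2024, 1, 8, 12, 0, 0), "555-0199", False),  # never authenticated: FAIL
]
SAMPLE_GAP = [
    (datetime(2024, 1, 8, 14, 0, 0), "555-0100", False),
    (datetime(2024, 1, 8, 14, 20, 0), "555-0100", True),  # 20 minutes later: a new FAC, not a MAC
]
```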
OBJECT:
Name given to an IP Address or network block defined in a firewall.
NETWORK INTEGRITY SYSTEM (NIS):
Uses traffic pattern profiling to actively block deviant traffic and maintain high
availability on the network.
P2P (PEER-TO-PEER):
A style of networking in which computers communicate directly with each other rather than
depending on interactions managed via central servers and networks. Examples include: short
real-time messages (instant messaging), collaborative computing, and file-sharing programs, which
enable Internet users to share files (such as music files) via point-to-point file transfers.
PAP (Password Authentication Protocol):
The most basic form of authentication, in which a user's name and password are transmitted
over a network and compared to a table of name-password pairs. Typically, the passwords stored in
the table are encrypted.
PHS (Personal HandyPhone System):
A Japanese standard for digital cellular service. It provides low-mobility or fixed wireless
access in the 1,900-megahertz radio band.
POINT OF PRESENCE (POP):
A telecommunication center (identified by a phone number) into which users dial to obtain
connection to the Internet. Often used as a synonym for phone number in a client.
POLICY:
Putting controls around who, when, and how end users get connected to the corporate network
infrastructure. Parameters include cost control rules, allowed access methods, devices and venues,
security configurations, and overall configuration management of trusted devices.
PRIVATE KEY:
The confidential half of the asymmetric key pair used in public-key cryptography. Unlike the
"secret key" used in symmetric-key cryptography - a single key known by both the sender and the
receiver - a private key is known only by the recipient.
PROVENTIA DESKTOP AGENT:
Program that runs on a user's PC to protect it from in-bound and out-bound hacker attacks.
This agent is specific per company.
PUBLIC KEY AUTHENTICATION:
Based on public key encryption (or "asymmetric key encryption"). This form of authentication
consists of first generating a pair of encryption keys, the "public" key and the "private" key.
PUBLIC KEY INFRASTRUCTURE (PKI):
A trusted and efficient security key and certificate management system.
PUBLIC KEY:
A digital code used to encrypt information and verify digital signatures. This key can be
made widely available; it has a corresponding private key.
RADIUS (Remote Authentication Dial-In User Service):
A client/server protocol and software that enables remote access servers to communicate with
a central server to authenticate users and authorize their access to the requested system or
service.
REMOTE ACCESS SOLUTION (RAS):
Industry term used to describe dial-up service; facilitates network connections to an
enterprise local-area or wide-area network from users remotely accessing the network over cable or
telephone lines using a modem.
REMOTE END-POINT SECURITY (REPS):
REPS is used broadly to refer to any centralized managed security system that enforces all or
part of enterprise security policies on an end-point. End-points can include laptops, desktop and
PDAs. Methods of access include wired local network, dial-up, broadband or wireless. Types of
policies enforced include anti-virus definitions, personal firewall, location, authentication,
content filtering, application access control and patch levels.
RSA (RIVEST, SHAMIR, ADLEMAN):
A public key cryptographic algorithm - invented in 1997 by Rivest, Shamir and Adleman - that
encrypts or decrypts data and can apply or verify a digital signature.
RULEBASE:
Collection of firewall rules, objects, and services that make up a company security
policy.
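The OBJECT, SERVICE, FIREWALL RULE, FIREWALL RULE SET and RULEBASE entries describe how a policy is assembled from named pieces. The following is an added example, not any vendor's engine: it assumes rules are evaluated first-match-wins with an implicit final reject, and all objects, services and rules are constructed sample data.

```python
import ipaddress

# Objects: names given to IP addresses or network blocks (constructed sample).
OBJECTS = {
    "corp_lan": ipaddress.ip_network("10.0.0.0/8"),
    "dns_server": ipaddress.ip_network("10.1.1.53/32"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}

# Services: names given to a protocol with a defined port number.
SERVICES = {"dns": ("udp", 53), "https": ("tcp", 443), "telnet": ("tcp", 23)}

# Rule set: (source object, destination object, service, action), in order.
RULESET = [
    ("corp_lan", "dns_server", "dns", "accept"),
    ("any", "any", "telnet", "reject"),
    ("corp_lan", "any", "https", "accept"),
]

def evaluate(src_ip, dst_ip, proto, port, ruleset=RULESET):
    """Return (action, rule_number) for a packet; the first matching rule wins.

    A packet matching no rule hits the assumed implicit cleanup rule and is
    rejected, reported with rule number None.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for number, (s_obj, d_obj, svc, action) in enumerate(ruleset, start=1):
        s_proto, s_port = SERVICES[svc]
        if (src in OBJECTS[s_obj] and dst in OBJECTS[d_obj]
                and proto == s_proto and port == s_port):
            return action, number
    return "reject", None
```

Note that the same port on a different protocol (TCP 53 versus the UDP 53 "dns" service) does not match, which is why a service names both protocol and port.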
SCRIPT:
A text file that can run during authentication to make authentication possible. For example,
Fiberlink runs a script to knock CHAP POPs to PAP POPs, which allows for successful
authentication.
SECURID:
A form of security that utilizes a random number generator that the user carries along with a
PIN that is memorized by the user.
SECURITY EVENT MANAGEMENT (SEM):
System that collects security related log information from a wide variety of devices, uses
real-time correlation to create actionable alerts from a multitude of events, and archives events
so that they can be reviewed and analyzed at a later date.
SECURITY INTELLIGENCE SERVICES (SIS):
Information services providing alerts on new vulnerabilities and the existence of actual
exploits allowing remediation efforts to be directed towards the most critical issues.
SECURITY PERIMETER:
The boundary at which security controls are placed to protect network assets.
SECURITY POLICY:
A group of rules that dictates who on the network and what services are allowed to come in
and go out of the internal network.
SERVER LOCATION:
A domain or realm name used to route traffic to a specific location. Most often this should
be left at default.
SERVICE:
Name given to a protocol with a defined port number. See TCP and UDP.
SHIVA ACCESS MANAGER (SAM):
A protocol-independent authentication, authorization, and accounting solution for Windows NT
4.0 and UNIX.
SPEED FIELD:
Denotes the maximum possible speed that the POP can handle. This does not guarantee that one
will receive the maximum speed on the connection.
SPLIT-TUNNELING:
Split-tunneling allows for secure access to corporate resources through an encrypted tunnel
while allowing Internet access directly through the ISP's resources (eliminating the corporate
network from the path for web access).
SSL (Secure Sockets Layer):
A common standard that offers session-level security - after a secure session has been
initiated, all information transmitted over the Internet during that session is encrypted. SSL also
offers features such as server and client authentication as well as message integrity.
STREAM CIPHER:
An encryption method that encrypts and decrypts arbitrarily sized messages one character at a
time.
TCP:
Common way of referring to one of the main protocols in TCP/IP networks. Whereas the IP
protocol deals only with packets, TCP enables two hosts to establish a connection and exchange
streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered
in the same order in which they were sent.
TUNNELING:
Architecture that is designed to provide the services necessary to implement any standard
point-to-point encapsulation scheme. See also Encapsulation.
UDP (User Datagram Protocol):
A connectionless protocol that, like TCP, runs on top of the IP protocol. Unlike TCP, UDP
provides very few error recovery services, offering instead a direct way to send and receive
datagrams over an IP network.
VIRTUAL PRIVATE NETWORK (VPN):
Any dedicated communications connection on a public communications network. This enables IP
traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network
to another. A VPN uses "tunneling" to encrypt all information at the IP level.
VULNERABILITY MANAGEMENT:
The process of finding, evaluating and remediating vulnerabilities (existing exploitable
weaknesses) on servers and workstations.
VULNERABILITY SCANNING AND ASSESSMENT SERVICES (VSAS):
Vulnerability Scanning and Assessment Services (VSAS) are network and host-based scans performed
both externally and internally to determine what vulnerabilities exist on the network's components.
Vulnerabilities are identified by severity, allowing remediation efforts to be directed towards the
most critical issues.
WI-FI (WIRELESS FIDELITY):
The Wireless Ethernet Compatibility Alliance's (WECA's) name for the IEEE's 802.11b standard
for wireless LANs operating at 2.4 gigahertz.
WIRELESS LAN (WLAN):
Wireless local-area network, typically based on IEEE protocols (802.11 and its successors),
intended to operate within buildings or over outdoor distances of approximately 100m.