User guide
Glossary
Multi-Tech Systems, Inc. RouteFinder RF850/860 User Guide (PN S000400E) 185
Security Policy – Enterprises should have a carefully planned set of statements in place regarding network
protection. A good corporate Internet security policy should define acceptable use, acceptable means of remote
access, information types and required encryption levels, firewall hardware and software management
processes and procedures, non-standard access guidelines, and a policy for adding new equipment to the
network. New security protocols, new services, and security software upgrades should also be considered. The
purpose of a security policy is to define how an organization is going to protect itself. The policy will generally
require two parts: a general policy and specific rules (system specific policy). The general policy sets the overall
approach to security. The rules define what is and what is not allowed. The security policy describes how data is
protected, which traffic is allowed or denied, and who is able to use the network resources.
Server – A server is a device on the network that provides mostly standardized services (e.g., www, FTP, news,
etc.). To use these services, you as a user need the corresponding client software for the desired service.
SHA (Secure Hash Algorithm) – A United States government standard for a strong one-way hash algorithm
that produces a 160-bit digest. See MD5. SHA-1 is defined in FIPS PUB 180-1.
SHA-1 (Secure Hash Algorithm version one) – The hash algorithm designed by the NSA; it is part of the U.S.
Digital Signature Standard (DSS).
S-HTTP (Secure HTTP) – The IETF RFC that describes a syntax for securing messages sent using the
Hypertext Transfer Protocol (HTTP), which forms the basis for the World Wide Web.
Secure HTTP (S-HTTP) provides independently applicable security services for transaction confidentiality,
authenticity/integrity and non-repudiability of origin. The protocol emphasizes maximum flexibility in choice of key
management mechanisms, security policies, and cryptographic algorithms by supporting option negotiation
between parties for each transaction. The current IETF RFC describes S-HTTP version 1.2. Previous versions
of S-HTTP numbered 1.0 and 1.1 have also been released as Internet-Drafts.
SNAT (Source NAT) – A functionality equivalent to DNAT, except that the source addresses of the IP packets
are converted instead of the target address. This can be helpful in more complex situations (e.g., for diverting
reply packets of connections to other networks or hosts). In contrast to Masquerading, SNAT is a static address
conversion, and the rewritten source address does not need to be one of the firewall’s IP addresses. To create
simple connections from private networks to the Internet, you should use the Masquerading function instead of
SNAT. The use of private IP addresses in combination with Network Address Translation (NAT) in the form of
Masquerading, Source NAT (SNAT), and Destination NAT (DNAT) allows a whole network to hide behind one or
a few IP addresses preventing the identification of your network topology from the outside. With these
mechanisms, Internet connectivity remains available, while it is no longer possible to identify individual
machines from the outside. Using DNAT makes it possible to place servers within the protected network/DMZ
and still make them available for a certain service.
SOCKS – A proxy protocol that allows the user to establish a point-to-point connection between their own
network and an external computer via the Internet. SOCKS, also called Firewall Traversal Protocol, currently
exists at version 5.
SPI (Security Parameters Index) – The SPI is an arbitrary 32-bit value that, in combination with the destination
IP address and security protocol (AH), uniquely identifies the Security Association for a datagram. SPI values
from 1 through 255 are reserved by the Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the assigned SPI value is specified in an
RFC. It is ordinarily selected by the destination system upon establishment of an SA. You can define SPI (and
other protocols) for the RouteFinder from VPN > IPSEC. SPI is defined in RFC 2401.
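To make the SPI entry concrete, here is an added example (not code from the RouteFinder guide) of how an inbound AH or ESP datagram is matched to its Security Association by the (destination IP, protocol, SPI) triple, with the IANA reserved range 1 through 255 refused when an SA is created. The `SADB` class, the sample SA and the header bytes are constructed for this illustration; the header offsets follow the ESP and AH layouts, where ESP starts with the SPI and AH places four bytes of next-header, length and reserved fields before it.

```python
import ipaddress
import struct

PROTO_ESP, PROTO_AH = 50, 51        # IP protocol numbers for ESP and AH
IANA_RESERVED_SPI = range(1, 256)   # SPI values 1 through 255 are reserved by IANA

def spi_is_usable(spi):
    """True if spi is a 32-bit value outside the IANA reserved range."""
    return 0 <= spi <= 0xFFFFFFFF and spi not in IANA_RESERVED_SPI

def spi_from_header(proto, payload):
    """Extract the SPI from an ESP or AH header. ESP puts the SPI in bytes 0-3;
    AH has next-header, payload-length and reserved fields (4 bytes) before it."""
    offset = {PROTO_ESP: 0, PROTO_AH: 4}[proto]
    (spi,) = struct.unpack("!I", payload[offset:offset + 4])
    return spi

class SADB:
    """Minimal Security Association database keyed by (destination IP, protocol, SPI)."""
    def __init__(self):
        self._sas = {}

    def add(self, dst_ip, proto, spi, params):
        if not spi_is_usable(spi):
            raise ValueError("SPI %d is not a usable 32-bit value" % spi)
        key = (ipaddress.ip_address(dst_ip), proto, spi)
        if key in self._sas:
            raise ValueError("an SA already exists for %r" % (key,))
        self._sas[key] = params

    def lookup(self, dst_ip, proto, spi):
        return self._sas.get((ipaddress.ip_address(dst_ip), proto, spi))

def find_sa(sadb, dst_ip, proto, payload):
    """Return the SA for an inbound IPsec datagram, or None when no SA matches;
    a datagram with no matching SA must be discarded rather than processed."""
    if proto not in (PROTO_ESP, PROTO_AH):
        return None
    return sadb.lookup(dst_ip, proto, spi_from_header(proto, payload))

# Constructed sample: one ESP SA to 192.0.2.1 with SPI 0x1000, and a matching ESP header.
SADB_SAMPLE = SADB()
SADB_SAMPLE.add("192.0.2.1", PROTO_ESP, 0x1000, {"cipher": "aes-128-cbc", "auth": "hmac-sha1"})
ESP_SAMPLE = struct.pack("!II", 0x1000, 1) + b"\x00" * 16   # SPI, sequence number, payload
```

Note that the same SPI under a different protocol or destination address finds nothing: all three parts of the key must match.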
SSH (Secure Shell) – A text-oriented interface to a firewall, suitable only for experienced administrators.
SSH is a secure remote login program available for both Unix and Windows NT. For access via SSH you need
an SSH Client, included in most Linux distributions. The Microsoft Windows program PuTTY is recommended
as an SSH client. Access via SSH is encrypted and therefore impossible for strangers to tap into.
Stateful Inspection – A method of security that requires a firewall to control and track the flow of
communication it receives and sends, and to make decisions about TCP/IP-based services (e.g., whether it should
accept, reject, authenticate, encrypt and/or log communication attempts). To provide the highest security level
possible, these decisions must be based on the Application State and/or the Communication State (as opposed to
making decisions based on isolated packets). With stateful inspection, a firewall is able to obtain, store, retrieve,
and manipulate information it receives from all communication layers as well as from other applications. Stateful
inspection tracks a transaction and verifies that the destination of an inbound packet matches the source of a
previous outbound request. Other firewall technologies (e.g., packet filters or application layer gateways) alone
may not provide the same level of security as stateful inspection.
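The check described above, an inbound packet being accepted only when it matches a previously tracked outbound request, is shown in this added example of a toy TCP connection tracker (illustration code, not the RouteFinder's own implementation). The `Packet` record, the `StatefulInspector` class and the sample trace are constructed for the example; the trace ends with two inbound packets that a plain port-based packet filter would have to let through but that the tracker drops because no internal host requested them.

```python
from collections import namedtuple

# Constructed packet record; a real inspector would parse these fields from IP/TCP headers.
Packet = namedtuple("Packet", "direction src sport dst dport flags")

class StatefulInspector:
    """Toy TCP stateful inspector for a firewall in front of an internal network.
    Inbound packets are accepted only when they are the reverse of a connection an
    internal host opened outbound, which is the check the glossary entry describes."""
    def __init__(self, allowed_outbound_ports):
        self.allowed = set(allowed_outbound_ports)
        self.conns = {}   # (src, sport, dst, dport) of the outbound direction -> state

    def inspect(self, p):
        if p.direction == "out":
            key = (p.src, p.sport, p.dst, p.dport)
            if key in self.conns:
                if "FIN" in p.flags or "RST" in p.flags:
                    del self.conns[key]          # connection torn down, forget it
                return "ACCEPT"
            # A new connection must start with a bare SYN to a permitted service port.
            if p.flags == {"SYN"} and p.dport in self.allowed:
                self.conns[key] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"
        # Inbound: the packet must match the reverse of a tracked outbound connection.
        key = (p.dst, p.dport, p.src, p.sport)
        state = self.conns.get(key)
        if state is None:
            return "DROP"                        # unsolicited inbound packet
        if state == "SYN_SENT" and p.flags == {"SYN", "ACK"}:
            self.conns[key] = "ESTABLISHED"
            return "ACCEPT"
        if state == "ESTABLISHED" and "SYN" not in p.flags:
            if "RST" in p.flags:
                del self.conns[key]
            return "ACCEPT"
        return "DROP"                            # wrong for the connection's state

def run_trace(inspector, packets):
    return [inspector.inspect(p) for p in packets]

# Constructed trace: 10.0.0.5 fetches a web page from 198.51.100.7; then an outside host
# tries a fresh connection to that internal port, and a SYN/ACK arrives that nobody requested.
SAMPLE_TRACE = [
    Packet("out", "10.0.0.5", 40001, "198.51.100.7", 80, {"SYN"}),
    Packet("in", "198.51.100.7", 80, "10.0.0.5", 40001, {"SYN", "ACK"}),
    Packet("out", "10.0.0.5", 40001, "198.51.100.7", 80, {"ACK"}),
    Packet("in", "198.51.100.7", 80, "10.0.0.5", 40001, {"ACK", "PSH"}),
    Packet("in", "203.0.113.9", 4444, "10.0.0.5", 40001, {"SYN"}),
    Packet("in", "198.51.100.7", 80, "10.0.0.5", 40002, {"SYN", "ACK"}),
]
```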