Acronym for acknowledge.
This bit comes into play when a TCP connection is to be established or closed
(i. e. a packet with its SYN or ACK bit
set is received) and serves to acknowledge the request in question.
A bridge links multiple network adaptors to a logical unit – the logical gap
between the network cards is bridged in the literal sense.
The advantage is that an existing network can be split into different segments
which, although physically separated, still form a logical unit.
Here one must distinguish between hardware and software bridges: Whereas in the
former the constituting hardware components are directly linked to each other,
in the latter the installed operating system forwards the data between the
bridged network segments. However, software-based solutions suffer as far as
throughput is concerned, because the architecture of their hardware proves to
be a considerable bottleneck (the bus-oriented architecture involved usually
does not permit direct communication between different peripheral components).
Their advantage nevertheless is the considerable amount of supported hardware
and the possibility of bridging networks of different architectures with little
to no problems.
Another field of application is virtualization, which provides every virtual
machine with a virtual network device that in turn is linked to a physical
interface. This is what allows the guest OSes' network communication to reach
the outside.
This is the name for an attack on a foreign computer aimed at gaining access
by sheer force.
Its characteristic is the continuous bombardment of a login mechanism with
every possible password (dictionary attack, or randomly or
systematically generated character combinations) in order to find out the
correct password.
Because one cannot completely prevent this type of attack, the only option
that normally remains is throwing as many spanners into the works of an
attacker as possible without significantly hampering legitimate login attempts.
This is best achieved by temporary locks in the firewall and by programs
capable of adapting to this type of attack.
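The detection side of the mitigation described above, as an added Python example that is not part of the original glossary: it scans auth log lines, counts failed logins per source address inside a sliding time window and emits a temporary lock whenever the threshold is reached, while a legitimate user with the occasional typo stays below it. The log lines, thresholds and lock duration are constructed for the example; the lock list is what one would hand to the firewall.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in the style of an SSH daemon's auth log (not real data).
# One source hammers the login within seconds; a legitimate user mistypes twice, far apart.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[811]: Failed password for root from 203.0.113.7 port 50211 ssh2
2024-03-01T10:00:03 sshd[811]: Failed password for admin from 203.0.113.7 port 50212 ssh2
2024-03-01T10:00:04 sshd[811]: Failed password for invalid user test from 203.0.113.7 port 50213 ssh2
2024-03-01T10:00:06 sshd[811]: Failed password for root from 203.0.113.7 port 50214 ssh2
2024-03-01T10:00:07 sshd[811]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
2024-03-01T10:00:08 sshd[811]: Failed password for root from 203.0.113.7 port 50215 ssh2
2024-03-01T10:00:09 sshd[811]: Failed password for root from 203.0.113.7 port 50216 ssh2
2024-03-01T10:03:00 sshd[811]: Failed password for bob from 198.51.100.20 port 40001 ssh2
2024-03-01T10:20:00 sshd[811]: Failed password for bob from 198.51.100.20 port 40002 ssh2
"""

FAIL_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+) port \d+")


def find_lockouts(log_text, max_failures=5, window_s=120, lock_s=600):
    """Scans auth log lines and returns [(ip, lock_start, lock_end), ...] for every
    source whose failed logins within `window_s` seconds reached `max_failures`.
    Failures that arrive while a lock is active are ignored, since the firewall
    would have dropped them; a user with an occasional typo never hits the threshold."""
    window, lock_for = timedelta(seconds=window_s), timedelta(seconds=lock_s)
    recent = defaultdict(deque)      # ip -> timestamps of failures still inside the window
    locked_until, lockouts = {}, []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue                 # successes and unrelated lines are not counted
        ip, ts = m["ip"], datetime.fromisoformat(m["ts"])
        if ip in locked_until and ts < locked_until[ip]:
            continue                 # the temporary firewall lock is still in force
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:    # slide the window: forget failures that are too old
            q.popleft()
        if len(q) >= max_failures:
            locked_until[ip] = ts + lock_for
            lockouts.append((ip, ts, ts + lock_for))
            q.clear()                # the lock resets the count
    return lockouts


def lockout_summary(log_text, **kw):
    """Same result as find_lockouts, with timestamps rendered as ISO strings."""
    return [(ip, a.isoformat(), b.isoformat()) for ip, a, b in find_lockouts(log_text, **kw)]
```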
Fast temporary memory for buffering often-used data. It can be found in
virtually any situation that requires fast access to data.
It is particularly used in CPUs, because it can access any data present in its
cache much faster than normal RAM since it doesn't have to wait on the external
data bus that tends to slow down any data transfer. However, even hard disks and
other devices are equipped with cache memory by now, so that certain access
types are drastically sped up. Even operating systems can provide cache memory
to keep often-used data available for fast access.
In networks it is strongly advisable to place proxies at strategically
favorable spots for caching data, on one hand to reduce the traffic load in the
network beyond the proxy or to relieve narrow-band links, and on the other hand
to make often-used data available for fast access.
Responsible for connection tracking. Especially necessary when the firewall has
to detect whether or not new connections are related to an already established
connection.
Contains the PREROUTING and the
OUTPUT chains.
These are networks that contain servers providing certain services for the
Internet (e. g. mail, FTP, or web servers, but other services are possible,
too) that can be subject to attacks from the 'Net. To reduce the hazard
for the actual internal network, these services are relocated to another
network with a security level higher than the Internet, but still lower than
the actual internal network.
This grants the boxes on the internal network full access to those on the
DMZ (e. g. to fetch e-mail, etc.), but the boxes inside the DMZ don't get
access to the internal network in return. However, they can access the
'Net unhindered.
A method designed for flooding servers with unsolicited requests or establishing so many half-open connections that they become unable to correctly process legitimate requests any more, which is usually noticeable by lost packets – and in the worst case can cause the remote system to crash altogether.
Here it is actually determined whether or not packets are passed through. All
rules concerning these decisions reside in this table.
Contains the INPUT, the
OUTPUT, and the
FORWARD chains.
Acronym for finish.
A connection can be closed when one of the systems sends a packet with its FIN
bit set. Analogous to establishing a connection the opposite side is going to
react with a packet that has both its FIN and ACK bits set
instead of SYN and ACK. The system originally initiating
the shutdown of the connection is then going to respond with a packet with its
ACK bit set, after which the connection is officially closed for both systems
and any data packets that arrive on the now-closed connection are rejected.
Determines which packets the firewall has to forward. It is applied when data packets arrive that are not bound for the firewall.
A TCP connection is established with a three-way handshake. For this the
client sends a packet with its SYN bit set to the server, which in turn
responds with a packet that has both its SYN and ACK bits set, on the one hand
to acknowledge the connection initiated by the client, and on the other hand to
request that the client acknowledge the connection as well.
Normally the client sends a packet that has its ACK bit set, but a malicious
system is going to ignore this last step, thereby leaving behind a half-open
connection on the server – which will drop it some time later once it
recognizes that the final acknowledgement won't come. If in this course
too many half-open connections are opened on the attacked system, its resources
are eventually used up so it cannot respond to any further requests any more,
which makes legitimate requests impossible and can cause the attacked system
to crash.
A computer or group of computers that serves to find out what possible
attackers are attempting to do – a rigged bait. When properly set up, such a
honey pot can be used to monitor what the attackers intend to use it for
(supplying malware, as a spam bot, integration into a bot net, etc.), but
without the attackers being able to wreak any havoc.
However, setting up a honey pot turns out to be difficult, because one needs to
make sure that the attackers cannot cause any trouble, so it is recommended
only for people who are well versed in this matter.
Abbreviation for Internet Control Message Protocol
The purpose of this protocol is to exchange information on different states of
the network between individual nodes. The most obvious candidate that makes use
of ICMP is the program ping that sends a particular
packet to a particular box (the so-called ICMP Echo Request). When an ICMP Echo
Reply returns, one knows that the "pinged" box is active ("ping" is an
allusion to direction finding by sonar, whose scan can be heard as a
high-pitched sound, the so-called ping).
Other messages conveyed via ICMP are important status messages like "Host
unreachable", "Network unreachable", "Port unreachable"
or the "Source Quench Notification" and many more.
Also certain messages that indicate the presence of a firewall
("Administratively Prohibited", etc.) can be found here.
Abbreviation for Internet Key
Exchange
This part of IPsec always comes first when establishing a connection: it
enables the participating stations to negotiate the cryptographic keys
necessary for the connection and to authenticate each other. When this stage
fails, the connection isn't established at all.
IKE now exists in two variants, of which IKEv2 should be preferred to IKEv1.
Determines which packets that are bound for the firewall are accepted.
Abbreviation for Internet Protocol
All data traffic across the 'Net eventually relies on this protocol, on which
many others build. It is the protocol that allows any data to find its way to
its intended destination in the first place.
Abbreviation for Internet Protocol
secure
This is an additional component that enhances the original
IP with security traits like
confidentiality, data integrity and authentication. Whereas the original IP
allows anyone to connect to anyone else and to both read and modify any data in
transit, this is well-nigh impossible with IPsec, or at least not feasible
without considerable effort.
If a particularly critical error occurs within the system kernel, it stops every process and prints a message indicating the problem. Possible reasons for this are:
This is a part of the OSI model (abbreviation for Open
Systems Interconnection). Each layer has a specific purpose within a
network.
The OSI model is composed of seven layers, with the lowest (layer 1) being the
one closest to the hardware and the highest layer (layer 7) being the one
closest to any applications. There are the following layers, in ascending
order:
The higher the layer on which one is working, the more abstract the functions
provided by that layer become. For example a program that makes use of
functions provided by layer 7 doesn't have to know how exactly any data that it
wants to send across a network are actually transmitted. It is therefore able
to make use of the higher functions for input and output; the rest is handled
by the services residing on the lower layers.
In contrast a program that wants to make use of a particular protocol is
inevitably placed on a lower level, thereby requiring that it knows about the
conditions on that particular layer. A program that explicitly wants to make
use of the TCP protocol and therefore
resides on layer 4 has to be able to handle the protocol itself. Hence it
cannot simply send any data out through an output channel and receive any
arriving data on an input channel, but it is also responsible for correctly
crafting the needed TCP packets and analyzing any responses – all that in
addition to its other tasks.
A program residing on an even lower layer gets in touch with the network
infrastructure itself. A program that analyzes any incoming data packets sees
them the same way they are traveling across the network. It must therefore be
able to deal with all kinds of network types that exist (Token Ring works
differently from Ethernet, and the two again have another mode of operation
than ARCNET).
The program iptables resides on layer 3, which
allows e. g. packet sniffers and port knocking to work despite a closed
firewall.
Determines in what fashion data packets that pass the firewall are to be
modified. Please note that no address modification takes place here –
that's performed exclusively in the nat table!
This table contains every rule chain.
Virtually always a reference to addresses that can be seen but not reached. It
is the exact same problem with Mars: You may see it, but you cannot reach it by
ordinary means.
If an address is called martian, it denotes an invalid address that isn't
supposed to show up in the zone in which it has appeared, for example an
address from a private network that has somehow reached the public network.
See also NAT
Describes a mode that permits boxes with private IP addresses to access the
Internet. The private IP address of the box attempting to establish the
connection is replaced with the public IP address of the NAT router behind
which the box resides.
Multicasting describes the process of distributing a single data stream to multiple recipients within a network. The server opens a multicast group and assigns it an address. Any clients can join this multicast group by signing in with said multicast address. The network (to be more precise: The routers located between server and clients) takes care of the rest and replicates the data packets to be forwarded where necessary.
Abbreviation for network address translation.
This describes the modification of network addresses upon transition from one
network segment to another and is used particularly when accessing the Internet
from a network with private addresses. In this case the source address is
replaced with the address of the gateway that performs the NAT.
There are further fields of application that use the same mechanism, but for
other purposes. For example, requests that are meant for a particular
destination can be redirected to other targets. This is used in conjunction
with certain hot spots to redirect users to a login screen before they are
allowed to access the 'Net.
Determines how the IP addresses in data packets are to be modified. This way
private networks can be concealed from the Internet, and data packets meant for
a certain destination can be redirected to other addresses.
This table contains the chains PREROUTING,
OUTPUT, and
POSTROUTING.
This term specifies several methods of dealing with the problem of addresses
modified by NAT. This is necessary especially with client-to-client
applications (e. g. VoIP, peer-to-peer networks, etc.), thus also affecting
IPsec.
NAT has the nasty property of thwarting end-to-end connections: such
connections are only guaranteed to work between machines directly hooked up to
the 'Net (i. e. those that have been assigned public IP addresses), because no
address translation is necessary there.
Machines residing behind a NAT gateway cannot be reached the easy way; instead
some additional steps are necessary to reach this goal. These can be servers
with public IP addresses that function as a relay, either by switching the
connections or by acting as a hub for the entire communication. Another
approach instead encapsulates the data in another protocol at the transmitting
side and sends it to a receiver (usually a NAT gateway as well) that
“unpacks” the data and forwards it to the intended recipient.
Before 1993 the Internet was divided into so-called network classes, that is, address blocks of a fixed size. The class could be determined simply by looking at the four most significant bits of an IP address:

Division of the Internet into classes

| Bits 31-28 | Meaning |
|---|---|
| 0XXX | Networks of class A (2²⁴ addresses per segment) |
| 10XX | Networks of class B (2¹⁶ addresses per segment) |
| 110X | Networks of class C (2⁸ addresses per segment) |
| 1110 | Networks of class D (multicast addresses) |
| 1111 | Networks of class E (reserved) |

Because a strict partitioning into network classes proved too inflexible in the long run, it was finally abandoned, which made it possible to choose the size of the network segments behind a router oneself, and so to distribute the assigned IP addresses appropriately among multiple physical subnets. However, many operating systems still apply the old class scheme, so that a private subnet in the range 192.168.0.0/16 is automatically assumed to be a class C network, which yields e. g. 192.168.1.0/24 as a possible subnet.
This permits accessing data stored centrally without having to resort to
auxiliary means like FTP or the like. When a server exports a directory inside
a network, every box it is shared with may mount it into its directory tree as
if it were a local directory.
However, it must be kept in mind that an NFS only incorporates rudimentary
security measures. Because the data stream is neither encrypted nor secured
against modifications, an NFS is only meant to be used inside a secure
environment, and if it has to be exported across an insecure network, it should
only happen via secure connections, for example as
established by StrongSwan.
Contains the rules that are to be applied to outgoing packets.
This protocol serves to establish dial-up connections and to handle the communication of the two endpoints with each other. To this end it provides different means of negotiating the parameters of the connection and of authenticating any subscribers. The transmission of user data via this connection is handled as well.
In the end this is a modified variant of the
Point to Point Protocol, except that the
PPP packet is encapsulated in an Ethernet frame. Because of the size of the PPP
header the size of a transmission unit (MTU) is limited to 1492 bytes.
Because Ethernet has an MTU of 1500 bytes and the entire PPP packet including
its header data has to fit into the data field of the Ethernet frame, the size
of the payload is eight bytes – the size of the PPP header – less than that.
Determines the rules that are applied for reworking outbound packets (that is, those that have already passed the FORWARD or OUTPUT chain and are now awaiting transfer via the network). Here any final modifications can be applied to the data packets before they actually leave the machine, and here also is where any masquerading takes place.
Defines the rules for modifying any packets that have just arrived on any of the interfaces and now await processing (say: before they even reach the INPUT or the FORWARD chain). Here any adjustments related to masquerading are applied (e. g. returning responses to queries from an internal network, or inbound queries from the outside that are to be forwarded to the inside), but redirecting packets to another destination is also possible here.
A network card that has been switched to this mode reads the entire traffic
arriving at its port and passes the data to the operating system for further
processing.
This mode is a necessity e. g. for configuring a computer as a router,
because only this way is it able to accept traffic that is to be passed on. The
data thus received can be inspected and relayed by the operating system;
however, there is the hazard of monitoring programs recording the data traffic.
A state in which two or more processes attempt to gain access to the same
resource. Which process actually “wins the race”, that is, gains
access first, remains entirely open.
Problems occur whenever the processes involved need to access said resource in
a specific order for it to remain in a defined state, but that cannot be
guaranteed due to lacking or deficient protective measures.
A regular expression, as its name already implies,
defines the rules by which a string of characters needs to abide in order to
score a match. This expression may be as trivial as a word that you find in a
dictionary, or so complex that you are able to look for strings that
match a specific pattern, e. g. phone numbers, e-mail addresses, et al.
Once the structure of an expression is known, you are able to derive a
set of rules from it for searching for the desired expressions, up to a
full-fledged parser that takes a source text and evaluates it according to
various criteria.
Even though a regular expression appears to be completely unintelligible to
a layman, it nevertheless is a powerful tool that permits searching a huge heap
of data for the desired expressions in next to no time. This spares you a
manual search that on the one hand requires large amounts of time and also
poses a risk of missing something; on the other hand the regular expression
can also preprocess any results so that they may immediately be processed
further without having to enter them laboriously into a program.
Acronym for remote procedure call.
This permits certain services to provide function calls via a network that can
be accessed by remote processes. An example for this is the NFS that enables
mounting directories across a network on another computer so that they can be
accessed as if they were locally present.
On top of that it offers a lot more uses.
Acronym for reset.
A data packet that has this bit set will reset an existing connection, i. e.
that connection is instantly aborted. This is helpful particularly after a
system crash when the crashed system had a connection opened. Since the system
at the opposing side cannot immediately discover that something is amiss, the
local system can easily tell the opposing side in this fashion that a problem
has occurred and that the connection is no longer valid.
Spam (originally an abbreviation for spiced ham which had been the only food that hadn't been rationed during World War II and could be freely obtained everywhere) is a name for unsolicited messages that are sent in large numbers within a very short period of time and cause excessive load. These messages can be rather harmless (product advertisements) or outright dangerous (propagation of malicious code, phishing mails, etc.).
This denotes pretending something that in reality is not true. In information
technology there are a multitude of possibilities for faking something (IP
addresses, e-mail, web pages, to mention a few of them).
They all have in common that something trustworthy is pretended, although in
truth something else hides behind it that deceptively seems to be
real.
Something unfriendly is almost always concealed behind such a fake, which
normally is aimed at eliciting authentication information, planting
malicious code on someone's machine, or even initiating an attack on foreign computers.
Acronym for synchronize.
Status bit in a data packet that is sent to a server as a request to open a
connection. The response to such a packet is another data packet that has both
its SYN and ACK bits set when the server intends to accept
the connection, and when the server refuses the connection, the packet will
have its RST bit set instead.
Either of the two systems can terminate a connection by sending a packet that
has its FIN bit set.
Abbreviation for Transmission Control Protocol
Because TCP is a stateful protocol, it is possible to actually organize data
transfers. TCP thereby offers the option to explicitly establish connections
across the Internet and transmit data under supervision. TCP therefore utilizes
a so-called handshake (a "receipt" for data packets).
The four most important status bits that are defined for TCP are
ACK, FIN, RST, and
SYN, and allow for controlling the entire data traffic.
There are other status bits, but their effect normally isn't noticed that
much.
Because of these four state bits and the sequence number assigned to each
packet within a particular connection, it is guaranteed that the packets reach
their destination safely on an undisturbed connection and that the data stream
can be reassembled in the correct order at its destination. These states are
what allows for opening and closing connections and transmitting data over them
in the first place – but also for noticing whether a connection has collapsed
or been reset, and whether any data sent has actually reached its destination.
And even if data packets are lost en route, they are retransmitted within
certain parameters.
That's why TCP is considered to be very robust concerning the stability of its
connections. Potential attackers could nevertheless attempt to sabotage open
connections with properly forged packets in order to disrupt them; due to the
peculiarities of TCP, however, this cannot be done that easily.
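The flag semantics described under ACK, FIN, RST and SYN, the half-open connection entry, and the TCP summary above, as an added Python example that is not part of the original glossary: a small tracker that derives the connection state purely from the four bits, rejects segments that arrive for a connection which is not open, and counts the half-open connections per server, which is the quantity a defender watches during a SYN flood. Host names, the replayed segments and the flood threshold are constructed for the example.

```python
from collections import namedtuple

# A TCP segment reduced to the fields the flag logic needs; all sample data
# below is constructed, not captured traffic.
Segment = namedtuple("Segment", "src dst flags")

HALF_OPEN = ("SYN_SENT", "SYN_RECEIVED")   # handshake begun, final ACK still missing


class TcpTracker:
    """Follows each client/server pair through handshake, data transfer and
    teardown using only the SYN, ACK, FIN and RST bits."""

    def __init__(self):
        self.conns = {}      # (client, server) -> {"state": ..., "closer": ...}
        self.rejected = 0    # segments that arrived for a connection that is not open

    def _find(self, seg):
        for key in ((seg.src, seg.dst), (seg.dst, seg.src)):
            if key in self.conns:
                return key
        return None

    def feed(self, seg):
        f, key = seg.flags, self._find(seg)
        if "RST" in f:                       # reset: the connection is aborted at once
            self.conns.pop(key, None)
            return
        if key is None:
            if f == {"SYN"}:                 # first handshake step opens a half-open entry
                self.conns[(seg.src, seg.dst)] = {"state": "SYN_SENT", "closer": None}
            else:
                self.rejected += 1           # nothing open for this pair: reject it
            return
        c, st, from_client = self.conns[key], self.conns[key]["state"], seg.src == key[0]
        if st == "SYN_SENT" and not from_client and f == {"SYN", "ACK"}:
            c["state"] = "SYN_RECEIVED"      # server answered, still waiting for the final ACK
        elif st == "SYN_RECEIVED" and from_client and f == {"ACK"}:
            c["state"] = "ESTABLISHED"       # third step completes the handshake
        elif st == "ESTABLISHED" and "FIN" in f:
            c.update(state="FIN_WAIT", closer=seg.src)   # remember who initiated the close
        elif st == "FIN_WAIT" and seg.src != c["closer"] and f == {"FIN", "ACK"}:
            c["state"] = "LAST_ACK"
        elif st == "LAST_ACK" and seg.src == c["closer"] and f == {"ACK"}:
            del self.conns[key]              # closed for both sides
        elif st != "ESTABLISHED":
            self.rejected += 1               # data on a half-open or closing connection

    def half_open(self, server):
        return sum(1 for (_, s), c in self.conns.items()
                   if s == server and c["state"] in HALF_OPEN)

    def established(self):
        return sum(1 for c in self.conns.values() if c["state"] == "ESTABLISHED")


def demo(threshold=3):
    """Replays one normal connection and a small SYN flood; returns (half-open
    connections on the server, whether the flood threshold is exceeded, rejected segments)."""
    t, S = TcpTracker(), "server"
    normal = [Segment("client", S, {"SYN"}), Segment(S, "client", {"SYN", "ACK"}),
              Segment("client", S, {"ACK"}), Segment("client", S, {"ACK"}),     # data
              Segment("client", S, {"FIN"}), Segment(S, "client", {"FIN", "ACK"}),
              Segment("client", S, {"ACK"}), Segment(S, "client", {"ACK"})]     # last: already closed
    for seg in normal:
        t.feed(seg)
    for i in range(5):                 # the bots never send the final ACK of the handshake
        t.feed(Segment(f"bot{i}", S, {"SYN"}))
        t.feed(Segment(S, f"bot{i}", {"SYN", "ACK"}))
    t.feed(Segment("bot0", S, {"RST"}))   # one reset frees its half-open slot again
    return t.half_open(S), t.half_open(S) > threshold, t.rejected
```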
This term has been borrowed from Greek mythology and names an apparently
useful program whose purpose is to plant malicious code on an unwitting
computer user's machine.
Like the Greeks who had constructed this horse – presumably in recognition
of the Trojans' strength after ten years had passed without the
attacking Greeks being able to gain victory – in whose belly several Greek
warriors lay in hiding in order to get into the city and thus be able to
open the gates for the attackers who only pretended to have retreated, such
a program serves as camouflage for the malicious code contained therein,
which is secretly planted into the system to open backdoors so attackers
can gain unauthorized access or collect and transmit data in the background.
Abbreviation for User Datagram Protocol
This stateless protocol, often jokingly called
unreliable datagram protocol, has one major weakness
compared to TCP: It is unreliable.
Once a UDP packet has been handed to the network, the sender doesn't have
any means of checking what has happened to it. The only way to find
anything out would be the recipient sending back an acknowledgement that the
data has arrived (but because that also happens via UDP there is a danger that
that packet is lost as well in the expanse of the 'Net) or an
ICMP error message arriving. Otherwise the sender has to
wait some time, just in case it gets a (late) reaction, and after a
certain timeout consider the packet to be lost and either retransmit it or
consider the communication to have failed.
However, UDP has one significant advantage over TCP. A station is capable of
doing multicast by using UDP (i. e. data is sent only
once and then forwarded to multiple recipients by intermediate nodes when
necessary). Certain services like VoIP or internet radio rely on this feature,
and where many connections would have to be kept open when using TCP, sending a
data packet just once(!) is sufficient to reach many recipients.
When a particular physical local area network (LAN) is split into multiple logical parts, one talks about a virtual local area network (VLAN) as far as these parts are concerned. It is however necessary to use network components that are capable of virtualizing networks (chiefly switches that provide the means necessary). Its advantage is obvious: The LAN membership of any server can be changed easily, instead of plugging its cable elsewhere, simply by assigning to a network adaptor a VLAN domain to which one has access rights.
Abbreviation for Wide Area Network
The exact opposite of a LAN. Normally this refers to the 'Net, but it may also
mean any publicly available network that does not belong to the local
(non-public) network in which one currently resides.
However, in some cases there is just a fine line between a LAN and a WAN.
Different local networks that are physically separated from each other by a WAN
may be interconnected e. g. by an IPsec tunnel to form a logical network,
thereby forming a larger coherent private network, even though its physical
segments are distributed across the entire globe.