Appendix E

Glossary

 

 

ACK

An Acknowledgment packet (ACK) is a packet that is sent from the client to the server to

 

complete a TCP connection. See SYN.

DHCP

Dynamic Host Configuration Protocol (DHCP) is a protocol that automatically requests an IP

 

address, subnet mask, and default gateway for a network client.

DMA

Direct Memory Access (DMA) is a method by which devices in a hardware system can transfer

 

data without occupying the CPU. In the case of the P-Series, the network interface card can

 

transfer matched packets directly to the host memory by taking control of the PCI-X bus.

DPI

Dynamic Parallel Inspection (DPI) is an engine based on Multiple Instruction Single Data

 

(MISD) hardware architecture that can simultaneously execute thousands of security policies

 

and capture/blocking operations on the same data.

Dynamic Rules

Dynamic rules allocate generic registers inside the firmware to allow you to create and modify

 

rules at runtime without changing the firmware.

Flow

A flow is a series of packets with the same state. See State.

FPGA

Field Programmable Gate Array (FPGA) is a logic device that is re-programmable; it is a

 

counterpart to the Application-Specific Integrated Circuit (ASIC) that cannot be modified once it

 

has been programmed.

Garbage

Garbage is data that is no longer necessary; garbage collection is the process of discarding

Collection

this data to free resources. In the context of the P-Series, garbage is old state or flows.

IDS/IPS

Intrusion Detection System/Intrusion Prevention System

MISD

Multiple Instruction Single Data (MISD) is a computer architecture that executes many

 

operations simultaneously on one set of data. It is a counterpart to Single Instruction Multiple

 

Data (SIMD) and Multiple Instruction Multiple Data (MIMD) architectures.

Null Firmware

Null firmware is firmware that has no static rules. Null firmware is used to maximize the

 

dynamic rule capacity on the FPGA.

Offset

Offset is a Snort keyword that specifies a pattern-matching start location within a packet. For

 

example, an offset of 5 directs Snort inspect packets beginning after the first 5 bytes of the

 

payload. The P-Series does not support this Snort keyword. Rather, the P-Series has an offset

 

feature that enables offsets for all rules. This feature is optionally activated during the

 

PNIC-Compiler configuration phase.

meta.rules

meta.rules is a Snort rules file supplied with the P-Series appliance by Force10. The rules in

 

this file report on flow information and handle possible TCP segmentation evasion attempts.

 

They also provide compatibility with Snort, and including them allows you to run Snort on the

 

DPI interface.

SFP

Small Form-factor Pluggable (SFP) is an optical transceiver that interfaces a network device

 

and a fiber or unshielded twisted pair (UTP) network cable. SFPs support the SONET and

 

Gigabit Ethernet standards and can transmit data at a rate of 4.25 Gb/s.

P-Series Installation and Operation Guide, version 2.3.1.2

127

Page 126 Page 128
Page 127
Image 127
Force10 Networks 100-00055-01 manual Dynamic Rules, Flow, Garbage, Collection, Null Firmware, Offset, Meta.rules
Page 126 Page 128
Top Page Image Contents