Glossary
Multi-Tech Systems, Inc. RouteFinderVPN RF760/660/600VPN User Guide (PN S000323D) 178
Destination Port Number ZZZZ – All the traffic going through the firewall is part of a connection. A connection consists of
the pair of IP addresses that are talking to each other, as well as a pair of port numbers. The destination port number often
indicates the type of service being connected to. When a firewall blocks a connection, it saves the destination port number
to its log file.
Port numbers are divided into three ranges:
• The Well-Known Ports are those from 0 through 1023. These are tightly bound to services, and traffic on one of these ports usually indicates the protocol for that service. For example, port 80 virtually always indicates HTTP traffic.
• The Registered Ports are those from 1024 through 49151. These are loosely bound to services, which means that while there are numerous services "bound" to these ports, these ports are likewise used for many other purposes. For example, most systems start handing out dynamic ports starting around 1024.
• The Dynamic and/or Private Ports are those from 49152 through 65535. In theory, no service should be assigned to these ports.
DHCP (Dynamic Host Configuration Protocol) – An IETF standard for dynamically allocating and managing a pool of IP
addresses, allowing a smaller number of addresses to serve a much larger number of users.
Digital Signature – The encryption of a message digest with a private key. Digital signatures are based on public-key
cryptography, which was first introduced by Whitfield Diffie and Martin Hellman of Stanford University in 1976. Until 1976
there was only conventional cryptography, which uses the same key to both scramble (encrypt) and unscramble (decrypt)
information. Public key cryptography is based on two keys, a private key and a public key.
Where conventional cryptography is a one-key system for both locking (encrypting) and unlocking (decrypting) a message,
public key cryptography uses different keys for locking and unlocking.
In public-key systems, one key can be kept private while the other key is made public. Knowing the public key does not
reveal the private key.
DMZ (De-militarized Zone) – A special LAN on the public network side of a firewall that allows a single WAN router to support
both private (VPN) and public access to resources. Using a DMZ allows one IP address (computer) to be exposed to the Internet.
Some applications require multiple TCP/IP ports to be open; a DMZ allows just one computer to be exposed for that purpose. It is
recommended that you assign your computer a static IP address if you want to use the DMZ.
DNAT (Destination NAT) – Used to operate a private network behind a firewall and make network services that only run there
available to the Internet.
The use of private IP addresses in combination with Network Address Translation (NAT) in the form of Masquerading,
Source NAT (SNAT), and Destination NAT (DNAT) allows a whole network to hide behind one or a few IP addresses
preventing the identification of your network topology from the outside. With these mechanisms, Internet connectivity
remains available, while it is no longer possible to identify individual machines from the outside. By using Destination NAT
(DNAT), it is still possible to place servers within the protected network/DMZ and make them available for a certain service.
In DNAT, only the IP address – not the port – is translated. Typically, the number of externally visible IP addresses is less
than the number being hidden behind the NAT router.
DNS (Domain Name System) (also Domain Name Service) – Refers to the use of user-friendly names, or aliases, instead
of computer-friendly IP addresses. Name servers take care of the conversion between names and numbers. Every
institution connected to the Internet must operate at least two independent name servers that can give information about its
names and numbers. Additionally, there is a name server for every top-level domain that lists all the subordinate name
servers of that domain. Thus the Domain Name System represents a distributed hierarchical database. Normally, however,
the database is not accessed by the user directly, but by the network application he or she is presently working with.
DDoS (Distributed Denial of Service) – A nefarious extension of DoS attacks, designed as a coordinated attack from many
sources simultaneously against one or more targets. See also "DoS attacks".
DoS (Denial of Service) attacks – A major concern to the Internet community because they attempt to render target
systems inoperable and/or render target networks inaccessible. DoS attacks typically generate a large amount of traffic from
a given host or subnet, so it is possible for a site to detect such an attack in progress and defend itself. See also
"Distributed DoS attacks".
Encapsulation – The technique used by layered protocols in which a layer adds header information to the protocol data unit
(PDU) from the layer above. For example, in Internet terminology, a packet would contain a header from the physical layer,
followed by a header from the datalink layer (e.g., Ethernet), followed by a header from the network layer (IP), followed by a
header from the transport layer (e.g. TCP), followed by the application protocol data.
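The following is an added example, not part of the user guide: it builds a constructed Ethernet/IPv4/TCP frame layer by layer as the Encapsulation entry describes, then peels the headers off again to recover the destination port a firewall would log and classifies it into the three port ranges from the Destination Port Number entry. The MAC addresses, IP addresses and payload are constructed sample values, and the IP and TCP checksums are left at zero for brevity.

```python
import struct

def classify_port(port):
    """Map a TCP/UDP port to the range named in the glossary."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"

def ip_to_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))

def build_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Encapsulate: Ethernet header + IPv4 header + TCP header + application data."""
    # TCP header (20 bytes): ports, seq, ack, data offset 5 words, SYN flag, window, checksum (0, constructed), urgent ptr
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    # IPv4 header (20 bytes): version 4 / IHL 5, TOS, total length, id, flags/frag, TTL, protocol 6 = TCP, checksum (0), addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    # Ethernet header (14 bytes): constructed destination MAC, source MAC, EtherType 0x0800 = IPv4
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + b"\x08\x00"
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Strip each layer's header in turn and return the fields a firewall log would record."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]                      # data-link header removed
    ihl = (ip[0] & 0x0F) * 4             # IP header length in bytes
    proto = ip[9]
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    if proto != 6:
        raise ValueError("not a TCP segment")
    tcp = ip[ihl:]                       # network header removed
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4     # TCP header length in bytes
    payload = tcp[data_offset:]          # transport header removed
    return {"src": (src_ip, src_port), "dst": (dst_ip, dst_port),
            "dst_port_range": classify_port(dst_port), "payload": payload}

if __name__ == "__main__":
    frame = build_frame("192.168.1.10", "203.0.113.5", 51000, 80, b"GET / HTTP/1.0\r\n\r\n")
    print(parse_frame(frame))
```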
Encryption – A form of security wherein readable data is changed to a form that is unreadable to unauthorized users.
Encryption involves the conversion of data into a secret code for transmission over a public network. The original (plain) text
is converted into coded form (called cipher text) using an encryption algorithm. The cipher text is decoded (decrypted) at the
receiving end, and is converted back into plain text.