Glossary
Multi-Tech Systems, Inc. RouteFinderVPN RF760/660/600VPN User Guide (PN S000323D) 184
Server – A server is a device on the network that provides mostly standardized services (e.g., www, FTP, news, etc.). To be
able to use these services, you as a user require the comparable client requirements for the desired service.
SHA (Secure Hash Algorithm) – A United States government standard for a strong one-way, hash algorithm that produces
a 160-bit digest. See MD5. SHA-1 is defined in FIPS PUB 180-1.
SHA-1 (Secure Hash Algorithm version one) – The algorithm designed by NSA, and is part of the U.S. Digital Signature
Standard (DSS).
S-HTTP (Secure HTTP) – The IETF RFC that describes a syntax for securing messages sent using the Hypertext Transfer
Protocol (HTTP), which forms the basis for the World Wide Web.
Secure HTTP (S-HTTP) provides independently applicable security services for transaction confidentiality,
authenticity/integrity and non-repudiability of origin. The protocol emphasizes maximum flexibility in choice of key
management mechanisms, security policies, and cryptographic algorithms by supporting option negotiation between parties
for each transaction. The current IETF RFC describes S-HTTP version 1.2. Previous versions of S-HTTP numbered 1.0 and
1.1 have also been released as Internet-Drafts.
SNAT (Source NAT) – A functionality equivalent to DNAT, except that the source addresses of the IP packets are converted
instead of the target address. This can be helpful in more complex situations (e.g., for diverting reply packets of connections
to other networks or hosts). In contrast to Masquerading, SNAT is a static address conversion, and the rewritten source
address does not need to be one of the firewall’s IP addresses. To create simple connections from private networks to the
Internet, you should use the Masquerading function instead of SNAT.
The use of private IP addresses in combination with Network Address Translation (NAT) in the form of Masquerading,
Source NAT (SNAT), and Destination NAT (DNAT) allows a whole network to hide behind one or a few IP addresses
preventing the identification of your network topology from the outside. With these mechanisms, Internet connectivity
remains available, while it is no longer possible to identify individual machines from the outside. Using DNAT makes it
possible to place servers within the protected network/DMZ and still make them available for a certain service.
SOCKS – A proxy protocol that allows the user to establish a point-to-point connection between the own network and an
external computer via the Internet. Socks, also called Firewall Transversal Protocol, currently exists at version 5.
SPI (Security Parameters Index) – The SPI is an arbitrary 32-bit value that, in combination with the destination IP address
and security protocol (AH), uniquely identifies the Security Association for a datagram. SPI values from 1 through 255 are
reserved by the Internet Assigned Numbers Authority (IANA) for future use; a reserved SPI value will not normally be
assigned by IANA unless the use of the assigned SPI value is specified in an RFC. It is ordinarily selected by the destination
system upon establishment of an SA. You can define SPI (and other protocols) for the RouteFinder from VPN > IPSEC. SPI
is defined in RFC 2401.
SSH (Secure Shell) is a text-oriented interface to a firewall, suitable only for experienced administrators. The SSH is a
secure remote login program available for both Unix and Windows NT. For access via SSH you need an SSH Client,
included in most Linux distributions. The Microsoft Windows program PuTTY is recommended as an SSH client. Access via
SSH is encrypted and therefore impossible for strangers to tap into.
Stateful Inspection – A method of security that requires a firewall to control and track the flow of communication it receives
and sends, and to make TCP/IP-based services decisions (e.g., if it should accept, reject, authenticate, encrypt and/or log
communication attempts). To provide the highest security level possible, these decisions must be based on the Application
State and/or the Communication State (as opposed to making decisions based on isolated packets). With stateful
inspection, a firewall is able to obtain, store, retrieve, and manipulate information it receives from all communication layers as
well as from other applications. Stateful inspection tracks a transaction and verifies that the destination of an inbound packet
matches the source of a previous outbound request. Other firewall technologies (e.g., packet filters or application layer
gateways) alone may not provide the same level of security as with stateful inspection.
Static Route – A directive in a node that tells it to use a certain router or gateway to reach a given IP subnet. The simplest
and most common example is the default router/gateway entry entered onto any IP-connected node (i.e., a static route telling
the node to go to the Internet router for all subnets outside of the local subnet).
Subnet Mask – The subnet mask or the net mask indicates into which groups the addresses are divided. Based on this
arrangement, individual computers are assigned to a network.
S/WAN – Secure Wide Area Network is a Linux implementation of IPSEC and IKE for Linux. At the RouteFinder’s VPN >
IPSec > Add an IKE connection > RSASig > Generate function, the imported key must meet S/WAN requirements.
Syslog – A service run mostly on Unix and Linux systems (but is also available for most other OSes) to track events that
occur on the system. Other devices on the network may also be configured to use a given node's syslog server to keep a
central log of what each device is doing. Analysis can often be performed on these logs using available software to create
reports detailing various aspects of the system and/or the network.
TCP (Transmission Control Protocol) – A widely used connection-oriented, reliable (but insecure) communications
protocol; the standard transport protocol used on the Internet. TCP is defined in IETF RFC 793.
Telnet – The Internet standard protocol for remote terminal connection service. It is defined in IETF RFC 854 and extended
with options by many other RFCs.