Multi-Tech Systems RF600, RF660, RF760

Glossary

Multi-Tech Systems, Inc. RouteFinderVPN RF760/660/600VPN User Guide (PN S000323D) 184

Server – A server is a device on the network that provides mostly standardized services (e.g., www, FTP, news, etc.). To be

able to use these services, you as a user require the comparable client requirements for the desired service.

SHA (Secure Hash Algorithm) – A United States government standard for a strong one-way, hash algorithm that produces

a 160-bit digest. See MD5. SHA-1 is defined in FIPS PUB 180-1.

SHA-1 (Secure Hash Algorithm version one) – The algorithm designed by NSA, and is part of the U.S. Digital Signature

Standard (DSS).

S-HTTP (Secure HTTP) – The IETF RFC that describes a syntax for securing messages sent using the Hypertext Transfer

Protocol (HTTP), which forms the basis for the World Wide Web.

Secure HTTP (S-HTTP) provides independently applicable security services for transaction confidentiality,

authenticity/integrity and non-repudiability of origin. The protocol emphasizes maximum flexibility in choice of key

management mechanisms, security policies, and cryptographic algorithms by supporting option negotiation between parties

for each transaction. The current IETF RFC describes S-HTTP version 1.2. Previous versions of S-HTTP numbered 1.0 and

1.1 have also been released as Internet-Drafts.

SNAT (Source NAT) – A functionality equivalent to DNAT, except that the source addresses of the IP packets are converted

instead of the target address. This can be helpful in more complex situations (e.g., for diverting reply packets of connections

to other networks or hosts). In contrast to Masquerading, SNAT is a static address conversion, and the rewritten source

address does not need to be one of the firewall’s IP addresses. To create simple connections from private networks to the

Internet, you should use the Masquerading function instead of SNAT.

The use of private IP addresses in combination with Network Address Translation (NAT) in the form of Masquerading,

Source NAT (SNAT), and Destination NAT (DNAT) allows a whole network to hide behind one or a few IP addresses

preventing the identification of your network topology from the outside. With these mechanisms, Internet connectivity

remains available, while it is no longer possible to identify individual machines from the outside. Using DNAT makes it

possible to place servers within the protected network/DMZ and still make them available for a certain service.

SOCKS – A proxy protocol that allows the user to establish a point-to-point connection between the own network and an

external computer via the Internet. Socks, also called Firewall Transversal Protocol, currently exists at version 5.

SPI (Security Parameters Index) – The SPI is an arbitrary 32-bit value that, in combination with the destination IP address

and security protocol (AH), uniquely identifies the Security Association for a datagram. SPI values from 1 through 255 are

reserved by the Internet Assigned Numbers Authority (IANA) for future use; a reserved SPI value will not normally be

assigned by IANA unless the use of the assigned SPI value is specified in an RFC. It is ordinarily selected by the destination

system upon establishment of an SA. You can define SPI (and other protocols) for the RouteFinder from VPN > IPSEC. SPI

is defined in RFC 2401.

SSH (Secure Shell) is a text-oriented interface to a firewall, suitable only for experienced administrators. The SSH is a

secure remote login program available for both Unix and Windows NT. For access via SSH you need an SSH Client,

included in most Linux distributions. The Microsoft Windows program PuTTY is recommended as an SSH client. Access via

SSH is encrypted and therefore impossible for strangers to tap into.

Stateful Inspection – A method of security that requires a firewall to control and track the flow of communication it receives

and sends, and to make TCP/IP-based services decisions (e.g., if it should accept, reject, authenticate, encrypt and/or log

communication attempts). To provide the highest security level possible, these decisions must be based on the Application

State and/or the Communication State (as opposed to making decisions based on isolated packets). With stateful

inspection, a firewall is able to obtain, store, retrieve, and manipulate information it receives from all communication layers as

well as from other applications. Stateful inspection tracks a transaction and verifies that the destination of an inbound packet

matches the source of a previous outbound request. Other firewall technologies (e.g., packet filters or application layer

gateways) alone may not provide the same level of security as with stateful inspection.

Static Route – A directive in a node that tells it to use a certain router or gateway to reach a given IP subnet. The simplest

and most common example is the default router/gateway entry entered onto any IP-connected node (i.e., a static route telling

the node to go to the Internet router for all subnets outside of the local subnet).

Subnet Mask – The subnet mask or the net mask indicates into which groups the addresses are divided. Based on this

arrangement, individual computers are assigned to a network.

S/WAN – Secure Wide Area Network is a Linux implementation of IPSEC and IKE for Linux. At the RouteFinder’s VPN >

IPSec > Add an IKE connection > RSASig > Generate function, the imported key must meet S/WAN requirements.

Syslog – A service run mostly on Unix and Linux systems (but is also available for most other OSes) to track events that

occur on the system. Other devices on the network may also be configured to use a given node's syslog server to keep a

central log of what each device is doing. Analysis can often be performed on these logs using available software to create

reports detailing various aspects of the system and/or the network.

TCP (Transmission Control Protocol) – A widely used connection-oriented, reliable (but insecure) communications

protocol; the standard transport protocol used on the Internet. TCP is defined in IETF RFC 793.

Telnet – The Internet standard protocol for remote terminal connection service. It is defined in IETF RFC 854 and extended

with options by many other RFCs.