Data Loss Causes
Humans are involved in less than 50% of your computer damage, data loss, or data security situations.
And even when humans are involved, the "problem" is most likely located inside the firewall, and even then it is usually not a malicious damage attempt.
Generally less than 5% of any data loss situation is caused by external sources. This of course can vary greatly, depending on whether you are a US Government military site, one of the "3 letter" Federal agencies or other high visibility target for attack, but generally the typical data loss is not caused by outside forces. Some of the recent email viruses may start to skew that number, but even those would not normally be stopped by a firewall.
Consider the following breakdown of data loss causes:
Leading Causes of Data Loss (from www.ontrack.com)
Hardware or System Malfunctions (44 percent of all data loss)
Examples: electrical failure; head/media crash; controller failure.
Human Error (32 percent of all data loss)
Examples: accidental deletion or drive format; trauma caused by drop or fall.
Software Corruption (14 percent of all data loss)
Examples: corruption caused by diagnostic or repair tools; failed backups; configuration complexity.
Computer Viruses (7 percent of all data loss)
Examples: boot sector viruses; file infecting viruses; polymorphic viruses.
Natural Disasters (3 percent of all data loss)
Examples: fires; floods; brownouts.
Data Recovery and Computer Forensics
What is Data Recovery?
Put simply, data recovery is the process of retrieving computer data that, for any number of reasons, has become inaccessible using normal methods.
All Is Not Lost!
Tips on recovering data lost due to a natural disaster.
Even after the damaging winds and rains of a flood, hurricane, tornado or other natural disaster are gone, these storms have the power to inflict harm on their victims that we don't even realize. Oftentimes computer tapes and hard drives in storm-damaged computers contain vital information needed to restart a business, continue corporate operations or maintain personal finances. When handled properly by a data recovery expert, this valuable data can often be recovered. Through their experience of recovering data from storm-damaged media, Ontrack Data International's engineers have assembled useful tips to help protect a user's data.
Ontrack Lab Notes
Never assume that data is unrecoverable, no matter what it has been through. Send the media to a professional data recovery facility as soon as possible.
Do not shake the media or, in the case of hard disk drives, remove the cover of the assembly.
Do not power up media that has sustained a great deal of force or media that is visibly damaged.
Do not use storage media that may have been exposed to heat, moisture or soot. The media may be irreversibly damaged if not treated and recovered in an air- and static-controlled clean room by data recovery professionals.
Do not attempt to operate media that has been exposed to water. Waiting for it to dry out and then attempting to operate it on your own is the worst thing you can do.
Do not attempt to freeze dry media.
Do not attempt to dry water-damaged media by opening it or exposing it to heat. In fact, Ontrack prefers to receive media in its clean room before it has had the chance to dry out.
Do not attempt to recover data with commonly available software utility programs.
Computer Forensics
Are you finding all the DATA you need to prove your case?
With the growth of computers for virtually all corporate communication, planning and development efforts, a new arena for case evidence has emerged.
E-mail, budgeting, P&Ls and customer service databases each provide a candid look into the dealings of the organizations that can prove critical in litigation.
Electronic discovery is not just printing out a list of computer files: as much as 30% of the data associated with the files isn't shown in the content. This includes time stamps, distribution lists, and receipt acknowledgements, which can be equally incriminating, if not more so. In fact, the computer system is often the best place to start looking for evidence. Computer records are essentially permanent, creating a uniquely long-term history of the activities surrounding an event.
And computer documents contain information not available in traditional forms of evidence, including date and time stamps, records of who sent and received a document, and copies of previous drafts or versions. According to Computerworld magazine, over 30% of all discovery requests now include computer evidence, a number that is sure to grow.
By piecing together information from different areas of the suspect's computer network, one can obtain a comprehensive and thorough account of an event. And as Bill Gates found out, these records are often irrefutable. A comprehensive discovery plan must be carefully developed to help ensure the admissibility of the evidence and avoid errors that can result in incomplete case preparation.
Approximately 65% of all e-mail messages are never printed onto paper, remaining digital.
Gathering and using electronic evidence has six main types of challenges:
The use of electronic evidence in litigation follows four main phases:
Discovery Planning
Evidence Discovery
Evidence Analysis
Evidence Reporting
You need experts in where and how electronic information is stored. They can help you determine where to look for key evidence, and provide you with the capabilities to recover and analyze it. Through experience with electronic evidence in litigation, they bridge technology and litigation, allowing you to concentrate on the evidentiary power of computer information.
ELECTRONIC EVIDENCE HOT NEW TACTIC
By Elizabeth Weise, USA TODAY
As soon as word of the deadly shootings at Columbine High School in Colorado got to Investigator Ron Horak of the Loudoun County Sheriff's office in Leesburg, Va., he knew it was going to be a bad week.
Horak's full-time job for the past year has been to serve search warrants to America Online, which is based in Loudoun County.
In the Columbine case, FBI agents went directly to the company within hours, seeking material Eric Harris was believed to have posted or stored on AOL's service about music, video games and bomb-making.
But Horak knew a deluge of legal requests was coming. He generally handles about 20 warrants a month, a number that's been steadily rising over the past few years. After the Columbine attack, things went right through the roof, and the pace continues.
"Just about every high school in the country had some form of copycat. We were getting a lot of emergency requests," he says.
Each of those requests came in the form of a search warrant, issued by a judge, that requires AOL to turn over any and all information about a user who has allegedly done something illegal, usually using AOL as a conduit to the Internet.
And it doesn't just affect AOL and its 17 million users. Internet service providers and message boards around the world are increasingly the focus of legal action.
Post something illegal, defamatory or harassing and expect a knock at the door, says Lt. Stephen Ronco of the San Jose, Calif., police high-tech crime detail.
"If they think they're hiding behind the screen and that we won't find them, they're wrong. We will," says Ronco.
Long electronic trail
Whether someone is sending child porn or posting a bad rumor or tasteless joke, the user leaves indelible electronic trails through the Net. Those trails have become prime fishing grounds for lawyers waving broad subpoenas and law enforcement officials armed with search warrants.
The number of subpoenas for e-mail and Net postings is booming, and when presented with a bona fide legal demand, most Internet services will turn a user's identity over without a peep.
AOL's terms of service state that the service will release account information and private communications "to comply with a valid legal process such as a search warrant, subpoena or court order." And Yahoo!'s posted privacy policy says the portal may disclose user information "when we believe in good faith that the law requires it."
As much as 30% of the evidence used in legal cases is now electronic, says Deborah Schepers, a lawyer with the computer evidence service division of data retrieval firm Ontrack in Minneapolis. And 70% of that is employment related -- sending out trade secrets, passing along customer lists, harassment.
Courtrooms are littered with the evidence left by those who felt their e-mail was private and their postings untraceable.
"In trial, e-mail is the gift that keeps on giving," says lawyer Michael Leventhal of Wolf, Rifkin & Shapiro in Los Angeles.
Take the arrest of David L. Smith, alleged creator of the Melissa virus. Smith was caught through information provided by AOL about the owner of a forged account and tracked through several postings to various newsgroups under false names. He's awaiting trial.
In another case, according to court records filed in the Santa Clara, Calif., County Courthouse, a director of sales at a telecommunications equipment communications company woke up one morning to find a message from someone calling him or herself "TooLoCrew" on a Yahoo! finance discussion board. It said that her boss had a fetish for Asian women and was sleeping with at least two of them -- including her.
She sued for defamation, asking $25,000 damages, saying the message "imputed to (her) a want of chastity." The suit was ultimately dropped, and her lawyers declined to comment on the outcome.
E-mail a smoking gun
People have been warned for years that nothing they post or send on the Internet is truly private. Many obviously haven't been listening. E-mail and Internet postings are "smoking gun evidence," says Washington discrimination lawyer Debra Katz, a partner with Bernabei & Katz.
She has one case pending in which a tenured professor at a Washington, D.C., university claimed he was being pushed out of his job. The case turned around when e-mail turned up in the discovery process. It read: "We'll lower his salary $20,000 a year, we'll demote him two grades and he'll have to report to you -- he'll never agree to that."
"If I'm plaintiff's counsel, one of the things I want for sure I get is the e-mail trail because that's where the slips of the tongue and the slips of the fingers happen," adds Nancy Lasater, a litigation and employment practice lawyer in Washington.
Electronic evidence generally takes two forms: e-mail or anonymous postings to Web sites.
Anonymity is an illusion, and don't imagine e-mail can't be found. "People should assume, especially in the work context, that what they write in e-mail is going to be seen," says Erwin Chemerinsky, a law professor at the University of Southern California in Los Angeles.
If the complaint is made in a civil court, a subpoena is issued; if in criminal court, a search warrant. While notice isn't given in criminal cases, most Internet services warn users when a subpoena has been served against them. AOL, for example, gives members about 14 days to fight a civil (though not a criminal) action. "We inform them that in fact we have had a request via a court order or subpoena," says AOL's Rich D'Amato. "It allows them to go back to court and quash the subpoena."
But civil libertarians say warnings from Internet services aren't consistent or mandatory, which can leave the poster with no opportunity to argue on behalf of maintaining his or her anonymity because they don't know they're being sought until it's too late.
"The first thing they know about it is they're getting a letter from a law firm or being summoned into court," says David Sobel, general counsel for the Electronic Privacy Information Center, a Washington D.C.-based public interest research center.
First Amendment fears
A case heard Friday in Loudoun County is an excellent example of this trend, says Kent Willis, director of the American Civil Liberties Union of Virginia. Allegheny County, Pa., State Superior Court Judge Joan Orie-Melvin filed a defamation lawsuit against an anonymous AOL Web site that accused her of lobbying on behalf of a lawyer seeking a judgeship.
The ACLU entered the case on the behalf of the case's "John Doe" because it believes the suit is a threat to the First Amendment and an attempt to intimidate citizens from speaking out.
"There's no expression that's more protected than a citizen using his or her right of free expression to criticize the actions of a public official. (This filing) appears to be largely a hunt for a name," says Willis.
It's impossible to gather exact figures on the number of subpoenas being served to Web sites because centralized records aren't kept. Microsoft, for example, will only say that its MSN Web site receives "a fairly high number of subpoenas" for account information.
But a visit to the Santa Clara Courthouse turned up dozens of cases in the past year in which companies had filed civil defamation and harassment cases against high-tech companies in Silicon Valley, demanding the names of anonymous posters who maligned them.
Most of the cases involve financial message boards where posters discuss, often in arch terms, publicly held companies. Despite warnings such as the one on Yahoo!, which reminds users to "never assume that you are completely anonymous and cannot be identified by your messages," sites such as Yahoo!-Finance, Silicon Investor and The Motley Fool harbor statements that might send any CEO screaming for his lawyers.
Only the worst actually make it to court. One such case occurred last June: an employee of Cisco Systems posted a confidential, internal e-mail from the company's president onto a Yahoo! board. Another was the Silicon Graphics Inc. employee who posted proprietary sales, financial and strategic planning information. In both cases, the suits were eventually dropped.
Why are most cases dismissed? Sobel says that the intention of such suits is rarely to obtain legal sanctions or monetary damages. The suits are filed specifically to obtain a subpoena and find out the identity of the poster. Once a name is obtained, the companies usually file a motion for dismissal.
The real purpose for such suits is to identify and intimidate the author so that the postings end, says Sobel. "I suspect that part of the objective here is to get the word out that we will identify you, so you better think twice before you post something you think is anonymous."
When ferreting out e-mail, the problem isn't tracking down an anonymous poster, but finding e-mail messages that may have been sent months or years earlier, long after they're gone from the sender's and the receiver's computer.
As many as 5.3 trillion e-mail messages will be sent this year, and next year the number's expected to rise to 6.8 trillion, says Kerry Stackpole, president of the Electronic Messaging Association in Arlington, Va.
While only a tiny fraction of that number will turn up in court, any of them might. And hitting the delete key doesn't make them go away. E-mail is stored on the computer on which it's composed, on the computer from which it's sent, on the computer that receives it and quite possibly on a few computers in between. AOL, for example, says that members' e-mail, once it has been read, remains on its servers for 2 to 7 days and then is gone. But copies of such mail may remain on the computers of the senders and receivers.
In addition, most large corporations keep backup tapes of their entire systems, freezing quick-fingered musings forever.
"The Microsoft trial here in Washington has proven that time and time again. (E-mail messages) really and truly don't go away anymore -- they're historical," says Stackpole.
Booming area of law
A 1997 survey by the Society for Resource Management found that 86% said their organizations use e-mail. Of those, 6% of organizations have been requested to produce e-mails involved in lawsuits and 22% have received employee complaints about inappropriate or offensive e-mails involving jokes, pictures or cartoons.
"It's a booming area of the law," says Ontrack's Schepers. "People talk too candidly in e-mail, they gossip. They think they have the right to privacy -- and they don't."
They don't is right. Internet companies aren't legally required to protect information about their users, says EPIC's Sobel. "As far as federal law is concerned, I could call an Internet service provider and say 'Who is this guy?' and they could tell me."
The only protection for users is the provider's terms of service, which almost always say that the company won't disclose a user's identity unless legally required to do so. But all that means is getting a subpoena or a search warrant.
Although a goodly number of the cases involve actual lawbreaking -- 65% of the search warrants served on America Online involve child pornography -- many others are simply impulsive ramblings the posters live to regret.
"You see a lot of things that just make you scratch your head," says San Jose's Lt. Ronco. "If you're all hot and angry and want vengeance -- stop and think. Remember, you're putting it in print."
Bibliography and References
The following information is copied with permission from the ICSA web site (http://www.icsa.net); they are a good source for firewall and security information.
"...and every prudent man will sooner trust to two securities than to one."
Earl of Chesterfield (1694-1773)
[Amor] Edward Amoroso and Ronald Sharp, Intranet and Internet Firewall Strategies, (Ziff Davis Press, 1996)
[Avol94] Frederick Avolio and Marcus Ranum. A Network Perimeter With Secure Internet Access. In Internet Society Symposium on Network and Distributed System Security, pages 109-119. Internet Society, February 2-4 1994.
[Bel89] Steven M. Bellovin. Security Problems in the TCP/IP Protocol Suite. Computer Communications Review, 9(2):32-48, April 1989.
[Cerf93] Vinton Cerf. A National Information Infrastructure. Connexions, June 1993.
[CERT94] Computer Emergency Response Team/Coordination Center. CA-94:01, Ongoing Network Monitoring Attacks. Available from FIRST.ORG, file pub/alerts/cert9401.txt, February 1994.
[Chap92] D. Brent Chapman. Network (In)Security Through IP Packet Filtering. In USENIX Security Symposium III Proceedings, pages 63-76. USENIX Association, September 14-16 1992.
[Chap95] D. Brent Chapman. Building Internet Firewalls. O'Reilly & Associates, 1995.
[Ches94] William R. Cheswick and Steven M. Bellovin. Firewalls and Internet Security. Addison-Wesley, Reading, MA, 1994.
[CIAC94a] Computer Incident Advisory Capability. Number E-07, UNIX sendmail vulnerabilities update. Available from FIRST.ORG, file pub/alerts/e-07.txt, January 1994.
[CIAC94b] Computer Incident Advisory Capability. Number E-09, network monitoring attacks. Available from FIRST.ORG, file pub/alerts/e-09.txt, February 1994.
[CIAC94c] Computer Incident Advisory Capability. Number E-14, wuarchive ftpd trojan horse. Available from FIRST.ORG, file pub/alerts/e-14.txt, February 1994.
[Cobba] Stephen Cobb. The NCSA Guide to PC & LAN Security. McGraw-Hill, 1996.
[Cobbb] Stephen Cobb. Internet Commerce White Paper. NCSA, 1996.
[Com91a] Douglas E. Comer. Internetworking with TCP/IP: Principles, Protocols, and Architecture. Prentice-Hall, Englewood Cliffs, NJ, 1991.
[Com91b] Douglas E. Comer and David L. Stevens. Internetworking with TCP/IP: Design, Implementation, and Internals. Prentice-Hall, Englewood Cliffs, NJ, 1991.
[Cur92] David Curry. UNIX System Security: A Guide for Users and System Administrators. Addison-Wesley, Reading, MA, 1992.
[Eward] Ronald S. Eward. Telespace, Telewar, and the Vulnerability of a Global Electronic Economy. Information Security Symposium. Florida Institute of Technology. March, 1996.
[FAQ96] The Internet Firewalls FAQ. Primary author, Marcus Ranum.
[Farm93] Dan Farmer and Wietse Venema. Improving the security of your site by breaking into it. Available from FTP.WIN.TUE.NL, file /pub/security/admin-guide-to-cracking.101.Z, 1993.
[Ford94] Warwick Ford. Computer Communications Security. Prentice-Hall, Englewood Cliffs, NJ, 1994.
[Garf92] Simson Garfinkel and Gene Spafford. Practical UNIX Security. O'Reilly and Associates, Inc., Sebastopol, CA, 1992.
[Haf91] Katie Hafner and John Markoff. Cyberpunk: Outlaws and Hackers on the Computer Frontier. Simon and Schuster, New York, 1991.
[Hugh] Larry J. Hughes, Jr. Actually Useful Internet Security Techniques. New Riders Publishing, 1995.
[Hunt92] Craig Hunt. TCP/IP Network Administration. O'Reilly and Associates, Inc., Sebastopol, CA, 1992.
[Murph] Eamon Murphy, Steve Hayes, Matthias Enders, TCP/IP Tutorial and Technical Overview, 5th Edition, Prentice Hall, 1995.
[Netw] Network Wizards. Internet Domain Survey, July 1995. http://www.nw.com/.
[NIST91a] NIST. Advanced Authentication Technology. CSL Bulletin, National Institute of Standards and Technology, November 1991.
[NIST91b] NIST. Establishing a Computer Security Incident Response Capability. Special Publication 800-3, National Institute of Standards and Technology, January 1991.
[NIST93] NIST. Connecting to the Internet: Security Considerations. CSL Bulletin, National Institute of Standards and Technology, July 1993.
[NIST94a] NIST. Guideline for the use of Advanced Authentication Technology Alternatives. Federal Information Processing Standard 190, National Institute of Standards and Technology, September 1994.
[NIST94b] NIST. Reducing the Risk of Internet Connection and Use. CSL Bulletin, National Institute of Standards and Technology, May 1994.
[NIST94c] NIST. Security in Open Systems. Special Publication 800-7, National Institute of Standards and Technology, September 1994.
[NRP96] Various. Internet Security: Professional Reference. New Riders, 1996.
[Ran93] Marcus Ranum. Thinking About Firewalls. In SANS-II Conference, April 1993.
[RFC1244] Paul Holbrook and Joyce Reynolds. RFC 1244: Security Policy Handbook. Prepared for the Internet Engineering Task Force, 1991.
[Stall95a] William Stallings. Internet Security Handbook. IDG Books, 1995.
[Stall95b] William Stallings, Peter Stephenson, and others. Implementing Internet Security. New Riders Publishing, 1995.
[Siya] Karanjit Siyan and Chris Hare. Internet Firewalls and Network Security. New Riders Publishing, 1995.
[Wash] Washington Technology, January 1995.
[Wack] John P. Wack and Lisa J. Carnahan, Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls, NIST Special Publication 800-10, 1995.
[Wink] Ira Winkler. Case Study: Social Engineers Wreak Havoc. NCSA White Paper, 1996 (http://www.icsa.net/library/research/00002.shtml).
Glossary
Based on the Internet Firewalls FAQ, primary author, Marcus Ranum, plus RFC791, with additions by ICSA staff.
Abuse of privilege: when a user performs an action that they should not have, according to organizational policy or law.
Access Control Lists: Rules for packet filters (typically routers) that define which packets to pass and which to block.
Access Router: A router that connects your network to the external Internet. Typically, this is your first line of defense against attackers from the outside Internet. By enabling access control lists on this router, you'll be able to provide a level of protection for all of the hosts "behind" that router, effectively making that network a DMZ instead of an unprotected external LAN.
Application-level firewall: a firewall system in which service is provided by processes that maintain complete TCP connection state and sequencing. Application level firewalls often re-address traffic so that outgoing traffic appears to have originated from the firewall, rather than the internal host.
Authentication: the process of determining the identity of a user that is attempting to access a system.
Authentication token: a portable device used for authenticating a user. Authentication tokens operate by challenge/response, time-based code sequences, or other techniques. This may include paper-based lists of one-time passwords.
Authorization: the process of determining what types of activities are permitted. Usually, authorization is in the context of authentication: once you have authenticated a user, they may be authorized different types of access or activity.
Bastion host: a system that has been hardened to resist attack, and which is installed on a network in such a way that it is expected to potentially come under attack. Bastion hosts are often components of firewalls, or may be "outside" Web servers or public access systems. Generally, a bastion host runs some form of general purpose operating system (e.g., UNIX, VMS, Windows NT, etc.) rather than a ROM-based or firmware operating system.
Challenge/response: an authentication technique whereby a server sends an unpredictable challenge to the user, who computes a response using some form of authentication token.
Chroot: a technique under UNIX whereby a process is permanently restricted to an isolated subset of the filesystem.
Cryptographic checksum: a one-way function applied to a file to produce a unique "fingerprint" of the file for later reference. Checksum systems are a primary means of detecting filesystem tampering on UNIX.
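The checksum-based tampering detection described in this entry, as an added example that is not part of the ICSA glossary: a baseline of per-file fingerprints is recorded once and later compared against the live filesystem, reporting modified, added and removed files. The in-memory "filesystem" and its contents are constructed for the demonstration, and SHA-256 stands in for whatever one-way function a real checksum tool would use.

```python
import hashlib
import json
from typing import Dict, List

# Constructed stand-in for a filesystem: path -> file contents.
# (Assumption: a real tool would walk the disk; here the "files" live in memory.)
BASELINE_FILES: Dict[str, bytes] = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/bin/login": b"\x7fELF original login binary (constructed)",
    "/etc/inetd.conf": b"ftp stream tcp nowait root /usr/sbin/in.ftpd\n",
}


def fingerprint(data: bytes) -> str:
    """One-way function over the file contents. SHA-256 is an assumption;
    the glossary entry does not name an algorithm."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record one fingerprint per path. Keep the result off-host or on
    read-only media: a baseline stored on the monitored system can be
    rewritten along with the files it is meant to protect."""
    return {path: fingerprint(data) for path, data in files.items()}


def verify(baseline: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the live filesystem against the baseline and classify every
    difference, so the operator sees new and missing files, not only
    files whose contents changed."""
    report: Dict[str, List[str]] = {"modified": [], "added": [], "removed": []}
    for path, expected in baseline.items():
        if path not in files:
            report["removed"].append(path)
        elif fingerprint(files[path]) != expected:
            report["modified"].append(path)
    for path in files:
        if path not in baseline:
            report["added"].append(path)
    for key in report:
        report[key].sort()
    return report


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FILES)
    # Simulated tampering: a replaced binary, an unexpected new file,
    # and a configuration file that has disappeared.
    live = dict(BASELINE_FILES)
    live["/bin/login"] = b"\x7fELF replaced login binary (constructed)"
    live["/tmp/.unexpected"] = b"\x7fELF unexpected new file (constructed)"
    del live["/etc/inetd.conf"]
    print(json.dumps(verify(baseline, live), indent=2))
```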
Data driven attack: a form of attack in which the attack is encoded in innocuous-seeming data which is executed by a user or other software to implement an attack. In the case of firewalls, a data driven attack is a concern since it may get through the firewall in data form and launch an attack against a system behind the firewall.
Defense in depth: the security approach whereby each system on the network is secured to the greatest possible degree. May be used in conjunction with firewalls.
DNS spoofing: assuming the DNS name of another system by either corrupting the name service cache of a victim system, or by compromising a domain name server for a valid domain.
Dual homed gateway: a system that has two or more network interfaces, each of which is connected to a different network. In firewall configurations, a dual homed gateway usually acts to block or filter some or all of the traffic trying to pass between the networks.
Encrypting router: see tunneling router and virtual private network.
Firewall: a system or combination of systems that enforces a boundary between two or more networks, controlling access from one to the other.
Gateway: a system that provides and controls access to and from a network. Also, an application-level gateway: a machine or set of machines that relays services between the internal and external networks by means of proxy applications.
GGP: Gateway to Gateway Protocol, the protocol used primarily between gateways to control routing and other gateway functions.
Header: control information at the beginning of a message, segment, datagram, packet or block of data.
Host-based security: the technique of securing an individual system from attack. Host based security is operating system and version dependent.
ICMP: Internet Control Message Protocol, implemented in the internet module; ICMP is used from gateways to hosts and between hosts to report errors and make routing suggestions.
Insider attack: an attack originating from inside a protected network.
Internet Address: a four octet (32 bit) source or destination address consisting of a Network field and a Local Address field.
Internet datagram: the unit of data exchanged between a pair of internet modules (includes the internet header).
Internet, an: two or more networks that are connected.
Internet, the: global network of computers that is the basis for universal electronic mail, the World Wide Web, and numerous forms of electronic commerce. Typically, we reserve the term Internet for the TCP/IP-based descendant of ARPAnet's marriage to CSnet in 1982, now serving tens of millions of users via hundreds of thousands of host machines.
Internet Protocol: one of two major protocols in the Internet Protocol Suite, otherwise known as TCP/IP, of which Internet Protocol is the IP. See IP.
Internet Protocol Suite: official name of TCP/IP, as used in Internet standards documents, see TCP/IP.
Internetwork: the process of connecting two networks together. The result is referred to as an internet without a capital `I.'
Intranet: a closed network of computers that uses similar technology to the Internet, such as Web servers and browsers, to make information available to a controlled group of users. An intranet may have a connection to the Internet, or it may exist on the Internet, achieving controlled access through passwords or other means.
Intrusion detection: detection of break-ins or break-in attempts either manually or via software expert systems that operate on logs or other information available on the network.
IP: Internet Protocol, provides host-to-host communication. IP is referred to as an unreliable datagram service, meaning that upper-level protocols should not depend upon IP to deliver the packet every time. IP does its best to make the delivery to the requested destination host, but if it fails for any reason, it just drops the packet [Amor].
IP spoofing: an attack whereby a system attempts to illicitly impersonate another system by using its IP network address. For example, someone might determine the IP address of a legitimate user inside the firewall, then forge packets from outside the firewall which the firewall allows to pass because they are from a legitimate user.
IP splicing/hijacking: an attack whereby an active, established session is intercepted and co-opted by the attacker. IP splicing attacks may occur after an authentication has been made, permitting the attacker to assume the role of an already authorized user. Primary protections against IP splicing rely on encryption at the session or network layer.
Least privilege: designing operational aspects of a system to operate with a minimum amount of system privilege. This reduces the authorization level at which various actions are performed and decreases the chance that a process or user with high privileges may be caused to perform unauthorized activity resulting in a security breach.
Logging: the process of storing information about events that occurred on the firewall or network.
Log retention: how long audit logs are retained and maintained.
Log processing: how audit logs are processed, searched for key events, or summarized.
Network-level firewall: a firewall in which traffic is examined at the network protocol packet level.
Perimeter-based security: the technique of securing a network by controlling access to all entry and exit points of the network.
Policy: organization-level rules governing acceptable use of computing resources, security practices, and operational procedures.
Protocol: a formal description of messages to be exchanged and rules to be followed for two or more systems to exchange information [Murph].
Proxy: a software agent that acts on behalf of a user. Typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps does additional authentication, and then completes a connection on behalf of the user to a remote destination.
Screened host: a host on a network behind a screening router. The degree to which a screened host may be accessed depends on the screening rules in the router.
Screened subnet: a subnet behind a screening router. The degree to which the subnet may be accessed depends on the screening rules in the router.
Screening router: a router configured to permit or deny traffic based on a set of permission rules installed by the administrator.
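A first-match packet filter of the kind the Access Control Lists, IP spoofing and screening router entries describe, as an added example that is not part of the ICSA glossary. It assumes a constructed topology (an internal network in the 192.0.2.0/24 documentation range behind the router's "inside" interface, a bastion host at 192.0.2.10) and shows why the anti-spoofing rule, which drops packets arriving from outside with an internal source address, must precede any rule that trusts internal addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed (constructed) topology: the screened network sits behind the
# router's "inside" interface; everything else arrives on "outside".
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")


@dataclass
class Packet:
    iface: str                  # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    iface: Optional[str] = None       # None matches any interface
    src: Optional[str] = None         # CIDR; None matches any source
    dst: Optional[str] = None         # CIDR; None matches any destination
    proto: Optional[str] = None
    dport: Optional[int] = None
    note: str = ""

    def matches(self, p: Packet) -> bool:
        """Every field that is set must match; unset fields are wildcards."""
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


# Access control list in first-match order. The anti-spoofing rules come
# first: a packet arriving from the outside Internet can never legitimately
# carry an internal (or loopback) source address, so it is dropped before
# any permit rule that trusts such addresses could apply.
ACL: List[Rule] = [
    Rule("deny", iface="outside", src=str(INTERNAL_NET),
         note="anti-spoofing: internal source address on outside interface"),
    Rule("deny", iface="outside", src="127.0.0.0/8",
         note="anti-spoofing: loopback source address on outside interface"),
    Rule("permit", iface="outside", dst="192.0.2.10/32", proto="tcp", dport=25,
         note="SMTP to bastion host"),
    Rule("permit", iface="outside", dst="192.0.2.10/32", proto="tcp", dport=80,
         note="HTTP to bastion host"),
    Rule("permit", iface="inside", src=str(INTERNAL_NET),
         note="internal hosts outbound"),
    Rule("deny", note="default deny"),
]


def screen(p: Packet, acl: List[Rule] = ACL) -> Rule:
    """Return the first rule that matches the packet. The final catch-all
    rule guarantees that something always matches."""
    for rule in acl:
        if rule.matches(p):
            return rule
    raise AssertionError("ACL must end with a catch-all rule")


if __name__ == "__main__":
    samples = [
        Packet("outside", "192.0.2.5", "192.0.2.10", "tcp", 25),     # forged internal source
        Packet("outside", "203.0.113.7", "192.0.2.10", "tcp", 25),   # legitimate mail delivery
        Packet("outside", "203.0.113.7", "192.0.2.10", "tcp", 23),   # telnet: not permitted
        Packet("inside", "192.0.2.5", "203.0.113.7", "tcp", 80),     # internal host browsing out
    ]
    for pkt in samples:
        rule = screen(pkt)
        print(f"{pkt.iface:7} {pkt.src:>12} -> {pkt.dst:<12} {pkt.proto}/{pkt.dport}: "
              f"{rule.action.upper()} ({rule.note})")
```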
Session stealing: see IP splicing.
Social engineering: an attack based on deceiving users or administrators at the target site. For example, telephoning users or operators pretending to be an authorized user, to attempt to gain illicit access to systems.
S/Key: freely available authentication system, developed at Bellcore (based on a paper by Leslie Lamport of DEC) that avoids many types of password attack [Amor].
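The Lamport hash-chain scheme behind S/Key, tying together the challenge/response and authentication token entries above, as an added example that is not the S/Key implementation itself. The client keeps a secret seed and hands the server only the top of the chain; each login the server challenges with the current sequence number and accepts the preimage of the value it stored, so a captured password cannot be replayed. SHA-256 stands in for the hash S/Key used, and the seed is a constructed sample value.

```python
import hashlib
import secrets
from typing import Tuple


def h(x: bytes) -> bytes:
    """One-way function used to build the chain. SHA-256 is an assumption
    here; the chain logic does not depend on which hash is used."""
    return hashlib.sha256(x).digest()


def iterate(x: bytes, n: int) -> bytes:
    """Apply h n times: h^n(x)."""
    for _ in range(n):
        x = h(x)
    return x


class Client:
    """Holds the secret seed and can compute the one-time password for any step."""

    def __init__(self, seed: bytes, n: int):
        self.seed = seed
        self.n = n

    def enroll(self) -> Tuple[int, bytes]:
        """Give the server the chain length n and the top value h^n(seed).
        The seed itself never leaves the client."""
        return self.n, iterate(self.seed, self.n)

    def respond(self, challenge: int) -> bytes:
        """The challenge is the current sequence number i; the response is
        h^(i-1)(seed), the preimage of the value the server already holds."""
        return iterate(self.seed, challenge - 1)


class Server:
    """Stores only the last accepted value and the sequence number, never the seed."""

    def __init__(self, counter: int, last: bytes):
        self.counter = counter
        self.last = last

    def challenge(self) -> int:
        return self.counter

    def verify(self, response: bytes) -> bool:
        if self.counter <= 0:
            # Sequence 0 (the seed itself) was the last usable password;
            # the chain is exhausted and the client must re-enrol with a new seed.
            return False
        if h(response) != self.last:
            return False
        # Accept and step down the chain. The password just used is now the
        # stored value, so presenting it again fails: its hash is not itself.
        self.last = response
        self.counter -= 1
        return True


if __name__ == "__main__":
    client = Client(secrets.token_bytes(16), n=3)
    server = Server(*client.enroll())
    for attempt in range(4):
        c = server.challenge()
        ok = server.verify(client.respond(c))
        print(f"challenge {c}: {'accepted' if ok else 'rejected (chain exhausted)'}")
```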
S/WAN: emerging standard for secure firewall-to-firewall communication.
TCP/IP: Transmission Control Protocol/Internet Protocol, otherwise known as the Internet Protocol Suite.
Transmission Control Protocol: protocol that provides reliable transmission of packets over IP [Amor].
Trojan horse: a software entity that appears to do something normal but which, in fact, contains a trapdoor or attack program.
Tunneling router: A router or system capable of routing traffic by encrypting it and encapsulating it for transmission across an untrusted network, for eventual de-encapsulation and decryption.
UDP: User Datagram Protocol, a user-level protocol for transaction oriented applications.
Virtual private network: a network that appears to be a single protected network behind firewalls, which actually encompasses encrypted virtual links over untrusted networks.
Virus: a self-replicating code segment. Viruses may or may not contain payloads, attack programs or trapdoors.
Worm: A standalone program that, when run, copies itself from one host to another, and then runs itself on each newly infected host. The widely reported "Internet Virus" of 1988 was not a virus at all, but actually a worm.