Glossary

The preferred means of filtering IP packets at a system, router, gateway, or firewall on Tru64 UNIX operating systems. Access filtering is the means for implementing Ingress and Egress filtering. See also Ingress filtering and Egress filtering.

The set of systems or networks over which you have administrative control.

A freely available UNIX-based Web server. It is currently the most commonly used server on Internet connected sites. HP's implementation of the Apache Web Server is called the Secure Web Server for Tru64 UNIX.

See BIND.

See BSD.

Berkeley Internet Name Domain. An implementation of a Domain Name System (DNS) server developed and distributed for the University of California, Berkeley. Many Internet hosts run BIND.

Berkeley Software Distribution. A UNIX software release of the Computer System Research Group of the University of California at Berkeley—the basis for some features of the Tru64 UNIX operating system.

A third party organization that confirms the relationship between a party to the https transaction and that party's public key. Certification authorities may be widely known and trusted institutions for Internet-based transactions. Where https is used on a company's internal network, an internal department within the company may fulfill this role.

Common Gateway Interface. A standard for running external programs on a World Wide Web HTTP server. External programs are called gateways, because they provide an interface between an external source of information and the server.

See CGI.

See DoS.

A token which underpins the principle of trust in SSL-encrypted transactions. The information within a certificate includes the issuer (the Certificate Authority that issued the certificate), the organization that owns the certificate, the public key, the validity period (usually one year) of the certificate, and the host name that the certificate was issued in respect of. It is digitally signed by the Certificate Authority so that none of the details can be changed without invalidating the signature. See also certificate authority, digital signature.

A use of public key cryptography to authenticate a message. Digital signatures use a private key to indicate that the signature was made by the owner of that key. See also public key cryptography, private key.

Also called DN. A sequence of relative distinguished names (RDNs). See also relative distinguished name.

An attack against a system that is characterized by the distributed nature of the attack, in which false requests for service are generated from a set of DoS agents or servers installed on multiple systems and networks, all working together to saturate the service provider with requests. These attacks are much harder to stop than other DoS attacks because the source of the attack is more difficult to determine. Trinoo, Tribe Flood Network (TFN), and Stacheldraht are the most common kinds of Distributed DoS attacks. See also DoS attack.

See distinguished name.

Domain Name System. A general-purpose, distributed, replicated data query service chiefly used on the Internet to translate host names into Internet addresses. See also fully qualified domain name, BIND, MX record.

See DNS.

Denial of Service. Interruptions to internet service caused by a DoS attack.

An attack against a Web site, a network, a system, or other service provider intended to disrupt its ability to provide services to its users. Software that performs a DoS attack (DoS software ) overloads the service provider with requests for service until its capacity to respond to new service requests is exceeded. Legitimate requests for service cannot access to the service until the attack is stopped. See also Distributed DoS attack.

Denial of Service software used by attackers to control and initiate DoS attacks against other systems and networks, either within your administrative domain, outside it, or over the Internet. Also called Intrusion software.

Filtering software that prevents IP packets with randomly generated source addresses from exiting your system or network, when one of your systems has been compromised and when the system is being used to perpetrate an attack against other systems. See also Ingress filtering.

See FTP.

Hardware and software that lies between two networks, such as an internal network and an Internet service provider. The firewall protects your network by blocking unwanted users from gaining access and by disallowing messages to specific recipients outside the network.

See fully qualified domain name.

File Transfer Protocol. A client/server protocol that lets a user on one computer transfer files to and from another computer over a TCP/IP network.

The full name of a system, consisting of its local host name and its domain name. A fully qualified domain name is usually precise enough to determine an Internet address for any host on the Internet.

Hyper Text Transfer Protocol. The protocol that is used between a Web browser and a server to request a document and transfer its contents. The specification is maintained and developed by the World Wide Web Consortium. See also HTTPS

Ordinary http exchanged over a Secure Sockets Layer (SSL) encrypted session. See also SSL.

Internet Message Access Protocol. A method of accessing e-mail or bulletin board messages kept on a (possibly shared) mail server. IMAP permits an e-mail client program to access remote messages as if they were local.

Filtering software that removes IP packets with untrusted source addresses before they have a chance to enter and affect your system or network. See also Egress filtering.

See DoS software.

Lightweight Directory Access Protocol. An Internet standard protocol that runs over TCP/IP and can be used to provide a standalone directory service or to provide lightweight access to the X.500 directory.

A collection of attribute and value pairs stored on an LDAP server that describe something of interest; for example, a person, a company, or a printer. LDAP entries can be organized as a hierarchical tree of objects. The full set of attributes for an entry in the tree is defined through object-oriented inheritance of attributes from parent entries.

A World Wide Web browser developed at the University of Kansas and used on cursor-addressable, character-cell terminals or terminal emulators on UNIX or OpenVMS systems.

See MX record.

Multipurpose Internet Mail Extensions. A standard for multipart, multimedia e-mail messages and World Wide Web hypertext documents on the Internet. MIME provides the ability to transfer nontextual data such as graphics, audio, and FAX.

See MIME.

Mail Exchange Record. A Domain Name System (DNS) resource record type, indicating which host can handle electronic mail for a particular domain.

See NNTP.

A hierarchical subject category into which InterNetNews articles are organized.

Network News Transfer Protocol. A protocol for the distribution, inquiry, retrieval, and posting of Usenet news articles over the Internet. NNTP is an ASCII text protocol that lets you connect to the server using telnet if you do not have a news reader program.

Post Office Protocol. A protocol that allows single-user hosts to read electronic mail from a server.

A logical channel in a communications system.

The part of the key in a public key system that is kept secret and is used only by its owner. This is the key used for decrypting messages and for making digital signatures. Compare with public key.

The part of the key in a public key system that is distributed widely and is not kept secure. This is the key used for encryption (as opposed to decryption) or for verifying signatures. Compare with private key.

Public key cryptography uses a key for encryption and a different key for decryption. Although the keys are related, it is not possible to calculate the decryption key from only the encryption key in any reasonable amount of computation time. In most practical systems, the public key system is used for encoding a session key which is used with a symmetric system to encode the actual data. RSA is an example of a public key algorithm.

See relative distinguished name.

One or more attribute/value pairs stored on an LDAP server that uniquely identify an entry from its sibling in an object tree.

A BIND library that sends queries to one or more name servers and interprets the responses. See BIND.

Part of a symmetric cipher in which the same key is used for encryption and decryption. A secure method by which the sender and recipient can agree on the key, SSL encryption uses a secret-key nested within a public key and authenticated through certificates. Secret-key encryption provides faster access than public-key encryption alone. See also public key cryptology.

See SSL.

The BSD Mail Transport Agent supporting e-mail transport by means of TCP/IP using SMTP. See also BSD, SMTP.

A key used for one message or set of messages. In a typical system, a random session key is generated for use with a symmetric algorithm to encode the bulk of the data. Only the session key is communicated using public key encryption. See also public key cryptology.

Secure Hypertext Transfer Protocol. Provides security at the document level rather than the connection level as provided by SSL. This protocol is not widely used.

Simple Mail Transport Protocol. A protocol used to transfer electronic mail between computers, usually over the Internet. SMTP is a server-to-server protocol; other protocols are used to access messages.

Secure Socket Layer. A protocol developed by Netscape for encrypted transmission over TCP/IP networks. SSL sets up a secure end-to-end link over which HTTP or any other application protocol can operate. The most common application of SSL is HTTPS for SSL-encrypted HTTP.

Transmission Control Protocol/Internet Protocol. Ethernet protocols incorporated into 4.2 BSD UNIX. While TCP and IP specify two protocols, the combined term is used to refer to the entire Department of Defense protocol suite, including telnet and FTP. See also FTP, LDAP, TELNET protocol.

The Internet standard protocol for remote logins. UNIX BSD includes the telnet program, which uses the protocol, and acts as a terminal emulator for remote login sessions.

See TCP/IP.

UNIX-to-UNIX Copy Program. A utility and protocol that allows a UNIX machine to copy files to another UNIX machine by means of serial lines. The mapping project is an effort to provide a world-wide registry of host names. The current map is posted in the comp.mail.maps newsgroup.

A dominant certificate authority on the internet, though many of its certificates are signed as RSA Data Security. Early versions of Microsoft and Netscape browsers had RSA Data Security configured as the only trusted certificate authority. This mandated that users who want to use certificates on the Internet had to obtain them from Verisign and use server software accredited by Verisign. Current versions of the Microsoft and Netscape browsers allow users to add new certificate authorities. As older versions of the browsers are replaced, new certificate authorities (such as Thawte) have emerged.

An alias name assigned to an FTP Server.

Wide Area Information Servers. A distributed information retrieval system. WAIS offers natural language input, indexed searching, and a relevance feedback mechanism that allows current search results to influence future search results.

A server process, running at a Web site, that sends out Web pages in response to HTTP requests from remote browsers. See also Apache Web Server.