Glossary of Technical Terms


Triple data encryption standard. Using three DES encryptions on a single data block, with at least two different keys, to get higher security than is available from a single DES pass.


Access control list. An access control list is the list of permissions attached to an object: it names the subjects (users, groups, or system processes) that may access the object and the operations each of them is allowed to perform. In a typical ACL, each entry pairs one subject with its allowed operations; a subject that matches no entry is denied. ACLs can also apply to network resources such as port numbers or IP addresses.
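An added example, not code from the glossary's source product, showing how an ACL of subject/operation entries is evaluated. The subject names, group table, and object are constructed for illustration; the point is that access is granted only by an explicit matching entry, so both unknown subjects and unlisted operations are refused.

```python
"""Added example: evaluating an access control list (constructed data, not from the page)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    """One ACL entry: a subject and the operations it may perform on the object."""
    subject: str            # user, group, or process name (hypothetical names below)
    operations: frozenset   # allowed operations, e.g. {"read", "write"}


# Constructed sample ACL for a single object.
ACL = [
    AclEntry("alice", frozenset({"read", "write", "delete"})),
    AclEntry("group:auditors", frozenset({"read"})),
    AclEntry("svc:backup", frozenset({"read"})),
]

# Constructed group membership table (assumption: group resolution happens here).
GROUPS = {"group:auditors": {"bob", "carol"}}


def subjects_for(principal: str) -> set:
    """Expand a principal into itself plus every group it belongs to."""
    return {principal} | {g for g, members in GROUPS.items() if principal in members}


def is_allowed(acl, principal: str, operation: str) -> bool:
    """Return True only if some ACL entry explicitly grants the operation.

    Deny by default: a subject with no matching entry gets nothing, and an
    operation missing from a matching entry is refused even though the
    subject appears in the ACL for other operations.
    """
    subjects = subjects_for(principal)
    return any(entry.subject in subjects and operation in entry.operations
               for entry in acl)


if __name__ == "__main__":
    for who, op in [("alice", "delete"), ("bob", "read"), ("bob", "write"), ("mallory", "read")]:
        verdict = "allow" if is_allowed(ACL, who, op) else "deny"
        print(f"{who:8} {op:6} -> {verdict}")
```

Group expansion is done before matching, so "bob" reads through the auditors entry but cannot write, and "mallory", who appears nowhere, is denied everything.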

The process by which a customer's licensed software becomes active.

activation key
A string of numbers and characters that allows the software to operate.

Microsoft's name for certain object-oriented programming technologies and tools. ActiveX is often downloaded and executed on a local system when browsing the Internet, and may require specific port restrictions.

admin console
A graphical user interface (GUI) used to configure and manage software.

Asymmetrical digital subscriber line. A technology allowing high-speed data transfer over existing telephone lines. Supports data rates between 1.5 and 9 Mbits/s when receiving data and between 16 and 640 Kbit/s when sending data.

Advanced encryption standard. A block cipher standard developed by NIST (the US National Institute of Standards and Technology) that replaces Data Encryption Standard (DES). AES ciphers use a 128-bit block and 128, 192, or 256-bit keys. The larger block size helps resist birthday attacks while the large key size prevents brute force attacks. 

The process responsible for managing a service's traffic. The transport layer information includes elements such as the protocol, ports, and connection or session timeouts. Agent types can be proxy, filter, or server. Each type consists of several different agents, such as the Generic Proxy, TCP/UDP Packet Filter Agent, and SNMP Agent.

Authentication header. An IPsec header placed between the IP header and the payload of an IP packet. It carries an integrity check value computed over the payload and over the fields of the IP header that do not change in transit (mutable fields such as the TTL are excluded), so it protects the integrity and origin of both the payload and the IP header. It does not provide data confidentiality. The AH transformation is defined in RFC 2402 (since revised by RFC 4302).

An automatic system reaction that reports a suspicious event.

An arbitrary name that a system administrator can assign to a network element.

Enables you to configure in-depth malware detection and blocking at the corporate gateway, protecting your network against attacks coming in through Web and email traffic.

Spam protection that helps keep you and your family or business safe from spoofed websites that can compromise your PC and your identity, and threaten the security of what you value.

Software that attempts to identify, thwart, and eliminate computer viruses and other malicious software.

Application program interface. A stable, published software interface to an operating system or specific software program by which a programmer writing a custom application can make requests of the operating system or specific software program. An API provides an easy and standardized connection to a particular software component.

A device that performs a well-defined function, and is simple to install and operate.

Address resolution protocol. A protocol used to map an IP address to a MAC address. A gratuitous ARP is a system broadcasting its own information, often after an address change, so other devices can update their ARP caches.

A relationship between two hosts or host-port pairs involved in a protocol exchange. An association is used in place of a connection for connectionless protocols such as IP, ICMP, and UDP.

A method of collecting and storing information that can be used to track system activity, such as authentication attempts, configuration modifications, and stopping and starting of services.

A process that verifies the authenticity of a person or system before allowing access to a network system or service. Authentication confirms that data is sent to the intended recipient and assures the recipient that the data originated from the expected sender and has not been altered en route.

A device or mechanism used to verify the identity of an individual logging onto a network, application, or computer.

A name server that holds the definitive records for a domain (zone), as opposed to a caching server that merely stores answers it has obtained from others. Data returned directly by such a server is an authoritative answer.

A dump of the active stack frames left in memory by the execution of a program.

The capacity of a communications link, usually expressed in terms of how much data can pass through the link in a given amount of time, for example: 100 Mbps (megabits per second).

Bounce address tag validation. A draft Internet standard that attempts to solve the issue of bouncing spoofed mail. For the latest BATV draft, visit http://mipassoc.org/batv/index.html.

Berkeley Internet Name Domain. A standard program that implements the domain name service (DNS).

Regarding spam, blacklists are lists of known spammers, their IP addresses, and/or their ISP (Internet Service Provider). Using this information, spam filters can block all messages coming from known spammers and/or their ISPs. ISPs that fail to discipline spammers may find all email from their legitimate customers blocked by large numbers of recipients. This tactic forces the ISP to take action against spammers using their systems because legitimate users do not want to be inconvenienced by having their email blocked. The opposite of a whitelist.

Bootstrap protocol. A protocol that allows a network user to automatically receive an IP address and have an operating system boot without user interaction. BOOTP is the basis for the more advanced DHCP.

A network of remotely controlled systems used to coordinate attacks and distribute malware, spam, and phishing scams. Bots (short for robots) are programs that are covertly installed on a targeted system allowing an unauthorized user to remotely control the compromised computer for a variety of malicious purposes.

A device with two interfaces connecting two networks that replicates packets appearing on one interface and transmits them on the other interface.

CA certificate
A certificate that identifies a certification authority (CA) and carries the public key used to verify certificates the CA has issued. A root CA's certificate is self-signed; an intermediate CA's certificate is issued by a CA above it in the chain.

A temporary or permanent staging area in the memory or disk storage of a computer that contains the most recently or most frequently accessed data. A cache is used to speed up data transfer, instruction execution, and data retrieval and updating.

A security feature that works in the following way: a user dials into a communications server and enters a user name and password; the communications server then hangs up the modem connection, searches its database to authenticate the user, and calls the user back at a predefined number.

Callback provides good security and is cost-effective for users who remotely access networks from the same location each time, but not for users who use different locations each time.

URLs that are grouped together based on the website type that the Internet database identifies.

Also referred to as a digital certificate. A digitally signed statement that contains information about an entity and the entity's public key, and binds these two pieces of information together. Under the X.509 standard (the ITU-T/ISO authentication framework), a certificate is issued by a certification authority (CA) after the CA has verified that the entity is who it says it is.

certificate chain
An ordered list of certificates in which the first certificate is self-signed, and the succeeding certificates were issued by their predecessors.

certification authority
A highly trusted entity that issues and revokes certificates for a set of subjects, and is ultimately responsible for their authenticity.

Common gateway interface. Any server-side code that accepts data from forms via HTTP. The forms are generally on web pages and submitted by end users.

command line interface
Provides access to an appliance using a Secure Shell (SSH) client.

configuration backup
A process that saves policy information, user account information, and home directory contents to a single backup file. You can use a configuration backup file to quickly restore a system to a previous operational state.

configuration file
A file containing data required for the setup of a computer system.

configuration wizard
A Windows-based program that allows you to create an initial configuration for your product.

A physical or virtual terminal attached to an appliance that is used to monitor and control an appliance.

control list
(1) The list of millions of Internet sites placed into categories.

(2) URLs that are grouped together based on website content.

Also referred to as the Trusted Source Web Database.

Certificate revocation list. A time-stamped list, signed by a certification authority, that identifies revoked certificates and is freely available in a public repository.

Certificate signing request. A PKCS #10 message containing a subject's name and public key, signed with the corresponding private key and submitted to a certification authority (CA) for signing. Also called a certificate request.

A software routine within UNIX that runs in the background, performing system-wide functions.

A feature in SmartFilter that configures the system to slow down access to a site instead of blocking it. This feature can also slow down access to specified file types.

To instruct the administration server to install the latest configuration to the plug-in or authentication server.

Dynamic host configuration protocol. A communication protocol that simplifies distributing IP addresses within a network. The dynamic protocol allows administrators to centrally assign and manage IP addresses instead of having to do those tasks locally.

digital signature
Utilizes public key cryptography and one-way hash functions to produce a signature of the data that can be authenticated. The signature is difficult to forge or repudiate.

DomainKeys Identified Mail. A method that lets a sending domain add a digital signature to outgoing messages. The receiver retrieves the domain's public key from DNS and uses it to verify that the signed headers and body were not altered in transit and that the message was authorized by that domain.

Distinguished name. A list of attributes that identifies the subject or issuer of a certificate. These attributes include country, state, locality, organization, organizational unit, and common name.

Domain name system. A TCP/IP service that maps domain and host names to IP addresses, IP addresses to domain and host names, and provides information about services and points of contact in a network or the Internet. A set of connected name servers and resolvers allows users to use a host name rather than a 32-bit Internet address.

(1) Relative to networking, the portion of an Internet address that denotes the name of a computer network. For instance, in the email address jones@bizco.sales.com, the domain is bizco.sales.com.

(2) Relative to Type Enforcement, an attribute applied to a process running on SecureOS that determines which system operation the process may perform.

Denial of service. An event in which a network experiences a loss of a service, such as email or a web server, that is expected to be available. This event is generally caused by a malicious attack, but may also happen accidentally.

Keeps your network interface fixed at 100BASE-TX full duplex instead of auto-negotiating, even if you use Cisco switches and need to reboot your Windows servers often.

The Enhanced SMTP (ESMTP) version of HELO. ESMTP adds a number of essential additions to the SMTP protocol.

A regional designation used for business purposes that includes Europe, the Middle East, and Africa.

The process of converting non-text data into ASCII form so that it can be sent as an attachment with an email. Classic email transport handles only 7-bit ASCII text; however, many types of files, such as images, are binary rather than text. To send binary information, the data must first be encoded into ASCII on the sender's side and decoded with the matching procedure on the receiver's side. Common encoding methods include Base64 and quoted-printable (both used within MIME), BinHex, and uuencode.
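An added example (not from the page) using Python's standard email library to show the encoding step in practice: a constructed binary blob containing bytes above 0x7F is attached to a message, the library chooses Base64 as the Content-Transfer-Encoding, the serialized message is pure 7-bit, and the receiver decodes the attachment back to the original bytes. Addresses and file name are made up.

```python
"""Added example: encoding a binary attachment for 7-bit mail transport."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed binary payload: 8 bytes that include non-ASCII values
# (0x89, 0xFF) and a NUL, none of which can travel as 7-bit text.
BINARY_BLOB = bytes([0x89, 0x50, 0x4E, 0x47, 0x00, 0xFF, 0x0D, 0x0A])


def build_message(blob: bytes) -> bytes:
    """Sender side: attach the blob. Because the content is not text, the
    library encodes it with Base64 and records that in the part's headers."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"        # constructed addresses
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "binary attachment"
    msg.set_content("See attached file.")
    msg.add_attachment(blob, maintype="application", subtype="octet-stream",
                       filename="blob.bin")
    return msg.as_bytes()


def transfer_encoding(raw: bytes) -> str:
    """Parse the wire form and report how the attachment was encoded."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    part = next(msg.iter_attachments())
    return str(part["Content-Transfer-Encoding"])


def decode_attachment(raw: bytes) -> bytes:
    """Receiver side: undo the transfer encoding to recover the original bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    part = next(msg.iter_attachments())
    return part.get_payload(decode=True)


def is_seven_bit(raw: bytes) -> bool:
    """True if every byte of the serialized message fits in 7 bits."""
    return all(b < 0x80 for b in raw)


if __name__ == "__main__":
    wire = build_message(BINARY_BLOB)
    print(wire.decode("ascii"))
    print("encoding:", transfer_encoding(wire))
    print("7-bit clean:", is_seven_bit(wire))
    print("round trip ok:", decode_attachment(wire) == BINARY_BLOB)
```

The same mechanism is what lets a mail gateway inspect attachments: it must decode the transfer encoding before any malware or content check sees the real bytes.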

The technique for converting a readable message (plain text) into apparently random material (cipher text) so that it can be read only by parties that hold the corresponding key for the encryption algorithm in use. Encryption reduces the risk of unauthorized access, but does not create a totally safe networking environment on its own.

encryption algorithm
An algorithm for encrypting and decrypting data.

Extended Simple Mail Transfer Protocol. A definition of protocol extensions to the SMTP standard. The extension format was defined in RFC 1869 in 1995.

A local area network technology, standardized as IEEE 802.3, that defines the physical layer and the media access control part of the data link layer.

A piece of software, chunk of data, or sequence of commands that takes advantage of a bug, glitch, or vulnerability to cause unintended or unanticipated behavior. Exploits are commonly identified through signature-based matching, which is computationally expensive to perform at network speed and recognizes only exploits for which a signature already exists.

external DNS
Provides a limited external view of the organizational domain. No internal information is available to the external DNS and only the external DNS can communicate with the outside. Therefore, no internal naming information can be obtained by anyone on the outside. The external DNS cannot query the internal DNS or any other DNS server inside the firewall.

external interface
The name of the external network interface port and its attributes: an external IP address, sub-network mask, and host name.

A configuration that allows an active system to switch to a redundant, or standby, system if the active system experiences failure or abnormal termination.

false negative
An email that is marked as legitimate, even though it is spam.

false positive
An email that is marked as spam, even though it is legitimate.

Fully qualified domain name. The complete name of a specific computer on the Internet, an intranet, or a network. The FQDN consists of the computer's host name and domain name.

File transfer protocol. A protocol used on the Internet for transferring files.

FTP site
An Internet site that hosts directories and files that you can browse and copy to your system using the file transfer protocol (FTP).

Graphical identification and authentication. A Windows component that controls the CTRL+ALT+DELETE dialog box.


High availability. This is a configuration that aims to reduce or eliminate the potential downtime and improve the fault tolerance of a resource by introducing a level of redundancy. A high availability implementation can refer to a load sharing, clustering, hot backup, or failover configuration.

An initial negotiation between client and server that establishes the parameters of their transactions.

A fixed-size cryptographic string computed from the contents of a message. The algorithm used to create the hash should make it infeasible to construct a message whose hash comes to a chosen value, or to find two messages with the same hash. Hashes can be attached to a message to demonstrate that it has not been modified: if the message is modified, its new hash will no longer match the original hash value. This only holds if the hash value itself is protected from substitution, for example by being signed or computed with a secret key (an HMAC); an attacker who can rewrite both the message and an unkeyed hash goes undetected.
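An added example, not from the page, illustrating both halves of the entry above: a SHA-256 hash detects a changed message, but an attacker who can replace the hash along with the message defeats it, whereas an HMAC bound to a secret key cannot be recomputed without that key. The message text and key are constructed for the demonstration.

```python
"""Added example: hash for integrity, and why an unkeyed hash alone is not enough."""
import hashlib
import hmac


def digest(message: bytes) -> str:
    """SHA-256 hex digest of the message."""
    return hashlib.sha256(message).hexdigest()


def hash_matches(message: bytes, expected_hex: str) -> bool:
    """Detects modification only if expected_hex itself arrived intact
    (e.g. delivered out of band or covered by a signature)."""
    return hmac.compare_digest(digest(message), expected_hex)


def tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: a hash bound to a secret key, so whoever rewrites the
    message cannot produce a matching tag without the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def tag_matches(key: bytes, message: bytes, expected_hex: str) -> bool:
    # compare_digest avoids leaking the position of the first mismatch via timing.
    return hmac.compare_digest(tag(key, message), expected_hex)


# Constructed sample message and key (not from the page).
ORIGINAL = b"transfer 100 to account 42"
TAMPERED = b"transfer 100 to account 66"
KEY = b"shared-secret-key"


def demo() -> dict:
    """Run the four checks and return which properties held."""
    h = digest(ORIGINAL)
    return {
        # A modified message no longer matches the stored hash.
        "hash_detects_change": not hash_matches(TAMPERED, h),
        # An attacker in the path replaces message AND hash: bare hash accepts it.
        "hash_fooled_by_rewrite": hash_matches(TAMPERED, digest(TAMPERED)),
        # With HMAC the attacker cannot forge a tag for the tampered message.
        "hmac_rejects_tampering": not tag_matches(KEY, TAMPERED, tag(KEY, ORIGINAL)),
        # Nor can a tag made under a guessed key verify under the real one.
        "hmac_rejects_wrong_key": not tag_matches(KEY, ORIGINAL, tag(b"guess", ORIGINAL)),
    }


if __name__ == "__main__":
    for name, held in demo().items():
        print(f"{name:24} {held}")
```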

The part of an email message that is usually not displayed in the email client. The email header contains meta-data and routing information such as the identity and IP addresses of the sender and recipient, all email gateways between the sender and the recipient, and the email's priority and subject line. Some spammers deliberately manipulate the header information in an attempt to fool (or spoof) spam filters as to the actual source of the email message.
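An added example, not from the page, of reading the routing information described above. It parses a constructed message whose Received headers include a line the sender forged; it lists the hops in travel order and then walks back from the organization's own gateways to find the last source IP that can be trusted. All hosts and addresses are invented, and the set of trusted relay names is an assumption supplied by the caller.

```python
"""Added example: extracting and trusting Received-header hops (constructed message)."""
import re
from email import policy
from email.parser import BytesParser

# Constructed message: the top two Received lines were written by relays we run;
# the bottom one was supplied by the sender and names a bank that never sent it.
RAW_MESSAGE = b"""\
Received: from mx-in.example.net (mx-in.example.net [203.0.113.10])
\tby mail.example.com with ESMTP id abc123; Mon, 1 Jan 2024 10:00:02 +0000
Received: from relay.example.org (unknown [198.51.100.7])
\tby mx-in.example.net with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
Received: from trusted-bank.example (trusted-bank.example [192.0.2.1])
\tby relay.example.org with SMTP; Mon, 1 Jan 2024 09:59:00 +0000
From: "Support" <support@trusted-bank.example>
To: victim@example.com
Subject: Verify your account
X-Priority: 1

Click here to confirm your password.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw: bytes) -> list:
    """Return (from_host, from_ip, by_host) per Received header in travel
    order. Each relay prepends its header, so the LAST one was added first."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())          # unfold continuation lines
        m = re.search(r"from (\S+).*?by (\S+)", text)
        ip = IP_RE.search(text)
        hops.append((m.group(1) if m else None,
                     ip.group(1) if ip else None,
                     m.group(2) if m else None))
    return hops


def trustworthy_origin(raw: bytes, my_relays: set) -> str:
    """Walk backwards from our own gateway. Each header written by a relay we
    control is trustworthy; the first header written by anyone else marks the
    boundary, and the 'from' IP recorded just above it is the last one we can
    believe. Everything earlier may have been forged by the sender."""
    origin = None
    for _from_host, ip, by_host in reversed(received_hops(raw)):
        if by_host not in my_relays:
            break
        origin = ip
    return origin


if __name__ == "__main__":
    for hop in received_hops(RAW_MESSAGE):
        print("from %s [%s] by %s" % hop)
    print("trusted origin:", trustworthy_origin(RAW_MESSAGE, {"mail.example.com", "mx-in.example.net"}))
```

In the sample the claimed bank address 192.0.2.1 sits below the trust boundary, so a spam filter that believed it would be spoofed; the real handoff to the organization came from 198.51.100.7.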

A message and acknowledgement between high availability (HA) cluster members to confirm that they are operational.

home directory
The directory where the user is positioned immediately after logging in.

hop count
The number of nodes a packet must pass through to reach a destination host or network. The system uses this value to choose the most efficient route. This is also known as the path length. Values range from a direct link up to n hops:

--Direct communications link, or both source and destination have connections on the same local area network.
--Packets routed through one intermediary host before reaching the destination.
--Packets routed through n-1 intermediary hosts before reaching the destination (n hops).

host address
The right-most octet(s) of a dotted-quad address, that is, the bits not covered by the netmask.

NOTE: Class D and Class E addresses, where the first octet is between 224 and 255 (inclusive), cannot be used for host addresses. The classful octet boundaries are historical; with CIDR, the network/host split is given by the netmask or prefix length.

host name
The name or alias assigned to a system.

HyperText Markup Language. A simple markup language used to create web documents. HyperText uses special links that you can click to jump from one related topic to another.

HyperText Transfer Protocol. An agreed-upon format (protocol) that requests and transfers HTML documents on the World Wide Web.

HyperText Transfer Protocol Daemon. A web server capable of sending hypertext documents.

HyperText Transfer Protocol Secure. HTTP carried over an SSL/TLS connection, so that requests and transferred documents are encrypted and the server is authenticated by its certificate.

A network device that allows more than one computer to be connected as a local area network (LAN), usually using unshielded twisted pair (UTP) cabling.

Internet Content Adaptation Protocol. A lightweight HTTP-based protocol (RFC 3507) that lets a proxy offload content inspection or modification, such as virus scanning or URL filtering, to dedicated servers.

identity theft
The act of stealing a victim's personal information. Often, identity thieves will open credit accounts in the victim's name. Identity theft is a danger of falling victim to a phishing attempt.

Internet Engineering Task Force. The standards body that develops and publishes Internet protocol standards as RFCs, including the IPsec standards that protect data on unprotected (or untrusted) networks such as the Internet.

Internet Information Services. An Internet file and application server that is included with most Microsoft Windows operating systems.

Internet key exchange. A key management protocol standard, built on ISAKMP and the Oakley key exchange, that automates the negotiation of security associations and keys for a VPN connection.

A profile of ISAKMP that is for use by IPsec. IKE creates a private, authenticated key management channel. Using that channel, two peers can communicate, arranging for session keys to be generated for AH, ESP, or IPComp. The channel is used for the peers to agree on the encryption, authentication, and compression algorithms to be used. The traffic to which the policies are applied is also agreed upon.

Internet message access protocol. A protocol for accessing email that remains stored on the server, so it can be read from several clients (including webmail) without being downloaded to one of them. It allows messages to be kept in multiple folders, supports folder sharing, and allows online mail handling. IMAP is a more advanced method of storing mail than POP, which relies on downloading messages to a user's local drive.

A shared boundary through which information can be exchanged. An interface may be a shared portion of computer software accessed by two or more programs, a hardware component linking two devices, or a device or program allowing a user to communicate and use the computer or program.

internal DNS

Manages DNS information available only to internal systems. The internal name server cannot receive queries from external hosts because it cannot communicate directly with external networks. Resolution of queries for external information are handled by the internal name server; although it is unable to communicate directly with external hosts, it is able to send queries and receive the responses via the external DNS.

Internet Protocol
Also known as IP. The network layer for the TCP/IP protocol suite. IP is a connectionless, best-effort packet switching protocol designed to provide the most efficient delivery of packets across the Internet. IP serves as a base for a number of different protocols, defines the basic unit of transmission across the Internet, defines the Internet addressing scheme, and much more.

IP address
A 32-bit IPv4 address, written in standard dotted-quad notation, assigned to a TCP/IP network device. An IP address is unique to each machine on the Internet, and contains a network and host field.

IP filter

IP filtering is a network layer mechanism that determines which types of traffic are allowed and which are discarded. An individual IP filter is a rule that specifies the specific type of traffic that is allowed or denied. IP filters can include many combinations of various criteria including (but not limited to):

IP spoofing
A technique where an intruder attempts to gain access by altering a packet's IP address to make it appear as though the packet originated in a part of the network with higher access privileges.

Internet Protocol Security. A set of standards created to provide interoperable, high quality, cryptographically-based security for network communications at the IP layer of the network stack.

IPv6 (Internet Protocol version 6) is a replacement for the aging IPv4, which was released in the early 1980s. IPv6 lengthens addresses from 32 bits to 128 bits, vastly increasing the number of available Internet addresses and resolving a problem associated with the growth of the number of computers attached to the Internet.

Industry standard architecture. An older technology for connecting computer peripherals.

Internet Security Association and Key Management Protocol. A protocol framework that sets the parameters for a VPN connection by defining the payload format, how the key exchange protocol will be implemented, and how the security association will be negotiated.


(1) Information used to encrypt and decrypt data.

(2) The Windows Registry uses keys to store computer configuration settings. When a user installs a new program or the configuration settings are otherwise altered, the values of these keys change.

key pair
The reference to a private key and a mathematically-related public key. The private key is safeguarded and known only by the owner. The public key can be distributed to anyone. This allows one key to be used for encryption, and the other key to be used for decryption.

Local area network. A computer network covering a small geographic area, such as a home, office, or group of buildings.

Lightweight Directory Access Protocol. An Internet standard for directory services that run over TCP/IP. LDAP is a protocol for accessing on-line directory services. The directory entry is a collection of attributes with a name, a type, and one or more values.

load balancing
The ability to distribute processing loads among multiple servers to improve performance and reduce access times.

log file
A file that contains data collected by a log source.

MAC address
Media access control address. A unique address assigned to network interface card hardware as a means of identification. It is a 48-bit number usually written as a series of six hexadecimal octets. For example: 00:d0:cf:00:5b:da.

mail server
A network computer that serves as an intermediate station for electronic mail transfers.

Malicious software designed to carry out annoying or harmful actions. Malware often masquerades as useful programs or is embedded into useful programs so that users are induced into activating them. Malware can include viruses, worms, and spyware.

Message digest algorithm 5. A hashing function (128-bit hash) that converts an arbitrarily long data stream into a digest of fixed size (16 bytes). It is one of two message digest algorithms available in IPsec, where it is used as HMAC-MD5. MD5 is no longer collision-resistant and should not be relied on for new designs; SHA-2 is preferred.

Manager Disaster Recovery. A configuration involving two Network Security Managers. If one Manager fails, the other Manager takes over. The Network Security Sensors send alerts to both Managers, and the Managers synchronize their databases to fill in any gaps.

Management information base. Within SNMP architecture, a database that stores information about managed objects. These objects are used in the management of networks.

Multipurpose Internet Mail Extensions. The standard that allows Internet users to exchange emails with graphics, videos, and voice.

MX record
Mail exchanger (MX) records are entries in DNS that define where email addresses within domain names get delivered.

name resolution
The process in which name servers supply address and hostname information to hosts.

name server
A network computer that maintains a relationship between IP addresses and corresponding domain names.

Network access server. A computer that is specially made to receive communications from outside an organization and distribute them within the organization on its network. It uses TACACS+, RADIUS, or other protocols for authorization and sometimes for accounting.

Network address translation. A technique in which a router or firewall rewrites the source and/or destination address (and often the port) of a packet to a new IP address specified by an administrator. Masquerading, where many internal hosts share one external address, is one form of NAT.

NDR spam
Non-delivery report spam. Forged non-delivery reports that attempt to trick the victim into opening an attachment, taking advantage of the fact that Microsoft Exchange servers return undeliverable emails as attachments.

The way that computers differentiate which part of a TCP/IP address refers to the network, and which part refers to the host range.

network address
The left-most octet(s) of a dotted-quad address. Class A network addresses consist of one octet, Class B network addresses consist of two octets, and Class C network addresses consist of three octets. Normally in decimal format, each octet can be in hexadecimal or octal format. Omitted octets are interpreted as 0s.
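An added example (not from the page) that makes the netmask, network address, and host address entries concrete with Python's ipaddress module: it splits an IPv4 address at the mask boundary and, for comparison, applies the legacy classful rule, including the Class D/E range that cannot number hosts. The sample addresses are constructed.

```python
"""Added example: splitting an IPv4 address into network and host parts."""
import ipaddress


def split_address(addr: str, mask: str) -> dict:
    """Apply a netmask: bits where the mask is 1 form the network address,
    the remaining bits form the host address."""
    ip = ipaddress.IPv4Address(addr)
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    host_bits = int(ip) & ~int(net.netmask) & 0xFFFFFFFF
    return {
        "network": str(net.network_address),
        "host": str(ipaddress.IPv4Address(host_bits)),
        "prefixlen": net.prefixlen,                 # CIDR form of the mask
        "broadcast": str(net.broadcast_address),
    }


def classful_network_octets(addr: str) -> int:
    """Legacy classful rule: how many leading octets make up the network
    address (A=1, B=2, C=3). Returns 0 for class D/E, which have no host part."""
    first = int(addr.split(".")[0])
    if first < 128:
        return 1
    if first < 192:
        return 2
    if first < 224:
        return 3
    return 0          # 224-255: multicast (class D) and reserved (class E)


def usable_for_host(addr: str) -> bool:
    """Class D and E addresses (first octet 224-255) are not host addresses."""
    return classful_network_octets(addr) != 0


if __name__ == "__main__":
    for a, m in [("192.168.10.77", "255.255.255.0"), ("172.16.5.130", "255.255.255.192")]:
        print(a, m, split_address(a, m), "classful octets:", classful_network_octets(a))
    print("224.0.0.1 usable as host:", usable_for_host("224.0.0.1"))
```

With CIDR the mask, not the first octet, decides the split: 172.16.5.130/26 has a three-and-a-half-octet network part even though the classful rule would call it Class B.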

Network interface card. Hardware, like a computer circuit board, that contains a port or a jack that enables a computer to connect to network wiring (Ethernet cable, phone line, and so on).

Network news transfer protocol. The protocol by which network news articles are transferred or read across the Internet.

(1) Any network device, such as a workstation or server.

(2) The connection point for devices in a network.

The name server lookup command. Allows you to interactively query a DNS server and ensure the name server is properly resolving host names and IP addresses.


Network Security Services. NSS is a set of libraries, APIs, utilities, and documentation designed to support cross-platform development of security-enabled client and server applications. NSS supports multiple security standards including Transport Layer Security (TLS), Secure Sockets Layer (SSL), and S/MIME.

NT LAN manager. An authentication protocol used in a variety of Microsoft network protocols for authentication purposes.

A number that represents the unsigned value of an 8-bit byte. The decimal number 255 represents the maximum value of an unsigned 8-bit byte.

Open database connectivity. A widely accepted application programming interface for database access. It is based on the Call-Level Interface from X/Open and ISO/IEC for database APIs and uses Structured Query Language as its database access language.

open relay
An email server that allows unauthorized users to send (or relay) email through the server. (Most modern email servers will not allow unauthorized users to send email through them.)

A free, open source implementation of the Lightweight Directory Access Protocol (LDAP).

Open shortest path first. A routing protocol that dynamically updates changes to routing table information. This protocol is an enhancement over previous protocols that required entire tables to be updated instead of only changed data.

Outlook Web Access. A web-based version of Microsoft Outlook.

A unit of data as sent across a network.

packet filter

Controls network access by analyzing incoming and outgoing packets and allowing or denying them based on the IP addresses of the source and destination.
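An added example, not from the page, of the rule evaluation behind the IP filter and packet filter entries. It goes slightly beyond the packet filter definition above by matching on protocol and destination port as well as source and destination address, evaluates rules first-match-wins, and falls through to an implicit deny. Addresses, rules, and packets are constructed.

```python
"""Added example: first-match packet filter with an implicit default deny."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp", "icmp"
    dport: int   # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str = "0.0.0.0/0"   # CIDR; default matches any source
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: int = 0           # 0 means any port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (0, pkt.dport))


# Constructed ruleset (hypothetical addresses): block a known-bad host first,
# then permit web traffic to a DMZ server and internal DNS to the resolver.
RULES = [
    Rule("deny", src="203.0.113.66/32"),
    Rule("allow", dst="198.51.100.10/32", proto="tcp", dport=443),
    Rule("allow", dst="198.51.100.10/32", proto="tcp", dport=80),
    Rule("allow", src="10.0.0.0/8", dst="10.0.0.53/32", proto="udp", dport=53),
]


def decide(rules, pkt: Packet) -> str:
    """Evaluate rules in order; the first match wins. A packet matching no
    rule is denied, because a filter that defaulted to allow would pass
    everything the administrator forgot to list."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.66", "198.51.100.10", "tcp", 443),   # blocked host, even to an allowed service
        Packet("203.0.113.5", "198.51.100.10", "tcp", 443),    # allowed web traffic
        Packet("203.0.113.5", "198.51.100.10", "tcp", 22),     # no rule: default deny
        Packet("192.168.1.9", "10.0.0.53", "udp", 53),         # wrong source range for DNS
    ]
    for p in samples:
        print(p, "->", decide(RULES, p))
```

Rule order matters: moving the deny entry below the allow entries would let the blocked host reach port 443, because the first matching rule decides.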

A UNIX command that lets you change your login password after you are registered as a user in the system. The UNIX user account file, /etc/passwd, is also called passwd.

A high-tech scamming technique that uses spam or pop-up messages to deceive people into disclosing credit card numbers, bank account information, Social Security numbers, passwords, or other sensitive information. Internet scammers use email bait to “phish” for passwords and financial data from Internet users.


Personal identification number. A number known only by an individual for the purpose of helping identify a person during a computer-based authentication process. Individuals should memorize their PIN.

A command that sends an ICMP message from a host to another host over a network to test connectivity and packet loss.

Public key infrastructure. A system for distributing public cryptographic keys within a community of interested users. The predominant model (based on X.509) makes use of digital certificates generated by certificate authorities. A PKI enables secure remote communication in a number of network application areas.

(1) An optional software module that relies on a well-defined interface to add functionality to a popular software product. Vendors that create general-purpose software products such as Internet browsers often insert well-defined points within their logical flow where execution checks for the existence of an external module and executes it if it is present, passing related information back and forth according to established patterns. This allows customers or other vendors to customize specific product areas. The concept has been known by a variety of other names, including exits or user exits.

(2) A hardware or software module that adds a specific feature or service to a larger system. Plugins can also display or interpret a particular file format or protocol, such as Shockwave or RealAudio.

A set of rules that govern communications.

Post office protocol. The protocol a mail client uses to retrieve messages from a mail server, normally downloading them to the client.

The number that identifies the destination application process for transmitted data. Port numbers range from 0 to 65535 (port 0 is reserved). For example, telnet typically uses port 23, and DNS uses 53.

Point-to-point protocol. A networking protocol for establishing simple links between two peers.

Point-to-point tunneling protocol. A protocol developed by Microsoft that was popular for VPN applications. It was never considered as secure as IPsec, and Microsoft addressed many flaws in the original implementation; its MS-CHAPv2 authentication has since been shown to be breakable, so PPTP is now regarded as obsolete for protecting sensitive traffic.

private key
Used to decrypt messages that were encrypted with the corresponding public key. A private key can also be used to digitally sign messages. The recipient can use the corresponding public key to verify the authenticity of the message.

promiscuous mode
A mode that accepts all packets regardless of their destination address.

A set of rules by which one entity communicates with another, especially over a network. This is important when defining rules by which clients and servers talk to each other over a network. Important protocols become published, standardized, and widespread.


Acts as an intermediary between a client and other network or Internet resources. A client connects to the proxy and requests a connection, file, web page, or other resource available from another server. Based on the configured criteria, the proxy then allows or denies the requested action.

proxy server
A server that acts on behalf of another server, and may perform tasks such as caching, access control, or provide a route to a destination server. Administrators may choose to configure proxy servers as one of the following:

     Transparent: The end user is unaware of the proxy server's presence.

     Nontransparent: The end user must authenticate to, or interact with, the server.

public key
A public key is used to encrypt messages that only the holder of the corresponding private key can decrypt. Public keys can also be used to verify the authenticity of digitally-signed documents.

QoS
Quality of Service. In packet-switched and computer networks, a resource reservation control mechanism that provides a network with the capability to provide better service to selected network traffic over various technologies, including Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, SONET, and IP-routed networks that may use any or all of these underlying technologies.


The tabular or graphical report results of a customized search of the database records of a report definition’s Log Source or Log Sources. A report query is generated by a query definition. Each report definition includes one or more query definitions.

queue
A list of tasks waiting to be used or processed.

RADIUS
Remote authentication dial-in user service. An authentication protocol developed by Livingston Enterprises Inc. Recognized by the Internet Engineering Task Force (IETF) as a dial-in security solution on the Internet (RFC 2138).

RAID
Redundant array of independent disks. Stores information on multiple hard disks to provide redundancy. Using RAID can improve performance and fault-tolerance.

RBL
Real-time blackhole list. A list that is added to TrustedSource.

remote management
The ability to administer a system from a remote location.

replication
The process by which directory information stored on one machine is copied in full to one or more other remote machines.

reverse DNS lookup
Maps an IP address to its corresponding domain name.

RFC
Request for comments. One of a series of documents recognized by the Internet Engineering Task Force (IETF). Most RFCs document protocol specifications and standards.

root
In UNIX, a user name that gives special privileges to a person who logs onto the system using that name and the correct password. The root user name allows the user to access all of the system's files.

router
A network device that forwards packets between two or more networks, delivering them to their final destination or to another router. A router differs from hubs and switches because it is "intelligent" and can route packets to their final destination.

RSA
A widely used public-key algorithm that can be used for either encryption or digital signing. RSA uses public and private keys that are functions of a pair of large prime numbers.

RSA stands for Ron Rivest, Adi Shamir, and Leonard Adleman, who first publicly described the algorithm in 1977.
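The following is an added example, not part of the glossary: textbook RSA on deliberately tiny constructed primes, showing how the public and private keys are both derived from one pair of primes, how data encrypted with the public key is recovered with the private key (the "private key" and "public key" entries above), and how a private-key signature is checked with the public key.

```python
# Added example (not from the glossary). Textbook RSA with constructed,
# far-too-small primes; real deployments use 2048-bit or larger primes and
# padding schemes (OAEP for encryption, PSS for signatures), and sign a hash
# of the message rather than the message itself.
from math import gcd


def keygen(p, q, e=65537):
    """Derive the (n, e) public key and (n, d) private key from primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)            # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                # modular inverse: d * e == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Anyone holding the public key can encrypt an integer m < n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be a non-negative integer below n")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the private-key holder can undo the public-key operation."""
    n, d = private_key
    return pow(c, d, n)


def sign(private_key, m):
    """Signing is the private-key operation applied to the message (a hash in practice)."""
    n, d = private_key
    return pow(m, d, n)


def verify(public_key, m, signature):
    """Verification applies the public-key operation and compares with m."""
    n, e = public_key
    return pow(signature, e, n) == m


# constructed demo primes: n = 3233, phi = 3120, so 65537 == 17 (mod phi) and d = 2753
P, Q = 61, 53

if __name__ == "__main__":
    pub, priv = keygen(P, Q)
    c = encrypt(pub, 65)
    print("ciphertext", c, "decrypts to", decrypt(priv, c))
    s = sign(priv, 65)
    print("signature", s, "verifies:", verify(pub, 65, s))
```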

rule
The basic operational unit of the electronic communications policy. A rule specifies the conditions of web access and holds a ranked position within the policy. Any access that matches the conditions in a rule triggers that rule if it has the highest priority of all matched rules.

rule group
An organized set of rules. A rule group can consist of both rules and nested rule groups.

S/MIME
Secure Multipurpose Internet Mail Extensions. A standard for secure email messages. S/MIME allows for sender authentication using digital signatures, and allows messages to be encrypted. Also known as SMIME or S-MIME.

secure shell
A network protocol that allows data to be exchanged over a secure channel between two computers. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.

Sender ID
Sender ID is a Microsoft protocol derived from SPF that validates one of the message's address header fields defined by RFC 2822. Which one it validates is selected according to an algorithm called PRA (Purported Responsible Address, RFC 4407). The algorithm aims to select the header field with the email address "responsible" for sending the message. Because it was derived from SPF, Sender ID can also validate the MAIL FROM, but it defines the new PRA identity to validate, and defines new sender policy record tags that specify whether a policy covers MAIL FROM (called MFROM by Sender ID), PRA, or both.

session
(1) The time period during which a terminal user logs on the system until they log off the system.

(2) Sessions define a set of cryptographic security parameters that can be shared among multiple connections. Sessions are used to avoid the expensive negotiation of new security parameters for each connection. Sessions are created by the handshake protocol.

severity
The degree to which a vulnerability may affect a targeted system.

signature
A signature describes an exploit for a known vulnerability that may be found when evaluating traffic to a destination network object.

SIP
Session initiation protocol. An application-layer protocol that manages VoIP telephone calls, multimedia distribution, and multimedia conferences with one or more participants.

site name
The first or only domain name (with its extension) in a URL string. When one website hosts another website, the first domain name (with its extension) is the site name and the last domain name (with its extension) is the host name. For example, in the URL string “www.SecureWeb.com/aaa/www.example.com/home.htm,” the site name is “www.SecureWeb.com” and the host name is “www.example.com.”

Skype
A peer-to-peer Internet telephony (VoIP) network. The network is provided by all combined users of the free desktop software application. Skype users can speak to other Skype users for free, call traditional telephone numbers for a fee (SkypeOut), receive calls from traditional phones (SkypeIn), and receive voicemail messages.

smart card
A hardware authenticator that contains password or cryptographic information that can identify an authorized user, but that cannot be used without an additional "smart card reader" because it contains no keyboard or display.

SMTP
Simple Mail Transfer Protocol. The TCP/IP protocol that transfers email as it moves through the system.

SNMP
Simple network management protocol. The industry standard protocol used for network management.

SNMP agent
A server that communicates with simple network management protocol (SNMP) management stations to provide information and status for a network node.


Snort
An open-source network intrusion detection system (NIDS). Snort is a packet sniffer that performs real-time traffic monitoring and packet logging on Internet Protocol (IP) networks. It can be used to detect dangerous probes and attacks.

social engineering
The act of conning someone into giving out personal information.

SOCKS
Socket secure protocol. A generic proxy protocol used by applications to communicate over TCP/IP networks. The SOCKS protocol provides a flexible framework for developing secure communications by easily integrating other security technologies. SOCKS includes two components: the SOCKS server and the SOCKS client. The SOCKS server is implemented at the application layer, while the SOCKS client is implemented between the application and transport layers. The basic purpose of the protocol is to enable hosts on one side of a SOCKS server to gain access to hosts on the other side of the SOCKS server, without requiring direct IP reachability.

spam
Unsolicited commercial emails, sent using an automated email program, that advertise products, services, and websites. Spam can also be used as a delivery mechanism for malware and other cyber threats.

spammer
A person who sends spam.

SPAN port
Switched port analyzer. A port on a switch that is configured to mirror traffic transmitted on one or more switch ports or VLANS.

SPF
Sender policy framework. Defined in RFC 4408. Validates the HELO domain and the MAIL FROM address given as part of the SMTP protocol (RFC 2821, the "envelope" layer). The MAIL FROM address is usually displayed as "Return-Path" if you select the "Show all headers" option in your email client. Domain owners publish records via DNS that describe their policy for which machines are authorized to use their domain in the HELO and MAIL FROM addresses, which are part of the SMTP protocol.
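As an added example (not part of the glossary), the following minimal SPF checker evaluates a connecting client's IP address against the policy a domain owner publishes in DNS, for both identities the entry names: the HELO domain and the MAIL FROM domain. The DNS table, domains and addresses are constructed for the example; only the ip4, ip6, a, include and all mechanisms are handled, and the mx, ptr, exists and redirect terms and the DNS lookup limits of RFC 4408 are left out.

```python
# Added example (not from the glossary): a toy SPF evaluator over a constructed
# DNS view. A real receiver resolves TXT/A/AAAA records live; here the lookups
# are served from a dictionary so the example runs offline.
import ipaddress

# constructed DNS view: "txt" is the domain's SPF policy, "a" its address records
DNS = {
    "example.test": {
        "txt": "v=spf1 ip4:192.0.2.0/24 a include:_spf.mailer.test -all",
        "a": ["198.51.100.10"],
    },
    "_spf.mailer.test": {"txt": "v=spf1 ip4:203.0.113.5 ip6:2001:db8::/32 ~all"},
    "nopolicy.test": {"a": ["198.51.100.99"]},      # publishes no SPF record
}

# qualifier prefix -> result when that mechanism matches ("+" is the default)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, depth=0):
    """Return the SPF result for client_ip using `domain` in HELO or MAIL FROM."""
    record = DNS.get(domain, {}).get("txt")
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"                    # no policy published (or include loop)
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:      # skip the "v=spf1" version token
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # an IPv4 address is never inside an IPv6 network, and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            hosts = DNS.get(arg or domain, {}).get("a", [])
            matched = any(ip == ipaddress.ip_address(h) for h in hosts)
        elif name == "include":
            # include: only matches when the referenced policy yields "pass"
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"           # mechanism this toy checker does not implement
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no "all" term


def check_envelope(client_ip, helo, mail_from):
    """Check both SMTP envelope identities SPF covers: HELO and MAIL FROM."""
    return {
        "helo": check_spf(client_ip, helo),
        "mailfrom": check_spf(client_ip, mail_from.rsplit("@", 1)[-1]),
    }
```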

spoofing
(1) The creation of a fraudulent website that mimics an actual, well-known website run by another party.

(2) Altering an email sending address so it appears to be from a different sender.

spyware
Malware installed without the user's knowledge to track and/or transmit data to an unauthorized third party.

SSL
Secure Socket Layer protocol. Provides a method of encapsulating data to allow privacy between two applications communicating over the Internet. Transport Layer Security (TLS) is based on SSL version 3.0.

SSO
Single Sign On. Also known as Passport. The ability of a user to authenticate once and then have access to protected content on sites in multiple Internet domains.

standalone
Refers to a device or software program that is self-contained; one that does not require any other device or software program to function.

stream
A media file that is transmitted in a continuous flow over a network. Streams are of two types: live and on-demand.

streaming media
Media files that begin playing while they are being transmitted over the network to the media player on the client computer.

strong authentication
A login process that requires a user to enter a unique, one-time response to a login challenge or special code presented by an authentication server. The authentication server resides somewhere in the internal network and sends a login challenge to a user when he or she attempts to log in. The user must make the proper response to the challenge using a special hardware or software token.

subnet
A network addressing scheme that separates a single network into a number of smaller physical networks to simplify routing.


switch
A network device that is similar to a hub, but much smarter. Although not a full router, a switch partially understands how to route Internet packets. A switch increases LAN efficiency by utilizing bandwidth more effectively.

syntax
Refers to the spelling and grammar of a programming language. Computers are inflexible machines that understand what you type only if you type it in the exact form (syntax) that the computer expects.


TCP
Transmission control protocol. A connection-oriented and stream-oriented Internet standard transport layer protocol.

TCP/IP
Transmission control protocol over Internet protocol. The basic networking protocol suite for Internet communication.

telnet
A TCP/IP protocol that directs the exchange of character-oriented data during a client-to-server session.

TLS
Transport layer security. The latest version of SSL. It is an enhancement of SSL version 3.0.

traceroute
A UNIX command that shows all of the routing steps between one host and another.

transmission
The process of sending information from one point to another.

trap
An SNMP alert message sent as an unsolicited transmission of information from a managed node (router, firewall) to an SNMP management station.

trojan horse
A malicious program that poses as a benign application. A Trojan horse program purposefully does something the user does not expect. Trojans are not viruses because they do not replicate, but Trojan horse programs can be just as destructive.

TRU
Threat response update. In Email Gateway, the configuration update of dictionaries, rules, and thresholds.

TrustedSource
A global threat correlation engine and intelligence base that follows trends in email, web traffic, and malware, and assigns Web Reputation ratings. TrustedSource also has a tool to verify if a site is included in the most current version of the Trusted Source Web Database.

tunneling
The transmission of data using a protocol other than that for which the data is formatted. Tunneling is typically used when communication via the desired protocol is blocked by a firewall or similar mechanism. The data is structured to use an allowed protocol, sent through the firewall, and then deciphered on the other side.

UDP
User datagram protocol. A connectionless protocol that transfers data across a network with no reliability checking or error checking.


UDS
User-defined signature. A signature that a user or other administrator creates to add functionality for a specific attack, or attacks, to a signature set.


UNC
Universal naming convention. A convention that is used to identify a share without having to specify the storage device it is on.

unicast
A message sent to a single destination.

UNIX
A powerful operating system used in high-end workstations and computer systems on the Internet. It allows a single computer to operate multiple programs and be accessed by other computers, all at the same time.

URL
Uniform resource locator. Provides the address of specific documents on the web. Every Internet file has a unique URL, which indicates the name of the server, the directory, and the specific document. The form of a URL is protocol://pathname. For example: ftp://www.website.com and http://www.website.com.

user group
A logical grouping of two or more users, identified by a single name.

UTC
Coordinated Universal Time. Also known as Greenwich Mean Time (GMT). A time-scale that forms the basis of a coordinated dissemination of standard frequencies and time signals throughout the world.

virus
A program (usually an executable program) that infects a computer file by inserting a copy of itself into the file. These copies are usually executed when the infected file is loaded into memory, allowing the virus to infect other files. A virus requires human involvement (usually unwittingly) to propagate. When a virus is active in a host computer, the infection can spread rapidly throughout a network to other systems.

Some viruses may be benign and result only in amusement or slight annoyance. Others can be malicious and destroy or alter data.

VPN
Virtual private network. A method of authenticating and encrypting data transmissions between machines (firewall-to-firewall, firewall-to-client) via the Internet. A VPN makes it appear as though the networks on the internal side of the firewalls are connected to each other via a pair of routers with a leased line between them.

WAN
Wide area network. A computer network that covers a broad area, including metropolitan, regional, and national boundaries.

web filtering
Managing access to web content, such as blocking certain pages or domains, based on a combination of how the web content's URL is categorized in a database and the site's web access policy.

web interface
A collection of web pages provided for accessing a computer system via a web browser.

web server
A network device that stores and serves up any kind of data file including text, graphic images, video, or audio. Its stored information can be accessed via the Internet using standard protocols, most often HTTP/HTTPS.

web mail
Also called web-based email. An email account that is accessed through a web browser. Popular consumer versions of this technology include Gmail, Hotmail, and Yahoo Mail. Many corporations are also adopting web mail as a way to allow employees to access their email accounts remotely.

whitelist
A list of trusted entities that are allowed to send messages. The opposite of a blacklist. Use whitelisting conservatively to avoid allowing large amounts of spam through.

WINS
Windows Internet Naming Service. Manages the association of workstation names and locations with IP addresses.

workstation
A computer on the network, defined by the name of the computer rather than the name of the person using the computer.

worm
An independent computer program that reproduces by copying itself from one system to another across a network. Unlike computer viruses, worms do not require human involvement to propagate. Worms are constructed to infiltrate legitimate data processing programs and alter or destroy the data. What is often seen as a virus infection is actually a worm.