3DES

Triple DES. A version of DES in which three encryption phases are applied.

AAA

Authentication, Authorization, and Accounting. Processes that are used to control network access and enforce security policies.

ABR

Area Border Router. A router that is attached to more than one OSPF area.

access policy

See firewall access policy.

active-active

A high-availability mode in which both members of an HA cluster process data. The cluster master sends selected traffic to the cluster participant. This feature will be available in a future version.

active-standby

A high-availability mode in which one member of an HA cluster processes data while the other member remains in hot-standby. If the cluster master fails, most of its connections fail over to the cluster participant.

address group

A named object that contains a group of address objects.

address object

A named object that contains one or more addresses: IP, IP range, network, or domain. Address objects can be single-entry or multiple-entry.

administrative distance

A value that indicates the reliability of routes that are discovered by a routing protocol. The lower the value, the more trusted the route.

Advanced Encryption Standard

See AES.

AES

Advanced Encryption Standard. A published symmetric encryption algorithm used for IPsec that uses a 128-bit, 192-bit, or 256-bit symmetric key to encrypt data in 128-bit blocks.

AES-XCBC

Advanced Encryption Standard with Extended Cipher Block Chaining, an authentication algorithm that uses a pseudo-random function to create IKE keys.

AF

Assured Forwarding. A differentiated services (DS) per-hop behavior group that comprises four classes. These classes allow a provider DS domain to offer different levels of forwarding assurances for IP packets that are received from a customer DS domain.

aggressive mode

An IKE mode in which three total messages are exchanged during IKE phase 1 instead of six — two from the initiator and one from the respondent.

AH

Authentication Header. A part of the IPsec protocol suite, AH provides authentication for both the payload (including the original IP header) and the delivery IP header.

ALG

Application-Layer Gateway. A type of proxy server that performs special processing for applications that dynamically negotiate data ports or that otherwise might present special problems for the firewall.

anomaly

Deviation from a set standard. For example, a protocol anomaly is a deviation from normal protocol behavior.

anomaly-based IPS

IPS that detects irregularities in traffic flow, protocol headers, or protocol payloads.

anti-replay window

A sliding range of IPsec packet sequence numbers that are considered valid. The TMS zl Module drops out-of-sequence packets to protect against replay attacks. However, because packets might arrive slightly out of order, the TMS zl Module accepts packets that have sequence numbers within the anti-replay window.

application inactive timeout

A timeout that is applied to an application by port number and protocol.

application-layer gateway

See ALG.

apply

An action for an IPsec policy wherein the policy is applied to all traffic that is specified in the traffic selector. See also ignore and bypass.

area border router

See ABR.

AS

Autonomous System. The network or collection of networks under the same administrative control.

ASBR

Autonomous System Border Router. A router that connects to an external network and runs both OSPF and the external network's routing protocol. ASBRs are located within the OSPF backbone area (Area 0).

ASN

Abstract Syntax Notation. A standard for notation of data structures that is the joint product of the ISO/IEC and ITU-T.

assured forwarding

See AF.

authenticated network access

Network access that is granted after the user submits credentials to an authentication server.

authentication algorithm

An algorithm that uses a specific key to generate a unique message digest for a packet, which the remote endpoint checks using the same key and algorithm. If the data has been altered, the integrity check fails.

authentication header

See AH.

auto SA revalidation

Allows the TMS zl Module to automatically revalidate security associations when the associated policy is changed.

autonomous system

See AS.

autonomous system border router

See ASBR.

backup designated router

See BDR.

BDR

Backup Designated Router. A router in an OSPF network that provides redundancy for a designated router (DR). If the DR does not broadcast link-state advertisements after a set amount of time, the BDR assumes the DR has failed and takes over as the new DR.

bypass

An action for an IPsec policy in which traffic that is specified in the traffic selector is forwarded to its destination but not secured by the IPsec SA. See also ignore and apply.

CA

Certificate Authority. An entity that issues digital certificates and acts as a trusted third party that verifies the identity of devices that communicate over an untrusted network.

CA certificate

A certificate that is provided by a CA to verify any certificates that have been signed by that CA.

certificate

An electronic document that contains a public key and is digitally signed. Certificates are used to verify the identity of the sending device.

certificate authority

See CA.

challenge password

The password that you must input when creating a certificate request through SCEP.

CHAP

Challenge Handshake Authentication Protocol. An authentication protocol used by RADIUS. CHAP involves a three-way handshake to authenticate users.

chassis

The switch frame where the circuit components are mounted.

CIDR

Classless Inter-Domain Routing. An IPv4 addressing scheme that more efficiently allocates IP addresses than the original classful scheme by specifying a network bit length in the subnet mask. Example: 10.1.1.0/24.

cipher block chaining, extended

See AES-XCBC.

circuit-level gateway

A circuit-level gateway acts at the OSI Session Layer (Layer 5) to monitor the establishment of sessions between trusted and untrusted devices. Some circuit-level gateways establish proxy sessions with untrusted hosts for their clients.

Classless Inter-Domain Routing

See CIDR.

clear DF bit

An option that permits you to set the DF bit to 0, which means that the packet can be fragmented in an IPsec SA.

cleartext

Data that is immediately comprehensible to a human being — a message that is transmitted or stored without encryption.

CLI

Command-Line Interface. An interface that requires that the user manually type commands at a command prompt, one line at a time.

client-to-site

Also known as remote access, a VPN type wherein remote VPN clients initiate VPN tunnels with a VPN server on the private, corporate network.

command-line interface

See CLI.

community name

The community name identifies a group of devices that share SNMPv2 messages.

connected route

A route between two devices that are directly connected to one another, meaning that a single network cable or interface connects the two devices.

connection timeout

See timeout.

control messages

Messages exchanged between the master and the participant in a high-availability cluster.

convergence

The time that it takes for all routers on a network to receive the same information about network topology.

copy DF bit

The IPsec option to copy the Don't Fragment (DF) bit from the original IP header to the delivery header to ensure the correct handling for the packet.

cost

Also known as metric, the desirability of a specific hop of an OSPF route. The lower the cost, the more preferred the hop.

CRL

Certificate Revocation List. A list of certificates that are no longer valid or that have been revoked.

crypto map

The name for IPsec policy on the HP ProCurve Secure Router 7000dl.

CS

Class Selectors.

custom timeout

A timeout applied to a specific transport protocol and port.

CVE ID

Common Vulnerabilities and Exposures Identifier.

Data Encryption Standard

See DES.

data port

Physical port 1 on the TMS zl Module (J1 on the circuit board), which plugs into the host switch backplane. In routing mode, the data port is a tagged member of every TMS VLAN. In monitor mode, the data port receives mirrored traffic from the host switch.

dead interval

The amount of time an OSPF router waits for route advertisements from a peer router before declaring a route dead.

default gateway

The next-hop router to which a device sends all traffic that is destined to a different network or subnet.

default metric

The metric that is assigned to redistributed routes.

defragmentation

The reassembly of fragmented packets, often performed by a router or by the TMS zl Module.

demilitarized zone

See DMZ.

denial of service

See DoS.

DER

Distinguished Encoding Rules. A method for encoding data objects.

DES

Data Encryption Standard. A published symmetric encryption algorithm used for IPsec that uses a 56-bit symmetric key to encrypt data in 64-bit blocks.

designated router

See DR.

destination NAT

Network address translation in which the destination IP address is replaced by another IP address as the packet crosses a network boundary.

destination zone

The zone to which a packet is destined.

DF bit

Don't Fragment bit. The IP header bit that specifies whether the packet can be fragmented.

DHCP

Dynamic Host Configuration Protocol. A protocol that allows network administrators to set up a server to manage IP addresses, automatically assigning IP addresses to devices on the network. DHCP simplifies IP management, eliminating the need to manually assign IP addresses to devices and then track those addresses.

DHCP relay

The means by which DHCP requests from clients on one subnetwork are forwarded to a DHCP server on a different subnetwork, which eliminates the need for a DHCP server on each network segment.

dial-in user

The remote L2TP VPN client to whom you want to permit access.

Differentiated Services

Also known as Diff-Serv, a class-of-service model that enhances the best-effort services of the Internet by differentiating traffic according to user, service requirements, and other criteria.

differentiated services field

The IP header field (DS) that is used as a codepoint to select the PHB.

Diffie-Hellman key exchange

A protocol that generates the keys for an IPsec SA during the second exchange of IKE phase 1. Diffie-Hellman key agreement protocol is a secure method for generating unique, shared keys without sending them over the connection, which would render them vulnerable to interception.

DiffServ

See Differentiated Services.

Dijkstra's algorithm

A routing algorithm developed by Dutch computer scientist Edsger Dijkstra that allows a router to generate a routing tree with itself as the root.

distinguished encoding rules

See DER.

distinguished name

See DN.

DMZ

Demilitarized Zone. A zone that is located logically between the INTERNAL and EXTERNAL zones; it usually contains public Internet services.

DN

Distinguished Name. The ASN.1 name that is associated with a certificate.

DNS

Domain Name System. A protocol that translates between a human-readable address (www.example.com) and an IP address (10.1.2.15). Translation is performed in both directions.

domain name

A unique, human-readable name that is assigned to a device, such as ns1.procurveu.edu.

domain name address object

An address object that contains between one and 10 URLs or FQDNs.

domain name system

See DNS.

DoS

Denial of Service. A type of attack that monopolizes a system's resources so that other users cannot access it.

DR

Designated Router. The only router in an OSPF area that floods LSAs to other routers in the area.

DR priority

The priority of a router during designated router (DR) election.

DSA

Digital Signature Algorithm. A published standard used to create digital signatures.

DSCP

Differentiated Services Code Point. A field in an IP header that provides a degree of quality of service.

EF

Expedited Forwarding. A Differentiated Services per-hop behavior that is intended to provide low-delay, low-jitter, and low-loss service.

email forwarding

The method by which log messages are sent to up to three email addresses.

encapsulation

The process of encapsulating one protocol within another. For example, L2TP can be encapsulated by IPsec to secure tunnel data.

encapsulation mode

The method IPsec uses to secure a VPN tunnel, either tunnel mode or transport mode.

encryption algorithm

An algorithm that provides data privacy by transforming data into a new string. DES, 3DES, and AES are encryption algorithms the TMS zl Module uses to establish security associations.

ESP

Encapsulating Security Protocol. A part of the IPsec protocol suite that provides origin authenticity, integrity, and confidentiality protection for packets.

exchange method

See key exchange method.

exchange mode

See key exchange mode.

expedited forwarding

See EF.

extended ACL

The name for traffic selector on the HP ProCurve Secure Router 7000dl series.

eXtended AUTHorization

See XAUTH.

extended cipher block chaining

See AES-XCBC.

extended sequence number

An IPsec option that allows you to increase the upper limit of sequence numbers that are used in a security association (SA). This is helpful if your SA has a relatively long lifetime and transmits a great deal of traffic.

EXTERNAL

The zone that represents untrusted networks that are outside your autonomous system.

failover

The process by which a cluster participant takes over the workload of a cluster master when the master fails.

firewall access policy

A rule that specifies which traffic can pass between TMS VLANs. Firewall access policies are classified by source and destination zones, multicast or unicast, and user group.

firewall port map

An association between a port number and an application. The firewall and IPDS use the port map to track session information, including source and destination ports and translated ports for NAT.

firewall zone

A logical grouping of VLANs for which you can configure similar firewall access policies. The zones are EXTERNAL, INTERNAL, DMZ, SELF, ZONE1, ZONE2, ZONE3, ZONE4, ZONE5, and ZONE6.

FQDN

Fully Qualified Domain Name. An FQDN specifies the exact location of a node in the Domain Name System's tree hierarchy. For example: eng.procurve.edu.

fragment before IPsec

An IPsec policy option where packets are fragmented before they are encrypted to help remote endpoints process and decrypt packets more quickly.

FTP bounce

An attack in which the attacker uses the PORT command to indirectly scan the ports of the targeted device. The FTP ALG protects against this attack.

gateway

The network node that provides access to other networks or subnets.

global maximum connections

The maximum number of connections that are allowed for all zones together.

GRE

Generic Routing Encapsulation. A protocol that can send non-IP packets through a tunnel on an IP network.

GRE over IPsec

A method for securing GRE tunnels with IPsec for traffic that requires data integrity or privacy.

GRE tunnel

A tunnel that is created by GRE that establishes a virtual point-to-point connection between two devices across an intervening network.

guest user group

A local user group that is designated for guest access. You can configure firewall access policies that apply to the guest group only.

H.323

A protocol suite recommended by the ITU-T for audio-visual traffic on packet-switched networks.

HA

High Availability. The means by which a system avoids network downtime through redundancy or other methods.

HA control protocol

A Layer 2 protocol to manage data flow between the master and the participant in an HA cluster.

HA data protocol

A Layer 2 protocol that sends data from the cluster master to the participant. The master sends data to the MAC address of the participant.

HA port

In routing mode, physical port 2 (J2 on the circuit board), which plugs into the host switch backplane. This port is an untagged member of the high-availability VLAN.

hardware ID

A unique identification number that is used to obtain a license key or to register a subscription.

hash algorithm

The name of the authentication algorithm on the HP ProCurve Secure Router 7000dl.

hello interval

The amount of time that determines how often an OSPF router advertises its routes.

high availability

See HA.

hook

A feature in software, often a variable, that simplifies later additions and revisions.

host

An individual device.

host switch

The switch in which the module is installed.

HP ProCurve VPN client

Software that can be installed on a Windows workstation to allow remote access to the corporate network over a VPN.

IANA

Internet Assigned Numbers Authority. The organization that oversees the global coordination of the DNS root, IP addressing, and other Internet protocol resources.

IANA IP protocols

Protocols for which the IANA has assigned a unique identifier. For example, TCP is identified by the number 6.

ICMP

Internet Control Message Protocol. A protocol in the IP suite that reports problems that are incurred while delivering IP packets.

ICMP echo

An ICMP function that sends a packet between two hosts (both directions). The ping command uses an ICMP echo to check network connectivity.

ICMP error message

ICMP messages that report an error that occurred while delivering IP packets.

ICMP message handling

The user-defined method by which IPsec responds to ICMP messages.

ICMP replay

An attack where the attacker sends ICMP messages to one or many ports of the victim device to map out open and closed ports.

ICV

Integrity Check Value. A value that is assigned to a file and used to check the file (at a later date) to verify that the data has not been changed.

identity type

A name that each endpoint of an IPsec VPN uses to authenticate itself. The identity is specified in the IKE policy and can be an IP address, a domain name, an email address, or a distinguished name. For multiple clients in a client-to-site policy, you can use wildcards.

IDS

Intrusion Detection System. A device or software that is used to detect malware or unauthorized attempts to enter the network.

IETF

Internet Engineering Task Force. An organization that promotes LAN and other networking standards. See www.ietf.org.

IGMP

Internet Group Management Protocol. A protocol used by hosts and multicast routers to establish and manage IP multicast groups.

ignore

An action for an IPsec policy wherein traffic that is specified in the traffic selector is discarded and not passed through the IPsec tunnel. See also bypass and apply.

IGP

Interior Gateway Protocol. Routing protocols such as RIP and OSPF that are designed to operate in a single autonomous system.

IKE

Internet Key Exchange. A protocol that mutually authenticates two devices as they establish an IPsec VPN. IKE establishes an IKE security association (SA) and a set of cryptographic algorithms that will be used to protect the IPsec SA.

IKE mode

The mode in which IKE is initiated, either main or aggressive.

IKE mode config

The process through which the remote clients of a client-to-site VPN are assigned local addresses for use on the local network.

IKE phases

Two primary phases that establish an IPsec security association (SA). Phase 1 negotiates security parameters for the IKE SA, generates the keys used to secure data sent over the IKE SA, and authenticates the endpoints of the tunnel. In Phase 2, IKE negotiates the IPsec SA.

IKEv1 policy

The policy that the TMS zl Module uses to carry out IKE phase 1 when establishing an IPsec VPN.

inactivity timeout

The interval after which a connection is terminated by the TMS zl Module if no traffic is detected on that connection. Inactivity timeouts may apply to an authenticated user or an application.

inbound authentication key

The authentication key that a local device expects to receive from a remote device when establishing a VPN.

inbound encryption key

The encryption key that a local device expects to receive from a remote device when establishing a VPN.

initiator

The device that starts VPN negotiation and proposes the parameters.

integrity check value

See ICV.

inter-chassis failover

Failover between high-availability cluster members that are in different switch chassis.

inter-VLAN

Between different VLANs.

INTERNAL

A zone that is intended to contain TMS VLANs that are on the internal network.

intra-chassis failover

Failover between two high-availability cluster members that are in the same switch chassis.

intra-VLAN

Within the same VLAN.

intrusion detection

See IDS.

intrusion prevention

See IPS.

IP address object

An address object that contains up to 100 individual, non-contiguous IP addresses.

IP address pool

One or more IP addresses that are assigned to remote clients through IKE mode config.

IP protocol scan

An attack that is used to determine which IP protocols are in use.

IP range address object

An address object that contains up to 100 ranges of contiguous IP addresses.

IP reassembly

The process by which fragmented IP packets are restored to their original form at their destination.

IP reassembly attack

An attack in which the attacker sends an invalid IP datagram wherein the fragment offset plus the fragment size is greater than the reassembly buffer size.

IP spoofing

The use of a false IP address to penetrate a firewall or other network defense.

IPDS

Intrusion Prevention/Detection System. A device that provides both IPS and IDS capabilities.

IPS

Intrusion Prevention System. A device that can be used to react to an intrusion on a network by an unauthorized user by blocking or preventing the attack.

IPsec

A protocol suite that supports a variety of industry-standard authentication and encryption protocols. It is a flexible, highly secure method of establishing a VPN.

IPsec policy

The set of parameters that the TMS zl Module uses to carry out IKE phase 2 when negotiating an IPsec SA.

IPsec proposal

This is the TMS zl Module's equivalent of a transform set, which is the combination of security protocols, algorithms, and other settings applied to IPsec VPN traffic.

IPsec remote access server

See IRAS.

IRAS

IPsec Remote Access Server. The device that provides access to the target VPN network. An IRAS is also known as a security gateway.

ISAKMP

Internet Security Association and Key Management Protocol. The protocol that defines the procedures for authenticating peers, creating and managing security associations (SAs), key generation techniques, and threat mitigation.

key exchange method

The method used to generate the keys used to negotiate an IPsec security association, either IKE or manual keying.

key exchange mode

The mode used to initiate IKE, either main mode or aggressive mode. Also known as IKE mode.

L2TP

Layer 2 Tunneling Protocol. A session-layer protocol (Layer 5) that mimics a data-link protocol (Layer 2). It tunnels PPP connections between two endpoints within UDP datagrams to establish a VPN.

L2TP access concentrator

See LAC.

L2TP network server

See LNS.

LAC

L2TP Access Concentrator. A LAC virtually extends an Internet connection to an LNS, which is located at the internal network.

land attack

An attack where the attacker sends a stream of TCP SYN packets that have the same source and destination IP addresses and TCP port number.

LDAP

Lightweight Directory Access Protocol. A set of protocols that allow a host to look up and access directory services.

license

The legal right to use the TMS zl Module.

link state advertisements

See LSA.

LNS

L2TP Network Server. The device that provides access to the target L2TP VPN network.

local database

A database of user credentials stored on the TMS zl Module itself.

local user

A user in the local database that can authenticate to the network through the TMS zl Module.

logging

The process of documenting events (usually security events) that are detected by the TMS zl Module.

login banner

The text that is displayed at the top of the login page.

LSA

Link State Advertisements. Messages sent by OSPF routers that distribute information about routers' connections to networks and to other routers.

main mode

An IKE mode in which six total messages are exchanged during IKE phase 1 — three each from the initiator and the respondent.

management port

In monitor mode, physical port 2 (J2 on the circuit board), which plugs into the host switch backplane. This port is an untagged member of the management VLAN.

management-access zone

A zone from which management access is permitted to SELF.

manager account

The user account on the module that has read-write access to the module's management interfaces.

manual key configuration

The use of manually input keys instead of IKE to authenticate the two endpoints of an IPsec VPN.

many-to-many

A NAT operation wherein a pool of NAT addresses is assigned to a limited number of connections.

many-to-one

A NAT operation whereby multiple connections are assigned the same IP address.

master

The member of the HA cluster that stores the primary configuration for the cluster. In an active-standby cluster, the master handles all of the traffic; in an active-active cluster, the master load-balances traffic with the participant.

maximum transmission unit

See MTU.

MD5

Message-Digest algorithm 5. A hash algorithm that is used to create digital signatures or to authenticate the endpoints of a VPN tunnel.

member

A module that is part of an HA cluster.

metric

A value that indicates the distance to a destination address. Higher values indicate greater distances between the router of origin and the destination.

MIB

Management Information Base. A set of network objects that can be managed with SNMP.

Microsoft Windows VPN client

Software on a Windows workstation that allows remote access to the internal network over a VPN tunnel.

MIME header flood

A type of attack or inadvertent condition where the packets have too many MIME headers or the headers are too long.

misaligned time stamp

A malformed packet where the time stamp is not aligned on the 32-bit boundary.

monitor mode

An operating mode in which the module acts as an IDS device.

MS-CHAP

Microsoft CHAP. The Microsoft implementation of CHAP.

MTU

Maximum Transmission Unit. The size of the largest packet that can pass between routing devices.

multicast

A send method wherein the packet is sent by one device and is destined for multiple other devices. Multicast IP addresses are in the 224.0.0.0 through 239.255.255.255 range.

multicast flooding

The process by which a protocol delivers multicast packets throughout a network.

multiple-entry address object

An address object that contains more than one address entry.

My ProCurve

The Web site on which you generate license keys for TMS zl Module products and register your IPS signature subscription.

n/a

Not Applicable.

name server

A server that implements name services protocols, usually DNS.

named object

A logical container that is used in firewall access policies, NAT policies, port triggers, and IPsec policy traffic selectors to represent a logical name for one or more addresses, services, or schedules.

NAS

Network Access Server. An intermediate device that translates and relays messages between the RADIUS server and the authenticating user.

NAS ID

NAS IDentifier. The hostname that you specify on System > Settings > General.

NAT

Network Address Translation. A means of translating an IP address and/or port number when it crosses subnet boundaries.

NAT address

An IP address that is assigned by the NAT operation. For example, if 10.1.1.10 is translated into 192.168.2.1, then 192.168.2.1 is the NAT address.

NAT policy

A policy that determines which traffic is translated and how it should be translated.

network address object

An address object that contains one or more subnet addresses in CIDR format.

network authentication

The process that requires users to submit credentials to an authentication server before they can access the network. The TMS zl Module contains an authentication server or it can relay messages from a remote RADIUS server.

not-so-stubby area

See NSSA.

NSSA

Not-So-Stubby Area. An OSPF area that connects another area to an untrusted network.

one-to-one

A NAT operation wherein each internal IP address is assigned its own unique NAT address.

Open Shortest Path First

See OSPF.

operating mode

A functionality set for the TMS zl Module, either routing (Layer 3) or monitor (IDS).

operator account

The user account that has read-only access to the TMS zl Module's management interfaces.

orphaned access policy

A firewall access policy that is configured to affect traffic within a single TMS VLAN. Orphaned policies cannot be enforced by the TMS zl Module because the policies operate at Layer 3, whereas traffic between devices on the same TMS VLAN operates at Layer 2.

OSPF

Open Shortest Path First. A routing protocol that uses Dijkstra's algorithm to calculate the shortest path across routers to a destination.

out-of-sequence packets

An attack check performed by the TMS zl Module that drops packets that are received out of order.

outbound authentication key

The authentication key that a remote device expects to receive from a local device when establishing a VPN.

outbound encryption key

The encryption key that a remote device expects to receive from a local device when establishing a VPN.

packet flow

The logical path of a packet through a device such as the TMS zl Module.

PAP

Password Authentication Protocol. A protocol used to authenticate a client to a remote server or an Internet service provider. PAP uses a two-way handshake to transmit usernames and passwords in unencrypted plaintext, making it insecure.

participant

A member of the HA cluster that relies on the master to receive data in an active-active cluster or that remains in hot-standby in an active-standby cluster.

passive mode

A RIP mode in which the VLAN receives routing tables from other routers but does not broadcast its own routing table.

passphrase

A password that is used for authentication or encryption, typically used in SNMPv3.

PAT

Port Address Translation. A type of destination NAT where the port is translated as well as (or instead of) the IP address.

PDU

Protocol Data Unit. The unit that gives the protocol control information, either the bit (Layer 1), the frame (Layer 2), the packet (Layer 3), the segment (Layer 4) or the data (all other layers).

peer ID

The identifier of the remote router in a site-to-site VPN, usually the IP address of the interface through which the VPN is established.

PEM

Privacy Enhanced Mail. An IETF proposal to secure email with public keys.

per-hop behavior

See PHB.

perfect forward secrecy

See PFS.

persistent tunnel

An IPsec option that keeps an SA open after the tunnel lifetime expires.

PFS

Perfect Forward Secrecy. The VPN key option that forces the tunnel endpoints to periodically generate new keys for the IPsec SA instead of recycling the IKE SA keys.

PHB

Per-Hop Behavior. Defines how packets are queued at network nodes.

PIM-SM

Protocol-Independent Multicast — Sparse Mode. A protocol used to efficiently route traffic to multicast groups that span wide-area (WAN and inter-domain) networks.

ping of death

An attack in which the attacker sends a ping packet that is larger than 65535 bytes, which can crash the target device and so cause a DoS.

ping scan

An attack in which the attacker sends ICMP Echo Request packets, and the host responds with an ICMP Echo Reply packet, which indicates that the host is active and that its firewall does not filter ICMP packets.

PKI

Public Key Infrastructure. A system of digital certificates, CAs, and other registration authorities that verify and authenticate each party in an Internet transaction.

PMTU

Path Maximum Transmission Unit. A method of computing the largest packet size that a particular route will support. PMTU is used to avoid packet fragmentation.

poison reverse

A RIP message that tells a router that a route in the routing table is no longer connected, which helps to speed convergence.

policy set

A group of policies (firewall or NAT) that have the same source and destination zones.

polymorphism

The capability of an object to assume more than one property, often shifting from one property to another in response to external stimuli.

port address translation

See PAT.

port forwarding

The process in which traffic addressed to one port is forwarded to a different port. Port forwarding is often employed when a network is running well-known protocols on non-standard ports.

port map

A port-to-application association that informs the IDS/IPS and ALGs which type of traffic to expect on a particular port.

port trigger

A policy that activates in response to a connection over one or more Layer 4 ports. Port triggers can be configured for applications that dynamically negotiate data ports but for which the module does not have an ALG.

position

The location of a policy on the policy set list. The firewall checks packets against policies in the order in which they are listed, so the policy in the highest position (lowest numerical value) is checked first.

pre-connection ACK

An attack check that the TMS zl Module performs in which the module sends a RST packet whenever it receives an ACK packet without first receiving a SYN packet.

preshared key

See PSK.

priority

The position of a policy relative to other policies. The policy in the top position (1) is applied first, then the next policy, then the next. As soon as a packet matches a policy, that policy is applied and all subsequent policies are ignored.

priority VLAN

A VLAN from which you can gain management access regardless of traffic volume or workload.

private key

An encryption/decryption key that is known only by the parties that exchange data.

protocol anomaly

A type of intrusion detection that looks for irregularities in protocol payloads. Protocol anomalies are found in applications, so the attack indicators are hidden in the packet payload.

protocol data unit

See PDU.

PSK

Preshared Key. A text string that is configured on two devices before they begin communicating. This key is used by IKE to verify the identity of each device.

RADIUS

Remote Authentication Dial-In User Service. An authentication protocol that allows a server to store all of the security information for a network in a single central database.

rate limiting

The means by which connections that are permitted by a firewall access policy are throttled.

re-key on sequence number overflow

An IPsec option that automatically reestablishes the SA before it reaches its last sequence number.

rebalance now

The command that instructs the modules in an active-active HA cluster to redistribute the workload among the cluster members.

reconnaissance scan

An attack in which the attacker floods the target device with a certain packet type (for example, ping or ACK packets) so that the attacker can learn which of the target device's ports are open, closed, or filtered.

remote access

Communication with a network from an untrusted location.

rendezvous point

See RP.

reservation count

The number of connections that are reserved for each address that is specified in a connection reservation.

responder

In a VPN, the device that does not initiate the VPN negotiation.

RFC

Request For Comments. An IETF document that proposes a standard or explains general networking techniques. See tools.ietf.org.

RIP

Routing Internet Protocol. A well-known and commonly used distance-vector routing protocol that relies purely on hop count. RIP is simple to configure but can be slow to converge.

route computation

The process of adding route costs in OSPF to find the shortest route to an arbitrary destination.

route redistribution

The process of learning routes that are discovered by a different protocol. For example, RIP can redistribute routes discovered by OSPF, so RIP can learn about routes that it may not otherwise have been able to reach.

routing mode

The default, Layer 3 operating mode of the module where the VLANs are assigned to zones and NAT, routing, and VPN capabilities are available.

RP

Rendezvous Point. The device to which IGMP group members send multicast traffic.

RSA

Rivest-Shamir-Adleman. A public-key encryption technology that was developed by RSA Data Security, Inc.

RTSP

Real-Time Streaming Protocol. A protocol that allows a client to remotely control a streaming media server and that allows time-based access to files on the server.

running configuration

The configuration that the module currently uses. If you shut down the module without saving the running configuration, you will lose the unsaved settings.

SA

Security Association. A logical connection that establishes shared security information between two devices on a VPN. An SA may include cryptographic keys, initialization vectors, or digital certificates.

SA lifetime

The time in seconds that can pass or amount of data in kilobytes that can be sent before the SA must be renegotiated or terminated.

SCEP

Simple Certificate Enrollment Protocol. A PKI communication protocol that provides secure issuance of certificates in a scalable manner.

schedule object

A named object that specifies the days and times of day that a specific firewall access policy is enforced.

scheduled policy

A firewall access policy to which a schedule object has been applied.

security association

See SA.

SELF

The zone that contains all of the module's interface and NAT addresses. All traffic that terminates at the module is destined for SELF, and all traffic that originates with the module is from SELF.

sequence number out of range

A condition wherein a packet's sequence number falls outside the TCP sliding window's parameters, which can indicate an attack.

sequence number overflow

A condition wherein an IPsec SA exhausts all of its sequence numbers before the session has ended.

sequence number prediction

An attack wherein the attacker predicts the TCP session sequence number to secure a new session or hijack an existing session with a network device.

serial console

A management access method that requires a serial connection between the host switch and a workstation plus terminal-emulation software.

serial number

A unique number that identifies each TMS zl Module. The serial number is displayed on the dashboard.

services OS

An underlying layer of software on which the TMS zl Module's product software runs. The services OS is designed primarily for blade maintenance. It is from this CLI context that you install the product license and update the module's software.

SHA-1

Secure Hash Algorithm 1. One of five cryptographic hash functions that were designated by the National Security Agency.

signature server

The HP ProCurve server from which the latest signatures are downloaded. The signature server address is preloaded in the TMS zl Module and cannot be altered.

signature-based IDS

Attack detection that compares audit data with known attack signatures that are stored in the module's signature database.

signatures

Preset definitions that specify characteristics that are indicative of a particular attack.

single-entry address object

An address object that specifies only a single IP address, IP address range, or network address.

site-to-site

A type of VPN tunnel between two stationary VPN gateways, both of which can be initiator or responder.

sliding window

A TCP header field that specifies the maximum number of unacknowledged bytes allowed in a session.

slot ID

The letter that is assigned to a chassis slot.

SNMP

Simple Network Management Protocol. An application-layer protocol that supports the exchange of management information between network devices.

SNMP community

A group to which devices that support SNMP belong. SNMP devices do not respond to SNMP messages for other SNMP communities.

SNMP trap

A message that is initiated by a network device and sent to the network management system. For example, a PCM+ server can be specified as the SNMP trap destination for the TMS zl Module's traps.

source NAT

Network address translation in which the source IP address is replaced by another IP address as the packet crosses a network boundary.

source routing

A process in which a sender specifies the route by which a packet will travel. As an attack technique, the sender specifies a route to see if the route is successful, then learns legitimate paths from the failed and successful routing attempts.

source zone

The firewall zone from which a packet is sent.

SPI

Security Parameters Index. A unique number that is one of the three factors that identifies a particular SA.

SPF

Shortest Path First. An algorithm used in OSPF to determine which route to a destination is the fastest.

SSH

Secure SHell. An encrypted management access method that requires a Layer 3 connection between the host switch and a workstation plus terminal-emulation software.

startup-config

The configuration to which all applied changes are saved and that the module uses when booting up.

stateful

Said of a device or system such as a firewall that maintains session information for every connection that passes through it.

stateless

Said of a device or system such as a firewall that does not maintain session information for connections that pass through it.

static route

A route that is manually added to the routing table rather than being discovered through a dynamic routing protocol.

stub area

An OSPF area that receives traffic destined for its hosts but does not pass traffic to another network. A stub area connects only with the network backbone (Area 0).

SYN flood

A denial-of-service attack in which the attacker sends a rapid succession of SYN (synchronize) packets to the targeted system.

syslog

A client/server protocol that sends log messages from network devices to a syslog server.

syslog server

A server that receives and stores syslog messages from network devices for later retrieval and analysis.

TCP ACK scan

An attack wherein the attacker sends an unsolicited ACK packet to a port and the host sends an RST packet if the port is unfiltered.

TCP FIN scan

An attack wherein the attacker sends an unsolicited FIN packet to a port, and the host sends an RST packet if the port is closed.

TCP null flag scan

An attack wherein the attacker sends a TCP packet with all flags set to 0, and the host sends an RST packet if the port is closed.

TCP SYN scan

An attack wherein the attacker sends a SYN packet to a port, and the host sends an ACK packet if the port is open.

timeout

The amount of time the firewall will keep a session open without packets being exchanged.

TMS VLAN

A VLAN that has been associated with a zone on a TMS zl Module in routing mode.

tools

A column in many TMS zl Web browser interface windows that contains some or all of the following: move icon, to move the entry to a higher or lower position; edit icon, to edit the entry; delete icon, to delete the entry.

ToS

Type of Service. Now called Differentiated Services.

traffic selector

A method to specify which traffic will pass through a VPN or GRE tunnel.

transform set

The name for an IPsec proposal on the HP ProCurve Secure Router 7000dl.

transport mode

The IPsec mode in which a packet is encapsulated with an IPsec header before the IP header is added. Both ends of the tunnel must be the ultimate originators of the traffic.

Triple DES

See 3DES.

tunnel

A virtual path through an intervening network. Some tunnels protect the packets with encryption and/or authentication; other tunnels enable one type of PDU to travel over a network that uses a different type of PDU.

tunnel mode

The IPsec mode in which the VPN gateway secures traffic on behalf of endpoints within the private network. Traffic is already encapsulated with an IP header when it reaches the gateway, then it is encapsulated with an IPsec header as well as a new delivery IP header that directs the packet to the remote tunnel endpoint.

UDP scan

An attack in which the attacker sends a packet to a UDP port, and the host returns data if the port is open.

unicast

Traffic that originates with one endpoint and is destined for another endpoint.

user group

A logical group of users in the TMS zl Module's local database or in a RADIUS server.

virtual interface

An interface that does not correspond physically to an interface such as an RJ-45 port. The TMS zl Module has a virtual interface for each TMS VLAN that it filters.

virtual IP address

The IP address of a virtual interface on the TMS zl Module.

VLAN

Virtual Local Area Network. A logical subnetwork on a switch that is IEEE 802.1Q-enabled. Traffic on one VLAN cannot cross into another VLAN without a Layer 3 routing device.

VoIP

Voice over Internet Protocol. A method of transmitting telephony signals over the packet-switched Internet.

VPN

Virtual Private Network. A network that is tunneled through another network, often a connection to a private network over the Internet. The tunneling is usually achieved through authentication and encryption.

VPN client

The remote endpoint in a client-to-site VPN.

VPN tunnel

A virtual path across an intermediary network (usually the Internet) wherein the ends of the tunnel function as if they were in the same physical network.

Web browser interface

A management access method that requires an HTTPS over IP connection to the module plus a Web browser. Firefox 2.x and IE 7 are supported.

well-known port

The port on which the IANA has assigned a protocol to run. For example, the well-known port for HTTP is 80.

WESM

Wireless Edge Services zl Module. An HP ProCurve module that manages wireless traffic over the radio ports that it controls.

WinNuke attack

An attack that is launched by sending out-of-band data to port 139, causing the target device to crash.

XAUTH

eXtended AUTHentication. An optional layer of security that can be enabled in addition to IKE. When enabled, XAUTH requires endpoints to authenticate themselves to the network.

zero-day attack

Any new and previously unknown attack for which a signature has not yet been devised.

zone

A logical grouping of VLANs that can be created when the TMS zl Module is in routing mode. Firewall and NAT policies govern traffic flow between zones.

ZONEx

ZONE1 - ZONE6. Additional zones that are intended for whatever the user needs: additional internal VLANs, more VLANs in the DMZ, or other VLANs that connect to untrusted networks.