Glossary

802.11a

Wireless local area network (WLAN) standard that provides up to 54 Mbps in the 5 GHz radio band.

802.11b

Wireless local area network (WLAN) standard that provides up to 11 Mbps in the 2.4 GHz radio band.

802.11g

Wireless local area network (WLAN) standard that provides up to 54 Mbps in the 2.4 GHz radio band and is backward compatible with 802.11b devices.

802.11 SuperG

Proprietary Atheros extension of 802.11g, not an IEEE standard, that bonds two channels to provide up to 108 Mbps in the 2.4 GHz radio band. Both ends of the link must support it.

ABR

See Area Border Router (ABR).

Access-Challenge

Remote Authentication Dial-In User Service (RADIUS) response in which the server, rather than accepting or rejecting an Access-Request outright, asks for additional information from the user (for example, a one-time token code) before it grants access. The security device prompts the user and returns the answer in a new Access-Request; an authentication user logging in through Telnet must satisfy the challenge before the login succeeds.

Access Control List (ACL)

List that identifies wireless clients by their Media Access Control (MAC) addresses and specifies, for each address, whether the wireless device allows or denies access. Because a client can change its MAC address at will, a MAC ACL limits casual access but does not authenticate anyone and should be combined with wireless encryption and user authentication.

Access List

A list of network prefixes that are compared to a given route. If the route matches a network prefix defined in the access list, the route is either permitted or denied.

Access Point (AP)

See Wireless Access Point (AP).

Access Point Name (APN)

Information element (IE) carried in GPRS Tunneling Protocol (GTP) control messages, such as a Create PDP Context Request, that identifies the external network a mobile station wants to reach. It is composed of a network identifier and an operator identifier.

ACL

See Access Control List (ACL).

Address Shifting

Mechanism for creating a one-to-one mapping between any original address in one range of addresses and a specific translated address in another range.

Adjacencies

When two routers can exchange routing information, they are considered to have constructed an adjacency. Point-to-point networks, which have only two routers, automatically form an adjacency. Point-to-multipoint networks are a series of several point-to-point networks. When routers pair in this more complex networking scheme, they are considered to be adjacent to one another.

ADSL

See Asymmetric Digital Subscriber Line (ADSL).

Aggregate State

A router is in an aggregate state when it is one of multiple virtual Border Gateway Protocol (BGP) routing instances bundled into one address. See also Border Gateway Protocol (BGP).

Aggregation

Process of combining several more-specific routes into a single summary route so that only the summary is advertised. This technique reduces the size of the routing table on routers that receive the advertisement.

Aggregator

Object used to bundle multiple routes under one common route, generalized according to the value of the network mask.
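
The two entries above describe summarization in words; the following added example (not ScreenOS code, with constructed prefixes) shows the difference between an exact collapse of adjacent prefixes and the single covering summary an aggregator advertises when it generalizes on the network mask, and computes the address space that such a summary claims without any component actually covering it. That uncovered space is the practical hazard of aggregation: traffic for it is attracted to the aggregating router and then dropped or forwarded along a default route.

```python
"""Route aggregation: exact collapse versus a single covering summary.

Added example; not ScreenOS code. The prefixes below are constructed.
"""
import ipaddress
from typing import Iterable, List


def collapse(prefixes: Iterable[str]) -> List[str]:
    """Exact aggregation: merge adjacent and contained prefixes without
    adding any address space that the components did not cover."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covering_summary(prefixes: Iterable[str]) -> str:
    """Smallest single prefix that contains every component: what an
    aggregator advertises when it generalizes on the network mask."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return str(summary)


def holes(prefixes: Iterable[str], summary: str) -> List[str]:
    """Address space the summary advertises but no component covers."""
    covered = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(p, strict=True) for p in prefixes))
    remaining = [ipaddress.ip_network(summary, strict=True)]
    for block in covered:
        still_free = []
        for r in remaining:
            if block.subnet_of(r):
                # carve the covered block out of the free range
                still_free.extend(r.address_exclude(block))
            elif not r.subnet_of(block):
                still_free.append(r)          # disjoint: keep as is
            # else r lies entirely inside block: fully covered, drop it
        remaining = still_free
    return [str(n) for n in sorted(remaining)]


if __name__ == "__main__":
    components = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"]  # constructed
    print("exact collapse :", collapse(components))
    summary = covering_summary(components)
    print("single summary :", summary)
    print("uncovered holes:", holes(components, summary))
```

With the three constructed /24s, the exact collapse yields two routes (10.1.0.0/23 and 10.1.2.0/24), while the single summary is 10.1.0.0/22, which also claims 10.1.3.0/24. Before advertising a summary, check that any such hole is either legitimately owned by you or explicitly null-routed.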

Aggressive Aging

Mechanism for accelerating the timeout process when the number of sessions in the session table surpasses a specified high-watermark threshold. When the number of sessions in the table dips below a specified low-watermark threshold, the timeout process returns to normal.
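
The high- and low-watermark behavior described above is hysteresis on the session table. The following added example (not ScreenOS code; capacity, thresholds, timeouts and traffic are constructed) simulates it against a burst of never-revisited sessions from one source, the pattern a flood produces, and shows that the accelerated timeout clears the flood entries while sessions that keep passing traffic survive, after which the table returns to normal aging.

```python
"""Session-table aging with high/low watermarks (hysteresis).

Added example; not ScreenOS code. All parameters and traffic are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class SessionTable:
    capacity: int
    high_pct: int = 90           # start aggressive aging above this occupancy
    low_pct: int = 70            # return to normal aging below this occupancy
    normal_timeout: int = 1800   # idle seconds before removal, normal mode
    aggressive_timeout: int = 60 # idle seconds before removal, aggressive mode
    aggressive: bool = False
    sessions: Dict[Tuple, float] = field(default_factory=dict)  # key -> last seen

    def _update_mode(self) -> None:
        pct = 100 * len(self.sessions) // self.capacity
        if not self.aggressive and pct > self.high_pct:
            self.aggressive = True          # crossed the high watermark
        elif self.aggressive and pct < self.low_pct:
            self.aggressive = False         # dipped below the low watermark

    def touch(self, key: Tuple, now: float) -> None:
        """Create the session or refresh its last-seen time."""
        self.sessions[key] = now
        self._update_mode()

    def age(self, now: float) -> int:
        """Remove idle sessions using the timeout for the current mode."""
        timeout = self.aggressive_timeout if self.aggressive else self.normal_timeout
        stale = [k for k, seen in self.sessions.items() if now - seen >= timeout]
        for k in stale:
            del self.sessions[k]
        self._update_mode()
        return len(stale)


def simulate() -> dict:
    """Five legitimate sessions, then a constructed 90-session burst from one host."""
    table = SessionTable(capacity=100)
    legit = [("10.0.0.%d" % i, "203.0.113.10", 443) for i in range(5)]
    for k in legit:
        table.touch(k, now=0)
    mode_before = table.aggressive
    for port in range(1024, 1114):                       # 90 half-open sessions
        table.touch(("198.51.100.7", "203.0.113.10", port), now=100)
    mode_during = table.aggressive                        # 95 % occupancy
    for k in legit:
        table.touch(k, now=130)                          # real traffic continues
    removed = table.age(now=170)                         # burst idle 70 s >= 60 s
    return {
        "mode_before": mode_before,
        "mode_during": mode_during,
        "removed": removed,
        "legit_kept": all(k in table.sessions for k in legit),
        "mode_after": table.aggressive,
    }


if __name__ == "__main__":
    print(simulate())
```

Without the aggressive mode, the 90 burst sessions would have stayed for the full 1800-second normal timeout and the table would have sat at 95 percent occupancy, leaving little room for new legitimate sessions. The gap between the two watermarks prevents the mode from flapping when occupancy hovers near a single threshold.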

AH

See Encapsulating Security Protocol/Authentication Header (ESP/AH).

ALG

See Application Layer Gateway (ALG).

Antivirus Scanning

Mechanism for detecting and blocking viruses in File Transfer Protocol (FTP), Internet Message Access Protocol (IMAP), Simple Mail Transfer Protocol (SMTP), HyperText Transfer Protocol (HTTP)—including HTTP web mail—and Post Office Protocol version 3 (POP-3) traffic. ScreenOS offers an internal and an external antivirus scanning solution.

Application Layer Gateway (ALG)

On a security device, a software component that is designed to manage specific protocols such as the Session Initiation Protocol (SIP) or File Transfer Protocol (FTP). The ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to permit the traffic to pass securely through the security device.

Area Border Router (ABR)

Open Shortest Path First (OSPF) router with at least one interface in the backbone area (area 0) and at least one interface in another area.

AS

See Autonomous System (AS).

AS Boundary Router

A router that connects an Autonomous System (AS) running one routing protocol to another AS running a different protocol. See also Autonomous System (AS).

AS Number

Identification number of the local Autonomous System (AS) mapped to a Border Gateway Protocol (BGP) routing instance. Historically a 16-bit value in the range 1 through 65535; numbers 64512 through 65534 are reserved for private use (RFC 1930) and must not be advertised to the Internet. See also Border Gateway Protocol (BGP).

AS Path

Border Gateway Protocol (BGP) attribute listing all the Autonomous Systems (ASs) that a route advertisement has traversed. BGP uses it for loop detection (a router rejects an update whose AS path already contains its own AS number) and, in path selection, prefers shorter AS paths.

AS Path Access List

Access list used by a Border Gateway Protocol (BGP) routing instance to permit or deny route advertisements, based on their AS path, received from neighbor routing instances by the current virtual routing instance. See also Border Gateway Protocol (BGP).

AS Path Attribute Class

The Border Gateway Protocol (BGP) provides four classes of path attributes: well-known mandatory, well-known discretionary, optional transitive, and optional nontransitive. See also Border Gateway Protocol (BGP).

AS Path String

String that acts as an identifier for an Autonomous System (AS) path. It is configured alongside an AS Path access list ID.

Asymmetric Digital Subscriber Line (ADSL)

Digital Subscriber Line (DSL) technology that allows existing telephone lines to carry both voice telephone service and high-speed digital transmission. A growing number of service providers offer ADSL service to home and business customers.

Atomic Aggregate

Border Gateway Protocol (BGP) path attribute that a router attaches to an aggregate route to inform other BGP routers that the local system has selected a less specific (summarized) route and that some path information may have been lost in the process.

Attack Objects

Stateful signatures and protocol anomalies that a security device with deep inspection (DI) functionality uses to detect attacks aimed at compromising one or more hosts on a network.

Authentication

Process of verifying a claimed identity: that a user is who the presented credentials say, or that a message really comes from its stated source and has not been altered in transit (message authentication, which implies integrity). The simplest form of authentication requires a username and password for access to a particular account. Authentication protocols can also be based on secret-key algorithms such as the Data Encryption Standard (DES) or Triple DES (3DES), where both parties share a key, or on public-key systems that use digital signatures.

Authentication Header (AH)

See Encapsulating Security Protocol/Authentication Header (ESP/AH).

Autonomous System (AS)

Set of routers set off from the rest of the network and governed by a single technical administration. This router group uses an Interior Gateway Protocol (IGP) or several IGPs and common metrics to route packets within the group. The group also uses an Exterior Gateway Protocol (EGP) to route packets to other ASs. Each AS has a routing plan that indicates which destinations are reachable through it. This plan is called the Network Layer Reachability Information (NLRI) object. Border Gateway Protocol (BGP) routers periodically generate and receive NLRI updates.

Auxiliary (AUX) Port

This port is usually the same as COM 1, and is used to access external networks.

B8ZS

Bipolar with eight-zero substitution. Line-coding scheme for T1 circuits that replaces a run of eight zeros with a fixed pattern containing deliberate bipolar violations, so that receivers keep clock synchronization without restricting the data that users may send.

Backward Explicit Congestion Notification (BECN)

In a Frame Relay network, a header bit that the network sets in frames travelling toward the source of the traffic, telling the sending device to slow down. The companion Forward Explicit Congestion Notification (FECN) bit is set in frames travelling toward the destination, informing the receiving device that the frames it receives passed through congestion. BECN and FECN are intended to minimize the possibility that frames will be discarded (and thus have to be resent) when more frames arrive than the network can handle. See also Forward Explicit Congestion Notification (FECN).

Basic Rate Interface (BRI)

Integrated Services Digital Network (ISDN) service also called 2B+D, because it consists of two 64 Kbps B-channels and one 16 Kbps D-channel.

B-Channel

Integrated Services Digital Network (ISDN) Basic Rate Interface (BRI) service provided by telephone service providers: two bearer channels (B-channels) and one data channel (D-channel). The B-channel operates at 64 Kbps and carries user data.

Bgroup

See Bridge Group Interface.

Bit Error Rate (BER)

Ratio of error bits to the total number of bits received in a transmission, usually expressed as 10 to a negative power.

Border Gateway Protocol (BGP)

Inter-Autonomous System (AS) routing protocol. BGP routers and ASs exchange routing information for the Internet.

Bridge Group Interface

Also known as the bgroup interface. These interfaces allow several physical ports to be grouped together to act like a pseudoswitch. You can group multiple wired interfaces or wireless and wired interfaces so that they are located in the same subnet.

Broadcast Network

A network that supports many routers with the capability of communicating directly with one another. Ethernet is an example of a broadcast network.

Bundle

An aggregation of multiple physical links.

Certificate Revocation List (CRL)

List, signed and published by a certificate authority (CA), of certificates that the CA has revoked before their scheduled expiration, for example because the corresponding private key was compromised. A device validating a peer certificate should obtain a current CRL and reject any certificate whose serial number appears on it. Absence from the CRL does not by itself make a certificate valid: it may still be expired or issued by an untrusted CA.

Circuit-Level Proxy

Proxy servers are available for common Internet services; for example, a Hyper-Text Transfer Protocol (HTTP) proxy is used for web access and a File Transfer Protocol (FTP) proxy is used for file transfers. Such proxies are called application-level proxies or application-level gateways because they are dedicated to a particular application and protocol and are aware of the content of the packets being sent. A generic proxy, called a circuit-level proxy, supports multiple applications by relaying connections without interpreting the application data. SOCKS, for example, is a generic circuit-level proxy protocol that relays Transmission Control Protocol (TCP) connections and, in SOCKS version 5, User Datagram Protocol (UDP) datagrams. See also Proxy Server.

Cisco High-Level Data Link Control (Cisco-HDLC)

Proprietary Cisco encapsulation for transmitting LAN protocols over a wide area network (WAN). HDLC specifies a data encapsulation method on synchronous serial links by means of frame characters and checksums. Cisco HDLC enables the transmission of multiple protocols.

Classless Routing

Support for interdomain routing on prefixes of any length, regardless of the historical address class (A, B, or C) of the network. Border Gateway Protocol version 4 (BGP-4) ignores address classes and carries each prefix with an explicit mask length (classless interdomain routing, CIDR), which permits arbitrary aggregation and gives the network greater flexibility. See also Border Gateway Protocol (BGP).

Community

Grouping of Border Gateway Protocol (BGP) destinations. By updating the community, you automatically update its member destinations with new attributes.

Confederation

Object inside a Border Gateway Protocol (BGP) Autonomous System (AS) that groups a subset of the routing instances in that AS. By grouping devices into confederations inside a BGP AS, you reduce the number of internal BGP peerings needed for the full mesh of routing connections within the AS.

Connection States

When two Border Gateway Protocol (BGP) routers bring up a peering session, the negotiation between them progresses through six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established.

CRL

See Certificate Revocation List (CRL).

Data Encryption Standard (DES)

Symmetric block cipher designed at IBM and adopted in 1977 by the U.S. National Bureau of Standards (now the National Institute of Standards and Technology, NIST) as FIPS 46 for protecting sensitive but unclassified government data. DES operates on 64-bit blocks with a 64-bit key of which 56 bits are effective (the remaining 8 are parity bits); export-restricted implementations once used 40-bit keys. Each 64-bit block of the message passes through 16 rounds in which it is mixed with a subkey derived from the main key. Because a 56-bit key can be recovered by exhaustive search, single DES is no longer considered secure; applying the algorithm three times with different keys, as Triple DES (3DES) does, extends the effective key length.

Data Encryption Standard–Cipher Block Chaining (DES–CBC)

Message text and, if required, message signatures can be encrypted using the Data Encryption Standard (DES) algorithm in the Cipher Block Chaining (CBC) mode of operation. The character string “DES-CBC” within an encapsulated Privacy Enhanced Mail (PEM) header field indicates the use of DES–CBC.

Data-Link Connection Identifier (DLCI)

10-bit value in the Frame Relay header that identifies a virtual circuit on a given access link and so keeps one customer's traffic separate from another's. A DLCI has only local significance: the same number can refer to different circuits on different links.

Dead Interval

Period that elapses without receiving hello packets before a routing instance determines that a neighboring routing instance is not running.

Dead Peer Detection (DPD)

Allows an IP Security (IPSec) device to verify that its IPSec peers are still reachable and alive (RFC 3706). The device performs this verification by sending encrypted Internet Key Exchange (IKE) Phase 1 notification payloads (R-U-THERE) to a peer from which it has received no traffic for a configured interval and waiting for DPD acknowledgments (R-U-THERE-ACK). After several unanswered probes it declares the peer dead and tears down the associated security associations.
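
The exchange above, as an added example with both peers modeled (not ScreenOS code). The messages are plain dictionaries standing in for the IKE notification payloads, which on the wire travel inside the authenticated and encrypted Phase 1 security association; the probe interval, retry count and starting sequence number are constructed. The initiator probes only when the peer has been silent, uses strictly increasing sequence numbers, ignores an acknowledgment that does not echo the latest one, and declares the peer dead after a fixed number of unanswered probes.

```python
"""Dead peer detection (RFC 3706 style R-U-THERE / R-U-THERE-ACK), both peers.

Added example; not ScreenOS code. Timers and sequence numbers are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DpdInitiator:
    interval: float = 10.0     # idle seconds before a probe is sent
    max_retries: int = 3       # unanswered probes before the peer is declared dead
    seq: int = 0x2000_0000     # constructed starting sequence number
    last_rx: float = 0.0       # time of the last packet received from the peer
    unanswered: int = 0
    peer_dead: bool = False

    def on_traffic(self, now: float) -> None:
        """Any authenticated traffic from the peer proves liveness; no probe needed."""
        self.last_rx = now
        self.unanswered = 0

    def tick(self, now: float) -> Optional[dict]:
        """Called on each timer tick; returns an R-U-THERE to send, or None."""
        if self.peer_dead or now - self.last_rx < self.interval:
            return None
        if self.unanswered >= self.max_retries:
            self.peer_dead = True          # caller tears down the IPSec SAs
            return None
        self.seq += 1                      # strictly increasing, never reused
        self.unanswered += 1
        return {"type": "R-U-THERE", "seq": self.seq}

    def on_ack(self, msg: dict, now: float) -> bool:
        """Accept only an ACK that echoes the most recent sequence number."""
        if msg.get("type") != "R-U-THERE-ACK" or msg.get("seq") != self.seq:
            return False                   # stale or replayed ACK is ignored
        self.unanswered = 0
        self.last_rx = now
        return True


class DpdResponder:
    def __init__(self, alive: bool = True) -> None:
        self.alive = alive
        self.last_seq: Optional[int] = None

    def handle(self, msg: dict) -> Optional[dict]:
        if not self.alive or msg.get("type") != "R-U-THERE":
            return None
        if self.last_seq is not None and msg["seq"] <= self.last_seq:
            return None                    # replayed or out-of-order probe
        self.last_seq = msg["seq"]
        return {"type": "R-U-THERE-ACK", "seq": msg["seq"]}


def run(initiator: DpdInitiator, responder: DpdResponder,
        ticks: int, step: float = 10.0) -> List[str]:
    """Drive the exchange for a number of timer ticks; returns the wire log."""
    log: List[str] = []
    for i in range(1, ticks + 1):
        now = i * step
        probe = initiator.tick(now)
        if probe is None:
            continue
        log.append(f"-> R-U-THERE seq={probe['seq']:#x}")
        ack = responder.handle(probe)
        if ack is None:
            log.append("   (no reply)")
        elif initiator.on_ack(ack, now):
            log.append(f"<- R-U-THERE-ACK seq={ack['seq']:#x}")
    if initiator.peer_dead:
        log.append("peer declared dead: tear down IPSec SAs")
    return log


if __name__ == "__main__":
    for line in run(DpdInitiator(), DpdResponder(alive=True), ticks=2):
        print(line)
    for line in run(DpdInitiator(), DpdResponder(alive=False), ticks=5):
        print(line)
```

With a live peer every probe is answered and the session stays up; with a silent peer the initiator sends three probes and then declares it dead on the next tick. The sequence-number checks on both sides are what keep a captured R-U-THERE or R-U-THERE-ACK from being replayed to fake liveness or trigger a teardown.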

Deep Inspection (DI)

Mechanism for filtering the traffic permitted by the firewall. DI examines Layer 3 and Layer 4 packet headers, and Layer 7 application content and protocol characteristics in an effort to detect and prevent any attacks or anomalous behavior that might be present.

Default Route

Catchall routing table entry that defines the forwarding of traffic for destination networks that are not explicitly defined in the routing table. The destination network for the default route is represented by the network address 0.0.0.0/0. Because a router selects the most specific (longest) matching prefix, the default route is used only when no other route covers the destination.
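
The following added example (not ScreenOS code; the routing table, interfaces and next hops are constructed) implements the longest-prefix lookup that makes 0.0.0.0/0 a catchall, and adds the check a practitioner wants before enabling a default route on a virtual router: which internal prefixes have no specific route and would therefore be sent out the default path.

```python
"""Longest-prefix route lookup with a default route as the catchall.

Added example; not ScreenOS code. Table, next hops and addresses are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# constructed virtual-router table: prefix -> (egress interface, next hop)
ROUTES: Dict[str, Tuple[str, str]] = {
    "0.0.0.0/0":   ("ethernet3", "203.0.113.1"),   # default route toward untrust
    "10.0.0.0/8":  ("ethernet1", "10.255.0.1"),
    "10.1.2.0/24": ("ethernet2", "10.1.2.254"),
}


def lookup(table: Dict[str, Tuple[str, str]],
           destination: str) -> Optional[Tuple[str, Tuple[str, str]]]:
    """Return (matching prefix, (interface, next hop)) for the most specific
    route covering the destination, or None when no route matches."""
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, hop in table.items():
        net = ipaddress.ip_network(prefix, strict=True)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else (str(best[0]), best[1])


def defaulted_internal(table: Dict[str, Tuple[str, str]],
                       internal_prefixes: List[str]) -> List[str]:
    """Internal prefixes that would leave via the default route because no
    specific route exists for them; check both ends of each range."""
    leaked = []
    for p in internal_prefixes:
        net = ipaddress.ip_network(p, strict=True)
        for probe in (net.network_address, net.broadcast_address):
            hit = lookup(table, str(probe))
            if hit is not None and hit[0] == "0.0.0.0/0":
                leaked.append(p)
                break
    return leaked


if __name__ == "__main__":
    for dst in ("10.1.2.7", "10.9.9.9", "192.0.2.1"):
        print(dst, "->", lookup(ROUTES, dst))
    print("internal prefixes using the default route:",
          defaulted_internal(ROUTES, ["10.1.0.0/16", "172.16.0.0/12"]))
```

In the constructed table 10.1.2.7 matches the /24, 10.9.9.9 falls back to the /8, and 192.0.2.1 takes the default. The check reports 172.16.0.0/12 as reachable only through the default route, which is exactly the kind of internal range that ends up sent toward the untrusted side when a more specific route is missing.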

Demilitarized Zone (DMZ)

From the military term for an area between two opponents where fighting is prevented. In network security, a network segment placed between an untrusted network (such as the Internet) and the protected internal network. Servers that must be reachable from outside, such as web, mail, and DNS servers, are placed there so that a compromise of one of them does not give direct access to internal hosts. On a security device the DMZ is typically its own security zone, with policies controlling traffic both from the untrusted network into the DMZ and from the DMZ toward the internal network.

DES

See Data Encryption Standard (DES).

DES–CBC

See Data Encryption Standard–Cipher Block Chaining (DES–CBC).

Destination Network Address Translation (NAT-dst)

Translation of the original destination IP address in a packet header to a different destination address. ScreenOS supports the translation of one or several original destination IP addresses to a single IP address (one-to-one or many-to-one relationships). The security device also supports the translation of one range of IP addresses to another range (a many-to-many relationship) using address shifting. When the security device performs NAT-dst without address shifting, it can also map the destination port number to a different predetermined port number. When the security device performs NAT-dst with address shifting, it cannot also perform port mapping.
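
The following added example (not ScreenOS code; addresses, ports and rules are constructed) implements the three NAT-dst relationships described above together with the address shifting defined earlier in this glossary: one-to-one or many-to-one translation to a single address, optionally with port mapping, and range-to-range address shifting, where the n-th original address maps to the n-th translated address. The rule type enforces the constraint that shifting and port mapping cannot be combined.

```python
"""Destination NAT (NAT-dst): static one-to-one / many-to-one with optional
port mapping, and range-to-range address shifting.

Added example; not ScreenOS code. Addresses, ports and rules are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _parse_range(text: str) -> Tuple[int, int]:
    """'a.b.c.d' or 'a.b.c.d-w.x.y.z' -> inclusive (first, last) as integers."""
    first, _, last = text.partition("-")
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last)) if last else lo
    if hi < lo:
        raise ValueError(f"range end precedes start: {text}")
    return lo, hi


@dataclass
class DstRule:
    orig: Tuple[int, int]            # original destination range, inclusive
    translated_first: int            # first (or only) translated address
    shift: bool                      # True: one-to-one range mapping
    orig_port: Optional[int] = None  # match only this destination port, if set
    new_port: Optional[int] = None   # rewrite the port to this value, if set

    def __post_init__(self) -> None:
        # NAT-dst with address shifting cannot also perform port mapping.
        if self.shift and (self.orig_port is not None or self.new_port is not None):
            raise ValueError("port mapping is not available with address shifting")


class NatDst:
    def __init__(self) -> None:
        self.rules: List[DstRule] = []

    def add_static(self, orig: str, translated: str,
                   orig_port: Optional[int] = None,
                   new_port: Optional[int] = None) -> None:
        """One original address, or a range of them, mapped to a single
        translated address (one-to-one or many-to-one); ports may be mapped."""
        self.rules.append(DstRule(_parse_range(orig),
                                  int(ipaddress.IPv4Address(translated)),
                                  shift=False, orig_port=orig_port, new_port=new_port))

    def add_shift(self, orig: str, translated_first: str) -> None:
        """Address shifting: a range mapped one-to-one onto an equally sized
        range that starts at translated_first."""
        self.rules.append(DstRule(_parse_range(orig),
                                  int(ipaddress.IPv4Address(translated_first)),
                                  shift=True))

    def translate(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """First matching rule wins; None means the packet is left untranslated."""
        ip = int(ipaddress.IPv4Address(dst_ip))
        for r in self.rules:
            lo, hi = r.orig
            if not lo <= ip <= hi:
                continue
            if r.orig_port is not None and dst_port != r.orig_port:
                continue
            new_ip = r.translated_first + (ip - lo if r.shift else 0)
            new_port = r.new_port if r.new_port is not None else dst_port
            return str(ipaddress.IPv4Address(new_ip)), new_port
        return None


def build_example() -> NatDst:
    """Constructed rule set: a web VIP with port mapping, a mail host reached
    via two public addresses, and ten public addresses shifted onto ten hosts."""
    nat = NatDst()
    nat.add_static("203.0.113.5", "10.1.1.20", orig_port=80, new_port=8080)
    nat.add_static("203.0.113.6-203.0.113.7", "10.1.1.25")
    nat.add_shift("203.0.113.10-203.0.113.19", "10.1.1.110")
    return nat


if __name__ == "__main__":
    nat = build_example()
    for ip, port in (("203.0.113.5", 80), ("203.0.113.5", 22),
                     ("203.0.113.7", 25), ("203.0.113.13", 443)):
        print(f"{ip}:{port} -> {nat.translate(ip, port)}")
```

Note that the port-mapped rule matches only its configured service, so a packet to the same public address on another port falls through to later rules and, here, is not translated at all. That is the behavior to rely on when a public address should expose exactly one service.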

DI

See Deep Inspection (DI).

Digital Signal 0 (DS0)

Base for the Digital Signal X series. Provides a transmission rate of 64 Kbps.

Distance Vector

Routing strategy that relies on an algorithm in which each router periodically sends a copy of its entire routing table to all directly connected neighbors. This update identifies the networks each router knows about and the distance to each of them. The distance is measured in hop counts, the number of routers that a packet must traverse between its source and the destination it attempts to reach.

DMZ

See Demilitarized Zone (DMZ).

Domain Name System (DNS)

Stores information about hostnames and domain names in a distributed database on networks such as the Internet. Of the many types of information it can hold, the most important is the mapping between names and IP addresses. Software and network hardware work with IP addresses (such as 207.17.137.68) to perform tasks such as addressing and routing, whereas humans generally find it easier to work with hostnames and domain names (such as http://www.juniper.com) in URLs and email addresses. DNS therefore mediates between the needs of humans and software by translating domain names to IP addresses, for example http://www.juniper.net = 207.17.137.68.

DPD

See Dead Peer Detection (DPD).

DS1

Digital Signal 1, also known as a T1 interface: 24 DS0 channels for a line rate of 1.544 Mbps. See also Digital Signal 0 (DS0).

DS3

Digital Signal 3, also known as a T3 interface: 28 DS1 channels for a line rate of 44.736 Mbps. See also Digital Signal 0 (DS0); T3 Interface.

Dynamic Filtering

IP service that can be used within virtual private network (VPN) tunnels. Filters are one method some security devices use to control traffic from one network to another. When the Transmission Control Protocol/Internet Protocol (TCP/IP) sends data packets to the firewall, the filtering function in the firewall looks at the header information in the packets and directs them accordingly. The filters operate on criteria such as IP source or destination address range, TCP ports, User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), or TCP responses. See also Tunneling; Virtual Private Network (VPN).

Dynamic Host Configuration Protocol (DHCP)

Method for automatically assigning IP addresses to hosts on a network. Depending on the specific device model, security devices can allocate dynamic IP addresses to hosts, receive dynamically assigned IP addresses, or receive DHCP information from a DHCP server and relay the information to hosts.

Dynamic Routing

Routing method that adjusts to changing network circumstances by analyzing incoming routing update messages. If the message indicates that a network change has occurred, the routing software recalculates routes and sends out new routing update messages. These messages populate the network, directing routers to rerun their algorithms and change their routing tables accordingly. There are two common forms of dynamic routing: distance vector routing and link state routing.

E1 Interface

European format for digital transmission. This format carries signals at 2.048 Mbps (32 timeslots at 64 Kbps, with timeslot 0 reserved for framing and timeslot 16 for signaling).

Encapsulating Security Protocol (ESP)

See Encapsulating Security Protocol/Authentication Header (ESP/AH).

Encapsulating Security Protocol/Authentication Header (ESP/AH)

IP-level security protocols, AH and ESP, originally specified by the Internet Engineering Task Force (IETF) IP Security (IPSec) working group. The term IPSec is used loosely here to refer to packets, keys, and routes that are associated with these protocols. AH provides integrity and data-origin authentication for the packet, including the immutable fields of the IP header, but no confidentiality. ESP encrypts the encapsulated payload and can also authenticate it; it does not protect the outer IP header.

Encryption

Process of changing data into a form that only the intended receiver can read. To decipher the message, the receiver of the encrypted data must have the proper decryption key. In symmetric (secret-key) schemes, the sender and the receiver use the same key to encrypt and decrypt data; the Data Encryption Standard (DES) and Triple DES (3DES) are two widely deployed examples. Public-key encryption schemes use two keys: a public key, which anyone may use, and a corresponding private key, which is possessed only by the person who created it. With this method, anyone may send a message encrypted with the owner’s public key, but only the owner has the private key necessary to decrypt it.

Equal Cost Multipath (ECMP)

Assists with load balancing among two to four routes to the same destination, or increases the effective bandwidth usage among two or more destinations. When enabled, security devices use the statically defined routes or dynamically learn multiple routes to the same destination through a routing protocol. The security device assigns routes of equal cost in round-robin fashion.

Export Rules

When you have two or more virtual routers (VRs) on a security device, you can configure export rules that define which routes on one VR are allowed to be learned by another VR. See also Import Rules.

External Neighbors

Two peer Border Gateway Protocol (BGP) routers residing in two different Autonomous Systems (ASs). See Border Gateway Protocol (BGP).

Filter List

List of IP addresses permitted to send packets to the current routing domain.

Firewall

Device that protects and controls the connection of one network to another, inspecting traffic entering and leaving. Organizations use firewalls to shield network-connected servers from damage, intentional or otherwise, by outside parties who would otherwise be able to reach them. A firewall can be a dedicated appliance equipped with security measures or a software-based protection running on a general-purpose host.

Forward Explicit Congestion Notification (FECN)

In a Frame Relay network, a header bit that the network sets in frames travelling toward the destination, informing the receiving device that the frames it receives passed through congestion. The companion Backward Explicit Congestion Notification (BECN) bit is set in frames travelling toward the source, telling the sending device to slow down. FECN and BECN are intended to minimize the possibility that frames will be discarded (and thus have to be resent) when more frames arrive than the network can handle. See also Backward Explicit Congestion Notification (BECN).

Frame Relay

Wide area network (WAN) protocol that operates over a variety of network interfaces, including serial, T1/E1, and T3/E3. Frame Relay allows private networks to reduce costs by sharing facilities between the endpoint switches of a network managed by a Frame Relay service provider.

Gateway

Also called a router, a gateway is a program or a special-purpose device that transfers IP datagrams from one network to another until the final destination is reached.

Gateway GPRS Support Node (GGSN)

Device that acts as an interface between the General Packet Radio Service (GPRS) backbone network and external packet data networks, such as the Internet or corporate IP networks. Among other things, a GGSN converts GPRS packets coming from a Serving GPRS Support Node (SGSN) into the appropriate Packet Data Protocol (PDP) format and sends them out on the corresponding public data network (PDN). A GGSN also performs authentication and charging functions. See also General Packet Radio Service (GPRS).

GBIC

See Gigabit Interface Connector (GBIC).

General Packet Radio Service (GPRS)

Packet-based technology that enables high-speed wireless Internet and other data communications. GPRS provides roughly three to four times the data rate of conventional Global System for Mobile Communications (GSM) circuit-switched data. Often referred to as the 2.5G mobile telecommunications system.

Generic Routing Encapsulation (GRE)

Protocol that encapsulates any type of packet within IPv4 unicast packets. GRE itself provides neither encryption nor authentication; tunnels that need protection are run over IPSec. For additional information on GRE, refer to RFC 1701, Generic Routing Encapsulation (GRE), and its later revision, RFC 2784.

GGSN

See Gateway GPRS Support Node (GGSN).

Gigabit Interface Connector (GBIC)

Type of interface module card used on some security devices for connecting to a fiber optic network.

Gi Interface

Interface between a GPRS Support Node (GSN) and an external network or the Internet. See GPRS Support Node (GSN).

Global System for Mobile Communication (GSM)

Globally accepted standard for digital cellular communication. GSM is the name of a standardization group established in 1982 to create a common European mobile telephone standard that formulates specifications for a pan-European mobile cellular radio system operating at 900 MHz.

Gn Interface

Interface between two GPRS Support Nodes (GSNs) within the same Public Land Mobile Network (PLMN).

Gp Interface

Interface between two GPRS Support Nodes (GSNs) located in different Public Land Mobile Networks (PLMNs).

G-PDU

User data message consisting of a T-PDU plus a GPRS Tunneling Protocol (GTP) header. See also T-PDU.

GPRS

See General Packet Radio Service (GPRS).

GPRS Roaming Exchange (GRX)

Because the Gp interface is IP-based, it must support appropriate routing and security protocols to enable a subscriber to access its home services from any of its home Public Land Mobile Network’s (PLMN’s) roaming partners. Many General Packet Radio Service (GPRS) operators/carriers have abstracted these functions through the GPRS Roaming Exchange (GRX). This function is typically provided by a third-party IP network that offers virtual private network (VPN) services to connect the roaming partners. The GRX service provider ensures that all aspects of routing and security between the networks are optimized for efficient operation. See also General Packet Radio Service (GPRS).

GPRS Support Node (GSN)

Term used to include both Gateway GPRS Support Node (GGSN) and Serving GPRS Support Node (SGSN). See also General Packet Radio Service (GPRS).

GPRS Tunneling Protocol (GTP)

IP-based protocol used within Global System for Mobile Communications (GSM) and Universal Mobile Telecommunications System (UMTS) networks. GTP is layered on top of User Datagram Protocol (UDP). There are actually three separate protocols: GTP, GTP-Control (GTP-C), and GTP User (GTP-U). See also General Packet Radio Service (GPRS); GTP-Control (GTP-C) Message; GTP-User (GTP-U) Message.

GRX

See GPRS Roaming Exchange (GRX).

GSM

See Global System for Mobile Communication (GSM).

GSN

See GPRS Support Node (GSN).

GTP

See GPRS Tunneling Protocol (GTP).

GTP-Control (GTP-C) Messages

Exchanged between GPRS Support Node (GSN) pairs in a path. The messages are used to transfer GSN capability information between GSN pairs; to create, update and delete GPRS Tunneling Protocol (GTP) tunnels; and for path management. See also GPRS Tunneling Protocol (GTP); GTP Tunnel.

GTP-Protocol Data Unit (GTP-PDU)

Either a GTP-C or a GTP-U message. See also GPRS Tunneling Protocol (GTP).

GTP Signaling Messages

Exchanged between GPRS Support Node (GSN) pairs in a path. The messages are used to transfer GSN capability information between GSN pairs and to create, update, and delete GTP tunnels. See G-PDU.

GTP Tunnel

For each Packet Data Protocol (PDP) context in the GPRS Support Node (GSN), a GPRS Tunneling Protocol (GTP) tunnel in the GTP-U plane is defined. A GTP tunnel in the GTP-C plane is defined for all PDP contexts with the same PDP address and access point name (APN) for tunnel-management messages or for each mobile station (MS) for messages not related to tunnel management. A GTP tunnel is identified in each node with a Tunnel Endpoint Identifier (TEID), an IP address, and a User Datagram Protocol (UDP) port number. A GTP tunnel is necessary to forward packets between an external network and an MS user.

GTP-User (GTP-U) Messages

Exchanged between GPRS Support Node (GSN) pairs or GSN/Radio Network Controller (RNC) pairs in a path. The GTP-U messages are used to carry user data packets and signaling messages for path management and error indication. The user data transported can be packets in any of IPv4, IPv6, or Point-to-Point Protocol (PPP) formats.

HA

See High Availability (HA).

High Availability (HA)

Configuring pairs of security devices to ensure service continuity in the event of a network outage or device failure.

Import Rules

When you have two or more virtual routers (VRs) on a security device, you can configure import rules on one VR that define which routes are allowed to be learned from another VR. If you do not configure any import rules for a VR, all routes that are exported to that VR are accepted. See also Export Rules.

Infranet

Public network that combines the ubiquitous connectivity of the Internet with the assured performance and security of a private network.

Integrated Services Digital Network (ISDN)

International communications standard for sending voice, video, and data over digital telephone lines.

International Mobile Station Identity (IMSI)

A GPRS Support Node (GSN) identifies a mobile station by its IMSI (called the International Mobile Subscriber Identity in the 3GPP specifications), a string of at most 15 digits composed of three elements: the three-digit Mobile Country Code (MCC), the two- or three-digit Mobile Network Code (MNC), and the Mobile Subscriber Identification Number (MSIN). The MCC and MNC combined constitute the IMSI prefix and identify the mobile subscriber’s home network, or Public Land Mobile Network (PLMN). See also GPRS Support Node (GSN); Public Land Mobile Network (PLMN).

Internet Control Message Protocol (ICMP)

Occasionally, a gateway or destination host uses ICMP to communicate with a source host, for example, to report an error in datagram processing. ICMP uses the basic support of IP as though it were a higher-level protocol; however, ICMP is actually an integral part of IP, and must be implemented by every IP module. ICMP messages are sent in several situations: for example, when a datagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route. IP is not designed to be absolutely reliable. The purpose of these control messages is to provide feedback regarding problems in the communications environment, not to make IP reliable.

Internet Group Management Protocol (IGMP)

Protocol that runs between hosts and routers to communicate multicast group-membership information.

Internet Key Exchange (IKE)

Protocol (RFC 2409) for negotiating and exchanging keys for encryption and authentication over an unsecured medium, such as the Internet. IKE Phase 1 authenticates the two peers and establishes a protected channel between them; IKE Phase 2 uses that channel to negotiate the IPSec security associations (SAs) that protect user traffic.

Internet Security Association and Key Management Protocol (ISAKMP)

Provides a framework for Internet-key management and specific protocol support for negotiating security attributes. By itself, it does not establish session keys; however, it can be used with various session key establishment protocols to provide a complete solution to Internet key management.

Intranet

Computer network, based on Internet technology, designed to meet the internal needs for sharing information within a single organization or company.

IP Security (IPSec)

Security standard produced by the Internet Engineering Task Force (IETF). It is a protocol suite that provides authentication, integrity, and confidentiality for secure communications and supports key exchanges even in larger networks. See also Data Encryption Standard-Cipher Block Chaining (DES-CBC); Encapsulating Security Protocol/Authentication Header (ESP/AH).

IP Tracking

Mechanism for monitoring configured IP addresses to see whether they respond to ping or Address Resolution Protocol (ARP) requests. You can configure IP tracking with the NetScreen Redundancy Protocol (NSRP) to determine device or virtual security device (VSD) group failover. You can also configure IP tracking on a device interface to determine whether the interface is up or down.

Key Management

Selection, exchange, storage, certification, expiration, revocation, changing, and transmission of encryption keys. See also Internet Security Association and Key Management Protocol (ISAKMP).

Local Preference

Border Gateway Protocol (BGP) attribute evaluated before the Multi-Exit Discriminator (MED) attribute when selecting the path for a destination; the path with the higher LOCAL_PREF value is preferred. LOCAL_PREF is the attribute used most often to configure a preference for one set of paths over another within an Autonomous System (AS). See also Multi-Exit Discriminator (MED).

Loopback Interface

Logical interface that emulates a physical interface on the security device, but is always in the up state as long as the device is up. You must assign an IP address to a loopback interface and bind it to a security zone.

Mapped IP (MIP)

Direct one-to-one mapping of traffic destined for one IP address to another IP address.

MCC

See Mobile Country Code (MCC).

MED

See Multi-Exit Discriminator (MED).

Media Access Control (MAC) Address

Address that uniquely identifies a network interface card (NIC), such as an Ethernet adapter. For Ethernet, the MAC address is a six-octet address: the IEEE assigns the first three octets (the Organizationally Unique Identifier) to the manufacturer, which assigns the remaining three. On an Ethernet LAN, the MAC address is the same as the Ethernet address. When a host communicates over IP on a LAN, the Address Resolution Protocol (ARP) maintains a correspondence table that relates IP addresses to the MAC addresses of hosts on the same segment. The MAC address is used by the MAC sublayer of the Data-Link Control Layer of telecommunications protocols; each physical medium type has its own MAC sublayer. Because a host can set its interface to any MAC address it chooses, the address identifies hardware only by convention and is not a reliable security identifier.

Message Digest 5 (MD5)

An algorithm that produces a 128-bit message digest (or hash) from a message of arbitrary length. The resulting hash is used, like a fingerprint of the input, to verify that data has not changed. MD5 is no longer collision resistant (practical collisions have been demonstrated), so it should not be relied on for digital signatures or certificate hashing; it survives mainly in legacy keyed uses such as HMAC-MD5 for routing-protocol authentication.

MIME

See Multipurpose Internet Mail Extension (MIME).

MIP

See Mapped IP (MIP).

MNC

See Mobile Network Code (MNC).

Mobile Country Code (MCC)

One of the three elements of an International Mobile Station Identity (IMSI); the other two are the Mobile Network Code (MNC) and the Mobile Subscriber Identification Number (MSIN).The MCC and MNC combined constitute the IMSI prefix and identify the mobile subscriber’s home network, or Public Land Mobile Network (PLMN). See also International Mobile Station Identity (IMSI); Public Land Mobile Network (PLMN).

Mobile Network Code (MNC)

One of the three elements of an International Mobile Station Identity (IMSI); the other two are the Mobile Country Code (MCC) and the Mobile Subscriber Identification Number (MSIN). The MCC and MNC combined constitute the IMSI prefix and identify the mobile subscriber’s home network, or Public Land Mobile Network (PLMN). See also International Mobile Station Identity (IMSI); Public Land Mobile Network (PLMN).

Mobile Subscriber Identification Number (MSIN)

One of the three elements of an International Mobile Station Identity (IMSI); the other two are the Mobile Country Code (MCC) and the Mobile Network Code (MNC). See also International Mobile Station Identity (IMSI).

MSIN

See Mobile Subscriber Identification Number (MSIN).

Multicast Policies

Policies that allow multicast control traffic, such as Internet Group Management Protocol (IGMP) or Protocol-Independent Multicast (PIM) messages, to cross security devices.

Multicast Routing

Routing method used to send multimedia streams to a group of receivers. Multicast-enabled routers transmit multicast traffic only to hosts that want to receive the traffic. Hosts must signal their interest in receiving multicast data, and they must join a multicast group to receive the data.

Multi-Exit Discriminator (MED)

Border Gateway Protocol (BGP) attribute that determines the relative preference of entry points into an Autonomous System (AS). See also Local Preference.

Multi-Exit Discriminator (MED) Comparison

Border Gateway Protocol (BGP) attribute used to determine an ideal link to reach a particular prefix in or behind the current Autonomous System (AS). The MED contains a metric expressing a degree of preference for entry into the AS. You can establish precedence for one link over others by configuring a MED value for that link that is lower than the values of the other links. The lower the MED value, the higher priority the link has. In practice, one AS sets the MED value and the neighboring AS uses the value when deciding which path to choose.

Multipurpose Internet Mail Extension (MIME)

Extensions that allow users to download different types of electronic media, such as video, audio, and graphics.

NAT

See Network Address Translation (NAT).

NAT-dst

See Destination Network Address Translation (NAT-dst).

NAT-src

See Network Address Translation (NAT).

NAT-Traversal (NAT-T)

Method for allowing IP Security (IPSec) traffic to pass through Network Address Translation (NAT) devices along the data path of a virtual private network (VPN) by adding a layer of User Datagram Protocol (UDP) encapsulation. The method first provides a means for detecting NAT devices during Phase 1 Internet Key Exchange (IKE) exchanges and then provides a means for traversing them after Phase-2 IKE negotiations are complete. See Internet Key Exchange (IKE); Network Address Translation (NAT).

NetScreen Redundancy Protocol (NSRP)

Proprietary protocol that provides configuration and Run-Time Object (RTO) redundancy and a device failover mechanism for security units in a high availability (HA) cluster.

Network Address Translation (NAT)

Translation of the source IP address in a packet header to a different IP address. Translated source IP addresses can come from a dynamic IP (DIP) address pool or from the IP address of the egress interface. When the security device draws addresses from a DIP pool, it can do so dynamically or deterministically. When doing the former, it randomly draws an address from the DIP pool and translates the original source IP address to the randomly selected address. When doing the latter, it uses address shifting to translate the source IP address to a predetermined IP address in the range of addresses that constitute the pool. When the security device uses the IP address of the egress interface, it translates all original source IP addresses to the address of the egress interface. When the translated address comes from a DIP pool using address shifting, it cannot perform source port address translation. When the translated address comes from a DIP pool without address shifting, port translation is optional. When the translated address comes from the egress interface, port translation is required. NAT is also referred to as NAT-src to distinguish it from Destination Network Address Translation (NAT-dst).

Network Layer Reachability Information (NLRI)

Each Autonomous System (AS) has a routing plan that indicates the destinations that are reachable through it. This routing plan is called the NLRI object. Border Gateway Protocol (BGP) routers periodically generate and receive NLRI updates. Each update contains information on the list of ASs that reachability information capsules traverse. Common values described by an NLRI update include a network number, a list of ASs that the information passed through, and other path attributes.

Network Service Access Point Identifier (NSAPI)

Index to the Packet Data Protocol (PDP) context that is using the services provided by the lower-layer Subnetwork Dependent Convergence Protocol (SNDCP). One PDP may have several PDP contexts and NSAPIs. See also Packet Data Protocol (PDP).

Next Hop

In the routing table, an IP address to which traffic for the destination network is forwarded. The next hop can also be another virtual router (VR) in the same security device.

Nonce

In security engineering, a nonce is a number used once, often a random or pseudorandom number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks. For example, nonces are used in HyperText Transfer Protocol (HTTP) digest access authentication to calculate a Message Digest 5 (MD5) digest of the password. The nonces are different each time the 401 authentication challenge-response code is presented, thus making the replay attack virtually impossible.

NSAPI

See Network Service Access Point Identifier (NSAPI).

NSRP

See NetScreen Redundancy Protocol (NSRP).

Online Certificate Status Protocol (OCSP)

When a security device performs an operation that uses a certificate, it is usually important to verify the validity of that certificate. Certificates might have become invalid through expiration or revocation. The default way to check the status of certificates is to use certificate revocation lists (CRLs). The Online Certificate Status Protocol (OCSP) is an alternative way to check the status of certificates. OCSP can quickly provide additional information about certificates and provide status checks.

Packet Data Protocol (PDP)

Primary protocol(s) used for packet data communications on a public data network (PDN)—for example, Transmission Control Protocol/Internet Protocol (TCP/IP) on the Internet.

Packet Data Protocol (PDP) Context

User session on a General Packet Radio Service (GPRS) network.

PDU

See Protocol Data Unit (PDU).

PIM

See Protocol Independent Multicast (PIM).

PLMN

See Public Land Mobile Network (PLMN).

Point-to-Point Protocol over Ethernet (PPPoE)

Allows multiple users at a site to share the same digital subscriber line, cable modem, or wireless connection to the Internet. You can configure PPPoE client instances, including the username and password, on any device.

Policies

Policies provide the initial protection mechanism for the firewall, allowing you to determine which traffic passes across it based on IP session details. You can use policies to protect the resources in a security zone from attacks from another zone (inter-zone policies) or from attacks from within a zone (intra-zone policies). You can also use policies to monitor traffic attempting to cross your firewall.

Port Address Translation (PAT)

Translation of the original source port number in a packet to a different, randomly designated port number.

Port Mapping

Translation of the original destination port number in a packet to a different, predetermined port number.

Preference

Value associated with a route that the virtual router (VR) uses to select the active route when there are multiple routes to the same destination network. The preference value is determined by the protocol or origin of the route. The lower the preference value of a route, the more likely the route is to be selected as the active route.

Protocol Data Unit (PDU)

Information delivered as a unit among peer entities of a network and that may contain control information, address information, or data. In layered systems, a PDU is a unit of data specified in a protocol for a given layer and consisting of protocol-control information (and possibly user data) for the layer.

Protocol Independent Multicast (PIM)

Multicast routing protocol that runs between routers to forward multicast traffic to multicast group members throughout the network. PIM-Dense Mode (PIM-DM) floods multicast traffic throughout the network and then prunes routes to receivers that do not want to receive the multicast traffic. PIM-Sparse Mode (PIM-SM) forwards multicast traffic only to those receivers that request it. Protocol Independent Multicast-Source-Specific Mode (PIM-SSM) is derived from PIM-SM and, like PIM-SM, forwards multicast traffic to interested receivers only. Unlike PIM-SM, it immediately forms a Shortest Path Tree (SPT) to the source.

Proxy Server

Also called a proxy, a server that caches information from a web server and acts as an intermediary between a web client and that web server. It stores the most commonly and recently used web content to provide quicker access and to increase server security. This is common for an Internet Service Provider (ISP), especially if it has a slow link to the Internet. See also Circuit-Level Proxy.

Public Land Mobile Network (PLMN)

Public network dedicated to the operation of mobile radio communications.

Received Signal Strength Indicator (RSSI)

Measurement of the strength (not necessarily the quality) of the received signal in a wireless environment, expressed in decibels relative to 1 milliwatt (dBm). The lower the RSSI, the stronger the signal.

Redistribution

Process of importing a route into the current routing domain from another part of the network that uses another routing protocol. When this occurs, the current domain has to translate all the information, particularly known routes, from the other protocol. For example, if you are on an Open Shortest Path First (OSPF) network, and it connects to a Border Gateway Protocol (BGP) network, the OSPF domain has to import all the routes from the BGP network to inform all of its devices about how to reach all the devices on the BGP network. The receipt of all the route information is known as route redistribution.

Redistribution List

List of routes the current routing domain imported from another routing domain that uses a different protocol.

Rendezvous Point (RP)

Router at the root of the multicast distribution tree. All sources in a group send their packets to the RP, and the RP sends data down the shared distribution tree to all receivers in a network.

Reverse Path Forwarding (RPF)

Method used by multicast routers to check the validity of multicast packets. A router performs a route lookup on the unicast route table to check whether the interface on which it received the packet (ingress interface) is the same interface it must use to send packets back to the sender. If it is, the router creates the multicast route entry and forwards the packet to the next-hop router. If it is not, the router drops the packet.

RJ-11

Four-wire or six-wire connector used primarily to connect telephone equipment in the United States. RJ-11 connectors are also used to connect some types of LANs, although RJ-45 connectors are more common.

RJ-45

Resembling a standard telephone connector, an RJ-45 connector is twice as wide (with eight wires) and is used for hooking up computers to LANs or telephones with multiple lines.

Route Flap Damping

Border Gateway Protocol (BGP) provides a technique, called flap damping, for blocking the advertisement of a route somewhere near its source until the route becomes stable. Route flap damping allows routing instability to be contained at an Autonomous System (AS) border router adjacent to the region where instability is occurring. Limiting such unnecessary propagation maintains reasonable route-change convergence time as a routing topology grows.

Route Map

Used with the Border Gateway Protocol (BGP) to control and modify routing information, and to define the conditions by which routes are redistributed between routing domains. A route map contains a list of route map entries, each containing a sequence number along with a match and a set value. The route map entries are evaluated in the order of an incrementing sequence number. Once an entry returns a matched condition, no further route maps are evaluated. Once a match has been found, the route map carries out a permit or a deny operation for the entry. If the route map entry is not a match, the next entry is evaluated for matching criteria.

Route Redistribution

Exporting of route rules from one virtual router (VR) to another.

Route Reflector

Router whose Border Gateway Protocol (BGP) configuration enables readvertising of routes between Interior BGP (IBGP) neighbors or neighbors within the same BGP Autonomous System (AS). A route reflector client is a device that uses a route reflector to readvertise its routes to the entire AS. It also relies on that route reflector to learn about routes from the rest of the network.

Routing Information Protocol (RIP)

Dynamic routing protocol used within a moderately sized Autonomous System (AS).

Routing Information Protocol (RIP) Routing Table

List in a virtual router’s (VR’s) memory that contains a real-time view of all the connected and remote networks to which a router is currently routing packets.

RSSI

See Received Signal Strength Indicator (RSSI).

Run-Time Object (RTO)

Object created dynamically in memory during normal operation. Some examples of RTOs are session table entries, Address Resolution Protocol (ARP) cache entries, certificates, Dynamic Host Configuration Protocol (DHCP) leases, and IP Security (IPSec) Phase-2 Security Associations (SAs).

SBR

See Source-Based Routing (SBR).

Secure Copy (SCP)

Method of transferring files between a remote client and a security device using the Secure Shell (SSH) protocol. The security device acts as an SCP server, accepting connections from SCP clients on remote hosts.

Secure Hash Algorithm-1 (SHA-1)

Algorithm that produces a 160-bit hash from a message of arbitrary length. (It is generally regarded as more secure than Message Digest 5 (MD5) because of the larger hashes it produces.)

Secure Shell (SSH)

Protocol that allows device administrators to remotely manage the device in a secure manner. You can run either an SSH version 1 or version 2 server on the security device.

Security Association (SA)

Unidirectional agreement between the virtual private network (VPN) participants regarding the methods and parameters to use in securing a communication channel. For bidirectional communications, there must be at least two SAs, one for each direction. The VPN participants negotiate and agree to Phase-1 and Phase-2 SAs during an autokey Internet Key Exchange (IKE) negotiation. See also Security Parameters Index (SPI).

Security Parameters Index (SPI)

Hexadecimal value that uniquely identifies each tunnel. It also tells the security device which key to use to decrypt packets.

Security Zone

A collection of one or more network segments requiring the regulation of inbound and outbound traffic via policies.

Service Set Identifier (SSID)

32-character unique identifier attached to the header of packets sent over a wireless local area network (WLAN), which acts as a password when a mobile device tries to connect to the basic service set (BSS). The SSID differentiates one WLAN from another, so all access points and all devices attempting to connect to a specific WLAN must use the same SSID. A device will not be permitted to join the BSS unless it can provide the unique SSID.

Serving GPRS Support Node (SGSN)

Connects one or more base station controllers (BSCs) to the GPRS backbone network, providing IP connectivity to the Gateway GPRS Support Node (GGSN).

Session Description Protocol (SDP)

Session descriptions appear in many Session Initiation Protocol (SIP) messages, and provide information that a system can use to join a multimedia session. SDP information includes IP addresses, port numbers, times, dates, and information about the media stream.

Session Initiation Protocol (SIP)

Internet Engineering Task Force (IETF)-standard protocol for initiating, modifying, and terminating multimedia sessions over the Internet. Such sessions might include conferencing, telephony, or multimedia, with features such as instant messaging and application-level mobility in network environments.

Shared Distribution Tree

Multicast distribution tree where the source transmits the multicast traffic to the Rendezvous Point (RP), which then forwards the traffic downstream to receivers on the distribution tree.

Shortest Path Tree (SPT)

Multicast distribution tree where the source is at the root of the tree and it forwards multicast data downstream to each receiver. This is also referred to as a source-specific tree.

Signal-to-Noise Ratio (SNR)

Ratio of the amplitude of a desired analog or digital data signal to the amplitude of noise in a transmission channel at a specific time. SNR is typically expressed logarithmically in decibels (dB).

SIP

See Session Initiation Protocol (SIP).

Source-Based Routing (SBR)

Configuration of a virtual router (VR) on a security device to forward traffic based on the source address of the data packet instead of just the destination address.

Source Interface-Based Routing (SIBR)

Allows a security device to forward traffic based on the source interface (the interface on which the data packet arrives on the device).

SSID

See Service Set Identifier (SSID).

Static Routing

User-defined routes that cause packets moving between a source and a destination to take a specified path. Static routing algorithms are table mappings established by the network administrator prior to the beginning of routing. These mappings do not change unless the network administrator alters them. Algorithms that use static routes are simple to design and work well in environments where network traffic is relatively predictable, and where network design is relatively simple. The software remembers static routes until you remove them. However, you can override static routes with dynamic routing information through judicious assignment of administrative distance values. To do this, you must ensure that the administrative distance of the static route is higher than that of the dynamic protocol.

Subinterface

Logical division of a physical interface that borrows the bandwidth it needs from the physical interface from which it stems. A subinterface is an abstraction that functions identically to an interface for a physically present port and is distinguished by 802.1Q virtual local area network (VLAN) tagging.

Symmetric High-Speed Digital Subscriber Line (SHDSL)

Physical wide area network (WAN) symmetric Digital Subscriber Line (DSL) interface capable of sending and receiving high-speed symmetrical data streams over a single pair of copper wires at rates between 192 Kbps and 2.31 Mbps. G.SHDSL incorporates features of other DSL technologies, such as asymmetric DSL, and transports T1, E1, Integrated Services Digital Network (ISDN), Asynchronous Transfer Mode (ATM), and IP signals.

Syslog

Protocol that enables a device to send log messages to a host running the syslog daemon (syslog server). The syslog server then collects and stores these log messages locally.

T1 Interface

Physical wide area network (WAN) interface for transmitting digital signals in the T-carrier system, used in North America and Japan. Usually a dedicated phone connection supporting data rates of 1.544 Mbps.

T3 Interface

Physical wide area network (WAN) interface for transmitting digital signals in the T-carrier system, used in North America and Japan. A dedicated phone connection supporting data rates of about 43 Mbps. This interface is also known as DS3.

TEID

See Tunnel Endpoint Identifier (TEID).

TID

See Tunnel Identifier (TID).

T-PDU

Payload tunneled in the GPRS Tunneling Protocol (GTP) tunnel.

Transmission Control Protocol/Internet Protocol (TCP/IP)

Set of communication protocols that support peer-to-peer connectivity functions both for LANs and wide area networks (WANs). TCP/IP controls how data is transferred between computers on the Internet.

Trunk Port

Allows a switch to bundle traffic from several virtual local area networks (VLANs) through a single physical port, sorting the various packets by the VLAN identifier (VID) in their frame headers.

Trust Zone

One of two security zones; it protects packets from being seen by devices external to your current security domain.

Tunnel Endpoint Identifier (TEID)

Uniquely identifies a tunnel endpoint in the receiving GTP-User (GTP-U) or GTP-Control (GTP-C) protocol entity. The receiving end side of a GPRS Tunneling Protocol (GTP) tunnel locally assigns the TEID value that the transmitting side has to use. The TEID values are exchanged between tunnel endpoints using GTP-C messages. See also GPRS Tunneling Protocol (GTP); GTP-Control (GTP-C) Messages; GTP Tunnel; GTP-User (GTP-U) Messages.

Tunnel Identifier (TID)

Packets traveling along the General Packet Radio Service (GPRS) backbone are wrapped inside an additional addressing layer to form GPRS Tunneling Protocol (GTP) packets. Each GTP packet then carries a TID. See also Global System for Mobile Communication (GSM).

Tunneling

Method of data encapsulation. With virtual private network (VPN) tunneling, a mobile professional dials into a Point of Presence (POP) of a local Internet Service Provider (ISP) instead of dialing directly into a corporate network. This means that no matter where mobile professionals are located, they can dial a local ISP that supports VPN tunneling technology and gain access to their corporate network, incurring only the cost of a local telephone call. When remote users dial in to their corporate network using an ISP that supports VPN tunneling, the remote user as well as the organization knows that it is a secure connection. All remote dial-in users are authenticated by an authenticating server at the ISP’s site, and then again by another authenticating server on the corporate network. This means that only authorized remote users can access their corporate network, and that they can access only the hosts that they are authorized to use.

Tunnel Interface

Opening, or doorway, through which traffic to or from a virtual private network (VPN) tunnel passes. A tunnel interface can be numbered (i.e., assigned an IP address) or unnumbered. A numbered tunnel interface can be in either a tunnel zone or a security zone. An unnumbered tunnel interface can only be in a security zone that contains at least one security zone interface. The unnumbered tunnel interface borrows the IP address from the security zone interface.

Tunnel Zone

Logical segment that hosts one or more tunnel interfaces. Associated with a security zone that acts as its carrier.

Uniform Resource Locator (URL)

Standard method developed for specifying the location of a resource available electronically. Also referred to as a location or an address, a URL specifies the location of files on servers. A general URL has the syntax protocol://address. For example, http://www.juniper.net/support/manuals.html specifies that the protocol is HTTP and that the address is http://www.juniper.net/support/manuals.html.

Universal Serial Bus (USB)

External bus standard that supports data transfer rates of up to 12 Mbps.

Untrust Zone

One of two security zones that enable packets to be seen by devices external to your current security domain.

User Datagram Protocol (UDP)

Protocol in the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite that allows an application program to send datagrams to other application programs on a remote machine. UDP provides an unreliable and connectionless datagram service where delivery and duplicate detection are not guaranteed. It does not use acknowledgments or control the order of arrival.

Virtual Adapter

Transmission Control Protocol/Internet Protocol (TCP/IP) settings that a security device assigns to a remote Xauth user for use in a virtual private network (VPN) connection. These settings include IP address, Domain Name System (DNS) server addresses, and Windows Internet Naming Service (WINS) server addresses.

Virtual IP (VIP) Address

A VIP address maps traffic received at one IP address to another address based on the destination port number in the packet header.

Virtual Link

Logical path from a remote Open Shortest Path First (OSPF) area to the backbone area.

Virtual Local Area Network (VLAN)

Logical rather than physical grouping of devices that constitutes a single broadcast domain. VLAN members are not identified by their location on a physical subnetwork, but rather, through the use of tags in the frame headers of their transmitted data. VLANs are described in the IEEE 802.1Q standard.

Virtual Private Network (VPN)

Network scheme in which portions of a network are connected via the Internet, but information sent across the Internet is encrypted. The result is a virtual network that is also part of a larger network entity. This enables corporations to provide telecommuters and mobile professionals with local dial-up access to their corporate network or to another Internet Service Provider (ISP). VPNs are possible because of technologies and standards such as tunneling, screening, encryption, and IP Security (IPSec).

Virtual Router

Component of ScreenOS that performs routing functions. By default, a security device supports two VRs: untrust-vr and trust-vr.

Virtual Security Device (VSD)

Single logical device comprising a set of physical security devices.

Virtual Security Interface (VSI)

Logical entity at Layer 3 that is linked to multiple Layer 2 physical interfaces in a virtual security device (VSD) group. The VSI binds to the physical interface of the device acting as the master of the VSD group. The VSI shifts to the physical interface of another device in the VSD group if there is a failover, and it becomes the new master.

Virtual System (VSYS)

Subdivision of the main system that appears to the user to be a standalone entity. VSYS reside separately from each other in the same security device. Each one can be managed by its own VSYS administrator.

WEP

See Wired Equivalent Privacy (WEP).

Wi-Fi Protected Access (WPA)

Wi-Fi standard designed to improve the security features of Wired Equivalent Privacy (WEP).

Windows Internet Naming Service (WINS)

Service for mapping IP addresses to NetBIOS computer names on Windows NT server-based networks. A WINS server maps a NetBIOS name used in a Windows network environment to an IP address used on an IP-based network.

Wired Equivalent Privacy (WEP)

Encrypts and decrypts data as it travels over the wireless link with the Rivest Cipher 4 (RC4) stream cipher algorithm.

Wireless Access Point (AP)

Hardware device that acts as a communication hub for wireless clients to connect to a wired LAN.

Wireless Local Area Network (WLAN)

Type of LAN that uses high-frequency radio waves rather than wires to communicate between nodes.

WPA

See Wi-Fi Protected Access (WPA).

Xauth

Protocol comprising two components: remote virtual private network (VPN) user authentication (username plus password) and Transmission Control Protocol/Internet Protocol (TCP/IP) address assignments (IP address, netmask, Domain Name System [DNS] server, and Windows Internet Naming Service [WINS] server assignments).

Zone

Segment of network space to which security measures are applied (a security zone), a logical segment to which a virtual private network (VPN) tunnel interface is bound (a tunnel zone), or a physical or a logical entity that performs a specific function (a function zone).

Get ScreenOS Cookbook now with the O’Reilly learning platform.