Administrator's Guide

will be used. IKE also manages the distribution and update of the symmetric (shared) encryption
keys used by ESP and AH. See also ESP and AH.
IPSec policy IPSec policies specify the rules according to which data is transferred securely. IPSec policies
generally contain packet filter information and an action. The packet filter is used to select a policy
for a packet, and the action is applied to the packets using that policy.
Kerberos A network authentication protocol designed to provide strong authentication for client/server
applications. Kerberos allows users to authenticate themselves without transmitting unencrypted
passwords over the network.
LDAP (Lightweight Directory Access Protocol) The LDAP protocol provides network directory access. LDAP uses a
directory structure similar to the OSI X.500 directory service, but stores data as strings and uses the
TCP/IP network stack instead of the OSI network stack.
MAC A message authentication code (MAC) is an authentication tag, also called a checksum, derived
by applying an authentication algorithm, together with a secret key, to a message. MACs are
computed and verified with the same key, so they can only be verified by the intended receiver,
unlike digital signatures.
Hash function-based MACs (HMACs) use a key or keys in conjunction with a hash function to
produce a checksum that is appended to the message. An example is the keyed-MD5 method of
message authentication.
MACs can also be derived from block ciphers. The data is encrypted in message blocks using DES
CBC, and the final block of the ciphertext is used as the checksum. The DES-CBC MAC is a widely
used US and international standard.
man-in-the-middle attack See third-party attack.
manual keys Manually configured cryptographic keys for IPSec. An alternative to using the Internet Key Exchange
(IKE) protocol to generate cryptographic keys and other information for IPSec Security Associations
(SAs).
MD5 Message Digest-5. Authentication algorithm developed by RSA. MD5 generates a 128-bit message
digest using a 128-bit key. IPSec truncates the message digest to 96 bits.
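The MAC and MD5 entries above describe a keyed checksum that the sender appends to the message and the receiver recomputes with the same key, with IPSec keeping only the first 96 bits of the digest. The following is an added example, not code from the guide or from any IPSec implementation: it builds that HMAC-MD5-96 tag with Python's standard hmac module, appends it, and verifies it on the receiving side. The key and payload are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample inputs (not taken from the guide): a shared key that both
# peers hold, and the payload to be authenticated.
SHARED_KEY = b"constructed-demo-shared-key-0123"
MESSAGE = b"constructed ESP payload: sequence=1, data=hello"


def hmac_md5_96(key: bytes, message: bytes) -> bytes:
    """HMAC-MD5 keyed checksum truncated to 96 bits (12 bytes), as IPSec does.

    hmac.new() implements the standard HMAC construction over MD5:
    MD5((key XOR opad) || MD5((key XOR ipad) || message)).
    """
    full_digest = hmac.new(key, message, hashlib.md5).digest()  # 16 bytes
    return full_digest[:12]


def append_mac(key: bytes, message: bytes) -> bytes:
    """Sender side: the checksum is appended to the message it protects."""
    return message + hmac_md5_96(key, message)


def verify_and_strip(key: bytes, authenticated: bytes) -> Optional[bytes]:
    """Receiver side: recompute the tag with the same key and compare.

    Returns the message if the tag matches, None otherwise. The comparison is
    constant-time so the verifier does not leak how many tag bytes were right.
    """
    if len(authenticated) < 12:
        return None
    message, tag = authenticated[:-12], authenticated[-12:]
    if not hmac.compare_digest(hmac_md5_96(key, message), tag):
        return None
    return message


if __name__ == "__main__":
    wire = append_mac(SHARED_KEY, MESSAGE)
    print("tag (96 bits):", wire[-12:].hex())
    print("verified:", verify_and_strip(SHARED_KEY, wire) == MESSAGE)
    # Flip the last message byte: the tag no longer matches.
    tampered = wire[:-13] + b"X" + wire[-12:]
    print("tampered accepted:", verify_and_strip(SHARED_KEY, tampered) is not None)
```

Because the same key both produces and checks the tag, anyone holding the key can forge tags; that is the property that separates a MAC from a digital signature, and it is why IPSec derives a distinct authentication key per Security Association. The DES-CBC MAC variant in the MAC entry is not shown here because DES is not part of Python's standard library.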
NAT Network Address Translation. A method that allows multiple systems in an internal, private network
to share one public internet IP address. A NAT gateway replaces (translates) internal IP addresses
and ports with its public IP address when forwarding packets from the internal network to the public
internet, and performs the reverse translation for the return path.
object A system or network resource such as a system, file, printer, terminal, or database record. In the context
of authorization, authorization is granted for a subject's operation on an object.
operation A specific mode of access to one or more objects. For example, writing to a file. In the context of
authorization, authorization is granted for a subject's operation on an object.
out-of-band key exchange A key exchange using a secure communication channel that is outside of normal
computer communication channels, such as a face-to-face meeting or telephone call.
packet filter A filter used to select or restrict network packets. Packet filters specify network packet characteristics.
Packet filters typically specify source and destination IP addresses, upper-layer protocols (such as
TCP or UDP), and TCP or UDP port numbers. Packet filters may also define other packet fields, such
as IPv6 header types, upper-layer message types (for example, ICMP message types), and TCP
connection states.
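The IPSec policy and packet filter entries describe a two-step rule: a filter selects packets by source and destination address, upper-layer protocol and port, and the selected policy's action is then applied. The following is an added example, not code from the guide or from the IPSec product it documents, showing that selection over an ordered policy list with first-match semantics. The policy names, the action names ("secure", "pass", "discard") and the IPv4 addresses and packets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class PacketFilter:
    """Packet characteristics a filter matches; None means 'any'."""
    src: str = "0.0.0.0/0"            # source address or CIDR prefix
    dst: str = "0.0.0.0/0"            # destination address or CIDR prefix
    protocol: Optional[str] = None    # upper-layer protocol: "tcp", "udp", "icmp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if ip_address(pkt["src"]) not in ip_network(self.src, strict=False):
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst, strict=False):
            return False
        if self.protocol is not None and pkt["protocol"] != self.protocol:
            return False
        for field in ("src_port", "dst_port"):
            wanted = getattr(self, field)
            if wanted is not None and pkt.get(field) != wanted:
                return False
        return True


@dataclass(frozen=True)
class Policy:
    name: str
    pkt_filter: PacketFilter
    action: str   # assumed action names for this example: "secure", "pass", "discard"


def select_policy(policies: List[Policy], pkt: dict) -> Policy:
    """Return the first policy whose filter matches the packet.

    First match wins, so the list must be ordered from most to least specific;
    a catch-all policy at the end decides what happens to unmatched traffic.
    """
    for policy in policies:
        if policy.pkt_filter.matches(pkt):
            return policy
    raise LookupError("no policy matches packet: %r" % (pkt,))


# Constructed policy set (illustrative, not from the guide).
POLICIES = [
    Policy("ldap-to-dirserver",
           PacketFilter(dst="192.0.2.10/32", protocol="tcp", dst_port=389), "secure"),
    Policy("icmp-clear", PacketFilter(protocol="icmp"), "pass"),
    Policy("intranet-secure",
           PacketFilter(src="192.0.2.0/24", dst="192.0.2.0/24"), "secure"),
    Policy("default-discard", PacketFilter(), "discard"),
]

# Constructed sample packets, reduced to the fields a packet filter inspects.
SAMPLE_PACKETS = [
    {"src": "192.0.2.5", "dst": "192.0.2.10", "protocol": "tcp",
     "src_port": 40000, "dst_port": 389},
    {"src": "192.0.2.5", "dst": "192.0.2.7", "protocol": "icmp"},
    {"src": "192.0.2.5", "dst": "192.0.2.7", "protocol": "udp",
     "src_port": 5000, "dst_port": 53},
    {"src": "198.51.100.9", "dst": "192.0.2.7", "protocol": "tcp",
     "src_port": 1234, "dst_port": 22},
]


def actions_for(policies: List[Policy], packets: List[dict]) -> List[tuple]:
    """Map each packet to the (policy name, action) that will be applied to it."""
    result = []
    for pkt in packets:
        chosen = select_policy(policies, pkt)
        result.append((chosen.name, chosen.action))
    return result


if __name__ == "__main__":
    for pkt, (name, action) in zip(SAMPLE_PACKETS, actions_for(POLICIES, SAMPLE_PACKETS)):
        print(f"{pkt['src']:>14} -> {pkt['dst']:<12} {pkt['protocol']:<5} {name:<18} {action}")
```

The ordering matters: if "intranet-secure" preceded "icmp-clear", intranet ICMP would be secured rather than passed in the clear, and if the catch-all were missing, traffic from outside the intranet would raise instead of being discarded. Reviewing a policy list therefore means checking both each filter and the order in which filters are consulted.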
208 Glossary