Checkpoint CCSA Vocabulary / Glossary

Vocabulary list that was developed for students working on their Checkpoint CCSA certification.

Accept A task identified for security purposes in VPN-1 or FireWall-1 which authorizes and enables the connection between units while abiding by the specified security regulations.
Access Control List (ACL) A list of permissions attached to an object in a computer. ACL specifies the users or system processes that are granted access to objects. It also specifies what actions can be performed on the given objects.
Account Management Module A module with the VPN-1/ FireWall-1 which allows the Smart- Dashboard to control the LDAP directories.
Accounting A secure process of logging or auditing the tasks performed by a user where every connection is recorded with the number of bytes that were transmitted in the connection.
Acknowledgment (ACK) A message confirming that a data packet was received at the Transport layer of the Open Systems Interconnection (OSI) and TCP/IP models.
Active Connections Log A log file or a record which consists of the present connections that are active through the VPN-1/FireWall-1 enforcement sections.
Active Mode A display in SmartView Tracker which illustrates the Active Connections Log file.
Actualize A mechanism that helps a SmartMap to generate network objects based on the implied network objects produced by an enforcement module or external gateway topology configuration.
Address Range Object A security object used to denote all contiguous arrays of IP addresses, without conforming the subnet boundaries. This object can be used to configure a collection of valid IP addresses which correspond to every private IP address in the address range object.
Address Resolution Protocol (ARP) The Network layer protocol that IP uses to ascertain the MAC address of a known IP address. The address is resolved and the protocol is used when IP determines that the destination is on the local subnet and communication must therefore occur at the Data Link layer.
Address Translation Rule A collection of specifications which categorize the original parameters of a connection that must be matched. It also classifies the NAT-related tasks that must be performed on every packet.
Address Translation Rule Base A group of address translation regulations that are implemented from the top to the bottom.
Administrative Log A log file which consists of audit data comprising of administrative tasks executed by security officials in the VPN-1/FireWall-1 security policy.
Administrator Object An object type which is present in the users database that defines VPN-1/ FireWall-1 administrators.
Alerts Window A dialog box in the user interface of the SmartView Status that displays pop-up alerts that are produced by the security rules and security events configured to produce pop-up alerts.
Amplification Attack The process of attacking the target system by a regular DoS attack. The attack takes advantage of the drawbacks in an IP protocol to amplify the number of packets to hundred or thousand times.
Anti-spoofing A security mechanism utilized on the VPN-1/ FireWall-1 which secures the network from unauthorized users trying to generate IP packets with false or spoofed sources of IP addresses.
Application-layer Gateway A firewall device which enables application-layer proxying of connections between a protected network and other external networks, and vice versa.
Application-Layer Gateways A proxy-based firewall which proxies application-layer connections on behalf of other clients. In this firewall, all access is controlled at the application layer of the OSI model.
ARP Reply An ARP message which specifies the Layer 2 address of the IP device which was queried in the initial ARP request message. This ARP message is sent to the requesting device.
ARP Request An ARP message which queries every device on a local network for the Layer 2 address of an IP device.
ARP Table A table used by the ARP to map the list of known TCP/IP addresses to their associated MAC addresses. The table is cached to avoid ARP looking up the table for frequently accessed TCP/IP addresses.
Audit Mode A display setting in SmartView Tracker which illustrates the administrative log file.
Authentication Header A protocol which provides connectionless integrity, data origin authentication, and an optional anti-replay service. AH protects the IP payload and all header fields of an IP datagram except for mutable fields.
Authentication Types The different forms of validation means supported by the VPN-1/FireWall-1. These include users, clients, and session authentication.
Authorization Scope A set of specifications for services and destination systems in a client authentication rule which an authorized user is allowed to utilize or access.
Authorization Timeout The time taken for every authorized user to create a connection to specific services and destination systems identified within the client authentication rule.
Automatic ARP An attribute that reduces the need to configure operating system ARP support for the NAT rules in VPN-1/FireWall-1 NG.
Automatic NAT An attribute that enables the VPN-1/ FireWall-1 to configure a valid IP address on the object that represents the internal device. The VPN-1/FireWall-1 automatically configuring suitable NAT rules.
Before Last A location in the Check Point security rule base that store implied security rules. An implied security rule configured to be positioned Before Last is positioned before the last explicit security rule.
Binding Order A Microsoft Windows systems sequence in which network interfaces are organized and contained within the TCP/IP protocol stack.
Blocking A technique used to secure a network against unauthorized access by blocking connections from the source of an active connection in the Active Connections Log.
Blocking Scope The range of blocking capabilities that block a specific type of connection which can either be from the source of a blocked connection or to the destination of a blocked connection.
Blocking Timeout The time period for which the block is to be applied. This can either be an indefinite period or can be a specific number of minutes.
Certificate authority (CA) An entity that issues digital certificates for use by other companies or institutions. A CA is a characteristic of many Public Key Infrastructure (PKI) schemes.
Check Point Configuration Tool A tool used to execute system-level configuration of VPN-1/FireWall-1, for example licenses, and GUI clients. This tool is also known as cpconfig.
Check Point Objects A set of security objects used for security purposes in the SmartDashboard to represent the Check Point systems. Some Check Point objects include enforcement modules and Check Point hosts.
Circuit Switching A switching method that establishes a dedicated connection between the sender and receiver throughout the communication session. ISDN establishes a circuit switched connection through a dialed number.
Cleanup Rule A security rule which is matched last, in the security rule base. This rule ensures that any traffic which does not match the policies of the security rule base is dropped and logged.
Client Authentication A form of authentication on VPN-1/FireWall-1 which authenticates services. By default this authentication needs to explicitly authenticate with the HTTP or the TELNET security server.
Client Side The location where a packet is observed by the INSPECT module. Client-side inspection occurs immediately after a packet arrives at the ingress interface.
Connection Persistence The measure of performance of an enforcement module after a new policy is installed. For active connections which are not allowed by a new policy, connection persistence determines if the existing connections are immediately dropped, or the existing connections are allowed to continue as long as it is required.
Content Vector Protocol (CVP) The Check Point protocol which facilitates anti-virus checking and content filtering by allowing the enforcement modules to send HTTP, SMTP, and FTP content to external content security servers.
Control Decisions A set of techniques that allow the stateful inspection engine of the VPN-1/FireWall-1 to determine how a packed should be handled.
CPShared A base SVN foundation component with which all Check Point products are installed. The components of CPShared include, cpstart/cpstop, Check Point registry, Check Point daemon, Watchdog, cpconfig, and SNMP daemon.
cpstart A utility which allow you to start Check Point component services.
cpstop A utility which allow you to stop Check Point component services.
Critical Notifications Pane A panel displayed in the user interface of the Smart-View Status which shows critical events.
Critical Notifications View A display panel that allows critical notifications to be displayed in a separate section of the screen. This view is created to address the changing statuses of workstations or modules.
Custom Log Query A mechanism that increases the speed of filtering using a personalized display in the SmartView Tracker. This tracker consists of various fields and filters that display data customized to the administrator’s requirements.
Customer Premises Equipment (CPE) A terminal equipment located at a subscriber's premises and connected with a carrier's telecommunication channel at the demarc. It generally refers to customer owned telephones, routers, and switches.
Daemons An application-layer service on the server-side which operates on a system. Application-layer gateways implement daemons for each application-layer.
Data Encryption Standard (DES) A block cipher that was selected by the National Bureau of Standards as an official Federal Information Processing Standard. It uses a symmetric-key algorithm with a 56-bit key.
Database Revision Control A feature used to rollback security policy changes. This can be done in the Global Properties option of the SmartDashboard menu.
Default Rule A cryptic rule which is always implemented towards the end of a rule base. The default rule drops traffic matched by the security rule base. It does not log any data packet which does not match the security rule base.
Demilitarized Zone (DMZ) A firewall setup where web and other servers are placed outside the firewall. This prevents outside users from getting direct access to a server that hosts company’s confidential data.
Denial of Service (DoS) A type of attack that is aimed at making computer resources unavailable to its users. It is also directed at making websites or web services function inefficiently.
Deny A task intended to facilitate the security rules in the VPN-1/FireWall-1. A connection request which matches a deny action of the security rule is dropped.
Destination NAT The NAT which translates destination IP addresses for connections initiated to the valid IP address that represents an internal device.
Details Pane A display in the Module window of the SmartView Status user interface which shows specific information of a section on a given workstation.
Details View A display in the user interface of the SmartView Status which shows detailed data related to the present workstation or section that is selected in the Modules view.
Diffie-Hellman A key generation algorithm that allows two parties to securely generate a shared session key. This key can be used for symmetric encryption. This algorithm is used in protocols such as IPSec.
Digital Signature A field in the certificate which contains a hash of the certificate constituents which are encrypted using the signing certificate authoritiy's private key. This signature provides authentication and data integrity services.
Disable a Rule A mechanism which disables a particular rule in the security rule base. The rule will not be enforced by enforcement modules; however it will continue to exist in the security policy.
Distinguished Name The entire path of an object specified by the certificate of an X.500 directory using the X.500 nomenclature.
Distributed Denial of Service (DDoS) A magnified DoS attack where multiple systems which are already compromised by the attacker, attack a single target. This combines a DoS and Ping of Death attack and forces the target system to shut down.
DNS Zone A portion of the global DNS namespace for which administrative responsibility has been delegated. It represents a boundary of authority subject to management by certain entities.
Domain Name System or Service (DNS) A distributed Internet directory service used to map domain names to their IP addresses and vice versa.
Dst A special option used to for configuring the Install On element of a rule. This is used to enforce the rule on the inbound direction for enforcement modules which are specified in the Destination element of the rule.
Dynamic Host Configuration Protocol (DHCP) A networking protocol used to request, assign, maintain, and release IP addresses to clients connected to the DHCP server.
Eitherbound The default mode of inspection in VPN-1/FireWall-1 NG. The other modes of inspection include inbound and outbound. These are inspected by the INSPECT mode.
Encapsulating Security Payload (ESP) An IP transport-layer protocol that is a part of the IP Security (IPSec) standard. It provides authentication, confidentiality, data integrity, and non-repudiation services for IPSec packets.
Enforcement Module A constituent of the VPN-1/FireWall-1which generates a gateway from the internal networks of an organization to the external networks. It enforces the security policy distributed by the SmartCenter Server component and generates security log events and forwards these to the SmartCenter Server.
Event Logging API (ELA) An API which facilitates third-party developers to use OPSEC applications to generate security log events and save them in the VPN-1/FireWall-1security logs.
Explicit Rules A security rule which is manually specified by the administrator.
Extranet Virtual Private Network (VPN) A virtual private network which connects the internal networks of two different organizations in a secure manner, with the help of a public network.
Failed Authentication Attempts The number of consecutive authentication attempts that were a failure. These attempts occur before the termination of a client’s authentication connection to the VPN-1/FireWall-1 security server.
File Transfer Protocol (FTP) A network protocol used to exchange and manipulate files over a TCP/IP-based network. It uses separate control and data connections between the client and server applications.
Filters A technique that is a part of a log query to determine the data that should be displayed in the SmartView Tracker records pane.
Fingerprint A field on a certificate that includes of a hash of the components of the certificate. It identifies the system presenting the certificate and is used in VPN-1/FireWall-1 to enable SMART clients to ensure that the SmartCenter server they are connecting to is authentic.
Firewall A generic device that creates a gateway from the internal networks of an organization and external networks. It uses permission controls in connections within connected networks.
Firewall A security infrastructure used to block unauthorized access while permitting authorized users. It can be implemented in either hardware or software, or a combination of both.
Flows The connection from one network device to another which indicates the direction of transmitted data from the client to the server.
Force This Blocking A setting that indicates the location where the blocking must be implemented. It can be implemented on the enforcement module which hosts the blocked connection or on all enforcement modules.
Fragmentation The mechanism break up IP packets into segments, to ensure that specific number of IP packets are placed on the MTU of the Layer 2 media.
Fully Automatic A mechanism that enables the session authentication to authorize permissions to every service and destination specified in the client authentication rule.
fwc A command line utility that instructs a SmartCenter server to verify an inspection script by compiling it into inspection code.
fwm logexport A command line utility that allows you to export security log files into an ASCII format. This format can be viewed by an external application or can be  exported into a database.
fwm logswitch A command line utility that allows you to rotate security log files. This option terminates the current log file and creates a new log file.
FWZ Encryption Check Point proprietary encryption protocol which only supports payload encryption. It has an IP protocol number of 94.
Gateway A system which consists of multiple network interfaces and helps create a gateway from one network to another. Gateways are also known as enforcement models.
Group Object An object in the customer’s database which groups user objects and administrator objects. Grouped objects can be defined in security rules.
H.323 A standard which provides a foundation for audio, video, and data communications across IP-based networks. It is based on RTP, RTCP and other additional protocols used for call signaling, data and audiovisual communications.
Hide a Rule The method used to hide a rule from being viewed. This method facilitates easy management of the security rule base. It implements the rule on enforcement modules.
Host Route A route that defines a given host’s next hop IP address. Host routes are essential for manual NAT rules on a VPN-1/FireWall-1.
Hybrid Mode Authentication An authentication process where two different authentication mechanisms are combined. Hybrid mode authentication allows remote access VPN connections to be authenticated at both a machine level and at a user level.
Hypertext Transfer Protocol Secure (HTTPS) A combination of HTTP and the SSL/TLS protocol used to communicate between web server and a web browser. SSL/TLS makes the communication secure using TCP port 443 by default.
Implicit Client Authentication An authentication mechanism which specifies the semi automatic client authentication rules and is used in conjunction with client authentication rules.
Implicit Drop Rule A security rule base has an implicit drop rule at the end of the rule base. So any traffic not matched by a rule in the rule base is dropped.
Implied Network Object An automatically created network object in the SmartMap which uses the topology configuration for enforcement modules or gateways.
Implied Rules Any security rule that has been automatically generated by VPN-1/FireWall-1 NG. In the SmartDashboard, implied rules are configured via Policy _ Global Properties _ FireWall-1.
In-band Authentication A form of authentication which happens in the application-layer protocol. VPN-1/ FireWall-1 facilitates in-band authentication for HTTP, TELNET, FTP, and RLOGIN connections.
Inbound A phase in the enforcement module where data packets that are transmitted are inspected by the INSPECT module.
INSPECT An advanced scripting language that specifies the security rules and policy on an enforcement module.
INSPECT Module A kernel-mode constituent of the VPN-1/FireWall-1 enforcement module which intercepts data packets accepted from or transmitted from a network interface and applies security inspection on them.
Inspection Code The low-level machine languages created by an inspection script, which helps in containing the CPU commands that help implement security policies.
Inspection Script The INSPECT script which specifies the security policies implemented by the INSPECT section.
Installation Manager A constituent of the SmartUpdate SMART client used to manage installing, upgrading of service pack and versions, and rollbacks of the VPN-1/FireWall-1.
Internal Certificate Authority (ICA) The internal certificate authority that enables the VPN-1/ FireWall-1 NG to supply certificates to the Smart-Center servers and enforcement modules. This feature reduces the need to deploy a separate PKI.
Internet Control Message Protocol (ICMP) A protocol for TCP/IP which provides maintenance and reporting functions. The Ping utility uses ICMP. ICMP will also report if a destination is unreachable.
Internet Gateway A product of the VPN-1/FireWall-1 family which facilitates the integration of the SmartCenter server and enforcement module into a single platform. It is qualified to secure up to 250 IP addresses.
Internet Group Management Protocol (IGMP) A protocol used to manage IP multicast groups. IP multicasts can send messages or packets to a specified group of hosts.
Internet Protocol (IP) A network protocol used to communicate data across a packet switched network. It is the primary protocol in the Internet Layer and delivers packets from the source to the destination solely based on their addresses.
Intranet VPN A virtual private network which links different departments or business units in a secure manner through a private or public network.
IP Security (IPSec) A type of VPN which uses protocols that enable encryption, authentication, and integrity over an IP network. IPSec operates at Layer 3 of the OSI model.
Ipconfig A command line utility used to get the IP address information on a Windows computer. It also allows some control over active TCP/IP  connections.
IPsec (Internet Protocol Security) A group of transport-layer protocols which allow a framework to facilitate secure communications over an IP network. It enables authentication, confidentiality of information, integrity of information, and many non-repudiation features.
Kerberos An authentication protocol which allows nodes communicating over a non-secure network to authenticate in a secure manner. The messages used in Kerberos are protected against eavesdropping and replay attacks.
Kernel Mode The state reached when a software application operates as part of the operating system kernel, resulting in high speed performance.
Kernel Side A log event generation process that describes the enforcement module components which create the portions of the log.
License Manager A SmartUpdate SMART client’s component that manages the VPN-1/FireWall-1 central licenses.
Lightweight Directory Access Protocol (LDAP) A protocol used to access X.500 databases. This protocol stores information about the entities within an organization.
Local.arp A Windows systems file that enables the proxy ARP functionality. This functionality allows manual NAT installations.
Log Export API An API which facilitates third-party developers to enable the OPSEC applications to obtain and analyze security log events.
Log Fragments The data associated to a logging record created by different enforcement module components. Log fragments are consolidated into logging records, which ensure all logging information is associated with a connection.
Log Mode A display mechanism in SmartView Tracker which shows the security log files.
Log Query A set of attributes which illustrate a particular type of display in the SmartView Tracker Records pane. A log query defines the filters applied to the columns, the column’s visibility, and the column width.
Log Records A unit of log fragments produced when data packets are transmitted through an enforcement module. Each log record is associated with a connection, and is transmitted to the SmartCenter server.
Log Unique Unification Identifier (LUUID) A field attached to every log; this field is used to identify the log records transmitted by the enforcement module to the SmartCenter server.
Logical Server A server that presents a virtual interpretation of an internal group or cluster of servers which provide a common service.
Manual NAT A type of NAT implemented when administrators define their own NAT rules. Manual NAT rules enable fine-tuning of NAT rules.
Many-to-one The NAT provided by the hide NAT where ‘many’ implies multiple private IP addresses and ‘one’ implies a single valid IP address.
Master An entity in the enforcement module which defines the Smart- Center server from which the enforcement module obtains as security policies. It also denotes the location where the enforcement module transmits log records.
Maximum Transmission Unit (MTU) The highest permitted size of frames that are allowed to be transmitted on a Layer 2 media, such as Ethernet or ATM.
Media Access Control (MAC) A protocol used to provide the data link layer of the Ethernet LAN system. It encapsulates payload data by adding a 14 byte header before the data and appending a 4-byte CRC after the data.
Message Digest The output of a hashing algorithm which is also called hash. It can be attached to a message to ensure that the original contents of the message are not altered in transit.
Modules A particular Check Point product installed on Check Point systems. This product is monitored by the SmartView Status.
Modules Pane A display window in SmartView Status which shows every workstations and module that is monitored by the SmartView Status.
Modules View A hierarchical view in SmartView Status which shows every Check Point workstation managed by the Smart-Center server to which SmartView Status is connected.
Negate Cell  An option used for modifying the Service Element of a rule. IT negates the selected service for the service element of a rule.
Network Address Translation (NAT) A mechanism that translates the source/destination IP addresses of data packets by ensuring that every private device can establish a connection with a device on the Internet using a valid IP address.
Network Address Translation (NAT) A process of modifying network address information in the packet headers while in transit across a traffic routing device. This is done to remap one IP address space into another.
Network Interface Card (NIC) An expansion card that plugs into the PCI slot; used to connect the computer to a network. It is connected to the network cabling used to transfer data on the network.
Node Objects Security objects within the Smart-Dashboard that represent non–Check Point systems. The types of objects include gateway node object and host node object.
Noisy Rule A security rule that reduces unnecessary cluttering of the security log files by dropping traffic which is frequent and normal in the network. It does not log the drop events.
Non-repudiation A process that reduces the ability for a party to falsely claim that they were the generators or certain information.
Non-transparent Authentication An authorization process that takes place when a user initiates an out-of-band connection for authentication purposes before initiating a connection to the desired destination system.
One-time Password (OTP) A technique used for authorization purposes that requires users to specify a different password each time they authenticate. This technique is used by S/KEY and SecurID authentication schemes.
Open Platform for Security (OPSEC) A Check Point framework which enables third-party to integrate their products with Check Point products to increase the efficiency of their products.
Open Security Extension (OSE) A licensed feature which allows the SmartCenter server to manage access control lists of third-party routers.
Open Systems Interconnection (OSI) A model defined by the ISO to categorize the process of communication between computers in terms of seven layers. The seven layers are Application, Presentation, Session, Transport, Network, Data Link, and Physical.
OS Password The authentication policy of the VPN-1/FireWall-1 which uses the enforcement module’s operating system authentication database to authenticate users.
Outbound The phase where data packets transmitted out of the network interface of an enforcement module are inspected by the INSPECT module.
Out-of-band Authentication A form of authentication which takes place outside of the application-layer protocol connection which a user tries to initiate. Client authentication provides out-of-band authentication.
Packet Filtering A firewall feature which selectively accepts or rejects packets as they pass through a network interface. Packets are filtered based on rules associated with the source and destination addresses, ports, or protocols that packets use.
Packet Filtering Firewall A generic firewall which investigates Layer 3 or Layer 4 data packets and determines whether to allow or block the packet. It is the basic form of a firewall.
Packet Switching The process of breaking messages into packets at the sending router for easier transmission over a WAN.
Partially Automatic A mechanism that allows user authentication to be utilized for any HTTP, FTP, TELNET, or RLOGIN connections specified in the rule. This authorizes access to every service and destination automatically.
Permissions A collection of rights specified for the administrators of the VPN-1/ FireWall-1 which identify the level of access for every user.
Point-to-Point Protocol (PPP) A full-duplex line protocol that supersedes Serial Line Internet Protocol (SLIP). It’s part of the standard TCP/IP suite and is often used in dial-up connections.
Point-to-Point Tunneling Protocol (PPTP) A network protocol that encapsulates PPP packets into IP datagrams for transmission over the Internet. It can also be used in private LAN-to-LAN networks.
Policy Definition Point The phase at which security policy rules are specified and configured. SMART clients and SmartCenter server represent the policy definition point.
Policy Distribution Point The phase at which security policy rules are transformed into a form that a policy enforcement point can understand. It is later circulated to every policy enforcement point.
Policy Enforcement Point The phase at which security policy rules are enforced at gateways between the internal networks of an organization and external, untrusted networks. The enforcement module represents the policy enforcement point.
Port Address Translation A feature which translates TCP/UDP communications made between hosts on a private network and hosts on a public network. It allows a single public IP address to be used by many hosts on a private network.
Port Address Translation (PAT) A mechanism utilized by hide NAT which translates the source IP address and the source TCP/UDP port of a connection. This enables the translated source TCP/UDP port to uniquely identify the private device.
Predefined Log Query A built-in view of the SmartView Tracker which shows fields and filters specific to a VPN-1/FireWall-1 component.
Product Details View A display mechanism in SmartView Status which displays the different workstations with a specific type of installation of Check Point product and statistics particular to the product.
Proxy ARP A device’s response to an ARP request on behalf of a different system. Proxy ARP is used by NAT to ensure that enforcement modules respond for the valid IP addresses configured for NAT.
Proxy Server A server that acts as an intermediary for requests from clients from other servers. It evaluates the request according to the filtering rules.
Public Key Infrastructure (PKI)    An arrangement needed to create, manage, distribute, use, store, and revoke digital certificates. It is a two-key encryption system where messages are encrypted with a private key and decrypted with a public key.
Public/Private Key Pair A pair of keys used to provide authentication, confidentiality of information, integrity of information, and non-repudiation services provided by certificates.
Quality of Service (QoS) The level of a service given by the network to a particular application. It is defined in terms of bandwidth, packet loss, latency, and jitter.
Query Tree A component of the SmartView Tracker application which lists all predefined queries and custom queries. A query is a set of parameters that defines how records are displayed in the Records pane.
RADIUS The protocol that enables centralized authentication services for multiple enforcement modules to a RADIUS server which hosts a central authentication database.
Read-only A permission defined for administrators that allows a specific component or function to be viewed but not modified.
Read-write A permission defined for administrators that allows a specific component or function to be viewed and modified.
Records Pane A pane in SmartView Tracker which shows the security log entries.
Reject An action specified in the security rule of the VPN-1/FireWall-1. This drops any notification that is transmitted back to the requesting system.
Remote Access VPN A virtual private network which connects remote users to the internal network of an organization through the Internet, in a secure manner.
Resource Object A security object used for the SmartDashboard. This allows traffic forwarding common application- layer protocol traffic to security servers for inspection.
Routing Information Protocol (RIP) A distance-vector route discovery protocol used by Internetwork Packet Exchange and Internet Protocol. IPX uses hops and ticks to determine the cost for a particular route.
Rule Elements A collection of units that form the various components or fields of a security rule. Every security rule consists of source, destination, service, action, track, time, install on, and comment element.
Secure Internal Communications (SIC) A technique that implements a secure connection between the components in VPN-1/FireWall-1 NG. It provides authentication, integrity and confidentiality services.
Secure Internal Communications (SIC) A feature in Check Point VPN-1/FireWall-1 NG which ensures that administrative communications between SVN components are secure.
Secure Sockets Layer (SSL) A protocol that secures messages by operating between the Application layer (HTTP) and the Transport layer.
Secure Virtual Network (SVN) A range of Check Point products which put together provide an end-to-end security solution for an organization.
Secure Virtual Network Architecture (SVN) A security architecture that provides a unified framework for implementing and maintaining network security. Network security is maintained and implemented across networks, applications, and users.
Security Log (fw.log) A log file which consists of every security event that took place on a VPN-1/ FireWall-1 enforcement module. This is managed by the SmartCenter server.
Security Objects A set of components of the VPN-1/FireWall-1 security policy. The components include networks, systems, applications, and users.
Security Policy A rule which specifies the network security policies and procedures of an organization. Security policies can cover a broad range of security rules.
Security Rule Base A set of security policies that form the entire list of security rules which are enforced by an enforcement module.
Security Rules A collection of policies or protocols that categorize particular types of connections. It also denotes the tasks that an enforcement module must execute for such connections.
Seed A variable that introduces randomness in the output produced when seeds and encryption keys are combines and passed through an encryption algorithm.
Selections A process used to specify the filter which must be used in displaying only specific data in a column of the SmartView Tracker. It also defines column width and column visibility.
Self-signed The certificate of the root CA of a PKI.  The root CA is the trusted entity in a PKI that generates a certificate that identifies itself and then signs the certificate itself.
Server Objects A security object which specifies the backend services such as RADIUS authentication. Every server object needs a workstation object to be specified.
Server Side A phase during which the INSPECT module inspects a data packet.  This inspection occurs after a packet has been received and routed by the operating system to the appropriate egress interface.
Service Objects The set of objects that represent the transport-layer and application layer protocols.
Session Authentication A form of authentication which initiates per-connection authentication of any given service. It requires a session authentication agent to be present on the authenticating client.
Session Authentication Agent Check Point software installed on a client workstation. It is required for session authentication.
Session State A state of a session or a connection in a stateful inspection firewall. The session state information includes information about Layer 3 and Layer 4 parameters of a connection, such as source port, destination port, and TCP sequence number.
Simple Mail Transfer Protocol (SMTP) A network protocol for e-mail transmission across IP networks. It is specified for outgoing mail transport and uses TCP port 25.
Simple Network Management Protocol (SNMP) A UDP-based network protocol used to monitor network-attached device. It has a set of standards for network management which includes an application layer protocol, a database schema, and a set of data objects.
SMART Clients A client used to provide a GUI for the VPN-1/FireWall-1 security policy specified on a SmartCenter server. It can also be used to access security logs, and control the status of VPN-1/FireWall-1 hosts and products.
SmartCenter Server A central constituent of the VPN-1/FireWall-1 which saves the security policy database, sends suitable security policy to every enforcement module, and also saves security log events produced by the enforcement modules.
SmartDashboard A Check Point GUI SMART client which configures security policies for a VPN-1/FireWall-1 SmartCenter server.
SmartMap A graphical application which illustrates the IP topology of a complete internetwork as configured by the VPN-1/FireWall-1.
SmartUpdate A Check Point SMART client that controls licenses centrally as well as for Check Point product versions and upgrades.
SmartView Status A Check Point SMART client that generates a real-time monitoring mechanism and alert for Check Point systems.
SmartView Tracker A Check Point SMART client used to control and view different Check Point security log files.
SmartView Tracker Mode A SmartView Tracker which consists of different modes that define the security log file which is viewed in the SmartView Tracker.
Source NAT A type of NAT that converts the source IP address for connections that are initiated from devices with private IP addresses.
Spoofing Attack A type of attack where a person or a program successfully masquerades as another by falsifying data and gaining an illegitimate advantage.
Src A special option used to for configuring the Install On element of a rule. This is used to enforce the rule on the outbound direction for enforcement modules specified in the Source element of the rule.
Stateful Inspection Technology A type of technology provides the intelligence of the application layer gateways with the operating speed of packet filtering firewalls.
Stateful Packet Filtering A firewall technology that monitors the state of active connections and determines which network packets to allow through the firewall.
Static NAT A type of NAT which enables a single one-to-one mapping from a private IP address to an external valid IP address. It enables connections to be established from external devices to internal devices represented by their corresponding valid IP address.
Stealth Rule A reliable security rule which must be situated at the top of the security rule base which helps protect enforcement modules from any intrusion.
Subnet Broadcast A type of broadcast which is transmitted to every host in an IP subnet. It is represented by the last IP address available with an IP subnet.
Suspicious Activity Monitoring (SAM) A monitoring mechanism used by enforcement modules to allow temporary security rules to be placed without any modifications made to the normal security policy.
SVN Foundation A constituent of the Common Check Point that is shared across all Check Point NG products that facilitates common functionality, secure internal communications, and other monitoring features.
SYSLOG A protocol often utilized by Unix-based systems. This protocol specifies the template according to which a system must generate errors and data messages. It also specifies how those messages must be stored.
System Alerts A feature of the Check Point NG Feature Pack SmartView Status SMART client that enables personalized alerts to be applied for particular system management events.
TACACS The Terminal Access Controller Access Control System protocol which operates like the RADIUS protocol and enables a centralized authentication service for various enforcement modules to a TACACS server which hosts a central authentication database.
TCP ACK Attack A type of attack where the attacker sends TCP connections requests faster than a machine can process them. Any service that binds to and listens on a TCP socket is potentially vulnerable to TCP SYN flooding attacks.
TCP Sequence Attack A type of attack where the attacker intercepts the communication between and authentic sender and receiver. The attacker then sends a sequence number similar to the one used in the original session and either disrupts or hijacks a valid session.
Telnet A network protocol used to provide a bi-directional interactive text-oriented communication via a virtual terminal connection. It uses TCP port number 23.
Terminal Access Controller Access Control System (TACACS) A remote authentication protocol used to communicate with an authentication server commonly used in UNIX networks. It allows a remote access server to communicate with an authentication server to determine if a user has access to the network.
Token Software or hardware component used to generate one-time passwords for users who require one-time-passwords for authentication.
Transitive The mechanism of inherent trust relationships between entities. This is an integral concept of a PKI.
Transmission Control Protocol (TCP) A network protocol that operates at a higher level of the OSI model. It provides reliable, ordered delivery of data from a program on one computer to another program on another computer.
Transparent Authentication An authorization process that takes place when a user initiates a connection to the desired destination system and is automatically prompted for authentication.
Triple DES A block cipher which transforms each 64-bit plaintext block by applying the Data Encryption Algorithm three successive times. It uses either two or three different keys for an effective key length of 112 or 168 bits.
User Authentication Session Timeout The amount of time an authenticated user authentication session can remain idle before the connection is deemed invalid and disconnected.
User Datagram Protocol (UDP) A network protocol which enables computer applications to send messages to other hosts on an IP network. It does not require prior communication to set up special transmission channels or data path.
User Mode A mode enabled when a software application operates outside the operating system kernel. This can slow the performance due to interaction with other applications and the network.
User Object A type of object that is placed in the user’s database. It defines a particular user.
User Template Object An object that defines a template to create user objects and administrator objects with similar attributes. It is placed in the users database.
Users Database A database that stores information about the user, administrator, templates, and group objects for the VPN-1/FireWall-1. It is stored in files called $FWDIR/conf/fwauth.NDB*.
Virtual LAN (VLAN) A network arrangement created to provide the segmentation services provided by routers in LAN configurations. It allows for hosts to be grouped together even if they are not located on the same network switch.
Virtual Private Network (VPN) A network arrangement that encapsulates data transfers between networked devices which not on the same private network. It provides remote access to corporate resources over the public Internet.
Voice over IP (VoIP) The technology that encapsulates voice traffic into IP packets and transmits it across a TCP/IP network.
VPN-1 & FireWall-1 Password An authentication mechanism used by the VPN-1/ FireWall-1 which authorizes users by using the passwords stored for user objects in the user’s database.
Wide Area Network (WAN) A computer network that connect LANs and other types of networks together. It enables the users and computers in one location to communicate with users and computers in other locations.
Workgroup  A defined group of users and network devices that are organized either by job function or by proximity to shared resources.
X.509 An ITU-T standard for PKI for SSO and PMI. It specifies standard formats for public key certificates, certificate revocation lists, attribute certificates, and the certification path validation algorithm.