SAM PROTOCOL: A Check Point OPSEC protocol used to signal between an NIDS and Firewall-1, so that the NIDS can tell Firewall-1 to reconfigure the firewall policy to protect the network against a specific intrusion. Practical use may be limited, since current IDSes that use Packet Signature-Based Detection are not very accurate and could cause the firewall to drop good traffic.

SCRIPT KIDDIES: Aspiring hackers who use ready-made scripts, languages, and techniques written by more experienced hackers to break into remote computer systems, usually via dial-up phone lines.

SECURITY AUDIT: The process of evaluating a network's vulnerabilities against the effectiveness of the devices in place to protect that network.

SECURITY POLICY: In general, an enterprise's definition of how to handle all of its network security - including how to configure the network, implement changes, monitor devices and systems, and respond to incidents. It also defines acceptable and unacceptable use policies for internal users. Applied to security devices, the Security Policy defines the security configuration of a security device. With a Centralized Management system, an administrator can define an enterprise-wide Security Policy made up of individual rules (Rule Base) that can be applied to multiple security devices on the network. With a Point-to-Point Management system, an administrator has to define and maintain an individual Security Policy for each security device on the network.

SESSION HIJACKING: The act of gaining access to a machine by taking over a TCP session between two machines. An attacker can do this by guessing the content of the exchange between the two machines and injecting commands that would grant access, without ever seeing the responses. This is called "blind" hijacking. Another tactic is to go "inline" between the two machines and watch the conversation with a Sniffer program. This is called a "man-in-the-middle attack."
SESSION LOGGING: The ability to log the critical information associated with a session, including the start and stop of the connection and the total bytes transferred during the session.

SHARED SECRET: The use of a single private key (symmetric key encryption) to encrypt and decrypt data. The sender produces coded text, or ciphertext, from a cleartext message and sends it over public networks, such as the Internet or a provider network. Only a recipient holding the same secret key that the sender used to encrypt the text can decrypt the data.

SIGNATURE-BASED DETECTION: A method of identifying attacks in a network using Attack Signatures, where the traffic flow is compared against a database of attack patterns to determine whether an intrusion is in progress. The accuracy of any signature-based detection system depends on how it applies the signatures to analyze traffic. Methods include Context-Based Signature Detection, Packet Signature Detection, Stateful Signature Detection and Traffic Anomaly Detection.

SMTP (SIMPLE MAIL TRANSFER PROTOCOL): A protocol for sending mail messages over the Internet.

SMURF ATTACK: A maliciously sent PING request to an Internet broadcast address, where it can be replicated up to 255 times. Since the attacker's address appears to be the address of the victim, all PING replies go to the victim's address instead of the real sender's address. A single attacker sending thousands of these PING messages per second can bring an entire ISP network down by filling its T-1 or T-3 with PING replies. The Computer Emergency Response Team at Carnegie Mellon University said Smurf attacks went up from 3 percent of reported incidents in January 1998 to 10 percent by December 1998.

SNIFFER MODE: Refers to a network device that passively listens to network traffic. The term was first used to describe protocol analyzers that diagnosed network communication problems.
These analyzers are usually put into promiscuous mode, meaning that they simply listen to all network traffic. The term has since been applied to most Intrusion Detection Systems, which are implemented as passive devices designed to look for malicious traffic. IDSes that operate as a Sniffer are unable to actively protect a network from attacks, as opposed to IDSes that operate in Gateway Mode.

SPAN PORT / MIRROR PORT: An interface built into a network Switch that allows a network monitoring device to connect to it and view all traffic. A switch is a device that forwards packets on a network to which other devices connect via individual ports, so that each appears to be on its own "network" rather than on a shared network. Because the switch makes every port look like it is on its own network, the span port is the only way to look at all traffic flowing through the switch in aggregate, and the only way that a passive IDS can be connected to the switch.

SSH (SECURE SHELL): A TCP-based protocol for securely (with authentication and encryption) executing commands on a remote machine and transferring files from one machine to another.

SSL (SECURE SOCKETS LAYER): An applied encryption technique that provides a secure channel for data exchange. It is widely used by web sites, and can be used by just about any TCP-based protocol to secure data. For example, HTTPS (secure HTTP) uses SSL to encrypt HTTP traffic.

STATEFUL INSPECTION: A method by which a network device classifies packets into flows (connections) and flows into sessions. With Stateful Inspection, a network device uses IP addresses and TCP/UDP port numbers to determine the flow to which each packet belongs. It then uses application-specific information to classify multiple flows into a single session, as in the case of FTP, where the control and data connections are all part of the same session.
STATEFUL SIGNATURE DETECTION: The ability to understand the state of a communication and look for attack patterns only in the portions of traffic where an attack can actually be perpetrated. Packet Signatures, on the other hand, look at every individual packet without understanding or considering the stage of the communication. This means that Packet Signatures do not differentiate between an attack pattern in a portion of the session that poses no threat and an attack pattern in a portion of the communication that constitutes a real threat, resulting in a lot of False Alarms. Stateful Signatures look at packets within the context of the network traffic and can effectively differentiate between benign traffic and a real attack.

STATISTICAL: A method of keeping track of traffic over a period of time (generally spanning a few hours to a few days) so that deviant patterns can be detected. The deviant patterns are discernible because the system has captured the parameters of normal behavior on that network. It alerts on deviations, under the assumption that they constitute either an attack on or misuse of the system.

SUSPICIOUS ACTIVITY MONITORING PROTOCOL: A Check Point OPSEC protocol used to signal between an NIDS and Firewall-1, so that the NIDS can tell Firewall-1 to reconfigure the firewall policy to protect the network against a specific intrusion. Practical use may be limited, since current IDSes that use Packet Signature-Based Detection are not very accurate and could cause the firewall to drop good traffic.

SWITCH: An in-line (Gateway) device that is connected to different segments within a local area network (LAN) and filters and forwards packets between the segments. A Switch automatically learns the topology of the network and forwards packets appropriately, as opposed to a Router, which uses a routing table.
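As an added illustration of the Stateful Inspection and Stateful Signature Detection entries above (example code, not part of the glossary), the same constructed TCP exchange is run through a packet-signature matcher and a stateful one; the packets, the traversal-style signature and the 5-tuple flow tracking are all constructed for this example.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport flags payload")
SIGNATURE = b"../../"  # hypothetical traversal rule; any byte pattern works here

# Constructed exchange: three-way handshake, a client request carrying the
# pattern, a server error page that merely echoes the requested path, and a
# stray packet on a flow that never completed a handshake.
PACKETS = [
    Pkt("10.0.0.5", 40000, "10.0.0.80", 80, "S", b""),
    Pkt("10.0.0.80", 80, "10.0.0.5", 40000, "SA", b""),
    Pkt("10.0.0.5", 40000, "10.0.0.80", 80, "A", b""),
    Pkt("10.0.0.5", 40000, "10.0.0.80", 80, "PA",
        b"GET /../../private/readme.txt HTTP/1.0\r\n\r\n"),
    Pkt("10.0.0.80", 80, "10.0.0.5", 40000, "PA",
        b"HTTP/1.0 404 Not Found\r\n\r\n/../../private/readme.txt not found"),
    Pkt("192.0.2.9", 5555, "10.0.0.80", 80, "PA",
        b"GET /../../ HTTP/1.0\r\n\r\n"),   # no handshake on this flow
]

def flow_key(p):
    """Stateful Inspection: identify the flow by IP addresses and ports,
    normalised so both directions of the connection map to one key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def packet_signature_alerts(packets):
    """Packet Signature Detection: match every packet, ignoring state."""
    return [i for i, p in enumerate(packets) if SIGNATURE in p.payload]

def stateful_signature_alerts(packets):
    """Stateful Signature Detection: match only client-to-server data on an
    established connection, and only in the HTTP request line."""
    state, initiator, alerts = {}, {}, []
    for i, p in enumerate(packets):
        k = flow_key(p)
        if p.flags == "S":
            state[k], initiator[k] = "syn", (p.src, p.sport)
        elif p.flags == "SA" and state.get(k) == "syn":
            state[k] = "synack"
        elif p.flags == "A" and state.get(k) == "synack":
            state[k] = "established"
        elif state.get(k) == "established" and (p.src, p.sport) == initiator[k]:
            request_line = p.payload.split(b"\r\n", 1)[0]
            if SIGNATURE in request_line:
                alerts.append(i)
    return alerts
```

The packet matcher fires three times (request, echoed error page, stray packet); the stateful matcher fires once, on the request line of the established connection.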
SYN FLOOD: A Denial of Service (DoS) attack designed to prevent legitimate users from accessing and using a server. It is caused by sending a continuous stream of forged service request messages (SYN) to a targeted server. The server tries to respond to these requests, is forced to allocate system resources as if they were real, and has to wait for the appropriate time-out duration. During this period, the server is so busy that it is unable to respond to legitimate users. The service request message (SYN) initiates the TCP three-way handshake, but its forged source is typically a non-existent system, or a system built not to answer the server's reply. As a result, the server sits and waits for the response that would complete the connection and ignores the requests of legitimate users.

SYSLOG: A system that provides the transport and storage mechanisms for event notification messages, in the form of Logs. The syslog concept encompasses the syslog protocol, a syslog server and the syslog message (the log itself). Originally developed for operating system and application log collection, syslog is also used by some network and security devices as their logging mechanism.
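As an added example for the SYN Flood and Syslog entries (not part of the glossary), the detector below tracks half-open connections per server from a constructed stream of handshake events, expires entries after the time-out, and renders each alert as a syslog line with the PRI value computed from facility and severity; the threshold, time-out, addresses, host name and timestamp are all constructed.

```python
from collections import defaultdict

HALF_OPEN_THRESHOLD = 4   # constructed; real deployments tune this per server
SYN_TIMEOUT = 30.0        # seconds a half-open entry is kept before it expires

# Constructed event stream: (time in seconds, source, server, TCP flag).
# Forged sources in 198.51.100.0/24 send SYNs and never complete the handshake;
# 10.0.0.5 is a legitimate client whose ACK completes its connection.
EVENTS = [
    (0.0, "198.51.100.1", "10.0.0.80", "S"),
    (0.1, "198.51.100.2", "10.0.0.80", "S"),
    (0.2, "10.0.0.5", "10.0.0.80", "S"),
    (0.3, "10.0.0.5", "10.0.0.80", "A"),        # handshake completes
    (0.4, "198.51.100.3", "10.0.0.80", "S"),
    (0.5, "198.51.100.4", "10.0.0.80", "S"),    # fourth half-open: alert
    (40.0, "198.51.100.5", "10.0.0.80", "S"),   # earlier entries timed out
]

def detect_syn_flood(events, threshold=HALF_OPEN_THRESHOLD, timeout=SYN_TIMEOUT):
    """Track half-open (SYN seen, no completing ACK) connections per server and
    report (time, server, count) whenever the count reaches the threshold."""
    pending = defaultdict(dict)   # server -> {client: time its SYN arrived}
    alerts = []
    for now, src, dst, flag in events:
        # Entries older than the time-out have been released by the server too.
        pending[dst] = {c: t for c, t in pending[dst].items() if now - t < timeout}
        if flag == "S":
            pending[dst][src] = now
        elif flag == "A":
            pending[dst].pop(src, None)   # completed, no longer half-open
        if len(pending[dst]) >= threshold:
            alerts.append((now, dst, len(pending[dst])))
    return alerts

def syslog_message(facility, severity, timestamp, host, tag, text):
    """Format a BSD-style syslog line: PRI is facility * 8 + severity, followed
    by timestamp, sending host, tag and the message text."""
    return f"<{facility * 8 + severity}>{timestamp} {host} {tag}: {text}"

def syn_flood_alerts_as_syslog(events):
    """Run the detector and render each alert with facility 4 (security) and
    severity 1 (alert); the host name and timestamp are constructed."""
    return [syslog_message(4, 1, "Jan  1 00:00:00", "ids01", "nids",
                           f"possible SYN flood against {dst}: "
                           f"{n} half-open connections at t={t:.1f}s")
            for t, dst, n in detect_syn_flood(events)]
```

The legitimate client's ACK removes it from the half-open set, and the SYN at t=40 arrives after the earlier entries have expired, so exactly one alert is produced.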