McAfee SG310 Administration Manual page 398

McAfee UTM Firewall 4.0.4 Administration Guide

Glossary

Local Private Key Certificate & Passphrase
The private part of the public/private key pair of the certificate resides on the UTM Firewall appliance. The passphrase is a key used to lock (encrypt) and unlock (decrypt) the private key material, so that the private key is not stored or exported in the clear.

Local Public Key Certificate
The public part of the public/private key pair of the certificate also resides on the UTM Firewall appliance. It is presented to the remote peer, which authenticates the appliance by validating the certificate against the CA certificate.

M

MAC address
The hardware address of an Ethernet interface: a 48-bit number usually written as six octets in hexadecimal, for example 00:d0:cf:00:5b:da. A UTM Firewall appliance has a MAC address for each Ethernet interface; the MAC addresses of the ports are listed on a label underneath the appliance.

Main Mode
The Phase 1 keying mode that negotiates the encryption and authentication keys automatically and protects the identities of the parties attempting to establish the tunnel (Aggressive Mode exchanges the identities without that protection).

Manual Keying
A keying mode in which the encryption and authentication keys are not negotiated but entered by the administrator, identically at both ends of the tunnel.

Manual Keys
The predetermined encryption and authentication keys used to establish a manually keyed tunnel.

Masquerade
The process by which a gateway on a local network modifies outgoing packets, replacing the source address of the packets with its own IP address. All IP traffic originating from the local network appears to come from the gateway itself rather than from the machines on the local network; the gateway keeps a table of active connections so that replies can be translated back and delivered to the originating machine.

MD5
Message Digest Algorithm 5, a hash function with a 128-bit output. It is one of the two message digest algorithms available for IPSec on the appliance. MD5 is no longer considered collision resistant; prefer the SHA algorithm where both peers support it.

N

NAT
Network Address Translation: the translation of an IP address used on one network to an IP address on another network. Masquerading is one particular form of NAT.

Net mask
The bit mask that tells computers which part of a TCP/IP address refers to the network and which part refers to the host range. For example, a net mask of 255.255.255.0 marks the first 24 bits of the address as the network portion, leaving 8 bits for hosts.

NTP
Network Time Protocol, used to synchronize clock times in a network of computers. Accurate time on the appliance matters for certificate validity checks and for correlating log entries with other systems.

O

Oakley Group
See Diffie-Hellman Group.

P

Packet Filtering
Controlling packet flow based on packet attributes such as source and destination address, protocol and port.

PAT
Port Address Translation: the translation of a port number used on one network to a port number on another network. Masquerading relies on it so that many local machines can share the gateway's single address without their connections being confused with one another.

PEM, DER, PKCS#12
PKCS#7
These are all certificate file formats. DER is the binary ASN.1 encoding; PEM is the same data Base64-encoded between BEGIN and END marker lines; PKCS#12 bundles a certificate with its private key, normally protected by a passphrase; PKCS#7 carries one or more certificates (typically a CA chain) without any private keys.

Perfect Forward Secrecy
A property of systems such as Diffie-Hellman key exchange that use a long-term key (such as the shared secret in IKE) and generate short-term keys as required. A system has PFS if an attacker who acquires the long-term key provably can neither read previous messages that he may have archived nor read future messages without performing additional successful attacks. The attacker needs the short-term keys in order to read the traffic, and merely having the long-term key does not allow him to infer them. Of course, it may allow him to conduct another attack (such as a man-in-the-middle attack) that yields some short-term keys, but he does not obtain them automatically just by acquiring the long-term key.

Phase 1
The first IKE phase, which sets up a secure, authenticated channel between the two gateways; that channel is then used to negotiate the encrypted IPSec tunnel (Phase 2).
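Masquerade, NAT and PAT, as an added example that is not part of the guide and not the appliance's own NAT code: a toy connection-tracking gateway in Python that rewrites the source of outgoing packets to its own address, allocates a distinct gateway port per internal flow, and uses that table to return replies to the right internal host. The class and method names, addresses and packets are this example's own, constructed for illustration.

```python
"""Masquerading (many-to-one NAT) with port address translation.

Added illustration, not code from the McAfee UTM Firewall guide: a toy
connection-tracking gateway that rewrites the source of outgoing packets to
its own address, allocates a distinct gateway port per internal flow (PAT),
and uses that table to send replies back to the right internal host. All
addresses and packets are constructed for the example.
"""
import dataclasses
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class MasqueradingGateway:
    def __init__(self, external_ip: str, first_port: int = 1024) -> None:
        self.external_ip = external_ip
        self.next_port = first_port
        # (gateway port, remote ip, remote port) -> (internal ip, internal port)
        self.inbound_map: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        # (internal ip, internal port, remote ip, remote port) -> gateway port
        self.outbound_map: Dict[Tuple[str, int, str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an internal host's packet so it appears to come from the gateway."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        gw_port = self.outbound_map.get(flow)
        if gw_port is None:
            # New flow: pick an unused gateway port so replies can be told apart
            # even when two internal hosts chose the same source port.
            gw_port = self.next_port
            self.next_port += 1
            self.outbound_map[flow] = gw_port
            self.inbound_map[(gw_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return dataclasses.replace(pkt, src_ip=self.external_ip, src_port=gw_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the internal host; drop anything with no matching flow."""
        if pkt.dst_ip != self.external_ip:
            return None
        target = self.inbound_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            return None  # unsolicited inbound packet: masquerading gives it no path inside
        internal_ip, internal_port = target
        return dataclasses.replace(pkt, dst_ip=internal_ip, dst_port=internal_port)


if __name__ == "__main__":
    gw = MasqueradingGateway("198.51.100.1")
    for host in ("192.168.0.10", "192.168.0.11"):
        out = gw.outbound(Packet(host, 5000, "203.0.113.5", 80))
        print(f"{host}:5000 -> seen by the server as {out.src_ip}:{out.src_port}")
        back = gw.inbound(Packet("203.0.113.5", 80, out.src_ip, out.src_port))
        print(f"reply to port {out.src_port} delivered to {back.dst_ip}:{back.dst_port}")
```

The two internal hosts deliberately use the same source port (5000): without the port rewrite the gateway could not tell their replies apart, which is why masquerading in practice is NAT plus PAT. The dropped unsolicited packet is also the reason masquerading hides internal hosts from inbound connections unless a port forward is configured.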
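The PEM, DER, PKCS#12 and PKCS#7 entry, as an added example that is not part of the guide: a small Python routine that converts PEM to DER and back and classifies a file by its outer ASN.1 structure, the check you want when a certificate upload is refused and you are not sure which format you were handed. The regular expression, function names and the sample objects are this example's own; the samples are minimal constructed ASN.1 structures, not real certificates.

```python
"""Telling PEM, DER, PKCS#7 and PKCS#12 files apart, and converting PEM <-> DER.

Added illustration, not code from the McAfee UTM Firewall guide. PEM is a
Base64 text wrapping of DER; DER-encoded certificates, PKCS#7 bundles and
PKCS#12 bundles are all an outer ASN.1 SEQUENCE (0x30) whose first inner
element tells them apart (a heuristic, not a full parser). The sample objects
are minimal constructed ASN.1 structures, not real certificates.
"""
import base64
import re
from typing import Tuple

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def pem_to_der(pem: bytes) -> Tuple[str, bytes]:
    """Return (label, DER bytes) of the first PEM block; raises if none is present."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no complete PEM block found")
    return m.group(1).decode(), base64.b64decode(b"".join(m.group(2).split()), validate=True)


def der_to_pem(der: bytes, label: str) -> bytes:
    """Wrap DER bytes as PEM with the usual 64-character Base64 lines."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label.encode(), body, label.encode())


def der_header(der: bytes) -> Tuple[int, int]:
    """Parse the outer tag and length; returns (header length, content length)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not an ASN.1 SEQUENCE")
    first = der[1]
    if first < 0x80:
        return 2, first
    n = first & 0x7F                       # long form: the next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def guess_format(data: bytes) -> str:
    if data.lstrip().startswith(b"-----BEGIN "):
        m = PEM_RE.search(data)
        return "PEM " + m.group(1).decode() if m else "PEM (unterminated block)"
    try:
        hdr, clen = der_header(data)
    except ValueError:
        return "unknown"
    if hdr + clen != len(data):
        return "DER (length mismatch: truncated or trailing data)"
    first_inner = data[hdr] if clen else None
    if first_inner == 0x30:   # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "DER X.509 certificate (or CSR)"
    if first_inner == 0x06:   # ContentInfo ::= SEQUENCE { contentType OID, ... }
        return "DER PKCS#7"
    if first_inner == 0x02:   # PFX ::= SEQUENCE { version INTEGER, ... }
        return "DER PKCS#12 (or a PKCS#1/PKCS#8 private key)"
    return "DER (unrecognised structure)"


# Constructed samples with the outer shape of each format (not real objects).
SAMPLE_CERT_DER = bytes.fromhex("30 05 30 03 02 01 01")
SAMPLE_P7_DER = bytes.fromhex("30 0b 06 09 2a 86 48 86 f7 0d 01 07 02")   # OID 1.2.840.113549.1.7.2
SAMPLE_P12_DER = bytes.fromhex("30 03 02 01 03")                          # version 3

if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_CERT_DER, "CERTIFICATE")
    print(pem.decode(), guess_format(pem), guess_format(pem_to_der(pem)[1]))
```

A PKCS#8 private key and a PKCS#12 bundle both start with an INTEGER version, so the classifier reports both possibilities rather than guessing; the PEM label (PRIVATE KEY, CERTIFICATE, PKCS7) is the reliable signal when the file is in PEM form.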
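The Perfect Forward Secrecy entry and its man-in-the-middle caveat, as an added example that is not part of the guide and not the appliance's IKE implementation: a Python model of a Phase 1 style exchange in which a pre-shared key (the long-term key) authenticates each side's ephemeral Diffie-Hellman value and the session key comes only from the ephemeral shared secret. It then shows what an attacker who later obtains the PSK can and cannot do with an archived transcript, and that the same attacker acting actively can insert themselves. The modulus is the 1024-bit MODP prime of RFC 2409 (Oakley Group 2), transcribed here; the Peer class, the helper names and the PSK value are this example's own.

```python
"""Perfect forward secrecy, shown with an authenticated ephemeral Diffie-Hellman exchange.

Added illustration, not code from the McAfee UTM Firewall guide and not the
appliance's IKE implementation. It models IKE Phase 1 loosely: a pre-shared
key (the long-term key) authenticates each side's ephemeral Diffie-Hellman
value, and the session key comes only from the ephemeral shared secret. The
modulus is the 1024-bit MODP prime of RFC 2409 (Oakley Group 2), transcribed
here; Peer, run_session, passive_attacker and active_mitm are this example's
own names, and the PSK is constructed.
"""
import hashlib
import hmac
import secrets
from typing import List, Tuple

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
PSK = b"constructed-pre-shared-key"  # long-term key shared by both peers (constructed)

Transcript = List[Tuple[str, bytes, bytes]]  # (sender name, public value, auth tag)


def derive_session_key(shared_secret: int) -> bytes:
    """Short-term key: derived from the ephemeral DH shared secret only."""
    return hashlib.sha256(b"session-key" + shared_secret.to_bytes(128, "big")).digest()


def auth_tag(psk: bytes, name: str, pub: bytes) -> bytes:
    """Authenticate a public value under the long-term key (stands in for IKE PSK auth)."""
    return hmac.new(psk, name.encode() + pub, hashlib.sha256).digest()


class Peer:
    def __init__(self, name: str, psk: bytes) -> None:
        self.name, self.psk = name, psk
        self._x = secrets.randbelow(P - 3) + 2      # fresh ephemeral exponent per session
        self.pub = pow(G, self._x, P).to_bytes(128, "big")
        self.session_key = b""

    def message(self) -> Tuple[str, bytes, bytes]:
        return self.name, self.pub, auth_tag(self.psk, self.name, self.pub)

    def receive(self, sender: str, pub: bytes, tag: bytes) -> None:
        if not hmac.compare_digest(auth_tag(self.psk, sender, pub), tag):
            raise ValueError("peer authentication failed: wrong pre-shared key")
        shared = pow(int.from_bytes(pub, "big"), self._x, P)
        self.session_key = derive_session_key(shared)


def run_session(psk_a: bytes, psk_b: bytes) -> Tuple[bytes, bytes, Transcript]:
    """One honest exchange; returns both session keys and what an eavesdropper sees."""
    a, b = Peer("A", psk_a), Peer("B", psk_b)
    msg_a, msg_b = a.message(), b.message()
    b.receive(*msg_a)
    a.receive(*msg_b)
    return a.session_key, b.session_key, [msg_a, msg_b]


def passive_attacker(psk: bytes, transcript: Transcript) -> Tuple[bool, bytes]:
    """Attacker who archived the transcript and later obtains the long-term key.

    The PSK lets them confirm who spoke (the tags verify), but the transcript
    holds only g^x and g^y; the session key needs g^(xy), which no combination
    of the public values yields. The 'guess' below is the best they can form.
    """
    verified = all(hmac.compare_digest(auth_tag(psk, n, pub), tag) for n, pub, tag in transcript)
    gx, gy = (int.from_bytes(pub, "big") for _, pub, _ in transcript)
    guess = derive_session_key((gx * gy) % P)   # this is g^(x+y), not g^(xy)
    return verified, guess


def active_mitm(psk: bytes) -> Tuple[bool, bool]:
    """The caveat: with the PSK an *active* attacker can run two exchanges of their own.

    Returns (attacker shares A's session key, attacker shares B's session key).
    """
    a, b = Peer("A", psk), Peer("B", psk)
    fake_b, fake_a = Peer("B", psk), Peer("A", psk)   # the attacker's two personas
    fake_b.receive(*a.message())   # attacker completes DH with the real A ...
    fake_a.receive(*b.message())   # ... and separately with the real B
    a.receive(*fake_b.message())   # A accepts the forged but correctly tagged "B" value
    b.receive(*fake_a.message())
    return a.session_key == fake_b.session_key, b.session_key == fake_a.session_key


def authenticates(psk_a: bytes, psk_b: bytes) -> bool:
    """Whether two peers with these long-term keys complete the exchange."""
    try:
        run_session(psk_a, psk_b)
        return True
    except ValueError:
        return False
```

Each Peer draws a new exponent, so two sessions under the same PSK never share a session key; that is the "short-term keys generated as required" part of the definition. The passive attacker's guess differs from the real key because the PSK protects only authenticity, not the secrecy of g^(xy), while active_mitm returning (True, True) is exactly the attack the entry warns about: PFS does not stop an attacker who holds the long-term key from taking part in new exchanges.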