127 entries
Network Security
- 5G Security: The security architecture for 5G mobile networks, defined in 3GPP TS 33.501, covering subscriber privacy, mutual authentication, and protection of signalling and user-plane traffic.
- Always-On VPN: A device-wide policy that establishes the VPN tunnel automatically as soon as the network is available and refuses non-tunnelled traffic, enforced by Windows, Apple, and Android profiles.
- Anomaly-Based Detection: A detection approach that builds a baseline of normal activity and flags deviations from it as potentially malicious.
- ARC (Authenticated Received Chain): An email standard defined in RFC 8617 that preserves authentication results across forwarding hops by letting each intermediary cryptographically sign the chain of prior checks.
- ARP: A link-layer protocol (RFC 826) that maps an IPv4 address to the MAC address of a host on the same broadcast domain so that frames can be delivered.
- BGP Hijacking: An attack in which an autonomous system announces IP prefixes it does not legitimately own, attracting and potentially intercepting global Internet traffic.
- BGP Route Leak: An unintended BGP propagation in which an autonomous system advertises routes outside the intended business relationship, often steering global traffic into the wrong AS.
- BIMI: An email standard that lets domain owners display a verified brand logo next to authenticated messages in supporting clients, conditional on a DMARC policy of quarantine or reject.
- Bot Management: Bot management is the practice of detecting automated traffic and distinguishing good bots from malicious ones, then allowing, challenging, or blocking each accordingly.
- CAA Record (Certification Authority Authorization): A DNS record type (RFC 8659) that lets a domain owner restrict which Certificate Authorities are allowed to issue certificates for the domain, blocking accidental or malicious mis-issuance by other CAs.
- Canary Token: A specific type of honeytoken that quietly beacons home when triggered, providing a tripwire alert for unauthorized access or data handling.
- CDN Security: CDN security uses the global edge of a content delivery network — terminating TLS close to users — to enforce DDoS protection, WAF, bot management, and TLS hygiene.
- Certificate Authority (CA): A trusted entity that issues and signs digital certificates, binding cryptographic public keys to verified identities such as domain names or organisations.
- Certificate Pinning: A technique in which an application hard-codes an expected certificate or public key and refuses TLS connections that do not match, defeating rogue or compromised CAs.
- Certificate Revocation List (CRL): A signed, periodically published list of digital certificates that a CA has invalidated before their natural expiry, used by relying parties to detect revoked certs.
- CIDR Notation: Classless Inter-Domain Routing notation expresses an IP prefix as an address followed by a slash and the number of significant bits, e.g., 10.0.0.0/8.
- DANE: A protocol family defined in RFC 6698 that uses DNSSEC-signed TLSA records to bind TLS server certificates or public keys to a service, removing reliance on the public CA system.
- DDoS Mitigation: DDoS mitigation is the set of techniques and services that absorb, filter, and re-route distributed denial-of-service attacks before they exhaust a target's network, infrastructure, or application capacity.
- Deep Packet Inspection (DPI): An inspection technique that examines the full payload of network packets — not just headers — to identify applications, content, and threats.
- Demilitarized Zone (DMZ): A buffer network segment that hosts externally exposed services, isolated from the internal LAN to limit the blast radius of a breach.
- DHCP: A UDP-based protocol (RFC 2131, ports 67/68) that automatically assigns IP addresses and network configuration parameters to clients joining a network.
- Diameter Protocol: An AAA (authentication, authorisation, accounting) protocol standardised in RFC 6733 that replaced RADIUS in IMS, LTE EPC, and roaming/IPX networks.
- DKIM: An email authentication standard defined in RFC 6376 that lets a sending domain add a cryptographic signature to outgoing messages so receivers can verify that headers and body were not altered.
- DMARC: An email authentication standard defined in RFC 7489 that lets domain owners publish a policy telling receivers what to do with messages that fail SPF or DKIM and aligned domain checks.
- DNS Blocklist (DNSBL): A DNS-based mechanism described in RFC 5782 that lets mail systems query a list of IP addresses or domains known to send spam or malware and apply blocking, scoring, or routing decisions.
- DNS over HTTPS (DoH): A protocol that encrypts DNS queries by transporting them inside HTTPS, preventing on-path observers from reading or modifying lookups.
- DNS over QUIC (DoQ): A DNS transport (RFC 9250, 2022) that runs DNS queries over QUIC, providing the confidentiality and integrity of DoT/DoH with lower handshake latency, better connection migration, and head-of-line blocking immunity from QUIC.
- DNS over TLS (DoT): A protocol that encrypts DNS queries inside a dedicated TLS session, protecting them from eavesdropping and tampering on the wire.
- DNS Rebinding: A browser-side attack that abuses short DNS TTLs to make a hostname resolve first to an attacker server, then to an internal IP, bypassing the same-origin policy.
- DNS Tunneling: A covert channel that encodes arbitrary data inside DNS queries and responses on UDP/TCP port 53, frequently used for command-and-control and data exfiltration.
- DNSSEC: A set of DNS extensions that uses digital signatures to let resolvers verify the authenticity and integrity of DNS records.
- EAP-TLS: An EAP authentication method (RFC 5216) that mutually authenticates an 802.1X supplicant and a RADIUS server with X.509 certificates over a TLS handshake — the gold standard for enterprise Wi-Fi and wired NAC.
- Extended Validation Certificate: A TLS certificate issued only after a CA performs a strict, standardised verification of the legal identity, physical existence and authority of the requesting organisation.
- Firewall: A network security device or software that monitors and controls inbound and outbound traffic based on a defined ruleset, separating trusted from untrusted networks.
- Forward Proxy: A proxy configured on the client side that relays outbound requests to external services on the user's behalf.
- FTP: A legacy file-transfer protocol (RFC 959) that uses TCP port 21 for control and port 20 for data, transmitting credentials and files in cleartext and largely deprecated for security reasons.
- GnuPG (GPG): The GNU Privacy Guard, a free software implementation of the OpenPGP standard (RFC 4880, RFC 9580) used to sign, encrypt, and decrypt data, including emails and software packages.
- Greylisting: An anti-spam technique that initially returns a temporary SMTP rejection for unknown sender triplets and only accepts the message on a later, properly retried delivery attempt.
- Honeynet: A controlled network of interconnected honeypots designed to study attacker behavior across a realistic, multi-host environment.
- Honeypot: A decoy system or service deliberately exposed to attract attackers, observe their techniques, and divert them from production assets.
- Honeytoken: A piece of fake data — credential, file, record, or API key — that has no legitimate use and triggers an alert the moment it is accessed.
- Host-Based IDS (HIDS): An intrusion-detection agent installed on a server or endpoint that monitors local files, processes, logs, and system calls for malicious activity.
- HTTP Strict Transport Security (HSTS): A web security policy delivered via an HTTP response header that tells browsers to access a domain only over HTTPS for a declared period of time.
- HTTP/2 Security: The security model of HTTP/2 (RFC 9113) over TLS 1.2+, plus the operational pitfalls of HPACK, multiplexing, CONTINUATION frames, and the 2023 Rapid Reset attack.
- HTTP/3 / QUIC: HTTP/3 (RFC 9114) is the HTTP mapping over QUIC (RFC 9000), a UDP-based, encrypted transport that integrates TLS 1.3 and provides per-stream multiplexing without head-of-line blocking.
- HTTPS: HTTP carried over a TLS-protected connection, providing confidentiality, integrity, and server authentication for web traffic.
- ICMP: A network-layer control and diagnostics protocol (RFC 792 for IPv4, RFC 4443 for IPv6) used by hosts and routers to report errors and signal path conditions.
- IEEE 802.1X: A port-based network access control standard that authenticates a device or user before allowing traffic to pass on a wired or wireless port.
- Intrusion Detection System (IDS): A passive security control that monitors network or host activity for malicious behaviour and raises alerts without blocking traffic.
- Intrusion Prevention System (IPS): An inline security control that detects malicious traffic and actively blocks, resets, or scrubs it in real time.
- IP Address: A numeric identifier assigned to a network interface for routing across IP networks: 32 bits in IPv4 (RFC 791) or 128 bits in IPv6 (RFC 8200).
- IPsec: A suite of IETF protocols that authenticates and encrypts IP packets to provide secure communications at the network layer.
- JA3 Fingerprint: A TLS client fingerprinting method by John Althouse, Jeff Atkinson, and Josh Atkins (Salesforce, 2017) that hashes the ordered TLS ClientHello parameters into a 32-character MD5 — used to identify and group TLS clients without inspecting payload.
- JA4 Fingerprint: A 2023 successor to JA3, published by John Althouse at FoxIO, that produces structured, human-readable TLS, HTTP, SSH, and TCP fingerprints designed to remain robust as TLS clients evolve and to be paired across protocols.
- known_hosts File: An OpenSSH client file (~/.ssh/known_hosts) that pins server public keys so SSH can detect host-key changes that could indicate a man-in-the-middle attack.
- LTE Security: The security architecture for 4G/LTE mobile networks, defined in 3GPP TS 33.401, covering EPS-AKA authentication and ciphering of RRC, NAS, and user-plane traffic.
- MAC Address: A 48-bit hardware identifier (IEEE 802) burned into a network interface and used for delivery within a single link-layer segment.
- Microsegmentation: A fine-grained form of segmentation that applies allow-list policies between individual workloads or applications, often via host or hypervisor enforcement.
- MTA-STS: An email security mechanism defined in RFC 8461 that lets a domain require TLS for inbound SMTP and pin a list of trusted MX hostnames, defeating downgrade and STARTTLS-stripping attacks.
- Mutual TLS (mTLS): An extension of TLS in which both the client and the server present X.509 certificates so that each side cryptographically authenticates the other.
- Network Access Control (NAC): A set of policies and technologies that authenticate devices and users before granting them network access and continually enforce posture requirements.
- Network Address Translation (NAT): A technique by which a router rewrites IP addresses and ports as packets traverse it, letting many internal hosts share one or a few public addresses.
- Network Segmentation: The practice of splitting a network into multiple zones with controlled traffic between them to contain breaches and enforce least privilege.
- Network-Based IDS (NIDS): An intrusion-detection sensor that inspects traffic captured from a network segment to identify malicious patterns and policy violations.
- Next-Generation Firewall (NGFW): An advanced firewall that combines stateful inspection with application awareness, integrated IPS, user-identity controls, and TLS inspection to enforce richer policies.
- Oblivious HTTP (OHTTP): An IETF-standardized HTTP-over-HPKE relay protocol (RFC 9458) that decouples client identity from request content by splitting trust between a relay (sees IP, not content) and a gateway (sees content, not IP).
- OCSP (Online Certificate Status Protocol): An HTTP-based protocol that lets a client query a CA's responder in real time to determine whether a specific X.509 certificate is valid, revoked or unknown.
- OpenVPN: An open-source VPN that runs in userspace and uses TLS/OpenSSL to authenticate peers and tunnel arbitrary IP or Ethernet traffic.
- Opportunistic TLS: An encryption posture in which two parties use TLS when both support it and fall back to plaintext otherwise, typical of SMTP between mail servers using STARTTLS without strong authentication.
- Packet Filtering: A network-security technique that inspects each packet's header fields and allows or drops it based on a static ruleset.
- PGP: Pretty Good Privacy, an end-to-end encryption and digital signature scheme for email, files, and messages, originally created by Phil Zimmermann in 1991.
- Port Forwarding: A NAT configuration in which a router redirects traffic arriving on a specific public port to a chosen internal host and port.
- Port Knocking: A technique that keeps service ports closed by default and opens them only after a client sends a predefined sequence of connection attempts.
- Proxy Server: An intermediary server that relays client requests to other servers, hiding the client and allowing centralized inspection, filtering, or caching of traffic.
- Public Key Infrastructure (PKI): The combined system of policies, software, hardware and trusted authorities used to issue, distribute, validate and revoke digital certificates that bind identities to public keys.
- RADIUS: A widely deployed AAA protocol used by network devices to authenticate, authorize, and account for user or device access.
- Rate Limiting: Rate limiting caps the number of requests an identifier (IP, user, API key, or token) may make over a time window, protecting APIs and apps from abuse, scraping, and brute-force.
- Remote Access VPN: A VPN that lets an individual user securely connect a laptop or phone to a corporate network from any internet location.
- Reverse Proxy: A server placed in front of one or more backend services that receives client requests on their behalf and forwards them inward.
- RPKI (Resource Public Key Infrastructure): A cryptographic infrastructure standardized by the IETF that lets resource holders publish signed Route Origin Authorizations (ROAs) for their IP prefixes, so BGP routers can drop or deprioritize obviously invalid route announcements.
- S/MIME: An IETF standard for end-to-end signing and encryption of MIME email messages using X.509 certificates issued by a public or enterprise CA.
- SASE: SASE is a cloud-delivered architecture, coined by Gartner in 2019, that converges SD-WAN with security services like SWG, CASB, ZTNA, and FWaaS at the network edge.
- Secure Email Gateway: A perimeter or cloud service that filters inbound and outbound email for spam, phishing, malware, data leakage, and policy violations before it reaches user mailboxes.
- Self-Signed Certificate: A digital certificate that is signed with the same private key whose public counterpart it contains, with no external certificate authority involved.
- SFTP: A secure file-transfer subsystem that runs inside an SSH session on TCP port 22, providing authenticated, encrypted file and directory operations.
- Signature-Based Detection: A detection method that compares observed traffic, files, or behaviour against a database of known-bad patterns (signatures) to flag malicious activity.
- Site-to-Site VPN: A persistent encrypted tunnel between two networks — typically branch offices, data centers, or cloud VPCs — that lets hosts on each side reach each other transparently.
- SPF (Sender Policy Framework): An email authentication mechanism defined in RFC 7208 that lets a domain publish in DNS which IP addresses or hosts are authorized to send mail using its domain in the envelope MAIL FROM.
- SSE: SSE is the security half of SASE — a cloud-delivered bundle of SWG, CASB, ZTNA, and often DLP and FWaaS that protects user traffic to internet, SaaS, and private apps.
- SSH: A cryptographic network protocol (RFC 4251, port 22) that provides authenticated, encrypted, and integrity-protected remote login, command execution, and tunneling over an untrusted network.
- SSH Agent Forwarding: An OpenSSH feature, enabled with -A or ForwardAgent yes, that exposes a UNIX socket on a remote host so commands there can use the local SSH agent to authenticate further hops.
- SSH Key Types: The asymmetric key algorithms accepted by OpenSSH for user and host authentication: RSA, ECDSA (NIST curves), and the modern default Ed25519.
- SSL (Secure Sockets Layer): The historical predecessor of TLS, originally developed by Netscape in the 1990s to encrypt traffic on the web and now formally deprecated.
- SSL Stripping: A man-in-the-middle attack that silently downgrades a victim's HTTPS connection to plain HTTP so the attacker can read and modify the traffic.
- SSL VPN: A VPN that tunnels traffic over TLS (historically SSL), allowing remote access through standard web ports without a dedicated VPN protocol.
- STARTTLS: An SMTP, IMAP, POP3, and XMPP extension defined in RFC 3207 that upgrades a plaintext connection to TLS after the protocol greeting, enabling opportunistic encryption between mail servers and clients.
- Stateful Firewall: A firewall that tracks the state of active connections in a connection table and allows return traffic that matches an established session.
- Stateless Firewall: A firewall that evaluates each packet independently against static rules, without tracking the state of connections.
- Subdomain Takeover: An attack in which a dangling DNS record (often a CNAME) points to an unclaimed cloud or SaaS resource, letting an attacker register that resource and impersonate the subdomain.
- Subnet: A contiguous range of IP addresses that share a common prefix, defining a single broadcast domain and routing boundary on a network.
- SWG: A Secure Web Gateway (SWG) is a proxy — on-prem or cloud — that inspects user web traffic, enforces acceptable-use policy, and blocks malware, phishing, and data exfiltration.
- TACACS+: An AAA protocol developed by Cisco that separates authentication, authorization, and accounting and encrypts the entire packet payload between client and server.
- TCP: A connection-oriented transport protocol (RFC 9293) that delivers an ordered, reliable, congestion-controlled byte stream between two endpoints over IP.
- TCP/IP: The four-layer Internet Protocol Suite that defines how packets are addressed, routed, fragmented, and reliably delivered between hosts across interconnected networks.
- TLS (Transport Layer Security): The IETF-standardized cryptographic protocol that provides confidentiality, integrity, and authentication for traffic between two networked applications.
- TLS Handshake: The initial protocol exchange in Transport Layer Security that authenticates the server (and optionally the client) and derives the symmetric keys used to encrypt the rest of the session.
- Transparent Proxy: A proxy interposed in the network path that intercepts client traffic without requiring any configuration on the client.
- UDP: A connectionless transport protocol (RFC 768) that delivers individual datagrams between ports with minimal overhead but no reliability or ordering guarantees.
- VLAN: A virtual LAN (IEEE 802.1Q) groups switch ports into separate broadcast domains by tagging Ethernet frames with a 12-bit VLAN ID.
- VoIP Security: The set of controls protecting Voice-over-IP calls (SIP signalling and RTP media) from eavesdropping, fraud, denial of service, and identity spoofing.
- VoLTE Security: Voice-over-LTE security, the set of IMS authentication, signalling, and media protections that secure voice calls carried as SIP/RTP over 4G or 5G data bearers.
- VPN (Virtual Private Network): A technology that creates an encrypted, authenticated tunnel over a public network so that traffic appears to travel through a private network.
- VPN Kill Switch: A safeguard that automatically blocks all network traffic on the host whenever the VPN tunnel drops, preventing inadvertent leaks over an unencrypted connection.
- VPN Split Tunneling: A VPN configuration that routes only selected traffic (e.g. corporate subnets) through the encrypted tunnel while letting the rest reach the internet directly.
- WAAP: WAAP (Web Application and API Protection) is the modern evolution of WAF, adding API security, bot management, and DDoS protection into a unified cloud service.
- Web Application Firewall (WAF): A reverse-proxy filter that inspects HTTP/HTTPS traffic to block web attacks such as SQL injection, XSS, and bot abuse before they reach the application.
- WEP (Wired Equivalent Privacy): The original Wi-Fi confidentiality protocol from 1997, now considered broken and unsafe for any production use.
- Wi-Fi 6E: An extension of Wi-Fi 6 (802.11ax) into the 6 GHz band, where the Wi-Fi Alliance mandates WPA3-only security for certified devices and networks.
- Wi-Fi 7: The marketing name for IEEE 802.11be, introducing 320 MHz channels, 4K-QAM, and Multi-Link Operation, with WPA3 as the mandatory security baseline.
- Wi-Fi Deauthentication Attack: A Wi-Fi deauthentication attack abuses unprotected 802.11 management frames to forcibly disconnect clients from an access point, enabling denial of service or follow-on attacks.
- Wildcard Certificate: An X.509 certificate whose subject name uses an asterisk to cover any single label under a given domain, such as *.example.com.
- WireGuard: A modern, minimal VPN protocol that uses a fixed set of state-of-the-art cryptographic primitives and runs as part of the Linux kernel.
- WPA2: The second generation of Wi-Fi Protected Access, based on AES-CCMP and IEEE 802.11i, that has been the de facto Wi-Fi security standard since 2004.
- WPA3: The third generation of Wi-Fi Protected Access, introducing SAE-based authentication, forward secrecy, and stronger protections for personal and enterprise Wi-Fi.
- X.509 Certificate: A standard structure for a digital certificate that binds a public key to an identity through a signature from a trusted certificate authority.
- Zero Trust Network: A network architecture that never trusts users, devices, or services by default and enforces continuous, identity-aware verification of every connection.
- ZTNA: ZTNA is a model that grants users access to specific private applications only after continuous identity, device, and context checks — never network-level access by default.