
The Modular Firewall Certification Criteria

Glossary - version 4.1

Definition of Terms

The terms defined below are intended to aid the reader in understanding what is meant in the requirements that
appear in one or more of the modules. The terms defined below are italicized wherever they appear in this
Glossary.

Access Request – The term access request refers to any instance in which a packet arriving on a network
segment corresponding to one of the Candidate Firewall Product’s network interfaces is compared against the
access control rules or another non-connection-related access control structure (e.g., an IP spoofing-related
structure) on the Candidate Firewall Product.

An access request would not include passing a packet through the Candidate Firewall Product where that packet
is part of an ongoing connection. Though many TCP packets may be associated with a session, only one of
those packets represents the access request. Even though UDP is sessionless, vendors often create state using
a timer or other mechanism. Thus, for all UDP packets belonging to a UDP “session” (i.e., before the timer
expires), only one of those packets represents the actual access request. The rest are part of the UDP “session”.

The implication of the access request term for the logging requirements in the criteria is that only a single entry
needs to be recorded for TCP sessions and UDP “sessions”. However, for packets that do not belong to a TCP
session or UDP “session” as well as for ICMP and other traffic violating the security policy, the Candidate Firewall
Product must capture every packet when such logging is enabled.
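The following is an added example, not part of the ICSA Labs glossary or of any vendor's product, that models the access request definition above as a small stateful tracker: the first packet of a TCP or UDP flow is compared against the rules and logged once, later packets of the same flow (either direction) are treated as session traffic, a UDP “session” expires on an assumed idle timer, and ICMP and policy-violating packets are logged every time. The policy, the 30-second timer, and the packet trace are all constructed for the example; a real product's session table, TCP state handling and timer values will differ.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Idle timer that keeps a UDP "session" alive. Assumed value: the glossary only
# says vendors create UDP state "using a timer or other mechanism".
UDP_SESSION_TIMEOUT = 30.0


@dataclass(frozen=True)
class Packet:
    ts: float          # arrival time in seconds (constructed trace values)
    proto: str         # "TCP", "UDP" or "ICMP"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""    # TCP flags, e.g. "S", "SA", "A"


FlowKey = Tuple[str, str, int, str, int]
Policy = Callable[[Packet], bool]   # True = permit, False = deny


def flow_keys(pkt: Packet) -> Tuple[FlowKey, FlowKey]:
    """Forward and reverse 5-tuples, so that replies match the same session."""
    fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    return fwd, rev


@dataclass
class AccessRequestTracker:
    policy: Policy
    tcp_sessions: Set[FlowKey] = field(default_factory=set)
    udp_last_seen: Dict[FlowKey, float] = field(default_factory=dict)
    log: List[dict] = field(default_factory=list)
    access_requests: int = 0

    def handle(self, pkt: Packet) -> str:
        """Return "session" for a packet riding an existing session, otherwise
        the decision ("permit" or "deny") made for this access request."""
        fwd, rev = flow_keys(pkt)
        if pkt.proto == "TCP" and fwd in self.tcp_sessions:
            return "session"
        if pkt.proto == "UDP":
            last = self.udp_last_seen.get(fwd)
            if last is not None and pkt.ts - last < UDP_SESSION_TIMEOUT:
                self.udp_last_seen[fwd] = pkt.ts   # refresh the idle timer
                self.udp_last_seen[rev] = pkt.ts
                return "session"
        # Not part of any session: the packet is compared against the rules.
        self.access_requests += 1
        permitted = self.policy(pkt)
        action = "permit" if permitted else "deny"
        # One entry per access request: a permitted TCP/UDP flow is logged once,
        # while ICMP and every policy-violating packet produce their own entry.
        self.log.append({"ts": pkt.ts, "proto": pkt.proto, "src": pkt.src,
                         "dst": pkt.dst, "dport": pkt.dport, "action": action})
        if permitted and pkt.proto == "TCP":
            self.tcp_sessions.update((fwd, rev))
        elif permitted and pkt.proto == "UDP":
            self.udp_last_seen[fwd] = pkt.ts
            self.udp_last_seen[rev] = pkt.ts
        return action


def sample_policy(pkt: Packet) -> bool:
    """Constructed security policy: HTTP and DNS are permitted, all else denied."""
    return (pkt.proto, pkt.dport) in {("TCP", 80), ("UDP", 53)}


# Constructed trace: one HTTP session, one DNS "session" that later times out,
# two ICMP packets and two telnet attempts that violate the policy.
SAMPLE_TRAFFIC = [
    Packet(0.00, "TCP", "10.0.0.5", 40000, "192.0.2.10", 80, "S"),
    Packet(0.05, "TCP", "192.0.2.10", 80, "10.0.0.5", 40000, "SA"),
    Packet(0.10, "TCP", "10.0.0.5", 40000, "192.0.2.10", 80, "A"),
    Packet(0.20, "TCP", "10.0.0.5", 40000, "192.0.2.10", 80, "PA"),
    Packet(1.00, "UDP", "10.0.0.5", 5000, "192.0.2.53", 53),
    Packet(1.10, "UDP", "192.0.2.53", 53, "10.0.0.5", 5000),
    Packet(2.00, "ICMP", "10.0.0.5", 0, "192.0.2.10", 0),
    Packet(3.00, "ICMP", "10.0.0.5", 0, "192.0.2.10", 0),
    Packet(4.00, "TCP", "10.0.0.5", 40001, "192.0.2.10", 23, "S"),
    Packet(4.50, "TCP", "10.0.0.5", 40001, "192.0.2.10", 23, "S"),
    Packet(20.0, "UDP", "10.0.0.5", 5000, "192.0.2.53", 53),   # timer still running
    Packet(60.0, "UDP", "10.0.0.5", 5000, "192.0.2.53", 53),   # timer expired
]


def run_sample() -> Tuple[AccessRequestTracker, List[str]]:
    tracker = AccessRequestTracker(policy=sample_policy)
    decisions = [tracker.handle(p) for p in SAMPLE_TRAFFIC]
    return tracker, decisions


if __name__ == "__main__":
    tracker, decisions = run_sample()
    print(decisions)
    print(tracker.access_requests, "access requests,", len(tracker.log), "log entries")
```

Twelve packets yield seven access requests and seven log entries: the HTTP flow and the first DNS exchange each cost one entry, the DNS packet after the idle timer expires is a new access request, and each ICMP and telnet packet is logged individually because none of them belongs to a session.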

Administrative Functions – These are the operations or actions that must be available for an administrator to
perform on the Candidate Firewall Product. They are only available through an Administrative Interface, defined
below, and only after the administrator has been authenticated.

Administrative Interface – This is the means by which an administrator will access the Candidate Firewall Product.
Common Administrative Interfaces include: a local or remote web-based interface; a GUI on a dedicated
management station connected to the public, private, or service network; a local console connected directly to an
interface on the product; a command line interface.

Authenticate – Before an administrator can use the administrative functions, he/she provides some form of
evidence that he/she is authorized to perform those functions. When that form of evidence, called Authentication
Configuration Data, is presented and accepted, the administrator is granted access to the administrative functions
and is said to have authenticated to the Candidate Firewall Product. If the Authentication Configuration Data is
not accepted, and as a result the administrative functions remain unavailable, the event was a failed
authentication attempt.

Authentication Configuration Data – Depending on the authentication mechanism(s) available on the Candidate
Firewall Product, there may be varying types of Authentication Configuration Data. When the authentication
mechanism is a password, then the Authentication Configuration Data is the password itself. For stronger
authentication mechanisms, any data that must be entered by an administrator into the Candidate Firewall
Product for synchronization between it and the hardware or software token is part of the Authentication
Configuration Data. Also any data linking a user or a role to this Authentication Configuration Data is considered
part of the Authentication Configuration Data.

Candidate Firewall Product – This is the total package submitted by a vendor to ICSA Labs for testing against the
requirements in the Baseline module, one Required Services Security Policy module and any additional modules
chosen in advance by the vendor and agreed upon by ICSA Labs. The package submitted may consist of some
or all of the following components but is not limited to: firewall hardware; firewall application software; firewall
firmware; underlying operating system software and utilities; management station hardware; management station
software; installation, configuration and/or administration documentation; one-time authentication device; any 3rd
party logging tool or utility.
Page 1 of 3 Version 4.1
Copyright 2005-2008 Cybertrust. All Rights Reserved Effective Date: 8/15/08

Captured – This term refers to both recording and then storing elements of data by the Candidate Firewall
Product in a Log.

Drop – This is a potential result of the Candidate Firewall Product not permitting traffic to or through it. Traffic that
is dropped by the Candidate Firewall Product does not elicit any kind of response from the Candidate Firewall
Product back to the sender of the dropped traffic. The Candidate Firewall Product discards the traffic.

Default Installation State – This state reflects the security policy enforced by the Candidate Firewall Product
immediately after being installed according to the installation documentation.

Deny – This is a potential result of the Candidate Firewall Product not permitting traffic to or through it. Traffic that
is denied by the Candidate Firewall Product does elicit a response from the Candidate Firewall Product back to
the sender of the denied traffic. The Candidate Firewall Product discards the traffic.

Hosts, Clients, and Servers – All computers on the private, service and public networks are hosts. Hosts may be
clients, servers or both.

Local Administration – Local Administration is performed through an Administrative Interface over a direct, non-
networked connection to the Candidate Firewall Product. This includes a direct crossover cable connection
between a host and a dedicated out-of-band network interface on the Candidate Firewall Product.

Log – When it appears as a noun, it refers to a non-volatile physical storage space on some component of the
Candidate Firewall Product including a dedicated separate logging server where log data elements are
permanently stored (unless they are deleted by an administrator). A log may not be overwritten by default. Log
Data sent to and received by a user via email is considered an alert and does not constitute a Log.

Mode – Products may offer a number of modes including straight-through mode, address translation mode,
bridging mode, etc. Also, within a single configuration mode there may be additional modes. For example, within
address translation mode, there may be several modes to choose from when sending traffic inbound to private or
service network servers. Such modes may include one-to-one network address translation, where a single virtual
IP bound to the public interface IP maps directly to a single private network IP. Another example within address
translation mode may be to send traffic to the public interface of the product, and depending on the port, the traffic
gets passed back through to the appropriate private or service network server.

Public, Private, and Service Network – These terms describe the network that a client or server resides on from
the perspective of the Candidate Firewall Product. The public network is the unprotected or external network(s)
that the product cannot protect or make any claims about. It is often, in practice, the Internet. The private
network is the protected or internal network for which the Candidate Firewall Product aims to proxy, filter and/or
monitor traffic. The service network, sometimes referred to as a DMZ network, is another private network usually
consisting of publicly accessible servers.

Remote Administration – The word “remote” indicates that the administration is not being performed locally on or
through a direct, non-networked connection to the Candidate Firewall Product. “Remote” further indicates that
administration is via a node connected in some way to one of the Candidate Firewall Product’s network interfaces.

Security Policy – This is a high-level description of the services explicitly permitted and/or denied to or through the
Candidate Firewall Product. Each Required Services Security Policy module has a security policy that must be
enforced by the Candidate Firewall Product upon installation. However, only the Required Services Security
Policy - SMB module contains a security policy called the “Required Services Security Policy” that must be
enforced after configuring access control rules. The Extended Services Module requires the capability for
Candidate Firewall Products to allow additional services beyond those in the “Required Services Security Policy”.

Service – When not used as a modifier (e.g., “service network server”) or as the object of a commonly known
expression (e.g., “denial of service”), the term service and its plural services refer to one or more protocols at one
or more layers in the TCP/IP stack. Most commonly, service refers to any application level protocol that uses
either TCP or UDP as its transport level protocol. However, discovery-like protocols that do not make use of a
transport level protocol (e.g., ARP, RARP, ICMP, etc.) are also services. Further, IP itself, as well as protocols
carried by IP (e.g., routing protocols, IKE, TCP, UDP, etc.), are services.

Stronger – When referring to authentication mechanisms, stronger describes an authentication mechanism that is
more difficult to circumvent than one based on something that the user knows (e.g., a password). One stronger
authentication mechanism requires the user to both know something that only that user would know (such as a
PIN or a password) and possess something that only that user would possess (such as a personal token device).
Thus the mechanism is stronger than one that only requires the user to remember something such as a password.
Other authentication mechanisms, such as those based on biometrics (e.g., fingerprint scan, retinal scan, etc.), are
also stronger than reliance on something that must be remembered, as they too are much more difficult to
circumvent.

Trivial Denial of Service – This is a Denial of Service (DOS) where a published DOS attack tool exists, or the DOS
attack can be performed without using a tool. A DOS attack that requires a series of enabling conditions is not
considered a trivial Denial of Service.

Unresolved – When used in the Customer Support module, it refers to a customer support request that continues
to exist at some level in the Candidate Firewall Product vendor customer support hierarchy. The term does not
imply that customer suggestions rejected by a vendor (or many other similar situations) can never be resolved. In
cases such as this, a rejection of the customer support request could be a valid resolution to a customer support
request.
