This section explains the language of network defense: firewalls, segmentation, VPNs, traffic inspection, trust zones, and secure access patterns.
Use it when the term is about controlling or protecting network communication.
- Allowlist: An allowlist is a rule set that permits only specified users, applications, addresses, domains, commands, or other approved items; anything not listed is denied.
- Bastion Host: A bastion host is a specially hardened system used as a controlled access point into sensitive environments.
- Deep Packet Inspection: Deep packet inspection examines packet payloads and metadata more closely than basic header-based traffic filtering.
- Demilitarized Zone: A demilitarized zone is a network area used to place externally reachable services away from more sensitive internal systems.
- Denylist: A denylist is a rule set that blocks specified users, applications, addresses, domains, or other items while allowing everything else unless another rule stops it.
- DNS Filtering: DNS filtering is the practice of controlling domain name resolution so users and systems are blocked from reaching known malicious or unwanted destinations.
- Domain Name System Security Extensions: Domain Name System Security Extensions (DNSSEC) adds authenticity and integrity protection to DNS data so resolvers can detect certain forms of tampering or spoofing.
- East-West Traffic: East-west traffic is network communication between internal systems, as opposed to communication between an internal system and the outside world.
- Egress Filtering: Egress filtering is the practice of controlling which outbound network connections systems are allowed to make.
- Email Authentication: Email authentication is the set of controls used to help mail systems evaluate whether a message was sent by an authorized source and handled in an expected way.
- Email Security: Email security is the set of controls used to protect email systems, messages, users, and workflows from compromise, fraud, malware, and data exposure.
- Firewall: A firewall is a security control that filters network traffic based on defined rules so unauthorized or unnecessary communication can be limited.
- Full Packet Capture: Full packet capture is the recording of complete network packets so teams can inspect the contents and context of network communication in detail.
- Intrusion Detection System: An intrusion detection system monitors traffic or activity for suspicious patterns and generates alerts without necessarily blocking the activity itself.
- Intrusion Prevention System: An intrusion prevention system inspects traffic for suspicious patterns and can automatically block or stop activity that matches defined prevention logic.
- Man-in-the-Middle Attack: A man-in-the-middle attack is an interception scenario in which an attacker sits between communicating parties to observe, alter, or relay traffic without proper authorization.
- Microsegmentation: Microsegmentation applies fine-grained traffic controls between workloads or services so access is limited to specific allowed communications.
- Network Access Control: Network access control is the practice of deciding which users or devices can join a network and under what conditions.
- Network Segmentation: Network segmentation divides networks into smaller zones so traffic can be controlled more tightly and security incidents are easier to contain.
- Network Telemetry: Network telemetry is the operational data that describes network activity, health, communication patterns, and security-relevant traffic behavior.
- SSH: SSH, or Secure Shell, is a protocol used to securely administer remote systems and carry command-line sessions over an encrypted connection.
- Virtual Private Network: A virtual private network creates protected connectivity between devices or networks over a less trusted path such as the public internet.
- Web Application Firewall: A web application firewall inspects and filters HTTP traffic to help protect web applications from malicious or unwanted requests.
- Zero Trust Network Access: Zero trust network access provides narrower, identity-aware access to applications without assuming that network location alone should grant broad trust.